New version of software: EM410x routines, offline mode, and more!

samy · 2009-07-02 04:42:47

Hi guys,

I've just checked in a new version of the proxmark3 client into the google code repo (http://code.google.com/p/proxmark3/)

New functions:

em410xread [clock (optional, should always be 64 anyway)] -- Reads the ID from an EM410x tag (the plot should contain the raw tag).
Example:
> loread
> losamples 2000
> em410xread
Auto-detected clock rate: 64
EM410x Tag ID: 1a0041375d

em410xsim [tag id] -- Simulates an EM410x tag with the specified ID.
Example:
> em410xsim 1a0041375d
(The orange light will turn on. Press the button on the PM3 to stop emulating the tag.)

em410xwatch -- Watches for an EM410x tag until it detects one. Essentially "loread + losamples 2000 + em410xread" until a tag is detected.
Example:
> em410xwatch
Auto-detected clock rate: 64
EM410x Tag ID: 1a0041375d

manmod [clock (optional)] -- This will Manchester modulate the graphed bitstream. It's a helper function for em410xsim but can be re-used.

detectclock -- This function will auto-detect the clock rate.
Example:
> detectclock
Auto-detected clock rate: 64

bitstream [clock (optional)] -- Converts a waveform into a bitstream. The number of "samples" is still the same but it's easier to read a stream. I've only tested this using EM4102 tags.

Other Features:

Auto-detection of clock rate -- You'll notice in most functions, clock rate is auto-detected now.

prox.exe offline -- An offline mode is now available in the Windows client. You can use this to examine or work with older traces.

mandemod update -- Mandemod no longer requires specifying a clock rate and no longer requires askdemod being run first.

askdemod update -- Askdemod no longer requires specifying a clock rate.

traces/ directory -- I've included a traces/ directory in the repository containing some traces of my EM4102 tags. Might be useful to others to see or use them.

Let me know if you have any issues/questions!

adam@algroup.co.uk · 2009-07-02 16:15:04

Excellent stuff!

I've just committed the updated help so it doesn't get too out of step...

Future commands should go in alphabetical order please!

edo512 · 2009-07-03 11:35:26

Works great! I just updated the online manual too. I'll test emulation as soon as I get my hands on a EM reader...

adam@algroup.co.uk · 2009-07-03 12:50:54

I've just tested simulation and it works like a charm!

proxmark3> em410xsim 04120d79e4
> em410xsim 04120d79e4
Auto-detected clock rate: 64

$ ./lfxtype.py -s 9600 -l /dev/ttyUSB1 -R RFIDIOt.rfidiot.READER_ACG
lfxtype v0.1h (using RFIDIOt v0.1y-beta)
Reader: ACG LFX 1.0 (serial no: 07090143)

Card ID: U2048B09E27
Tag type: EM 4x02 (Unique)
Unique ID: 04120d79e4

Nice!

edo512 · 2009-07-03 13:00:13

adam@algroup.co.uk wrote:

Card ID: U2048B09E27
Tag type: EM 4x02 (Unique)
Unique ID: 04120d79e4

Out of curiosity: what is the Card ID as compared to the Unique ID ?

Ed

duran97 · 2009-07-03 13:15:25

Hmmm, I could read the IDs of the EM410x tags, but when I ran the simulation it didnt work, and the reader didn't read anything. The orange light came on, but the red also - the red flicked a bit, came fully on, and then went off.

adam@algroup.co.uk · 2009-07-03 13:23:18

Documentation needs updating... If you follow the steps on the web page, bad stuff happens!

proxmark3> load EMMARIN-1.bin
> load EMMARIN-1.bin
loaded 24000 samples
proxmark3> askdemod 64 1
> askdemod 64 1
proxmark3> mandemod 64
> mandemod 64
Manchester decoded bitstream
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0

The new method works fine though:

proxmark3> load EMMARIN-1.bin
> load EMMARIN-1.bin
loaded 24000 samples
proxmark3> mandemod
> mandemod
Auto-detected clock rate: 64
Manchester decoded bitstream
0 1 1 0 0 0 0 0 0 1 1 1 1 0 0 1
1 0 1 0 1 0 0 1 1 1 1 0 0 1 0 0
1 0 0 1 0 1 0 0 1 1 0 0 1 0 1 0
1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0
0 1 1 0 0 0 0 0 0 1 1 1 1 0 0 1
1 0 1 0 1 0 0 1 1 1 1 0 0 1 0 0
1 0 0 1 0 1 0 0 1 1 0 0 1 0 1 0
1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0
0 1 1 0 0 0 0 0 0 1 1 1 1 0 0 1
1 0 1 0 1 0 0 1 1 1 1 0 0 1 0 0
1 0 0 1 0 1 0 0 1 1 0 0 1 0 1 0
1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0
0 1 1 0 0 0 0 0 0 1 1 1 1 0 0 1
1 0 1 0 1 0 0 1 1 1 1 0 0 1 0 0
1 0 0 1 0 1 0 0 1 1 0 0 1 0 1 0
1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0
0 1 1 0 0 0 0 0 0 1 1 1 1 0 0 1
1 0 1 0 1 0 0 1 1 1 1 0 0 1 0 0
1 0 0 1 0 1 0 0 1 1 0 0 1 0 1 0
1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0
0 1 1 0 0 0 0 0 0 1 1 1 1 0 0 1
1 0 1 0 1 0 0 1 1 1 1 0 0 1 0 0
1 0 0 1 0 1 0 0 1 1 0 0 1 0 1 0

edo512 · 2009-07-03 13:44:12

adam@algroup.co.uk wrote:

Documentation needs updating... If you follow the steps on the web page, bad stuff happens!
proxmark3> load EMMARIN-1.bin
> load EMMARIN-1.bin
loaded 24000 samples
proxmark3> askdemod 64 1
> askdemod 64 1
proxmark3> mandemod 64
> mandemod 64

Oh yeah, I removed the need for the clock as input argument, good point! I just updated the manual.

Ed

Last edited by edo512 (2009-07-03 21:06:03)

adam@algroup.co.uk · 2009-07-03 14:12:21

edo512 wrote:

adam@algroup.co.uk wrote:
Card ID: U2048B09E27
Tag type: EM 4x02 (Unique)
Unique ID: 04120d79e4
Out of curiosity: what is the Card ID as compared to the Unique ID ?
Ed

The ACG reader doesn't interpret the data bits coming from the card so I have to do that in software (in this case it's just a reversal of all the bits). It also prepends the 'U' to signify a 'Unique' tag.

BTW, I've just committed traces from em4x05 and em4x50.

adam@algroup.co.uk · 2009-07-03 20:02:56

I spotted another problem, which was the output of mandemod appears to be inverted:

proxmark3> load ../traces/EM4102-1.pm3
> load ../traces/EM4102-1.pm3
loaded 16000 samples
proxmark3> mandemod
> mandemod
Auto-detected clock rate: 64
Manchester decoded bitstream
1 0 0 0 0 0 0 1 1 1 0 0 0 1 1 0
0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1
0 0 1 1 1 1 1 0 1 1 1 0 1 0 0 0
0 1 1 0 1 0 0 0 0 1 0 1 0 0 0 0
1 0 0 0 0 0 0 1 1 1 0 0 0 1 1 0
0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1
0 0 1 1 1 1 1 0 1 1 1 0 1 0 0 0
0 1 1 0 1 0 0 0 0 1 0 1 0 0 0 0
1 0 0 0 0 0 0 1 1 1 0 0 0 1 1 0
0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1
0 0 1 1 1 1 1 0 1 1 1 0 1 0 0 0
0 1 1 0 1 0 0 0 0 1 0 1 0 0 0 0
1 0 0 0 0 0 0 1 1 1 0 0 0 1 1 0
0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1

The header being '0 0 0 0 0 0 0 0 0' when it should be '1 1 1 1 1 1 1 1 1'...

To check it (and because it might be useful anyway), I added the ability to invert the output on mandemod:

mandemod -- [ i ] [clock rate] -- Manchester demodulate binary stream (option 'i' to invert output)

proxmark3> mandemod i
> mandemod i
Inverting output
Auto-detected clock rate: 64
Manchester decoded bitstream
0 1 1 1 1 1 1 0 0 0 1 1 1 0 0 1
1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0
1 1 0 0 0 0 0 1 0 0 0 1 0 1 1 1
1 0 0 1 0 1 1 1 1 0 1 0 1 1 1 1
0 1 1 1 1 1 1 0 0 0 1 1 1 0 0 1
1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0
1 1 0 0 0 0 0 1 0 0 0 1 0 1 1 1
1 0 0 1 0 1 1 1 1 0 1 0 1 1 1 1
0 1 1 1 1 1 1 0 0 0 1 1 1 0 0 1
1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0
1 1 0 0 0 0 0 1 0 0 0 1 0 1 1 1
1 0 0 1 0 1 1 1 1 0 1 0 1 1 1 1
0 1 1 1 1 1 1 0 0 0 1 1 1 0 0 1
1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0

Which looks to me like correct output.

I've left the logic of mandemod as it was, but it may want swapping around.

Oh, and I also fixed an indentation problem which made it almost impossible to understand WTF was going on in that routine!

samy · 2009-07-03 20:42:42

Adam, nice!

Yeah, the bit swapping seemed to differ card to card. My cards worked with the way the bits were, but Ed's needed bit swapping. Obviously it's probably not the cards, just how I'm reading it somehow, but honestly I don't know how to correctly detect which way it is in the waveform. However, the em410xread function tries bit swapping if it doesn't detect a card the first time.

Also, re-indentation, my X-Code likes to reindent the code I touch and probably has different tab lengths than already in the code...I'll see if I can turn it off (I indent my code!

samy · 2009-07-03 20:46:58

Duran,

Can you tell me what you're simulating specifically? I'll test out your tag ID just to confirm. What reader are you using?

Anyone have any ideas why the sim wouldn't work for Duran? Maybe bit flipping needs to happen? If so, maybe I'll send the tag ID twice, then flip the tag ID and send that twice, and loop.

Anyone know why this would happen (from Duran): "With the simulation, the orange LED comes on as intended, but the red flickers, then on full, then off."

adam@algroup.co.uk · 2009-07-03 20:54:35

No, the bit pattern you're putting out is 100% correct, so you definitely don't need to do any bit flipping, and you may cause unpredictable results against external readers if you do that.

edo512 · 2009-07-03 20:57:21

Regarding bit inversion: indeed, if you use the askdemod then the mandemod routine based off "0/1" values - my original routine - it always gets back on its feet and demodulates all tags properly - I just noticed that you also added the "i" option there too, in my experience this should not be necessary? Can you confirm?

On the other hand, Samy's much more efficient algo assumes the initial bit value is "0" and hence sometimes gets it right, sometimes not. Typically, with the same EM tag, successive loread attempts lead to varying results.

My guess is that we need a way to detect when Samy's routine is unsynchronized and invert the bitstream, it should be possible! Anyone's got an idea?

Ed

Last edited by edo512 (2009-07-03 21:21:17)

duran97 · 2009-07-03 21:26:36

I'm using em410xsim 17004c2772 to simulate an existing tag I have. I read the ID from both my standard reader and using you em410xreadsim.

I just changed the firmware to your r29 release - yesterday I was using r28. Since changing the behaviour of the redlight is changed - now it's constantly on (along with the orange light) but much dinner than the normal.

I presume it shouldn't matter what my reader is. I will try my em410x cloner and see if that picks up the demotag.

em410watch also doesn't appear to work for me either. The redlight flashes and the client appears to lock up. Again slightly different behaviour to the r28 release (which didn't work either for me for em410watch).

duran97 · 2009-07-03 21:34:47

The reader is one of those generic desktop readers - see http://www.rfidshop.com.hk/datasheet/12 … USB-D1.JPG

duran97 · 2009-07-03 21:44:12

I do note that the behaviour of the red light isn't always consistent. It appears that it doesn't always come on when simulating. Hmmmm

Ground Loop · 2010-02-03 06:56:32

(Using SVN 317)

Confirmed that em410xsim works fine here, when read by a Phidget RFID reader. Tag values match exactly! Read range is slightly better than a real card, using the ZikZak antenna.

em410xwatch, however, just crashes the Linux and Windows prox client. Doing the same steps manually works just fine.

adam@algroup.co.uk · 2010-02-04 00:02:44

Yes, that was next on my list to look at... probably the same sync/async issue as losim...

adam@algroup.co.uk · 2010-02-05 00:18:36

OK, I think I fixed em410xwatch - rev 322 makes LF sampling ACK before we try and download/process....

Last edited by adam@algroup.co.uk (2010-02-05 00:33:41)

CardSaysMoops · 2010-03-18 17:40:34

em410xwatch works great!

Proxmark3 community

Announcement

#1 2009-07-02 04:42:47

New version of software: EM410x routines, offline mode, and more!

#2 2009-07-02 16:15:04

Re: New version of software: EM410x routines, offline mode, and more!

#3 2009-07-03 11:35:26

Re: New version of software: EM410x routines, offline mode, and more!

#4 2009-07-03 12:50:54

Re: New version of software: EM410x routines, offline mode, and more!

#5 2009-07-03 13:00:13

Re: New version of software: EM410x routines, offline mode, and more!

#6 2009-07-03 13:15:25

Re: New version of software: EM410x routines, offline mode, and more!

#7 2009-07-03 13:23:18

Re: New version of software: EM410x routines, offline mode, and more!

#8 2009-07-03 13:44:12

Re: New version of software: EM410x routines, offline mode, and more!

#9 2009-07-03 14:12:21

Re: New version of software: EM410x routines, offline mode, and more!

#10 2009-07-03 20:02:56

Re: New version of software: EM410x routines, offline mode, and more!

#11 2009-07-03 20:42:42

Re: New version of software: EM410x routines, offline mode, and more!

#12 2009-07-03 20:46:58

Re: New version of software: EM410x routines, offline mode, and more!

#13 2009-07-03 20:54:35

Re: New version of software: EM410x routines, offline mode, and more!

#14 2009-07-03 20:57:21

Re: New version of software: EM410x routines, offline mode, and more!

#15 2009-07-03 21:26:36

Re: New version of software: EM410x routines, offline mode, and more!

#16 2009-07-03 21:34:47

Re: New version of software: EM410x routines, offline mode, and more!

#17 2009-07-03 21:44:12

Re: New version of software: EM410x routines, offline mode, and more!

#18 2010-02-03 06:56:32

Re: New version of software: EM410x routines, offline mode, and more!

#19 2010-02-04 00:02:44

Re: New version of software: EM410x routines, offline mode, and more!

#20 2010-02-05 00:18:36

Re: New version of software: EM410x routines, offline mode, and more!

#21 2010-03-18 17:40:34

Re: New version of software: EM410x routines, offline mode, and more!

Board footer