Research, development and trades concerning the powerful Proxmark3 device.
Hi everyone,
I've stumbled upon a bag of LF tags, and I cannot seem to figure out how to interact with them.
They come as white cards, they look a lot like this, except with no characters printed on them and no HID branding.
They do not answer to
lf hid fskdemod
When I try
lf search u
I get :
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found:
EM TAG ID : 1111111111
Unique TAG ID : 8888888888
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 01118481
DEZ 10 : 0286331153
DEZ 5.5 : 04369.04369
DEZ 3.5A : 017.04369
DEZ 3.5B : 017.04369
DEZ 3.5C : 017.04369
DEZ 14/IK2 : 00073300775185
DEZ 15/IK3 : 000586406201480
DEZ 20/ZK : 08080808080808080808
}
Other : 04369_017_01118481
Pattern Paxton : 287657745 [0x11254F11]
Pattern 1 : 4342282 [0x42420A]
Pattern Sebury : 4369 17 1118481 [0x1111 0x11 0x111111]
Valid EM410x ID Found!
which I guess is a false positive, since the em4x commands do not seem to work...
Anyone ever encountered something like that?
Any idea as to what they might be?
What could I do to further test them?
Thanks!
Last edited by beben (2015-05-29 16:53:49)
If it spit out an em id then your tag is Manchester or BIPHASE encoded.
After an lf search, do a data rawd am
It is unusual to get a false positive on the em id like that. What em4x cmds are you talking about?
Thank you for your reply,
The output for the raw decoding using ask/manchester is :
Using Clock:64, Invert:0, Bits Found:467
ASK/Manchester decoded bitstream:
0011000110001100
0001111111110001
1000110001100011
0001100011000110
0011000110001100
0001111111110001
1000110001100011
0001100011000110
0011000110001100
0001111111110001
1000110001100011
0001100011000110
0011000110001100
0001111111110001
1000110001100011
0001100011000110
0011000110001100
0001111111110001
1000110001100011
0001100011000110
0011000110001100
0001111111110001
1000110001100011
0001100011000110
0011000110001100
0001111111110001
1000110001100011
0001100011000110
0011000110001100
000
EM410x pattern found:
EM TAG ID : 1111111111
Unique TAG ID : 8888888888
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 01118481
DEZ 10 : 0286331153
DEZ 5.5 : 04369.04369
DEZ 3.5A : 017.04369
DEZ 3.5B : 017.04369
DEZ 3.5C : 017.04369
DEZ 14/IK2 : 00073300775185
DEZ 15/IK3 : 000586406201480
DEZ 20/ZK : 08080808080808080808
}
Other : 04369_017_01118481
Pattern Paxton : 287657745 [0x11254F11]
Pattern 1 : 4342282 [0x42420A]
Pattern Sebury : 4369 17 1118481 [0x1111 0x11 0x111111]
Obviously, lf em4x em410xread gives me the same output as lf search, but lf em4x readword does not output anything, and writeword does not seem to work either.
As for em410xwrite, it prints "Tag written with 0x..." for each mode (T5555 and T55x7) but there is no change on the tag when I read it.
What you are suggesting is that they are plain em410x tags ?
In fact it might very well be the case, but the person who gave them to me told me he bought them a few years back as 'writeable RFID tags' but was never able to use them, I assumed they might be some type of emulated tag (T55XX or otherwise)...
The weird thing is, I have 10 tags, and they all have:
EM TAG ID : 1111111111
Unique TAG ID : 8888888888
Do you think he was simply ripped off, or might there be more to it ?
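The `lf search` output above (and the raw ASK/Manchester bitstream posted after `data rawd am`) is exactly what an EM410x frame looks like once demodulated: nine header ones, ten rows of four data bits plus an even row-parity bit, four column-parity bits and a stop bit, 64 bits in all. The following is an added example, not Proxmark3 client code: it takes the bitstream beben posted (embedded below as constructed input), locates and parity-checks the frame, and reproduces the "EM TAG ID", "Unique TAG ID" and the HoneyWell IdentKey DEZ patterns the client printed. The parity check is what separates a real EM410x read from a false positive; the byte slices used for each DEZ pattern are inferred from the values in the thread, not taken from the Proxmark3 source.

```python
"""EM410x frame parser and IdentKey de-scramble patterns (added example, not pm3 code)."""
from typing import Optional

# Constructed input: the 16-bit rows from beben's `data rawd am` output,
# concatenated in order (two full frames plus a partial third).
MANCHESTER_BITS = (
    "0011000110001100" "0001111111110001" "1000110001100011" "0001100011000110"
    "0011000110001100" "0001111111110001" "1000110001100011" "0001100011000110"
    "000"
)

HEADER = "1" * 9      # EM410x preamble: nine consecutive ones
FRAME_LEN = 64        # 9 header + 10 rows * 5 bits + 4 column parity + 1 stop bit


def parity_ok(frame: str) -> bool:
    """Even parity on each 4-bit row, even parity on each column, stop bit 0."""
    rows = [frame[9 + 5 * i: 9 + 5 * i + 5] for i in range(10)]
    for row in rows:
        if row[:4].count("1") % 2 != int(row[4]):
            return False
    col_parity = frame[59:63]
    for c in range(4):
        if sum(int(row[c]) for row in rows) % 2 != int(col_parity[c]):
            return False
    return frame[63] == "0"


def find_em410x_frame(bits: str) -> Optional[str]:
    """Return the first 64-bit window that starts with the preamble and passes
    all parity checks, or None. Searching for the preamble alone is what yields
    the false positives `lf search` warns about; the parity is the real test."""
    for start in range(len(bits) - FRAME_LEN + 1):
        if bits[start:start + 9] != HEADER:
            continue
        frame = bits[start:start + FRAME_LEN]
        if parity_ok(frame):
            return frame
    return None


def em410x_id(frame: str) -> int:
    """Concatenate the ten 4-bit data nibbles into the 40-bit tag ID."""
    nibbles = "".join(frame[9 + 5 * i: 9 + 5 * i + 4] for i in range(10))
    return int(nibbles, 2)


def unique_id(tag_id: int) -> int:
    """'Unique TAG ID': each of the five bytes bit-reversed (0x11 -> 0x88)."""
    out = 0
    for i in range(5):
        byte = (tag_id >> (8 * (4 - i))) & 0xFF
        out = (out << 8) | int(f"{byte:08b}"[::-1], 2)
    return out


def descramble(tag_id: int) -> dict:
    """HoneyWell IdentKey DEZ patterns as printed by the client. Which byte
    slices each pattern uses is inferred from the thread's values (assumption)."""
    uid = unique_id(tag_id)
    b = [(tag_id >> (8 * (4 - i))) & 0xFF for i in range(5)]   # b[0] is the MSB
    return {
        "DEZ 8": f"{tag_id & 0xFFFFFF:08d}",                       # low 3 bytes
        "DEZ 10": f"{tag_id & 0xFFFFFFFF:010d}",                   # low 4 bytes
        "DEZ 5.5": f"{(b[1] << 8) | b[2]:05d}.{(b[3] << 8) | b[4]:05d}",
        "DEZ 14/IK2": f"{tag_id:014d}",                            # full 40-bit ID
        "DEZ 15/IK3": f"{uid:015d}",                               # bit-reversed ID
        "DEZ 20/ZK": "".join(f"{(uid >> (4 * (9 - i))) & 0xF:02d}" for i in range(10)),
    }


def analyse(bits: str) -> Optional[dict]:
    """Full pipeline: demodulated bitstream -> validated IDs, or None if no
    frame passes parity (i.e. treat the 'pattern found' as a false positive)."""
    frame = find_em410x_frame(bits)
    if frame is None:
        return None
    tid = em410x_id(frame)
    return {"em_id": tid, "unique_id": unique_id(tid), **descramble(tid)}


if __name__ == "__main__":
    result = analyse(MANCHESTER_BITS)
    if result is None:
        print("no valid EM410x frame")
    else:
        print(f"EM TAG ID     : {result['em_id']:010X}")
        print(f"Unique TAG ID : {result['unique_id']:010X}")
        for name in ("DEZ 8", "DEZ 10", "DEZ 5.5", "DEZ 14/IK2", "DEZ 15/IK3", "DEZ 20/ZK"):
            print(f"{name:<11}: {result[name]}")
```

Run against the posted bitstream this reproduces ID 1111111111, Unique 8888888888 and the DEZ values in the thread; flip a single data bit and `analyse` returns None instead of a plausible-looking but wrong ID, which is the check a practitioner wants before trusting a "Valid EM410x ID Found!" line.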
Many ata55x7s come pre-formatted for em410x emulation. Did you try the lf t5 detect?
There are other chips that can emulate the em410x, but the ata55x7s are the most common.
BTW the em4x readword is for the em4x50 not em410x. And you can never write on a em410x as it is a read only chip. I believe that command was to clone an em410x to an ata55x7.
But true em410x are factory programmed to be unique. So your tags if programmed with the same number are not the em410x, but another chip emulating it.
Which means the chip is r/w and may still be if they aren't locked.
Thanks again,
lf t5 detect gives me:
clk 255
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
lf t5 trace and lf t5 info do not display anything with ask demod, or biphase[A] demod
lf t5 special gives me:
[00] 0x00000000 00000000000000000000000000000000
[01] 0x00000000 00000000000000000000000000000000
[02] 0x00000000 00000000000000000000000000000000
[03] 0x00000000 00000000000000000000000000000000
[04] 0x00000000 00000000000000000000000000000000
[05] 0x00000000 00000000000000000000000000000000
[06] 0x00000000 00000000000000000000000000000000
[07] 0x00000000 00000000000000000000000000000000
[08] 0x00000000 00000000000000000000000000000000
[09] 0x00000000 00000000000000000000000000000000
[10] 0x00000000 00000000000000000000000000000000
[11] 0x00000000 00000000000000000000000000000000
[12] 0x00000000 00000000000000000000000000000000
[13] 0x00000001 00000000000000000000000000000001
[14] 0x00000002 00000000000000000000000000000010
[15] 0x00000005 00000000000000000000000000000101
[16] 0x0000000A 00000000000000000000000000001010
[17] 0x00000015 00000000000000000000000000010101
[18] 0x0000002A 00000000000000000000000000101010
[19] 0x00000055 00000000000000000000000001010101
[20] 0x000000AA 00000000000000000000000010101010
[21] 0x00000155 00000000000000000000000101010101
[22] 0x000002AA 00000000000000000000001010101010
[23] 0x00000555 00000000000000000000010101010101
[24] 0x00000AAA 00000000000000000000101010101010
[25] 0x00001555 00000000000000000001010101010101
[26] 0x00002AAB 00000000000000000010101010101011
[27] 0x00005556 00000000000000000101010101010110
[28] 0x0000AAAD 00000000000000001010101010101101
[29] 0x0001555A 00000000000000010101010101011010
[30] 0x0002AAB5 00000000000000101010101010110101
[31] 0x0005556A 00000000000001010101010101101010
[32] 0x000AAAD5 00000000000010101010101011010101
[33] 0x001555AA 00000000000101010101010110101010
[34] 0x002AAB55 00000000001010101010101101010101
[35] 0x005556AA 00000000010101010101011010101010
[36] 0x00AAAD55 00000000101010101010110101010101
[37] 0x01555AAA 00000001010101010101101010101010
[38] 0x02AAB555 00000010101010101011010101010101
[39] 0x05556AAA 00000101010101010110101010101010
[40] 0x0AAAD555 00001010101010101101010101010101
[41] 0x1555AAAA 00010101010101011010101010101010
[42] 0x2AAB5555 00101010101010110101010101010101
[43] 0x5556AAAA 01010101010101101010101010101010
[44] 0xAAAD5555 10101010101011010101010101010101
[45] 0x555AAAAA 01010101010110101010101010101010
[46] 0xAAB55554 10101010101101010101010101010100
[47] 0x556AAAA9 01010101011010101010101010101001
[48] 0xAAD55552 10101010110101010101010101010010
[49] 0x55AAAAA5 01010101101010101010101010100101
[50] 0xAB55554A 10101011010101010101010101001010
[51] 0x56AAAA95 01010110101010101010101010010101
[52] 0xAD55552B 10101101010101010101010100101011
[53] 0x5AAAAA56 01011010101010101010101001010110
[54] 0xB55554AD 10110101010101010101010010101101
[55] 0x6AAAA95A 01101010101010101010100101011010
[56] 0xD55552B4 11010101010101010101001010110100
[57] 0xAAAAA569 10101010101010101010010101101001
[58] 0x55554AD2 01010101010101010100101011010010
[59] 0xAAAA95A5 10101010101010101001010110100101
[60] 0x55552B4A 01010101010101010010101101001010
[61] 0xAAAA5695 10101010101010100101011010010101
[62] 0x5554AD2B 01010101010101001010110100101011
[63] 0xAAA95A56 10101010101010010101101001010110
After LF t5 detect save a trace and post it. I could verify if it is an ata55x7 but just not detected (detection isn't perfect)
Done! the trace is here, thanks.
Last edited by beben (2015-05-28 14:36:32)
well that is odd. either the tag didn't receive the ata55x7 read command (part of detect), or it isn't an ata55x7.
how strong is your antenna? hw tune?
if you have a good antenna i'd lean towards your tag being one of the "other" writable multi-use lf chips. (em4305?)
just for fun you can try the lf t5 detect with your tag various distances from the antenna from right on it to about 1 inch away. sometimes that helps.
My antenna is pretty strong (maybe too strong?):
# LF antenna: 20.62 V @ 125.00 kHz
# LF antenna: 19.25 V @ 134.00 kHz
# LF optimal: 28.88 V @ 129.03 kHz
With the tag on it I get:
# LF antenna: 6.88 V @ 125.00 kHz
# LF antenna: 7.97 V @ 134.00 kHz
# LF optimal: 13.61 V @ 148.15 kHz
Varying the distance between reader and tag did not change anything.
i've found with stronger antennas it just means you might need to put a little space between it and the tag. (but other times it comes in handy and reads tags it otherwise can't.)
then your tag might be ata55x7 that is password protected. i believe somewhere around here there is a thread about a cloner that password protected the tags. you could try to write block 0 with a standard config (thus removing the password protection) while using different known passwords. if you get the right password and it is a ata55x7 that is locked you will have unlocked it.
(if it isn't a known password, then there is no known way to bypass it, just brute force which isn't really viable.)
it could also be a different chip. i don't believe, with just the pm3, you could identify any other chip that it might be without coding new functions..
Last edited by marshmellow (2015-05-28 17:34:55)
Ok, thanks again for your help!
I found the thread you mentioned and I can only assume you're right, the tags I have are password protected t55xx!
I've been trying a bunch of obvious passwords (0x00000000, 0x12345678, 0xa0a1a2a3, 0xffffffff,....) but I can't seem to find a list of default passwords similar to the one for mifare classic, with non-obvious but frequent passwords.
I'll just try to bruteforce it and hope I'll get lucky
Anyway, thank you very much for your time!
I thought the latest improvements in the T55xx section can tell you if a T55x7 has the password mode ON or not.
You may have some read only EMxxxx.... How many do you have? If they are the cards as you said then, you can easily peel off the back plastic cover and have a look at the chip. If you are lucky there is some visible marking on it.
If a t55xx is password protected there it will not respond to any t55xx command unless you have the password. So no way to detect even in the new code.
It is also possible it is an old q5, another poster indicated the t55xx command changes may have broken their compatibility with the q5. He also indicated v.0.0.7 of aspers compiled binaries worked with the q5 to write (but not read.)
Are you trying passwords on the write block command, attempting to overwrite the block 0 config with a config value that would unlock it, but keep the config the same(except the pwd bit)? Since the read commands kinda require the detect method first, and the detect method doesn't work on locked tags, the only way to test for passwords is to attempt to overwrite the config block with the proper config you want. Then if you hit the real pwd in a write command you'll be able to detect and read block 7 to verify what the pwd was.
Last edited by marshmellow (2015-05-29 14:06:14)
Hi app_o1, thank you for your suggestion!
I have 10 of them, all with the same ID.
Just opened one of them, the chip only has the numbers 43 and 05 written on each side, which leads me to believe that the tags are em4305
Mystery solved, I guess, now I have to find a compatible reader/writer....
the lf em writeword / readword commands might work with a em4305. i've been meaning to do some testing with that chip and the pm3, just haven't gotten to it.
I can confirm that lf em readword does something, I just wrote 0s in all 15 words with it and the card does not answer lf search anymore.
However lf em readword does not do anything, even on a brand new card.
the readword likely just sends a read command and doesn't demodulate the results, so you may need to data samples 20000, and data rawd am to demodulate what the tag sent back.
(that is how the original t55xx commands worked before iceman re-did them.)
yes, before the em410x / t55xx command only worked on the "lf read / data samples 20000" in graphbuffer..
which wasn't always so intuitive. I like to get data out when I issue a read command.. like they do in the HF commands.
So there is this older way of looking into LF, which among others the em4x50read/readword/readwordpwd works like.
and then you have the newer way of working, which you notice in t55xx, "lf search"
We added the option to still be able to load a trace and run the command, like you could in the old way.
so, yeah, there is not total harmony within the LF commands at the moment. you can see the pcf7931/indala/ti/hitag/hid subcommands and be confused.
But that is not what this thread is about..
If a t55xx tag is password protected, you will only get garbage out from the "lf t55 det/lf t55 read"..
Your trace is readable, so I don't think its password protected.
especially if you get a good output from "lf t55 info"
Last edited by iceman (2015-05-31 21:05:43)
Your trace is readable, so I don't think its password protected.
especially if you get a good output from "lf t55 info"
?? He didn't get detect or info to work... ?
His tag appears to be an em4305 not T55x7.
His trace just shows the normal output of the tags config, an em410x id (which is what you'd expect after a t55xx read if either the tag is locked or not a t55xx.)
Did I miss something? BTW I love the new t55xx cmds
oo, my bad in that case. I tought the trace was from a t55xx read...
Hi again,
Ran some more tests over the weekend, I can definitely modify the contents of the card with lf em4x writeword. However, it does not seem to follow the em4305 spec as seen on http://www.emmicroelectronic.com/sites/ … 305_ds.pdf. I tried writing a new UID (00000000) on word 1, and the tag started answering gibberish...
lf search returned:
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
BitLen: 29
Indala UID=00000000000000000000000000000 (0000000000000000000000000000000000000000000000000)
Valid Indala ID Found!
After modifying it once more (11111111), I got:
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
BitLen: 102
Indala UID=000000000000000000000000000000000000000000000000000000010101010101010110101010010101010101010101010101 (00000000000000000000000000000000000005555aa555555)
Valid Indala ID Found!
And finally, when I tried changing Word 0 (4ac00000), the tag stopped responding altogether, can't seem to make it work again.
I cannot compare contents with a working tag, because for some reason readword does not seem to work (only writeword appears to do something).
Once again, I come to you for help, do you have any ideas what could cause this ?
Thanks!
did you try comment #21 on the readword?
Sorry for the slow answer!
I did try it on the tag I successfully wrote, it gave me
proxmark3> lf em4x readword 0
Reading word 0
proxmark3> data sample 20000
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3> data rawd am
Using Clock:32, Invert:0, Bits Found:51
ASK/Manchester decoded bitstream:
0000110011110000
0111100000111100
0001111000000000
000
proxmark3> lf em4x readword 1
Reading word 1
proxmark3> data sample 20000
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3> data rawd am
Using Clock:32, Invert:0, Bits Found:52
ASK/Manchester decoded bitstream:
7000011000101001
1011010010001101
0110000010000111
0001
proxmark3> lf em4x readword 2
Reading word 2
proxmark3> data sample 20000
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3> data rawd am
Yup, there's a 7 in the BITstream for block 1...
On one of the virgin ones, it gave me:
proxmark3> lf em4x readword 0
Reading word 0
proxmark3> data sample 20000
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3> data rawd am
Using Clock:64, Invert:0, Bits Found:309
ASK/Manchester decoded bitstream:
0001010010011100
0000000000010000
0100000000001101
1100111111111000
1100011000110001
1000110001100011
0001100011000110
0000111111111000
1100011000110001
1000110001100011
0001100011000110
0000111111111000
1100011000110001
1000110001100011
0001100011000110
0000111111111000
1100011000110001
1000110001100011
0001100011000110
00001
EM410x pattern found:
EM TAG ID : 1111111111
Unique TAG ID : 8888888888
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 01118481
DEZ 10 : 0286331153
DEZ 5.5 : 04369.04369
DEZ 3.5A : 017.04369
DEZ 3.5B : 017.04369
DEZ 3.5C : 017.04369
DEZ 14/IK2 : 00073300775185
DEZ 15/IK3 : 000586406201480
DEZ 20/ZK : 08080808080808080808
}
Other : 04369_017_01118481
Pattern Paxton : 287657745 [0x11254F11]
Pattern 1 : 4342282 [0x42420A]
Pattern Sebury : 4369 17 1118481 [0x1111 0x11 0x111111]
I was swamped at work lately and didn't have much time to work on this, sorry!