Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-07-15 09:37:51

crispy
Contributor
Registered: 2015-07-14
Posts: 25

False positive - lf search - EM4100

Hi,

I have a unknown lf card.  Doing a lf search, the proxmark detected it as a EM4100 card, but I am confident it is not a EM4100 card because:
1. Copying it as a EM4100 card resulted in the copy not working.
2. I have a different device that I normally use to read EM4100 cards which I have used for a long time without problem.  This does not detect it as a EM4100 card.

I believe I saw another post in this thread with a similar thing and in the thread it had instructions on what to do. Something like to look for the 111111111 in the demod and then how to program block 0, 1, 2 & 3 in the t55x7 tag?

If anyone knows the post I am talking about, I would greatly appreciate if if you could link to it as I have spent much time searching for it.

Thanks

Offline

#2 2015-07-15 13:05:58

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: False positive - lf search - EM4100

There are different types of em410x with different clocks and number of bytes.  The em410xwrite does not cover them all.  So if you used that to clone it could fail. 

It is very rare, though I suppose not totally impossible, to get a false positive with current firmware on the em410x as it verifies multiple parties.

Offline

#3 2015-07-15 14:18:16

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: False positive - lf search - EM4100

Thanks marshmellow.  Would it be possible for me to please email you the data from the card for you to have a quick glance at?  If yes, can you please let me know your email or contact?

Offline

#4 2015-07-15 14:21:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: False positive - lf search - EM4100

Sure.

Last edited by marshmellow (2015-07-17 14:03:40)

Offline

#5 2015-07-16 17:30:31

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: False positive - lf search - EM4100

Very interesting, Can u please post it?

Offline

#6 2015-07-16 18:37:38

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: False positive - lf search - EM4100

Btw I haven't seen anything yet.

Offline

#7 2015-07-17 07:17:59

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: False positive - lf search - EM4100

marshmellow wrote:

Sure.  Email = [my name here]rf at g mail dot com

Thanks. I emailed it to you.

Offline

#8 2015-07-17 14:06:49

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: False positive - lf search - EM4100

Hmmm. I don't see it.

Offline

#9 2015-07-17 14:09:04

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: False positive - lf search - EM4100

Oops..  Found it, sorry.  I'll take a look in a little bit.

Offline

#10 2015-07-17 17:40:38

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: False positive - lf search - EM4100

the verdict is it is an em410x, just one of the rf/32 clock varieties instead of rf/64. so the em410xwrite did not clone it correctly (it uses rf/64)

Offline

#11 2015-07-17 17:42:47

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: False positive - lf search - EM4100

i suppose i could patch the command to take an optional argument for clock.  ...  soon - ish...

Offline

#12 2015-07-18 08:53:44

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: False positive - lf search - EM4100

marshmellow wrote:

i suppose i could patch the command to take an optional argument for clock.  ...  soon - ish...

Thanks for working out the problem.

In the meantime, would it be possible for me to write it with the normal em410xwrite command but then change block 0 by writing to it with the configuration block for EM4100 RF/32 instead of the  EM4100 RF/64?

Offline

#13 2015-07-18 09:26:44

crispy
Contributor
Registered: 2015-07-14
Posts: 25

Re: False positive - lf search - EM4100

Hi,

Would the following steps be the correct way to change the clock variety to RF/32 ?

1. program the card normally using the em410xwrite command. checking lf t55xx detect shows:

[== Undefined ==]
proxmark3> lf t55xx detect
clk 255
Modulation : ASK
Bit Rate   : 5 - RF/64
Inverted   : No
Offset     : 1
Block0     : 0x00148040

2. change block 0 from rf/64 to rf/32 with "lf t55xx write 0 0x00088040" command.  checking lf t55xx detect shows:

[== Undefined ==]
proxmark3> lf t55xx detect
clk 255
Found [2] possible matches for modulation.
--[1]---------------
Modulation : ASK
Bit Rate   : 2 - RF/32
Inverted   : No
Offset     : 0
Block0     : 0x00088040

--[2]---------------
Modulation : DIRECT/NRZ
Bit Rate   : 2 - RF/32
Inverted   : Yes
Offset     : 14
Block0     : 0x10080001

Could not detect modulation automatically. Try setting it manually with 'lf t55x
x config'

Offline

#14 2015-07-18 09:31:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: False positive - lf search - EM4100

It looks correct,  it found two matching modulations.
and it can't make a decision about it.

Try setting it manually... 
"lf t55xx config d ASK i 0 o 0 b 32" 

and then try reading the "lf t55xx info"

Offline

Board footer

Powered by FluxBB