EM4x with two tracks?

miaoski · 2016-09-21 04:56:54

Hi.
I'm new to Proxmark3. Thanks for this great tool; really love it!
I would like to clone my EM4x card (branded as Dr.ID) which has 2 set of codes in it.

What kind of chip can it be?
Is it possible to simulate such card with 2 sets of codes?
(I can work on it and send PR, if I know the right way to simulate it.)

It looks like a EM4x card at the first glance.

proxmark3> lf search
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

EM410x pattern found:

EM TAG ID      : EACE141C42
Unique TAG ID  : 5773283842

Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8          : 01317954
DEZ 10         : 3457424450
DEZ 5.5        : 52756.07234
DEZ 3.5A       : 234.07234
DEZ 3.5B       : 206.07234
DEZ 3.5C       : 020.07234
DEZ 14/IK2     : 01008479771714
DEZ 15/IK3     : 000375594170434
DEZ 20/ZK      : 05070703020803080402
}
Other          : 07234_020_01317954
Pattern Paxton : 3928513090 [0xEA285A42]
Pattern 1      : 4276580 [0x414164]
Pattern Sebury : 7234 20 1317954  [0x1C42 0x14 0x141C42]

Valid EM410x ID Found!

However, lf sim EACE141C42 didn't work for me. I borrowed cards from colleagues, and all of them read EACE141C42.
So I tried to rawdemod it.

proxmark3> data rawdemod am

Using Clock:64, Invert:0, Bits Found:469
ASK/Manchester - Clock: 64 - Decoded bitstream:
0001101010000101
1010011111111111
1011010011000111
0100011010010001
1110000100100101
1000011111111111
1011011011101111
0111101011001100
0001101010000101
1010011111111111
1011010011000111
0100011010010001
1110000100100101
1000011111111111
1011011011101111
0111101011001100
0001101010000101
1010011111111111
1011010011000111
0100011010010001
1110000100100101
1000011111111111
1011011011101111
0111101011001100
0001101010000101
1010011111111111
1011010011000111
0100011010010001
1110000100100101
10000
EM410x pattern found:
...

In fact, data rawdemod ab works as well. I'm not 100% sure it's in Manchester.
The first set of code looks fine. Manually checked its parity, it matches EM4100 spec.

1111111111110110100110001110100011010010001111000010010010110000
1111111111110110110111011110111101011001100000110101000010110100

111111111
11101 e
10100 a
11000 c
11101 e
00011 1
01001 4
00011 1
11000 c
01001 4
00101 2
10000
111111111
11101 e 
10110 b  huh?  wrong parity!
11101 e  
11101 e
11101 e
01100 6
11000 c
00110 3
10100 a
00101 2
10100

The card reader by the door reads 008-2908 as I beep the card.
However, I don't know how is 0x0B5C encoded in the second set.

Thanks in advance and thanks again for the great device!

iceman · 2016-09-21 07:31:34

interesting, the demod decodes to a valid EM410x, but it seem like your tag is a newer model like EM420x , EM430x.
The current code doesn't look for the extra blocks of data, since it got a valid EM410x .

However for the interest in Sim and Clone potential, how about you try these out and report back

LF SIM

lf simask FFF698E8D23C24B0FFF6DDEF598350B4

T55x7 Clone

block | data
 0 | 00148080    (EM configblock with maxblocks set to 4)
 1 | FFF698E8
 2 | D23C24B0
 3 | FFF6DDEF 
 4 | 598350B4

miaoski · 2016-09-21 13:47:36

Cool, both work like a charm!
Are you working on the code or do you mind accepting a push request?

Thank you again!

iceman · 2016-09-21 13:53:50

depends what you gonna push in your PR.,.

The second blocks of data doesn't contain correct em parities, so we need a way of identifying this properly. Do you have something in mind?

miaoski · 2016-09-21 14:20:46

I checked the data sheets and it looks more like EM4200, though Dr.ID doesn't comply with known standards (Manchester 64, ISO11785). I tried fixing the wrong parity and it fails to work. The wrong bit is likely designed on purpose.

My idea is to enhance lf search, so it reports EM4x with this non-standard data, and possibly add a function lf em4x dump, which removes duplicated data and fits it to preset lengths (64, 96, 128).

Do you think it's feasible?

iceman · 2016-09-21 14:39:04

we would need to identify the blockdata and how to decode it correct. The wrong parity is an issue. Maybe its inverse parity?
After that we can incorporate it into "LF SEARCH".

miaoski · 2016-09-22 10:55:25

I have collected six cards of the same type. All cards have that parity inverted, while other parities are even.

iceman · 2016-09-22 11:39:04

there is only one parity that changed in the second block and does not decodes to a valid id either.

iceman · 2016-09-22 11:41:04

I only found this one so far regarding decoding em4305 http://permalink.gmane.org/gmane.comp.d … devel/2085

Does someone have the datasheet for it?

marshmellow · 2016-09-22 15:16:29

http://www.emmicroelectronic.com/sites/ … 305_ds.pdf
but while that chip could be configured to output that (like the T55xx chips) it would not do that by default.

marshmellow · 2016-09-22 15:31:12

i've never seen a published chip with 2 111111111 headers. seems more likely it is a configurable chip and someone created a modified format?

Proxmark3 community

Announcement

#1 2016-09-21 04:56:54

EM4x with two tracks?

#2 2016-09-21 07:31:34

Re: EM4x with two tracks?

#3 2016-09-21 13:47:36

Re: EM4x with two tracks?

#4 2016-09-21 13:53:50

Re: EM4x with two tracks?

#5 2016-09-21 14:20:46

Re: EM4x with two tracks?

#6 2016-09-21 14:39:04

Re: EM4x with two tracks?

#7 2016-09-22 10:55:25

Re: EM4x with two tracks?

#8 2016-09-22 11:39:04

Re: EM4x with two tracks?

#9 2016-09-22 11:41:04

Re: EM4x with two tracks?

#10 2016-09-22 15:16:29

Re: EM4x with two tracks?

#11 2016-09-22 15:31:12

Re: EM4x with two tracks?

Board footer