Research, development and trades concerning the powerful Proxmark3 device.
Hello fellows,
I tried my new proxmark on a car key transponder.
According to the data sheet I have, the transponder should give an amplitude-modulated signal in the low-frequency domain.
The full data sheet is here: https://www.digchip.com/datasheets/download_datasheet.php?id=296845&part-number=EM4170
What I got from lf search is this signal:
Running the autocorrelation routine gives the following:
From what I see, I would say the signal's information is in the pauses after a pulse, where a pulse is a spike up followed by a spike down. It alternates between a short pause and a long pause. So the signal might just be the clock signal of 01010101010101...
A single bit takes 80 periods and so we have the big spike in the autocorrelation at 160 periods.
But according to the data sheet it should look like an amplitude-modulated signal, similar to the ones I get for my EM4100 card, where it works perfectly.
My questions are:
- Am I interpreting this signal wrong?
- Does anyone recognize this modulation scheme?
- Is the proxmark able to communicate with such a transponder? (if not with the current code, at least physically with a tailored code?)
Thanks for any clues!
Cheers
Stephan
Offline
did you try the "data raw" command?
Offline
Typing in 'data raw' prints the help for data rawdemod:
Usage: data rawdemod [modulation] <help>|<options>
[modulation] as 2 char, 'ab' for ask/biphase, 'am' for ask/manchester, 'ar' for ask/raw, 'fs' for fsk, ...
'nr' for nrz/direct, 'p1' for psk1, 'p2' for psk2
<help> as 'h', prints the help for the specific modulation
<options> see specific modulation help for optional parameters
sample: data rawdemod fs h = print help specific to fsk demod
: data rawdemod fs = demod GraphBuffer using: fsk - autodetect
: data rawdemod ab = demod GraphBuffer using: ask/biphase - autodetect
: data rawdemod am = demod GraphBuffer using: ask/manchester - autodetect
: data rawdemod ar = demod GraphBuffer using: ask/raw - autodetect
: data rawdemod nr = demod GraphBuffer using: nrz/direct - autodetect
: data rawdemod p1 = demod GraphBuffer using: psk1 - autodetect
: data rawdemod p2 = demod GraphBuffer using: psk2 - autodetect
Then I tried every one of those options. None of them produced any output, except for 'nr':
proxmark3> data rawdemod nr
Tried NRZ Demod using Clock: 8 - invert: 0 - Bits Found: 3745
NRZ demoded bitstream:
0000000000011000
0000011110000001
1000000001111000
0001100000000111
1000000110000000
0111100000011000
0000011110000001
1000000001111000
0001100000000111
1000000110000000
0111100000011000
0000011110000001
1000000001111000
0001100000000111
1000000110000000
0111100000011000
0000011110000001
1000000001111000
0001100000000111
1000000110000000
0111100000011000
0000011110000001
1000000001111000
0001100000000111
1000000110000000
0111100000011000
0000011110000001
1000000001111000
0001100000000111
1000000110000000
0111100000011000
0000011110000001
The plot window did not change for any option; it just shows the pulse signal shown in my opening post.
Offline
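The NRZ dump in the post above is periodic, and the repeat can be recovered programmatically rather than by eye. The following is an added example, not code from this thread or from the Proxmark3 project: it joins the 32 printed lines into one bitstream, scores every candidate lag with a normalised autocorrelation, takes the best-correlated lag as the repeating unit, and run-length encodes one unit so the pulse/pause structure the poster describes (pulse, short pause, pulse, long pause) becomes visible. The clock value 8 is taken from the demodulator output; the function names are my own.

```python
"""Recover the repeating unit of a demodulated NRZ bitstream by autocorrelation (added example)."""
from typing import List, Tuple

# The 32 lines printed by `data rawdemod nr` in the post above: a weak first
# line, six repeats of the same five lines, and one more copy of the second line.
NRZ_LINES = (
    ["0000000000011000"]
    + ["0000011110000001", "1000000001111000", "0001100000000111",
       "1000000110000000", "0111100000011000"] * 6
    + ["0000011110000001"]
)
CLOCK = 8  # samples per bit, as reported by the demodulator ("using Clock: 8")


def bits_from_lines(lines: List[str]) -> List[int]:
    """Join the printed lines into one list of 0/1 integers."""
    return [int(c) for line in lines for c in line.strip()]


def autocorr(bits: List[int], lag: int) -> float:
    """Normalised autocorrelation at one lag: +1 per matching pair, -1 per mismatch."""
    n = len(bits) - lag
    if n <= 0:
        return -1.0
    score = sum(1 if bits[i] == bits[i + lag] else -1 for i in range(n))
    return score / n


def find_period(bits: List[int], min_lag: int = 2) -> Tuple[int, float]:
    """Return the lag in [min_lag, len/2] with the strongest autocorrelation and its score.

    A weak-signal head (the first printed line here) only costs a few mismatches,
    so the true repeat still wins over neighbouring lags.
    """
    max_lag = len(bits) // 2
    best = max(range(min_lag, max_lag + 1), key=lambda lag: autocorr(bits, lag))
    return best, autocorr(bits, best)


def run_lengths(bits: List[int]) -> List[Tuple[int, int]]:
    """Run-length encode a bit list as (bit, count) pairs."""
    runs: List[Tuple[int, int]] = []
    for b in bits:
        if runs and runs[-1][0] == b:
            runs[-1] = (b, runs[-1][1] + 1)
        else:
            runs.append((b, 1))
    return runs


def repeating_unit(bits: List[int], period: int) -> List[Tuple[int, int]]:
    """Take one period (skipping the first, possibly weak one), rotate it so it
    starts on a rising edge, and return its run lengths."""
    unit = bits[period:2 * period]
    # rotate to the first 0->1 transition so the unit reads pulse-first
    for i in range(1, len(unit)):
        if unit[i - 1] == 0 and unit[i] == 1:
            unit = unit[i:] + unit[:i]
            break
    return run_lengths(unit)


def analyse(lines: List[str], clock: int) -> dict:
    """Period in bits and in samples (comparable to the autocorrelation plot), plus one unit."""
    bits = bits_from_lines(lines)
    period, score = find_period(bits)
    return {
        "period_bits": period,
        "period_samples": period * clock,
        "score": score,
        "unit": repeating_unit(bits, period),
    }


if __name__ == "__main__":
    result = analyse(NRZ_LINES, CLOCK)
    print(f"repeat every {result['period_bits']} bits "
          f"({result['period_samples']} samples, corr={result['score']:.3f})")
    print("one unit as runs:", result["unit"])
```

On this dump the best lag is 20 bits, which at clock 8 is 160 samples, the same spacing as the big spike the poster reports in the autocorrelation plot; the 80-bit line-to-line repeat is only the least common multiple of 16-bit print lines and the 20-bit unit. One unit run-length encodes as 4 ones, 6 zeros, 2 ones, 8 zeros: a pulse, a short pause, a pulse, a long pause.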
Interesting. The signal is weak, but I don't think our current demod routines will correctly demod it even if it were a strong read.
I'll take a closer look at the datasheet in a bit.
If you could post a link to a trace file, one read at 134 kHz and one read at the normal 125 kHz, it will help.
Offline
Thank you both very much for helping! It would be so cool if we can figure it out.
Here are the traces:
125 kHz:
http://en.file-upload.net/download-12239735/EM4170_lf_125khz.pm3.html
134 kHz:
http://en.file-upload.net/download-12239736/EM4170_lf_134khz.pm3.html
According to the data sheet it should operate at 125 kHz. The plot of the trace is in my opening post.
Here is the plot of the trace for 134 kHz:
Offline
sorry that site is loaded with viruses. can you use pastebin or something else?
Offline
Good call! Here are the two traces:
125 kHz: http://pastebin.com/1jj1NhDa
134 kHz: http://pastebin.com/tm389naR
Also, I made the discovery that when I snoop the trace while the car key is turned in the car, I get a more sophisticated signal:
Here is the trace for that: http://pastebin.com/zzSyZWkF
Does anyone know what kind of modulation that could be? When I use the built-in demodulation procedures I get:
proxmark3> data rawdemod fs
Using Clock:16, invert:0, fchigh:5, fclow:2
FSK?? decoded bitstream:
0100000000000010
0000010100000010
0000000100000001
0000000010000010
0000000101000000
0010000000000010
0000000000001000
00000000000
proxmark3> data rawdemod ab
proxmark3> data rawdemod am
proxmark3> data rawdemod ar
proxmark3> data rawdemod nr
Tried NRZ Demod using Clock: 16 - invert: 0 - Bits Found: 1881
NRZ demoded bitstream:
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000011111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
proxmark3> data rawdemod p1
proxmark3> data rawdemod p2
Offline
what you have is a tag in standby mode outputting a stream of LIW... (waiting for a command)
your snoop is a weak capture that kind of catches the reader's attempt to bring the tag out of the standby mode but it appears it was unsuccessful. (though it is a bit hard to tell with signal that weak)
how certain are you that this is an EM4170 chip?
Offline
Thanks for the answer!
I am not at all certain that I have an EM4170 chip, but that turned up when I was looking up what immobilizers VW uses.
Can you tell me what kind of modulation scheme is used here? Is it amplitude, frequency or phase or something else?
Do you have any idea why the signal is so weak? Is there a possibility to get a stronger signal?
Last edited by Tiberius (2017-01-13 19:38:39)
Offline
it is ASK, with custom marker bits like the LIW.
i assume the tag is small and inside a keyfob. these tend to be weaker or require a smaller more focused antenna.
what is the size and voltage of your antenna?
Offline
the reason i asked about the EM4170 is according to that datasheet the LIW doesn't match exactly...
i would guess you have an non-public version of the EM4170 chip. similar but not the same.
Offline
@marshmellow: Thanks, you know your stuff! But why does the trace look so different from the ones I get from the EM4100 card or even from the data sheet? As I understand it, I should see changing amplitudes of a wave, but this seems like some carrier wave with another wave multiplied and some phase jumps.
So, the built-in ASK routines of the proxmark didn't seem to work. Do you think there is any chance that it might work with new software? Then I would try to write new routines and contribute them. To my understanding the EM4170 is a very widespread car key transponder chip, so it could be useful.
I discovered that this is another possibility for the chip: http://pdf1.alldatasheet.com/datasheet-pdf/view/195868/EMMICRO/V4070.html
Offline
I've noticed weak ask waves can invert themselves and flip like that. I believe the signal is too weak for the low filters to work making the signal appear strange.
Offline
Step one is to find a way to increase the signal strength. Especially on the snoop. What is your antenna like?
Offline
I bought the whole kit: https://store.ryscc.com/products/new-proxmark3-kit ; an antenna was included, which can be seen on the site.
Noted, I think I will build my own antenna then to get a clearer signal. Is it possible to send a stronger excitation with the proxmark?
Offline
ah. yes that antenna is not very good for a snoop. (or keyfobs either..)
a better antenna would significantly help your cause.
Offline
for a decent tutorial on antennas take a look at: https://github.com/Proxmark/proxmark3/wiki/antennas
Offline
just note that for small tags you want a smaller diameter antenna, so maybe not one as big as the one shown in the wiki would be ideal for you. (maybe 3cm square is a good size)
Offline
@marshmellow: Ok, that explains my weak signal. I will be going right into antenna building.
Thanks for the tips!
One last question: You recognized immediately that the signal is weak. How do I see if a signal is weak? Is it about the max and min value under the lf search plot? For my EM4100 card this reads max=127 and min=127 and for the key fob in the best position it reads max=126 and min=-112. Are these volt values?
Alright, otherwise I come back if I had advances with the antenna build.
Offline
the plot window min and max do indicate signal strength. but experience has also taught me how ask signal deteriorates and how it tends to look on a weak read.
Offline
Hi,
it worked out great! I built a smaller antenna and got a readable signal from the RFID chip. I could identify it as the LIW signal from the EM4100 just as marshmellow predicted.
Here are some pictures from my antenna:
proxmark3> hw tune
Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)
......#db# DownloadFPGA(len: 42096)
.
# LF antenna: 36,16 V @ 125.00 kHz
# LF antenna: 38,23 V @ 134.00 kHz
# LF optimal: 47,30 V @ 127,66 kHz
# HF antenna: 1,17 V @ 13.56 MHz
# Your HF antenna is unusable.
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
And here is the transponder signal:
The markers mark the beginning and end of the LIW signal according to the data sheet.
So now comes phase two where I want to talk to the transponder. For that I have to work through the proxmark code, I guess and understand how the sending and receiving routines work.
Offline
That signal looks MUCH better..
So now comes phase two where I want to talk to the transponder. For that I have to work through the proxmark code, I guess and understand how the sending and receiving routines work.
correct. and you might need to understand the timers available on the pm3 hardware to get the kind of precise timing the chip is looking for. i won't sugar coat it, it won't be easy, but it is certainly doable.
Offline
I found the EM4170 Application Note, which is very helpful for understanding the communication process.
Are there already functions that read a tag for a while, then send something and then read again (for LF)? I am looking for the simplest procedure that does something like that and is also documented somewhere. Maybe the Mifare routines are the best options even though they are HF. As far as I understand, most of the LF routines just listen for the tag or simulate a saved id.
Any tips would be helpful.
Offline
The lf hitag might be the closest, but note that some of that code is pretty old and some parts may be unfinished
Offline
Is the EM4170 PWM-based? In that case, maybe look at the pcf7931
Offline
@marshmellow: I will check it out.
@Iceman: As I understand it from the data sheet page 11 (https://www.digchip.com/datasheets/download_datasheet.php?id=296845&part-number=EM4170) it works over amplitude modulation. The transceiver sends a continuous voltage over 32 periods to transmit a 1 and no voltage for 16 periods and then full voltage for 16 periods to transmit a zero:
---- = 1
__-- = 0
That leads to the problem that for a long sequence of ones the transponder and transceiver can get out of sync, since there is no clock in the transceiver signal.
The transponder instead uses amplitude modulation with manchester encoding:
--__ = 1
__-- = 0
Is there anything similar to this on the proxmark?
Offline
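The two encodings described in the post above can be written down as a small encoder/decoder to see the synchronisation problem concretely. This is an added example, not code from this thread or from the Proxmark3 project: it models the field envelope as one character per carrier period ('-' field on, '_' field off, the symbols the post draws with), uses the 16-period half-bits the post gives, and all function names are my own. The decoder treats a bit cell whose halves are not opposite as an error, which is exactly what a long run of reader-side ones looks like to a receiver that recovers its clock from edges.

```python
"""Reader-side OOK and tag-side Manchester framing as described in the post (added example)."""
from typing import List

HALF = 16           # carrier periods per half bit, from the post (32 periods per bit)
ON, OFF = "-", "_"  # field on / field off, same symbols the post uses


def reader_encode(bits: List[int]) -> str:
    """Reader -> tag: 1 = field on for 32 periods, 0 = off for 16 then on for 16."""
    return "".join(ON * 2 * HALF if b else OFF * HALF + ON * HALF for b in bits)


def tag_encode(bits: List[int]) -> str:
    """Tag -> reader, Manchester: 1 = on then off, 0 = off then on."""
    return "".join(ON * HALF + OFF * HALF if b else OFF * HALF + ON * HALF for b in bits)


def count_edges(envelope: str) -> int:
    """Number of on/off transitions, i.e. how many clock references a receiver gets."""
    return sum(1 for a, b in zip(envelope, envelope[1:]) if a != b)


def manchester_decode(envelope: str, half: int = HALF) -> List[int]:
    """Decode a Manchester envelope; raise ValueError on any cell that is not a
    valid symbol (both halves uniform and opposite to each other)."""
    if len(envelope) % (2 * half):
        raise ValueError("envelope is not a whole number of bit cells")
    bits: List[int] = []
    for start in range(0, len(envelope), 2 * half):
        first = envelope[start:start + half]
        second = envelope[start + half:start + 2 * half]
        if len(set(first)) != 1 or len(set(second)) != 1 or first[0] == second[0]:
            raise ValueError(f"cell at period {start} is not Manchester: {first + second!r}")
        bits.append(1 if first[0] == ON else 0)
    return bits


def sync_report(bits: List[int]) -> dict:
    """Compare how many edges the two encodings give a receiver for the same bits."""
    return {"reader_edges": count_edges(reader_encode(bits)),
            "tag_edges": count_edges(tag_encode(bits))}


if __name__ == "__main__":
    cmd = [1, 1, 1, 1, 1, 1, 1, 1]
    print(reader_encode(cmd))        # 256 periods of field on, no edges at all
    print(sync_report(cmd))          # {'reader_edges': 0, 'tag_edges': 15}
    resp = tag_encode([1, 0, 0, 1, 1])
    print(manchester_decode(resp))   # [1, 0, 0, 1, 1]
```

Eight reader-side ones produce a flat envelope with zero transitions, so nothing in the field tells the transponder where one bit ends and the next begins; the same eight bits in the tag's Manchester form carry an edge in the middle of every cell, which is why that direction stays in sync on its own.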
Sounds like OOK, on-off keying.
look into the t55xx commands on device side. armsrc/lfops.c (read/write t55xx) or the pcf7931 ... both use something similar, if I understand this correctly.
Offline
Thanks!
@Tiberius: Yes, a data sheet for an EM4095 reader that is supposed to read the EM4170 transponder describes it as On-Off keying.
@marshmellow: As I understand the Hitag uses something like Binary Pulse Length Modulation (BPLM)
Do you think the lf em4x commands contain anything useful? They sound similar by name, but I have not figured out whether they really send commands to the card.
Offline
So far the em4x cmds do not send any data to the card.
The pcf7931 are unfinished in that they do not properly listen for the liw window before attempting to send a command.
The t55xx cmds do not need to sync with any liw window and just blast the command to the chip and then listen for the response.
Offline
The hitag is the only example in lf where someone implemented true two way comms. But the protocol is a little different. (I'm not an expert here though so take my thoughts with a grain of salt.)
Offline
I guess you are referring to the >>lf hitag writer<< command. Then I will read up on this and try to copy the functionality.
Offline