Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#1 2017-01-11 16:18:59

marcuch
Contributor
Registered: 2016-12-09
Posts: 9

Writing EM4305 tags

Hi everyone, and happy new year!

Has anyone of you ever managed to write the UID on an EM4305 tag?
The lf em4x em410xwrite command returns a correct message, but nothing is really written to the tag.

Any ideas? Thanks in advance!

#2 2017-01-11 16:24:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Writing EM4305 tags

'em410xwrite'  writes a uid to a T55x7 tag,  which in turn emulates em410x when read.

#3 2017-01-12 05:36:45

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Writing EM4305 tags

Iceman is correct.  No EM4305 cmds have been written in the firmware yet.  Feel free to add it in.

#4 2017-01-17 09:15:57

marcuch
Contributor
Registered: 2016-12-09
Posts: 9

Re: Writing EM4305 tags

Thanks to both of you for the answer! I hadn't understood the use of em410xwrite...

#5 2017-01-18 17:40:35

marcuch
Contributor
Registered: 2016-12-09
Posts: 9

Re: Writing EM4305 tags

Hello again, still working with EM4305 tags.

When using lf search, the card finds an EM410x pattern:

EM410x pattern found: 

EM TAG ID      : 4305FAA555
Unique TAG ID  : C2A05FA5AA
(...)

When trying to get the same information by myself, once ASK/Manchester demodulated, I get the following sequence:

0000001010111101
0100101000101001
0100101010000111
1111110100100110
0000001010111101
0100101000101001
0100101010000111
1111110100100110
0000001010111101
0100101000101001
0100101010000111
1111110100100110
0000001010111101
0100101000101001
0100101010000111
1111110100100110
0000001010111101
0100101000101001
0100101010000111
111111

That, once rearranged, gives the following values:

111111111
0100 1  x4
0011 0  x3
0000 0  x0
0101 0  x5
1111 0  xF
1010 0  xA
1010 0  xA
0101 0  x5
0101 0  x5
0101 0  x5
1000 0

This corresponds to the EM Tag ID found by lf search. My question is: where does the Unique TAG ID come from? In this case it is C2A05FA5AA. Shouldn't it also be contained in the demodulated data?

Thanks in advance!

#6 2017-01-18 18:33:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Writing EM4305 tags

The unique id is a scrambled version of the EM TAG ID.

#7 2017-01-18 20:25:00

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Writing EM4305 tags

As with the other IDs listed below the EM ID, it is a subset of the EM ID as read by some commercial readers.
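
The decoding worked through in post #5 and the "scrambled version" answer in #6, carried out in code as an added example (it is not part of this thread and not the Proxmark3 client's own code). It assumes the standard EM410x frame layout (9 header ones, ten rows of 4 data bits plus even row parity, 4 column-parity bits, a 0 stop bit) and that the Unique TAG ID is the EM TAG ID with the bit order reversed inside each byte; that relation reproduces the two values posted above (4305FAA555 and C2A05FA5AA). The encoder is the same frame em410xwrite programs into a T55x7 so that it reads as an EM410x tag.

```python
# Added example, not code from this thread or from the Proxmark3 client.
# Assumed EM410x frame layout (standard for the chip family):
#   9 header bits of 1, then ten rows of 4 data bits + 1 even parity bit,
#   then 4 column-parity bits (even parity down each bit column), then a 0 stop bit.
from typing import Optional

HEADER = "1" * 9

# Constructed input: the demodulated bits from post #5, joined into one string.
# The stream simply repeats the same 64-bit frame.
CAPTURED_BITS = (
    "0000001010111101" "0100101000101001" "0100101010000111" "1111110100100110"
    "0000001010111101" "0100101000101001" "0100101010000111" "1111110100100110"
    "0000001010111101" "0100101000101001" "0100101010000111" "111111"
)


def em410x_encode(tag_id: int) -> str:
    """Build the 64-bit EM410x frame for a 40-bit ID (what em410xwrite programs into a T55x7)."""
    if not 0 <= tag_id < (1 << 40):
        raise ValueError("EM410x IDs are 40 bits")
    bits = HEADER
    col_parity = [0, 0, 0, 0]
    for i in range(10):                       # ten nibbles, most significant first
        nibble = (tag_id >> (4 * (9 - i))) & 0xF
        row = [(nibble >> (3 - b)) & 1 for b in range(4)]
        bits += "".join(map(str, row)) + str(sum(row) & 1)   # data + even row parity
        for b in range(4):
            col_parity[b] ^= row[b]
    return bits + "".join(map(str, col_parity)) + "0"        # column parity + stop bit


def em410x_decode(bits: str) -> Optional[int]:
    """Slide over a demodulated bit string; return the first ID whose parities all check, else None."""
    for start in range(len(bits) - 63):
        frame = bits[start:start + 64]
        if not frame.startswith(HEADER) or frame[63] != "0":
            continue
        col_parity = [0, 0, 0, 0]
        value = 0
        for i in range(10):
            row = frame[9 + 5 * i:14 + 5 * i]
            data = [int(c) for c in row[:4]]
            if (sum(data) & 1) != int(row[4]):
                break                          # row parity mismatch: not a real frame here
            for b in range(4):
                col_parity[b] ^= data[b]
            value = (value << 4) | int(row[:4], 2)
        else:
            if "".join(map(str, col_parity)) == frame[59:63]:
                return value
    return None


def unique_tag_id(tag_id: int) -> int:
    """Reverse the bit order inside each of the five ID bytes; this gives the 'Unique TAG ID' line."""
    out = 0
    for i in range(5):
        byte = (tag_id >> (8 * (4 - i))) & 0xFF
        out = (out << 8) | int(f"{byte:08b}"[::-1], 2)
    return out


if __name__ == "__main__":
    em_id = em410x_decode(CAPTURED_BITS)
    print(f"EM TAG ID      : {em_id:010X}")
    print(f"Unique TAG ID  : {unique_tag_id(em_id):010X}")
    print("re-encoded frame matches capture:", em410x_encode(em_id) in CAPTURED_BITS)
```

The decoder refuses any window whose row or column parity does not check, so a single flipped bit in a demodulated stream yields no ID rather than a wrong one; when lf search prints a "found" ID it has passed the same kind of check, which is why the rearranged table in post #5 lines up nibble by nibble with the printed EM TAG ID.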

#8 2017-01-19 11:22:32

marcuch
Contributor
Registered: 2016-12-09
Posts: 9

Re: Writing EM4305 tags

Good information. Thanks again!

#9 2017-02-12 20:41:23

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Writing EM4305 tags

To correct some information I said before:

Actually the lf em readword and lf em writeword commands are such that they might work with an EM4305 tag. They seem to have been built for EM4469/EM4569 tags, which share the same read/write commands as the EM4305.

It appears the timings may need adjustment for some antennas/PM3 hardware though, as I was not able to get any commands to work without adjusting these for my EM tags. (I had to adjust the zero-bit send off period to 20 and on period to 12, from 23 and 9.)

You also would have to fully understand the memory map and datasheet of this tag, as it can be a bit challenging to understand all the bit-order stuff before attempting to write to it.

#10 2017-02-12 21:31:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Writing EM4305 tags

Excellent!
Do you have some EM4469/EM4569 tags also to test with?  Or maybe someone else has?

#11 2017-02-13 06:38:47

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Writing EM4305 tags

I do not have any of the EM4x69 tags (that I am aware of, at least; I do have some tags that don't seem to match either datasheet but respond to the read/write commands).

#12 2017-02-18 05:46:33

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Writing EM4305 tags

My fork now has a preliminary fully functioning readword and dump for the em4x05/em4x69.  (Also the write cmd now will read back the verification msg from the card to validate it took)

I renamed the 'lf em readword' and 'lf em writeword' to
lf em 4x05readword
lf em 4x05writeword

And added
lf em 4x05dump

After some further testing and maybe a few other cmds for this chip I'll issue a pull request to the master repo.

#13 2017-02-18 05:46:41

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Writing EM4305 tags

Note also I renamed the other em chip commands to drop the redundant em in them.  Like:
lf em em410xdemod
to:
lf em 410xdemod

#14 2017-02-18 08:44:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Writing EM4305 tags

Great job @Marshmellow!

May I suggest dropping the word part in the commands as well. Make it more similar to all the other read commands.

lf em 4x50read
lf em 4x50write

#15 2017-02-18 14:13:07

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Writing EM4305 tags

iceman wrote:

Great job @Marshmellow!

May I suggest dropping the word part in the commands as well. Make it more similar to all the other read commands.

We still need to separate it from default read mode.  You don't have to type the whole thing out as the cmds work with only part of it typed in. 
We aren't just reading the tag, we are reading the memory words on the chip.

#16 2017-02-18 17:20:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,506

Re: Writing EM4305 tags

Yes, we do need to separate it from default read mode indeed. Just like the t55xx commands, which still follow the easy short "read/write" commands, I think em would need something similar.

lf em read
lf em info

would give default read mode, and some kind of identification on current tag.

-- 4x50
lf em 4x50 read
lf em 4x50 write
lf em 4x50 dump
would give command mode, and rewriting em tags.

#17 2017-02-22 17:39:07

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Writing EM4305 tags

I've just created the pull request to bring the rebuild of the EM4x05/EM4x69 read and write commands that I've been working on to the master repo.

NOTE: ALL the lf em command structure has changed.
The old `lf em4x em4...` style was very redundant, so it has been changed to `lf em 4...`.

I also renamed the readword and writeword to more clearly be `lf em 4x05readword` and `lf em 4x05writeword` (and iceman was so kind to provide the merge of the pwd options into the main commands).

Also, with this rewrite the new 4x05readword will automatically attempt to demod the response from the tag and output the results. This is much easier to do accurately on these chips than on the t55xx chips, due to the response protocol the chip follows.

The 4x05writeword will also attempt to read the chip response to validate the write was successful.

To summarize the new or re-written commands:
lf em 4x05readword [address] (pwd)
lf em 4x05writeword [address] [data] (pwd)
lf em 4x05info (pwd)
lf em 4x05dump (pwd)

Please note: em4x05 and em4x69 chips are compatible with these commands but other chips (like em4x50) are NOT and were never designed to be.

You may also notice the lf search now may sometimes indicate it found a valid em4x05 chip, after indicating the format and ID of the tag. (Yes, it is possible to find a valid HID tag and a valid EM4x05 chip.)