Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-08-28 11:47:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Star wars Galaxy Edge - lightsables [EM 4x05]

Seem like there is a themepark Star Wars Galaxy Edge.

There you can buy lightsables of course,   which are driven by Kyber Crystals

Now these seems to be LF 4x05 tags.
Someone made a list of known values,  but even unknown / unreleased.

Time to make a list and lua script for easy simulation / configuration of suck Crystals.

ref
https://www.youtube.com/watch?v=fNlXbNlJkZo

Offline

#2 2019-12-11 22:28:42

risin247
Contributor
Registered: 2019-12-11
Posts: 5

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

I wanted to see if anyone has a follow-up on this, as I've been having a headache working on this for the last few hours.

Version I'm  Running: v3.1.0-166-ge73c9f1-suspect

Hardware ProxmarkRDV2

OS: windows 10

From everywhere I've been looking around the crystals appear to be 4305's.

it appears I can recognize the tags, but they seem to show up as 410xs

Checking for known tags:

EM410x pattern found:

EM TAG ID      : 0000000C0C

Possible de-scramble patterns
Unique TAG ID  : 0000003030
HoneyWell IdentKey {
DEZ 8          : 00003084
DEZ 10         : 0000003084
DEZ 5.5        : 00000.03084
DEZ 3.5A       : 000.03084
DEZ 3.5B       : 000.03084
DEZ 3.5C       : 000.03084
DEZ 14/IK2     : 00000000003084
DEZ 15/IK3     : 000000000012336
DEZ 20/ZK      : 00000000000003000300
}
Other          : 03084_000_00003084
Pattern Paxton : 1329676 [0x144A0C]
Pattern 1      : 1108 [0x454]
Pattern Sebury : 3084 0 3084  [0xC0C 0x0 0xC0C]

Valid EM410x ID Found!

However any attempted dump of the chip fails:

proxmark3> lf em 4x05d
Read Address 00 | failed
Read Address 01 | failed
 PWD Address 02 | cannot read
Read Address 03 | failed
Read Address 04 | failed
Read Address 05 | failed
Read Address 06 | failed
Read Address 07 | failed
Read Address 08 | failed
Read Address 09 | failed
Read Address 10 | failed
Read Address 11 | failed
Read Address 12 | failed
Read Address 13 | failed
Read Address 14 | failed
Read Address 15 | failed

How is it that it cant seem to read the addresses of the card, but can pull the ID just fine?  I've been able to clone T5577's to match the ID, but I've been unable to do much else with the tags themselves.

I've also gotten a write succesfull message on writing to address 6 - but scanning the chip again returns the same ID as the original.

Is this an issue with my Hardware/Firmware/Antenna? I've read 4305s are 'finicky', but I seem to be able to read them just fine.

Offline

#3 2019-12-12 08:30:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

interesting,
I see mixed info on the internet.

try

lf t55xx detect
lf t55xx info
lf t55xx dump

Because if its only a EM410x tag that the underlaying architecture is simulating with EM4305 ,  then you might just simulate it with T55x7 cards.   Also try the lf em410x sim aswell

Offline

#4 2019-12-12 17:11:01

risin247
Contributor
Registered: 2019-12-11
Posts: 5

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

"Also try the lf em410x sim aswell"

Do you mean to see if the hilt will detect it?  Cant do at the moment.  I've managed to get some t55xx's to work with displaying the same ID, but the hilt is currently at my brother in laws so I'm waiting a bit to test.  Are you not able to write to 410x's?

Checking for known tags:

EM410x pattern found:

EM TAG ID      : 0000000C0C

Possible de-scramble patterns
Unique TAG ID  : 0000003030
HoneyWell IdentKey {
DEZ 8          : 00003084
DEZ 10         : 0000003084
DEZ 5.5        : 00000.03084
DEZ 3.5A       : 000.03084
DEZ 3.5B       : 000.03084
DEZ 3.5C       : 000.03084
DEZ 14/IK2     : 00000000003084
DEZ 15/IK3     : 000000000012336
DEZ 20/ZK      : 00000000000003000300
}
Other          : 03084_000_00003084
Pattern Paxton : 1329676 [0x144A0C]
Pattern 1      : 1108 [0x454]
Pattern Sebury : 3084 0 3084  [0xC0C 0x0 0xC0C]

Valid EM410x ID Found!
proxmark3> data rawdemod am

Using Clock:64, Invert:0, Bits Found:468
ASK/Manchester - Clock: 64 - Decoded bitstream:
0000000000000000
0110000000011000
0000011111111100
0000000000000000
0000000000000000
0110000000011000
0000011111111100
0000000000000000
0000000000000000
0110000000011000
0000011111111100
0000000000000000
0000000000000000
0110000000011000
0000011111111100
0000000000000000
0000000000000000
0110000000011000
0000011111111100
0000000000000000
0000000000000000
0110000000011000
0000011111111100
0000000000000000
0000000000000000
0110000000011000
0000011111111100
0000000000000000
0000000000000000
0110

it looks like it can read the data, and when I attempt to read address 6, I can demod the data from the read, but everything it tells me says it fails:

proxmark3> lf em 4x05read 6
Reading address 06
Read Address 06 | failed
proxmark3> data rawdemod am

Using Clock:64, Invert:0, Bits Found:91
ASK/Manchester - Clock: 64 - Decoded bitstream:
1100000000000000
0000000000000000
0000011000000001
1000000001111111
1100000000000000
00000000000

When I run 4x05 dump and watch the graph output, it appears to just be repeating its ID for each address.  Is this chip read only? or does it not allow access to those without a password?

Offline

#5 2019-12-12 17:24:31

risin247
Contributor
Registered: 2019-12-11
Posts: 5

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

proxmark3> lf t5 con d ASK
Chip Type  : T55x7
Modulation : ASK
Bit Rate   : 0 - RF/8
Inverted   : No
Offset     : 0
Seq. Term. : No
Block0     : 0x00000000

proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
proxmark3>

t5 detect also fails (I've tried a lot of different configs) - even if the modulation is set to ASK (which I know its using).

Offline

#6 2019-12-13 02:08:46

risin247
Contributor
Registered: 2019-12-11
Posts: 5

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

Just got in another crystal to see if thats the issue - no dice.

Also ordered a pack of 4305's off amazon and I'm having the same issue.

is the Electhouse RDV2 not compatable? or is this the something with all the tags I'm getting?  How can I verify they arent password protected?

T5577s in the mail to see if they can work as a replacement tag.

Offline

#7 2019-12-14 18:55:56

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

Offline

#8 2019-12-25 12:32:23

MrJester
Contributor
Registered: 2019-12-23
Posts: 8

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

@risin247
     Any luck messing with these? I have also been playing with them running into the same issue as you. Wondering why the cheap knock off RFID Reader/Writers would work and the Proxmark3 would not? I did try the 410x_sim and was unable to get the lightsaber to recognize it.

Any idea how you would be able to write back a modified value back to the crystal with the Proxmark? I'm using a Proxmark3RDV4

Offline

#9 2019-12-27 20:07:20

ruthsarian
Contributor
Registered: 2019-12-26
Posts: 6

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

The RFID chips in the kyber crystals are EM4305s. They are configured with last word of 6, so in default read it's spitting out words 5 and 6 which contain data that match or simulate the EM4100 protocol. Other RFID chips that can do EM4100 will work with the Disney stuff. I've used T5577s myself for this.

I have a PM3 Easy and I find that to get it to detect the EM4305 I need to position the crystal vertically about 1 inch above the antenna. It will detect it laying on top of the antenna, but the 4x05 commands tend to not work and sometimes lf search will detect it as an 410x even when it's not. I've found leaving the crystal in the canister it comes in and sitting that vertically over the antenna provides that inch of height.

Sometimes the PM3 will detect it as an EM4305 when it's laying down over the antenna, but even rotating the crystal 30 degrees can put it in a position where the PM3 will see nothing. Maybe all these troubles are down to the nature of the antenna.

Here's an image gallery showing what's inside a kyber crystal, including verification it is an EM4305:
https://imgur.com/gallery/6WAiVDv

Offline

#10 2019-12-27 20:55:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

Awesome pictures, ruthsarian!

p9GfoEP.jpg

Offline

#11 2019-12-28 13:25:06

MrJester
Contributor
Registered: 2019-12-23
Posts: 8

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

@ruthsarian
     Thanks for the inel I will look into that later today. I don't actually have the container but I can still play with it and see if I can replicate what you are talking about with my crystal. Thanks.

Offline

#12 2019-12-28 22:12:07

MrJester
Contributor
Registered: 2019-12-23
Posts: 8

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

Hummmmm ya playing with my own crystal here I am unable to replicate what you saw. That sucks. I tried turning it every which way I could and holding it different distances. I can only get it to come up as EM410x using lf search. If I just try to do a 'lf em 4x05_read 6' It just always fails. I have one of the cheap knock off reader/writers showing up hopefully next week I will see what that does with my crystal.

Offline

#13 2019-12-30 02:17:44

ruthsarian
Contributor
Registered: 2019-12-26
Posts: 6

Offline

#14 2019-12-30 14:37:41

MrJester
Contributor
Registered: 2019-12-23
Posts: 8

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

What version of proxmark software are you running?

/opt/proxmark3$ ./pm3
[=] Waiting for Proxmark3 to appear...

          
  ██████╗ ███╗   ███╗ ████╗            
  ██╔══██╗████╗ ████║   ══█║           
  ██████╔╝██╔████╔██║ ████╔╝           
  ██╔═══╝ ██║╚██╔╝██║   ══█║     iceman@icesql.net          
  ██║     ██║ ╚═╝ ██║ ████╔╝    https://github.com/rfidresearchgroup/proxmark3/          
  ╚═╝     ╚═╝     ╚═╝ ╚═══╝  pre-release v4.0          
          
[=] Session log /home/rhays/.proxmark3/log_20191230.txt
[=] Using UART port /dev/ttyACM0           
[=] Communicating with PM3 over USB-CDC           
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.

 [ Proxmark3 RFID instrument ]           

 [ CLIENT ]           
  client: RRG/Iceman          
  compiled with GCC 8.3.0 OS:Linux ARCH:x86_64          

 [ PROXMARK3 RDV4 ]           
  external flash:                  present           
  smartcard reader:                present           

 [ PROXMARK3 RDV4 Extras ]           
  FPC USART for BT add-on support: absent           
          
 [ ARM ]
  bootrom: RRG/Iceman/master/a6a48f0e 2019-12-23 13:08:16
       os: RRG/Iceman/master/a6a48f0e 2019-12-23 13:08:25
  compiled with GCC 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]

 [ FPGA ]
  LF image built for 2s30vq100 on 2019-07-31 at 15:57:16
  HF image built for 2s30vq100 on 2018-09-03 at 21:40:23          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 275876 bytes (53%) Free: 248412 bytes (47%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

Then this is the device I am using

SNdZiTF.jpg

Last edited by MrJester (2019-12-30 14:46:57)

Offline

#15 2019-12-30 16:37:29

ruthsarian
Contributor
Registered: 2019-12-26
Posts: 6

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

I'm using Proxmark3 Master version v3.1.0-168-g5a03ea9-suspect.

Offline

#16 2019-12-30 21:25:23

MrJester
Contributor
Registered: 2019-12-23
Posts: 8

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

So I tested with Proxmark3 Master version v3.1.0-170

Seeing the same results with identifying as a 410x

q0Irz07.jpg

Offline

#17 2020-01-08 12:45:15

MrJester
Contributor
Registered: 2019-12-23
Posts: 8

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

So I finally got my knock off reader/writer in the mail. I was successful in writing to the RFID tag within the crystal. I’m still digging into why this one would work but I was unable to do this with my proxmark. I can post some pictures later.

Offline

#18 2020-05-05 03:37:40

t1v0
Contributor
Registered: 2020-04-23
Posts: 3

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

Any update on this?  I am trying with my RDV4, RDV and Easy and none of them have been able to detect it as 4305, no matter what position I try.  I've tried sim'ing a 410x with the same value but the handle doesn't seem to pick it up.

I've tried different builds of both the proxmark source and the iceman fork... no luck with any.

Ideas?

Offline

#19 2020-05-05 07:47:20

NeiJPass
Contributor
From: Usa
Registered: 2014-05-14
Posts: 37
Website

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

https://imgur.com/UFcigN3
I for EM4X05-EM4X50 I use other hardware knock EMDB409 official EM Electronics. "Chinese". Has official software and you can write, read etc

Last edited by NeiJPass (2020-05-05 07:48:00)

Offline

#20 2020-05-05 21:12:00

t1v0
Contributor
Registered: 2020-04-23
Posts: 3

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

So a little more testing today...

I can sim the 410x and it gets picked up by the holocron to at least change colour, but I haven't got it to do the different voices yet. Sim'ing doesn't seem to work on the RDV4.  I also tried sim'ing it with the RDV4 and then searching with a different proxmark and it doesn't get picked up.  The successful sim that the holocron picked up was on the RDV running the proxmark 3.1 (not iceman fork) firmware. 

Is sim maybe not working on the RDV4?

Still not able to get the saber to recognize the sim'ed card.  I ordered some 4305 fobs and a cheap reader/writer that I've seen other videos have luck with changing the code on the crystals with. 

Still very curious why the proxmarks I have can't seem to detect the 4305, where I've seen videos of others running very close firmware versions and it is working for them...

Offline

#21 2020-05-06 03:33:47

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

@t1v0

Is sim maybe not working on the RDV4?

The sim seems to be working on my tests with the RDV4
e.g.

lf em 410x_sim  0000000C0C

then I could read that via lf search with my other proxmarks as well as 2 cloners.

Offline

#22 2021-03-08 05:15:31

JoeT
Contributor
From: Tampa, FL
Registered: 2021-03-02
Posts: 9

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

So I jumped into this (like an idiot).   I cannot get either a PM3 RDV4/Iceman nor a Proxmark Pro to recognize either of two crystals as anything other than a 410x or an Indala.    I tried holding it every which way - different heights, different locations with respect to the antennas, everything.    Anyone else using these platforms and found the secret to getting these to ID/read properly?

Offline

#23 2021-03-15 06:45:43

JoeT
Contributor
From: Tampa, FL
Registered: 2021-03-02
Posts: 9

Re: Star wars Galaxy Edge - lightsables [EM 4x05]

If you are trying to work with Kyber Crystals with a Proxmark 3 RDV4, here's what you do:

1. Change the antenna to low Q by switching the switch on the bottom from "Range" to "Accurate".
   Otherwise, it has problems reading from and writing to the card.   Bear in mind that these are 4305 chipset tags emulating an EM 4100, 
   so you write it as a 4305, but an "lf search" will show it as an EM 4100. 

2. Place the crystal on it's one flat facet, with the "point" aimed at the LEDs and dead center on the antenna.

3. Run "lf em info" and "lf em 4x05 read -a 6".  If they both return responses, you should be ready to proceed. 

4. Go here and look up the value in the "Word 6" column for the crystal you want to program yours to be.
   Note that they are all in the format "xxxx3000".

5. Run "lf em 4x05 write -a 6 -d <word 6 value>"

6. Do another "lf em 4x05 read -a 6" and verify that the value programmed properly.

Note that in my testing on the only device I have - a Jedi holocron - you cannot use Sith voices; you simply get a red color and Yoda.   There is a way to put the Holocron in a quasi-Sith mode, but the Sith crystals don't seem to exactly work, they seem to play combinations of Jedi voices.    Figuring that all out is still a work in progress as I don't have either a lightsaber or a Sith holocron.


Also - if you want to program a T5577, use the EM Tag ID like so: "lf em 410x clone --id 0000000c0B".   If you orient the Jedi Holocron so that the crystal tray opens to the side and faces down, then you can place a small T5577 key-fob tag on the side that is now the top, and open and close the tray.   It will read the tag and use the accompanying voice, all without reprogramming an actual crystal.

Last edited by JoeT (2021-03-15 06:46:43)

Offline

Board footer

Powered by FluxBB