I would like to ask for your help about an RFID tag that is expressly claimed to be a MIFARE key (ISO 14443A), because I know you are REALLY GOOD at RFID; my interests are algorithms and I am really not good at electronics...
I have a 13.56 MHz reader/writer bought from http://www.stronglink.cn/english/reader.htm (model SL500F) and it is REALLY good at reading and also writing ISO 14443A/B and ISO 15693 (regretfully, it is not able to sniff), but the strange thing is that it is NOT able to access that Mifare tag... my questions are 2:
1) Is it possible that it is a Mifare 1K at 125 kHz? I don't think so because ISO 14443A + Mifare = 13.56 MHz, but I ask you for confirmation...
2) Is it possible that I am NOT ABLE to use the software with Mifare? I mean I have only used my reader/writer for SRIX4K (ISO 14443B, 13.56 MHz) and it works GREAT, but I don't have other Mifare spare tags. I attach a screenshot of the reader/writer's free software and I ask you to tell me what PURSE FUNCTION (top left of the image) is; maybe I set a wrong value there:
3) The last possibility is that IT'S NOT a Mifare but an old model. I attach the opened key contents:
The smaller one was a really old model with the antenna built externally (it had been removed because it was damaged during the opening operations)
Thank you very much for your help !
Last edited by asper (2013-04-28 10:14:07)
If anyone is interested I can send them the key to make some tests with; I will pay all the shipping costs! Is there anyone who can do me this favour? THANK YOU EVERYBODY IN ADVANCE!
Did you find your answer to this problem?
I have the same tag, but with an SCL3711 reader, and it doesn't see the tag
So I am very interested in this
Definitely it is NOT a Mifare tag (100% sure about that); it is a custom RFID device.
Last edited by asper (2011-10-16 07:45:41)
Definitely it is NOT a Mifare tag (100% sure about that); it is a custom RFID device.
1) You can contact Laser21, he has some cheap Proxmark3. Tell him that I told you.
2) You can send me the tags. I'll try to read them using my Pmark3. Contact me using internal DM if you want.
I answered you, check mail.
Maybe it is UHF tag?
Absolutely not, it is probably 95% an LF tag (4% HF tag or 1% custom-frequency tag); 100% sure it is not a standard communication because it went on the market before the RFID ISO standards came out.
Last edited by asper (2011-10-16 18:34:16)
Where are these tags used? What city, area, etc.? Can you see any logos or numbers/symbols on it?
Laundry/vending, used almost worldwide (USA and Europe) before 2007.
Is any of you able to understand, from the number of turns and from the capacitor value, the approximate tag frequency?
You can use the 5 euro-cent coin as a length reference (21.25 mm); thickness is under 1 mm and the antenna is in double layer.
http://ww1.microchip.com/downloads/en/AppNotes/00710c.pdf (page 11 or page 12 - I am not good at that...)
Anyway after some other tests it seems to react to 6.32 MHz, maybe some frequency under that (e.g. divided by 2 = 3.11 or similar).
EDIT: did some tests with some 14a, 14b and 15 commands... here are the results... any idea?
(the last command, hf 15 read, was followed by data hex samples but no results)
Last edited by asper (2011-10-24 17:41:07)
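A worked example added here (it is not code from asper or any other poster in this thread) showing the calculation behind the question above: the resonant frequency of the tag's LC circuit from an estimated coil inductance and the capacitor value, f0 = 1 / (2*pi*sqrt(L*C)). The inductance uses the Wheeler flat-spiral approximation; the number of turns, radii and capacitor value in the block are constructed placeholders, not measurements of the tag in the thread.

```python
"""Estimate the operating band of an unknown RFID tag from its antenna geometry
and tuning capacitor, using the resonant-circuit relation f0 = 1/(2*pi*sqrt(L*C)).

Added example, not from the forum thread. The inductance estimate is the Wheeler
flat-spiral approximation; the coil geometry and capacitor value used in main()
are constructed, not measured from the tag discussed above.
"""
import math

MU0 = 4 * math.pi * 1e-7  # permeability of free space, H/m


def spiral_inductance_h(n_turns, outer_radius_mm, inner_radius_mm):
    """Wheeler approximation for a flat (planar) spiral coil, result in henries.

    a = average radius, c = radial width of the winding, both in metres:
        L = 31.33 * mu0 * N^2 * a^2 / (8a + 11c)
    """
    if inner_radius_mm <= 0 or outer_radius_mm <= inner_radius_mm:
        raise ValueError("need 0 < inner radius < outer radius")
    a = (outer_radius_mm + inner_radius_mm) / 2 / 1000.0
    c = (outer_radius_mm - inner_radius_mm) / 1000.0
    return 31.33 * MU0 * n_turns ** 2 * a ** 2 / (8 * a + 11 * c)


def resonant_frequency_hz(inductance_h, capacitance_f):
    """f0 = 1 / (2*pi*sqrt(L*C))."""
    if inductance_h <= 0 or capacitance_f <= 0:
        raise ValueError("L and C must be positive")
    return 1.0 / (2 * math.pi * math.sqrt(inductance_h * capacitance_f))


def resonant_capacitance_f(inductance_h, frequency_hz):
    """Inverse relation: the capacitor that tunes a coil L to a given f0."""
    if inductance_h <= 0 or frequency_hz <= 0:
        raise ValueError("L and f must be positive")
    return 1.0 / ((2 * math.pi * frequency_hz) ** 2 * inductance_h)


def itu_band(frequency_hz):
    """Map a frequency onto the ITU band names commonly used for RFID."""
    if 30e3 <= frequency_hz < 300e3:
        return "LF"
    if 3e6 <= frequency_hz < 30e6:
        return "HF"
    if 300e6 <= frequency_hz < 3e9:
        return "UHF"
    return "other"


def estimate_tag(n_turns, outer_radius_mm, inner_radius_mm, capacitor_pf):
    """Inductance, resonant frequency and band for a measured coil plus capacitor."""
    l_h = spiral_inductance_h(n_turns, outer_radius_mm, inner_radius_mm)
    f_hz = resonant_frequency_hz(l_h, capacitor_pf * 1e-12)
    return {"inductance_h": l_h, "frequency_hz": f_hz, "band": itu_band(f_hz)}


if __name__ == "__main__":
    # Constructed geometry: 5 turns, 10 mm outer / 6 mm inner radius, 236 pF capacitor.
    result = estimate_tag(5, 10.0, 6.0, 236.0)
    print(f"L = {result['inductance_h'] * 1e9:.0f} nH, "
          f"f0 = {result['frequency_hz'] / 1e6:.2f} MHz, band = {result['band']}")
    # The same coil would need a microfarad-range capacitor to resonate at 125 kHz,
    # which is why LF tags use coils of hundreds of turns rather than a few.
    c_lf = resonant_capacitance_f(result["inductance_h"], 125e3)
    print(f"capacitor needed for 125 kHz with this coil: {c_lf * 1e6:.2f} uF")
```

Counting the turns and reading the capacitor marking is usually enough to tell LF from HF: a few turns with a capacitor in the tens or hundreds of picofarads points at 13.56 MHz, while a coil of hundreds of turns with a nanofarad-range capacitor points at 125 kHz.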
Can someone tell me what command to send? I can also access the official reader... any command to snoop?
Will a "higet" command help me determine what tag it is?
Last edited by asper (2011-10-25 08:33:47)
I resume this post:
I did again some tests using HF and LF antennas to identify the working frequency of that tag:
I have a little voltage INCREMENT only at 13.56 MHz (from 10.15 V to 10.28); should that mean that the frequency is LOWER than 13.56? The chip was manufactured by EM Microelectronic in 2000-2002 and is not a common chip but a custom one called H4062 (H was used by EM Microelectronic before the introduction of the EM suffix before the chip number, so it is an old chip with absolutely no documentation of it).
EM Microelectronic sheets (factsheets and/or datasheets) you can find on the web:
H4001 125 kHz Read only, 64 Bit
EM4102/H4102 125 kHz Read only, 64 Bit
H4003 125 kHz - 3.25 MHz Read only, 64 Bit
EM4005/EM4105 100~150 kHz Read only, 128 Bit ISO 11784/85 Compatible
EM4006/H4006 13.56 MHz Read only, 64 Bit
EM4022/P4022 Multifrequency NONE (64 Bit UID)
EM4025/EM4125 100~150 kHz Read only, 55 Bit
EM4026 125 kHz Read only, 64 Bit
EM4033 13.56 MHz Read only, 64 Bit ISO 15693
EM4034 13.56 MHz R/W, 448 Bit ISO 15693
EM4035 13.56 MHz R/W, 3.2K Bit ISO 15693
V4050 125 kHz R/W, 1024 Bit
V4070 125 kHz R/W, 160 Bit
V4082 ROM, 64 Bit
P4092 100~150 kHz Base Station
EM4055 125 kHz R/W, 1K Bit
EM4056/P4056 100~150 kHz R/W, 2K Bit
EM4069/EM4169 100~150 kHz R/W, 128 Bit
EM4083 115~140 kHz R/W, 512 Bit
EM4094 13.56 MHz Base Station ISO 15693-14443A/B
EM4095 125 kHz Booster Circuit
EM4100 100~150 kHz Read only, 64 Bit
EM4102 125 kHz Read only, 64 Bit
EM4105/EM4005 125 kHz Read only, 128 Bit
EM4122 860~960 MHz Read only, 64 Bit
EM4123 (replaces EM4122) 860~960 MHz Read only, 64 Bit
EM4124 860~960 MHz R/W, 176 Bits ISO18000
EM4126 860~960 MHz R/W, 224 Bits ISO18000
EM4133 13.56 MHz R/W, 512 Bit ISO 15693
EM4135 13.56 MHz R/W, 2432 Bit ISO 15693
EM4150/EM4350 100~150 kHz R/W, 1K Bit
EM4170 125 kHz R/W, 256 Bit
EM4200 (replaces EM4100/4102/4005/4105) 125~134.2 kHz Read only, 64 Bit ISO 11784/85 Compatible
EM4205/EM4305 125~134.2 kHz R/W, 512 Bit ISO 11784/85 Compatible
EM4222 300 MHz~2 GHz Read only, 64 Bit
EM4223 (replaces EM4035/EM4135) 800 MHz Read only, 128 Bit
EM4233 SLIC 13.56 MHz R/W, 1K Bit ISO 15693
EM4233 2k 13.56 MHz R/W, 2K Bit ISO 15693
EM4269 125 kHz R/W, 512 Bit ISO FDX-B
EM4294 13.56 MHz Front End ISO 15693/ISO 14443A/B
EM4322 125 kHz+6.8 MHz Read only, 64 Bit
EM4324 860~960 MHz Read only, 1024 Bit ISO 18000
EM4325 860~960 MHz R/W, 4096 Bit ISO 18000
EM4333 13.56 MHz R/W, 1K System+4K User+64KCode ISO15693-ISO14443A
EM4350/EM4150 100~150 kHz R/W, 1K Bit
EM4369 125 kHz R/W, 512 Bit ISO FDX-B
EM4444 300 MHz-2.4 GHz R/W, 512 Bit
EM4450/EM4550 (replaces EM4150/EM4350) 125 kHz R/W, 1024 Bit
EM4469 100~150 kHz R/W, 512 Bit ISO 11785 Compatible
EM4522 125 kHz+6.8 MHz R/W, 640 Bit
EM4550/EM4450 (replaces EM4150/EM4350) 125 kHz R/W, 1024 Bit
Last edited by asper (2013-04-28 10:22:44)
Thank you for sharing all this information asper.
Well, EM products are really a lot and datasheets are present for almost all of them (even if they are private you can find them on the net); if someone is interested in this project they can contact me, I would like to add also this undocumented EM chip I found.
Last edited by asper (2012-03-11 19:08:53)
Well, those datasheets are available on many PDF sites; some are difficult to get but you can find them if you have patience. To save you some hard-searching time, here is a link to the Datasheets and AN (Application Notes) of EM: http://www.sendspace.com/file/ec93ns
Maybe someone can add them to Proxmark because those PDFs are REALLY detailed !
Last edited by asper (2013-04-28 10:25:02)
It may very well use a proprietary modulation, algorithm and commands, but it is not likely it will use a different frequency. Those bands are often regulated by law in (almost) all countries. This means they can only sell them in a specific country where they acquired a special license for a certain frequency band (and it should be publicly available, since those transactions have to be transparent). If they use the open frequencies though (125-134 kHz / 13.56 MHz) then they are free to do what they want.
Maybe it uses the open UHF bands (433 MHz, 900 MHz, 2.45 GHz), but otherwise I think it is safe to assume it uses the "standard" frequency. Can you measure more precisely (maybe with a spectrum analyzer?)
The tag, under the proxmark antennas, shows NO modification at 125 kHz, and a 0.2 volt increment (not decrement) at 13.56 MHz.
The chip was manufactured in 1999-early 2000; maybe there was no standard at that time.
I don't think in 2000 there were 433 or 900 or 2500 MHz tags... don't you think?
I hope to bring with me an oscilloscope to test that frequency (mine is max 20 MHz capable; if someone can lend me a portable one I will return it as soon as I can).
Reading an411.pdf, it shows the most used frequencies (page 3):
PS: connecting the oscilloscope directly to the tag antenna, it measured only 1.4 kHz, but I think this is an error due to the internal tag circuitry (this cannot be the real frequency, it is too low in my opinion); I also recorded waves from the tag but I did not test a free copper coil inside the reader to test the real possible frequency.
The wav I recorded shows waves but they are too low to be understood (no specific line code can be identified): if someone is interested I can attach them.
Last edited by asper (2012-03-13 13:10:15)
What was the voltage on the O-scope? If the freq is not supposed to be 1400 Hz, then you most likely hit one of its multiples.
You can see the logs there: http://www.sendspace.com/file/hxus1f
The oscilloscope behaved in a weird way... it identified different frequencies but none of them (tested only 125 kHz and 13.56 MHz) seems to resonate using the tag and the PM3 antenna. I repeat, the logs were made by connecting the 2 tag-antenna extremities directly to the oscilloscope probe... someone suggested that I use a free copper coil without connecting directly to the antenna. Password is proxmark3
Any clues? I also have Audacity recordings made using a netbook audio-in "sniffer" (in theory tuned for 125 kHz).
PS: 1400 Hz (1.4 kHz) is in the range of ULF... too "ultra-low" I think for that kind of device... don't you think? Maybe a sub-multiple...
Last edited by asper (2012-03-13 19:45:14)
Does this mean you expect automatic modulation will appear? Simple LF tags use this kind of operation: they immediately start sending their identifier and keep on repeating it with only a delay or separator in between. If you look at more "sophisticated" LF tags, like the NXP Hitag series for example (produced from 1996), they only respond on a reader field after a certain "hello" command modulated by the reader (unless the tag is configured to operate in "public" mode, which is just broadcasting a simple identifier).
It could very well be that this tag needs a "trigger" command before it starts responding. You can try to look at the datasheets of similar products from EM and send the simple "select" commands to figure out which one it will respond to.
The logs were made connecting directly to the tag antenna and the tag was inserted in the reader, so it was surely "triggered"! I can see waveforms changing during the wav recordings but they have a non-common pattern, so probably the frequency recorded was not right.
These are 2 recordings (WAVs), one made with the 125 kHz filter and the other one without the filter; if someone is able to understand how it works it can be useful (what kind of line code it can be)! http://www.sendspace.com/file/jdfcdw
Last edited by asper (2012-03-14 19:41:50)
Can you post the waveforms here? I'm not sure I want to execute the www.sendspce.com download file. Sounds like trojans to me.
No file to execute, you probably clicked the wrong link; you should get a .rar archive (243.07KB), not an .exe. Click on "Click here to start download from sendspace"; maybe you are not familiar with sendspace pages?