Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2009-02-02 18:38:12

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

UNKNOWN TAG !!! Impossible to communicate !

I would like to ask you help about a RFID tag that is expressly claimed to be a MIFARE key ISO14443A because I know you are REALLY GOOD at RFID, my interests are alogs and I am really not good in electronics...

I have a 13.56Mhz reader/writer bought form http://www.stronglink.cn/english/reader.htm (model SL500F) and it is REALLY good in read and also write ISO14443A/B e ISO15693 (regretfully, it is not able to sniff) but the strange thing is that is NOT able to access that mifare tag... my questions are 2:

1) Is it possible that is a Mifare 1K at 125Khz ? I don't think so because ISO 14443A+Mifare = 13.56Mhz but I ask you for confirmation...

2) Is it possible that I am NOT ABLE to use the software with Mifare ? I mean I only used my reader/writer for SRIX4K (ISO14443B 13.56Mhz) and works GRAT but I don't have other mifare spare tags. I attach you a screen of the reader/writer free software and I ask you to tell me what PURSE FUNCTION (top left of the image) is, maybe I set a wrong value there:

immagine1gh9.th.jpg

3) The latest possibility is that IT'S NOT a Mifare but an old model. I attach you the opened key contents:

p1010531ht0.th.jpg

The smaller one was a really old model with the antenna built externally (had been removed because damaged during opening operations)

Thank you very much for your help !

Last edited by asper (2013-04-28 10:14:07)

Offline

#2 2009-02-03 14:56:30

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

If anyone is interested I can send him the key to make some tests with, I will pay for all the shipping costs ! Is there anyone who can do me this favour ? THANK YOU EVERYBODY IN ADVANCE !

Offline

#3 2011-10-16 07:44:47

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

Definitively it is NOT a mifare tag (100% sure about that); it is a custom RFID device.

Last edited by asper (2011-10-16 07:45:41)

Offline

#4 2011-10-16 14:47:46

moebius
Contributor
Registered: 2011-03-10
Posts: 206

Re: UNKNOWN TAG !!! Impossible to communicate !

asper wrote:

Definitively it is NOT a mifare tag (100% sure about that); it is a custom RFID device.

1) You can contact Laser21, he has some cheap Proxmark3. Tell him that I told you.

2) You can send me the tags. I'll try to read them using my Pmark3. Contact me using internal DM if you want.

cheers.

Offline

#5 2011-10-16 16:16:33

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

I answered you, check mail.

Offline

#6 2011-10-16 18:28:20

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: UNKNOWN TAG !!! Impossible to communicate !

Maybe it is UHF tag?

Offline

#7 2011-10-16 18:32:19

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

Absolutely not, it probably is 95% a LF tag (4% HF tag or 1% custom frequency tag); 100% sure it is not a standard communication because it went in the market before RFID ISO standards come out.

Last edited by asper (2011-10-16 18:34:16)

Offline

#8 2011-10-16 18:43:34

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: UNKNOWN TAG !!! Impossible to communicate !

Where this tags are used? What city, area, etc? Can you see any logos or numbers/symbols on it?

Offline

#9 2011-10-16 22:17:25

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

Laundry/vending, used almost worldwide (USA and Europe) before 2007.

Offline

#10 2011-10-24 16:58:47

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

Is someone of you good to understnad, from the turns number and from the capacitor value, the approximatetag frequency ?

You can use 5 euro-cents like lenght-referral (21.25 mm); thickness is under 1 mm and antenna is in double layer.

http://ww1.microchip.com/downloads/en/AppNotes/00710c.pdf  (PAG.11 or PAG12 - I am not good at that...)


Anyway after some other tests it seems to react to 6.32 MHz, maybe some frequency under that (es. divided by 2 = 3.11 or similar).



EDIT: did some test with some 14a 14b and 15 commands... here are the results... any idea ?

testfreq.gif

(last command, hf 15 read, was followed by data hexsamples but no results)

Last edited by asper (2011-10-24 17:41:07)

Offline

#11 2011-10-25 08:14:29

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

Can someone tell me what ocmmand to send ? I can also access the official reader... any command to snoop ?

Does an "higet" command will help me determine what tag is it ?

Last edited by asper (2011-10-25 08:33:47)

Offline

#12 2012-03-11 10:31:52

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

I resume this post:

I did again some tests using HF and LF antennas to identify the working frequency of that tag:

I have a little voltage INCREMENT only at 13.56MHz (from 10.15v to 10.28); should that mean that the frequency is LOWER than 13.56 ? The chip is manufactured from EM Microelectronic in 2000-2002 and is not a common chip but a custom one called H4062 (H was used by EM Microelectronics before the introduction of the EM suffix before chip number so is an old chip with absolutely no documentation of it).

EM Microelectronic sheets (factsheets and/or datasheets) you can find on the web::

H4001    125 kHz    Read only, 64 Bit   
EM4102/H4102    125 kHz    Read only, 64 Bit   
H4003    125 kHz - 3.25 MHz    Read only, 64 Bit   
EM4005/EM4105    100~150 kHz    Read only, 128 Bit    ISO 11784/85 Compatible
EM4006/H4006    13.56 MHz    Read only, 64 Bit   
EM4022/P4022    Multifrequency    NONE (64 Bit UID)   
EM4025/EM4125    100~150 kHz    Read only, 55 Bit   
EM4026    125 kHz    Read only, 64 Bit   
EM4033    13.56 MHz    Read only, 64 Bit    ISO 15693
EM4034    13.56 MHz    R/W, 448 Bit    ISO 15693
EM4035    13.56 MHz    R/W, 3.2K Bit    ISO 15693
V4050    125 KHz    R/W, 1024 Bit   
V4070    125 kHz    R/W, 160 Bit   
V4082        ROM, 64 Bit   
P4092    100~150 kHz    Base Station   
EM4055    125 kHz    R/W, 1K Bit   
EM4056/P4056    100~150 kHz    R/W, 2K Bit   
EM4069/EM4169    100~150 kHz    R/W, 128 Bit   
EM4083    115~140 kHz    R/W, 512 Bit   
EM4094    13.56 MHz    Base Station    ISO 15693-14443A/B
EM4095    125 kHz    Booster Circuit   
EM4100    100~150 kHz    Read only, 64 Bit   
EM4102    125 kHz    Read only, 64 Bit   
EM4105/EM4005    125 kHz    Read only, 128 Bit   
EM4122    860~960 MHz    Read only, 64 Bit   
EM4123 (replaces EM4122)    860~960 MHz    Read only, 64 Bit   
EM4124    860~960 MHz    R/W, 176 Bits    ISO18000
EM4126    860~960 MHz    R/W, 224 Bits    ISO18000
EM4133    13.56 MHz    R/W, 512 Bit    ISO 15693
EM4135    13.56 MHz    R/W, 2432 Bit    ISO 15693
EM4150/EM4350    100~150 kHz    R/W, 1K Bit   
EM4170    125 kHz    R/W, 256 Bit   
EM4200 (replaces EM4100/4102/4005/4105)    125~134.2 kHz    Read only, 64 Bit    ISO 11784/85 Compatible
EM4205/EM4305    125~134.2 kHz    R/W, 512 Bit    ISO 11784/85 Compatible
EM4222    300MHz~2GHz    Read only, 64 Bit   
EM4223 (replaces EM4035/EM4135)    800MHz    Read only, 128 Bit   
EM4233 SLIC    13.56 MHz    R/W, 1K Bit    ISO 15693
EM4233 2k    13.56 MHz    R/W, 2K Bit    ISO 15693
EM4269    125 kHz    R/W, 512 Bit    ISO FDX-B
EM4294    13.56 MHz    Front End    ISO 15693/ISO 14443A/B
EM4322    125kHz+6.8MHz    Read only, 64 Bit   
EM4324    860~960 MHz    Read only, 1024 Bit    ISO 18000
EM4325    860~960 MHz    R/W, 4096 Bit    ISO 18000
EM4333    13.56 MHz    R/W, 1K System+4K User+64KCode    ISO15693-ISO14443A
EM4350/EM4150    100~150 kHz    R/W, 1K Bit   
EM4369    125 kHz    R/W, 512 Bit    ISO FDX-B
EM4444    300MHz-2.4GHz    R/W, 512 Bit   
EM4450/EM4550 (replaces EM4150/EM4350)    125 kHz    R/W, 1024 Bit   
EM4469    100~150 KHz    R/W, 512 Bit    ISO 11785 Compatible
EM4522    125kHz+6.8MHz    R/W, 640 Bit   
EM4550/EM4450 (replaces EM4150/EM4350)    125 kHz    R/W, 1024 Bit

Last edited by asper (2013-04-28 10:22:44)

Offline

#13 2012-03-11 14:53:52

Raymond
Contributor
Registered: 2011-09-14
Posts: 30

Re: UNKNOWN TAG !!! Impossible to communicate !

Thank you for sharing all this information asper.

Offline

#14 2012-03-11 19:00:33

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

Well EM products are really a lot and datasheets are present for almost all of them (even if they are private you can find them on the net); if someone is interested in this project can contact me, I would like to add also this undocumented EM chip I found.

Last edited by asper (2012-03-11 19:08:53)

Offline

#15 2012-03-12 19:46:34

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

Well those datasheets are available in many PDFs sites, some are difficult to get but you can find tehm if you have patience; to save you some hard-searching time here is a link to the Datasheet and AN (Application Notes) of EM: http://www.sendspace.com/file/ec93ns

Maybe someone can add them to Proxmark because those PDFs are REALLY detailed !

Last edited by asper (2013-04-28 10:25:02)

Offline

#16 2012-03-13 12:37:08

rule
Member
Registered: 2008-05-21
Posts: 417

Re: UNKNOWN TAG !!! Impossible to communicate !

It very well can use a proprietary modulation, algorithm and commands, but it is not likely it will use a different frequency. Those bands are often regulated by law in (almost) all countries. This means they can only sell them in a specific country where they acquired a special license for a certain frequency band (and should be publicly available, since those transaction have to be transparent). If they use the open frequencies though (125-134 kHz / 13.56MHz) then they are free to do what they want.

Maybe it uses the open UHF bands (433 MHz, 900 MHz, 2.45 GHz), but otherwise I think it is safe to assume it uses the "standard" frequency. Can you measure more precise (maybe with a spectrum analyzer?)

Offline

#17 2012-03-13 13:03:53

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

The tag, under proxmark antennas, show NO modifcation at 125KHz, and 0.2volt increment (not decrement) at 13.56MHz.
The chip was manufactured in 1999-early 2000, maybe there was no standard at that time.
I don't think in 2000 there where 433 or 900 or 2500 MHz tags... don't you think ?
I hope to bring with me an oscilloscope to test that frequency (mine is max 20MHz capable if someone can lend me one portable I will renstitute it as soon as I can).
Reading an411.pdf it shows most used frequency (pag.3):

0...135kHz,
400kHz,
6.78MHz,
13.56MHz,
27.125MHz,
40.68MHz,
433.29MHz,
869MHz,
915MHz,
2.45GHz,
5.8GHz
24.125GHz

PS connecting directly to the tag antenna the oscilloscope measured only 1.4KHz but I think this is an error dued to the internal tag circuitry (this cannot be the real frequency, it is too low in my opinion); I also recorded waves from the tag but I did not test a free copper coil inside the reader to test the real possible frequency.
The wav I recorded shows waves but they are too low to be understood (no specific line code can be identified): if someone is interested I can attach them.

Last edited by asper (2012-03-13 13:10:15)

Offline

#18 2012-03-13 16:18:18

Bugman1400
Contributor
Registered: 2010-12-20
Posts: 132

Re: UNKNOWN TAG !!! Impossible to communicate !

What was the voltage on the O-scope? If the freq is not supposed to be 1400 Hz then, you most likely hit one of its multiples.

Offline

#19 2012-03-13 19:39:37

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

You can see the logs there: http://www.sendspace.com/file/5in1it
The oscilloscope behaved in a weired way... it identified different frequencies but no one of them (tested only 125KHz and 13.56MHz) seem to resonate using tag and PM3 antenna. I repeat, logs were made connecting directly the 2-tag-antenna-extremities to the oscilloscope probe... someone suggests me to use a free copper coil without connecting directly to the antenna. Pass is   proxmark3

Any clues ? I also have Audacity recordings using a netbook audio-in "sniffer" (in theory tuned for 125KHz).

PS 1400Hz (1.4KHz) are in the range of ULF... too "ultra-low" I think for that kind of device... don't you think ? Maybe a sub-multiple...

Last edited by asper (2013-06-01 09:20:12)

Offline

#20 2012-03-13 20:02:41

rule
Member
Registered: 2008-05-21
Posts: 417

Re: UNKNOWN TAG !!! Impossible to communicate !

Does this mean you expect automatic modulation will appear? Simple LF tags use this kind of operation, they immediately start sending their identifier and keep on repeating it with only a delay or separator in between. If you look at more "sophisticated" LF tags, like the NXP hitag series for example (produced from 1996). They only respond on a reader field after a certain "hello" command modulated by the reader (unless the tag is configured to operate in "public" mode, which is a broadcasting just a simple identifier).

It could very well this tag needs a "trigger" command before it starts responding. You can try to look at the datasheets of similar products from EM and send the simple "select" commands to figure out on which it will respond.

Offline

#21 2012-03-13 20:31:54

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

The logs were made connecting directly to the tag antenna and the tag was inserted in the reader so it was surely "triggered" ! I can see waveforms changing during wav recordings but they have a non-common pattern so probably the frequncy recorded was not right.

Offline

#22 2012-03-14 19:41:08

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

This are 2 recordings (WAVs) made one with 125KHz filter and the other one without the filter; if someone is able to understand how it works it can be useful (what kind of line code it can be) ! http://www.sendspace.com/file/jdfcdw

Last edited by asper (2012-03-14 19:41:50)

Offline

#23 2012-03-14 23:41:53

Bugman1400
Contributor
Registered: 2010-12-20
Posts: 132

Re: UNKNOWN TAG !!! Impossible to communicate !

Can you post the waveforms here? I'm not sure I want to execute the www.sendspce.com download file. Sounds like trojans to me.

Offline

#24 2012-03-15 11:00:00

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

No file to execute, you probably clicked the wrong link, you should get a .rar archive (243.07KB), not an .exe; click on "Click here to start download from sendspace"; maybe you are not familiar with sendspace pages ?

Offline

#25 2012-03-17 00:25:57

Bugman1400
Contributor
Registered: 2010-12-20
Posts: 132

Re: UNKNOWN TAG !!! Impossible to communicate !

asper wrote:

No file to execute, you probably clicked the wrong link, you should get a .rar archive (243.07KB), not an .exe; click on "Click here to start download from sendspace"; maybe you are not familiar with sendspace pages ?

No, I am not familiar with it and do not have an account but, you cannot click on anything on that link without an invitation to download iLivid.exe file.........no thank you.

Offline

#26 2012-03-17 09:17:40

YoungJules
Contributor
Registered: 2012-01-29
Posts: 60

Re: UNKNOWN TAG !!! Impossible to communicate !

Worked OK for me, but don't click on the first 'click here to start download..' link with the CD next to it!

Look for:

Desktop.rar
File Size: 243.07KB
Upgrade for Fast & Ad-free file transfers - See Plans and pricing
Click here to start download from sendspace

Offline

#27 2012-03-18 12:38:37

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

Sorry Bugman1400, maybe it is not immediate but, again, like YoungJules shows, there is no need to install iLivid.exe. If you can have a look at waveforms it will be useful for me, thank you smile

Offline

#28 2012-12-07 14:34:48

MagMeister
Contributor
Registered: 2012-12-04
Posts: 19

Re: UNKNOWN TAG !!! Impossible to communicate !

asper wrote:

I resume this post:

I did again some tests using HF and LF antennas to identify the working frequency of that tag:

I have a little voltage INCREMENT only at 13.56MHz (from 10.15v to 10.28); should that mean that the frequency is LOWER than 13.56 ? The chip is manufactured from EM Microelectronic in 2000-2002 and is not a common chip but a custom one called H4062 (H was used by EM Microelectronics before the introduction of the EM suffix before chip number so is an old chip with absolutely no documentation of it).

If someone is interested I also found lot of EM Microelectronic datasheets (not factsheest) files for many EM products, here is the list:

H4001    125 KHz    Read only, 64 Bit   
EM4102/H4102    125 KHz    Read only, 64 Bit   
H4003    125 KHz - 3.25 MHz    Read only, 64 Bit   
EM4005/EM4105    100~150 KHz    Read only, 128 Bit    ISO 11784/85 Compatible
EM4006/H4006    13.56 MHz    Read only, 64 Bit   
EM4022/P4022    Multifrequency    NONE (64 Bit UID)   
EM4025/EM4125    100~150 KHz    Read only, 55 Bit   
EM4033    13.56 MHz    Read only, 64 Bit    ISO 15693
EM4034    13.56 MHz    R/W, 448 Bit    ISO 15693
EM4035    13.56 MHz    R/W, 3.2K Bit    ISO 15693
V4050    125 KHz    R/W, 1024 Bit   
EM4055    125 KHz    R/W, 1K Bit   
EM4056/P4056    100~150 KHz    R/W, 2K Bit   
EM4069/EM4169    100~150 KHz    R/W, 128 Bit   
V4070    115~135    R/W, 160 Bit   
P4092    100~150 KHz    Base Station   
EM4094    13.56 MHz    Base Station    ISO 15693-14443A/B
EM4095    125 KHz    Booster Circuit   
EM4100    100~150 KHz    Read only, 64 Bit   
EM4102    125 KHz    Read only, 64 Bit   
EM4105    125 KHz    Read only, 128 Bit   
EM4033    13.56 MHz    Read only, 64 Bit (UID)    ISO 15693
EM4122    860~960 MHz    Read only, 64 Bit   
EM4123 (replaces EM4122)    860~960 MHz    Read only, 64 Bit   
EM4133    13.56 MHz    R/W, 512 Bit    ISO 15693
EM4135    13.56 MHz    R/W, 2432 Bit    ISO 15693
EM4150/EM4350    100~150 KHz    R/W, 1K Bit   
EM4170    125 KHz    R/W, 256 Bit   
EM4200 (replace EM4100/4102/4005/4105)    125~134.2 KHz    Read only, 64 Bit    ISO 11784/85 Compatible
EM4205/EM4305    125~134.2 KHz    R/W, 512 Bit    ISO 11784/85 Compatible
EM4233    13.56 MHz    R/W, 2K Bit    ISO 15693
EM4294    13.56 MHz    Front End    ISO 15693/ISO 14443A/B
EM4324    860~960 MHz    Read only, 1024 Bit    ISO 18000 6C
EM4450/EM4550    125 KHz    R/W, 1024 Bit   
EM4469    100~150 KHz    R/W, 512 Bit    ISO 11785 Compatible

asper, I'm interested in the datasheets. Is there any way to download them?

Offline

#29 2012-12-07 14:37:38

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

http://www.proxmark.org/files/ smile

Offline

#30 2012-12-07 16:36:10

MagMeister
Contributor
Registered: 2012-12-04
Posts: 19

Re: UNKNOWN TAG !!! Impossible to communicate !

asper wrote:

http://www.proxmark.org/files/ smile

Where do I have to look? Can't find EM4233 for example...

Offline

#31 2012-12-07 17:27:46

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: UNKNOWN TAG !!! Impossible to communicate !

Well you are right, probably they had been removed. They were there at least 2 month ago.

Offline

#32 2012-12-07 17:29:09

MagMeister
Contributor
Registered: 2012-12-04
Posts: 19

Re: UNKNOWN TAG !!! Impossible to communicate !

sad

Offline

Board footer

Powered by FluxBB