Now available: EM410x tag simulator AND cloner!

samy · 2009-07-01 06:09:32

Hi guys,

So got my pm3 the other day and started a bunch of development. I should be getting access to the google code repo soon and will be submitting all of my changes, but I know some people are as eager as me to get their hands on new code!

So I've created various new functions for different things. Some of the more interesting functions are below.

Emulating EM410x tags. You can specify the 40 bit tag ID (in hex) you want your proxmark3 to behave as like so:
em410xsim [tagid]
Example:
em410xsim 12deadbeef

This begins simulating the ID you specified. You can then confirm with something like a Phidgets reader.

Cloning is also incredibly easy now...will post in new topic.

You can get these sources for now at http://samy.pl/proxmark3/current/winsrc/

I'll update this topic once it's in the SVN tree.

atrox · 2010-01-22 17:19:20

I'm using svn-314 but can't get the simulator to work - I've tried to simulate a tag to a codatex-reader and another PM3. the other reader simply does not find any tag at all - so I hook up a scope: the PM3 does nothing - not even deactivating the 125khz generator (which it should, since as a tag you are passive and wait for the readers field, not generate your own)

but even when i reset the PM3 before, the other reader does not detect an ID.

in former (svn262) svn versions, i could abort the simulation by pressing the key on the pm3, since i've installed 314 this doesnt work either

Andreas · 2010-01-25 20:47:25

I wanted to do some debugging on this issue and added two statements
which somehow solved problem :-/ ...

I guess the ARM crashes during the sample download (timing issue)
the attached patch is not a fix, its only a very ugly workaround.

Index: appmain.c
===================================================================
--- appmain.c   (revision 314)
+++ appmain.c   (working copy)
 #ifdef WITH_ISO15693
                case CMD_SIMTAG_ISO_15693:
                        SimTagIso15693(c->arg[0]);
@@ -718,12 +722,14 @@
                case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
                        BYTE *b = (BYTE *)BigBuf;
                        memcpy(b+c->arg[0], c->d.asBytes, 48);
+                        Dbprintf("position: %u", c->arg[0]);
                        break;
                }

 #ifdef WITH_LF
                case CMD_SIMULATE_TAG_125K:
                        LED_A_ON();
+                        Dbprintf("CMD_SIMULATE_TAG_125K");
                        SimulateTagLowFrequency(c->arg[0], 1);
                        LED_A_OFF();
                        break;

adam@algroup.co.uk · 2010-01-28 16:25:54

Funny - I just had the same problem - I've put a debug message into the latest commit, but it's commented out because I wasn't sure if it was just my machine... It does definitely seem to be a USB timing thing though... Guess we need to look into this further!

adam@algroup.co.uk · 2010-01-29 10:30:06

OK, I think I've fixed this by having the proxmark ACK the transfer of each block... r317...

proxcat · 2010-01-29 14:48:37

I was having the same problem when running in Linux. Did anyone observe the same behavior under Windows?

After updating to r317 things are now working for me under Linux. Thanks for the fix!

Ground Loop · 2010-02-01 05:00:05

SVN 317 here, and EM410x sim works great. It has better range than the real card, in fact.

I found that I did have to put leading zeros on the ID value.. 000018618F instead of 18618F. Odd?

adam@algroup.co.uk · 2010-02-01 23:20:17

EM410x IDs are 10 HEX digits, so it's not unreasonable that you needed to put the leading zeros... Or the code could be tweaked of course...

atrox · 2010-02-02 20:01:20

thanks for response - will test it soon.

I noticed a similar bug (?) in the hi15reader, which hangs/crashes if a card is in vicinity, but continues without a card. i will post this in the appropriate forum anyway.

Raymond · 2011-12-05 01:22:40

Hi Samy, does the EM cloner feature still work?

Will the command be like,

Lf EM clone (the data of the EM card you are cloning)?

ghaber · 2012-02-14 21:51:55

Hi guys,

I have a EM card that I need to clone on a T5567 and I am wondering if that function is already implemented or not?? At the beginning of this post, it is said that there is a cloner but I do not see the function.

Regards

Bugman1400 · 2012-02-17 15:42:28

ghaber wrote:

Hi guys,
I have a EM card that I need to clone on a T5567 and I am wondering if that function is already implemented or not?? At the beginning of this post, it is said that there is a cloner but I do not see the function.
Regards

Read the posts by Cex. He has developed the PM3 code to write to the T5567 cards. I've tried it many times and it works great! The code is on the Wiki......

Raymond · 2012-03-02 20:10:06

Hi ghaber,

I was able to to clone HID tags to T5567 card, using Cex r499.

Don think r499 is able to clone EM card yet.

Regards

Cex · 2012-05-16 13:40:11

Raymond wrote:

Hi ghaber,
I was able to to clone HID tags to T5567 card, using Cex r499.
Don think r499 is able to clone EM card yet.
Regards

EM cloning feature was added in r528.

urkis · 2012-07-02 15:08:23

I found a problem that seems to be around for a while.

For example, I'm trying to write ID 010AABCDEF to my T55x7-card.
After when I read the tag-id it says 000AABCDEF.

It seems to be the first two chars always is set to 00. Is there a fix for this?

Cex · 2012-07-04 07:26:25

urkis wrote:

I found a problem that seems to be around for a while.
For example, I'm trying to write ID 010AABCDEF to my T55x7-card.
After when I read the tag-id it says 000AABCDEF.
It seems to be the first two chars always is set to 00. Is there a fix for this?

Maybe the problem is the sscanf in cmdlfem4x.c in the client. I think that the sscanf(Cmd, "%lx %d", &id, &card); at line 406 may be reading only 32 bits due to the L modifier.

Try this dirty hack to check if this fix the problem (then I'll try to make a little bit more elegant):

int CmdEM410xWrite(const char *Cmd)
{
  uint64_t id = 0;
  unsigned int card;
////////////////
  int i;
///////////////

  sscanf(Cmd, "%lx %d", &id, &card);
  
///////////////////////////////////
  id = 0;
  while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
    id = (id << 4) | (n & 0xf);
  }
///////////////////////////////////

  if (id >= 0x10000000000) {
    PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
    return 0;
  }

The rest of the file shall remain the same (just add the code between the ////////////// lines).

Please post if this solves the issue.

Last edited by Cex (2012-07-04 07:27:37)

rule · 2012-07-04 07:44:46

For the following code:

  uint64_t id = 0;
  unsigned int card;

  sscanf(Cmd, "%lx %d", &id, &card);

I would indeed suggest to use the "long long" directive:

  sscanf(Cmd, "%llx %d", &id, &card);

Cex · 2012-07-04 08:35:12

roel wrote:

For the following code:
  uint64_t id = 0;
  unsigned int card;

  sscanf(Cmd, "%lx %d", &id, &card);
I would indeed suggest to use the "long long" directive:
  sscanf(Cmd, "%llx %d", &id, &card);

Much better... I'm not a C programmer, so I didn't know of that directive and did it the dirty way.
Thank you.

urkis · 2012-07-04 14:56:56

Got some errors when compiling, something about undeclaired variable "n", so I modified the code but it still doesn't work as intended.

int CmdEM410xWrite(const char *Cmd)
{
  uint64_t id = 0;
  unsigned int card;
  int i;
  int n = 0;

   sscanf(Cmd, "%llx %d", &id, &card);
   
     id = 0;
  while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
    id = (id << 4) | (n & 0xf);
  }


  if (id >= 0x10000000000) {
    PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
    return 0;
  }

  if (card > 1) {
    PrintAndLog("Error! Bad card type selected.\n");
    return 0;
  }

  PrintAndLog("Writing %s tag with UID 0x%010lx", card ? "T55x7":"T5555", id);
  UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
  SendCommand(&c);

  return 0;
}

I tried this:

proxmark3> lf em4x em410xwrite 0100ABCDEF 1
Error! Given EM410x ID is longer than 40 bits.

And when I remove the last F:

proxmark3> lf em4x em410xwrite 0100ABCDE 1
Writing T55x7 tag with UID 0x000abcde11
#db# Started writing T55x7 tag ...
#db# Tag T55x7 written with 0xff8c00a5f1be8c7e

Reading the T55x7:
Auto-detected clock rate: 64
Thought we had a valid tag but failed at word 1 (i=42)
Thought we had a valid tag but failed at word 1 (i=106)
EM410x Tag ID: 100abcde11

There must be some other error in the code?
I'm not that good at C, but can it be the uint32_t that is the problem on this line?

UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};

Last edited by urkis (2012-07-04 15:23:09)

rule · 2012-07-05 07:09:52

Don't know exactly, but looking at the code, you should of course also change:

PrintAndLog("Writing %s tag with UID 0x%010lx", card ? "T55x7":"T5555", id);

To the long long notation for printing:

PrintAndLog("Writing %s tag with UID 0x%010llx", card ? "T55x7":"T5555", id);

Cex · 2012-07-05 07:19:33

Urkis,

You have mixed Roel's code and mine.

Use only the Roel suggestion ( ''ll' instead on 'l' ).

If this still fails I'll try to test myself and upload the patch once it works.

urkis · 2012-07-05 15:37:27

Tried restoring the original code and only used
sscanf(Cmd, "%llx %d", &id, &card);

But it stills write 00 on the first chars to the T55x7

The compiler gives a warning on this line:
cmdlfem4x.c:406: warning: unknown conversion type character 'l' in format

t0m4 · 2012-07-07 10:07:46

Here is the fix :

In client/cmdlfem4x.c,

add line 13 :
```
#include <inttypes.h>
```

edit line 407 :

sscanf(Cmd, "%" PRIx64 " %d", &id, &card);

edit line 419 :

PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, card ? "T55x7":"T5555", id);

compile (no more warning), and now :

proxmark3> lf em4x em410xwrite ffffffffff 1
Writing T55x7 tag with UID 0xffffffffff
#db# Started writing T55x7 tag ...
#db# Tag T55x7 written with 0xfffbdef7bdef7bc0

proxmark3> lf em4x em410xwatch
#db# buffer samples: 00 00 00 00 16 1d 15 1b ...
Reading 2000 samples

Done!

Auto-detected clock rate: 64
EM410x Tag ID: ffffffffff

Hope this helps.

I'll try to commit it on SVN as soon as I'm a member...

urkis · 2012-07-07 10:29:53

It works, thank you very much!

MilkThief · 2014-11-02 10:21:37

rfidshop wrote:

Hello，
I have two kinds of readers that can do clone for the EM410 cards or tags on T5557,T5567 or T5577 cards or tags .
http://www.rfidshop.net/EM4100--ATA5577-LF-Passive-RFID-Desktop-Reader-Writer_p205.html
http://www.rfidshop.net/Portable-RFID-Copier-Kit--125KHz-Handheld-Reader_p388.html
Any questions ,please let me know.
Market@d-think.net

This is the PM3 forum, please post that kind of AD on ebay or payment ecommerce sites!

samy · 2015-06-26 01:45:12

You should just ask your question...I could have read it by now!

Proxmark3 community

Announcement

#1 2009-07-01 06:09:32

Now available: EM410x tag simulator AND cloner!

#2 2010-01-22 17:19:20

Re: Now available: EM410x tag simulator AND cloner!

#3 2010-01-25 20:47:25

Re: Now available: EM410x tag simulator AND cloner!

#4 2010-01-28 16:25:54

Re: Now available: EM410x tag simulator AND cloner!

#5 2010-01-29 10:30:06

Re: Now available: EM410x tag simulator AND cloner!

#6 2010-01-29 14:48:37

Re: Now available: EM410x tag simulator AND cloner!

#7 2010-02-01 05:00:05

Re: Now available: EM410x tag simulator AND cloner!

#8 2010-02-01 23:20:17

Re: Now available: EM410x tag simulator AND cloner!

#9 2010-02-02 20:01:20

Re: Now available: EM410x tag simulator AND cloner!

#10 2011-12-05 01:22:40

Re: Now available: EM410x tag simulator AND cloner!

#11 2012-02-14 21:51:55

Re: Now available: EM410x tag simulator AND cloner!

#12 2012-02-17 15:42:28

Re: Now available: EM410x tag simulator AND cloner!

#13 2012-03-02 20:10:06

Re: Now available: EM410x tag simulator AND cloner!

#14 2012-05-16 13:40:11

Re: Now available: EM410x tag simulator AND cloner!

#15 2012-07-02 15:08:23

Re: Now available: EM410x tag simulator AND cloner!

#16 2012-07-04 07:26:25

Re: Now available: EM410x tag simulator AND cloner!

#17 2012-07-04 07:44:46

Re: Now available: EM410x tag simulator AND cloner!

#18 2012-07-04 08:35:12

Re: Now available: EM410x tag simulator AND cloner!

#19 2012-07-04 14:56:56

Re: Now available: EM410x tag simulator AND cloner!

#20 2012-07-05 07:09:52

Re: Now available: EM410x tag simulator AND cloner!

#21 2012-07-05 07:19:33

Re: Now available: EM410x tag simulator AND cloner!

#22 2012-07-05 15:37:27

Re: Now available: EM410x tag simulator AND cloner!

#23 2012-07-07 10:07:46

Re: Now available: EM410x tag simulator AND cloner!

#24 2012-07-07 10:29:53

Re: Now available: EM410x tag simulator AND cloner!

#25 2014-11-02 10:21:37

Re: Now available: EM410x tag simulator AND cloner!

#26 2015-06-26 01:45:12

Re: Now available: EM410x tag simulator AND cloner!

Board footer