Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2019-06-10 06:25:39

mwalker
Contributor
Registered: 2019-05-11
Posts: 128

Looking for a chip data sheet

Hi, does anyone know where I can find a copy of the data sheet for a 125 kHz chip called 5200?
I have seen it referred to as T5200 and cet5200. I believe it's an em4100 with changeable ID (but not sure).
This is referred to in many cloners and cheap fobs.

If you know where I can download the data sheet that covers the downlink protocol, please let me know.

Thanks

#2 2019-06-11 04:41:09

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Looking for a chip data sheet

These ones: https://www.aliexpress.com/i/32809586461.html ?

If so, interesting. Might have to get on WeChat for this one!

#3 2019-06-11 04:52:36

mwalker
Contributor
Registered: 2019-05-11
Posts: 128

Re: Looking for a chip data sheet

That link showed as "100pcs RFID EM4305 / EM5200 125KHZ frequency Rewritable RFID access card / key tags /can rewrite code".
While it quotes the "EM5200" in the description, it does not have the data sheet. Part of the description talks about the 4305 and the other about the 5200. Hmmm.
What I want is the data sheet for the 5200, i.e. the file that explains the read/write protocols, so if you have a link to the data that would be great.

#4 2019-06-11 06:38:49

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Looking for a chip data sheet

I have a feeling the actual IC is:

AT-C-TK4100

Also known as: SMC4100

And that datasheet is apparently under NDA as the IC is very new. I have one supplier that I get 100s of blank custom made t5577 cards from to bulk program for work. I'll see if they can possibly get me some info.

Last edited by Tom5ive (2019-06-11 06:39:11)

#5 2019-06-11 06:41:23

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Looking for a chip data sheet

Maybe: http://www.mave.si/e_files/docs/tk4100-datasheet.pdf

#6 2019-06-11 06:53:08

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,295

Re: Looking for a chip data sheet

Pretty sure the TK4100 is a mimic of the EM4100, which is a read-only chip (as your datasheet confirms).

#7 2019-06-11 06:55:37

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Looking for a chip data sheet

Makes sense! I just found that on a whim while working on other things.

#8 2019-06-11 17:57:59

gjuny
Contributor
From: Brazil
Registered: 2019-06-04
Posts: 18

Re: Looking for a chip data sheet

I found some information about an EM5200 blue fob in an AliExpress vendor page.

Chip: EM5200
1. 512 bit EEPROM, divided into 16 sectors, each sector 32 bit
2. 32 bit UID (unique identification number)
3. Compatible EM agreement
4. 32 password to read and write protection
5. Can make the EEPROM sector into a read-only lock state
6. 2 kind of coding way, the Bi-phase (Manchester)
7. A variety of data transfer rate (8, 16, 32, 64 RF clock)
8. Has the characteristics of the reader first inquiry
9. Frequency range is 125 KHz
10. Temperature range: -45 ~ 85


He who controls the past, commands the future.
He who commands the future, conquers the past.
-- Kane (Command & Conquer Series)

#9 2019-06-17 04:12:00

mwalker
Contributor
Registered: 2019-05-11
Posts: 128

Re: Looking for a chip data sheet

Sounds like an em4305, almost a cut 'n' paste from the 4305 data sheet.

#10 2019-06-18 04:03:33

mwalker
Contributor
Registered: 2019-05-11
Posts: 128

Re: Looking for a chip data sheet

A little more info, but again just seller blurb.

CET5200, is Freevision's branded RFID chip, 125kHz, read/write, compatible of EM4100/EM4102, could write to EM ID type, like EM4100, EM4102, EM4200, TK4100.
CET5200: Write to EM ID

The same seller also talked about the t5577 and its features that matched the t5577.

So it's looking like the T5200 could just be an EM410x with changeable ID.

#11 2019-06-19 22:48:57

gjuny
Contributor
From: Brazil
Registered: 2019-06-04
Posts: 18

Re: Looking for a chip data sheet

Interesting... I wish we could find more information and have it eventually implemented in the Proxmark client.

#12 2019-07-06 10:05:40

mwalker
Contributor
Registered: 2019-05-11
Posts: 128

Re: Looking for a chip data sheet

I thought I would move the tech chat about this chip here as well, as I/we move forwards.
As I have posted on a different thread, I have extracted what I think are the 4 command sequences that get sent.
I did this by sniffing every packet sent from the cloner, then decoding (by hand) every bit.
I then removed the 5577 commands and the EM4305 commands (I did try to send those commands, but no response from the card, as expected), so what was left must be what is writing to the cards (in theory).
(attached image: wave1.png)
While not the full wave, it's the start of the first line below.
Note: while the bits below may not be 100%, the EM data decoded correctly, so I'm happy this is OK and think it is.
I have run over it many times now, and paid close attention to anything that did not line up.

01 0000100 0101 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1
01 0000000 1010 00000000 11111111 10000011 01100000 00000010 1 <- EM4100 Data
01 0000000 1010 10000000 01001100 01101100 00100100 11001100 1 <- EM4100 Data
01 0000000 1010 11111111 00000101 00000000 00000000 00000000 1

At the moment, this is my theory:
The 01 is a sync, as the "1" is wider than all the other ones. The 0 could just be the result of the field turning on.
The next 7 bits are a pre-amble of some sort (as I can't think of anything else).
The next 4 bits are the opcode (e.g. 3 bits + parity).
The next few bits are an address, e.g. for the middle EM data we have 00000000 and 10000000.
Then the data.
The last bit I think is just the end of field, not an actual bit, but again, all guesswork atm.


Still no luck with the data sheets.
Any comments on the wave form, or hints? I have been playing with trying to get something that looks the same based on the bits, but no luck yet.

#13 2019-07-06 13:51:19

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,295

Re: Looking for a chip data sheet

Can you post links to the traces?

#14 2019-07-06 19:20:23

mwalker
Contributor
Registered: 2019-05-11
Posts: 128

Re: Looking for a chip data sheet

3 "raw" Trace files, first has some t5577, the 2nd has the remainder of the t5577 and some em4305 and the last one has the end of the 4305 and the unknown. If a packet was not complete at the end of the file, then the next file should hold the complete packet.

blue_1_1.pm3
blue_1_2.pm3
blue_1_3.pm3

#15 2019-07-10 03:10:51

mwalker
Contributor
Registered: 2019-05-11
Posts: 128

Re: Looking for a chip data sheet

Hoping someone can check my logic here and give me some ideas.

Summary:
- I have an unknown fob supplied with a cheap cloner.
- I have some cards sent to me that they claim are T5200 cards (they also claim they are the same as the EM4305, but it's a cheap seller).
- My blue cloner can write an EM4100 ID to a T5577, an EM4305 and the above two chips.
- Running the T5577 commands to the unknown/5200 does not work.
- Running the EM4305 commands to the unknown/5200 does not work.
- I decoded every bit in the (posted) traces and am very happy that there are 3 types: T5577, EM4305 and unknown.
  As such, I know the configs sent and passwords used, confirming that the unknown is (most likely) not a T5577/EM4305.

Assumption/Conclusion
a) The unknown fob and 5200 are the same chip (or close enough), as that's all that seems left from the cloner.
    or
    They are in fact one of the other two, but with different timings than the pm3 is currently using, and thus don't accept the commands.

c) The 3rd set of packets looks very similar to the OOK used for the T5577, just with much shorter timings and a long pulse "1" at the start.

I managed to get a wave form that looked very close, but for a novice this has been a trial, error, tune and repeat process, so while it looks very close, it still does not work, so it's not right (yet).

At the moment, I want to focus on the timings.
What's the best way to work out the (exact/very close) pulse width times from the trace? I.e. can we convert the delta time from the plot to a microsecond value (assuming no decimation)?

Any other big/small holes in my logic?

Thanks

#16 2019-07-10 03:40:39

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,295

Re: Looking for a chip data sheet

If you capture at 125 kHz then each grid point is 8 µs.
I'd recommend setting up the lf cmdread for testing variations of bit timings.

#17 2019-07-10 04:33:29

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,295

Re: Looking for a chip data sheet

Did you have decimation set on the traces shared above?

#18 2019-07-10 04:58:01

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,295

Re: Looking for a chip data sheet

This is what I get (close to yours):

Each bit begins with 14 fc off.
0 = 6 fc on (so 20 fc total)
1 = 14 fc on (so 28 fc total)
* = 21 fc on (so 35 fc total)
fc = 8 µs or one 125 kHz sample

316 fc power-up cycle

0* 0000100 0101 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 off 14fc on 466fc
0* 0000000 1010 00000000 11111111 10000011 01100000 00000010 off 14fc on 968fc
0* 0000000 1010 10000000 01001100 01101100 00100100 11000100 off 14fc on 968fc
0* 0000000 1010 11111111 00000101 00000000 00000000 00000000 off 14fc on 968fc

Last edited by marshmellow (2019-07-10 05:03:50)

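A worked decoder for the timings in this post and the bit layout mwalker proposed in #12, added here as an example and not code from the thread or from the Proxmark client: it turns a list of alternating off/on run lengths in samples (fc, 8 µs each at 125 kHz, as read off the data plot) into '0'/'1'/'*' symbols using the 14 fc gap and the 6/14/21 fc on-periods above, treats a much longer on-period as the pulse that closes a frame, and slices each frame into sync / preamble / opcode / payload. The ±2-sample tolerance and the constructed sample input (the second frame above, rebuilt from its symbols) are my assumptions, not measurements from the traces.

```python
FC_US = 8.0                         # microseconds per sample at 125 kHz (from the post)
GAP_FC = 14                         # off period that begins every bit
ON_FC = {6: "0", 14: "1", 21: "*"}  # on period in samples -> symbol
TOL = 2                             # accepted jitter in samples (my assumption)

def samples_to_us(samples, decimation=1):
    """Convert a plot delta (grid points) to microseconds; decimation scales it."""
    return samples * decimation * FC_US

def classify_on(on_len):
    """Map one on-period to '0', '1', '*' or 'END' (the long frame-terminating pulse)."""
    for ref, sym in ON_FC.items():
        if abs(on_len - ref) <= TOL:
            return sym
    if on_len > max(ON_FC) + TOL:
        return "END"
    raise ValueError(f"unrecognised on-period of {on_len} fc")

def decode_runs(runs):
    """runs = [off, on, off, on, ...] in samples. Returns one symbol string per frame."""
    if len(runs) % 2:
        raise ValueError("runs must alternate off/on and end on an on-period")
    frames, cur = [], []
    for off_len, on_len in zip(runs[0::2], runs[1::2]):
        if abs(off_len - GAP_FC) > TOL:
            raise ValueError(f"unexpected gap of {off_len} fc before an on-period")
        sym = classify_on(on_len)
        if sym == "END":             # long pulse closes the frame
            frames.append("".join(cur))
            cur = []
        else:
            cur.append(sym)
    if cur:                          # trace ended before the terminating pulse
        frames.append("".join(cur))
    return frames

def split_fields(frame):
    """Slice a frame per mwalker's working theory: sync, 7-bit preamble, 4-bit opcode, rest."""
    return {"sync": frame[:2], "preamble": frame[2:9],
            "opcode": frame[9:13], "payload": frame[13:]}

# Constructed sample input: the second frame of the decode above, turned back into
# off/on run lengths, followed by the 14 fc gap and the 968 fc closing pulse.
FRAME2 = "0*" + "0000000" + "1010" + "00000000" + "11111111" + "10000011" + "01100000" + "00000010"
SYM_TO_ON = {sym: on for on, sym in ON_FC.items()}
SAMPLE_RUNS = [n for s in FRAME2 for n in (GAP_FC, SYM_TO_ON[s])] + [GAP_FC, 968]
```

Calling `decode_runs(SAMPLE_RUNS)` returns `[FRAME2]`, and `split_fields` on it gives opcode `1010` with the EM4100 bytes as payload.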
#19 2019-07-10 08:19:00

mwalker
Contributor
Registered: 2019-05-11
Posts: 128

Re: Looking for a chip data sheet

Thanks for the decode, good to get confirmation (I accept a bit error here or there as I mostly did it by hand).

I found that the T5200 named cards I got sent ended up looking like a T5577, but not 100% the same.
The fob is still resisting, so a different chip again (???), and I still really want to know what that command set is :)

The T5200 named cards I got sent:
The first 2 I used/tested were not the same as the rest (used, maybe??); they had a password that I missed (the normal blue password), and once cleared did show up as a T5577 and commands seem to work. The remainder of the pack was pre-programmed as EM4100 tags, but with no password.

The interesting bit:
The Block 3 Page 1 config was 00A00003 on all of them (note, for that to be active the first nibble should be 6 or 9, and the last 2 bits are set to 3 where the t5577 doc states 00, reserved).

I then set that to a valid page 1 config to set up leading 0 and it did NOT apply.
I tried 1 of 4 and again it did not apply.
It did write the data and I could read the data, just not applied as the analog front end config.

So these cards, while looking like a T5577, are a clone(?) and not fully featured, so I tend to believe these are the named T5200 chips.


The original fob I got still is not responding to anything I do yet, so I will keep looking into that and see what I can find.

Last edited by mwalker (2019-07-11 03:55:04)
