Proxmark3 community


#1 2019-07-01 20:43:46

onebyte
Contributor
Registered: 2017-09-28
Posts: 37

Cloning hid prox to em4xxx fob

Hi. I tried to clone hid fob to t5577 with lf hid clone xxxx, succeeded.

But same command to em4xxx fob, failed and fob bricked.

lf hid clone xxxx, to em4xxx card, failed and card bricked, how can I clone hid card or t5577 card to em4xxx?

Sorry, could not find exact info. Thanks


#2 2019-07-02 08:45:37

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Cloning hid prox to em4xxx fob

Re bricked card.
You said it was an em4xxx, do you know the exact model?
What's the output of
lf em 4x05dump


#3 2019-07-03 18:33:08

onebyte
Contributor
Registered: 2017-09-28
Posts: 37

Re: Cloning hid prox to em4xxx fob

blank is EM410x, EM TAG ID xxxxx

then

lf hid clone xxxxxxxxxx

then

lf search

it showed

NEDAP ID found, Raw ......

with iceman 2019/5/9 version, above.

with official version, no card found... so I thought card or fob bricked. Thanks.


#4 2019-07-03 22:16:00

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Cloning hid prox to em4xxx fob

The em4100 is a read-only id card. As such you can't change anything on it. Cards such as the t5577 and em4305 can emulate the em4100.
I believe the lf hid clone is to emulate the hid card on a t5577, so the command would not work on other chips unless they are compatible with the packet format. Note that other chips could emulate it but not via that command.
I don't think you are writing to a 4100, but some other chip and you need to work out what sort of chip it is before you can work out how to program it.


#5 2019-07-05 00:54:32

onebyte
Contributor
Registered: 2017-09-28
Posts: 37

Re: Cloning hid prox to em4xxx fob

Thanks for checking.
I tried with iceman fork like above,
same fobs, but it showed differently (do not know the reason).

Indala ID found,
Nedap ID found,
EM 410X found,
...

Anyway, if EM410x is read only, why did it show a different result after I cloned HID fob (for example, at first EM410X, then Nedap after cloning)?
And if possible, how can I try to clone HID fob to EM or Indala fob? All info in help? Or any special procedure like initialize and format, then write? Or change fob format then write?

Thanks. :)


#6 2019-07-05 01:57:51

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Cloning hid prox to em4xxx fob

I have not checked the iceman fork, so am working under the assumption that the lf hid clone is designed to write to the t5577.
A t5577 and em4305 (and others) can emulate other Fobs/Cards depending on the config programmed.
The lf search will try a few things and look at the data that comes back to try to fingerprint what sort of card it is or could be. e.g. A T5577 can be set up in such a way to ONLY show as a HID, or show as a HID and T55xx (depending on the config), thus more than one response.

So given that different cards have different ways/configs and encoding, I am guessing that when you sent the HID Clone data (that should go to a T5577) to a different card, it managed to program that other card/chip, but in a different way and is now giving unexpected results.

Cards like the T5577 and EM4305 use one form of communication to send commands to the card and a different form when getting data from the card. So you can have a card that is accepting commands but responding in a way that can't be understood.
I have had cards where an invalid config will give no output to any command, yet I could send it a valid config and it works as normal again.

Before we can attempt to send a valid command to the card, we need to know what card it is, so we can try to work out what to send and where to put it.

While I don't know, I would NOT expect an EM card to accept the commands formatted for a t55xx, the modulation is wrong, parity would be "missing" and other things that SHOULD lead the card to ignore the command.

As such I don't expect it's an EM4305 and don't think it's a T5577 (unless something went wrong) but let's try.
lf em 4x05dump
and
lf t55 detect

As to the clone HID to an EM/Indala I have not looked into this.
First you would need to know the exact chip (as EM is a brand/series and how they work, what they offer can vary).
You then need to work out how the card will need to modulate the data to emulate the HID and ensure your target card can support this.
Once you know the card should be able to do it (all the specs line up), then you can build the block data and write it to the card by hand (if the target card is supported by the pm3).

e.g. basic clone cards will simply send out all the data (bit by bit) from the start of block X to the end of block Y, when powered on.
Let's look at the t5577, this will start at block 1 and can be told to go up to block 7.
Assuming the HID needs 96 bits (there are different sizes), then 96/32bit blocks = 3 blocks.
Let's just say (made up) the HID data was 11223344 55667788 99AABBCC
Then we would write 11223344 to block 1, 55.. to block 2 and 99... to block 3
We would tell the card to send out up to block 3
So when the chip is powered it will send out 112233445566778899AABBCC and repeat.

Sorry, lots there, but I hope you get the idea.
Homework first :)

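The block layout described in post #6, as an added example that is not part of the original thread or of the Proxmark3 code: it splits the post's made-up value into 32-bit blocks starting at block 1, derives the last block to transmit, and simulates the repeating power-on stream. The function names are hypothetical and only the layout is modelled (no modulation, no config block).

```python
# Added illustration: layout of a raw ID across T5577-style 32-bit data blocks,
# using the made-up value from the post (not real credential data).

BLOCK_BITS = 32
FIRST_DATA_BLOCK = 1   # per the post: transmission starts at block 1
LAST_DATA_BLOCK = 7    # per the post: can be told to go up to block 7


def split_into_blocks(raw_hex):
    """Return ({block_number: 8-hex-digit word}, max_block) for a raw ID."""
    digits = "".join(raw_hex.split()).upper()
    if not digits:
        raise ValueError("empty data")
    int(digits, 16)  # raises ValueError on non-hex input
    bits = len(digits) * 4
    if bits % BLOCK_BITS:
        raise ValueError(f"{bits} bits is not a whole number of 32-bit blocks")
    count = bits // BLOCK_BITS
    max_block = FIRST_DATA_BLOCK + count - 1
    if max_block > LAST_DATA_BLOCK:
        raise ValueError(f"{count} blocks needed, only 7 available")
    blocks = {
        FIRST_DATA_BLOCK + i: digits[i * 8:(i + 1) * 8] for i in range(count)
    }
    return blocks, max_block


def power_on_stream(blocks, max_block, n_bits):
    """Simulate the bit stream: blocks 1..max_block sent in order, repeating."""
    one_pass = "".join(
        format(int(blocks[n], 16), "032b")
        for n in range(FIRST_DATA_BLOCK, max_block + 1)
    )
    repeats = n_bits // len(one_pass) + 1
    return (one_pass * repeats)[:n_bits]


def bits_to_hex(bits):
    """Render a bit string (length a multiple of 4) as upper-case hex."""
    return format(int(bits, 2), f"0{len(bits) // 4}X")


if __name__ == "__main__":
    blocks, max_block = split_into_blocks("11223344 55667788 99AABBCC")
    for number, word in blocks.items():
        print(f"block {number}: {word}")
    print("max block:", max_block)
    print(bits_to_hex(power_on_stream(blocks, max_block, 192)))
```

Calling `power_on_stream` with a max block of 2 instead of 3 yields a repeating 64-bit stream that drops the third word, which is one way a mismatched setting produces an ID a reader no longer recognises.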

#7 2019-07-06 18:49:26

onebyte
Contributor
Registered: 2017-09-28
Posts: 37

Re: Cloning hid prox to em4xxx fob

Thanks for long reply :) I understand and have to learn more...

The problem was very small piece of info from lf search and sometimes it is not exact, or confusing. There is no sign, no mark, only check with pm3 commands which card is which type. Maybe have to check card spec and command more as you explained.

Thanks again for your time. :)
