Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-07-19 12:42:27

vento123
Contributor
Registered: 2020-07-18
Posts: 6

EM4305 tag clone

Is it possible to clone EM4305 tag to T5577 tag?

I have the access controller on my desk. If I check an em4100 or t5577 tag, the controller doesn't recognise the tag and there isn't any sound or light indication. If I check another em4305 card, not added to the controller, there is a "denied" sound and a red light. If I clone the tag like an em4100 card there isn't any indication on the controller.

Also, how do I crack the EM4305 password? I tried 00000000 and all the other passwords from t55xx_default_pwds.dic manually, one by one. Is it possible to use some kind of brute force or backdoor to find the password?

I have a PM3 Easy with the latest firmware, rrg_other-64-20200716.


[usb|script] pm3 --> lf em 4x05_info

[+]  Chip Type:   9 | EM4305

[+]   Cap Type:   3 | 330pF
[+]  Cust Code: 512 | Default

[+]   Serial #: 396A0F92

[=] ConfigWord: 0011805F (Word 4)

[=] Config Breakdown:
[=]  Data Rate:  31 | RF/64
[=]    Encoder:   1 | Manchester
[=]     PSK CF:   0 | RF/2
[=]      Delay:   0 | no delay
[=]  LastWordR:  06 | Address of last word for default read - meaning 2 blocks are output
[=]  ReadLogin:   0 | Read login is not required
[=]    ReadHKL:   0 | Read housekeeping words login is not required
[=] WriteLogin:   1 | Write login is required
[=]   WriteHKL:   0 | Write housekeeping words login is not Required
[=]     R.A.W.:   0 | Read after write is off
[=]    Disable:   0 | Disable command is not accepted
[=]     R.T.F.:   0 | Reader talk first is disabled
[=]     Pigeon:   0 | Pigeon mode is disabled


[=]       Word:  00 | write Locked
[=]       Word:  01 | write Locked
[=]       Word:  02 | unlocked
[=]       Word:  03 | unlocked
[=]       Word:  04 | unlocked
[=]       Word:  05 | unlocked
[=]       Word:  06 | unlocked
[=]       Word:  07 | unlocked
[=]       Word:  08 | unlocked
[=]       Word:  09 | unlocked
[=]       Word:  10 | unlocked
[=]       Word:  11 | unlocked
[=]       Word:  12 | unlocked
[=]       Word:  13 | unlocked
[=]       Word:  14 | unlocked
[=]       Word:  15 | unlocked
[usb|script] pm3 --> lf em 4x05_dump
Addr | data     | ascii |lck| info
-----+----------+-------+---+-----
  00 | 00040072 | ...r  |   |
  01 | 396A0F92 | 9j..  | x |
  02 |          |       |   | cannot read
  03 | 000055C7 | ..U.  |   |
  04 | 0011805F | ..._  |   |
  05 | BD1DDFFF | ....  |   |
  06 | 2B15EBA4 | +...  |   |
  07 | A6FA0000 | ....  |   |
  08 | 2C2BE480 | ,+..  |   |
  09 | 00000000 | ....  |   |
  10 | 00000000 | ....  |   |
  11 | 00000000 | ....  |   |
  12 | 00000000 | ....  |   |
  13 | 00000000 | ....  |   |
  14 | 00008002 | ....  |   | Lock
  15 | 00000000 | ....  |   | Lock
[usb|script] pm3 --> lf em 410x_read

[+] EM410x pattern found

EM TAG ID      : FECBA9E753

Possible de-scramble patterns

Unique TAG ID  : 7FD395E7CA
HoneyWell IdentKey {
DEZ 8          : 11134803
DEZ 10         : 3416909651
DEZ 5.5        : 52137.59219
DEZ 3.5A       : 254.59219
DEZ 3.5B       : 203.59219
DEZ 3.5C       : 169.59219
DEZ 14/IK2     : 01094338602835
DEZ 15/IK3     : 000549010663370
DEZ 20/ZK      : 07151303090514071210
}
Other          : 59219_169_11134803
Pattern Paxton : 4273874259 [0xFEBE2553]
Pattern 1      : 3584942 [0x36B3AE]
Pattern Sebury : 59219 41 2746195  [0xE753 0x29 0x29E753]

Last edited by vento123 (2020-07-19 12:45:30)

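The "Possible de-scramble patterns" printed above are just the same 40 bits written in the numberings different readers and access-control software display. The Python below is an added example (not Proxmark3 client code) that reproduces those numberings from the raw EM TAG ID, so a number shown on a controller can be matched back to a card. The field layouts are taken from the client's output for the two IDs in this thread; "Pattern 1" is left out because its bit permutation is not shown on this page.

```python
# Added example (not Proxmark3 client code): reproduce the "Possible
# de-scramble patterns" that `lf em 410x_read` prints for an EM410x ID.
# Layouts follow the Proxmark3 client's output for the IDs in this thread;
# "Pattern 1" is omitted because its bit permutation is not shown here.

def reverse_byte(b: int) -> int:
    """Bit-reverse one byte (0x53 -> 0xCA)."""
    return int(f"{b:08b}"[::-1], 2)


def em410x_descramble(em_id: str) -> dict:
    """Return the 40-bit EM TAG ID (10 hex digits, e.g. "FECBA9E753")
    in the alternative numberings readers print."""
    if len(em_id) != 10:
        raise ValueError("EM410x ID must be 10 hex digits (40 bits)")
    tag = int(em_id, 16)
    b = tag.to_bytes(5, "big")
    # "Unique" format: every byte bit-reversed, byte order unchanged.
    unique = int.from_bytes(bytes(reverse_byte(x) for x in b), "big")
    # Paxton: top byte placed above the low 24 bits, plus a fixed offset
    # (as printed by the Proxmark3 client).
    paxton = (((tag >> 32) << 24) | (tag & 0xFFFFFF)) + 0x143E00
    low16 = tag & 0xFFFF
    return {
        "unique": f"{unique:010X}",
        "dez8": f"{tag & 0xFFFFFF:08d}",            # low 3 bytes
        "dez10": f"{tag & 0xFFFFFFFF:010d}",       # low 4 bytes
        "dez5.5": f"{(tag >> 16) & 0xFFFF:05d}.{low16:05d}",
        "dez3.5a": f"{(tag >> 32) & 0xFF:03d}.{low16:05d}",
        "dez3.5b": f"{(tag >> 24) & 0xFF:03d}.{low16:05d}",
        "dez3.5c": f"{(tag >> 16) & 0xFF:03d}.{low16:05d}",
        "dez14_ik2": f"{tag:014d}",                  # whole ID, decimal
        "dez15_ik3": f"{unique:015d}",               # Unique ID, decimal
        # ZK: each hex nibble of the Unique ID written as two decimal digits
        "dez20_zk": "".join(f"{int(c, 16):02d}" for c in f"{unique:010X}"),
        "other": f"{low16:05d}_{(tag >> 16) & 0xFF:03d}_{tag & 0xFFFFFF:08d}",
        "paxton": paxton,
        # Sebury: low 16 bits, 7 bits of byte 3, low 23 bits
        "sebury": (low16, (tag >> 16) & 0x7F, tag & 0x7FFFFF),
    }


if __name__ == "__main__":
    for em_id in ("FECBA9E753", "897C1E55E7"):   # the two IDs in this thread
        for k, v in em410x_descramble(em_id).items():
            print(f"{em_id} {k:10s} {v}")
```

Run it and compare against the `lf em 410x_read` output above: every line of the HoneyWell, Paxton and Sebury blocks comes out of simple masks and shifts of the same 40-bit value, which is why none of these numbers tells you anything about the chip behind the ID.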

#2 2020-07-20 04:42:16

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: EM4305 tag clone

There are a few things in your post.

Is it possible to clone EM4305 tag to T5577 tag?

Yes and no. The EM4305 and T5577 can both modulate and encode with some different formats. As a general statement the T5577 should be able to do the same sort of emulations as the EM4305, but the EM4305 may not be able to do all that the T5577 can.

But without knowing what your system expects, it's hard to tell if the T5577 can do it. If your system MUST use the EM4305 in its native format, where it uses em4305 commands to read/write data to the card as you swipe it, then no, the T5577 won't be able to do that.
If the em4305 is just emulating an EM4100 tag (or something) then yes, the T5577 can do that.

I would suggest you confirm the system card type first then see what cards can be used to emulate that.

If i check another em4305 card, not added in controller, there is "denied" sound and red light.

What do you find with lf search? The above may happen IF it knows it's a 4305, but it may also do it because there is some compatible modulation happening with the "blank" card.

For the dump, your current dump looks like it has read all the blocks.
The protection block says that block 2 (password) is locked from read, which is the default for a new card. To date, I have not seen a way to reset the config blocks. You can lock more data blocks, but can't clear them.

Is the dump from a working card ?
It looks like the dump and lf search show a matching EM4100 tag ID (which the T55x7 can emulate).
i.e. with a writable T5577 on the pm3

lf em 410x_write FECBA9E753 1
then
lf search
shows
EM TAG ID      : FECBA9E753   <- match

Possible de-scramble patterns

Unique TAG ID  : 7FD395E7CA
...

If the clone from the original does not work, the system may have some smarts to detect it.
The 1st thing to try would be to copy the T5577 blocks 1 and 2 of page 1 to blocks 1 and 2 of page 2
(sometimes the read sends a different command that results in the page 2 blocks getting sent back).
There are other things that can help, like setting passwords and changing downlink modes, all to make the card ONLY send back the EM4100 data.


#3 2020-07-20 07:46:42

vento123
Contributor
Registered: 2020-07-18
Posts: 6

Re: EM4305 tag clone

[usb|script] pm3 --> lf search

[=] NOTE: some demods output possible binary

[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 

[+] EM410x pattern found


EM TAG ID      : FECBA9E753

Possible de-scramble patterns

Unique TAG ID  : 7FD395E7CA
HoneyWell IdentKey {
DEZ 8          : 11134803
DEZ 10         : 3416909651
DEZ 5.5        : 52137.59219
DEZ 3.5A       : 254.59219
DEZ 3.5B       : 203.59219
DEZ 3.5C       : 169.59219
DEZ 14/IK2     : 01094338602835
DEZ 15/IK3     : 000549010663370
DEZ 20/ZK      : 07151303090514071210
}
Other          : 59219_169_11134803
Pattern Paxton : 4273874259 [0xFEBE2553]
Pattern 1      : 3584942 [0x36B3AE]
Pattern Sebury : 59219 41 2746195  [0xE753 0x29 0x29E753]

[+] Valid EM410x ID found!

This is from the same card. It is a working card for the controller. If I clone the card like an em4100 card to a t5577 card, the t5577 card is not recognised by this controller. At the same time, if I read both cards as em41x cards their ID is FECBA9E753. Both cards also work fine when I test them on a normal controller with em4100 cards.
If you are right and the controller uses em4305 commands to read cards, how can I test this with pm3? There isn't a command to simulate an em4305 card.
How do I change downlink modes on a t5577 card?

1st thing to try would be to copy the T5577 blocks 1 and 2 page 1 to blocks 1 and 2 page 2

This doesn't work. I also tried with a password.

Here is another working card.

[usb|script] pm3 --> lf em 4x05_info

[+]  Chip Type:   9 | EM4305

[+]   Cap Type:   3 | 330pF
[+]  Cust Code: 512 | Default

[+]   Serial #: 3969E2DC

[=] ConfigWord: 0011805F (Word 4)

[=] Config Breakdown:
[=]  Data Rate:  31 | RF/64
[=]    Encoder:   1 | Manchester
[=]     PSK CF:   0 | RF/2
[=]      Delay:   0 | no delay
[=]  LastWordR:  06 | Address of last word for default read - meaning 2 blocks are output
[=]  ReadLogin:   0 | Read login is not required
[=]    ReadHKL:   0 | Read housekeeping words login is not required
[=] WriteLogin:   1 | Write login is required
[=]   WriteHKL:   0 | Write housekeeping words login is not Required
[=]     R.A.W.:   0 | Read after write is off
[=]    Disable:   0 | Disable command is not accepted
[=]     R.T.F.:   0 | Reader talk first is disabled
[=]     Pigeon:   0 | Pigeon mode is disabled


[=]       Word:  00 | write Locked
[=]       Word:  01 | write Locked
[=]       Word:  02 | unlocked
[=]       Word:  03 | unlocked
[=]       Word:  04 | unlocked
[=]       Word:  05 | unlocked
[=]       Word:  06 | unlocked
[=]       Word:  07 | unlocked
[=]       Word:  08 | unlocked
[=]       Word:  09 | unlocked
[=]       Word:  10 | unlocked
[=]       Word:  11 | unlocked
[=]       Word:  12 | unlocked
[=]       Word:  13 | unlocked
[=]       Word:  14 | unlocked
[=]       Word:  15 | unlocked


[usb|script] pm3 --> lf em 410x_read

[+] EM410x pattern found

EM TAG ID      : 897C1E55E7

Possible de-scramble patterns

Unique TAG ID  : 913E78AAE7
HoneyWell IdentKey {
DEZ 8          : 01988071
DEZ 10         : 2082362855
DEZ 5.5        : 31774.21991
DEZ 3.5A       : 137.21991
DEZ 3.5B       : 124.21991
DEZ 3.5C       : 030.21991
DEZ 14/IK2     : 00590492882407
DEZ 15/IK3     : 000623818353383
DEZ 20/ZK      : 09010314070810101407
}
Other          : 21991_030_01988071
Pattern Paxton : 2301793255 [0x893293E7]
Pattern 1      : 5098295 [0x4DCB37]
Pattern Sebury : 21991 30 1988071  [0x55E7 0x1E 0x1E55E7]


[usb|script] pm3 --> lf em 4x05_dump

Addr | data     | ascii |lck| info
-----+----------+-------+---+-----
  00 | 00040072 | ...r  |   |
  01 | 3969E2DC | 9i..  | x |
  02 |          |       |   | cannot read
  03 | 00003184 | ..1.  |   |
  04 | 0011805F | ..._  |   |
  05 | 03F263FF | ..c.  |   |
  06 | 1FAEA55F | ..._  |   |
  07 | 72FA0000 | r...  |   |
  08 | 0B2BE480 | .+..  |   |
  09 | 00000000 | ....  |   |
  10 | 00000000 | ....  |   |
  11 | 00000000 | ....  |   |
  12 | 00000000 | ....  |   |
  13 | 00000000 | ....  |   |
  14 | 00008002 | ....  |   | Lock
  15 | 00000000 | ....  |   | Lock
 

Unfortunately I don't have a new clean em4305 card for testing right now. And I don't know the password to erase one of the working tags for a test.

Last edited by vento123 (2020-07-20 08:03:09)

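The two EM4305 dumps above and the EM410x reads of the same cards line up in a way worth making explicit: with LastWordR = 6, the EM4305's default read sends out words 5 and 6, and those two words are the 64-bit EM410x stream for the card's ID, stored bit-reversed per word because the chip transmits each word LSB-first. The Python below is an added example (not Proxmark3 code) that encodes an EM410x ID into its 64-bit stream, shows the MSB-first form a T5577 holds in blocks 1 and 2 and the per-word-reversed form the EM4305 dump shows in words 5 and 6, and decodes a dump back to the ID. The LSB-first storage assumption is checked against both dumps in this thread.

```python
# Added example (not Proxmark3 code): EM410x stream encode/decode and the
# mapping onto T5577 blocks 1-2 (stream MSB-first) and EM4305 words 5-6
# (each 32-bit word bit-reversed, i.e. transmitted LSB-first). The EM4305
# storage order is an assumption verified against the dumps in this thread.

def em410x_encode(em_id: str) -> int:
    """40-bit hex ID -> 64-bit EM410x stream as an int.

    Layout: 9 header ones, 10 nibbles each followed by its even row
    parity bit, 4 column parity bits, 1 stop bit (0).
    """
    tag = int(em_id, 16)
    if tag >> 40:
        raise ValueError("ID does not fit in 40 bits")
    nibbles = [(tag >> (4 * (9 - i))) & 0xF for i in range(10)]
    bits = [1] * 9
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) & 1]
    for col in range(4):
        bits.append(sum((n >> (3 - col)) & 1 for n in nibbles) & 1)
    bits.append(0)  # stop bit
    return int("".join(map(str, bits)), 2)


def em410x_decode(stream: int) -> str:
    """Inverse of em410x_encode; raises ValueError on a bad header/parity."""
    bits = [(stream >> (63 - i)) & 1 for i in range(64)]
    if bits[:9] != [1] * 9 or bits[63] != 0:
        raise ValueError("missing EM410x header or stop bit")
    nibbles = []
    for i in range(10):
        row = bits[9 + 5 * i: 9 + 5 * i + 5]
        if sum(row[:4]) & 1 != row[4]:
            raise ValueError(f"row parity error in nibble {i}")
        nibbles.append((row[0] << 3) | (row[1] << 2) | (row[2] << 1) | row[3])
    for col in range(4):
        if sum((n >> (3 - col)) & 1 for n in nibbles) & 1 != bits[59 + col]:
            raise ValueError(f"column parity error in column {col}")
    return "".join(f"{n:X}" for n in nibbles)


def t5577_blocks(em_id: str) -> tuple:
    """(block1, block2) as `lf em 410x_write` stores them: stream MSB-first."""
    s = em410x_encode(em_id)
    return (s >> 32) & 0xFFFFFFFF, s & 0xFFFFFFFF


def reverse32(w: int) -> int:
    """Bit-reverse a 32-bit word (LSB-first <-> MSB-first)."""
    return int(f"{w:032b}"[::-1], 2)


def em4305_words(em_id: str) -> tuple:
    """(word5, word6) as they appear in `lf em 4x05_dump` for an EM4305
    configured with LastWordR = 6: the stream split into two words, each
    bit-reversed (assumption, checked against the dumps in this thread)."""
    b1, b2 = t5577_blocks(em_id)
    return reverse32(b1), reverse32(b2)


def em4305_id_from_dump(word5: int, word6: int) -> str:
    """Recover the EM410x ID from EM4305 dump words 5 and 6."""
    stream = (reverse32(word5) << 32) | reverse32(word6)
    return em410x_decode(stream)


if __name__ == "__main__":
    for em_id in ("FECBA9E753", "897C1E55E7"):
        print(em_id, "T5577 blk1/2: %08X %08X" % t5577_blocks(em_id),
              "EM4305 w5/w6: %08X %08X" % em4305_words(em_id))
    # words 5 and 6 from the first EM4305 dump in this thread
    print(em4305_id_from_dump(0xBD1DDFFF, 0x2B15EBA4))
```

Feeding in the dump words BD1DDFFF 2B15EBA4 gives FECBA9E753 and 03F263FF 1FAEA55F gives 897C1E55E7, matching the `lf em 410x_read` output for each card. The air interface of both chips is therefore the same Manchester RF/64 bit stream; if a controller tells the two apart, it is doing something beyond a plain EM4100 read.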

#4 2020-07-20 08:08:43

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: EM4305 tag clone

At the moment let's assume that the reader is an EM4100 reader (but is checking for a clone card somehow).

If you take the clone card (T5577) that has the same EM4100 ID but does not work, perform the following.

1. lf t55 detect
    lf t55 dump
(And post the results)

2. Set the password. (if using rrg)
     lf t55 protect n 00000000

This will set the password to 00000000 and alter the config to enable the password.

Then retest the card.


#5 2020-07-20 10:50:48

vento123
Contributor
Registered: 2020-07-18
Posts: 6

Re: EM4305 tag clone

[usb|script] pm3 --> lf t55xx detect

[=]      Chip Type      : T55x7

[=]      Modulation     : ASK
[=]      Bit Rate       : 5 - RF/64
[=]      Inverted       : No
[=]      Offset         : 33
[=]      Seq. Term.     : Yes
[=]      Block0         : 0x00148040
[=]      Downlink Mode  : default/fixed bit length
[=]      Password Set   : No


[usb|script] pm3 --> lf t55xx dump

[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------

[+]  00 | 00148040 | 00000000000101001000000001000000 | ...@

[+]  01 | FFFBB8BD | 11111111111110111011100010111101 | ....

[+]  02 | 25D7A8D4 | 00100101110101111010100011010100 | %...

[+]  03 | 00000000 | 00000000000000000000000000000000 | ....

[+]  04 | 00000000 | 00000000000000000000000000000000 | ....

[+]  05 | 00000000 | 00000000000000000000000000000000 | ....

[+]  06 | 00000000 | 00000000000000000000000000000000 | ....

[+]  07 | 00000000 | 00000000000000000000000000000000 | ....

[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------

[+]  00 | 00148040 | 00000000000101001000000001000000 | ...@

[+]  01 | FFFBB8BD | 11111111111110111011100010111101 | ....

[+]  02 | 25D7A8D4 | 00100101110101111010100011010100 | %...

[+]  03 | 00000000 | 00000000000000000000000000000000 | ....

[+] saved to json file lf-t55xx-FFFBB8BD-25D7A8D4-dump-4.json
[+] saved 12 blocks to text file lf-t55xx-FFFBB8BD-25D7A8D4-dump-4.eml

[+] saved 48 bytes to binary file lf-t55xx-FFFBB8BD-25D7A8D4-dump-4.bin
[usb|script] pm3 --> lf t55 protect n 00000000

[=] Checking current configuration

[+] Wrote new password

[+] Validated new password

[+] Wrote modified configuration block

[!] Safety check: Could not detect if PWD bit is set in config block. Exits.

[=] Block0 write detected, running `detect` to see if validation is possible

[=]      Chip Type      : T55x7

[=]      Modulation     : ASK
[=]      Bit Rate       : 5 - RF/64
[=]      Inverted       : No
[=]      Offset         : 33
[=]      Seq. Term.     : Yes
[=]      Block0         : 0x00148050
[=]      Downlink Mode  : default/fixed bit length
[=]      Password Set   : Yes
[=]      Password       : 00000000


[+] New configuration block 00148050 password 00000000

[+] Success, tag is locked

The same result. The controller didn't recognise the tag. Maybe if I can dump the commands sent from the controller to the tag with pm3 we can understand what check it uses to recognise tags?

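The `lf t55 protect` run above changed block 0 from 0x00148040 to 0x00148050, and the EM4305 originals carry config word 0x0011805F. The Python below is an added example (not Proxmark3 code) that decodes both configuration words field by field, shows that the only change `protect` made was setting the PWD bit, and checks that the two chips are set up to emit the same EM4100-style stream (Manchester, RF/64, two words). Bit positions follow the chip datasheets as the Proxmark3 client decodes them; of the EM4305 encoder codes only Manchester (1) is confirmed by this thread, the remaining names in the table are from the datasheet layout and should be treated as an assumption.

```python
# Added example (not Proxmark3 code): decode a T5577 page 0 block 0 word
# and an EM4305 configuration word (word 4), and show what setting the
# T5577 password bit changes. Field names are those the pm3 client prints.

T55X7_PWD_BIT = 1 << 4
T55X7_RF = {0: 8, 1: 16, 2: 32, 3: 40, 4: 50, 5: 64, 6: 100, 7: 128}
T55X7_MOD = {0x00: "Direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
             0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
             0x08: "ASK/Manchester", 0x10: "Biphase", 0x18: "Diphase"}


def t5577_block0(cfg: int) -> dict:
    """Decode a T5577 block 0 (page 0) configuration word."""
    return {
        "bitrate_code": (cfg >> 18) & 0x7,
        "rf": T55X7_RF[(cfg >> 18) & 0x7],
        "x_mode": bool(cfg & (1 << 17)),
        "modulation": T55X7_MOD.get((cfg >> 12) & 0x1F, "unknown"),
        "pskcf": (cfg >> 10) & 0x3,
        "aor": bool(cfg & (1 << 9)),
        "maxblock": (cfg >> 5) & 0x7,      # last block sent in read mode
        "pwd": bool(cfg & T55X7_PWD_BIT),
        "st_terminator": bool(cfg & (1 << 3)),
        "por_delay": bool(cfg & 1),
    }


def t5577_enable_pwd(cfg: int) -> int:
    """Block 0 with the PWD bit set, as `lf t55 protect` rewrites it."""
    return cfg | T55X7_PWD_BIT


# Encoder codes: 1 = Manchester is confirmed by this thread; the others
# are the datasheet layout as assumed here.
EM4305_ENC = {0: "NRZ", 1: "Manchester", 2: "Biphase", 3: "Miller",
              4: "PSK1", 5: "PSK2", 6: "PSK3", 8: "FSK1", 9: "FSK2"}


def em4305_config(word4: int) -> dict:
    """Decode an EM4305 configuration word (word 4)."""
    return {
        "datarate_code": word4 & 0x3F,
        "rf": ((word4 & 0x3F) + 1) * 2,          # 31 -> RF/64
        "encoder": EM4305_ENC.get((word4 >> 6) & 0xF, "unknown"),
        "pskcf": (word4 >> 10) & 0x3,
        "delay": (word4 >> 12) & 0x3,
        "last_word_read": (word4 >> 14) & 0xF,   # default read ends here
        "read_login": bool(word4 & (1 << 18)),
        "read_hk_login": bool(word4 & (1 << 19)),
        "write_login": bool(word4 & (1 << 20)),
        "write_hk_login": bool(word4 & (1 << 21)),
        "read_after_write": bool(word4 & (1 << 22)),
        "disable": bool(word4 & (1 << 23)),
        "rtf": bool(word4 & (1 << 24)),
        "pigeon": bool(word4 & (1 << 26)),
    }


def same_air_format(t55_cfg: int, em_cfg: int) -> bool:
    """True when both chips emit the same EM4100-style stream: Manchester
    at the same RF clock, the T5577 sending blocks 1-2 and the EM4305
    defaulting to the two words ending at word 6 (5-6)."""
    t, e = t5577_block0(t55_cfg), em4305_config(em_cfg)
    return (t["modulation"] == "ASK/Manchester"
            and e["encoder"] == "Manchester"
            and t["rf"] == e["rf"]
            and t["maxblock"] == 2
            and e["last_word_read"] == 6)


if __name__ == "__main__":
    for cfg in (0x00148040, 0x00148050):
        print(f"T5577 block0 {cfg:08X}: {t5577_block0(cfg)}")
    print(f"EM4305 word4 0011805F: {em4305_config(0x0011805F)}")
    print("same air format:", same_air_format(0x00148040, 0x0011805F))
```

Decoding 0x00148040 gives bit rate code 5 (RF/64), ASK/Manchester, max block 2 and PWD clear, exactly what `lf t55xx detect` printed; 0x00148050 differs only in the PWD bit. The EM4305 word decodes to RF/64, Manchester, LastWordR 6 and WriteLogin set, as `lf em 4x05_info` showed, so the two cards are configured identically as far as the read-side modulation goes.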

#6 2020-07-21 03:44:27

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: EM4305 tag clone

You can have a play with sniff.
In RRG:

lf config
and
lf sniff

config will set up the options, while sniff will do the actual capture.
The catch-22 here will be that at most 40,000 samples can be retrieved, so it may or may not get it all; but there are options.
Have a look and a play.
Something like
lf config t 128    <- set a trigger level, may need to try different values
lf sniff
Place the card on the pm3, then move them to the reader, such that the PM3 is between the reader and the card.

Then save the data (have a look at the data options).


#7 2020-07-26 17:41:51

vento123
Contributor
Registered: 2020-07-18
Posts: 6

Re: EM4305 tag clone

Here are the data from several experiments. What is the next step?

https://pastebin.com/kFJxFR4t
https://pastebin.com/eMEjjt0C
https://pastebin.com/m5QF21Kr
https://pastebin.com/eLVCXJMY
https://pastebin.com/cFh66RNx


#8 2020-07-26 23:55:18

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: EM4305 tag clone

From a quick look
1: EM TAG ID      : FECBA9E753
2: EM TAG ID      : FECBA9E753
3: ?? What was this from ?
4: EM TAG ID      : FECBA9E753 - weaker (but still strong) signal
5: ?? What was this from ?

So samples 1,2,4 all look like EM4100 tag reads, nothing special.
Samples 3,5 look a little weird, do you have any context around those two samples ?


#9 2020-07-27 00:54:41

vento123
Contributor
Registered: 2020-07-18
Posts: 6

Re: EM4305 tag clone

They are all from the same tag. I was just testing different positions.
If they are like EM4100, why doesn't the controller respond to a simple EM4100 or copied EM4100 (T5577) tag?

I found that there are two different read commands: Read Word Command and Default Read. Which of them is used in my case?
How do I see the sequence of 0s and 1s of the saved data?


P.S. I found only one empty em4305 tag. It was successfully read and written with a Chinese blue cloner, and there was no password or bit set to 1 in words 14 and 15. PM3 reads the tag but can't write anything to it.

  
  14 | 00000000 | ....  |   | Lock
  15 | 00000000 | ....  |   | Lock

After that I tried to read/dump the tag, and after a few tries to find the best position for the tag over the pm3, word 14 was set to 00008002. Now I cannot write this tag with the Chinese blue cloner. This is part of the log file.


[usb|script] pm3 --> lf em 4x05_dump
Addr | data     | ascii |lck| info
-----+----------+-------+---+-----
  00 | 00040072 | ...r  |   |
  01 | 03DBB2B9 | ....  |   |
  02 |          |       |   | cannot read
  03 | 0000D2D3 | ....  |   |
  04 | 0011805F | ..._  |   |
  05 | BD1DDFFF | ....  |   |
  06 | 2B15EBA4 | +...  |   |
  07 |          |       |   | Fail
  08 | 00000000 | ....  |   |
  09 | 00000000 | ....  |   |
  10 | 00000000 | ....  |   |
  11 |          |       |   | Fail
  12 | 00000000 | ....  |   |
  13 |          |       |   | Fail
  14 | 00000000 | ....  |   | Lock
  15 | 00000000 | ....  |   | Lock
[usb|script] pm3 --> lf em 4x05_dump
Addr | data     | ascii |lck| info
-----+----------+-------+---+-----
  00 |          |       |   | Fail
  01 |          |       |   | Fail
  02 |          |       |   | cannot read
  03 |          |       |   | Fail
  04 |          |       |   | Fail
  05 |          |       |   | Fail
  06 |          |       |   | Fail
  07 |          |       |   | Fail
  08 |          |       |   | Fail
  09 |          |       |   | Fail
  10 |          |       |   | Fail
  11 |          |       |   | Fail
  12 | 00000000 | ....  |   |
  13 |          |       |   | Fail
  14 | 00000000 | ....  |   | Lock
  15 | 00000000 | ....  |   | Lock
[usb|script] pm3 --> lf em 4x05_dump
Addr | data     | ascii |lck| info
-----+----------+-------+---+-----
  00 |          |       |   | Fail
  01 |          |       |   | Fail
  02 |          |       |   | cannot read
  03 |          |       |   | Fail
  04 |          |       |   | Fail
  05 |          |       |   | Fail
  06 |          |       |   | Fail
  07 |          |       |   | Fail
  08 |          |       |   | Fail
  09 |          |       |   | Fail
  10 |          |       |   | Fail
  11 |          |       |   | Fail
  12 |          |       |   | Fail
  13 |          |       |   | Fail
  14 | 00000000 | ....  |   | Lock
  15 | 00000000 | ....  |   | Lock
[usb|script] pm3 --> lf em 4x05_dump
Addr | data     | ascii |lck| info
-----+----------+-------+---+-----
  00 |          |       |   | Fail
  01 |          |       |   | Fail
  02 |          |       |   | cannot read
  03 |          |       |   | Fail
  04 |          |       |   | Fail
  05 |          |       |   | Fail
  06 |          |       |   | Fail
  07 |          |       |   | Fail
  08 |          |       |   | Fail
  09 |          |       |   | Fail
  10 |          |       |   | Fail
  11 |          |       |   | Fail
  12 |          |       |   | Fail
  13 |          |       |   | Fail
  14 | 00000000 | ....  |   | Lock
  15 | 00000000 | ....  |   | Lock
[usb|script] pm3 --> lf em 4x05_read 7
Reading address 07
Read Address 07 | Fail
[usb|script] pm3 --> lf em 4x05_read 7
Reading address 07
Read Address 07 | Fail
[usb|script] pm3 --> lf em 4x05_read 7
Reading address 07
Address 07 | 00000000 - 
[usb|script] pm3 --> lf em 4x05_dump
Addr | data     | ascii |lck| info
-----+----------+-------+---+-----
  00 | 00040072 | ...r  |   |
  01 | 03DBB2B9 | ....  | x |
  02 |          |       |   | cannot read
  03 | 0000D2D3 | ....  |   |
  04 |          |       |   | Fail
  05 | BD1DDFFF | ....  |   |
  06 | 2B15EBA4 | +...  |   |
  07 | 00000000 | ....  |   |
  08 | 00000000 | ....  |   |
  09 | 00000000 | ....  |   |
  10 | 00000000 | ....  |   |
  11 | 00000000 | ....  |   |
  12 |          |       |   | Fail
  13 | 00000000 | ....  |   |
  14 | 00008002 | ....  |   | Lock
  15 | 00000000 | ....  |   | Lock
[usb|script] pm3 --> lf em 4x05_info

[+]  Chip Type:   9 | EM4305

[+]   Cap Type:   3 | 330pF
[+]  Cust Code: 512 | Default

[+]   Serial #: 03DBB2B9

[=] ConfigWord: 0011805F (Word 4)

[=] Config Breakdown:
[=]  Data Rate:  31 | RF/64
[=]    Encoder:   1 | Manchester
[=]     PSK CF:   0 | RF/2
[=]      Delay:   0 | no delay
[=]  LastWordR:  06 | Address of last word for default read - meaning 2 blocks are output
[=]  ReadLogin:   0 | Read login is not required
[=]    ReadHKL:   0 | Read housekeeping words login is not required
[=] WriteLogin:   1 | Write login is required
[=]   WriteHKL:   0 | Write housekeeping words login is not Required
[=]     R.A.W.:   0 | Read after write is off
[=]    Disable:   0 | Disable command is not accepted
[=]     R.T.F.:   0 | Reader talk first is disabled
[=]     Pigeon:   0 | Pigeon mode is disabled

[=]       Word:  00 | write Locked
[=]       Word:  01 | write Locked
[=]       Word:  02 | unlocked
[=]       Word:  03 | unlocked
[=]       Word:  04 | unlocked
[=]       Word:  05 | unlocked
[=]       Word:  06 | unlocked
[=]       Word:  07 | unlocked
[=]       Word:  08 | unlocked
[=]       Word:  09 | unlocked
[=]       Word:  10 | unlocked
[=]       Word:  11 | unlocked
[=]       Word:  12 | unlocked
[=]       Word:  13 | unlocked
[=]       Word:  14 | unlocked
[=]       Word:  15 | unlocked

Last edited by vento123 (2020-07-28 09:50:58)

