Proxmark3 community

hlange

Member

Registered: 2013-05-09

Posts: 8

Something like EM4100

Hey there,

I got a tag here that should be a EM4100. Wanted t post the Datasheet, but I'm not allowed. So here are the specifications from the datasheet:

Standard Keyfob, Best.-Nr. 130245
- Technology: EM4100
- Operating Frequency: 125 kHz

If I try the em410xread command, I get the following errors:

Auto-detected clock rate: 64          
Thought we had a valid tag but failed at word 1 (i=21)          
Thought we had a valid tag but failed at word 6 (i=52)          
#db# buffer samples: a5 a1 9d 9a 99 97 94 91 ...                 
Reading 4000 samples
Done!
Auto-detected clock rate: 64          
Thought we had a valid tag but failed at word 1 (i=28)          
Thought we had a valid tag but failed at word 1 (i=34)          
#db# buffer samples: 39 3d 41 45 4a 4c 4f 52 ...                 
Reading 4000 samples
Done!
Auto-detected clock rate: 64          
Thought we had a valid tag but failed at word 1 (i=34)          
Thought we had a valid tag but failed at word 1 (i=40)          
#db# buffer samples: 8b 89 88 87 66 4b 40 2c ...                 
Reading 4000 samples
Done!
Auto-detected clock rate: 64          
Thought we had a valid tag but failed at word 1 (i=27)          
Thought we had a valid tag but failed at word 1 (i=33)          
#db# buffer samples: e2 da d3 cc c5 bf ba b5 ...                 
Reading 4000 samples
Done!
Auto-detected clock rate: 64          
Thought we had a valid tag but failed at word 1 (i=14)          
#db# buffer samples: 96 93 92 90 8e 8c 8a 88 ...                 
Reading 4000 samples
Done!
Auto-detected clock rate: 64          
Thought we had a valid tag but failed at word 4 (i=1)          
Thought we had a valid tag but failed at word 1 (i=9)          
#db# buffer samples: 4c 4f 52 55 58 5a 5b ff ...                 
Reading 4000 samples
Done!
Auto-detected clock rate: 64          
Thought we had a valid tag but failed at word 5 (i=1)          
#db# buffer samples: e2 da d3 cd c7 c0 bb b5 ...                 
Reading 4000 samples
Done!
Auto-detected clock rate: 64          
Thought we had a valid tag but failed at word 1 (i=52)          
Thought we had a valid tag but failed at word 5 (i=22)          
#db# buffer samples: 24 2a 2f 34 39 3e 42 46 ...                 
Reading 4000 samples
Done!

hlange

Member

Registered: 2013-05-09

Posts: 8

Re: Something like EM4100

I just post some news of my research:

My System is Proxmark3 OS: svn715, Bootloader: svn709

I managed to clone the tag with the following commands:

proxmark3>lf read
proxmark3>data samples 10000
proxmark3>data askdemod 1
proxmark3>data mandemod 0

I decoded the output with an online tool and managed to write the HEX-ID to an Q7 Card.

So finally I got the facts:
* EM4100 Chip
* RF/64 ASK Manchester

But still the command "lf em4x em410xwatch" is not working. The Output of the command can be found in the previous post.

Any idea why it's not working?

Thanks.

hlange

Member

Registered: 2013-05-09

Posts: 8

Re: Something like EM4100

Ok, some more research stuff:

I think the problem of the 'em410xwatch' command is the Line 254 in the 'cmdlfem4x.c' file:

CmdSamples("2000");

In svn715 you put this value to 4000. But perhaps it's too low. Isn't it possible to put this value as a variable in the commandline or to the GUI? I'm no programmer guy, so unfortunately I can't do it.

holiman

Contributor

Registered: 2013-05-03

Posts: 566

Re: Something like EM4100

in  http://www.proxmark.org/forum/viewtopic … 6988#p6988 it seems like the samples now work differently, so we need to multiply all occurrences like these by four in order to get them working as before again.

So, if you change it to 8000, compile and make, does it work?

Last edited by holiman (2013-05-15 19:25:15)

hlange

Member

Registered: 2013-05-09

Posts: 8

Re: Something like EM4100

yep. the command is working now. thanks for giving some background and confirmation.

Neuer_User

Contributor

Registered: 2013-03-26

Posts: 88

Re: Something like EM4100

In r715 apresence changed the samples to 4000 at that line because of a lower data clock. So I guess, we need to move to 16000 here to have it working with lower data clock tags.

holiman

Contributor

Registered: 2013-05-03

Posts: 566

Re: Something like EM4100

Changed to 16000 in r716, yell if something broke

Last edited by holiman (2013-05-16 19:11:42)