Research, development and trades concerning the powerful Proxmark3 device.
Greetings All,
I have come here today seeking help with a strange problem.
I seem to have somehow overwritten or corrupted the EM4200 RFID implant in my hand. Please have patience as I am completely new to the technology and do not have as firm a grasp as most of you guys/gals.
I have an implant in my hand which has been working since it was “installed” about two months ago. http://dangerousthings.com/shop/xemi-em4200-2x12mm-injection-kit/
I have two readers on the outside of my house and use these as access control for my property. Everything was working fine. Until today…
I received my PM3, HID and EMx handheld cloners from XFPGA this week and began tinkering. After cloning a few tags with the handheld HID cloner and testing that they worked I discovered that my implant stopped responding. It won’t read on my properties readers or my USB EMx reader.
I did however get it to read from my HID Handheld cloner, but I couldn’t write the reading to another blank chip…
I don’t know what has happened. I am now unable to use my implant as access control and cannot seem to get it to read from anything at all.
I was under the impression that the EM4200 chip implant from dangerous things was read only and would not be affected by this.
So that’s my situation… I’m hoping someone here is willing to help me investigate the issue and help me find a solution.
EM4200 is read only.
Thanks asper. That's what i thought.
However I doubt it's purely coincidence that my EM4200 implant malfunctioned/stopped working straight after I cloned some HID cards. Is there any way there could have been any interference?
HID produces both 125kHz (prox) and 13.56MHz (iClass) tags [they also have hybrid ones]; EM4200 is a 125kHz one. Try to detect which kind of HID card you have.
Everything I've been working with has been LF. So the HID cards I cloned were prox. The implant is also LF 125kHz and only stopped responding after I was cloning the HID prox cards. I was also holding the blanks in the same hand as my implant when I was writing to them.
Is there something I can check with the proxmark that will help?
You can try to read it using the PM3 with the EM4x commands and see if the ID is correct, if you backed it up somewhere. Be careful not to post the result of the read here, otherwise someone can gain access to your house. I suggest you change the way you access, because read-only 125kHz technology is really old and is really easy to duplicate just sitting next to you.
The command to read is: lf em4x em410xread: put your hand near the antenna and launch the command.
You can also try lf em4x em410xwatch: launch it and then put your hand near the antenna (to stop the command press the pm3 button).
Last edited by asper (2014-10-03 14:21:48)
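For anyone wondering what lf em4x em410xread actually verifies before it reports an ID: an EM4200/EM410x-compatible tag repeats a 64-bit frame made of a 9-bit all-ones header, ten 5-bit rows (4 ID bits plus an even parity bit), four column parity bits and a 0 stop bit, and the client only accepts a frame whose parities all check out. The script below reproduces those checks; it is an added example written for this thread, not Proxmark3 client code, and the tag ID, helper names and "damaged" capture are constructed.

```python
# EM410x frame layout (what an EM4200/EM410x-compatible 125 kHz tag transmits, repeated
# continuously): 9 header bits (all 1), then 10 rows of 4 ID bits plus an even row-parity
# bit, then 4 even column-parity bits, then a 0 stop bit.  9 + 50 + 4 + 1 = 64 bits.
HEADER = [1] * 9

def em410x_encode(tag_id):
    """Build the 64-bit frame for a 40-bit EM410x ID (hypothetical helper name)."""
    if not 0 <= tag_id < (1 << 40):
        raise ValueError("EM410x IDs are 40 bits")
    nibbles = [(tag_id >> (4 * (9 - i))) & 0xF for i in range(10)]
    rows = [[(n >> (3 - b)) & 1 for b in range(4)] for n in nibbles]
    bits = HEADER[:]
    for row in rows:
        bits += row + [sum(row) % 2]                  # even parity over the 4 ID bits
    bits += [sum(r[c] for r in rows) % 2 for c in range(4)]  # even parity down each column
    bits.append(0)                                    # stop bit
    return bits

def em410x_decode(stream):
    """Search a demodulated bit stream for a frame that passes every parity check.
    Returns (tag_id, offset) or None.  The stream is treated as circular because a
    tag repeats its frame and a capture rarely starts exactly on a header."""
    n = len(stream)
    if n < 64:
        return None
    doubled = list(stream) * 2
    for start in range(n):
        frame = doubled[start:start + 64]
        if frame[:9] != HEADER or frame[63] != 0:     # header and stop bit
            continue
        rows = [frame[9 + 5 * i:14 + 5 * i] for i in range(10)]
        if any(sum(r) % 2 for r in rows):             # every 5-bit row must be even
            continue
        cols = frame[59:63]
        if any((sum(r[c] for r in rows) + cols[c]) % 2 for c in range(4)):  # columns
            continue
        tag_id = 0
        for r in rows:
            tag_id = (tag_id << 4) | (r[0] << 3) | (r[1] << 2) | (r[2] << 1) | r[3]
        return tag_id, start
    return None

# Constructed sample ID (not a real tag): round trip, a capture that starts mid-frame,
# and a single flipped bit, which a reader rejects rather than reporting a wrong ID.
SAMPLE_ID = 0x2A1B3C4D5E

if __name__ == "__main__":
    frame = em410x_encode(SAMPLE_ID)
    print(em410x_decode(frame))                       # (SAMPLE_ID, 0)
    print(em410x_decode(frame[20:] + frame[:20]))    # (SAMPLE_ID, 44)
    damaged = frame[:]
    damaged[15] ^= 1                                  # corrupt one bit in row 1
    print(em410x_decode(damaged))                     # None
```

A tag that the HID cloner reads but no EM reader accepts is consistent with this: whatever it now emits no longer forms a frame that passes these checks.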
Thanks. I will setup the PM3 and update the firmware and check back with an update.
I'm aware the technology is really old and is easy to duplicate; however for this project it was a risk I was willing to accept, also to meet the initial budget. It's still easier to throw a rock through a window than to sit next to me and try to duplicate the value of the RFID. I will be upgrading to an NFC implant later on, which will provide a little more protection.
The link provided appears to be for a "em4200 compatible" tag. That leaves the door wide open as to which exact tag is used... It appears that if it was messed up by a write command from a cloner it might be a r/w tag configured to em compatibility. In which case it could probably be reprogrammed if you can identify which chip it is you need to program to.
In which case it could probably be reprogrammed
Seems likely, as ISO27001 reports it can be read by the HID handheld cloner but not any of the EM readers.
The lf hid fskdemod command on the PM3 should help clarify if that's the case.
Thanks for your responses. I am in contact with the manufacturer to diagnose the cause of the issue. But it looks like the HID Cloner has overwritten the chip.
Also I think I may have bricked my PM3 while updating the firmware. While the unit is turning on, all LEDs are solid, then the green turns off almost instantly and the red and yellow remain solid. I don’t know what I have done.
I seem to have a knack for breaking things recently...
It is not broken if it was "just" overwritten. Read an EM tag with that handheld programmer and rewrite your tag. Does it work?
If yes, use the PM3, remove the password, rewrite your tag with the correct values (assuming you have saved it somewhere?).
I have tried to write the correct info back to the implant with the handheld scanners, but have not had any success. I have tried the following:
Read EM410x good fob with RFID Cloner (reads successful) attempt to write to implant (does not work)
Read EM410x good fob with RFID HID Cloner (reads successful) attempt to write to implant (does not work)
Read Implant with RFID Cloner (does not read)
Read Implant with RFID HID Cloner (reads successfully) attempt to write to EM410x chip (does not write)
Read Implant with RFID HID Cloner (reads successfully) attempt to write to T55x7 chip (writes successfully) but won't scan with any of my readers.
I think I may have bricked my PM3 while updating the firmware. While the unit is turning on, all LED’s are solid, then the green turns off almost instantly and the red and yellow remain solid. I don’t know what I have done.
After flashing the bootloader properly I have updated the PM3. I have attached a dump of 20000 lf read data samples at http://pastebin.com/JxMN4bwdto try and make sense of the current situation of the implant.
I know asper warned of uploading the data, as it may allow someone access to my property. However I have removed the chip from my access system and I don't see any risk of uploading the current data.
Sorry there should be a space before the "to" at the end of the link.
The correct URL is http://pastebin.com/JxMN4bwd
Strange trace... are you sure your antenna has a good connection?
Antenna power?
I see a pattern in it but it is not a fully developed wave, imo. What commands did you use to get the trace?
Yeah, there is definitely a pattern but the signal is too low. I had to "data norm" it, then it looks almost ok.
Are you sure you flashed your bootrom and full FPGA image with the changes where the LF signal got an IIR lowpass filter? Or maybe it's not in the v1.1.0 release? Was it just in the unstable branch? I forgot.
These are the current hw version, hw tune and commands I ran to get the data samples:
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: /-suspect 2014-09-19 10:31:37
#db# os: /-suspect 2014-09-13 11:21:04
#db# LF FPGA image built on 2014/ 6/23 at 9:25:13
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
proxmark3>
proxmark3> #db# Measuring antenna characteristics, please wait...
proxmark3> #db# Measuring complete, sending report back to host
proxmark3>
proxmark3> # LF antenna: 14.37 V @ 125.00 kHz
proxmark3> # LF antenna: 12.08 V @ 134.00 kHz
proxmark3> # LF optimal: 16.38 V @ 127.66 kHz
proxmark3> # HF antenna: 0.35 V @ 13.56 MHz
proxmark3> # Your HF antenna is unusable.
proxmark3> hw tune
proxmark3>
proxmark3> #db# Measuring antenna characteristics, please wait...
proxmark3> #db# Measuring complete, sending report back to host
proxmark3>
proxmark3> # LF antenna: 14.37 V @ 125.00 kHz
proxmark3> # LF antenna: 12.35 V @ 134.00 kHz
proxmark3> # LF optimal: 16.65 V @ 129.03 kHz
proxmark3> # HF antenna: 0.03 V @ 13.56 MHz
proxmark3> # Your HF antenna is unusable.
proxmark3> lf read
#db# buffer samples: 5c 58 58 55 56 57 56 58 ...
proxmark3>
proxmark3> data samples 20000
Reading 20000 samples
Done!
proxmark3> data save C:\proxmark\dump2.txt
saved to 'C:\proxmark\dump2.txt'
proxmark3>
My LF antenna voltage has never been over 10.5V since the day I bought my PM3 (which I realize is low) but I've not had any problems because of it.
I haven't looked at the trace, but as the handheld HID cloner can read the implant - and you mention you were cloning HID cards/tags at the time it stopped working - I'd try the command:
lf hid fskdemod
to see if it comes back with the code of any of the HID tags you were cloning at the time.
I suggest running,
lf read
data samples 16000
data plot
data norm
lf hid fskdemod
I have run lf fskdemod; however the orange LED remained solid and the red constantly flashed.
I ran the commands iceman suggested and uploaded the results to http://pastebin.com/zfzgxidj
I remember reading somewhere that these Chinese cloners set a password on the chip when writing; could this be causing an issue?
This is the data plot from the commands iceman suggested.