Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
So I purchased some RFIDs from China and when I try to lf search, it doesn't return any data nor can I write to it. I have to wait until Monday to talk to the supplier so the last message I have from them is that I needed to format the EM4305 before I can write to it.
Wanted to check with this group if this makes sense. If so, would someone be able to point me to the commands, wiki, documentation on how to format an EM4305 so I can write to it? Chips have 512 mem.
Offline
Not sure what they mean by format. Maybe they mean write the data to the card to emulate a card (e.g. EM4100)
Have you tried the lf em 4x05 commands ?
From memory the default password will be 00000000 which if not supplied should be the default.
Try something like this:
lf em 4x05_read 7
-> read block 7 (should be 00000000 on a new card)
lf em 4x05_write 7 12345678
-> will write 12345678 to block 7
now, read back
lf em 4x05_read 7
-> read block 7 (should now be 12345678)
Offline
Thanks for the reply mwalker.
I tried and get a Read Address 07 | failed
Offline
lf read
If you can see data, then "needed to format"=needed password... China..
Offline
@anybody
lf read outputs:
proxmark3> lf read
#db# LF Sampling config:
#db# [q] divisor: 95
#db# [b.] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# [s.] samples to skip: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 9f a3 a3 a4 a3 a3 a0 9f ...
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
Does that mean it can "see" data? Needs a password?
Offline
Thanks for the reply mwalker.
I tried and get a Read Address 07 | failed
On a new card the "use password" flags in the config should not be set, thus no need for a password.
You could try with the default password.
e.g.
lf em 4x05_read 7 00000000
Did your supplier come back with anything?
Side note: I have seen amazon suppliers just sell cards calling them X but sending Y (I am sure they don't know what they are).
e.g. I ordered 20 EM4305 and they came "setup" as EM4100 tags and were T5200 (T5577 almost) chips (so not even close).
As such, just to check, try
lf t55 detect
And see if anything comes back.
Offline
@mwalker
I have a meeting with the supplier tomorrow. She's supposed to send me a video.
Here's my results:
proxmark3> lf em 4x05read 7 00000000
Reading address 07 | password 00000000
Read Address 07 | failed
Tried the t55 and got this:
proxmark3> lf t55 detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
Not familiar with that command so not sure what manual config to put.
Appreciate the replies!
Offline
For new cards, usually no passwords are needed. These are new cards, but .. "checked" by the seller ..
I received cards with a set password from Chinese sellers .. "Everything is checked, everything works. You need our duplicator." In my case it was 51243648.
I agree, maybe T5200.
Last edited by anybody (2019-09-23 05:59:59)
Offline
ha, checked with a blue / white gun. That made me laugh.
Offline
So I spoke with the person in China and they said because it's not formatted I need a writer like this one: https://www.newegg.com/p/2ZM-0112-002X5
Is this valid?
Offline
Without knowing what you really have it's all a little weird.
A real EM4305 would not need formatting. It's a card with a fixed block layout, no password set, ready to read and write.
A real T55xx same as, no formatting needed.
Of course you do need to write the config and data to the cards in order for them to "emulate" real cards like the HID Proxcard II, EM4100 etc, but that can be done with the pm3 no problems.
A quick look at the unit in your link, that just looks like a programmer OF the 4305 etc.
So I am guessing there is some sort of password on the card.
The EM4305 should allow reading of block 0/1 even if a password is set.
So let's try
lf em 4x05_read 0
lf em 4x05_read 1
What firmware are you running on the proxmark? Some of the T55xx is a little different between the rrg and official repos.
Offline
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-118-g096dee1-suspect 2019-07-22 23:14:08
os: master/v3.1.0-118-g096dee1-suspect 2019-07-22 23:14:09
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07
SmartCard Slot: not available
uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 210815 bytes (80). Free: 51329 bytes (20).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> lf em 4x05readword 0
Reading address 00
Read Address 00 | failed
proxmark3> lf em 4x05readword 1
Reading address 01
Read Address 01 | failed
proxmark3>
I'll see if I can get more detail on the RFID. The detail that they gave me was that these chips are blank and need to be formatted with a writer like the link that was posted.
Offline
Try pwd 05D73B9F
And..
Would be nice to get a trace file. Share it?
lf read data save em4305.pm3
Last edited by anybody (2019-09-25 15:11:52)
Offline
Quick update. I purchased this RFID writer\reader to validate what the tech said from China. https://www.amazon.com/HFeng-125Khz-Handheld-Duplicator-Programmer/dp/B07DQR7GW9/ref=asc_df_B07DQR7GW9/?tag=hyprod-20&linkCode=df0&hvadid=242012522334&hvpos=1o2&hvnetw=g&hvrand=4312849785567228141&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9030098&hvtargid=pla-489511983358&psc=1
To my surprise, I was able to clone a good em4305 (another one I had that works with Proxmark) to the "blank" rfid. lf search finally works. I'm trying to edit line 6 = lf em 4x05write a 6 d 5A003000, but it won't allow me to edit it. Weird...
Does this site have the ability to share files? If not, I'll have to dropbox or something. Here's a snippet. (Not sure if the snippet even helps... way past my skill level.)
Offline
Do the lf em 4x05 commands work now?
Can you post the output of the lf search that showed it was a 4x05.
Offline
@gcfiend, can you share traces from your Chinese device?
Offline
em commands work.
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found:
EM TAG ID : 0000000C31
Possible de-scramble patterns
Unique TAG ID : 000000308C
HoneyWell IdentKey {
DEZ 8 : 00003121
DEZ 10 : 0000003121
DEZ 5.5 : 00000.03121
DEZ 3.5A : 000.03121
DEZ 3.5B : 000.03121
DEZ 3.5C : 000.03121
DEZ 14/IK2 : 00000000003121
DEZ 15/IK3 : 000000000012428
DEZ 20/ZK : 00000000000003000812
}
Other : 03121_000_00003121
Pattern Paxton : 1329713 [0x144A31]
Pattern 1 : 2636 [0xA4C]
Pattern Sebury : 3121 0 3121 [0xC31 0x0 0xC31]
Valid EM410x ID Found!
Valid EM4x05/EM4x69 Chip Found
Try lf em 4x05... commands
Although once I zap the thing with the Handheld RFID reader, I can't use the Proxmark to edit, for example, address 7.
@anybody - when you say "share traces from your Chinese device", can you elaborate?
Offline
Most likely your handheld Chinese cloner configures your card with password protection. You would need to figure out which password it uses in order to "liberate" your cards once again.
In order to sort that, you will need to master the art of sniffing the traffic between cloner / tag with your proxmark when you run the cloner...
Offline
It's sounding more like an EM4x69 than the EM4x05.
A quick scan of the EM4169 data sheet:
EEPROM organization
The EEPROM is organized in 8 words of 16 bits. EEPROM words are counted from 0 to 7. Bits in an EEPROM word are counted
from 0 to 15. When EEPROM readout is initiated (after POR or after return from command to read mode) read out is started from
word 0 and increments to word 7. Readout in a word is started by bit 0 and then increments up to bit 15. After word 7 bit 15 is
read readout continues with word 0 bit 0 without any pause. So it is very important to organize data written in EEPROM in a way
that reader can detect the position of bits in data stream. For Manchester encoding Word 0 and word 4 are factory programmed
and locked (see figure 7a), for BI-phase encoding the 8 words are user free (see figure 7b and 7c). Following tables show how
standard versions are factory programmed.
src : https://www.digchip.com/datasheets/parts/datasheet/147/EM4169-pdf.php
The way it reads, it tends to match with the sellers comment about "formatting" the card.
Also explains why the em4x05 commands don't work (even when blank).
Next step would be, as per @anybody's request, to use the PM3 to capture what the "format/programmer" is sending.
I would try a capture without a card and one with the card (between the PM3 and programmer)
Offline
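The EM410x frame that the lf search above decoded (EM TAG ID 0000000C31, Unique TAG ID 000000308C) and the datasheet point that readout runs continuously from word 7 back into word 0, so the reader has to find the bit position itself, as an added example that is not code from the thread or from the Proxmark3 project. It assumes the standard EM410x layout (9 header ones, ten rows of 4 data bits plus even row parity, 4 even column parity bits, one stop 0) and uses the thread's ID as its sample.

```python
# Added example, not code from the thread or the Proxmark3 project.
# Assumes the standard EM410x frame layout: 9 header ones, ten rows of
# 4 data bits + even row parity, 4 even column parity bits, one stop 0.
# Sample ID 0x0000000C31 is the EM TAG ID from the lf search output above.

def build_em410x_frame(card_id):
    """Encode a 40-bit EM410x ID into the 64-bit frame the tag repeats."""
    assert 0 <= card_id < (1 << 40)
    nibbles = [(card_id >> (36 - 4 * i)) & 0xF for i in range(10)]
    bits = [1] * 9                                  # header: 9 ones
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) % 2]                # even row parity
    for col in range(4):                            # even column parity
        bits.append(sum((n >> (3 - col)) & 1 for n in nibbles) % 2)
    bits.append(0)                                  # stop bit
    return bits

def decode_em410x_stream(stream):
    """Locate the header in a continuous, arbitrarily rotated bit stream
    (the tag never pauses between word 7 and word 0), verify row and
    column parity, and return the 40-bit ID, or None if no frame fits."""
    n = len(stream)
    for start in range(n):
        frame = [stream[(start + i) % n] for i in range(64)]
        if frame[:9] != [1] * 9 or frame[63] != 0:
            continue
        rows = [frame[9 + 5 * r:14 + 5 * r] for r in range(10)]
        if any(sum(row) % 2 for row in rows):       # row parity (5 bits)
            continue
        if any(sum(rows[r][c] for r in range(10)) % 2 != frame[59 + c]
               for c in range(4)):                  # column parity
            continue
        card_id = 0
        for row in rows:
            for b in row[:4]:
                card_id = (card_id << 1) | b
        return card_id
    return None

def unique_tag_id(card_id):
    """Reverse the bit order inside each of the 5 bytes; this is how the
    'Unique TAG ID' line (000000308C for 0000000C31) is derived."""
    out = 0
    for i in range(5):
        byte = (card_id >> (8 * (4 - i))) & 0xFF
        out = (out << 8) | int(f"{byte:08b}"[::-1], 2)
    return out
```

A frame with a flipped data bit fails row parity at every alignment, so the decoder returns None rather than a wrong ID.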
Ok, thank you. I'll capture a trace and upload to a file share.
@iceman - I ordered another "writer" that I can connect to a PC. There appears to be software that would allow more flexibility so I'll probably end up just returning the handheld.... although this would be a great opportunity to learn how to sniff traffic since a use case does present itself.
Last edited by gcfiend (2019-09-27 18:02:39)
Offline
You should definitely learn to sniff it. Mrwalker is quite good at it.
Offline
@gcfiend
To start the sniffing process, note there are some little differences between the rrg repo and the official repo. I think you are on the official?
To get started try this.
pm3> data plot
This should bring up the wave form window.
pm3> lf config t 64
This will tell the proxmark to wait until a sample is > 64 (else it will just return lots of 0 samples).
pm3> lf snoop
Then place the programmer over the proxmark lf antenna and press the program button on the programmer/cloner.
All going well you should see a wave form on the screen.
You can then save that with
pm3> data save <filename>
Offline