Research, development and trades concerning the powerful Proxmark3 device.
Can someone confirm that a simulation of a dumped EM4x50 is not really successful? With the original token the reader reacts with a long beep, while using the simulation on the Proxmark it only reacts with two short beeps. Could there be a problem with the default dual antenna? I know that reading 125 kHz tokens is sometimes really hard and often only a little move of the token on the reader away :-/
I read here that a little time ago the simulator had timing issues ...
So can someone tell me the current state of EM4x50 simulations on the Proxmark?
Last edited by Einstein2150 (2021-02-08 09:51:31)
The EM4x50 simulation indeed reacts critically to timing issues.
So far this function has only been tested against a second Proxmark running the available EM4x50 commands and a reader from Elatec (TWN4, director software). For these devices the sim function should work properly.
Unfortunately I don't have more readers to provide accurate tests. Which model do you use?
We use these Honeywell readers in our company:
I've read the description of your access system. If you are really using rolling codes there's a password check involved. Do you know the password? It will not be in the dump of your IK3 key fob.
The two short beeps you mentioned may indicate that the reader has received data from the Proxmark, but authentication has failed.
> The two short beeps you mentioned may indicate that the reader has received data from the Proxmark, but authentication has failed.
After a few tries I think it would be the key exchange which secures the token from being copied. I think this system is under the current configuration secure. That's good for our company.
Thanks for your reply.
> I think this system is under the current configuration secure.
Although the system claims to be encrypted, the password sent by the reader is not encrypted. So there are possibilities...
> Thanks for your reply.
> > Einstein2150 wrote: I think this system is under the current configuration secure.
> Although the system claims to be encrypted, the password sent by the reader is not encrypted. So there are possibilities...
There is theoretically a small slot. While MitM-ing the code and copying the token, the secret key on the token is in sync with the background system. After the first use of the token (original token or the simulated one) the secret key on the token gets changed. After the first use of the other token with the old unchanged code, the token gets rejected and blocked by the background system.
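The rolling-code behaviour described in the last post, modelled from the backend's side as an added example; it is not code from the thread or from the vendor's system. The class names, the code length and the choice to block the whole token ID after a stale code are assumptions made for illustration.

```python
import secrets


class Token:
    """Hypothetical fob: an ID plus the rolling code last written to it."""
    def __init__(self, token_id, code):
        self.token_id = token_id
        self.code = code

    def copy(self):
        # A second token holding the same ID and the same code snapshot.
        return Token(self.token_id, self.code)


class Backend:
    """Hypothetical background system tracking one rolling code per token ID."""
    def __init__(self):
        self.current = {}     # token_id -> code expected on the next use
        self.blocked = set()  # token IDs locked out after a stale code
        self.alerts = []      # duplicate-token indicators for review

    def enroll(self, token_id):
        self.current[token_id] = secrets.token_hex(8)
        return Token(token_id, self.current[token_id])

    def present(self, token):
        tid = token.token_id
        if tid in self.blocked:
            return "blocked"
        if tid not in self.current:
            return "denied"
        if not secrets.compare_digest(token.code, self.current[tid]):
            # A stale code means two tokens with this ID are in circulation.
            self.blocked.add(tid)
            self.alerts.append(f"stale code for {tid}: possible duplicate token")
            return "blocked"
        # Valid use: roll the code on both the backend and the presented token.
        self.current[tid] = token.code = secrets.token_hex(8)
        return "granted"


def demo(first_user):
    """Present original and copy in the given order, then the first one again."""
    backend = Backend()
    original = backend.enroll("fob-1")  # constructed sample token ID
    duplicate = original.copy()
    order = [original, duplicate] if first_user == "original" else [duplicate, original]
    results = [backend.present(t) for t in order]
    results.append(backend.present(order[0]))
    return results, backend.alerts
```

In this model the outcome is the same whichever token is used first: one use is granted before the stale code is seen, so the block event is the signal to alert on and investigate.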