troubleshooting lf em 4x05dump

gcfiend · 2019-07-23 15:03:38

Experts!
I'm fairly new to Proxmark and RFIDs and looking for some guidance on results I'm getting when attempting to do a em 4x05 dump.

I'm using a Proxmark3 EASY clone.

Here's my hw and antennae info:

-------------------------------------------
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-118-g096dee1-suspect 2019-07-22 23:14:08
os: master/v3.1.0-118-g096dee1-suspect 2019-07-22 23:14:09
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07
SmartCard Slot: not available

uC: AT91SAM7S256 Rev C
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 210815 bytes (80). Free: 51329 bytes (20).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune

Measuring antenna characteristics, please wait.........
# LF antenna: 47.02 V @ 125.00 kHz
# LF antenna: 39.19 V @ 134.00 kHz
# LF optimal: 52.11 V @ 127.66 kHz
# HF antenna: 30.45 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
-----------------------------------------------

I can lf search without issues:

-----------------------------------------------
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

EM410x pattern found:

EM TAG ID : 0000000C0F

Possible de-scramble patterns
Unique TAG ID : 00000030F0
HoneyWell IdentKey {
DEZ 8 : 00003087
DEZ 10 : 0000003087
DEZ 5.5 : 00000.03087
DEZ 3.5A : 000.03087
DEZ 3.5B : 000.03087
DEZ 3.5C : 000.03087
DEZ 14/IK2 : 00000000003087
DEZ 15/IK3 : 000000000012528
DEZ 20/ZK : 00000000000003001500
}
Other : 03087_000_00003087
Pattern Paxton : 1329679 [0x144A0F]
Pattern 1 : 1652 [0x674]
Pattern Sebury : 3087 0 3087 [0xC0F 0x0 0xC0F]

Valid EM410x ID Found!
--------------------------------------------------------------

But when I do a lf em 4x05dump, it fails to read the address:

Is this an issue with my hardware? What would be some reasons why I can read the address spaces?

gcfiend · 2019-07-23 21:16:56

Interesting.. I starting moving the RFID item to different orientations in the lf antennae "circle" and it reads some of the address spaces? Is this because of a tuning issue or underpowered antennae?

gcfiend · 2019-07-23 21:37:55

My goal was to change Address space 6. After doing the lf em 4x05writeword command about 7 times, it finally took. Success!

So for the experts, is this because I have a crappy Proxmark3, needs to be tuned, or is normal operations?

marshmellow · 2019-07-24 00:58:34

Em410x not = EM4x05

iceman · 2019-07-24 17:54:02

Em410x not = EM4x05

+1

gcfiend · 2019-07-24 20:28:46

Thanks for the feedback. If EM410x is not EM4x05, does this mean that the lf search results is incorrect? Would it be possible to for me to apply a em4x05 command and do a successful write?

proxmark3> lf em 4x05writeword a 6 d 18003000
Writing address 6 data 18003000
Write Verified

marshmellow · 2019-07-24 23:16:39

I don't see where lf search found an em4x05 chip, did you omit it?

It is possible to get a false positive on the reading of the response after a write command, especially if is not an actual em4x05 chip

gcfiend · 2019-07-25 07:00:06

No editing. Heres an lf search followed by a dump:

proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

EM410x pattern found:

EM TAG ID : 0000000C00

Possible de-scramble patterns
Unique TAG ID : 0000003000
HoneyWell IdentKey {
DEZ 8 : 00003072
DEZ 10 : 0000003072
DEZ 5.5 : 00000.03072
DEZ 3.5A : 000.03072
DEZ 3.5B : 000.03072
DEZ 3.5C : 000.03072
DEZ 14/IK2 : 00000000003072
DEZ 15/IK3 : 000000000012288
DEZ 20/ZK : 00000000000003000000
}
Other : 03072_000_00003072
Pattern Paxton : 1329664 [0x144A00]
Pattern 1 : 68 [0x44]
Pattern Sebury : 3072 0 3072 [0xC00 0x0 0xC00]

Possible this item has two rfids? I have to position the item on the lf antennae just right or the em 4x05dump wont read it. Takes a bit for me to successfully run the em 4x05 command. The item needs to be positioned just right and even then I retry a couple times to get Read Address 06.

marshmellow · 2019-07-25 13:28:25

Em410x can be a chip or a format programmed on a configurable chip.

Em4x05 is a configurable chip. In you're case it looks as if you're antenna is just on the edge of successfully coupling with the chip. As it does indeed appear you have an em4x05 chip based on some of the dump values.

Are you running the most current firmware from the master repo? some adjustments were made a week ago or so to this.

The em4x05 is sensitive to the build of the antenna not the voltage. (But the Q value) often antennas that come with newer devices aren't good enough.

You might be able to find a sweet spot to get some results, but make sure you're on the latest code too.

Proxmark3 community

Announcement

#1 2019-07-23 15:03:38

troubleshooting lf em 4x05dump

#2 2019-07-23 21:16:56

Re: troubleshooting lf em 4x05dump

#3 2019-07-23 21:37:55

Re: troubleshooting lf em 4x05dump

#4 2019-07-24 00:58:34

Re: troubleshooting lf em 4x05dump

#5 2019-07-24 17:54:02

Re: troubleshooting lf em 4x05dump

#6 2019-07-24 20:28:46

Re: troubleshooting lf em 4x05dump

#7 2019-07-24 23:16:39

Re: troubleshooting lf em 4x05dump

#8 2019-07-25 07:00:06

Re: troubleshooting lf em 4x05dump

#9 2019-07-25 13:28:25

Re: troubleshooting lf em 4x05dump

Board footer