Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2013-11-12 19:26:46

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

New 125kHz tag - Help to identify.

Here it is the file obtained with the following commands:

proxmark3> lf read 
#db# buffer samples: 40 44 46 4a b4 ff ff ff ...                 
proxmark3> 
proxmark3> data bitsamples
proxmark3> 
proxmark3> data plot
proxmark3> 
proxmark3> data save test.txt
saved to 'test.txt'          
proxmark3> 

Here it is a screenshot of the plot:
7nke2hDs.jpg

Here is the file obtained with the following commands:

proxmark3> lf read 
#db# buffer samples: 00 03 0a 11 18 1e 23 27 ...                 
proxmark3> 
proxmark3> data samples 4000
Reading 4000 samples
Done!
proxmark3> 
proxmark3> data plot
proxmark3> 
proxmark3> data save test2.txt
saved to 'test2.txt'          
proxmark3> 

Plot screenshot:
ZzNX6Sbs.jpg


The tag has a series of numbers prited on it: 00077xxxxx 118,yyyyy  (x and y are decimal values).

Producer seems to support only Wiegand format for 125kHz cards (I don't have producer data at the moment): can it be Wiegand ? It seems to be the same as this one.

Here the best Wiegand data format I was able to find; maybe it is a 83 bits...

Last edited by asper (2013-11-12 21:25:40)

Offline

#2 2013-11-12 22:35:18

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: New 125kHz tag - Help to identify.

Solved: it is an EM4100, a very simple 64 bit read only id-chip.

Steps to decode:

1 - Read ID
2 - convert in binary
3 - remove 1st 17 bits
4 - take 7 bits and convert in decimal = 3-value code printed on card
5 - take next 16 bits and convert in decimal = 5-value code printed on card
6 - take bits of step 4 & 5 together, convert in decimal, and you will get the 10-value code printed on card

Example:

If card id (read with a reader, es. proxmark3) is 140156c3ef:

decode in binary: 10100000000010(17bits) 1010110(7bits) 1100001111101111(16bits)
remove 1st 17 bytes: 1010110(7) 1100001111101111(16)  convert in decimal  -->  86  50159
all together  -->  10101101100001111101111(7+16bits)  -->  5686255

so the final number printed on tag will be: 5686255 86,50159.

Maybe 1st 17 bits are used for some kind of checks.

Last edited by asper (2013-11-13 12:35:31)

Offline

#3 2014-01-24 05:26:57

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: New 125kHz tag - Help to identify.

It doesn't work in my case...

ID 0x0F008882
Card No. 0012641
---------
0x0F0076E0
0122381

Last edited by app_o1 (2015-06-06 10:16:27)

Offline

#4 2014-01-24 19:49:53

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: New 125kHz tag - Help to identify.

Is it an EM4100 ? If so probably there is a different number generating "algo".

Offline

#5 2014-01-25 11:33:46

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: New 125kHz tag - Help to identify.

Maybe I found a "scramble pattern" for your bits:

Columns = different tags
- 0F00887882 (hex) => 111100000000100010000111100010000010 (bin)
-- 002412641 (dec) => 001001001101000001100001 (bin)

- 0F00E376E0 = 111100000000111000110111011011100000
-- 012245381 = 101110101101100110000101

Lines = HEX ID (H), only 1st 24bits / DECIMAL VALUE WRITTEN ON TAG (D) both converted to binary

Green = same hex 0 between tags
Red = same hex 1 between tags
Orange = same dec 0 between tags
Blue = same dec 1 between tags
0PLoRuX.png

Anyway more examples (tags) are needed to know if I am right.

Last edited by asper (2014-01-25 11:43:33)

Offline

#6 2014-01-25 12:10:08

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: New 125kHz tag - Help to identify.

00823969 = 0x0F00B4A7 (190-58535)
00825460 = 0x0F00BE57 (190-65111)
---
00654518 = 0x0F009F3D (149-32573)

Last edited by app_o1 (2015-06-06 10:16:13)

Offline

#7 2014-01-25 13:18:52

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: New 125kHz tag - Help to identify.

A working pattern for all data you provided (except 2 bits that are always 1 so I cannot determine where to put them but there are only 2 possibilities) is this:
0lZJ1Nn.png

So, if you have a decoded Hex ID to bin like:
0F00887882 (hex) => 0000111100000000-100010000111100010000010 (bin);

you need to remove 1st 16bis obtaining a 24-bits only value: 100010000111100010000010

Now label these 24 bits from b0 do b23:
b0 b1 b2 b3 - b4 b5 b6 b7 - b8 b9 b10 b11 - b12 b13 b14 b15 - b16 b17 b18 b19 - b20 b21 b22 b23

now scramble bits this way (I am not sure for x and y [b9-b10] but they can be easily switched):

b1 b3 b0 b2 - b6 b4 b7 b5 - b9 b11 b8 b10 - b18 b15 b23 b17 - b14 b12 b22 b21 - b19 b13 b20 b16

finally convert the scrambled bits to decimal and you should obtain the numebr printed on the card.


If someone is able to do a small software to elaborate bytes that way we can have a confirmation.

@app_o1: If you have other tags please test wink

Last edited by asper (2014-02-17 09:45:56)

Offline

#8 2014-01-26 03:19:07

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: New 125kHz tag - Help to identify.

Nice ! if I have other examples I will test them and let you know !

Offline

#9 2014-02-12 14:01:16

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: New 125kHz tag - Help to identify.

0144389 -> 0x0F0074DB or 0x0F00DC01
0152032 -> 0x0F007EDB or 0x0F00DC01

0x0F007EDB (gives 145235 ??)
0x0F020C01 (gives  24641 ??)

I do not know which hex ID  goes with which card no... sorry

Last edited by app_o1 (2015-06-06 10:16:46)

Offline

#10 2014-02-17 06:07:30

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: New 125kHz tag - Help to identify.

0x0F00AEAF94     1010 1110 1010 1111 1001 0100
004010207           0011 1101 0011 0000 1101 1111

Last edited by app_o1 (2014-02-17 06:07:40)

Offline

#11 2014-02-17 09:49:15

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: New 125kHz tag - Help to identify.

This seems to be the final correct pattern (found b19 and b10 position and reverted b15 with b20):

b1 b3 b0 b2 - b6 b4 b7 b5 - b9 b11 b8 b10 - b18 b20 b23 b17 - b14 b12 b22 b21 - b19 b13 b15 b16

It works with your latest posted value also, so F00D20C01 = 015204932.

Last edited by asper (2014-02-17 11:46:27)

Offline

#12 2014-06-11 07:33:29

eskizle
Contributor
Registered: 2011-07-18
Posts: 26

Re: New 125kHz tag - Help to identify.

asper wrote:

Solved: it is an EM4100, a very simple 64 bit read only id-chip.

Steps to decode:

1 - Read ID
2 - convert in binary
3 - remove 1st 17 bits
4 - take 7 bits and convert in decimal = 3-value code printed on card
5 - take next 16 bits and convert in decimal = 5-value code printed on card
6 - take bits of step 4 & 5 together, convert in decimal, and you will get the 10-value code printed on card

Example:

If card id (read with a reader, es. proxmark3) is 140156c3ef:

decode in binary: 10100000000010(17bits) 1010110(7bits) 1100001111101111(16bits)
remove 1st 17 bytes: 1010110(7) 1100001111101111(16)  convert in decimal  -->  86  50159
all together  -->  10101101100001111101111(7+16bits)  -->  5686255

so the final number printed on tag will be: 5686255 86,50159.

Maybe 1st 17 bits are used for some kind of checks.


did you manage to get the binary == 10100000000010(17bits) 1010110(7bits) 1100001111101111(16bits) == with  the data bitsamples (or data bitstream) command ?

Last edited by eskizle (2014-06-11 07:34:25)

Offline

#13 2014-06-29 15:26:31

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: New 125kHz tag - Help to identify.

Just reading the id with the correspondant command and converted it to bin.

Offline

#14 2014-12-05 06:21:03

slayercho
Contributor
Registered: 2014-11-19
Posts: 12

Re: New 125kHz tag - Help to identify.

Help me to identify my card. 125khz card with normal keyboard emulated reader uid is 747B00DE936080FF but in access control system card is converted in this number 0007799037. What kind of converting is that? I thing they use something like wiegand reader but not shure, and the question is how to convert 747B00DE936080FF -> 0007799037. I have over 1000 cards...

Offline

#15 2014-12-05 07:17:26

slayercho
Contributor
Registered: 2014-11-19
Posts: 12

Re: New 125kHz tag - Help to identify.

Examples of card - converted number


9c8d01de936080ff -> 7799062
fe8d01de936080ff -> 7799063
208e01de936080ff -> 7799064


Maybe its need to reverse hex bytes

ff806093de01d8c9 ..

Last edited by slayercho (2014-12-05 11:46:25)

Offline

#16 2014-12-05 11:55:13

Sentinel
Contributor
Registered: 2012-11-26
Posts: 190

Re: New 125kHz tag - Help to identify.

747B00DE936080FF
rearrange the sequence from right to left:
FF806093DE007B74

F       F       8      0      6      0      9      3       D      E     0       0       7      B      7      4
1111 1111 1000 0000 0110 0000 1001 0011 1101 1110 0000 0000 0111 1011 0111 0100

divide the sequence according to the protocol EM4100:
111111111 00000 00011 00000 10010 01111 01111 00000 00000 11110 11011 10100

111111111 - 9 header bits
0000 0  0
0001 1  1
0000 0  0
1001 0  6
0111 1  7
0111 1  7
0000 0  0
0000 0  0
1111 0  F
1101 1  D
1010 0  A - XOR


7700FD(HEX) = 0007799037(DEC)

Offline

#17 2014-12-08 18:13:42

slayercho
Contributor
Registered: 2014-11-19
Posts: 12

Re: New 125kHz tag - Help to identify.

Thank you very much!

111111111 - 9 header bits
0000 0  0
0001 1  1
0000 0  0
1001 0  6 - here is 9
0111 1  7
0111 1  7
0000 0  0
0000 0  0
1111 0  F
1101 1  D
1010 0  A - XOR

01097700FDA

I found 01 is customer ID information, but what is 09 if not using in hex to dec converting?

Is there a method to get back full hex FF806093DE007B74 if i know only 0007799037?

Offline

#18 2014-12-09 00:21:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: New 125kHz tag - Help to identify.

There was someone on the forum, who made a webbased em4100 decoder to just online.   I got inspired from that and build something in dotnet.

You can throw sniffed data to it,  it is not very picky.   Either hex values or the output from "data mandemod"
It tries to reverse,inverse, endianswap, on the binarystring. If it find something that is 55bits long and have 9 '1''s it trieds to decode it.

As you see from the pic below, it takes your sniffed data and found 2 different intepretations.

decode4100.png

Offline

#19 2014-12-09 16:32:39

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: New 125kHz tag - Help to identify.

iceman wrote:

There was someone on the forum, who made a webbased em4100 decoder to just online.

Some context here http://andrewmohawk.com/2013/01/27/bypa … y-systems/ and the tool is here http://andrewmohawk.com/EM41X/.

Offline

#20 2014-12-10 12:46:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: New 125kHz tag - Help to identify.

Just for the fun of it.

I built a WebService which you can call to decode a Em41xx tag,   either  you call it with sniffed hexvalues or the command "data mandemod" output (binary string)

http://www.icesql.se/Services/Em41xxDec … ervice.svc

why?  If someone wants to build in a decode into a mobile-app perhaps?

Offline

Board footer

Powered by FluxBB