Proxmark3 community


#1 2021-01-29 08:33:48

Einstein2150
Contributor
Registered: 2021-01-27
Posts: 9

(solved) EM4x50 Simulation unstable/bug

Can someone confirm that a simulation of a dumped EM4x50 is not really successful? With the original token the reader reacts with a long beep - while using the simulation on the Proxmark it only reacts with two short beeps. Could there be a problem with the default dual-antenna? I know that reading 125 kHz tokens is sometimes really hard and often only a little move of the token on the reader away :-/

I read here that a little time ago the simulator had timing issues ...

So can someone tell me the current state of EM4x50 simulations on the Proxmark?

Last edited by Einstein2150 (2021-02-08 09:51:31)


#2 2021-02-02 09:05:26

tharexde
Contributor
Registered: 2020-06-14
Posts: 6

Re: (solved) EM4x50 Simulation unstable/bug

The EM4x50 simulation indeed reacts critically to timing issues.
So far this function has only been tested against a second Proxmark running the available EM4x50 commands and a reader from Elatec (TWN4, director software). For these devices the sim function should work properly.
Unfortunately I don't have more readers to provide accurate tests. Which model do you use?


#3 2021-02-03 09:23:30

Einstein2150
Contributor
Registered: 2021-01-27
Posts: 9

Re: (solved) EM4x50 Simulation unstable/bug

We use these Honeywell readers in our company:

https://www.security.honeywell.de/de/pr … er/023320/


#4 2021-02-03 22:03:22

tharexde
Contributor
Registered: 2020-06-14
Posts: 6

Re: (solved) EM4x50 Simulation unstable/bug

I've read the description of your access system. If you are really using rolling codes there's a password check involved. Do you know the password? It will not be in the dump of your IK3 key fob.
The two short beeps you mentioned may indicate that the reader has received data from the Proxmark, but authentication has failed.


#5 2021-02-08 08:04:29

Einstein2150
Contributor
Registered: 2021-01-27
Posts: 9

Re: (solved) EM4x50 Simulation unstable/bug

tharexde wrote:

The two short beeps you mentioned may indicate that the reader has received data from the Proxmark, but authentication has failed.

After a few tries I think it would be the key-exchange which secures the token from being copied. I think this system is under the current configuration secure. That's good for our company :D


#6 2021-02-08 13:30:36

tharexde
Contributor
Registered: 2020-06-14
Posts: 6

Re: (solved) EM4x50 Simulation unstable/bug

Thanks for your reply.

Einstein2150 wrote:

I think this system is under the current configuration secure.

Although the system claims to be encrypted, the password sent by the reader is not encrypted. So there are possibilities...


#7 2021-02-08 14:06:09

Einstein2150
Contributor
Registered: 2021-01-27
Posts: 9

Re: (solved) EM4x50 Simulation unstable/bug

tharexde wrote:

Thanks for your reply.

Einstein2150 wrote:

I think this system is under the current configuration secure.

Although the system claims to be encrypted, the password sent by the reader is not encrypted. So there are possibilities...

There is theoretically a small slot. While MitM-ing the code and copying the token, the secret key on the token is in sync with the background system. After the first use of the token (original token or the simulated one) the secret key on the token gets changed. After the first use of the other token with the old unchanged code, the token gets rejected and blocked by the background system :D

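The backend behaviour described in post #7 (code rotated on every accepted use, stale code rejected and the token blocked), modelled as an added example that is not code from the thread, the Proxmark3 project or the reader vendor. The class name, the 32-bit code width, the token id and the in-memory store are assumptions; the real system's protocol is not described on this page.

```python
import hmac
import secrets


class RollingCodeBackend:
    """Hypothetical backend: one expected code per token, rotated on each accepted use."""

    def __init__(self):
        self.expected = {}    # token_id -> code the backend expects next
        self.blocked = set()  # token ids locked out after a stale presentation
        self.events = []      # (token_id, event) audit trail for alerting

    def enroll(self, token_id):
        self.expected[token_id] = secrets.token_bytes(4)  # assumed 32-bit code
        return self.expected[token_id]

    def present(self, token_id, code):
        """Return (decision, new_code); new_code is written back to the presented token."""
        if token_id in self.blocked:
            self.events.append((token_id, "denied_blocked"))
            return "blocked", None
        want = self.expected.get(token_id)
        if want is None or not hmac.compare_digest(want, code):
            # Stale or wrong code: a copy exists or the token fell out of sync.
            self.blocked.add(token_id)
            self.events.append((token_id, "desync_blocked"))
            return "blocked", None
        new_code = secrets.token_bytes(4)
        while new_code == code:  # never re-issue the code just consumed
            new_code = secrets.token_bytes(4)
        self.expected[token_id] = new_code
        self.events.append((token_id, "granted_rotated"))
        return "granted", new_code


def demo():
    backend = RollingCodeBackend()
    original = backend.enroll("fob-001")  # constructed token id
    copy = original                       # duplicate made while both are in sync
    first, original = backend.present("fob-001", original)  # first use rotates the code
    second, _ = backend.present("fob-001", copy)            # duplicate now holds a stale code
    third, _ = backend.present("fob-001", original)         # token id stays blocked for everyone
    return first, second, third, [event for _, event in backend.events]


if __name__ == "__main__":
    print(demo())
```

The `desync_blocked` event is the one worth alerting on: it means two tokens claiming the same identity were presented, or a write-back to the genuine token failed.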
