Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

  • Logged in as ikarus
  • Last visit: Today 11:22:42

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-03-27 01:36:30

mikef2501
Contributor
Registered: 2020-03-26
Posts: 5

Emulating simple HID with an EM4305

Hello,

I am just starting out playing with RFID and a Proxmark3 Easy I purchased recently.  I figured making a backup of a simple HID access key I have would be a good first project, but I'm having a little trouble finding information on how to configure my target chip.

The source chip (the one I'm trying to make a backup of) is an HID 26-bit card.  The target chip is an EM4305.  I just purchased the EM4305, and I don't believe it has been password-protected, as I can dump all of the blocks without issue.  I have heard that one of the great features of the 4x05 series is that it can be configured to behave like many other chips.

My questions are: where can I find information on how to configure the em4x05 to behave in different ways with proxmark and, specifically, how can it be configured to behave like my HID card when queried?  I've done some searches on this forum and elsewhere and I haven't found a guide.  Actually, I'm starting to see signs that the proxmark doesn't have commands set up yet to write/configure the 4x05.  Is this the case, and should I try to find something like the T5577?

Thanks for any and all your input,
Mike F.

Offline

#2 2020-03-27 01:57:17

mikef2501
Contributor
Registered: 2020-03-26
Posts: 5

Re: Emulating simple HID with an EM4305

Here's the output from the em4305:

proxmark3> lf em 4x05dump
 Got Address 00 | 00040072
 Got Address 01 | 36DC130E
 PWD Address 02 | cannot read
 Got Address 03 | 00009A43
 Got Address 04 | 0011805F
 Got Address 05 | 2000E9FF
 Got Address 06 | 23D9DDBD
 Got Address 07 | 00000000
 Got Address 08 | 00000000
 Got Address 09 | 00000000
 Got Address 10 | 00000000
 Got Address 11 | 00000000
 Got Address 12 | 00000000
 Got Address 13 | 00000000
Lock Address 14 | 00008002
Lock Address 15 | 00000000

Here's the output of my HID card (some of the numbers have been changed to protect the guilty innocent:

proxmark3> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

HID Prox TAG ID: 0006181B01
--------------------------------------------------
       Format: H10301 (HID H10301 26-bit)
Facility Code: 12
  Card Number: 3456
       Parity: Valid
--------------------------------------------------

Valid HID Prox ID Found!

Is there a better way to dump the HID than just a lf search?

Offline

#3 2020-03-27 16:42:39

Sentinel
Contributor
Registered: 2012-11-26
Posts: 190

Re: Emulating simple HID with an EM4305

read the documents on the 4305 chip.
it does not support frequency modulation.
It is not possible to make an HID card from it.

Offline

Quick reply

Write your message and submit

Board footer

Powered by FluxBB