Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Hi,
I have an implant 4305
I can read write by the white multi frequency china cloner.
I need to change the uid by proxmark3
I can read the implant by lf read and get valid data.
I tried to write uni by:
lf em 410xwrite abffcc2021 1
Also tried with p 19920427 (the cloner uses this pass on t55xx)
But it doesn't write
I tried also lf em 4x05write a 1 d abffcc2021
Also no success
Anyone know how to clone the uid to 4305?
RRG/Iceman repo https://github.com/rfidresearchgroup/proxmark3
Seems like my white china cloner set a pass to my implant.
Seems to be non of the pass listet in the pass lists.
I wrote a 5577 card, copied it with the white cloner to my implan, OK
read back the implant, copy to a new 5577 card, cannot read it and chk also cannot find pass.
If i clone the first 5577 to a 3th new 5577 i can read it with pm3 and pass 19920427
Any idea how i can get my 4305 implant to be read/write by PM3?
Unfortunately it seems there is almost no infos about the 4305 on the internet.
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID ABFFCC2021
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : D5FF330484
[=] HoneyWell IdentKey
[+] DEZ 8 : 13377569
[+] DEZ 10 : 4291567649
[+] DEZ 5.5 : 65484.08225
[+] DEZ 3.5A : 171.08225
[+] DEZ 3.5B : 255.08225
[+] DEZ 3.5C : 204.08225
[+] DEZ 14/IK2 : 00738730975265
[+] DEZ 15/IK3 : 000919109567620
[+] DEZ 20/ZK : 13051515030300040804
[=]
[+] Other : 08225_204_13377569
[+] Pattern Paxton : 2883608097 [0xABE05E21]
[+] Pattern 1 : 10820096 [0xA51A00]
[+] Pattern Sebury : 8225 76 4988961 [0x2021 0x4C 0x4C2021]
[=] ------------------------------------------------
[+] Valid EM410x ID found!
Couldn't identify a chipset
[usb] pm3 --> lf t5 chk --em ABFFCC2021
[=] press 'enter' to cancel the command
[=] testing 86CDA923 generated
[=] Chip Type : T55x7
[=] Modulation : ASK
[=] Bit Rate : 5 - RF/64
[=] Inverted : Yes
[=] Offset : 63
[=] Seq. Term. : Yes
[=] Block0 : 0x80168084 (Auto detect)
[=] Downlink Mode : default/fixed bit length
[=] Password Set : Yes
[=] Password : 86CDA923
[+] found valid password : [ 86CDA923 ]
[+] time in check pwd 0 seconds
[usb] pm3 --> lf em 4x05 write --addr 3 --pwd 86CDA923 --data 11223344
[=] Writing address 3 data 11223344 using password 86CDA923
[!!] Tag denied Write operation
[?] Hint: try `lf em 4x05 read` to verify
lf em 4x05 dump and lf em 5x05 info just do nothing
with another antenna i cn at least use the 4x05 commands
[usb] pm3 --> lf em 4x05 dump -p 11223344
[=] Found a EM4305 tag
[!] Password is incorrect, will try without password
[=] Addr | data | ascii |lck| info
[=] -----+----------+-------+---+-----
[=] 00 | 00040072 | ...r | ? | Info/User
[=] 01 | 41FA0515 | A... | ? | UID
[=] 02 | | | | Password write only
[=] 03 | | | | User read denied
[=] 04 | | | | Config read denied
[=] 05 | | | | User read denied
[=] 06 | | | | User read denied
[=] 07 | | | | User read denied
[=] 08 | | | | User read denied
[=] 09 | | | | User read denied
[=] 10 | | | | User read denied
[=] 11 | | | | User read denied
[=] 12 | | | | User read denied
[=] 13 | | | | User read denied
[=] 14 | | | | Lock read denied
[=] 15 | | | | Lock read denied
Anyone have more information about the lf em 4x05 unlock command?
I found this side, https://blog.quarkslab.com/rfid-new-pro … dings.html
But it is not helping me.
when i run lf em 4x05 unlock
it fails almost immediately.
[usb] pm3 --> lf em 4x05 unlock
[=] --------------- EM4x05 tear-off : target PROTECT -----------------------
[=] initial prot 14&15 [ 11B7B3DF, 00000000 ]
[=] automatic mode [ enabled ]
[=] target stepping [ 2000 ]
[=] target delay range [ 2000 ... 6000 ]
[=] search value [ 11B7B3DF ]
[=] write value [ 00000000 ]
[=] ----------------------------------------------------------------------------
[=] press 'enter' to cancel the command
[=] --------------- start -----------------------
[#] Tear-off triggered!
[!] failed unlock write
[usb] pm3 -->