Chipping myself for college - Cloning HID card to xEM with Proxmark3 RDV4

continued from above

Testing the Proxmark3 on known tags

Now I had a working Proxmark3. It was time to try and read some tags. Always use the help commands to figure out possible parameters! There’s an opaque tree of categories and commands in the pm3 software and there’s a help text at each branch and leaf.

I was able to read my xEM using lf search:

(I’ve replaced a bunch of numbers with N or n in these outputs to obfuscate data. No idea if that’s important but better safe than sorry.)

[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...

[+] EM410x pattern found

EM TAG ID      : 0410NNNNNN 

Possible de-scramble patterns

Unique TAG ID  : 2008NNNNNN
HoneyWell IdentKey {
DEZ 8          : 04NNNNNN
DEZ 10         : 0272NNNNNN
DEZ 5.5        : 0415N.NNNNNN
DEZ 3.5A       : 00N.NNNNN
DEZ 3.5B       : 01N.NNNNN
DEZ 3.5C       : 06N.NNNNN
DEZ 14/IK2     : 00017452NNNNNN
DEZ 15/IK3     : 000137581NNNNNN
DEZ 20/ZK      : 02000008071211NNNNNN
}
Other          : 03350_062_04NNNNNN
Pattern Paxton : 72NNNNNN [0x4NNNNNN]
Pattern 1      : NNNNNN [0xNNNNNN]
Pattern Sebury : 3350 62 4NNNNNN  [0xNNN 0xNN 0xNNNNN]

[+] Valid EM410x ID found!

I could also read one of the tags that come with the xEM Access Controller (configured the same way as the xEM):

[usb] pm3 --> lf em 410x_read
[+] EM410x pattern found

EM TAG ID      : NNNNNN161B

Possible de-scramble patterns

blah blah

Using lf search I could also read my HID OneCard:

[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...

[+] HID Prox TAG ID: 2c3fNNnNnn (NNN03) - Format Len: 35bit - OEM: 000 - FC: 5NN - Card: NNN03

[+] Valid HID Prox ID found!

This was great! I now knew a vital piece of information: 2c3fNNnNnn, the 40-bit ID for my OneCard. Soon (I thought) I would be able to use the command lf hid clone 2c3fNNnNnn to simply clone my HID OneCard’s data to my xEM!

Help page for lf hid clone:

Clone HID to T55x7.  Tag must be on antenna. 

Usage:  lf hid clone [h] [l] ID
Options:
       h   - This help
       l   - 84bit ID
       ID  - HID id
Examples:
      lf hid clone 2006ec0c86
      lf hid clone l 2006ec0c86

A quirk of this command is that when running it the output is as follows:

[usb] pm3 --> lf hid clone 2c3fNNnNnn
[=] Preparing to clone HID tag with ID 2c3fNNnNnn

whether or not the command succeeded. Even if no tag is on the antenna, the output is the same. This makes it hard to tell whether the clone succeeded. To test, an lf hid read command must be issued to check if the tag now reads as the correct HID tag.

At this point, I started testing on the test T5577 card that came with the Proxmark3:

This is where I ran into trouble. Most of the commands in the pm3 software act automatically. lf read automatically reads on the low frequencies and tries to automatically parse the results and print them out. If it can do this, you have a strong signal and a valid tag and everything is good, it just prints the data! Everything is amazing and your life is perfect. However, if you’ve a bad tag, or a small, hard-to-read coil (*ahem* xEM) or something else going on, this automatic mode won’t work for you and you’ve gotta use the more manual tools in the pm3 software. These manual tools came first and are more powerful than the automatic functionalities, but they’re harder to learn. Here’s a good overview I read to start to understand interacting with an LF card without the automatic tools:

My sub-goal at this point is to clone my OneCard onto this test T5577 card. If I can do this, it’s the same process as cloning the OneCard to my xEM, but without all the issues caused by bad coupling between the xEM and scanner that have been common for people in the past. If I can do this, I’ll have cracked half of the puzzle: mastering the parts of the pm3 software that I need for my main goal (OneCard on xEM). The other half of the puzzle is getting the Proxmark3 to couple with the xEM, a challenge we’ll discuss later.

But something strange was happening with the T5577 card and the auto tools weren’t working as I expected them. lf t55xx info with the card on the reader gave no result. lf t5 dump gave no data. I decided I would have to use the manual tools, gathering the data, plotting, and demoding it in order to figure out what was up. I haven’t done this yet, so this log is up-to-date with regard to this software half of the puzzle.

In the next few days I’ll be experimenting with the T5577 card and Proxmark3 to find a consistent way to have the two interact. If you have advice about this, please tell me!


Another meta-hint: in the ~/.proxmark3 directory there’s log files with all your pm3 sessions. That’s what I’m using to go back and find out the commands I used and the results I got to write up this report!


Trouble writing to the xEM

In my initial floundering with the Proxmark3, I also played with scanning and writing to my xEM. It didn’t brick it, thank goodness. To my surprise, the xEM was able to be read really easily with the built-in antennae. No sweat whatsoever, just somewhat careful positioning. But not even that careful. (See above for the successful output from that).

However, I wasn’t able to write ANY data whatsoever to the tag. This is a KNOWN ISSUE and wasn’t unexpected to me.

In the past, @TomHarkness has talked about using the lf t55xx trace command to test whether the coupling was good enough to write data, but this command errored with the message: [-] The modulation is most likely wrong since the ACL is not 0xE0., so I couldn’t use that. Anyway, every attempt to lf hid clone 2c3fNNnNnn caused no change to subsequent scans of the xEM.

To isolate variables, I’m testing this with the T5577 card I have first to make sure I have the software process correct before assuming that the coupling between the xEM and Proxmark3 is bad. However, based on reports from others, it’s safe to assume that writing to the xEM won’t work without a non-default antenna.

Required reading:

  • Here’s the story about the xEM and writing data: Quirks of the T5577 & cloning tags to the xEM
    In short, many people were using these Chinese gun-shaped tag reader-writers. You had to get the positioning just right and they were causing xEMs to “soft-brick” (wouldn’t read or write but maybe salvageable with a Proxmark3). Dangerous Things stopped selling them because of this.
  • But GOOD NEWS! @TomHarkness has heard our cries and has designed a new antenna specifically made for the Proxmark3 RDV4 and specifically made to couple flawlessly with the xEM (and other implantable RFID tags). It’s not out yet, but there should be a pre-order soon. Here’s the thread with that whole story: Proxmark LF Antennas

So I’m waiting on Dangerous Things to sell these magic antennae, and in the meantime, I might try to make one that works out of my xEM Access Controller. But that’s for another time. Now this log is up-to-date with my efforts to solve the antenna part of the puzzle.


Next time: I don’t know yet! Let’s hope it’s something like “Writing to T5577 worked like a charm, no problem whatsoever”. We’ll see :slight_smile:

From now on, I’ll post here in near-realtime as I make new discoveries and units of progress.

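Added example (my own code, not from the post above or from the Proxmark3 project) that decodes the 40-bit hex ID shown in the lf search output into format length, facility code and card number, following the bit layout the Proxmark3 client applies to 26/34/35/37-bit HID Prox formats. The help page's sample ID 2006ec0c86 is from the post; the 35-bit ID 2c3e806072 is constructed for illustration and is not the author's OneCard, and parity is only verified for the 26-bit H10301 layout.

```python
"""Decode the 40-bit hex ID that Proxmark3 prints for an HID Prox tag.

Constructed example, not the Proxmark3 client's own code. Layout assumed:
  - bit 37 set   : a format shorter than 37 bits follows, and a single
                   sentinel '1' in bits 20..36 marks the top of the frame;
  - bit 37 clear : 37-bit format, the frame is bits 0..36.
Everything below the sentinel is the Wiegand frame (parity + FC + card).
"""
from typing import Optional

# fmt_len -> (facility-code shift, FC width, card-number width); card starts at bit 1
LAYOUTS = {26: (17, 8, 16), 34: (17, 16, 16), 35: (21, 12, 20), 37: (20, 16, 19)}


def h10301_parity_ok(frame: int) -> bool:
    """26-bit H10301: leading bit is even parity over the top 13 bits,
    trailing bit is odd parity over the bottom 13 bits."""
    top, bottom = frame >> 13, frame & 0x1FFF
    return bin(top).count("1") % 2 == 0 and bin(bottom).count("1") % 2 == 1


def decode_hid_prox(hex_id: str) -> dict:
    raw = int(hex_id, 16)
    if raw >> 40:
        raise ValueError("extra-long HID formats (more than 40 bits) not handled here")
    hi, lo = raw >> 32, raw & 0xFFFFFFFF
    if (hi >> 5) & 1:                                  # bit 37 set: short format
        window = ((hi & 0x1F) << 12) | (lo >> 20)      # bits 20..36
        fmt_len = window.bit_length() + 19             # sentinel position = format length
    else:
        fmt_len = 37
    if fmt_len not in LAYOUTS:
        raise ValueError(f"unsupported format length {fmt_len}")
    fc_shift, fc_bits, cn_bits = LAYOUTS[fmt_len]
    frame = raw & ((1 << fmt_len) - 1)                 # drop marker and sentinel bits
    fc = (frame >> fc_shift) & ((1 << fc_bits) - 1)
    card = (frame >> 1) & ((1 << cn_bits) - 1)
    parity: Optional[bool] = h10301_parity_ok(frame) if fmt_len == 26 else None
    return {"fmt_len": fmt_len, "fc": fc, "card": card, "parity_ok": parity}


def describe(hex_id: str) -> str:
    """Render the decoded fields in the style of the pm3 'lf hid' output line."""
    d = decode_hid_prox(hex_id)
    return (f"HID Prox TAG ID: {hex_id} - Format Len: {d['fmt_len']}bit"
            f" - FC: {d['fc']} - Card: {d['card']}")


if __name__ == "__main__":
    print(describe("2006ec0c86"))   # sample ID from the lf hid clone help page
    print(describe("2c3e806072"))   # constructed 35-bit ID: FC 500, card 12345
```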