# Identifying mystery RFID keyfob

A couple of weeks ago I installed a bit of access control in our reception at work. Nothing complex or exciting, a camera with face recognition & temperature monitoring connected to a magnetic door lock.
It’s worked well so far, so I’m looking at adding further access control throughout the premises. Face recognition isn’t required inside, so I’m interested in using rfid keyfobs.
It would be nice to re-use the keyfobs from our time attendance system, but I’m struggling to conclusively identify them.
Time attendance is a Bodet Timebox X1, about 10 years old. The only specification I can find for the fobs is 125kHz ISO. Only extra info our Bodet rep can supply is that they are STid and might be Wiegand compatible.
The access control system would be based around
this

So:–

1. how do I go about identifying the keyfob chip? I have a cheap HID reader on the way, which should work if it’s an EM chip.

2. If it’s an EM, how confident can I be that it’ll just work with a Wiegand reader?

3. What obvious things am I missing?

If I end up with incompatible fobs between the two systems, it’s not the end of the world. I’ll just make everyone carry two fobs.
But let’s face it, I want to jab a chip in my hand so a bit of research right now would pay off

1 Like

Caveat: I am one of the less qualified people here to answer so wait for confirmation maybe. Based on the 125kHz and the age, I’d say you are on the right track with the EM. I find it odd that I can’t find anyone selling replacement cards or fobs for that model, which tells me they aren’t selling branded cards (like the Samsung cards, for example) and they expect 125kHz to be enough info, which leads me to guess that they didn’t add any strange bit codes or anything either (like ioProx) so it might be an easy process.

I’d say a scan of an existing badge/fob with a Proxmark would be useful, but wait for someone with more background to chime in.

The proper way would be using a proxmark to identify it.
But whatever it is, it’s very likely it’s clonable to a t5577 (the chip in the xEM), afaik most LF chips are reprogrammed t5577s.

I guess you want to clone it to your chip anyways, so a proxmark easy would be a good investment IMO. But let’s wait for the HID reader results.

A couple of ideas for you:-

ANOTHER OPTION Grab yourself as many different LF cards as you can ( ebay / amazon ) and try to enroll them into your system, the one(s) that work will be your answer.
You will mainly be looking for the common ones: EM41xx, EM4200, HID 1326 ProxCard II, HID 1346 ProxCard III, and Indala.

Where are you located?
You may be able to send a spare fob to one of our community members nearby with a proxmark.
That would probably be your FASTEST and CHEAPEST option.

The BEST option, especially If your work will pay for it.
Send an enrolled fob to Amal ( with your access profile on it ), he can scan and enroll it onto a NExT ( or xEM or FlexEM etc ) and send it back.
This will give you the implant you want NEED ready to install, PLUS you will get the answer as to what LF cards you need for the rest of the staff.

THE PROBLEM IS:
This service is no longer available on the website, so you may have to ask Amal super nicely

DT are also on holiday until 1st Jan, so if you can hold out sending an @ Amal on here, or using the Orange help on the webpage until after then, that would be nice ( They are having a well deserved break, over the past year, Amal has been on the forum 354 of the 365 days, that’s not including the other platforms he monitors and work he may be doing outside of communicating with the community )
This is what you are looking for on the webpage

THEN, convince others at your work to get some implants

2 Likes

I’m in the UK.

For once, time isn’t an issue. This is a project of my own devising and I can work on it at my leisure. That being said, once I’ve had a tinker and got all the bits in, it won’t take long to commission it all.

I’ve started mandatory isolation today, so access to the existing system isn’t possible until late next week at the earliest.
Grabbing some common cards sounds like a good idea, I can get them before I’m allowed back in.

A proxmark3 is on my shopping list, I might bump that up and get it much sooner than later.

I’ll avoid getting someone to clone a chip for the time being. I’ll learn more by doing and asking questions when I break things…

1 Like

Good plan! However, if you want somebody to tell you what cards you have to save you some time ( You will still learn )

There are a few people on here in the UK.
Once they see this I’m sure you will get some offers…

I am almost the complete antipodes from you, in NZ, otherwise, I would do it for you.

We discontinued the cloning service for a couple reasons but the availability of a cheap upgraded proxmark3 is the primary reason.

I am going to be following up with some basic how-to write-ups for the iceman firmware soon too.

1 Like

Bit of an update.
The USB HID arrived (14 days delivery, 30 miles from me…).
My Proxmark3 Easy & NExT arrived (24 hours, US to UK!).
I’ve built up a test rig with the access control board and enrolled our existing keyfobs. Picked up a couple of random em fobs and they work too. The HID scans the fobs no problem. All looking good so far.

@amal A couple of observations for the proxmark3 getting started. This is on Windows 10 with Proxspace 3.7.1. You might want to note these variations in the guide.

1. First couple of installations failed pretty early on, I had to suspend antivirus to get it to complete successfully.
2. I didn’t get any break and re-run prompt. Installation seemed to run all the way through with no issues.

Firmware update appears to have gone well. I can lf search various tags and get results back. I haven’t gotten around to copying/cloning/writing anything yet. I have a couple of spare tags to mess with, but they are showing as “couldnt identify a chipset”, but show a valid EM421x ID. My original tag is a T55xx.

I’ve ordered a stack of T5577/EM4305 tags from amazon, they should be with me tomorrow.
What should be my next step? Copy the ID of the existing tag to a new tag?

2 Likes

LF search doesn’t usually manage to identify a chipset unless it’s a perfect antenna / couple. Try running LF t55 det if you want to find out if any of your existing tags are T5577.

Yeah, this would be a great thing to learn. Try to clone as many different LF card types as possible.

1 Like

Had some time to fiddle tonight, but don’t seem to be getting anywhere.
Here’s a tag I want to copy

```
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 32006B5D31
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 4C00D6BA8C
[=] HoneyWell IdentKey
[+] DEZ 8 : 07036209
[+] DEZ 10 : 0007036209
[+] DEZ 5.5 : 00107.23857
[+] DEZ 3.5A : 050.23857
[+] DEZ 3.5B : 000.23857
[+] DEZ 3.5C : 107.23857
[+] DEZ 14/IK2 : 00214755401009
[+] DEZ 15/IK3 : 000326431586956
[+] DEZ 20/ZK : 04120000130611100812
[=]
[+] Other : 23857_107_07036209
[+] Pattern Paxton : 847223601 [0x327F9B31]
[+] Pattern 1 : 10406478 [0x9ECA4E]
[+] Pattern Sebury : 23857 107 7036209 [0x5D31 0x6B 0x6B5D31]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

Couldn’t identify a chipset
```

If I try to copy it to a T5577 I get

```
[usb] pm3 --> lf em 410xwrite 32006B5D31 1
help This help
410x EM 4102 commands…
4x05 EM 4205 / 4305 / 4369 / 4469 commands…
4x50 EM 4350 / 4450 commands…
4x70 EM 4070 / 4170 commands…
[usb] pm3 -->
```

Suggestions?
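The decimal "de-scramble" lines in the `lf search` output above are different slices of the same 40-bit EM410x ID, which is why one fob can show up under several numbers depending on the reader or controller. The sketch below is an added example (not part of the original posts or the Proxmark3 code base; function names are hypothetical) that reproduces several of those lines for the ID shown and builds a 26-bit Wiegand frame, assuming the common convention that the frame carries only the low three bytes (facility code = third byte, card number = low 16 bits).

```python
"""Decode an EM410x ID into the decimal forms readers and controllers show."""


def em410x_formats(hex_id):
    raw = bytes.fromhex(hex_id)
    if len(raw) != 5:
        raise ValueError("an EM410x ID is 40 bits (10 hex digits)")
    value = int.from_bytes(raw, "big")
    card = value & 0xFFFF  # low 16 bits, shared by all the x.5 formats
    # "Unique" form: each byte with its bit order reversed
    unique = bytes(int(f"{b:08b}"[::-1], 2) for b in raw)
    return {
        "Unique TAG ID": unique.hex().upper(),
        "DEZ 8": f"{value & 0xFFFFFF:08d}",
        "DEZ 10": f"{value & 0xFFFFFFFF:010d}",
        "DEZ 5.5": f"{(value >> 16) & 0xFFFF:05d}.{card:05d}",
        "DEZ 3.5A": f"{raw[0]:03d}.{card:05d}",
        "DEZ 3.5B": f"{raw[1]:03d}.{card:05d}",
        "DEZ 3.5C": f"{raw[2]:03d}.{card:05d}",
        "DEZ 14/IK2": f"{value:014d}",
        "DEZ 15/IK3": f"{int.from_bytes(unique, 'big'):015d}",
    }


def wiegand26(hex_id):
    """Return (facility, card, frame) for a 26-bit Wiegand frame.

    Assumption: the reader sends only the low 24 bits of the ID, framed
    with a leading even-parity bit and a trailing odd-parity bit.
    """
    data = int(hex_id, 16) & 0xFFFFFF
    facility, card = data >> 16, data & 0xFFFF
    upper, lower = data >> 12, data & 0xFFF
    even = bin(upper).count("1") & 1          # upper half + parity -> even
    odd = (bin(lower).count("1") & 1) ^ 1     # lower half + parity -> odd
    frame = (even << 25) | (data << 1) | odd
    return facility, card, frame


if __name__ == "__main__":
    tag = "32006B5D31"  # the ID from the lf search output above
    for name, text in em410x_formats(tag).items():
        print(f"{name:14} {text}")
    fc, cn, frame = wiegand26(tag)
    print(f"Wiegand-26     FC={fc} CN={cn} frame={frame:026b}")
```

Under that assumption the leading bytes of the ID (here `32 00`) never reach the controller, so two fobs that differ only in those bytes would enrol as the same credential on a Wiegand-26 system.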

lf em 410xwrite 32006B5D31 1
Should that not be
lf em410x write 32006B5D31 1

1 Like

Or
lf em 410x_write 32006B5D31 1
Or
lf em 410x write 32006B5D31 1

by the looks of the lf help section, i think it might be an icky chinese firmware on that thing… get yo self iceman…

alternatively you could use the built-in help menus to explore the proper commands you need to use for your firmware… though it’s probably a huge mess and likely not clear at all.

@amal it’s one of yours, so iceman should be on there

I’ve been through the permutations of em410x_write, em410xwrite, em410x write, all give the same result

Anything standing out here as incorrect?

```
[=] Session log D:\Working\ProxSpace\pm3/.proxmark3/logs/log_20210112.txt
[+] loaded from JSON file D:\Working\ProxSpace\pm3/.proxmark3/preferences.json
[=] Using UART port com3
[=] Communicating with PM3 over USB-CDC

██████╗ ███╗   ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║     ██║ ╚═╝ ██║█████╔╝    Iceman
╚═╝     ╚═╝     ╚═╝╚════╝     bleeding edge

https://github.com/rfidresearchgroup/proxmark3/

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman/master/v4.9237-2834-gb60daea57 2021-01-10 12:38:47
compiled with MinGW-w64 10.2.0 OS:Windows (64b) ARCH:x86_64

[ PROXMARK3 ]
firmware… PM3OTHER

[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-2834-gb60daea57 2021-01-10 12:40:24
os: RRG/Iceman/master/v4.9237-2834-gb60daea57 2021-01-10 12:40:55
compiled with GCC 8.4.0

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 274623 bytes (52%) Free: 249665 bytes (48%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory

[usb] pm3 -->
```

I’m banging my head against a wall now.
I’ve tried reinstalling proxspace and tried recompiling the firmware, it ends with the following warning

```
GEN lualibs/mfc_default_keys.lua
[=] LD proxmark3
[*] MAKE bootrom/all
compiler version:
[=] GEN version.c
[-] CC version.c
make[1]: arm-none-eabi-gcc: No such file or directory
make[1]: *** […/common_arm/Makefile.common:124: obj/version.o] Error 127
make: *** [Makefile:131: bootrom/all] Error 2
pm3 ~/proxmark3$
```

So, I’ve abandoned that and tried the precompiled binaries at https://proxmarkbuilds.org/
Flashed bootrom & full image. Client starts up, I can hw tune, lf search, lf t55 det no problem, but when it comes to writing to a tag with lf em 410x_write xxxxxxxx 1, I’m back to a non helpful help listing.

So, is the current Iceman release broke? Is it worth me stealing my freshly wiped laptop from work and trying on that, could it be a pc issue?

whaaaa? no… much wow!

what version firmware and client are you on right now?

```
██████╗ ███╗   ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║     ██║ ╚═╝ ██║█████╔╝    Iceman
╚═╝     ╚═╝     ╚═╝╚════╝     bleeding edge

https://github.com/rfidresearchgroup/proxmark3/

[ Proxmark3 RFID instrument ]

[ CLIENT ]
compiled with MinGW-w64 10.2.0 OS:Windows (64b) ARCH:x86_64

[ PROXMARK3 ]
firmware… PM3OTHER

[ ARM ]
compiled with GCC 8.4.0

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 274623 bytes (52%) Free: 249665 bytes (48%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
```

Hey @vworp, if you’re on the latest iceman build, the command for writing / cloning to an em410x has changed (not sure exactly when they’ve changed). Instead of lf em 410x write try lf em 410x_clone.

Here’s where you can find the commands, and the command specific help: lf em and lf em [command] help (e.g. lf em 410x_clone help)

Hope that helps!

2 Likes