[ Proxmark3 Code ] Emulate Em410x
Earlier this year I wrote an additional bit of code for the Proxmark 3 revision number 702. This code allows functions as a spoofer for low-frequency RF entry panels utilizing these entry-chips.
These particular chips were of the em410x, FOB style, variety. The code instructs the proxmark to read the raw data from the tags, demodulate and de-encode the data to aquire the internal read-only numeric value assigned to the FOB tag.
Once the parity bits have been dealt with this is displayed to the user for confirmation the application has the ability to invert the bitstream before transmision.
Upon transmision the RF entry-panel registers the signal from the proxmark as the legitimate, emulated FOB tag.
Below is a screenshot of a successful tag-read. The demodulated waveform is displayed to the right. (click here for full )
This below screenshot is just the important information from the above screenshot:
This is an example em4102 FOB tag. The number printed on the exterior of the casing is the same as the Tag ID stored within.
The reader used, as a demonstration of a “real-world” scenario is the wildly popular ProxLock PSR-630 pictured below:
I will be adding another post all about RFID soon. For the mean time, some code. I have included both the origianl versions of the files I modified, as well as the modified versions.
The bulk of the code exists at the bottom of the cmdlfem4x.c source-file within the MWRem4xReplay() and ConfirmEm410xTagParity() functions.