[ Proxmark3 Code ] Emulate Em410x

Earlier this year I wrote an additional bit of code for the Proxmark 3 revision number 702. This code allows functions as a spoofer for low-frequency RF entry panels utilizing these entry-chips.

These particular chips were of the em410x, FOB style, variety. The code instructs the proxmark to read the raw data from the tags, demodulate and de-encode the data to aquire the internal read-only numeric value assigned to the FOB tag.
Once the parity bits have been dealt with this is displayed to the user for confirmation the application has the ability to invert the bitstream before transmision.

Upon transmision the RF entry-panel registers the signal from the proxmark as the legitimate, emulated FOB tag.

Below is a screenshot of a successful tag-read. The demodulated waveform is displayed to the right. (click here for full )

This below screenshot is just the important information from the above screenshot:

This is an example em4102 FOB tag. The number printed on the exterior of the casing is the same as the Tag ID stored within.

The reader used, as a demonstration of a “real-world” scenario is the wildly popular ProxLock PSR-630 pictured below:

I will be adding another post all about RFID soon. For the mean time, some code. I have included both the origianl versions of the files I modified, as well as the modified versions.

The bulk of the code exists at the bottom of the cmdlfem4x.c source-file within the MWRem4xReplay() and ConfirmEm410xTagParity() functions.

Unmodified Files (Revision 702):
[ C Code ]cmddata.c
[ C Code ]cmddata.h
[ C Code ]cmdlfem4x.c
[ C Code ]cmdlfem4x.h

Modified Files:
[ C Code ]cmddata.c
[ C Code ]cmddata.h
[ C Code ]cmdlfem4x.c
[ C Code ]cmdlfem4x.h


~ by Rhys Mossom on June 1, 2013.

2 Responses to “[ Proxmark3 Code ] Emulate Em410x”

  1. Wow your credentials are over wellming
    I know I might sound like a little kid that don’t even know’s his ABC’s yet but truth be told in the cyber world I am that eliterit ..
    SORRY BTW my name is bobby I’m from phoenix arizona
    I work for a larg company here for 7 yrs
    And in the last year I lost my badge 2 time’s and if I go and ask for a new badge they will diffentley “fire me”
    For the last few weeks I’ve been walking in with frinds
    So my ? I guess is there like a skilaton key for LF HID reader that I can use or something you can sugest

    Best regard’s

  2. Sorry please EMAIL me back at

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: