Making a copy of the pass card by photo

Once I urgently needed to get into a business center whose access control consists of turnstiles opened with pass cards. The person who held the pass at that moment was far away and could not give it to me, and due to bureaucratic peculiarities issuing a new card would take a long time.





What are we dealing with



, , , , .

EM-Marin, EM4100. 125 ( – ID) 40 5 , . - . T5577 EM4305, .

- - , ( ) , . .

. Proxmark3, , T5577 ID . , .



, " ", . , . ID, , .





: 9 Β«1Β», 1 Version Number, 2 Facility Code 2 , . , ( ).



– ID . - .





, . , ID. , , , :



  : 0013396136 204.26792
ID: 4A00CC68A8


ID HEX DEC, 317840976040, . : , , , :)



, , , Proxmark ID - :



proxmark3> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

EM410x pattern found:

EM TAG ID      : 4A00CC68A8

Possible de-scramble patterns
Unique TAG ID  : 5200331615
HoneyWell IdentKey {
DEZ 8          : 13396136
DEZ 10         : 0013396136
DEZ 5.5        : 00204.26792
DEZ 3.5A       : 074.26792
DEZ 3.5B       : 000.26792
DEZ 3.5C       : 204.26792
DEZ 14/IK2     : 00317840976040
DEZ 15/IK3     : 000352190666261
DEZ 20/ZK      : 05020000030301060105
}
Other          : 26792_204_13396136
Pattern Paxton : 1256236712 [0x4AE0A6A8]
Pattern 1      : 10853441 [0xA59C41]
Pattern Sebury : 26792 76 5007528  [0x68A8 0x4C 0x4C68A8]

Valid EM410x ID Found!
proxmark3>


, 0013396136 204.26792 – , !

5 , ID . , Proxmark – open-source , . "DEZ 10" cmdlfem4x.c.



cmdlfem4x.c:
...
    //output 88 bit em id
            PrintAndLog("\nEM TAG ID      : %06X%016" PRIX64, hi, id);
        } else{
            //output 40 bit em id
            PrintAndLog("\nEM TAG ID      : %010" PRIX64, id);
            PrintAndLog("\nPossible de-scramble patterns");
            PrintAndLog("Unique TAG ID  : %010" PRIX64,  id2lo);
            PrintAndLog("HoneyWell IdentKey {");
            PrintAndLog("DEZ 8          : %08" PRIu64,id & 0xFFFFFF);
            PrintAndLog("DEZ 10         : %010" PRIu64,id & 0xFFFFFFFF);
            PrintAndLog("DEZ 5.5        : %05lld.%05" PRIu64,(id>>16LL) & 0xFFFF,(id & 0xFFFF));
            PrintAndLog("DEZ 3.5A       : %03lld.%05" PRIu64,(id>>32ll),(id & 0xFFFF));
            PrintAndLog("DEZ 3.5B       : %03lld.%05" PRIu64,(id & 0xFF000000) >> 24,(id & 0xFFFF));
            PrintAndLog("DEZ 3.5C       : %03lld.%05" PRIu64,(id & 0xFF0000) >> 16,(id & 0xFFFF));
...


, – ID :

0013396136 (DEZ 10) – 4 , .

204.26792 (DEZ 3.5C) – ( Facility Code) 2 .

, ID. , 4 , 5? 0 , . – .
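The masks in the cmdlfem4x.c excerpt above show what the two printed numbers cover: DEZ 10 is `id & 0xFFFFFFFF` and DEZ 3.5C is taken from the same 32 bits, so the top byte of the 40-bit ID never appears on the card. The following is an added example, not Proxmark code and not from the original article, that parses the printed text, cross-checks the two numbers, and compares them with an ID read from a tag; the function names are assumptions of this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Parse the two numbers printed on an EM410x card, e.g.
   "0013396136 204.26792" (DEZ 10, then DEZ 3.5C), and return the low
   32 bits of the 40-bit ID. Returns -1 on malformed text and -2 when
   the two printed numbers contradict each other. */
int64_t printed_low32(const char *text) {
    uint64_t dez10;
    unsigned fc, card;
    if (sscanf(text, "%" SCNu64 " %u.%u", &dez10, &fc, &card) != 3)
        return -1;
    if (dez10 > 0xFFFFFFFFu || fc > 0xFFu || card > 0xFFFFu)
        return -1;
    /* DEZ 3.5C = ((id & 0xFF0000) >> 16) "." (id & 0xFFFF) */
    if (((dez10 >> 16) & 0xFF) != fc || (dez10 & 0xFFFF) != card)
        return -2;
    return (int64_t)dez10;              /* DEZ 10 = id & 0xFFFFFFFF */
}

/* The byte of a full 40-bit ID that neither printed format contains. */
uint8_t unprinted_byte(uint64_t id40) { return (uint8_t)(id40 >> 32); }

/* 1 if a full ID read from a tag is consistent with the printed text.
   The top byte is not compared, because the print does not carry it. */
int id_matches_print(uint64_t id40, const char *text) {
    int64_t low32 = printed_low32(text);
    return low32 >= 0 && (int64_t)(id40 & 0xFFFFFFFFu) == low32;
}

int main(void) {
    /* Printed numbers and tag ID as they appear on this page. */
    const char *printed = "0013396136 204.26792";
    uint64_t tag_id = 0x4A00CC68A8ULL;

    printf("low 32 bits : %08" PRIX64 "\n", (uint64_t)printed_low32(printed));
    printf("unprinted   : %02X\n", unprinted_byte(tag_id));
    printf("consistent  : %d\n", id_matches_print(tag_id, printed));
    return 0;
}
```

Both `4A00CC68A8` (the ID from `lf search`) and `0100CC68A8` (the ID written to the T5577 below) are consistent with the same printed text, since they differ only in the unprinted byte.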



, - , , , Wiegand-26. , 24 2 , 3 . , ID .

, , 255 , , .



, . T5577 ID ( – ):



proxmark3> lf em 410xwrite 0100CC68A8 1
Writing T55x7 tag with UID 0x0100cc68a8 (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xff80600630c8d23a

proxmark3>


, . lf search , DEZ 10 DEZ 3.5C .



ID .

, , , .



-



, , . . , . - , . , , - , EM-Marin ( , ). , MIFARE, , AES. .



In any case, do not copy other people's cards without the consent of their owners.



