Making a physical EM4100 Clone - Firmware V2.2

March 16, 2016

What you will need:

  • 1x Proxmark3
  • 1x LF Antenna
  • 1x EM4100
  • 1x T5577 

1. Connect your Proxmark3 to your computer.

2. Launch the Proxmark3 client. If you do not have the Proxmark3 client setup check out our Getting Started Guide.

3. Once connected to the client run the 'hw ver' command. You should see output similar to what is below. If the version is not v2.2 your steps and commands may differ from the ones below.

proxmark3> hw ver
Prox/RFID mark3 RFID instrument          
bootrom: master/v2.2 2015-07-31 11:28:11
os: master/v2.2 2015-07-31 11:28:12
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54
          
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 162219 bytes (31). Free: 362069 bytes (69).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory

4. Connect an LF Antenna to the Proxmark3 and run the 'hw tune' command in the client. You should see output similar to the one below.

proxmark3> hw tune

Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)                 
#db# DownloadFPGA(len: 42096)                 
          
# LF antenna: 14.44 V @   125.00 kHz          
# LF antenna: 27.77 V @   134.00 kHz          
# LF optimal: 29.15 V @   131.87 kHz          
# HF antenna:  0.74 V @    13.56 MHz          
# Your HF antenna is unusable.          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

5. Place the EM4100 Tag on the LF Antenna. Run the 'lf em4x em410xdemod 1' command. Take note of your TAG ID. The TAG ID in this example is 1c003ca6ee.

lf em4x em410xdemod 1
#db# EM TAG ID: 1c003ca6ee - (42734_060_03974894)

6. Remove the EM4100 Tag and place the T5577 Card on the LF Antenna. Run the 'lf em4x em410xwrite <TAG ID> 1' command. Replace <TAG ID> with the Tag ID you noted in step 5. 

proxmark3> lf em4x em410xwrite 1c003ca6ee 1
Writing T55x7 tag with UID 0x1c003ca6ee (clock rate: 64)          
#db# Started writing T55x7 tag ...                 
#db# Clock rate: 64                 
#db# Tag T55x7 written with 0xff8f0001b14677bc

7. Test that the tag is working correctly by running the 'lf em4x em410xdemod 1'. Your Tag ID should now match your previous EM4100 Tag.

proxmark3> lf em4x em410xdemod 1
#db# EM TAG ID: 1c003ca6ee - (42734_060_03974894)  

 






Also in Blog

Making a Physical Mifare 1K UID Clone
Making a Physical Mifare 1K UID Clone

January 10, 2019

Follow these steps to learn how to use a Chinese Magic Card 1K to make a Physical Mifare 1K UID clone. This blog is using a Proxmark3 running firmware V3.0.1.

View full article →

Making a physical HID Prox 2 Clone - Firmware V3.0.1
Making a physical HID Prox 2 Clone - Firmware V3.0.1

January 10, 2019

Follow these easy steps to make a physical HID Prox 2 clone using the Proxmark3 with firmware V3.0.1.

View full article →

Making a physical EM4100 Clone - Firmware V3.0.1
Making a physical EM4100 Clone - Firmware V3.0.1

January 10, 2019

Follow these steps to make a physical EM4100 clone using the Proxmark3 firmware version 3.0.1.

View full article →