Fix a Locked Kyber Crystal with a Proxmark3

  • Published on 5 Feb 2025
  • Certain RFID writers can set configuration options on the RFID chip in Kyber Crystals that leave them in a state where their RFID cannot be changed. This video shows how to fix kyber crystals that have been 'locked' by a bad RFID writer using a Proxmark3.
    The command I used to fix my crystal with the proxmark 3 was:
    lf em 4x05writeword a 4 d 0001805F p 0
    My previous video exploring these RFID writers
    • Not All RFID Writers W...
    The Proxmark3 Github Wiki includes documentation on how to setup the Proxmark3
    github.com/Pro...

Comments • 63

  • @colinurmom5598 3 years ago +1

    You are such a life saver!! I was a dumb dumb and used the obo one recklessly and locked my crystal. Your videos have been so helpful with solving all of this!! Thank you so much!

  • @XxTheGamingZoneHDxX 5 years ago +1

    I bought the OBO hands one and hate myself for not researching into it beforehand, locked all 3 of my crystals, one of them i used an incorrect code so the saber wont even shine anymore, but im so glad you made this video im gonna buy the good reader/writer and the promarkx

  • @madman7923 8 months ago

    you can hear the pain that stupid little scanner put you through. thanks for these videos, im looking for the correct scanner but they are hard to come by.

  • @scoccacola 3 months ago

    I locked one of my crystals with an OBO reader and this was amazingly helpful. I was having trouble with the chipset being read but putting a spoon over the crystal fixed that. My password was one of the known passwords you listed in another comment - 7686962A. Thank you for the great videos!

  • @Jubella-wt8kb 9 months ago

    Hooray! I was able to use my proxmark3 to unlock and use my version 1 canister red kyber crystal work with my Sith wayfinder, as well as my new version 2 Silver Sith Holocron. I am not having the same success reprogramming the new version 2 canister red kyber crystal released on May the 4th. Any suggestions or ideas would be greatly appreciated. Regards, Sally

  • @Jubella-wt8kb 9 months ago

    after dump command, it shows as READ DENIED from address 3 and on?

  • @extracter43 2 years ago

    So, i used an obohands rfid reader writer on my purple crystal, and after watching some videos and experiencing it myself, i thought my crystal was locked cause it wouldnt change colors. However i just got my zonsin reader writer, and it was both able to read, and write to my crystal just fine, which is a good thing too cause the proxmark software refused to work on my pc.

  • @СтасРоманский-н2б 4 years ago

    It seems that a good position is, usually, when the crystal is slightly off-center, the top and bottom parts (relative to its position in holocron) slightly on the antenna copper ring, but do not go beyond it. But I'm not sure if this works in all cases...

  • @dustinchisum 5 years ago +1

    Unfortunately I received the bad reader and locked my son's two crystals before I came across your extremely important videos. As another commented would you consider offering your expertise to unlock these? I'm not confident that I can get through the lengthy firmware update process to be able to unlock these on my own. If you would consider please let me know!

    • @Ruthsarian 5 years ago

      Sure, email me at ruthsarian@gmail.com and we can figure something out.

  • @samsoccer7 3 years ago

    When I input
    lf em 4x05_info 0 ---> addr 02 data 00000000
    that's it
    I don't get multiple lines of different addresses. I can't seem to get past this part.

    • @Ruthsarian 3 years ago

      the pm3 can't read the data off the crystal, which is why it's not displaying the addresses. you need to keep trying different positions with the crystal until the dump command starts showing more information.
      address 2 is where the password is stored. this address is not readable under any condition. as such, the author(s) of the client have made the choice to, rather than display nothing in address 2, it displays the password you've entered as part of the dump command. if you tried the dump command again with some other value for the password, you'd see that password value is mirrored in the output of the dump command.

  • @bitshifter78230 2 years ago

    sorry to bother you at this late of a date. i have a locked disney kyber crystal, i also have the proxmark3 and the software for it is installed correctly but the proxsafe software is up to date, when scanning "lf search" my crystal does pull up but it is a em410x chip not the em 4x05 one. the syntax for the em410x chips seems vastly different than the em4x05 one and i cant seem to find a "dump" syntax. is the em410x a newer chip and thus unable to change, or are there different instructions to messing with those versus the 4x05 ones? no rush, thank you.

    • @Ruthsarian 2 years ago

      kyber crystals have an em4305 RFID tag in them, however they initially present themselves as an em4100 and the proxmark3 needs to perform extra steps to confirm it as an em4305. if the proxmark3 has trouble communicating with the RFID tag while it's performing this confirmation step it will not report it as an em4x05 and instead will just report it as an em410x. this happens because the crystal isn't quite in the 'sweet spot' and your proxmark3 is still having problems reading it.
      you may get better results if you try using a spoon. take a look at this video: th-cam.com/video/mWSUwQ7S9Ug/w-d-xo.html
      you'll know you've got it working when lf search reports you have an em4x05 RFID chip.

    • @bitshifter78230 2 years ago

      @Ruthsarian ah, thank you... I will definitely start messing with the positioning of the crystal then. Thank you for the info.

  • @Jubella-wt8kb 9 months ago

    Hi, I have a programmed red kyber crystal and it keeps denying me to update address 4?
    Can you help??? when typing "lf em 4x05 dump 0" I do not get the same results.

    • @Ruthsarian 9 months ago

      try another password other than 0

    • @Jubella-wt8kb 9 months ago

      @Ruthsarian i tried 0 through 10 and no luck. I am using the ICEMAN firmware on my proxmark3. So the syntax is not the same as in your video but still no luck. The version 1 sith holocron reads all the SNOKE messages on the crystal.

    • @Ruthsarian 9 months ago

      @Jubella-wt8kb other passwords you should try:
      7686962A
      F9DCEBA0
      2A968676
      84AC15E2

    • @Jubella-wt8kb 9 months ago

      @Ruthsarian ok, will try but from address 02 to 15 it shows as READ DENIED

    • @Ruthsarian 9 months ago

      @Jubella-wt8kb this happens because there is a password.

  • @bigdogplayer8833 2 years ago

    Hello, I bought a ProxMark3 and just changed a crystal that I have that works well. A second crystal I tried to change with a previous RFID copier now sporadically returns a message saying "Valid Indala ID found" and "couldn't identify a chipset". Is this something that you could help with?

    • @Ruthsarian 2 years ago

      that sounds like your previous RFID copier wrote the wrong data to your kyber crystal. the RFID tag is still an em4305 tag and em4305 commands like the ones used in this video will still work with it even if it has the wrong data on it. the only possible issue is if your rfid copier wrote a password to your kyber crystal you won't be able to change the data unless you know the password.
      start by using the command 'lf em 4x05info' and see if it returns information about your kyber crystal. if it doesn't, you need to try to keep repositioning the kyber crystal until you're able to get information about the RFID tag with the 4x05info command. take a look at this video: th-cam.com/video/mWSUwQ7S9Ug/w-d-xo.html using a spoon may help in getting your proxmark3 to consistently read the rfid tag in a kyber crystal.
      once you've got your pm3 reading the crystal with the 4x05info command, it's time to write new data to the tag. you can use this spreadsheet which contains a table with all the data seen in kyber crystals for several different colors:
      docs.google.com/spreadsheets/d/13P_GE6tNYpGvoVUTEQvA3SQzMqpZ-SoiWaTNoJoTV9Q/edit#gid=1434754068
      but the short version is you'll want to use commands like these:
      lf em 4x05writeword a 4 d 0001805F
      lf em 4x05writeword a 5 d 000001FF
      lf em 4x05writeword a 6 d 0C803000
      You may need to add 'p 0' to the end of those commands. p is password, 'p 0' means use a password of 0. A lot of writers use a password of 0, so if a password is set on your kyber crystal, try 'p 0' to see if that lets you write to the rfid tag. If not here are some known passwords, one of them may work:
      7686962A, F9DCEBA0, 2A968676, 84AC15E2
      Good luck

    • @bigdogplayer8833 2 years ago

      @Ruthsarian thanks so much for your quick reply. I tried all of the tips you suggested but it cannot read info. It's making me think that the RFID chip is fried, as I recall it may have been malfunctioning on and off a long time ago

  • @Smile-zu9bg 3 years ago

    Thanks for your helpful videos. I want buy a RFID scanner (reader/writer) Can you please help which one is better like Zonsin, icopy8 pro, chameleon, Proxmark3 easy or proxmark3 ultimate.

    • @Ruthsarian 3 years ago

      I prefer the proxmark3 easy. You can find a lot of documentation on how to set it up and use it here:
      github.com/RfidResearchGroup/proxmark3

  • @TravisGDecker 2 years ago

    Hey this is great! I have been looking forward to changing my saber colors. Today I finally got the tool I have been waiting for and when I read I am getting an EM4100 type chip. From what I can tell these are read only, has Disney taken away our fun? Has anyone else run into this yet?

    • @Ruthsarian 2 years ago

      no, it's an em4305. the data the em4305 is programmed to emit makes it behave as an em4100 rfid tag. the reader then executes commands that work only for specific types of tags to further identify the actual rfid chip
      getting it to detect it's an EM4305 requires a lot of trial-and-error to find just the right position for it to work. I've done several videos on writing kyber crystals; a few cover finding this 'sweet spot'. for example, my most recent on RFID shows using a spoon to help the reader have better success at detecting the em4305 tag.

  • @ezekielgml 5 years ago

    I bought a ProxMark and it only shows valid em410x ID found. Version of program is 3_0_1. Not sure if a different version will work or where to get one. Was wondering if you would put together how to start/configure ProxMark from box to working?
    So for some odd reason after I did all the steps in the github docs it stopped working after I flashed it to latest firmware. I got another version of software and it works now.
    What address do you use to change to the code without buying a handheld scanner. When I was in Disney I bought 2 whites and both are Ahsoka Tano. I know the number to make Chirrut Imwe and would like to try.

    • @thespencerowen 5 years ago

      I'm also seeing 'valid em410x ID found' when I expect it to reference 4x05. Did you figure out why?

  • @bifhendrix724 2 years ago

    Hey Ruthsarian! I'm having an issue unlocking my crystal after locking it up originally. Following your video should have worked but it didn't and I'm wondering if you could give me a hint to try.
    When I use command: 'lf em 4x05 write -a 4 -d 0001805f -p 00000000'
    I get a command back that says: 'Writing address 4 data 0001805f using password 00000000'
    Then it tells me: "Hint: try 'lf em 4x05 read' to verify"
    If I command 'dump' again it still shows that address 4 was not re-written to 0001805f and is still 0015805f
    Any thoughts on how to get it to take 0001805f?

    • @bifhendrix724 2 years ago

      Just did a reset on everything and checked it and it worked! Thank you for your videos!

    • @Ruthsarian 2 years ago

      your configuration (address 4) has read login and write login enabled. this means you need a password to both read from and write to the crystal. the "try .. to verify" is being displayed because it can't read back the data.
      my guess is the password 00000000 is not the password that was used to lock your crystal. thus the write does not work, so it cannot read the data back.
      I've decoded a few passwords used by RFID writers, you could try the write command again using each of these passwords and see if it works:
      7686962A, F9DCEBA0, 2A968676, 84AC15E2, 126C248A, 121AD038
      If any of them do work, please let me know which one. my guess is it'll be the first one.
      if none of those work, you could try to decode the password yourself. i documented the steps I took to decode the password of a few different RFID writers I have using just a proxmark3 here:
      docs.google.com/spreadsheets/d/13P_GE6tNYpGvoVUTEQvA3SQzMqpZ-SoiWaTNoJoTV9Q/edit#gid=1859397091
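
Added example (not part of the original comments, and not the Proxmark3 project's code): a decoder for the address 4 configuration word that compares the two values quoted in the thread above, 0015805f (locked) and 0001805F (fixed). The bit positions for read login (bit 18) and write login (bit 20) are an assumption taken from the EM4305 configuration-word layout as the Proxmark3 client interprets it; the function and class names are hypothetical.

```python
# Added example: decoder for the EM4x05/EM4305 configuration word (address 4).
# Assumption: bit positions follow the EM4305 configuration-word layout as the
# Proxmark3 client interprets it; the comments on this page do not state them.
from dataclasses import dataclass

READ_LOGIN = 1 << 18   # password required before words can be read
WRITE_LOGIN = 1 << 20  # password required before words can be written
ENCODERS = {1: "Manchester", 2: "Biphase"}  # only the two common encoders


@dataclass(frozen=True)
class Em4x05Config:
    raw: int
    data_rate: int       # n in RF/n
    encoder: str
    last_word_read: int  # words 5..last_word_read are sent in default read mode
    read_login: bool
    write_login: bool


def parse_word(word_hex):
    """Parse a hex word as printed by the dump command; reject non-32-bit input."""
    raw = int(word_hex, 16)
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("an EM4x05 word is 32 bits")
    return raw


def decode_config(word_hex):
    """Split the configuration word into the fields that matter for a 'lock'."""
    raw = parse_word(word_hex)
    enc = (raw >> 6) & 0xF
    return Em4x05Config(
        raw=raw,
        data_rate=((raw & 0x3F) + 1) * 2,
        encoder=ENCODERS.get(enc, f"other ({enc})"),
        last_word_read=(raw >> 14) & 0xF,
        read_login=bool(raw & READ_LOGIN),
        write_login=bool(raw & WRITE_LOGIN),
    )


def changed_bits(a_hex, b_hex):
    """Bit numbers that differ between two configuration words."""
    diff = parse_word(a_hex) ^ parse_word(b_hex)
    return [bit for bit in range(32) if (diff >> bit) & 1]


def without_login(word_hex):
    """The same configuration with both password checks cleared."""
    return f"{parse_word(word_hex) & ~(READ_LOGIN | WRITE_LOGIN):08X}"


def diagnose(word_hex):
    """One-line explanation of what the login bits mean for dump and write."""
    cfg = decode_config(word_hex)
    if cfg.read_login and cfg.write_login:
        return "read and write both need the password; dump shows READ DENIED"
    if cfg.write_login:
        return "words can be read, but writes need the password"
    if cfg.read_login:
        return "words can be written, but reads need the password"
    return "no password checks; words can be read and written freely"


if __name__ == "__main__":
    for word in ("0015805f", "0001805F"):  # both values are quoted in the thread
        print(word, decode_config(word), "->", diagnose(word))
    print("bits that differ:", changed_bits("0015805f", "0001805F"))
```

With the read-login bit set, the client cannot read a word back to verify a write, which matches the "try .. to verify" hint described in the reply above.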

  • @justinrodriguez8609 5 years ago

    I tried to do this and got stuck setting up my proxmark... it will not show up on my PC and the green(A) and orange (c) lights stay lit and will not go away. Any help would be greatly appreciated

    • @Ruthsarian 5 years ago

      hold down the button on the pm3 then plug it into your computer with the button still down. see if your computer recognizes it then. if it does, you should be able to reflash it.
      if that doesn't work, you may have to try de-bricking it.
      instructions for setting up, flashing, and de-bricking the pm3 can be found on the proxmark3 wiki:
      github.com/Proxmark/proxmark3/wiki/Getting-Started

  • @scotterdman1070 5 years ago

    Did you ever consider selling your service for unlocking the crystals? You might be able to throw your name out there on some of the Facebook groups. I know if mine were locked up I would gladly pay at least 1/2 the price of a new crystal to get them fixed.

  • @robpotter5130 4 years ago

    I got my proxmark3 but am having a hard time installing on windows 10. Is there a guide you can direct me to that can get this up and running? I too locked the white crystal to yellow using an OBO hands writer and would really like to get this fixed.

    • @robpotter5130 4 years ago

      This is what I get from the proxmark client.
      Checking for known tags:
      Waiting for a response from the proxmark...
      You can cancel this operation by pressing the pm3 button
      Command timed out
      #db# Starting Hitag reader family
      #db# Error, unknown function: 26
      Waiting for a response from the proxmark...
      You can cancel this operation by pressing the pm3 button
      #db# unknown command:: 0x0225
      Waiting for a response from the proxmark...
      You can cancel this operation by pressing the pm3 button
      command execution time out
      No Data Found! - maybe not an LF tag?

    • @Ruthsarian 4 years ago

      These are the instructions I followed to get mine up and running.
      github.com/Proxmark/proxmark3/wiki/Windows

    • @Ruthsarian 4 years ago

      @robpotter5130 did you update the firmware on your pm3 when you installed the client?

    • @robpotter5130 4 years ago

      @Ruthsarian No. I did not. Could that be causing the issue? I rebooted and got this.
      proxmark3> lf search
      NOTE: some demods output possible binary
      if it finds something that looks like a tag
      False Positives ARE possible
      Checking for known tags:
      EM410x pattern found:
      EM TAG ID : 0000000C03
      Possible de-scramble patterns
      Unique TAG ID : 00000030C0
      HoneyWell IdentKey {
      DEZ 8 : 00003075
      DEZ 10 : 0000003075
      DEZ 5.5 : 00000.03075
      DEZ 3.5A : 000.03075
      DEZ 3.5B : 000.03075
      DEZ 3.5C : 000.03075
      DEZ 14/IK2 : 00000000003075
      DEZ 15/IK3 : 000000000012480
      DEZ 20/ZK : 00000000000003001200
      }
      Other : 03075_000_00003075
      Pattern Paxton : 1329667 [0x144A03]
      Pattern 1 : 612 [0x264]
      Pattern Sebury : 3075 0 3075 [0xC03 0x0 0xC03]
      Valid EM410x ID Found!
      Waiting for a response from the proxmark...
      You can cancel this operation by pressing the pm3 button
      Command timed out

    • @Ruthsarian 4 years ago +1

      @robpotter5130 that looks like good output to me. looks like the firmware on your pm3 is compatible with the client you're using. i think your pm3 is good.
      next step is to figure out the sweet spot where the pm3 client also recognizes the crystal is an em4x05 and not just an em410x.

  • @MisterBenprodemo 2 years ago

    I'm not sure if you're still actively checking comments, but when I use the dump command, everything after 02 just says read denied. Any idea what I'm doing wrong or how to fix?

    • @Ruthsarian 2 years ago +1

      there's a password on it. try running the dump command with one of these passwords:
      00000000, 7686962A, F9DCEBA0, 2A968676, 84AC15E2
      if one of them works, that's the password. the next step is to rewrite the configuration word (address 4) with the value 0001805F which will remove the password checks for reading and writing.

    • @MisterBenprodemo 2 years ago

      @Ruthsarian Neither of those passwords worked...

    • @Ruthsarian 2 years ago +1

      @MisterBenprodemo just want to confirm. 'neither' implies you tried two. there are 5 different passwords. you tried all 5?
      the read denied is happening because a password was placed on the RFID tag. the most likely source of this password is a non-proxmark3 RFID writer. do you still have access to this writer? if you do, you can use the proxmark3 to analyze the write command that's being generated by that RFID writer and figure out the password it's used to lock your crystal.
      The "RFID writer signal analysis" tab of this spreadsheet: docs.google.com/spreadsheets/d/13P_GE6tNYpGvoVUTEQvA3SQzMqpZ-SoiWaTNoJoTV9Q/edit#gid=1859397091 will help guide you through that process.

    • @MisterBenprodemo 2 years ago

      @Ruthsarian Indeed, I tried all five.
      The password I found when using your guide is 19920427, however with several attempts with three crystals I found something odd happening.
      Sometimes proxmark would say the password was correct but still 03-15 were Read Denied, and this would happen several times in a row.
      At this point I don't know how to proceed, and reversing the binary before converting to hex yields an incorrect password.

    • @Ruthsarian 2 years ago

      @MisterBenprodemo is this a kyber crystal or some other RFID tag?
      is the writer able to still write to the RFID tag?
      Would you be willing to share the capture you made of the RFID writer with your proxmark3? I'd be willing to double-check that the number you got for the password is correct. you can email it to ruthsarian@gmail.com or post it online somewhere like mega.nz and share the link with me.

  • @edwardhchan 5 years ago

    Could you use the proxmark to write a new code to the crystal as well?

    • @Ruthsarian 5 years ago

      Yes. You would need to change the value in address 6 to change the crystal's code. You can use this spreadsheet, which contains dumps of several different crystals, as reference for which value is needed in address 6 to get which code.
      docs.google.com/spreadsheets/d/13P_GE6tNYpGvoVUTEQvA3SQzMqpZ-SoiWaTNoJoTV9Q/edit#gid=1434754068

    • @haydncain9078 5 years ago

      @Ruthsarian Your videos are extremely helpful! Is there any chance you could make a video of changing a kyber crystal code using the Proxmark3? There are a number of videos about using other reader/writers to change crystal codes and even more recommending the Proxmark3 as the go-to device for RFID editing but I haven't been able to find a single video on using the Proxmark3 for the purposes of changing the crystal code. Your comment suggests you've tried doing this successfully and I'd love to see that prior to the Proxmark3 I've ordered arriving. Thanks.

    • @Ruthsarian 5 years ago

      Sure, but if it takes me a little while to get to it, take a look at this spreadsheet, docs.google.com/spreadsheets/d/13P_GE6tNYpGvoVUTEQvA3SQzMqpZ-SoiWaTNoJoTV9Q/edit#gid=1434754068, specifically the "crystals by rfid tag & color" tab. I've added a column called "address 6". set the value of address 6 of your crystal to that value to change your crystal to another. I covered how to write to address 4 in this video, it'll be the same syntax for address 6.

    • @Ruthsarian 5 years ago

      @haydncain9078 th-cam.com/video/o_LeK3G1KKo/w-d-xo.html

  • @BreakingRain16 2 years ago

    Will this fix a crystal that is not being read ?

    • @Ruthsarian 2 years ago

      short answer is no. even a locked crystal should be readable.
      does the crystal work in a holocron or lightsaber, but fails to be read by some other RFID reader? if YES, then this could fix that issue. but if a holocron or savi's hilt can't read it, and an RFID reader can't read it, the RFID tag in the crystal has probably gone bad.
      i had a new, sealed red crystal that had a bad RFID tag. i cut it open (imgur.com/gallery/6WAiVDv) and was able to replace the RFID chip with one from a little blue key fob. I then used some clear epoxy to glue it back together and it works now. The seam where I cut it open is not as noticeable as you'd think because the red resin of the crystal is carried through the clear epoxy, making the epoxy seam look red as well.

    • @BreakingRain16 2 years ago

      @Ruthsarian you have a video on how to do all that ?

    • @Ruthsarian 2 years ago

      @BreakingRain16 i don't, i'm sorry. it was something i did on a whim, not really expecting it to work and didn't think about filming the process.