I'm getting together some cards as you requested. I've got some Sielox and Checkpoint tags which both work on this unknown protocol. I can also send you 1 HF reader I was double sent by accident from eBay which came with some Mifare tags if you like. I really don't know any way to contact you other than this forum. Give me a bell on my email when you read this. Send me some postal address so we can put this protocol to sleep.
There is nothing on the net regarding the make and model of this tag. The closest I got was Myki which is to do with transport cards in Australia. From the photo, it sure is a HF tag. I'm guessing the Proxmark3 can't read the card because the tag needs authentication from the reader before it starts communicating. If this tag is used for building access I'm guessing it is a Mifare DESFire. Depending on the year the tag was made you could narrow this guess down further. What to do from here depends on more experienced users' knowledge who are probably in hibernation right now. In the meantime it's just you and me.
After some more searching I found this website. Now we know it is Mifare and that it has 512 bytes memory capacity so if we do further searching maybe we can limit it down to a Mifare Ultralight which fits into this category. (I'm guessing according to the Wiki.) What are your thoughts? I would brute force using "hf mf mifare" command on Proxmark3 and see what happens.
Finally I got my Prox3 updated and all seems well. Thanks for your help.
On another note, I have a Sielox proximity fob I believe works on HF but it will not respond to anything I throw at it. Frustrating as it is, I would like to call upon anyone here that would like a go at this fob. Happy to send it anywhere. Would anybody be willing to help?
It's been a while and yet I'm still having troubles. I can't seem to be able to flash my PM3 under Windows Vista 64. Compiling works great as I followed the latest guide to getting started. I'm having difficulty understanding the "sudo ./flasher -b ../bootrom/obj/bootrom.elf" step. Where exactly do you type this, cause so far it's not happening for me?
Any help would be much appreciated.
The Keri fob you have is definitely LF. I was able to read it using the Proxmark however I never got a chance to play it back using the Proxmark in order to confirm that it works. In order to clone this tag you need to find out what the UID is. I purchased a LF ACG USB reader from RFIDIOt and installed Python and so on... I'm still having problems getting the scripts to run correctly but I did manage to extract the UID using one of the scripts. Once I get the scripts to run correctly I was hoping to program the UID on a Q5 tag using the scripts and reader I received from RFIDIOt. The guy that sells the readers is a member of this forum. His name is firstname.lastname@example.org - Hope that gives you some lead.
albertoparis, I know this is not related to your question but how did you get RFIDIOt to work on your PC? Whenever I import a module, e.g. transit.py, I keep getting =====restart====== in the IDLE without anything happening. What could be wrong?
Thanks for reading.
I finally found a reader that was able to spit out an ID of my key fob (KERI SYS). I purchased the ACG LF from RFIDIOt and I was so happy. If anyone has RFIDIOt installed on their Windows XP 32 machine I would appreciate some assistance. I would like to perform the same function Adam did here in post 92. The problem I'm having is that when I try importing the module transit.py it runs and at the bottom of my IDLE I get ====restart====. It doesn't give me time to give it input. I've tried running it from command line but after the import the whole prompt crashes. The same thing happens with unique.py. Adam, if you're reading this, could you please help me?
I also need help understanding. I don't mean to brag like a bitch all night but it's annoying trying to keep up with you guys. To me an ELF is Santa's little helper. How does that simplify things for the benefit of the user? cbergonzi, you would be doing a great honour for dummies like me if you could please post the process you took, from compile to flash, so I could follow your steps.
I need help understanding what bushing has done here. Are the compiling source code instructions on the Wiki still valid for Windows users? Do I still need to use Subcommander to get updates for source code? Are the procedures set out in the Wiki still the same? I just don't get what's happening here.
Very very interesting video you pointed out Henryk. Thanks for your response. All this time I thought Wiegand was a type of modulation which the prox-card used to communicate with the reader. It's a shame Zac hasn't released the Gecko device he built. I so want one. I'm trying to program a Q5 card with the bits I read off my Keri tag which uses FSK. What is my chance of success, Henryk? Have you ever worked with Q5 cards?
Couple more questions Henryk... What is it you're studying at UNI and where will it lead you in the future?
Making a new Q5 adventure thread sounds good. These cards are awesome in that they can be programmed to replicate almost all modulations. The challenge is how it's done. Adam's Python script allows us to program using ASK which is a great start. I need to figure out how FSK should be done. Then there's PSK and so on. Even timing can be varied. Really amazing card and not much has been explored or mentioned about it in this forum. Where to start John??
While you're here take a look at www.rfdump.org. This may be of help to us.
Maybe not. At the moment it only works with HF readers. Damn.
Can somebody please clarify what Wiegand 26 really is? Correct me if I'm wrong: it's not a type of communication modulation between card and reader, it's the communication modulation that occurs between reader and server which is mainly used in access control where cabling needs to be stretched long distances. Right? What's your opinion?
Ok John. Which reader did you buy from Adam? Was it the L&HF ACG or just the LF like mine? I also got the Omnikey 5325 as well. Just in case I get bored I'm starting a collection of readers. My initial goal is to be able to program the Q5 cards using FSK modulation. How that's done, I don't know. Maybe somebody here has a few pointers and would like to help. In the meantime I'll do some googling on Q5 cards and see if there is a program out there already which will help me write in different modulation schemes. Stay tuned.
Sorry it's taken so long to reply. I've been procrastinating all this time. Thanks 4 your email, heart warming. I also bought an ACG LF reader from Adam not long ago and I think it's time to start playing with it. Tell me.. did you get your reader working? I mean, was it straightforward for you cause I have no idea where to start. I thought it's just a matter of plugging the damn thing in but there's a lot more to it. Let me know how things are.
Did you eventually come to the conclusion that the faulty tags were actually faulty? Cause I have a sus feeling that the building manager is trying to make money on these tags. My gut feeling is that whenever he is bored he picks you guys like flies and deletes fob UIDs off the system. After all, these fobs are meant to last something like 200 years!
Need to ask you. Do any of your Python scripts support FSK modulation for the Q5? I mean, if I was to program the bits described in POST 5 of another thread I hijacked, would I be able to program the Q5 card to use FSK modulation using your scripts?
Thanks Adam. I'm off to bed now.
It worked. It actually worked! I was having a lot of trouble at first cause it's not mentioned anywhere in the compile that I had to work out of the WINSRC folder in the command prompt after calling 0setpath.bat. I'm just wondering after all the errors I put this PM3 through while flashing how lucky I am. I'm so happy to actually get past this. What a miracle this was. I know what you're thinking Henryk: this guy's a total moron, is he really that stupid!!, was this guy dropped at birth, can't he just leave me alone.
Where you been lately? Hope all is well.
I don't know much about JTAG and reading people's posts, some work, some don't. I've been looking around and have found this one. Although I would prefer to buy one that has been tried and tested. Which did you buy Samy? From memory, I think you got 2?
Users: Due to this, firmware and host tools before and after revision 137 are mutually incompatible. I will prepare a new firmware release shortly and you are encouraged to update the firmware and bootrom when that is available.
Does that mean both Windows and Linux users? This is making me nervous cause I know I'm capable of really screwing things up and I don't even have a JTAG. Even if I had a JTAG I wouldn't know what to do with it. That's another chapter of my prox adventure that hasn't been written yet.
On today's show John will hear a knock on his door. Will it be the package he has been so eagerly waiting for? Will Adam's attempts to clone the fob actually pay off? And what will happen to John when his girlfriend finds out where the money has gone?
Stand-by guys. Season 1, episode 5 is about to begin.
Hmmm. Jonathan Westhues wrote about something similar but it only relates to the PM3. I'm curious to know where the start point was programmed in the Q5 card and if it took into account the sync pattern. I've provided a reference to this article below. I'm pretty sure the reason the Q5 doesn't work is cause there is no sync pattern which tells the reader "Get ready, here it comes".
If all that I want is to clone the tag, then it is arbitrary which point in the signal I designate as t=0. The ID just loops, so the signal over the air is unaffected. That feature between the cursors looked sort of like a sync pattern, though, and it occurs in both tags’ traces. For want of a better idea, I will write my demod code to correlate for that, and use that as its reference. Then I can demodulate the received signal to a bit string.
Haha.. you make me smile. Gotta say though, it has been so challenging for me from the first day and still is. I just looked at some old posts and now I'm thinking, what a Fuckwit. Hopefully new guys can just read my posts, laugh and learn from my mistakes. One day soon I'll be able to write scripts and then I'll sign up again as HenrykBrother or something. In the meantime I'll just keep asking.
Dude, I need a favour.... can you post a screen shot of the Q5 wave plot the same way you did b4? I haven't got my PM3 on me and I'm curious to see what's happening.
Thanks Adam. I just realised Henryk must have used a calculator. I thought it was all done manually and that the answer was meant to be obvious. That's why I got thrown off. I was sitting here like an idiot trying to merge 1's and 0's. Cool, Windows calculator helped me solve that one.
Guys, really sorry to hold you up but could you explain what XOR is? I've googled around, found explanations for it but can't seem to work out how Henryk arrived at the following answers:
0x04 xor 0x00 xor 0x80 xor 0x64 xor 0x5A = 0xBA
0x05 xor 0x01 xor 0x57 xor 0x49 xor 0x5A = 0x40
0x99 xor 0x53 xor 0x16 xor 0x70 xor 0x5A = 0xF6
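How the three results quoted above are reached, as an added example that is not part of the original posts: XOR compares two numbers bit by bit and sets a result bit to 1 only where the two input bits differ, and a chain of XORs is evaluated left to right. The page does not say what the bytes represent, so the code treats them purely as operands; the function names are illustrative.

```python
from functools import reduce

# The three rows quoted in the post: the five operands and the stated result.
ROWS = [
    ([0x04, 0x00, 0x80, 0x64, 0x5A], 0xBA),
    ([0x05, 0x01, 0x57, 0x49, 0x5A], 0x40),
    ([0x99, 0x53, 0x16, 0x70, 0x5A], 0xF6),
]


def xor_fold(values):
    """XOR every byte in `values` together, left to right."""
    return reduce(lambda acc, v: acc ^ v, values, 0)


def xor_trace(values):
    """Running result after each operand, as 8-bit binary strings."""
    acc, steps = 0, []
    for v in values:
        acc ^= v                      # bits that differ become 1, equal bits become 0
        steps.append(f"{acc:08b}")
    return steps


def check_rows(rows):
    """True for each row whose operands really XOR to the stated result."""
    return [xor_fold(ops) == result for ops, result in rows]


def residue(ops, result):
    """XOR is its own inverse: folding the result back in leaves 0.
    A non-zero residue means some byte in the row was altered."""
    return xor_fold(ops + [result])


if __name__ == "__main__":
    for ops, result in ROWS:
        shown = " xor ".join(f"0x{v:02X}" for v in ops)
        print(f"{shown} = 0x{xor_fold(ops):02X} (stated 0x{result:02X})")
        for v, step in zip(ops, xor_trace(ops)):
            print(f"    after 0x{v:02X} ({v:08b}): {step}")
```
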