Proxmark3 community

#1 2014-01-25 05:11:27

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Help decode/clone LF card for carpark access

Hi all,

I need some help decoding/cloning this car park access card.
119ov1z.jpg

Card id on it: 1246037
I'm sure it is an LF card; I did the HW TUNE to determine that.

How do I tell if it is a 125 kHz or 134 kHz card?

here is the trace i did with:

lf read
data sample 16000

Trace here: http://www.filedropper.com/trace

It seems like an em4x, but I cannot get a proper tag using the following commands:
lf em4x em410xwatch

I tried using mandemod, doesn't seem to work:

proxmark3> lf read
#db# buffer samples: 16 11 0e 0b 09 07 06 05 ...
proxmark3> data sample 16000
Reading 16000 samples

Done!

proxmark3> data askdemod 0
proxmark3> data mandemod 1
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Error: too many detection errors, aborting.
proxmark3>


hw ver:
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 840 2014-01-23 12:58:08
#db# os: svn 840 2014-01-23 12:58:11
#db# FPGA image built on 2013/11/19 at 18:17:10
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3>



Thanks!!

Offline

#2 2014-01-25 07:09:45

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Help decode/clone LF card for carpark access

Try with hid commands.

Offline

#3 2014-01-25 07:24:18

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

Hey thanks for the reply.
I tried with lf hid fskdemod but no response also.

Any other suggestions?

Offline

#4 2014-01-25 09:03:04

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: Help decode/clone LF card for carpark access

proxmark3> data load ../../Downloads/trace.pm3
loaded 16000 samples         
proxmark3> data plot
proxmark3> lf hid
lf hid
help             This help         
demod            Demodulate HID Prox Card II (not optimal)         
fskdemod         Realtime HID FSK demodulator         
sim              <ID> -- HID tag simulator         
clone            <ID> ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)         
proxmark3> lf hid demod
proxmark3> data mandemod
Warning: Manchester decode error for pulse width detection.         
(too many of those messages mean either the stream is not Manchester encoded, or clock is wrong)         
Unsynchronized, resync...         
(too many of those messages mean the stream is not Manchester encoded)         
Manchester decoded bitstream         
1 0 1 1 0 0 1 1 1 1 1 1 1 0 0 1         
1 0 1 0 1 0 1 0 1 0 0 0 0 0 0 0         
0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1         
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1         
1 0 1 1 0 0 1 1 1 1 1 1 1 0 0 1         
1 0 1 0 1 0 1 0 1 0 0 0 0 0 0 0         
0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1

But then the trace looks a bit strange? antenna problem?

Offline

#5 2014-01-25 09:12:41

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

Hi,

Don't think there is an antenna problem. I was able to decode other HID and EM410x cards.

Offline

#6 2014-01-25 09:19:38

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Help decode/clone LF card for carpark access

Send an "hw tune" command and post the result.

Those are mine WITH and WITHOUT a tag on it:

WITH TAG
proxmark3> hw tune
proxmark3> 
proxmark3> #db# Measuring antenna characteristics, please wait...                 
proxmark3> #db# Measuring complete, sending report back to host                 
proxmark3>           
proxmark3> # LF antenna: 17.05 V @   125.00 kHz          
proxmark3> # LF antenna: 30.48 V @   134.00 kHz          
proxmark3> # LF optimal: 30.48 V @   133.33 kHz          
proxmark3> # HF antenna:  0.16 V @    13.56 MHz          
proxmark3> # Your HF antenna is unusable.          

WITHOUT TAG
proxmark3> hw tune
proxmark3> 
proxmark3> #db# Measuring antenna characteristics, please wait...                 
proxmark3> #db# Measuring complete, sending report back to host                 
proxmark3>           
proxmark3> # LF antenna: 28.06 V @   125.00 kHz          
proxmark3> # LF antenna: 36.25 V @   134.00 kHz          
proxmark3> # LF optimal: 40.01 V @   129.03 kHz          
proxmark3> # HF antenna:  0.16 V @    13.56 MHz          
proxmark3> # Your HF antenna is unusable.          

I think it is an hid card looking at the plastic "case" but I am not sure of course.

Last edited by asper (2014-01-25 09:22:23)

Offline

#7 2014-01-25 09:19:52

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

May I know how do you guys determine that this is a HID card?

Offline

#8 2014-01-25 09:22:37

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Help decode/clone LF card for carpark access

See answer above.

Offline

#9 2014-01-25 11:49:00

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Help decode/clone LF card for carpark access

http://www.securakey.com/PRODUCTS/CARDS/RADIO_KEY_Cards_Tags_6770.pdf

http://www.proxmark.org/forum/viewtopic.php?id=1840

Offline

#10 2014-01-25 11:59:56

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

hi all, hw tune as below
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...                 
#db# Measuring complete, sending report back to host                 
         
# LF antenna: 16.25 V @   125.00 kHz         
# LF antenna: 13.56 V @   134.00 kHz         
# LF optimal: 19.60 V @   127.66 kHz         
# HF antenna:  0.03 V @    13.56 MHz         
# Your HF antenna is unusable.         
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...                 
#db# Measuring complete, sending report back to host                 
         
# LF antenna:  5.24 V @   125.00 kHz         
# LF antenna:  5.50 V @   134.00 kHz         
# LF optimal:  9.27 V @   160.00 kHz         
# HF antenna:  0.10 V @    13.56 MHz         
# Your LF antenna is marginal.         
# Your HF antenna is unusable.         
proxmark3>

Offline

#11 2014-01-25 12:03:28

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Help decode/clone LF card for carpark access

As proxmark3 says, with the tag on your antenna is "marginal" so signal is not very good. Anyway it probably is a HID card (refer to app_o1 links and to this)

Last edited by asper (2014-01-25 12:04:34)

Offline

#12 2014-01-25 12:04:05

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

It does look like the securakey rfid clam shell type. Can proxmark3 clone something like this? I need to start reading more on this...

Offline

#13 2014-01-25 12:05:35

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

Is there any way I can boost the signal?

Offline

#14 2014-01-25 17:45:40

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: Help decode/clone LF card for carpark access

can you post the details and a picture of your current antenna, maybe we can suggest improvements?

Offline

#15 2014-01-25 17:54:26

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

Hi, I bought my proxmark3 with low frequency antenna from this website. http://www.xfpga.com/e_products/?big_id=17

It's connected to my laptop or desktop USB 2.0 port.

Offline

#16 2014-01-26 05:02:42

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

guys

i did the following and this is the result. anybody able to help decode?

lf read
data samples 40000
data dec
data dec
data dec

data mandemod


results:

1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1         
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0         
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0


graph after DEC:
2s9900x.png

graph before anything:
rmju42.png

Offline

#17 2014-01-27 15:12:57

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

I put the below code into http://www.andrewmohawk.com/EM41X, but it gives an invalid parity. When I try to read the card at 134 kHz, the commands give a different code also.
Does anybody else have any other ideas? I'm trying to fabricate another LF antenna with 30awg magnet wire. Going to take some time to do it...


midnitesnake wrote:

proxmark3> data load ../../Downloads/trace.pm3
loaded 16000 samples         
proxmark3> data plot
proxmark3> lf hid
lf hid
help             This help         
demod            Demodulate HID Prox Card II (not optimal)         
fskdemod         Realtime HID FSK demodulator         
sim              <ID> -- HID tag simulator         
clone            <ID> ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)         
proxmark3> lf hid demod
proxmark3> data mandemod
Warning: Manchester decode error for pulse width detection.         
(too many of those messages mean either the stream is not Manchester encoded, or clock is wrong)         
Unsynchronized, resync...         
(too many of those messages mean the stream is not Manchester encoded)         
Manchester decoded bitstream         
1 0 1 1 0 0 1 1 1 1 1 1 1 0 0 1         
1 0 1 0 1 0 1 0 1 0 0 0 0 0 0 0         
0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1         
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1         
1 0 1 1 0 0 1 1 1 1 1 1 1 0 0 1         
1 0 1 0 1 0 1 0 1 0 0 0 0 0 0 0         
0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1

But then the trace looks a bit strange? antenna problem?

Offline

#18 2014-01-27 15:29:23

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

Added more traces
1)
lf read
data samples 16000
download: http://www.filedropper.com/trace16k


2)
lf read h
data samples 16000
download: http://www.filedropper.com/trace16kh

Offline

#19 2014-01-27 16:25:30

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: Help decode/clone LF card for carpark access

could it be an indala card?  Guessing now, tricky to work out.

Offline

#20 2014-01-27 16:28:17

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

I don't think so. I tried this before
lf read
data sample 16000
lf indalademod

the 'data plot' for the indala is really very very different. I tried creating a t5 with the "decoded" indala, but it doesn't work.

proxmark3> lf indalademod
Expecting a bit less than 500 raw bits
Recovered 442 raw bits
worst metric (0=best..7=worst): 6 at pos 20
UID=0000000000000000000000000000000010000100000000010001001000100000 (084011220)
Occurences: 1 (expected 5)

Offline

#21 2014-01-27 17:07:18

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

the trace is a 64 bit Manchester with a clock rate of 40

decoded:
0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 1 0 1 0 0 1 0 0
0 0 0 0 1 1 0 1 0 1 0 1 0 1 0 1

you can find a large part of the binary of the decimal number on the card in this string. (not 100% on the start and end of the 64 bits, but I think this is right)

should be able to program a clone from this data.

Offline

#22 2014-01-27 17:09:26

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

if you try a data mandemod 40 it should give you a repeating pattern of the decoded data I posted above.

Offline
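
Added example (not part of any post in this thread): a minimal Manchester demodulator that shows why the clock value decides whether the decode quoted in post #21 comes out clean. The sample stream is synthesized from that 64-bit string, not taken from the posted trace; the polarity convention (1 = high then low) and all function names are assumptions.

```python
# Constructed demo: BITS is the decode quoted in post #21; the samples are
# synthesized from it and are not the trace uploaded in the thread.
BITS = ("0000000001000000" "0000000000000000"
        "0000000010100100" "0000110101010101")


def manchester_encode(bits, clock=40, level=100):
    """Synthesize samples: one bit = `clock` samples with a mid-bit edge.
    Assumed polarity: 1 = high then low, 0 = low then high."""
    half = clock // 2
    out = []
    for b in bits:
        first = level if b == "1" else -level
        out += [first] * half + [-first] * half
    return out


def detect_clock(samples):
    """Shortest run of same-sign samples is one half-bit, so clock = 2 * run."""
    runs, n = [], 1
    for a, b in zip(samples, samples[1:]):
        if (a > 0) == (b > 0):
            n += 1
        else:
            runs.append(n)
            n = 1
    return 2 * min(runs[1:])  # runs[0] may be a partial run at capture start


def manchester_decode(samples, clock):
    """Return (bitstring, error_count) for the better of the two possible
    bit alignments. A '?' marks a bit period without a mid-bit edge."""
    half = clock // 2
    # The first sign change is a half-bit edge: either a bit boundary or a
    # mid-bit edge. Try both alignments and keep the one with fewer errors.
    edge = next(i + 1 for i, (a, b) in enumerate(zip(samples, samples[1:]))
                if (a > 0) != (b > 0))
    best = None
    for start in (edge, edge + half):
        bits, errors = [], 0
        for i in range(start, len(samples) - clock + 1, clock):
            first = samples[i + half // 2] > 0          # middle of 1st half
            second = samples[i + half + half // 2] > 0  # middle of 2nd half
            if first == second:
                errors += 1
                bits.append("?")
            else:
                bits.append("1" if first else "0")
        if best is None or errors < best[1]:
            best = ("".join(bits), errors)
    return best


def demo():
    # Three repetitions of the frame; the capture starts mid-bit, as a real
    # read would, so the decoder has to find the alignment itself.
    samples = (manchester_encode(BITS) * 3)[1234:]
    clock = detect_clock(samples)
    good = manchester_decode(samples, clock)
    bad = manchester_decode(samples, 64)  # wrong clock on the same samples
    return clock, good, bad


if __name__ == "__main__":
    clock, (bits, errs), (_, bad_errs) = demo()
    print("detected clock:", clock)
    print("errors at detected clock:", errs, "| frame found:", BITS in bits)
    print("errors at clock 64:", bad_errs)
```

The decoded stream is the 64-bit frame repeated from an arbitrary starting bit, which is why the start and end of the frame cannot be read off the decode alone.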

#23 2014-01-27 17:12:38

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

Hey thanks!
I tried putting the string into the em41x decoder online, it doesn't seem to return any proper code.

How do I clone to  t5 with a proxmark3? I'm assuming its a EM41x right?

Offline

#24 2014-01-27 17:14:17

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

not sure what version everyone is on but the data mandemod should have detected the 40 clock rate and should have worked the first time for you.  I'm still running the older version 715.  is it possible mandemod auto has been broken lately?

just curious what does data detectclock show for you on this trace?

Offline

#25 2014-01-27 17:16:31

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

it is not a EM41x  it is a different format entirely.  you'd need to program the bits above to blocks 1 and 2 of a t5 and then alter the configuration block 0 to be Manchester with a 40 clock.

Offline

#26 2014-01-27 17:18:06

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

loaded 16000 samples
proxmark3> lf hid demod
proxmark3> data mandemod 40
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or clock is wrong)
Unsynchronized, resync...
(too many of those messages mean the stream is not Manchester encoded)
Manchester decoded bitstream
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 1 1 0 0 1 1 1 1 1 1
1 0 0 1 1 0 1 0 1 1 0 1 1 0 0 0
0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 0 1 1 0 0 1 1 1 1 1 1
1 0 0 1 1 0 1 0 1 1 0 1 1 0 0 0

and yes it detects it at 40
proxmark3> data detectclock
Auto-detected clock rate: 40
proxmark3>

Offline

#27 2014-01-27 17:19:14

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

what version is your proxmark firmware?

Offline

#28 2014-01-27 17:19:50

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

marshmellow wrote:

it is not a EM41x  it is a different format entirely.  you'd need to program the bits above to blocks 1 and 2 of a t5 and then alter the configuration block 0 to be Manchester with a 40 clock.

I can do this with a proxmark3? Could you walk me through on this?

Offline

#29 2014-01-27 17:20:56

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

i'm on 840.

Offline

#30 2014-01-27 17:23:33

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

something like:

lf t55xx writeblock 0000000001000000000000000000000000000000101001000000110101010101 1
lf t55xx writeblock 0000000001000000000000000000000000000000101001000000110101010101 2

?

Offline

#31 2014-01-27 17:29:11

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

writeblock takes hex values.  and only 32 bits per block (8 hex numbers).  (total 64 bits = 2 blocks)

I'm not sure what has happened to the most recent version(s) of the demod commands but it doesn't appear at all correct.  decoding the wave form manually (I'm not an expert) the decode from version 715 (my proxmark) looks very close.

Offline

#32 2014-01-27 17:29:28

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

i think i got it... it is

lf t55xx writeblock 4000000 1
lf t55xx writeblock 0A40D55 2

how do i code the block 0 with manchester 64 and 40?

Offline

#33 2014-01-27 17:33:01

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

block 2:  0x00400000
block 1:  0x00A40D55

might get you started.  i'm not 100% on the t5 config block settings for that config though

Offline

#34 2014-01-27 17:38:20

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Help decode/clone LF card for carpark access

Well T5 is different from T55x7 so I don't think it is supported by proxmark3 (T5 it is not recognized by my dedicated T55x7 reader/writer).

Offline

#35 2014-01-27 17:39:49

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

oh, its different...?
the card i have is a t55x7.

will this work?

Offline

#36 2014-01-27 17:41:35

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

you are correct asper a T5 is not the same as the chip genexis has been referring to in short as t5.

Offline

#37 2014-01-27 17:42:36

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

a t55x7 is compatible and can be configured to mimic the card in question.

Offline

#38 2014-01-27 17:44:33

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

but you'll need to know the specific version of t55x7 to get the config block settings correct.  (t5557 is slightly different from ata5567 which is slightly different from ata5577.)

Offline

#39 2014-01-27 17:46:35

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Help decode/clone LF card for carpark access

... and we know that wink

Last edited by asper (2014-01-27 17:46:51)

Offline

#40 2014-01-27 17:58:57

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

Thanks asper,  I forgot in normal mode the chips are set to be compatible with the same block 0 settings.  it is when you get into extended mode (or xmode) things get different per chip version.

Offline

#41 2014-01-28 01:50:08

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

Hey guys thanks for the input. I'll try it out tonight and I'll post the outcome!

Offline

#42 2014-01-28 07:39:15

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

Looking at the article linked by asper, I'm guessing that for a 64bit manchester, I should be using this as the block 0 config: 00148040
But how does the 40 clock rate come into play? I don't see something that configures it in the block 0 config, unless it should be in the bit rate field? Which makes the configuration to be: 000c8040

In any case, I'll be trying the following:

1)
lf t55xx writeblock 00148040 0
lf t55xx writeblock 00400000 2
lf t55xx writeblock 00A40D55 1

2)
lf t55xx writeblock 000c8040 0
lf t55xx writeblock 00400000 2
lf t55xx writeblock 00A40D55 1


I'll keep you guys posted! Please let me know if I'm interpreting the above config 0 wrong smile

Offline

#43 2014-01-28 10:32:44

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Help decode/clone LF card for carpark access

000c8040
This way it should be RF/40 (bits 13 and 14, starting from left [MSb] = 1, set both to 1), Manchester modulation (bit17 set to 1) and 2 blocks (block1&block2) are transmitted in a cyclic way (bit26 set to 1) [data blocks transmitted should be 00400000->00A40D55].

00148040
Same as above but data rate is set to RF/64 (bits 12 and 14 set to 1).

If you need you can find ATA5567 datasheet here.

Last edited by asper (2014-01-28 10:35:23)

Offline
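
Added example (not part of asper's post or of the Proxmark3 code base): a decoder for the two block 0 words discussed in posts #42 and #43, using the bit numbering from post #43 (bit 1 = MSb) and the basic-mode field positions for data rate, modulation and max block. It also packs the 64-bit decode from post #21 into 32-bit words and checks each config word against the observed "64 bits, Manchester, clock 40"; function names are hypothetical.

```python
# Basic (non-extended) mode fields of a T55x7 block 0 word, bit 1 = MSb.
# Only the fields discussed in the thread are decoded here.
DATA_RATES = {0b000: "RF/8", 0b001: "RF/16", 0b010: "RF/32", 0b011: "RF/40",
              0b100: "RF/50", 0b101: "RF/64", 0b110: "RF/100", 0b111: "RF/128"}
MODULATIONS = {0b00000: "direct", 0b00001: "PSK1", 0b00010: "PSK2",
               0b00011: "PSK3", 0b00100: "FSK1", 0b00101: "FSK2",
               0b00110: "FSK1a", 0b00111: "FSK2a",
               0b01000: "Manchester", 0b10000: "Biphase"}

# 64-bit decode quoted in post #21.
BITS = ("0000000001000000" "0000000000000000"
        "0000000010100100" "0000110101010101")


def field(word, first, last):
    """Extract bits first..last of a 32-bit word (1-based, bit 1 = MSb)."""
    width = last - first + 1
    return (word >> (32 - last)) & ((1 << width) - 1)


def decode_config(hexword):
    """Decode the data rate, modulation and max-block fields of block 0."""
    word = int(hexword, 16)
    if not 0 <= word < (1 << 32):
        raise ValueError("block 0 is a 32-bit word")
    return {
        "data_rate": DATA_RATES[field(word, 12, 14)],
        "modulation": MODULATIONS.get(field(word, 16, 20), "unknown"),
        "max_block": field(word, 25, 27),
    }


def bits_to_blocks(bits):
    """Pack a bit string into 32-bit words, 8 hex digits each, in bit order."""
    if len(bits) % 32:
        raise ValueError("bit string must be a multiple of 32 bits")
    return ["%08X" % int(bits[i:i + 32], 2) for i in range(0, len(bits), 32)]


def matches_observation(hexword, frame_bits, clock):
    """True if this config would emit a Manchester frame of `frame_bits`
    bits at RF/`clock`, i.e. what the demodulated trace showed."""
    cfg = decode_config(hexword)
    return (cfg["modulation"] == "Manchester"
            and cfg["data_rate"] == "RF/%d" % clock
            and cfg["max_block"] * 32 == frame_bits)


if __name__ == "__main__":
    print("data words:", bits_to_blocks(BITS))
    for cfg in ("000c8040", "00148040"):
        print(cfg, decode_config(cfg),
              "matches 64 bits @ clock 40:", matches_observation(cfg, 64, 40))
```

The "64" in "64 bit Manchester" is the frame length (two 32-bit blocks), not the data rate, which is why only one of the two candidate words matches the observation.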

#44 2014-01-28 12:48:34

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

I tried writing a few t55xx cards with the commands below, but all failed to work...
lf t55xx writeblock 000c8040 0
lf t55xx writeblock 00400000 1
lf t55xx writeblock 00A40D55 2
6ohhr4.jpg



and

lf t55xx writeblock 000c8040 0
lf t55xx writeblock 00400000 2
lf t55xx writeblock 00A40D55 1
i3djqx.jpg

Compared to the original wave, it's still quite different...

Offline

#45 2014-01-28 12:59:58

genexis
Contributor
Registered: 2014-01-25
Posts: 78

Re: Help decode/clone LF card for carpark access

I must add that this looks very similar to the original wave.
But there is no tapering on the original wave.... Does anybody have any idea how to work on this?

lf t55xx writeblock 000c8040 0
lf t55xx writeblock 00400000 2
lf t55xx writeblock 00A40D55 1
i3djqx.jpg
VS

ORIGINAL
rmju42.png

Offline

#46 2014-01-28 14:37:17

tissuepeanut
Member
Registered: 2014-01-28
Posts: 8

Re: Help decode/clone LF card for carpark access

I'm trying to follow this thread but I got lost here

I'm not sure how marshmellow arrived at this decode..
I have tried askdemod then mandemod but it doesn't work
I've also tried to threshold it to make it just 1/-1 then use mandemod but I still can't get this decode.

Can someone (marshmellow) please explain or point me in the right direction?

Thanks a lot!

marshmellow wrote:

the trace is a 64 bit Manchester with a clock rate of 40

decoded:
0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 1 0 1 0 0 1 0 0
0 0 0 0 1 1 0 1 0 1 0 1 0 1 0 1

you can find a large part of the binary of the decimal number on the card in this string. (not 100% on the start and end of the 64 bits, but I think this is right)

should be able to program a clone from this data.

Offline

#47 2014-01-28 15:43:22

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

@genexis the wave forms look almost identical.  we might just have a binary bit off.  I'll do a comparison when I've programmed a card and gotten a full trace.

@tissuepeanut  with Mandemod there should be no reason to do an askdemod first.   so if you were reading a card you'd do lf read  -  data samples 16000   - data mandemod
but from what I've been seeing  lately I think there may be an issue with mandemod in the latest version of Proxmark Firmware.  I'm currently using 715 and it's worked good for lf.

Last edited by marshmellow (2015-01-30 05:12:17)

Offline

#48 2014-01-28 16:11:05

tissuepeanut
Member
Registered: 2014-01-28
Posts: 8

Re: Help decode/clone LF card for carpark access

@marshmellow
Okay I'll downgrade to 715 and try again. By the way, did you get your decode from the pm3 trace or the serial number printed on the card?

Offline

#49 2014-01-28 16:15:08

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Help decode/clone LF card for carpark access

from the trace. I just did a data mandemod directly on the trace and it came up with the binary.  I then compared to the serial number.  it is close enough I believe it to be a pretty good demod.  (though a bit here or there may be misplaced possibly due to a poor read).

Offline

#50 2014-01-28 16:37:05

tissuepeanut
Member
Registered: 2014-01-28
Posts: 8

Re: Help decode/clone LF card for carpark access

@Marshmellow

which trace did you use mandemod on?
Now i've loaded v715 and ran mandemod on trace.pm3, trace16k.pm3 and trace16kh.pm3 but still can't get a similar decode. If you don't mind, can you run me through the steps you took. I'm not sure what i'm missing out here. thanks!

@Genexis, do you think you can upload another Fresh read of the trace at 125k and 134k? We would like to rule out a bad read.

Offline
