Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-01-09 21:55:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

PSK Demodulation testing

I did some fast tests with a T55x7 card configured with PSK modulation; these are the results.
Looks promising.


T55XX tests

//00088040  PSK RF/2 Man modulation
pm3 --> lf t55xx wr 00088040 0
pm3 --> lf re
pm3 --> da pskdet
Auto-detected clock rate: 16
pm3 --> da psknrz
pm3 --> da pskindala
Error1: -1
pm3 --> da psknrzraw

//00081040 PSK RF/2 psk1 modulation
pm3 --> lf t55xx wr 00081040 0
pm3 --> lf re
pm3 --> da pskclea
pm3 --> da pskdet
Auto-detected clock rate: 64
pm3 --> da psknrzraw
pm3 --> da pskindala
Error1: -1

//00082040 PSK RF/2 psk2 modulation
pm3 --> lf t55xx wr 00082040 0
pm3 --> lf re
pm3 --> da pskdet
Auto-detected clock rate: 32
pm3 --> da pskindala
Tried PSK/NRZ Demod using Clock: 32 - invert: 0 - Bits Found: 609
BitLen: 64
Indala UID=0000000000000000000000000000000000000001000000001100010010101010 (00100c4aa)
pm3 --> da psknrzraw
Tried PSK/NRZ Demod using Clock: 32 - invert: 0 - Bits Found: 609
PSK or NRZ demoded bitstream:
0111111110011101
1010101010000000
0000000000000000
0000000000000000
1000000001100010
0101010101111111
1111111111111111
1111111111111111
0111111110011101
1010101010000000
0000000000000000
0000000000000000
1000000001100010
0101010101111111
1111111111111111
1111111111111111
0111111110011101
1010101010000000
0000000000000000
0000000000000000
1000000001100010
0101010101111111
1111111111111111
1111111111111111
0111111110011101
1010101010000000
0000000000000000
0000000000000000
1000000001100010
0101010101111111
1111111111111111
1111111111111111
pm3 --> da pskclea

//00083040 PSK RF/2 psk3 modulation
pm3 --> lf t55xx wr 00083040 0
pm3 --> lf re
pm3 --> da pskdet
Auto-detected clock rate: 32
pm3 --> da pskindala
Tried PSK/NRZ Demod using Clock: 32 - invert: 0 - Bits Found: 609
Had to invert bits
BitLen: 64
Indala UID=0000000000000000000000000000000000000000000000011111111100111000 (00001ff38)
pm3 --> da psknrzraw
Tried PSK/NRZ Demod using Clock: 32 - invert: 0 - Bits Found: 609
PSK or NRZ demoded bitstream:
1111111110011100
0111111111111111
1111111111111111
1111111111111111
0000000001100011
1000000000000000
0000000000000000
0000000000000000
1111111110011100
0111111111111111
1111111111111111
1111111111111111
0000000001100011
1000000000000000
0000000000000000
0000000000000000
1111111110011100
0111111111111111
1111111111111111
1111111111111111
0000000001100011
1000000000000000
0000000000000000
0000000000000000
1111111110011100
0111111111111111
1111111111111111
1111111111111111
0000000001100011
1000000000000000
0000000000000000
0000000000000000

Offline

#2 2015-01-09 23:50:24

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: PSK Demodulation testing

I see an lf read (lf re) but no data samples ???

The detect clock has some issues. It needs work. (I actually haven't seen any that weren't RF/32.)

What data was on the card you were testing?

Offline

#3 2015-01-10 00:36:18

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: PSK Demodulation testing

You can use a T55x7 to simulate the modulation and RF you desire.

Offline

#4 2015-01-10 00:38:37

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: PSK Demodulation testing

Yeah, just haven't got to it yet.  Thx

Offline

#5 2015-01-10 00:58:18

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: PSK Demodulation testing

BLOCK0

xxxx8xxx = PSK RF/2 with Manchester modulation
xxxx1xxx = PSK RF/2 with PSK1 modulation (phase change when input changes)
xxxx2xxx = PSK RF/2 with PSK2 modulation (phase change on bitclk if input high)
xxxx3xxx = PSK RF/2 with PSK3 modulation (phase change on rising edge of input)

XXXXX0XX = PSK RF/2
XXXXX4XX = PSK RF/4
XXXXX8XX = PSK RF/8

Last edited by asper (2015-01-10 01:01:18)

Offline

#6 2015-01-10 01:44:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: PSK Demodulation testing

@marshmellow, I modded my "lf read" to include a "data samples" (since we always do them as a pair). One less command to type :)

Offline

#7 2015-01-10 01:49:58

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: PSK Demodulation testing

I was guessing, just didn't know. :)


Oh, and the rf/2 to rf/8 are each individual wavelengths. When they add up to another rf/X length they = 1 demodulated bit = bit clock (as we define it). (Similar to FSK.)

Offline

#8 2015-01-14 00:56:56

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: PSK Demodulation testing

Someday I will revisit the code for PSK demod. It should really work similarly to FSK and be based off the number of samples in a wave, not the peaks and valleys (though they help with locating the starting position for the clock count). That would help it detect weaker tags more easily.

Also, though somewhat unrelated, the data norm command may help with "weak" tags for just about any demod. But it could also make static be detected as a tag, so I don't recommend using it in automated scripts or multi-command commands...

Offline

#9 2015-01-16 18:36:15

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: PSK Demodulation testing

I should clarify, the psknrzdemod is only for PSK1 (but should work at different RF clocks and RC clocks). I haven't quite figured out the other PSKs... (nor had the time to look into them.)

Offline
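
An added example, not part of the thread or of the Proxmark3 code: a phase-level model of the PSK1/PSK2/PSK3 rules listed in post #5, showing what a PSK1-only demodulator (post #9) would report for each mode and how PSK2 data can be recovered from that phase stream. The function names and the 8-bit `FRAME` are constructed, and only the two block 0 nibbles documented in the thread are decoded.

```python
# Added example: phase-level model of the PSK rules listed in post #5.
# Function names and the sample frame are constructed for illustration.

PSK_MODE = {0x1: "PSK1", 0x2: "PSK2", 0x3: "PSK3"}  # 5th hex digit of block 0
PSK_CARRIER = {0x0: 2, 0x4: 4, 0x8: 8}              # 6th hex digit: RF/2, RF/4, RF/8


def parse_block0(word):
    """Decode only the two block 0 nibbles that the thread documents."""
    return PSK_MODE.get((word >> 12) & 0xF), PSK_CARRIER.get((word >> 8) & 0xF)


def encode_phase(bits, mode):
    """Return the carrier phase (0 or 1) during each bit period."""
    phase, prev, out = 0, 0, []
    for b in bits:
        if mode == "PSK1":
            flip = b != prev             # phase change when input changes
        elif mode == "PSK2":
            flip = b == 1                # phase change on bit clock if input high
        elif mode == "PSK3":
            flip = b == 1 and prev == 0  # phase change on rising edge of input
        else:
            raise ValueError("unsupported mode: %r" % (mode,))
        phase ^= flip
        out.append(phase)
        prev = b
    return out


def psk2_bits_from_phase(phases, start_phase=0):
    """Recover PSK2 data from a PSK1-style phase stream: a 1 is a phase flip."""
    out, prev = [], start_phase
    for p in phases:
        out.append(p ^ prev)
        prev = p
    return out


FRAME = [0, 1, 1, 0, 1, 0, 0, 0]  # constructed tag data with an odd number of 1 bits

if __name__ == "__main__":
    for word in (0x00081040, 0x00082040, 0x00083040):
        mode, carrier = parse_block0(word)
        phases = encode_phase(FRAME * 2, mode)  # the tag repeats its frame
        print("%08X %s RF/%d" % (word, mode, carrier), "".join(map(str, phases)))
```

With an odd number of 1 bits per frame, the PSK2 phase stream comes back inverted on every second repetition. The PSK2 dump in post #1 has that shape: within each 128-bit repetition, the last four 16-bit rows are the bitwise complement of the first four.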
