Research, development and trades concerning the powerful Proxmark3 device.
Often the twn4 will output a translated output not a raw output. But some information is often better than none.
Offline
Next time I copy a Noralsy tag I'll take the raw number from the tag and the hex data. The newer KP3000 has a ten-digit code on them: the first three digits are the site code and then the next 7 are the incremental numbers.
My reader will give me 3 hex blocks of data, 8 hex chars in length each, which should help.
It would be great if we had a way of getting the hex directly from the number.
Offline
Hope it will help @Marshmellow. I have two NORALSYS traces with the number on the back (I kept them together in the file name).
Last edited by ntk (2017-04-04 15:08:29)
Offline
Share the Noralsy tags with hex and printed numbers here?
Offline
I have a guy coming to see me to clone his Noralsy Tag next Friday.
It's a 10 digit one where the first three digits are the site code.
I will take a hex dump of the tag and will write down the number to share with you so you can test.
He has sent the number that was on the one he lost, so hopefully the facility codes match; then I can try to duplicate the actual lost one when I've checked the raw data of the one he is bringing.
Last edited by Onisan (2017-04-13 15:02:12)
Offline
OK I can now share the following
10 Digit KCP3000 decodes to the following
BB0314FF
78611000
55960000
786 is the site code as per Noralsy specs
1100055 is the Serial Number
9 is the XOR of Site code and Serial Number "7861100055" which is also printed on the tag
No idea what the 6 relates to (why did I get a 6 and all others had a 7?)
This customer had sequentially numbered tags so it was easy to test.
Last edited by Onisan (2017-04-14 12:15:39)
Offline
Look at page three in this thread; I've written down what I know of the data mapping.
It indicates that your tag is a bit newer than I thought of this old system.
Offline
Hi there.
Another dump for finding the secret of KCP3000:
00088C6A bb0214ff 29797000 04670000
ID is 2970004.
Offline
Hi there.
I think I got the final answer and the last byte!
Tag ID is 2970004
Raw tag is:
00088C6A bb0214ff 29797000 04670000
00088C6A is the specific T55 header for such tags
297 is the site code as per Noralsy specs
97000 004 is the Serial Number
6 is the XOR of Site code and Serial Number "2979700004" which is also printed on the tag
7 is the XOR of the first block (BB214FF).
This matches the following dumps:
00088C6A BB0214FF 10298001 87C70000
00088C6A BB0214FF 20000101 91A70000
00088C6A BB0214FF 31801002 23870000
00088C6A BB0214FF 53999000 03C70000
00088C6A BB0214FF 31801002 23870000
00088C6A BB0214FF 68102013 16870000
00088C6A BB0214FF 64202001 57170000
00088C6A BB0214FF 24205002 13170000
00088C6A BB0214FF 39402007 54A70000
00088C6A BB0314FF 85700001 52C60000
00088C6A BB0314FF 25299001 16360000
00088C6A BB0314FF 56897019 19560000
00088C6A BB0314FF 31801004 82560000
00088C6A BB0314FF 04099001 45460000
00088C6A BB0314FF 78611000 55960000
Offline
That's the reason why the second number does not change so much.
It is either:
* 7 for BB214FF
* 6 for BB314FF
Offline
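The block layout and the two checksum nibbles described in the two posts above, as an added Python example that is not part of the original thread or of the Proxmark3 code base. The function and field names are assumptions, and the `tail_ok` check relies only on the observation that every dump quoted in the thread ends in 0000.

```python
from functools import reduce

T55_HEADER = "00088C6A"   # T55 header block quoted in the thread; carries no ID data
HEX = set("0123456789ABCDEF")


def nibble_xor(hex_str):
    """XOR together every 4-bit nibble of a hex string."""
    return reduce(lambda acc, ch: acc ^ int(ch, 16), hex_str, 0)


def decode_noralsy(dump):
    """Decode 'B1 B2 B3' (optionally preceded by the T55 header) per the thread."""
    blocks = dump.upper().split()
    if blocks and blocks[0] == T55_HEADER:
        blocks = blocks[1:]
    if len(blocks) != 3 or any(len(b) != 8 or not set(b) <= HEX for b in blocks):
        raise ValueError("expected three data blocks of 8 hex characters")
    b1, b2, b3 = blocks
    digits = b2 + b3[:2]                 # ten printed digits, one per nibble
    if not digits.isdigit():
        raise ValueError("card-number nibbles must all be decimal digits")
    return {
        "first_block": b1,
        "site_code": digits[:3],         # first three digits (per the thread)
        "serial": digits[3:],            # remaining seven digits
        "chk1_ok": int(b3[2], 16) == nibble_xor(digits),   # XOR of the 10 digits
        "chk2_ok": int(b3[3], 16) == nibble_xor(b1),       # XOR of the first block
        "tail_ok": b3[4:] == "0000",     # every dump in the thread ends in 0000
    }


if __name__ == "__main__":
    samples = [
        "00088C6A BB0314FF 78611000 55960000",   # from the thread
        "00088C6A bb0214ff 29797000 04670000",   # from the thread
        "00088C6A BB0214FF 29797000 05670000",   # constructed: one digit altered
    ]
    for s in samples:
        print(s, decode_noralsy(s))
```

A dump whose `chk1_ok` or `chk2_ok` comes back false was either misread or does not follow the layout worked out in this thread.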
Thanks for the dump summary.
But your conclusions are the same as was found a while ago on page 3 of this thread:
http://www.proxmark.org/forum/viewtopic … 225#p25225
What we don't know is why BB02 sometimes is BB03, or what the 3 nibbles in the middle of the serial number represent (why they change).
Do the readers / access control software care about these nibbles? (Are there invalid values?)
Offline
The BB2/BB3 is the one thing left unknown.
The other three nibbles, two of them are year, and the last one should be production quarter according to some product pdf I read.
Offline
Oh sorry, you cleared the point for me.
About the mysterious BB2/BB3, I may change a BB2 into BB3 and test it over a reader. I'll let you know.
Offline