Proxmark3 community

yikatong

Contributor

Registered: 2015-10-26

Posts: 11

I have new & unknown LF card

Hi,

I was expecting HID or Indala or EM..
But it showed something different.

What is this card?
I can see 13bytes - 7604279000315 on the card.

[== Undefined ==]
proxmark3> lf search u
Reading 30000 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          

No Known Tags Found!
          

Checking for Unknown tags:
          
Possible Auto Correlation of 5120 repeating samples          

Using Clock:32, Invert:0, Bits Found:513          
ASK/Manchester - Clock: 32 - Decoded bitstream:          
0000000010000111
0110000001000010
0111100100000000
0000001100010101
0001011000000000
0000101100000000
0000000001111101
1000111000110101
0000000011101001
0101001100110001
0000000010000111
0110000001000010
0111100100000000
0000001100010101
0001011000000000
0000101100000000
0000000001111101
1000111000110101
0000000011101001
0101001100110001
0000000010000111
0110000001000010
0111100100000000
0000001100010101
0001011000000000
0000101100000000
0000000001111101
1000111000110101
0000000011101001
0101001100110001
0000000010000111
0110000001000010
          

Unknown ASK Modulated and Manchester encoded Tag Found!          

if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'          
proxmark3> 

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: I have new & unknown LF card

7604279000315 is printed on the tag?  I've never seen a 20 byte ask/Manchester rf/32 tag before this one.   Are there any other markings on the tag or reader that might help identify it?

yikatong

Contributor

Registered: 2015-10-26

Posts: 11

Re: I have new & unknown LF card

7604279000315 is printed on the tag?  I've never seen a 20 byte ask/Manchester rf/32 tag before this one.   Are there any other markings on the tag or reader that might help identify it?

Probably there are hidden mechanism to read a tag.
And probably I made wrong command to get the data.

I can see the values are changing randomly whenever I read it.

I've heard that the tag is based on T55xx and they made it only for them.

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: I have new & unknown LF card

Post a second output.  I bet it isn't "random"

yikatong

Contributor

Registered: 2015-10-26

Posts: 11

Re: I have new & unknown LF card

Here is the result of reading the tag 3 times.

[== Undefined ==]
proxmark3> lf search u
Reading 30000 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          

No Known Tags Found!
          

Checking for Unknown tags:
          
Possible Auto Correlation of 5120 repeating samples          

Using Clock:32, Invert:0, Bits Found:513          
ASK/Manchester - Clock: 32 - Decoded bitstream:          
0111110110001110
0011010100000000
1110100101010011
0011000100000000
1000011101100000
0100001001111001
0000000000000011
0001010100010110
0000000000001011
0000000000000000
0111110110001110
0011010100000000
1110100101010011
0011000100000000
1000011101100000
0100001001111001
0000000000000011
0001010100010110
0000000000001011
0000000000000000
0111110110001110
0011010100000000
1110100101010011
0011000100000000
1000011101100000
0100001001111001
0000000000000011
0001010100010110
0000000000001011
0000000000000000
0111110110001110
0011010100000000
          

Unknown ASK Modulated and Manchester encoded Tag Found!          

if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'          
proxmark3> lf search u
Reading 30000 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          

No Known Tags Found!
          

Checking for Unknown tags:
          
Possible Auto Correlation of 5120 repeating samples          

Using Clock:32, Invert:0, Bits Found:513          
ASK/Manchester - Clock: 32 - Decoded bitstream:          
0110001010100010
1100000000000001
0110000000000000
0000111110110001
1100011010100000
0001110100101010
0110011000100000
0001000011101100
0000100001001111
0010000000000000
0110001010100010
1100000000000001
0110000000000000
0000111110110001
1100011010100000
0001110100101010
0110011000100000
0001000011101100
0000100001001111
0010000000000000
0110001010100010
1100000000000001
0110000000000000
0000111110110001
1100011010100000
0001110100101010
0110011000100000
0001000011101100
0000100001001111
0010000000000000
0110001010100010
1100000000000001
          

Unknown ASK Modulated and Manchester encoded Tag Found!          

if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'          
proxmark3> lf search u
Reading 30000 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          

No Known Tags Found!
          

Checking for Unknown tags:
          
Possible Auto Correlation of 5120 repeating samples          

Using Clock:32, Invert:0, Bits Found:513          
ASK/Manchester - Clock: 32 - Decoded bitstream:          
0000000010000111
0110000001000010
0111100100000000
0000001100010101
0001011000000000
0000101100000000
0000000001111101
1000111000110101
0000000011101001
0101001100110001
0000000010000111
0110000001000010
0111100100000000
0000001100010101
0001011000000000
0000101100000000
0000000001111101
1000111000110101
0000000011101001
0101001100110001
0000000010000111
0110000001000010
0111100100000000
0000001100010101
0001011000000000
0000101100000000
0000000001111101
1000111000110101
0000000011101001
0101001100110001
0000000010000111
0110000001000010
          

Unknown ASK Modulated and Manchester encoded Tag Found!          

if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'          
proxmark3> 

yikatong

Contributor

Registered: 2015-10-26

Posts: 11

Re: I have new & unknown LF card

Hi, marshmellow

You're right.
There is a pattern.

But I'm not sure where is the starting point.

yikatong

Contributor

Registered: 2015-10-26

Posts: 11

Re: I have new & unknown LF card

Hi, marshmellow,

Finally I could see full 20 bytes.
And it seems to be correct as I can see 13bytes are included in repeated 20 bytes.

The issue that I have is what IC is in the card.
I've heard that IC is T5577 but I couldn't get the good result using 'lf t55xx detect' with several 'lf t55xx config' options.
If it is not T5577, what will be? (ASK, 1bit=32clk, and Manchester coding...)

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: I have new & unknown LF card

The detect will not work if the chip is properly locked down without the password.  It likely is the t5577, as that is the most common chip capable of this type of message.

yikatong

Contributor

Registered: 2015-10-26

Posts: 11

Re: I have new & unknown LF card

Hi marshmellow,

Thank you.

I have two more question.

If the chip is locked down without password, how can I read block1,block2,block3@page0 separately?
And why it send data as a stream? (Is it normal?)

iceman

Administrator

Registered: 2013-04-25

Posts: 9,506

Website

Re: I have new & unknown LF card

Do you have the latest source from github and flashed/compiled it?    Actually, you should take the PR from @marshmellow since it comes with some fixes to LF commands.    Maybe that will increase you chances of success for the "lf t55xx detect"...

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: I have new & unknown LF card

And why it send data as a stream? (Is it normal?)

Yes it is normal for LF

If the chip is locked down without password, how can I read block1,block2,block3@page0 separately?

you would need a password if it is locked down.

if it is not lf t5 detect might work.

iceman

Administrator

Registered: 2013-04-25

Posts: 9,506

Website

Re: I have new & unknown LF card

[edit]

If you run
- data plot
- lf t55 det

if its Answer-On-Request AOR you'll no signal  just somewhat flat line...
if its not AOR you'll see a signal, that signal might not always be detectable by the decoding algos.  Thats why we have the set config manually...

And @marshmellow has made some nice adjustments to the signal gathering method (device side)  where it increases the chances to get a good result from "lf t55 det"...

Last edited by iceman (2015-10-28 20:48:25)

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: I have new & unknown LF card

If you'll have the  "data plot" up,   and do a "lf t55 det",  if its passworded you'll no signal  just somewhat flat line...

you are confusing AOR and password protected.  you will not see just a flat line you will see the standard repeating pattern instead of the block 0 read.

iceman

Administrator

Registered: 2013-04-25

Posts: 9,506

Website

Re: I have new & unknown LF card

You are correct,  I had to test it. Now I know why two of my t55x7 tags looked strange,    Good thing that we implemented that wakeup command.

yikatong

Contributor

Registered: 2015-10-26

Posts: 11

Re: I have new & unknown LF card

Hi marshmellow, and iceman,

Have you ever seen this kind configuration for T55x7?
Somebits are set to '1' while the data sheet shows '0' only.

[== Undefined ==]
proxmark3> lf t55 info
          
-- T55xx Configuration & Tag Information --------------------          
-------------------------------------------------------------          
 Safer key                 : 14          
 reserved                  : 74          
 Data bit rate             : 4 - RF/50          
 eXtended mode             : Yes - Warning          
 Modulation                : 0x13 (Unknown)          
 PSK clock frequency       : 0          
 AOR - Answer on Request   : No          
 OTP - One Time Pad        : Yes - Warning          
 Max block                 : 0          
 Password mode             : No          
 Sequence Start Terminator : No          
 Fast Write                : No          
 Inverse data              : No          
 POR-Delay                 : No          
-------------------------------------------------------------          
 Raw Data - Page 0          
     Block 0  : 0xE9533100  11101001010100110011000100000000          
-------------------------------------------------------------          
proxmark3> lf t55 dump
[0] 0xE9533100  11101001010100110011000100000000          
[1] 0xE9533100  11101001010100110011000100000000          
[2] 0xE9533100  11101001010100110011000100000000          
[3] 0xE9533100  11101001010100110011000100000000          
[4] 0xE9533100  11101001010100110011000100000000          
[5] 0xE9533100  11101001010100110011000100000000          
[6] 0xE9533100  11101001010100110011000100000000          
[7] 0xE9533100  11101001010100110011000100000000          
proxmark3> 

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: I have new & unknown LF card

you have not found the configuration, as without the correct password your tag is just outputting the first part of the data stream.. as you cannot access direct access mode (block read mode) without a password on your tag.  (which is why lf t5 detect didn't work)

what you have found out about your tag is that the data stream likely starts with 0xE9533100  (block 1)

yikatong

Contributor

Registered: 2015-10-26

Posts: 11

Re: I have new & unknown LF card

Hi, marshmellow,

Hope it is my final question.

Are LF tags(T55xx) normal to send Blk1 to Max block when 125kHz tag is in the field?
(HF tags are not responding until getting REQx/WUPx.)

If yes, how the reader knows the first block?

I put the oscilloscope into LF reader, but I can't see any command.
What I can see is only field on and off.

iceman

Administrator

Registered: 2013-04-25

Posts: 9,506

Website

Re: I have new & unknown LF card

That is the hard question..   Either you have a very precise timing in the reader when to start reading the signal.
Or you try to find, as with pm3,  where you get a proper demodulation of raw signal -> into a proper decode of manchester (or other) -> and finally a proper decode of signal into data with correct parity checks etc for HID, AWID,EM4xxx, etc

If you take all those decoding steps, you usually end up with one possible byte pattern...

yikatong

Contributor

Registered: 2015-10-26

Posts: 11

Re: I have new & unknown LF card

Hi iceman,

I have a 125kHz tag with 20 bytes data and USB type reader.
When I put the tag on the reader, the reader sent only 10 characters.

For example, T5577 has below data:
blk1 : AABBCCDD
blk2 : 01020304
blk3 : 05060708
blk4 : 090A0B0C
blk5: 0D0E0F00

and USB reader sents 0203040506 as a character type.

But I couldn't see any command from the reader using the oscilloscope.
That's the reason why I'm asking 125kHz tag's operation in the field.

And the reader knows the pattern and can decode HID tag and T5577 with ASK/Manchester.
I was wondering the normal operation of 125kHz tag.

yikatong

Contributor

Registered: 2015-10-26

Posts: 11

Re: I have new & unknown LF card

Oh... I just understood how general 125kHz tag works.
It doesn't require any command to read the data normally unlike HF tags.