Secura Key RKCM02 Cloning

atyppo · 2017-03-22 23:27:34

I need to clone a Secura Key RKCM02 card that I have. I have lots of extra cards with known facility codes and serial numbers that I can send out as samples to people interested in helping out. Willing to offer a reward if this can be done. Thanks.

marshmellow · 2017-03-22 23:41:20

if you have FC/Card# and PM3 read raw data by all means do post. if you don't have a pm3, then our options are limited...

atyppo · 2017-03-23 06:18:05

marshmellow wrote:

if you have FC/Card# and PM3 read raw data by all means do post. if you don't have a pm3, then our options are limited...

I don't unfortunately, but I can send several samples with known FC and SN. I have the FC and SN for the card I need to copy as well.

iceman · 2017-03-23 08:35:01

I'm guessing you are US-based, maybe its easiest (and cheapest) to send yr samples local. While it would have been to have some samples, I don't need it if someone like @marshmellow reads and collect the data for the community to take part of. He is one of our finest with regards to LF.

atyppo · 2017-03-23 15:41:47

iceman wrote:

I'm guessing you are US-based, maybe its easiest (and cheapest) to send yr samples local. While it would have been to have some samples, I don't need it if someone like @marshmellow reads and collect the data for the community to take part of. He is one of our finest with regards to LF.

Yes - I'm in California. I'm happy to send you some as well - I have 72 of them that I got for less than $1 apiece on eBay.

Last edited by atyppo (2017-03-23 15:42:09)

iceman · 2017-03-23 17:31:00

its ok, what do you say @marshmellow?

marshmellow · 2017-03-24 04:23:24

I just emailed atyppo.

Onisan · 2017-03-24 12:15:36

I'm happy to see if I can clone your card for you. you can email me info AT doorfobs dot com.
I've done a few different clamshell cards before so if it's straight forward I'm happy to share the steps.
All the best and good luck

Gary

marshmellow · 2017-04-01 01:02:47

ok so i implemented a demod / read command in the latest firmware...

what we know:

// 26 bit format
// preamble     ??bitlen   reserved        EPx   xxxxxxxy   yyyyyyyy   yyyyyyyOP  CS?        CS2?
// 0111111111 0 01011010 0 00000000 0 00000010 0 00110110 0 00111110 0 01100010 0 00001111 0 01100000 0 00000000 0 0000

// 32 bit format
// preamble     ??bitlen   reserved  EPxxxxxxx   xxxxxxxy   yyyyyyyy   yyyyyyyOP  CS?        CS2?
// 0111111111 0 01100000 0 00000000 0 10000100 0 11001010 0 01011011 0 01010110 0 00010110 0 11100000 0 00000000 0 0000

// x = FC? - does not match printed value
// y = card # printed on the tag
// standard wiegand parities.
// unknown checksum 11 bits? at the end

i have been unable to identify the checksum or how the FC relates to the printed number.

marshmellow · 2017-04-01 01:08:13

some samples to test:

PrintedFC  Printed ID   RAW ID
F3         0064161      7FCB400001ADEA4260380000
F3         0064162      7FCB400001ADEA4475100000
F3         0064163      7FCB400001ADEA473B800000
F3         0064164      7FCB400001ADEA485F800000
F3         0064151      7FCB400001ADEA2E0FB80000
F3         0064152      7FCB400001ADEA304FB00000
F3         0064153      7FCB400001ADEA3301200000
F3         0064102      7FCB400001ADE8CD5BB80000
F3         0064103      7FCB400001ADE8CE15280000
F3         0064104      7FCB400001ADE8D055200000
F3         0064105      7FCB400001ADE8D31BB00000
F3         0064136      7FCB400001ADEA1149300000
F3         0064137      7FCB400001ADEA1207A00000
F3         0064138      7FCB400001ADEA1412880000

atyppo · 2017-08-30 07:55:51

I now have a PM3 if there's anything that I should try. I have quite a few of these left to send out if anyone else is interested in taking a crack at it. I also have a couple of extra Doorking cards laying around.

iceman · 2017-08-30 08:04:05

I'm a taker

marshmellow · 2017-08-30 14:01:05

Or post traces of as many as you can.

atyppo · 2017-08-30 20:04:26

marshmellow wrote:

Or post traces of as many as you can.

I'm just starting out with this. What's the easiest way to post traces?

iceman · 2017-08-30 20:32:33

data save nnnnnn.pm3

and use a service like sendspace.com to share them here.

atyppo · 2017-08-30 21:19:01

iceman wrote:

data save nnnnnn.pm3
and use a service like sendspace.com to share them here.

Can you confirm that I'm doing this correctly before I go through all of the tags? Here's a link to the traces.

marshmellow · 2017-08-30 21:28:54

those will work, it might be nice to name the files according to all the printed numbers on the card (if there is more than the one ID #)

marshmellow · 2017-08-30 21:32:07

it might be simpler (faster) to just paste the output from the current `lf search` into a pastebin. that should give us enough to work with.

example output:

proxmark3> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

Securakey Tag Found--BitLen: 26, Card ID: 64169, FC: 0x35, Raw: 7FCB400001ADEA5344300000
Wiegand: 006BF553, Parity: Passed

How the FC translates to printed FC is unknown
How the checksum is calculated is unknown
Help the community identify this format further
 by sharing your tag on the pm3 forum or with forum members

Valid Securakey ID Found!
proxmark3>

but you really only would need to post the two lines:

Securakey Tag Found--BitLen: 26, Card ID: 64169, FC: 0x35, Raw: 7FCB400001ADEA5344300000
Wiegand: 006BF553, Parity: Passed

along with the printed numbers on the card

atyppo · 2017-08-30 21:38:03

marshmellow wrote:

those will work, it might be nice to name the files according to all the printed numbers on the card (if there is more than the one ID #)

All the cards have on them is the card number along with the FC, which is the same for all of them. It's F3.

iceman · 2017-08-30 21:39:20

hm.. very similar to @marshmellow's list. Anyway, his securakey demod works well.
If it is ok with @atyppo, I'd like to add one of these sample files to the traces folder. Nice to have a good secura trace in there.

atyppo · 2017-08-30 21:41:57

iceman wrote:

hm.. very similar to @marshmellow's list. Anyway, his securakey demod works well.
If it is ok with @atyppo, I'd like to add one of these sample files to the traces folder. Nice to have a good secura trace in there.

I'm actually the one that sent samples to him. I had between 64073 and 64172, but I'd estimate that I'm down to ~50 cards now. Feel free to do whatever you want with these.

atyppo · 2017-08-30 21:48:52

This is what I get when I try to replicate your command.

proxmark3> lf search
#db# DownloadFPGA(len: 42096)
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:


No Known Tags Found!

iceman · 2017-08-30 22:02:28

I noticed it when I saw the threadstart

You will need to pull the latest source from GitHub, compile & flash to enjoy @marshmellows additions.

atyppo · 2017-08-30 22:05:09

iceman wrote:

I noticed it when I saw the threadstart
You will need to pull the latest source from GitHub, compile & flash to enjoy @marshmellows additions.

Ok, is there a guide to do this? I'd like to make sure that I'm doing it correctly

iceman · 2017-08-30 22:11:05

...wiki, forum threads, compiling.txt, readme.md you name it.

atyppo · 2017-09-01 00:54:27

iceman wrote:

...wiki, forum threads, compiling.txt, readme.md you name it.

After I attempted to flash it, I've ended up with this error.

Qt: Untested Windows version 6.2 detected!
ERROR: invalid serial port

What should I do?

marshmellow · 2017-09-01 04:09:23

It looks like your proxmark changed serial ports. There are several threads on this issue.

iceman · 2017-09-01 07:13:14

try to keep the threads clean and to the subject.

atyppo · 2017-09-02 11:57:37

I'm also receiving this error. I've been trying to find a solution for a couple of hours, but can't seem to find anything. I'm using the latest compiled version.

                ====================================
                FLASHING bootrom.elf, please wait...
                ====================================

Loading ELF file '..\firmware_win\bootrom\bootrom.elf'...
Loading usable ELF segments:
0: V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
1: V 0x00200000 P 0x00100200 (0x00000cc0->0x00000cc0) [RWX] @0x298

Waiting for Proxmark to appear on com5..........................................
.....

I also get this error when I try to run fullimage.bat. I'm positive that my PM3 is now set to COM5.

Dot.Com · 2017-09-02 14:15:01

Hold the button on the side if it doesn't detect.

Try another port if still doesn't work.

atyppo · 2017-09-03 00:15:03

Dot.Com wrote:

Hold the button on the side if it doesn't detect.
Try another port if still doesn't work.

I already tried both of those to no avail. How long should I expect it to take to flash? I held the button for close to 10 minutes.

marshmellow · 2017-09-03 02:02:18

Enough off topic troubleshooting. Please start a new topic. Also see http://www.proxmark.org/forum/viewtopic.php?id=4904

this topic is on Securakey tags

Sentinel · 2018-05-06 17:21:59

32 bit format (to be continued)
7FCC00042328B6560B380000
7FCC00042328B65731080000
7FCC00042328B65855080000
7FCC00042328B6596F380000
7FCC00042328B65A21A80000
7FCC00042328B65B1B980000
7FCC00042328B65C34800000
7FCC00042328B65D0EB00000
7FCC00042328B65E40200000
7FCC00042328B65F7A100000

Sentinel · 2018-05-06 17:28:25

26 bit format (to be continued)
7FCB40000100000032900000
7FCB40000100000108A00000
7FCB40000100000246300000
7FCB4000010000037C000000
7FCB40000100000453180000
7FCB40000100000569280000
7FCB40000100000627B80000
7FCB4000010000071D880000
7FCB40000100000879880000
7FCB40000100000943B80000
7FCB40000100000A0D280000
7FCB40000100000B37180000
7FCB40000100000C18000000
7FCB40000100000D22300000
7FCB40000100000E6CA00000
7FCB40000100000F56900000
7FCB4000010000102CA80000
7FCB40000100001116980000
7FCB40000100001258080000
7FCB40000100001362380000
7FCB4000010000144D200000
7FCB40000100001577100000
7FCB40000100001639800000
7FCB40000100001703B00000
7FCB40000100001867B00000
7FCB4000010000195D800000
7FCB40000100001A13100000
7FCB40000100001B29200000
7FCB40000100001C06380000
7FCB40000100001D3C080000
7FCB40000100001E72980000
7FCB40000100001F48A80000
7FCB4000010000200E200000
7FCB40000100002134100000
7FCB4000010000227A800000
7FCB40000100002340B00000
7FCB4000010000246FA80000
7FCB40000100002555980000
7FCB4000010000261B080000
7FCB40000100002721380000
7FCB40000100002845380000
7FCB4000010000297F080000
7FCB40000100002A31980000
7FCB40000100002B0BA80000
7FCB40000100002C24B00000
7FCB40000100002D1E800000
7FCB40000100002E50100000
7FCB40000100002F6A200000
7FCB40000100003010180000
7FCB4000010000312A280000
7FCB40000100003264B80000
7FCB4000010000335E880000
7FCB40000100003471900000
7FCB4000010000354BA00000
7FCB40000100003605300000
7FCB4000010000373F000000
7FCB4000010000385B000000
7FCB40000100003961300000
7FCB40000100003A2FA00000
7FCB40000100003B15900000
7FCB40000100003C3A880000
7FCB40000100003D00B80000
7FCB40000100003E4E280000
7FCB40000100003F74180000
7FCB4000010000404B300000
7FCB40000100004171000000
7FCB4000010000423F900000
7FCB40000100004305A00000
7FCB4000010000442AB80000
7FCB40000100004510880000
7FCB4000010000465E180000
7FCB40000100004764280000
7FCB40000100004800280000
7FCB4000010000493A180000
7FCB40000100004A74880000
7FCB40000100004B4EB80000
7FCB40000100004C61A00000
7FCB40000100004D5B900000
7FCB40000100004E15000000
7FCB40000100004F2F300000
7FCB40000100005055080000
7FCB4000010000516F380000
7FCB40000100005221A80000
7FCB4000010000531B980000
7FCB40000100005434800000
7FCB4000010000550EB00000
7FCB40000100005640200000
7FCB4000010000577A100000
7FCB4000010000581E100000

Abuzer · 2019-05-29 00:10:31

I know this is an old post but I could not find any conclusion on the topic. Did you able to clone the Securakey cards?

atyppo · 2019-12-23 05:13:38

Abuzer wrote:

I know this is an old post but I could not find any conclusion on the topic. Did you able to clone the Securakey cards?

I've not been able to. Would be nice if someone is able to get through them as they seem to be OEM for several other tags for other companies (Doorking comes to mind).

hkplus · 2021-08-03 02:05:56

// 26 bit format
// preamble ??bitlen reserved EPx xxxxxxxy yyyyyyyy yyyyyyyOP CS? CS2?
// 0111111111 0 01011010 0 00000000 0 00000010 0 00110110 0 00111110 0 01100010 0 00001111 0 01100000 0 00000000

I have a feeling that the bits at the first ?? in front of bitlen is just a start of data marker.
Could the unknown bits not be a checksum but instead parity bits?

Proxmark3 community

Announcement

#1 2017-03-22 23:27:34

Secura Key RKCM02 Cloning

#2 2017-03-22 23:41:20

Re: Secura Key RKCM02 Cloning

#3 2017-03-23 06:18:05

Re: Secura Key RKCM02 Cloning

#4 2017-03-23 08:35:01

Re: Secura Key RKCM02 Cloning

#5 2017-03-23 15:41:47

Re: Secura Key RKCM02 Cloning

#6 2017-03-23 17:31:00

Re: Secura Key RKCM02 Cloning

#7 2017-03-24 04:23:24

Re: Secura Key RKCM02 Cloning

#8 2017-03-24 12:15:36

Re: Secura Key RKCM02 Cloning

#9 2017-04-01 01:02:47

Re: Secura Key RKCM02 Cloning

#10 2017-04-01 01:08:13

Re: Secura Key RKCM02 Cloning

#11 2017-08-30 07:55:51

Re: Secura Key RKCM02 Cloning

#12 2017-08-30 08:04:05

Re: Secura Key RKCM02 Cloning

#13 2017-08-30 14:01:05

Re: Secura Key RKCM02 Cloning

#14 2017-08-30 20:04:26

Re: Secura Key RKCM02 Cloning

#15 2017-08-30 20:32:33

Re: Secura Key RKCM02 Cloning

#16 2017-08-30 21:19:01

Re: Secura Key RKCM02 Cloning

#17 2017-08-30 21:28:54

Re: Secura Key RKCM02 Cloning

#18 2017-08-30 21:32:07

Re: Secura Key RKCM02 Cloning

#19 2017-08-30 21:38:03

Re: Secura Key RKCM02 Cloning

#20 2017-08-30 21:39:20

Re: Secura Key RKCM02 Cloning

#21 2017-08-30 21:41:57

Re: Secura Key RKCM02 Cloning

#22 2017-08-30 21:48:52

Re: Secura Key RKCM02 Cloning

#23 2017-08-30 22:02:28

Re: Secura Key RKCM02 Cloning

#24 2017-08-30 22:05:09

Re: Secura Key RKCM02 Cloning

#25 2017-08-30 22:11:05

Re: Secura Key RKCM02 Cloning

#26 2017-09-01 00:54:27

Re: Secura Key RKCM02 Cloning

#27 2017-09-01 04:09:23

Re: Secura Key RKCM02 Cloning

#28 2017-09-01 07:13:14

Re: Secura Key RKCM02 Cloning

#29 2017-09-02 11:57:37

Re: Secura Key RKCM02 Cloning

#30 2017-09-02 14:15:01

Re: Secura Key RKCM02 Cloning

#31 2017-09-03 00:15:03

Re: Secura Key RKCM02 Cloning

#32 2017-09-03 02:02:18

Re: Secura Key RKCM02 Cloning

#33 2018-05-06 17:21:59

Re: Secura Key RKCM02 Cloning

#34 2018-05-06 17:28:25

Re: Secura Key RKCM02 Cloning

#35 2019-05-29 00:10:31

Re: Secura Key RKCM02 Cloning

#36 2019-12-23 05:13:38

Re: Secura Key RKCM02 Cloning

#37 2021-08-03 02:05:56

Re: Secura Key RKCM02 Cloning

Board footer