Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello community, hello all the smart people out there,
I have this LF tag. It's pretty straightforward, but when I write the data to a new fob it yields different output.
Not sure if it's a bug or if I'm doing something wrong.
My rig:
Proxmark3 RFID instrument
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-19-gfeea1a45 2017-10-05 18:09:38
os: iceman/master/ice_v3.1.0-19-gfeea1a45 2017-10-05 18:09:44
[ FPGA ]
LF image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF image built for 2s30vq100 on 2017/05/17 at 17:48:26
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 220509 bytes (42%) Free: 303779 bytes (58%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
Measuring antenna characteristics, please wait......
# LF antenna: 36.16 V @ 125.00 kHz
# LF antenna: 21.45 V @ 134.00 kHz
# LF optimal: 36.16 V @ 125.00 kHz
# HF antenna: 33.82 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Then the initial detection:
pm3 --> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 25600 repeating samples
Possible 3200 bytes
Possible 2 blocks, width 1600
Possible 4 blocks, width 800
Possible 8 blocks, width 400
Possible 16 blocks, width 200
DEBUG: (FSKrawDemod) Using Clock:50, invert:0, fchigh:10, fclow:8
FSK2 decoded bitstream:
1101100110101000
1101111001011111
1111111111011111
1101111111011111
1101111111011111
1101111111011111
1101111111011111
1101001101111001
1101100110101000
1101111001011111
1111111111011111
1101111111011111
1101111111011111
1101111111011111
1101111111011111
1101001101111001
1101100110101000
1101111001011111
1111111111011111
1101111111011111
1101111111011111
1101111111011111
1101111111011111
1101001101111001
1101100110101000
1101111001011111
1111111111011111
1101111111011111
1101111111011111
1101111111011111
11
Unknown FSK Modulated Tag Found!
Valid T55xx Chip Found
Try `lf t55xx` commands
pm3 --> lf t55 detect
Chip Type : T55x7
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 32
Seq. Term. : No
Block0 : 0x80107080
pm3 --> lf t55 info
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 8
reserved : 0
Data bit rate : 4 - RF/50
eXtended mode : No
Modulation : 7 - FSK 2a RF/10 RF/8
PSK clock frequency : 0
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 4
Password mode : No
Sequence Start Terminator : No
Fast Write : No
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x80107080 10000000000100000111000010000000
-------------------------------------------------------------
pm3 --> lf t55 read
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
255 | 01010101 | 00000001000000010000000100000001 | ....
pm3 --> lf t55 detect
Chip Type : T55x7
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 32
Seq. Term. : No
Block0 : 0x80107080
pm3 --> lf read
#db# LF Sampling config:
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 30 00 12 6c ae dc d8 7e ...
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
pm3 --> data save new.pm3
saved to 'new.pm3'
pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 80107080 | 10000000000100000111000010000000 | ..p.
01 | 00010101 | 00000000000000010000000100000001 | ....
02 | 01010101 | 00000001000000010000000100000001 | ....
03 | 01010164 | 00000001000000010000000101100100 | ...d
04 | 6265721A | 01100010011001010111001000011010 | ber.
05 | 00000000 | 00000000000000000000000000000000 | ....
06 | 00000000 | 00000000000000000000000000000000 | ....
07 | 00000000 | 00000000000000000000000000000000 | ....
Reading Page 1:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 80107080 | 10000000000100000111000010000000 | ..p.
01 | C02A1441 | 11000000001010100001010001000001 | .*.A
02 | 9567518D | 10010101011001110101000110001101 | .gQ.
03 | 00000000 | 00000000000000000000000000000000 | ....
Now I tried to clone:
lf t55 wr b 0 d 80107080
lf t55 wr b 1 d 00010101
lf t55 wr b 2 d 01010101
lf t55 wr b 3 d 01010164
lf t55 wr b 4 d 6265721A
After cloning I dump the new fob:
pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 80107080 | 10000000000100000111000010000000 | ..p.
01 | 00020202 | 00000000000000100000001000000010 | ....
02 | 00040404 | 00000000000001000000010000000100 | ....
03 | 020202C8 | 00000010000000100000001011001000 | ....
04 | 6265721A | 01100010011001010111001000011010 | ber.
05 | 00000000 | 00000000000000000000000000000000 | ....
06 | 00000000 | 00000000000000000000000000000000 | ....
07 | 00000000 | 00000000000000000000000000000000 | ....
Reading Page 1:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 80107080 | 10000000000100000111000010000000 | ..p.
01 | 80542883 | 10000000010101000010100010000011 | .T(.
02 | 2E159924 | 00101110000101011001100100100100 | ...$
03 | 00A00003 | 00000000101000000000000000000011 | ....
pm3 -->
As you can see, the block 1, 2, 3 data is not identical to the original fob's. What am I doing wrong here? Or am I?
I tried the following:
a different blank, overwrote the blocks several times, changed the fob's proximity to the antenna, etc.
How do I get the desired output? Please help, thanks for your suggestions.
Last edited by Heru (2017-12-19 23:25:06)
1. Always use lf t55 detect after writing a config block.
2. It's FSK, hard to get a starting point; sometimes you see that you will need a different offset when printing.
0202 -> 0101 is just one step away...
And to make sure, try out the official pm3 and see if your tag gets identified correctly.
Did you re-detect the clone before running the t55xx dump cmd? T55xx read cmds require the detect cmd first to have a chance at being accurate.
That said, the t55xx read blk (dump) cannot perfectly identify the start bit of the stream, as it is dependent on many variables. So the output can be offset by a bit now and then.
Edit: Iceman beat me to it.
Btw, I always double-check the t55 read commands of the broadcast blocks with the rawdemod commands.
For the record, I did re-detect the clone before running the dump command.
Also, the block 0 and 4 changes were immediate. They showed the correct output straight away; I did not have to re-detect.
@iceman, I'm obsessed with your build; not really keen to change the firmware back and forth, to be honest.
But maybe it's a good opportunity for me to try the official build. Thanks.
Last edited by Heru (2017-11-30 15:32:33)
This one is solved.
Apparently this card is a cloned one, not the original card. The original card had the value 0x00107080, which indicates it's a Pyramid tag.
So this clone has the value 80107080 and the original has 00107080, yet both keys still work, which is funny.
Another funny thing is that you cannot force-write a t55x7 successfully with the following values:
lf t55 wr b 0 d 80107080
lf t55 wr b 1 d 00010101
lf t55 wr b 2 d 01010101
lf t55 wr b 3 d 01010164
It will always be shown as:
pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 80107080 | 10000000000100000111000010000000 | ..p.
01 | 00020202 | 00000000000000100000001000000010 | ....
02 | 00040404 | 00000000000001000000010000000100 | ....
03 | 020202C8 | 00000010000000100000001011001000 | ....
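To make the block 0 values quoted in this post and in the `lf t55 info` output above concrete, here is an added example (not code from the thread or from the Proxmark3 client) that decodes a T55x7 page 0 block 0 configuration word into the same fields `lf t55 info` prints, using the field layout from the Atmel T5577 datasheet (bit 31 is the first bit of the word), and reports which fields differ between two words. The clone and original values 0x80107080 and 0x00107080 come from the thread; the field and table names are this example's own.

```python
# Added example, not code from the thread or the Proxmark3 client:
# decode and compare T55x7 page 0 block 0 configuration words.
# Bit layout follows the Atmel T5577 datasheet (bit 31 = first bit sent).

BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "DIRECT", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
               5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "Manchester",
               16: "Biphase", 24: "Diphase"}

# (field name, high bit, low bit) for every field of the 32-bit word
FIELDS = [
    ("safer_key", 31, 28), ("reserved", 27, 21), ("bit_rate", 20, 18),
    ("x_mode", 17, 17), ("modulation", 16, 12), ("psk_cf", 11, 10),
    ("aor", 9, 9), ("otp", 8, 8), ("max_block", 7, 5), ("pwd", 4, 4),
    ("st", 3, 3), ("fast_write", 2, 2), ("inverse", 1, 1), ("por_delay", 0, 0),
]


def decode_config(block0: int) -> dict:
    """Split a T55x7 block 0 value into its numeric fields."""
    if not 0 <= block0 <= 0xFFFFFFFF:
        raise ValueError("block 0 must be a 32-bit value")
    out = {}
    for name, hi, lo in FIELDS:
        width = hi - lo + 1
        out[name] = (block0 >> lo) & ((1 << width) - 1)
    return out


def describe_config(block0: int) -> dict:
    """Human-readable view, named after the lines `lf t55 info` prints."""
    f = decode_config(block0)
    return {
        "Safer key": f["safer_key"],
        "Data bit rate": f"{f['bit_rate']} - {BIT_RATES[f['bit_rate']]}",
        "eXtended mode": bool(f["x_mode"]),
        "Modulation": f"{f['modulation']} - "
                      f"{MODULATIONS.get(f['modulation'], 'unknown')}",
        "Max block": f["max_block"],
        "Password mode": bool(f["pwd"]),
        "Sequence Start Terminator": bool(f["st"]),
        "Inverse data": bool(f["inverse"]),
    }


def config_diff(a: int, b: int) -> dict:
    """Fields that differ between two config words: {field: (a_value, b_value)}."""
    da, db = decode_config(a), decode_config(b)
    return {k: (da[k], db[k]) for k in da if da[k] != db[k]}


if __name__ == "__main__":
    CLONE, ORIGINAL = 0x80107080, 0x00107080   # block 0 values quoted in the thread
    for key, value in describe_config(CLONE).items():
        print(f"{key:28}: {value}")
    print("clone vs original differ in:", config_diff(CLONE, ORIGINAL))
```

Run against 0x80107080 it reproduces the info output (bit rate 4 = RF/50, modulation 7 = FSK2a, max block 4, no password), and `config_diff` shows that the clone and the original differ only in the top nibble (safer key 8 versus 0), which is why both still demodulate the same way.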
Those values are one and the same in binary. Change the tag position on the antenna or change the antenna and your results will vary on a t55x7 read.
In other words, depending on your antenna, tag position, and tag modulation, lf t5 read may be a bit off in the conversion from binary to hex. Timing varies on the different pm3 equipment out there, so...
Btw, it works perfectly almost always on my setup...
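Both iceman's "0202 -> 0101 is just one step away" and the explanation above say the dump can be the written data with the start bit mis-aligned. Here is an added example (not from the thread) that checks exactly that: it concatenates the written blocks into one bit stream, re-reads each 32-bit window a few bits early or late, and reports which shift reproduces each dumped block. The written and dumped values are the page 0 block 1-3 values quoted in this thread; the function names are this example's own.

```python
# Added example, not from the thread: test whether a T55x7 dump is the written
# data read with the bit window mis-aligned by a few positions.
# Sample values are the page 0 block 1-3 values quoted in the thread.

WRITTEN = [0x00010101, 0x01010101, 0x01010164]   # what was written
READ    = [0x00020202, 0x00040404, 0x020202C8]   # what `lf t55 dump` returned


def blocks_to_bits(blocks):
    """Concatenate 32-bit blocks into one bit string, MSB first, as transmitted."""
    return "".join(f"{b:032b}" for b in blocks)


def shifted_block(written, index, shift):
    """Value of block `index` (0-based) when the reader's 32-bit window starts
    `shift` bits late (positive) or early (negative).
    Positions outside the written stream are taken as 0."""
    bits = blocks_to_bits(written)
    start = index * 32 + shift
    window = "".join(bits[i] if 0 <= i < len(bits) else "0"
                     for i in range(start, start + 32))
    return int(window, 2)


def explain_read(written, read, max_shift=3):
    """For each dumped block (numbered from 1, like the dump output), list the
    shifts in [-max_shift, max_shift] that reproduce it from the written stream.
    An empty list means no small constant offset explains that block."""
    return {i + 1: [s for s in range(-max_shift, max_shift + 1)
                    if shifted_block(written, i, s) == r]
            for i, r in enumerate(read)}


if __name__ == "__main__":
    for blk, shifts in explain_read(WRITTEN, READ).items():
        value = READ[blk - 1]
        if shifts:
            print(f"block {blk}: 0x{value:08X} is the written data read {shifts} bit(s) late")
        else:
            print(f"block {blk}: 0x{value:08X} matches no shift of +/-3 bits")
```

On the thread's values, blocks 1 and 3 are explained by a window one bit late (0x00010101 becomes 0x00020202, 0x01010164 becomes 0x020202C8), while block 2 matches no small shift of block 2 at all; arithmetically 0x00040404 is 0x00010101 shifted by two bits, i.e. it looks like block 1 again, so that read was not just a constant offset across the whole dump, which is the "a bit off now and then" behaviour described above. When a dump looks wrong, this kind of check tells you whether to re-run detect and compare against rawdemod rather than rewrite the blocks.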
OK, good to know, thank you sir!