Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
OK, this time I have it. I guess even version 715 doesn't decode it right... no idea why the proxmark mandemod functions aren't working on this data rate Manchester card. ANYONE? With a manual decode you get:
11111111100000000000000000000000 0xFF800000 (block 2)
00000000100110000000110010100100 0x00980CA4 (block 1)
No idea how this translates to your serial number. asper? But with the block 0 used above this gives you the exact same trace as the original.
Last edited by marshmellow (2014-01-28 17:33:21)
Offline
proxmark3> lf t55xx writeblock FF800000 2
Writting block 2 with data FF800000
proxmark3> lf t55xx writeblock 00980CA4 1
Writting block 1 with data 00980CA4
proxmark3> lf t55xx writeblock 000c8040 0
Writting block 0 with data 000C8040
proxmark3> lf read
#db# buffer samples: ff ff ff ff ff ff ff f9 ...
proxmark3> data sample 16000
Reading 16000 samples
Done!
proxmark3> data detectclock
Auto-detected clock rate: 39
proxmark3> data plot
Offline
@genexis - let me know how it looks and if it works on your end.
Offline
Comparing to the original, this one seems to have some tapering at the max and min. Does this matter?
I'm not able to try the card yet, but i'll do it tomorrow and revert.
Offline
As long as the spacing in the middle and the ups and downs are the same, it should work. (Each read and each chip may have slight power variations, thus different tapering.)
Offline
any idea what system this works in, or who the maker of the tag is?
Offline
We tried gathering some information from the management (because I accidentally ruined one of the cards), and we were told it is from a local security firm. I called them up and they shared that they are using an EM card system. Not too sure which one though. So right now, I really need to get this to work because I only have 1 card left, and to replace it costs me like... near 200 dollars.
Offline
It does appear to be using EM's header but it is not the standard EM41xx format. Can you take a pic of one of your readers? Or give a model/make of it?
Offline
Sure, i'll try it tomorrow.
But I did take a look; it really looks like just a black glossy square box.
Offline
If you want to "navigate" in the wide EM ocean please refer to this tag list and feel free to identify your possible tag candidate.
To my knowledge only 1 EM tag is stated to support the RF/40 data rate, EM4205-4305, but it is not an RFID ROM, it is an R/W RFID EEPROM often used in door locks. For 125kHz tags EM mainly uses 32 or 64 data rates, sometimes 16.
If you still have your ruined card it should be possible to find out the exact chip inside (no guarantee).
About bit decoding I found a very weird pattern but it does not fulfill exactly the number printed on it, only 17 consecutive bits... marshmellow, are you absolutely sure those are the bits sent by the tag to the reader? I mean, are you sure that the 1st bit is really the starting bit? (I mean, are you sure this value, 00980CA4, is correct?)
Last edited by asper (2014-01-28 20:13:45)
Offline
The bit string is correct; however, it is possible the starting point might be mixed up (it could start with 8 1s, not 9, and that one might need to be shifted to the end).
example:
11111111100000000000000000000000 0xFF800000 (block 2)
00000000100110000000110010100100 0x00980CA4 (block 1)
could also be
11111111000000000000000000000000 0xFF000000 (block 2)
00000001001100000001100101001001 0x01301949 (block 1)
Offline
Well, so I think I have the correct "pattern" and I think your last byte sequence is the correct one:
1) decode 01301949 to bin -> 1001100000001100101001001
2) remove bits 9, 15, 20 and 23 (starting from 1) from the step 1 bit sequence and "concatenate" the result -> 100110000001101010101
3) convert the previous bin value to decimal -> 1246037 <-- BINGO!
Of course this must be confirmed with another "sister" tag.
Last edited by asper (2014-01-28 21:50:45)
Offline
PS. Is there someone able to make a small software to decode the "scrambling" patterns we found here and in other threads? It would be good to press a button and see all the possible "decoded" decimal values; maybe one of them can be the one printed on your card! Anyone?
Last edited by asper (2014-01-28 19:52:55)
Offline
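The hand decode above, written out as a small Python tool. This is an added example, not code from this thread or from the Proxmark client; the function names are mine, and the only data it uses are the block values posted above. It covers both steps discussed so far: the one-bit realignment marshmellow described (9 leading ones versus 8, first bit moved to the end), and asper's recipe of stripping the leading zeros of block 1, dropping bits 9, 15, 20 and 23 (counted from 1) and reading the remainder as a decimal number.

```python
# Added example: the "scrambling" decode from this thread as a Python tool.
# Function names and structure are mine; the data values are the ones posted above.

def hex_to_bits(hex_id, width=32):
    """Binary string of a hex ID, zero-padded on the left (MSB side) to `width` bits."""
    return format(int(hex_id, 16), "0{}b".format(width))

def realign_by_one(block2_hex, block1_hex):
    """The alternative alignment from the thread: treat the 64-bit stream
    (block 2 followed by block 1) as starting one bit later, so the first bit
    moves to the very end. FF800000 / 00980CA4 becomes FF000000 / 01301949."""
    stream = hex_to_bits(block2_hex) + hex_to_bits(block1_hex)
    rotated = stream[1:] + stream[0]
    return format(int(rotated[:32], 2), "08X"), format(int(rotated[32:], 2), "08X")

def drop_bits(bits, positions):
    """Remove the bits at the given 1-based positions and concatenate the rest."""
    return "".join(b for i, b in enumerate(bits, start=1) if i not in positions)

def decode_id(block1_hex, positions=(9, 15, 20, 23)):
    """asper's recipe: strip the leading zeros of block 1, drop the listed bit
    positions, then read the remaining bits as an unsigned decimal number."""
    bits = hex_to_bits(block1_hex).lstrip("0")
    return int(drop_bits(bits, set(positions)), 2)

if __name__ == "__main__":
    b2, b1 = realign_by_one("FF800000", "00980CA4")
    print("realigned blocks:", b2, b1)            # FF000000 01301949
    print("block 1 bits:", hex_to_bits(b1).lstrip("0"))
    print("decoded ID:", decode_id(b1))           # 1246037
```

The positions are 1-based and counted from the first 1 after the leading zeros, exactly as in the recipe; pass a different `positions` tuple to try another pattern against another tag.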
@asper, do you think the decode could be added to the windows GUI for the proxmark? I'll try to take a look at the source code when I get a chance.
Offline
Well, if gaucho will add specific decoding/bit managing functions yes (now is not possible) but he has not much spare time so I think someone else should try to code something.
Offline
I can probably write a VBA script within Excel to automate the decoding, but I'll need to know what steps a human would take to manually decode it.
Something that might look like -> first get mandemod, next find the recurring pattern, next remove x bits in the nth positions, then generate the decimal to match the serial number. But I'm new to RF, so if you could give me an algorithm that you would use, I can try to put it into automated code.
Offline
Thank you for your availability tissuepeanut; the program/script should work like this:
0 - I assume that you already got the HEX tag ID value;
1 - the program must have an input mask/box in which you can put 1 HEX value (26, 32, 35, 37, 40 bits are the most common hex ID value lengths);
2 - once the user puts in the hex value, the press of a button should generate binary from it, including all zeroes on the left side (MSB);
3 - the binary must be elaborated (moved, shifted, etc.) following the common/less common patterns and the different results should be shown in different boxes, each with a specific name, at the same time.
Common patterns can be found here under the "BITS EXPLANATION (various tags)" field; as you can see bit positions have been named with numbers starting from 1.
Less common patterns can be found here.
If you have the time, I would like to take advantage of your availability to make also a program/script that will produce the correct hex string to write to block 0 of a T55x7 tag; the tag is a "hardware emulator" for 125kHz most-common-working-conditions; here is the block 0 bits meaning (in blue the default configuration):
The script should contain 15 fields that will manage the 33-bit string value.
Fields must be, starting from left to right:
1 - LOCK BIT (1 bit)
2 - SAFER KEY (4 bits)
3 - RESERVED (7 bits - this field must be left to all 0000000)
4 - Data Bit Rate (3 bits)
5 - X-Mode (1 bit)
6 - Modulation (5 bits)
7 - PSKCF (2 bits)
8 - AOR (1 bit)
9 - OTP (1 bit)
10 - MAXBLK (3 bits)
11 - PWD (1 bit)
12 - SST-Tem. (1 bit)
13 - FAST WRITE (1 bit)
14 - Inverse Data (1 bit)
15 - POR-Delay (1 bit)
Bit meanings are shown in the picture above.
Please let me know if you can do that, if you want in the same script/program/mask.
Last edited by asper (2014-01-29 07:44:50)
Offline
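The block 0 builder asper asks for, as an added Python example (not the spreadsheet from this thread and not Proxmark client code). It uses the 15 fields in the order and widths listed above (33 bits with the lock bit in front) and can also split a written word back into those fields. The picture the post refers to is not reproduced here, so the numeric codes for the data rate and modulation fields are the T55x7 datasheet's tables as I know them, which is an assumption the reader should check against the datasheet; the one value the thread itself confirms is that 000C8040, written to block 0 at the top of this page, must come out as RF/40, Manchester, 2 blocks.

```python
# Added example: assemble / decode a T55x7 block 0 from the fields listed in the thread.
# Field order and widths follow the post; the code tables are the datasheet's (assumed).
from collections import OrderedDict

FIELDS = [  # (name, width) in transmission order: 33 bits including the lock bit
    ("lock", 1), ("safer_key", 4), ("reserved", 7), ("bitrate", 3), ("xmode", 1),
    ("modulation", 5), ("pskcf", 2), ("aor", 1), ("otp", 1), ("maxblk", 3),
    ("pwd", 1), ("sst", 1), ("fast_write", 1), ("inverse", 1), ("por_delay", 1),
]
assert sum(w for _, w in FIELDS) == 33

# RF/n means n carrier cycles per bit; the 3-bit code is the datasheet's (assumed here)
BITRATE_CODES = {8: 0b000, 16: 0b001, 32: 0b010, 40: 0b011,
                 50: 0b100, 64: 0b101, 100: 0b110, 128: 0b111}
MODULATION_CODES = {"direct": 0b00000, "psk1": 0b00001, "psk2": 0b00010, "psk3": 0b00011,
                    "fsk1": 0b00100, "fsk2": 0b00101, "fsk1a": 0b00110, "fsk2a": 0b00111,
                    "manchester": 0b01000, "biphase": 0b10000}

def build_block0_bits(bitrate=64, modulation="manchester", maxblk=2, **flags):
    """Return the 33-bit string (lock bit first). `flags` may set any other field
    by name, e.g. pwd=1 or inverse=1; the reserved field must stay 0."""
    values = OrderedDict((name, 0) for name, _ in FIELDS)
    values.update(bitrate=BITRATE_CODES[bitrate],
                  modulation=MODULATION_CODES[modulation], maxblk=maxblk)
    unknown = set(flags) - set(values)
    if unknown:
        raise ValueError("unknown field(s): %s" % ", ".join(sorted(unknown)))
    values.update(flags)
    if values["reserved"] != 0:
        raise ValueError("reserved bits must be 0")
    out = []
    for name, width in FIELDS:
        v = values[name]
        if not 0 <= v < (1 << width):
            raise ValueError("%s does not fit in %d bit(s)" % (name, width))
        out.append(format(v, "0%db" % width))
    return "".join(out)

def block0_hex(**kwargs):
    """The 32-bit word to pass to `lf t55xx writeblock <hex> 0` (lock bit excluded)."""
    return format(int(build_block0_bits(**kwargs)[1:], 2), "08X")

def parse_block0(hex_word):
    """Split a 32-bit block 0 word back into named fields (the lock bit is not
    part of the written word, so it is skipped)."""
    bits = format(int(hex_word, 16), "032b")
    fields, pos = OrderedDict(), 0
    for name, width in FIELDS[1:]:
        fields[name] = int(bits[pos:pos + width], 2)
        pos += width
    rev_rate = {v: k for k, v in BITRATE_CODES.items()}
    rev_mod = {v: k for k, v in MODULATION_CODES.items()}
    fields["bitrate"] = rev_rate[fields["bitrate"]]
    fields["modulation"] = rev_mod.get(fields["modulation"], "unknown")
    return fields

if __name__ == "__main__":
    print(block0_hex(bitrate=40))          # 000C8040, the word written at the top of the page
    print(dict(parse_block0("000C8040")))  # bitrate 40, manchester, maxblk 2, all else 0
```

`parse_block0` is the useful direction when a tag was configured by someone else: feed it the word you read back and you see the data rate and modulation the clone will speak before you try it on a reader.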
Hey guys!
I'm happy to report back that BOTH strings work!! Wooohooo!
0xFF800000 (block 2)
0x00980CA4 (block 1)
and
0xFF000000 (block 2)
0x01301949 (block 1)
The next step, I guess, is to try and understand how you guys manually decoded the string, so that we can "automate" this process. I may be able to write something in PERL or PHP to do that.
Marshmellow/asper, could you guys try to take some time to provide a step by step guide to how you derived those values? How did you get a list of binary from the trace? Was it by mandemod 40?
Are we assuming that this is some sort of EM type card?
Offline
If you Google Manchester waveform image you should find a decode tutorial
Offline
asper wrote: PS. Is there someone able to make a small software to decode the "scrambling" patterns we found here and in other threads? It would be good to press a button and see all the possible "decoded" decimal values; maybe one of them can be the one printed on your card! Anyone?
This is where you remove all the fun. What is the point? Saving 15 minutes of your time... And having 10k new users registering and asking stupid questions that have been answered a million times?
Look how many answers there are on this post! Already 3 pages. That is why I like to hang around here. I am learning a lot of things and we are all trying to help...
We used to have some people like Adam Laurie, the guys working on breaking Mifare, iClass (...) posting answers and tips...
Give some people advice and have them "think", that is what this forum was all about. Now give people some pre-cooked tools where you have to download, extract and press the button... That is no fun.
And don't get me wrong. I love what you did with the "pre-compiled windows environment". But when someone asks how to install the drivers... They should not be here in the first place.
Last edited by app_o1 (2014-01-29 15:05:41)
Offline
@app_o1 (I say this with no intention to offend) but...
I asked how to install the drivers my first day with my proxmark. The fact is there are many old posts that are incorrect on how to do this. I had to be pointed to the "current" way.
However, I agree with what you're saying in principle, but we have to understand that while some new users will be just "takers", others will be "contributors". I'm not always sure where the line is drawn or how to tell the two apart, as we were all newbies at one time. Of course we like contributors, as we all grow in knowledge. And yes, you have to be able to think and learn on your own to use the proxmark. However, tools have been built into the proxmark to clone Indala cards and to read/decipher HID 26-bit cards. Could you have it just output an image of the waveform and manually decipher it? Sure. But we now have tools to decipher it for us. Should we continue this effort?
maybe one or two of the main designers/moderators can chime in...
One thing that I think most of us can agree on is that security by obscurity is not a good model to follow ever. Just because not everyone knows yet how to do something doesn't make it secure.
my 2cents (probably not worth even that.)
Offline
My 0.5 cent: I like to explain things and make them clear, that's all. If someone wants to "profit" (?) he can, but it is not my purpose (look at the Mifare access bit calculator for example, it is there only for "comfort"); if people ask "stupid" questions simply ignore them, ignoring makes them leave the forum, arguing with them makes things worse.
Anyway we are far off topic, so if someone wants to contribute with a software/script he will have my gratitude.
Offline
Could this be a possible chip?
http://ww1.microchip.com/downloads/en/devicedoc/51115f.pdf
Or is the EM42xx still a possibility?
EDIT:
another possibility?
http://www.atmel.com/Images/Atmel-9167-RFID-ATA5575M1_Datasheet.pdf
Last edited by midnitesnake (2014-01-30 00:47:07)
Offline
midnitesnake, thanks for the PDF link, it has a lot of good information on the different waveform modulations as well as the data encoding schemes.
This card in particular could be programmed on a number of different chips. I'm not sure if it is a specific chip that is read-only or if it is one of the programmed variants; not sure how to tell without a more thorough dissection of the tag.
Offline
@asper: I'm still working on a simple tool to get block 0 for T55x7 cards based on the configurable options:
Data Bit Rate
Modulation
PSKCF
MaxBlk
While creating variants for the binaries from the UID, I realised that I could be duplicating previously completed effort. The tool will take input as UID, and create binaries for KNOWN card types. But because these decodes (indala, em4, hid etc) are known, they are already available in the latest PM3.
Not sure if I interpreted your requirements correctly...
@marshmellow: If I understand correctly, to manually decode, you looked at the RAW wave form, put a 40 clockspeed grid over it and then literally wrote a 1/0 when the wave changed from above the zero line to below the zero line... and you did this until you saw a repeatable pattern?! If that's how you did it, I'm in Awe here!
Offline
tissuepeanut wrote: @asper: I'm still working on a simple tool to get block 0 for T55x7 cards based on the configurable options:
Data Bit Rate
Modulation
PSKCF
MaxBlk
While creating variants for the binaries from the UID, I realised that I could be duplicating previously completed effort. The tool will take input as UID, and create binaries for KNOWN card types. But because these decodes (indala, em4, hid etc) are known, they are already available in the latest PM3.
Not sure if I interpreted your requirements correctly...
I hope you will release your tool and also add the other T55x7 parameters; for now, thank you for your effort.
About the second question: PM3 is able to read the HEX ID but is not able to make so many variants of HEX ID bit "scrambling" to interpret the bit data and show the numbers usually printed on tags; I can be wrong about this because I started to "swim" in the 125kHz "ocean" only a few weeks ago, correct me if you know for sure this is not true.
Offline
tissuepeanut wrote: @marshmellow: If I understand correctly, to manually decode, you looked at the RAW wave form, put a 40 clockspeed grid over it and then literally wrote a 1/0 when the wave changed from above the zero line to below the zero line... and you did this until you saw a repeatable pattern?! If that's how you did it, I'm in Awe here!
That is basically how I did it. However, you can easily isolate the repeating pattern in the wave form if you zoom out a bit. Then I isolate a section that looks like all zeroes and start putting 1s and 0s in. If I started with an area that looked like zeros but actually was 1s, I'd eventually run into an incorrect wave form (two ups or two downs). So I switch it and begin again.
It really isn't that hard once you know the rules.
Offline
You can almost get it with:
proxmark3> data load trace16k.pm3
loaded 16000 samples
proxmark3> data ltrim 1870
proxmark3> data mandemod 40
Manchester decoded bitstream
0 0 0 0 1 1 1 0 1 1 0 0 1 0 0 1
0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 0 0 1 0 0 0 1 1
1 1 1 1 0 0 0 1 0 0 1 1 0 1 1 0
1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 *
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 *
0 0 0 0 0 0 0 0 1 1 0 1 1 1 0 0 *
0 0 0 0 1 1 1 0 1 1 0 0 1 0 0 1 *
0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 %
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 %
1 1 1 1 1 1 1 1 0 0 1 0 0 0 1 1 %
1 1 1 1 0 0 0 1 0 0 1 1 0 1 1 0 %
1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 1 1 0 1 1 1 0 0
0 0 0 0 1 1 1 0 1 1 0 0 1 0 0 1
0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Marked the "almost got it" rows with *
then the pattern looks like it inverts (%)
EDIT:
I think it may be the way mandemod handles transitions?
Last edited by midnitesnake (2014-01-30 22:42:03)
Offline
It is a timing issue with mandemod; it doesn't handle a data rate of 40 (and possibly others) properly.
Offline
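The hand-decoding rule marshmellow gives (a Manchester bit always changes level in its middle, so "two ups or two downs" means you paired the half-bits from the wrong starting point) is easy to turn into a decoder that checks its own alignment, which is also the failure the mandemod output above shows when it flips half-way through. This is an added example, not the Proxmark mandemod code; the waveform it decodes is constructed from the 64-bit stream this thread settled on, at clock 40, with levels already thresholded about the zero line, and the level convention (1 = high then low, 0 = low then high) is an assumption.

```python
# Added example (not from the thread): alignment-checking Manchester decode over a
# constructed level sequence, one level per sample, `clock` samples per bit.

def manchester_encode(bits, clock=40):
    """Constructed trace for a bit string; levels are 1/0 (assumed convention:
    a 1 is high then low, a 0 is low then high)."""
    assert clock % 2 == 0, "this toy encoder expects an even clock"
    half = clock // 2
    levels = []
    for b in bits:
        levels += ([1] * half + [0] * half) if b == "1" else ([0] * half + [1] * half)
    return levels

def half_bits(levels, clock):
    """One level per half bit: majority vote over each window of clock/2 samples,
    which tolerates the tapering at the extremes the thread mentions."""
    half = clock // 2
    return [1 if sum(levels[i:i + half]) * 2 > half else 0
            for i in range(0, len(levels) - half + 1, half)]

def pair_halves(halves, offset):
    """Pair half bits starting at `offset` (0 or 1). Returns (bitstring, errors);
    a pair with no level change ("two ups or two downs") is an error and decodes
    as '?', exactly the sign marshmellow uses to know he started one half bit off."""
    bits, errors = [], 0
    for i in range(offset, len(halves) - 1, 2):
        a, b = halves[i], halves[i + 1]
        if a == b:
            errors += 1
            bits.append("?")
        else:
            bits.append("1" if a == 1 else "0")
    return "".join(bits), errors

def decode_trace(levels, clock=40):
    """Try both half-bit alignments and keep the one with the fewest errors."""
    halves = half_bits(levels, clock)
    return min((pair_halves(halves, off) for off in (0, 1)), key=lambda r: r[1])

if __name__ == "__main__":
    # the stream from this thread: block 2 FF800000 followed by block 1 00980CA4
    stream = format(0xFF80000000980CA4, "064b")
    trace = manchester_encode(stream, 40)
    bits, errors = decode_trace(trace, 40)
    print(bits == stream, errors)                      # True 0
    print(pair_halves(half_bits(trace, 40), 1)[1])     # the wrong alignment: many errors
```

On a real capture the clock estimate from `data detectclock` goes in as `clock`, and a trace whose best alignment still shows a cluster of errors part-way through is the symptom to look for: the pairing has drifted by a half bit, which is where the decoded bits appear to invert.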
apologies for the delay... took me longer than expected.
Anyway, here's a simple tool that will allow a person to select the various options for a T55x7 header block and generate the associated binary/hex. Given a known 10-digit hex UID for EM4x, it will also generate the binary and hex for blocks 1-2.
Just enter a 10-digit HEX into the blue box.
I just realised that there's no upload file function on the forum... I'll find a way to get it up asap.
tissuepeanut wrote: @asper: I'm still working on a simple tool to get block 0 for T55x7 cards based on the configurable options:
Data Bit Rate
Modulation
PSKCF
MaxBlk
While creating variants for the binaries from the UID, I realised that I could be duplicating previously completed effort. The tool will take input as UID, and create binaries for KNOWN card types. But because these decodes (indala, em4, hid etc) are known, they are already available in the latest PM3.
Not sure if I interpreted your requirements correctly...
I hope you will release your tool and also add the other T55x7 parameters; for now, thank you for your effort.
About the second question: PM3 is able to read the HEX ID but is not able to make so many variants of HEX ID bit "scrambling" to interpret the bit data and show the numbers usually printed on tags; I can be wrong about this because I started to "swim" in the 125kHz "ocean" only a few weeks ago, correct me if you know for sure this is not true.
Offline
You can use sendspace.com
Offline
http://www.filedropper.com/em4xshare
Here you go
Offline
Link doesn't work.
Offline
Try again, just re-uploaded.
Offline
Superb work man!
When I have time I think I will edit it to add full T55x7 support (if you give me your permission of course!).
Offline
@asper: pls feel free to add to it! happy to contribute something
@genexis: thanks for helping with the uploading
Offline
@genexis
saw your thread at http://www.proxmark.org/forum/viewtopic.php?id=1876
It looks like another variant of the EM4x. If you use the spreadsheet and put in the serial number, you might get lucky. Of course this is just stabbing in the dark haha
Offline
Hi Tissue,
Unfortunately there isn't any serial number on the card.
All I have is the data sample.
Offline
Here it is; thank you again guys!
Offline
So, I have a card that I believe is the same as the OP's. It also has a similar number to OP's. It is 1851496. I was able to read the card as follows:
1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 1 1 1 0 0 0 0 1
0 0 0 0 0 0 0 0 1 1 0 1 0 0 0 0
Does anyone know what format this is? The card number is similar in situation to the OP's, where it does show up converted to binary but with some blanks filled in... it doesn't make a lot of sense to me. Even accounting for parity bits, I can't figure this out. I thought the format would be similar to the OP's, but the bits added in the OP's are different from the bits added in my card. Can anyone explain?
Binary of 1851496:
111000100000001101000
Card read data:
111000010000000011010000
Something like this makes sense:
111X 0001 0000 000X 1101 000X
1110 0001 0000 0000 1101 0000
BTW - I can clone the card the same way as OP did using a T5XX7. When I write the clone, I use the read data (and not the binary of the card number (1851496)) and it works fine. My clock was detected at 40. Does anyone have an explanation or know a card that works like this?
Offline
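The question above (which positions carry the extra bits, and why the OP's positions do not carry over) can be answered without guessing: enumerate every set of positions whose removal from the read bits leaves the binary of the printed number. This is an added example, not code from this thread; it runs on the two cards posted here (the OP's 25 bits after the leading ones with 1246037, and this card's 24 bits with 1851496) and shows how many equally valid position sets each single card allows, which is the reason asper asked for a "sister" tag before trusting a pattern.

```python
# Added example (not from the thread): find every "drop these bits" pattern that
# maps a card's read bits onto its printed number.
from itertools import combinations

def find_drop_positions(read_bits, number):
    """All tuples of 1-based positions in read_bits whose removal yields bin(number)."""
    target = format(number, "b")
    extra = len(read_bits) - len(target)
    if extra < 0:
        return []
    hits = []
    for drop in combinations(range(1, len(read_bits) + 1), extra):
        kept = "".join(b for i, b in enumerate(read_bits, 1) if i not in drop)
        if kept == target:
            hits.append(drop)
    return hits

def candidate_positions(hits):
    """Union of all positions that appear in some solution."""
    return sorted({p for hit in hits for p in hit})

def dropped_values(read_bits, hits):
    """The bit values found at dropped positions across all solutions. If this is
    only {'0'}, every candidate extra bit on the card is a zero, so the card alone
    cannot tell a fixed-position field from a run of padding zeros."""
    return {read_bits[p - 1] for hit in hits for p in hit}

CARDS = {  # (read bits after the leading ones, printed number), both from this thread
    "OP card":  ("1001100000001100101001001", 1246037),
    "2nd card": ("111000010000000011010000", 1851496),
}

if __name__ == "__main__":
    for name, (bits, number) in CARDS.items():
        hits = find_drop_positions(bits, number)
        print(name, "extra bits:", len(bits) - number.bit_length(),
              "solutions:", len(hits), "first:", hits[:2])
        print("  candidate positions:", candidate_positions(hits),
              "dropped values:", dropped_values(bits, hits))
```

For the OP card the posted set (9, 15, 20, 23) is one of 56 solutions, and for this card (4, 16, 24) is one of 128, because each dropped bit sits inside a run of identical zeros and any zero in that run gives the same result. Comparing the two cards therefore cannot confirm a shared position list; only more cards from the same batch narrow it down.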
The starting 9 1s seem to say "I am an EM4100".
Offline
Yeah, it is similar to EM4100 like the OP's. But that still doesn't explain the extra bits? Maybe they're parity bits... but I couldn't match them up with the OP's bits that needed to be removed to match decimal to binary.
Offline
It looks similar to other formats, though I've never seen this particular one.
Similar to some ioProx and other formats I've seen.
I'd guess:
1110X00100000X01101000X but that is just a guess. More samples would be necessary to confirm.
Offline
Very interesting... is this tag included in the Windows client? I can't find it.
Offline