Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Hello all....
I am a newbie in this field and about to get myself a Proxmark. I have been on a mission to try and clone my building access fob and after buying a few readers on the market I have been unsuccessful... can somebody please explain to me what I need to do to extract the code from this 26-bit Wiegand key fob.... please. The company that makes it is called KERI. Here is the site with a picture and data sheet. http://www.kerisys.com/pages/products/psp/psk-3.asp
Offline
xeroeffect,
This should be a trivial tag to read, replay, simulate, and clone. In fact, the HID functions *may* already work on this (hidfskdemod and hidsimtag). By "trivial", it may require some coding if the HID functions don't already work, but nothing too complex.
Learn more about the format here:
http://www.hidglobal.com/documents/unde … _wp_en.pdf
In fact, you won't really need to even understand the format if you just want to simulate the tag with the proxmark3. Just using "loread + losamples + losim" will replay the tag for you. It will take some code to make it replay when not connected to a PC, though.
If you have any tags that you know the ID of (or if it has some ID printed on it), then it should be easy to confirm. In fact, if you had that information, you're welcome to send me a tag and I can implement the functions into the proxmark3 for you, or you could send a few traces of the tag from the proxmark3 and I could try with those, as well.
Offline
Hey Samy,
Thanks for your quick reply..... Really appreciate!!
I thought this was a pretty trivial tag to clone...... I've bought 2 reader/writers from the net and I've had no luck with either... the most expensive was 400 pounds; I live in Australia so you can imagine. Here is the link to my current reader/writer... I have the TS-RW34.
http://www.ukcoding.co.uk/gis.html
What could be so hard about this tag???
I have tried all formats....
I think the only solution would be to get the Proxmark.....
Do you think 400 pounds is justified for this reader or am I a fool?
Offline
xero,
It's a bit pricey, but at least it has read/write functionality on a bunch of tag types.
If you can though, I would return it and get the proxmark3 instead -- pre-built, it's cheaper, too.
You should also check out http://rfidiot.org as it may have functionality to read/clone the type of tag you have, but I'm not sure about that. It also has various devices that might be helpful.
Offline
Ouch, 400 pounds! As a rule I never buy anything ex UK or in UK pounds; almost all I need is available cheaper from the States or China.
The PM3 is great in that if it doesn't do what you want and you don't mind getting your hands dirty, you can program it to do it. A bought device like yours is OK if you don't like getting too involved with the details and you just want to click some buttons and be done with it, but if it doesn't do what you want you're a bit stuck.
Offline
I stumbled upon the Proxmark3 after both readers failed and I was getting desperate.....
Yes, I got SHAFTED..... I thought the more pricey the product... the more it does..... wrong!
I needed something that was convenient.... like D18c7db stated...
Samy... I took a look at rfidiot... and that's exactly how I feel!
I think I need to buy a Proxmark3 and join you guys. I have no idea how this Python thing works Samy. I'm running Vista 64-bit and I think it's having trouble loading the DLL for the reader. I'm gonna try on my XP machine.
At least if I buy this proxy3 we will all be on the same page right..... I hope you guys will help me crack this tag.
I'm determined to succeed people!!
I'm off to buy my proxy3 for $449...... wish me luck... cause if it doesn't work... I'm gonna play tennis with it.
Offline
I'm from Sydney, Australia.......
Anyone else from my neck of the woods?
Offline
xero,
Cool, when you get it, you'll want to do a:
loread
losamples 6000
save psk
Also, read https://www.lafargue.name/article2754.html
Just reading through the manual starting here will help too.
If you send us the 'psk' file created, we can take a look, or send a tag if you have a spare to one of us to create the code to decode it.
Offline
Yeah, NZ here.
Offline
NZ here too.
Offline
Nice to meet you both Duran97 & D18c7db...... hope all is OK after that earthquake last week.... was there much damage done??
Last edited by XEROEFFECT (2009-07-20 08:44:33)
Offline
Guys.... what do the numbers printed on most proximity cards mean??? If I were to copy those exact numbers using my reader/writer on a new card, would the reader grant me access??
Offline
xero, depends on the type of card.
What card are you specifically talking about? If you mean the HID ProxCards, one of the numbers is relevant but doesn't provide all the information necessary, however does open up a more likely brute force attack.
Of course if you had physical access to the card and not just distant line of sight or the printed number, you could simply read and simulate the card.
Offline
Sammy, I've been familiarising myself with the documentation link that you provided......
https://www.lafargue.name/article2754.html
Do I have to go through the same process in order to get the card to spit out the key I need for the KERI key fob??
I also have another card to the same building similar to the picture in the documentation which I cannot read with my hopeless reader..... but... this card has numbers which I presume must be the key..... do I make sense??
I was hoping that if I take those numbers and programme them on another card it might work??
What is your instinct?
Offline
That 7.8 earthquake on Wed? Didn't feel a thing, it was miles south
The numbers printed on most cards aren't usually the full number transmitted by the card. For example HID cards only print on the tag the last 15-16 bits of the total 45 bit code. Those bits are the serial number which is unique to each tag. The rest of the bits (not printed) are the site code which generally is the same for all tokens at the site (in theory) or at least doesn't vary much.
Offline
Xeroeffect, I'm not sure if you can achieve what you want to do with the reader / writers you have.
For most access control systems, access is granted based upon the card ID. The card ID cannot however be written to a new card (for the large majority of access control systems). The cards that allow you to write data to them write to a data area that's separate to the ID. This can be used, for example, to store a value, e.g. a value to represent money to pay a train fare.
There are some access card systems that use the data and not the ID. These are however few and far between in my experience.
You can however write the ID of an EM4x02 card / keyfob to another card / keyfob (not exactly the same card, but the outcome is the same). If you google "125KHz RFID Card Copier/Duplicator" you'll see the device I've got to do this. This cost about $AUD 80. This will work with very simple access control systems, which potentially you have. I've not seen these in use with any corporates, but have with a few smaller businesses.
Offline
OK.... I get you now.....
So in order to get the tag to work I need all those bits.... and that's where the PM3 comes into play.....
But in the documentation.... there didn't seem to be any other bits except for the last one. Not a very secure tag hey.....
Offline
Xeroeffect, the earthquake was the largest recorded earthquake in the world this year so far, however it was in a very isolated area, and only caused very minor damage luckily.
Offline
Duran97, my sister was holidaying in NZ, Southampton, I think it was...... she said she definitely felt it where they were... I was hoping we would get a tsunami..... take a few days off work...
Back to this topic..... so Duran.... what's the difference between your reader and the PM3 apart from the fact that the PM3 won't write cards??
Offline
There was a tsunami generated - it measured 20 cm (8 inches).
The reader/writer I have has the ability to read the ID value of one specific type of 125 kHz card (that is not commonly used), and write the ID to one specific type of card.
"The Proxmark3 is a powerful generic purpose RFID tool designed to snoop, listen and emulate everything from LF to HF tags (125kHz to 13.56MHz).". I'm sure it can be configured to write to the same card the Chinese reader / writer can, but no one has had the need to do it.
There's really no comparison - one is a simple tool for doing one purpose, the other a multi-function tool that can do a range of tasks.
Offline
I have some Q5 cards I just received. Once I have my PM3 back up and running, I'll be working on implementing writing to Q5 cards in order to emulate EM410x cards (and others, if possible -- HID would be nice).
Xero, we may be able to clone your card as well with the Q5 cards, though I'm not positive. I'll need to see a real trace of your card.
Offline
Cool Samy, I'm inspired by your work...... as soon as I get my PM3 I'll be sure to post the trace! The reader/writer I bought from the UK allows me to write to those Q5 cards..... I have 6 of them lying around..... I have no idea how to program them cause there are so many different fields I have to fill in. Originally I had 10, I stuffed 4 while I was playing around with what I believe was the modulation type...... psk1, psk2, psk3 and so on. It would be a bonus if you could emulate cards or fobs. The building I'm living in now only allows 4 swipes/apartment. I need to get some more people living in here cause the rent keeps going up! Landlords keep taking advantage of the rental situation we have here and keep pumping the prices. It's getting harder and harder people. I'm so glad I found you guys. Samy....... you have a mission to complete.
Offline
Samy, I hear you need a JTAG to get your PM3 up again....... if you could, post a link to the JTAG you need, just in case I'll need one in future. I don't even know what a JTAG is apart from the fact it debugs. I'll be happy to send it over to you, and whoever else needs it. It would be a travelling JTAG.
Would it be something like this
http://cgi.ebay.com.au/TDS510USB-TI-DSP … .m20.l1116
Last edited by XEROEFFECT (2009-07-21 01:44:57)
Offline
Kind of, but you don't need one that expensive. This post has some links to some suggested JTAG dongles. Ideally it needs to be USB based as parallel ports have become obsolete and don't exist on most new laptops or desktops. Another recent (cheap) option is the Bus Pirate, though I'm not 100% sure what it would take to use that to program a PM3; it probably won't just work with the standard software we use the other dongles with.
Offline
How about if someone could suggest something that has already been tried and tested so we can standardise the repair process, perhaps we could write up a "how to JTAG" procedure. I'd hate to be stuck with a PM3 brick. Can anyone make any suggestions??
Last edited by XEROEFFECT (2009-07-21 08:45:54)
Offline
And to answer my own question....... it's already been done.
But we still need something that works via USB...... where have all the brainiacs gone??
Offline
It's been done thanks to Roel - see http://www.proxmark.org/files/index.php … -howto.pdf
The problem is getting this assumes access to a parallel port (and Windows). That works for many people, but unfortunately not everyone. I had to dig out a 6 year old computer from the garage to find a parallel port.
Offline
Hey Duran.... would something like this help??
Offline
Or shop in China for half the price, free shipping. I can't vouch for the suitability of these when it comes to JTAG though, never had the chance to try it.
Offline
I don't know either, as I've never tried. Some of the USB to parallel adaptors don't fully emulate a parallel port, and essentially are aimed at just printing.
Offline
Just ordered my PM3...... can't wait to get my hands on this little beauty!! I'm gonna need all the help I can get guys cause I really feel I'm not up to speed when it comes to writing scripts and so on.... I get nervous reading some posts and keep thinking..... "what the heck are they on about". Will anyone be willing to take me on as an apprentice??
Offline
Just follow your signature's advice
Also use the forum search function and read the posts that come up, you may find your questions have been asked before.
Offline
None of you have mentioned to Xero that the PM3 also needs an antenna. You might have bought one with your PM3 which will give you a leg up. Probably the more frustrating part of using this device is standardizing the antenna and placement. You'll need patience. FWIW, the USB -> parallel port devices never worked for me. Need a PCI/Express card for native comm. Or get a port replicator if it's a laptop.
Cheers,
dj
Offline
Thank you D18c7db & Dj for your kind remarks, I shall keep you posted as to how everything goes along the way. I'm trying very hard to absorb all I can at this point and hopefully soon I'll be able to speak the same language you guys can. I will appreciate any help.
Offline
Hey guys.... hope you've all been well. Just received my PM3 today and I'm following the manual..... doing all I can to learn.
https://www.lafargue.name/article2754.html
Question is, why can't I perform the askdemod and how would a novice like me upgrade the firmware without crashing anything? I understand that I have to get up to firmware 20090328 but I don't know where to start.
Please help.
Offline
Anyone?? Samy?? djmanning?? d18c7db?? duran97?? Where are you guys?
Offline
Xeroeffect, it's reasonably straightforward to update the firmware.
Essentially plug the USB cable in, and then from the command line (from the directory where prox.exe and the new firmware are located) run the command "prox.exe bootrom bootrom-merged.s19". It won't work properly the first time - the PM3 will reboot and then you need to issue the same command again.
After that you need to pull the USB out, hold down the button, and while continuing to hold down the button plug the cable back in and issue the commands "prox.exe fpga fpgaimage.s19" and then once it's done "prox.exe load osimage.s19" and you should be all done. You need three hands to do all of that :-)
From there on run the new prox.exe that came with the new firmware.
If it all mucks up and you can no longer use the PM3, you need to find a computer with a parallel port, and buy a JTAG wiggler cable - perhaps $AUD 15. You can then reflash the original firmware.
Offline
Duran, every time I click on prox.exe a DOS prompt window appears and vanishes within a split second. Am I doing something wrong?
I really appreciate your help.
Offline
yep you are :-)
To get the gui up type in a dos box: Prox Gui
Prox.exe is awaiting an input such as "gui" or commands such as "bootrom" as above.
Offline
Duran... I DID IT! WOW...... Why hasn't this been documented like you explained to me??? I've been searching all day for this. I really need to hand it to you!
THANK YOU DURAN!!!!!!!!!!
Offline
OK finally......... I have been doing a lot of homework and have learnt a few things. Could someone please take a look at my KERI card, I have uploaded it here.
http://www.proxmark.org/files/index.php?dir=Uploads%2F
What information could be extracted from the waveform? I have been staring at it all day and really feel like throwing up!!..... please offer some advice. The card itself has 1460 3411 printed on it.
Many thank yous.
Last edited by XEROEFFECT (2009-07-30 17:10:56)
Offline
Good morning everyone,
I saved my trace as a .pm3 after looking at some traces that Sammy had posted which had the same extension. I now remember Sammy asking me to save with a .psk extension........ would someone please be kind enough to explain to me what the difference between the two is and what would be best for sharing each other's traces.
Many thanks guys.........
Offline
Guys,
I beg for someone to please explain how to read the graph and interpret it. How can I extract 1's and 0's manually using the graph?? I really need this tag number. It's doing my head in.
Offline
For those that wanna know more about Wiegand, here's the link.
http://en.wikipedia.org/wiki/Wiegand_interface
I need to get 26 bits out of this fob...... I will continue to interrogate and use my electrified antenna to torture my suspect fob until it releases my bits!!
Offline
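Since the whole thread comes down to getting 26 bits out of the fob and making sense of them, here is an added example (not code from this forum or from the Proxmark3 project) of the common 26-bit Wiegand layout described on the Wikipedia page linked above: an even-parity bit, an 8-bit facility (site) code, a 16-bit card number and an odd-parity bit. That split is the same idea D18c7db describes for HID cards further up, where only the card number is printed on the tag and the site code is shared across a site. Whether the KERI fob uses exactly this layout is not settled in the thread, so treat the layout as an assumption; the facility and card values in the code are constructed and are not anybody's real numbers.

```python
"""26-bit Wiegand (H10301-style) encoder/decoder with parity checks.

Added example for this thread, not code from the forum or the Proxmark3
project. It assumes the common 26-bit layout: one even-parity bit, an
8-bit facility (site) code, a 16-bit card number and one odd-parity bit.
The sample values below are constructed and do not come from any real fob.
"""
from typing import Tuple

FACILITY_BITS = 8
CARD_BITS = 16
BODY_BITS = FACILITY_BITS + CARD_BITS  # 24 payload bits between the parity bits


def _ones(value: int) -> int:
    """Number of set bits in value."""
    return bin(value).count("1")


def encode_wiegand26(facility: int, card: int) -> int:
    """Return the 26-bit frame as an int, most significant bit sent first."""
    if not 0 <= facility < (1 << FACILITY_BITS):
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < (1 << CARD_BITS):
        raise ValueError("card number must fit in 16 bits")
    body = (facility << CARD_BITS) | card
    left, right = body >> 12, body & 0xFFF  # the two 12-bit parity groups
    even_parity = _ones(left) & 1           # makes the left group's total even
    odd_parity = 1 - (_ones(right) & 1)     # makes the right group's total odd
    return (even_parity << 25) | (body << 1) | odd_parity


def decode_wiegand26(frame: int) -> Tuple[int, int]:
    """Validate both parity bits and return (facility, card)."""
    if frame < 0 or frame >> 26:
        raise ValueError("frame must be exactly 26 bits")
    even_parity = (frame >> 25) & 1
    body = (frame >> 1) & ((1 << BODY_BITS) - 1)
    odd_parity = frame & 1
    left, right = body >> 12, body & 0xFFF
    if (_ones(left) + even_parity) % 2 != 0:
        raise ValueError("even parity check failed (bit error in first half)")
    if (_ones(right) + odd_parity) % 2 != 1:
        raise ValueError("odd parity check failed (bit error in second half)")
    return body >> CARD_BITS, body & ((1 << CARD_BITS) - 1)


def decode_bits(bits: str) -> Tuple[int, int]:
    """Decode a 26-character string of '0'/'1' transcribed from a trace, MSB first."""
    bits = bits.replace(" ", "")
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    return decode_wiegand26(int(bits, 2))


def to_bits(frame: int) -> str:
    """Render a frame as 26 characters grouped as parity | facility | card | parity."""
    s = format(frame, "026b")
    return f"{s[0]} {s[1:9]} {s[9:25]} {s[25]}"


if __name__ == "__main__":
    frame = encode_wiegand26(123, 4567)  # constructed sample values
    print(to_bits(frame))
    print(decode_wiegand26(frame))
    try:
        decode_wiegand26(frame ^ (1 << 13))  # a single flipped bit
    except ValueError as exc:
        print("rejected:", exc)
```

The two parity bits are the useful part when bits are being read off a trace by hand: a single mis-read bit in either half makes `decode_bits` raise instead of returning a wrong but plausible-looking facility code and card number, so a transcription can be sanity-checked before anything is written to a test card.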
Patience my friend, it's Friday night so we have more important things to do here like drinking some chicks and groping some beers... oh wait...
Offline
D18c7db...... You the Man!
Which brings us to >>>>>
This weeks Friday Joke............
Q: What's the worst thing about a gay BBQ?
A: The sausages taste like shit
Last edited by XEROEFFECT (2009-07-31 11:36:00)
Offline
Guys,
Am I missing something here?? Is there something I should know??
According to the wiki page I do have the latest SVN version......... I have installed the first one on the list.... take a look.
http://code.google.com/p/proxmark3/downloads/list
I can also see a lot of revisions that have been done since then, including the grid function....... but I don't know how to upload it to my PM3...... take a look
http://code.google.com/p/proxmark3/updates/list
I cannot find any other recent fpgaimage.s19, osimage.s19, bootrom.s19, bootrom-merged.s19 other than the ones I have now. I have downloaded the ProxSpace file and quite frankly it freaks me out...... when I look at the cockpit files and see they were built in 2008 I don't know what to think.......
I'm all confused again and still can't find the grid function or fskdemod.
Should I just go hang myself on the tree outside??
Last edited by XEROEFFECT (2009-08-04 03:16:54)
Offline
Samy, d18c7db......
If it's not too much to ask for.... could you please upload your current fpgaimage.s19, osimage.s19, bootrom.s19, bootrom-merged.s19 files..... please........ I beg on bended knees.
Your Friend, Xero.
Last edited by XEROEFFECT (2009-08-05 12:49:39)
Offline
<- me... please, I beg of you...
Would you not prefer to read up the post on how to set the compile environment so you can compile it yourself instead of asking for the files every time there's a code change?
Since you said previously you have the compile environment, click on the file 0 in the cockpit then run file 5 to build all. You also need to have the current source code in a directory called proxmark, here's a sample of what the directory tree looks like:
+-devkitARM
|  +-arm-elf
|  +-bin
|  +-include
|  +-lib
|  +-libexec
+-devkitWIN
|  +-bin
|  +-include
|  +-lib
+-proxmark
   +-armsrc
   +-bootrom
   +-cockpit
   +-common
   +-doc
   +-fpga
   +-include
   +-linux
   +-tools
   +-traces
   +-winsrc
Last edited by d18c7db (2009-08-04 05:32:52)
Offline
YES....OK..... this will be interesting....... few questions though.......
-Does the PM3 need to be plugged in whilst I'm compiling or does it get saved somewhere and I upload it after?
-What needs to be present in the proxmark folder, i.e. bootrom, bootrom-merged.s19, fpga, fpgaimage.s19?
-Do I need anything else other than those files listed in the cockpit?
-Do I need to work on those .s19 files? If so, how do I open them?
-Do I just copy the script in the revisions updates and paste it somewhere?
-When I look at the source code on the wiki page, why are some things highlighted in red and others green?
Please be patient with me guys.
Looking forward to compiling........ I have a feeling I'm going to stuff this up drastically.
Last edited by XEROEFFECT (2009-08-04 14:01:08)
Offline
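On the question of how to open the .s19 files: they are plain text, and here is an added example (not code from this forum or from the Proxmark3 project) that parses them as Motorola S-records, the format the .s19 extension conventionally denotes. It is assumed here that bootrom-merged.s19, fpgaimage.s19 and osimage.s19 are standard S-records. Each record carries a byte count and a one's-complement checksum, so a truncated or corrupted download can be caught before the "prox.exe bootrom" step described above rather than discovered as a bricked board afterwards. The sample image in the code is constructed by hand and is not a real firmware.

```python
"""Motorola S-record (.s19) parser with checksum verification.

Added example for this thread, not code from the forum or the Proxmark3
project. It assumes the firmware images named in the thread
(bootrom-merged.s19, fpgaimage.s19, osimage.s19) are standard Motorola
S-records, which is what the .s19 extension conventionally denotes.
The sample image below is constructed by hand, not a real firmware.
"""
from dataclasses import dataclass
from typing import Dict, List

# Width of the address field, in bytes, for each record type.
ADDR_BYTES = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "6": 3, "7": 4, "8": 3, "9": 2}


@dataclass
class SRecord:
    rtype: str      # record type digit, e.g. "1" for an S1 data record
    address: int    # address field (for S5/S6 this field holds the record count)
    data: bytes     # payload bytes (empty for count and termination records)


def parse_record(line: str) -> SRecord:
    """Parse one S-record line, raising ValueError if it is malformed or corrupt."""
    line = line.strip()
    if len(line) < 10 or line[0] != "S" or line[1] not in ADDR_BYTES:
        raise ValueError(f"malformed record: {line!r}")
    try:
        raw = bytes.fromhex(line[2:])  # count, address, data, checksum
    except ValueError as exc:
        raise ValueError(f"non-hex characters in record: {line!r}") from exc
    count = raw[0]
    if count != len(raw) - 1:
        raise ValueError(f"byte count {count} does not match length: {line!r}")
    # Checksum = low byte of the one's complement of the sum of every byte
    # between the type field and the checksum itself.
    expected = (~sum(raw[:-1])) & 0xFF
    if expected != raw[-1]:
        raise ValueError(
            f"checksum mismatch (got {raw[-1]:02X}, want {expected:02X}): {line!r}")
    width = ADDR_BYTES[line[1]]
    return SRecord(line[1], int.from_bytes(raw[1:1 + width], "big"), raw[1 + width:-1])


def parse_srec(text: str) -> List[SRecord]:
    """Parse a whole file; any bad line aborts so a damaged image is not flashed."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def image_summary(records: List[SRecord]) -> Dict[str, int]:
    """Address range, payload size, and declared vs actual data-record count."""
    data = [r for r in records if r.rtype in "123"]
    counts = [r for r in records if r.rtype in "56"]
    return {
        "start": min(r.address for r in data),
        "end": max(r.address + len(r.data) for r in data),
        "bytes": sum(len(r.data) for r in data),
        "data_records": len(data),
        "declared_records": counts[0].address if counts else -1,
    }


def assemble(records: List[SRecord], fill: int = 0xFF) -> bytes:
    """Lay the data records out into one contiguous image (gaps filled)."""
    info = image_summary(records)
    image = bytearray([fill]) * (info["end"] - info["start"])
    for r in records:
        if r.rtype in "123":
            off = r.address - info["start"]
            image[off:off + len(r.data)] = r.data
    return bytes(image)


# Constructed sample: header, two data records, record count, termination.
SAMPLE_S19 = """\
S005000048446E
S108000048656C6C6F03
S109000520576F726C64C9
S5030002FA
S9030000FC
"""
# The same file with one payload byte altered; its checksum no longer matches.
CORRUPT_S19 = SAMPLE_S19.replace("48656C6C6F03", "48656C6C6E03")

if __name__ == "__main__":
    recs = parse_srec(SAMPLE_S19)
    print(image_summary(recs), assemble(recs))
    try:
        parse_srec(CORRUPT_S19)
    except ValueError as exc:
        print("rejected:", exc)
```

Running `parse_srec` over each of the three images before flashing is a cheap check: a file that was cut short by a bad download fails the byte-count test on its last line, and a file with an altered byte fails the checksum, whereas the flashing tool itself may only notice once the board no longer boots. The S5 record's declared count against the actual number of data records is a second, independent check on whether the file is whole.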