Proxmark3 community


#1 2014-12-13 20:43:33

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

[SOLVED] Approaching 125KHz FSK from noob perspective

Hi all,
as a noob I appreciated very much the wiki article on "LF Tag Operations" https://code.google.com/p/proxmark3/wiki/TagOps

Highly motivated after a successful decode of an ASK card, I tried with a keyfob donated by a friend, but I think it's FSK and I'm stuck after "data samples 16000".
Here are some temporary screenshots after "data samples 16000":
htt*://www.tiikoni.com/tis/view/?id=251bed7
htt*://www.tiikoni.com/tis/view/?id=645cc00

Can you kick start me to some posts/articles to decode this fob?
Thanks,
HX

[EDIT]
Marked this puzzle SOLVED, as marshmellow found it is ASK, not FSK or PSK as I initially supposed.
If I find the time I would begin my PM3 dev with a housekeeping exercise, for example by developing a demod command for this strange ASK waveform I found from an unknown tag.
marshmellow kindly recognized and decoded it by hand, so thanks to marshmellow and all contributors.
HX

Last edited by hx4u (2014-12-28 19:41:47)

Offline

#2 2014-12-13 21:04:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

looking good.

You can try some of the different read commands under "LF" like  "lf em4x 410xread"
and you can try the "data mandemod" 

and if you save the collected data with  "data save fob.txt"   then you can share it here and the community can have a go at it.

Offline

#3 2014-12-13 21:05:45

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

looks like some kind of "fsk" modulation..  try counting the spikes and try the different "fskdemod"  under LF

Offline

#4 2014-12-13 22:51:22

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

Thank you for the reply, I dug around a bit, but I landed nowhere.

proxmark3> hw tune
proxmark3> data samples 16000
proxmark3> data fskdemod
actual data bits start at sample 540         
length 50/50         
bits: '111100001111000111110001111000001110000011100'         
hex: 00001e1e 3e3c1c1c

Here the screenshots after fskdemod:
http://www.tiikoni.com/tis/view/?id=856d642
http://www.tiikoni.com/tis/view/?id=0352719

"lf em4x em410xwatch": most of the hits auto-detect the clock rate 128, but sometimes 192 and other values.

Another run:
proxmark3> data fskdemod
actual data bits start at sample 3505         
length 50/50         
bits: '010011100100101000011000001000011101011011101'         
hex: 000009c9 43043add         
proxmark3> lf em4x em410xread 128
Thought we had a valid tag but failed at word 1 (i=35)         
Thought we had a valid tag but failed at word 1 (i=41)         
Thought we had a valid tag but failed at word 1 (i=47)         
Thought we had a valid tag but failed at word 1 (i=53)         
Thought we had a valid tag but failed at word 2 (i=64)         
http://www.tiikoni.com/tis/view/?id=085f28c

"data mandemod 128" says only "Manchester decoded bitstream"
"data save fob1.txt" produces this http://pastebin.com/5iQJ8zzT

I'm on Linux, I've updated the pm3:
proxmark3> hw version
uC: AT91SAM7S256 Rev B         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory         
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 852-unclean 2014-12-13 16:54:17                 
#db# os: svn 852-unclean 2014-12-13 16:54:17                 
#db# FPGA image built on 2014/03/21 at 19:45:15             

Thank you.

Offline

#5 2014-12-13 22:57:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

version 852?!?  Are you sure you downloaded the latest source from GitHub?

Looks like your fskdemods seem to work.  There are some under "lf hid" and "lf io" too.

I realize that the "data fskdemod" changes the data you sampled, 
So can you save it again but this time, do like this:

lf read
data sample 16000
data save fob1.txt

Last edited by iceman (2014-12-13 22:58:09)

Offline

#6 2014-12-13 23:10:35

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

The second run above may be invalid, I forgot to initialize pm3 with lf read

proxmark3> lf read
#db# buffer samples: 3a 4c 5d 69 71 75 76 74 ...                 
proxmark3> data samples 16000
Reading 16000 samples
...
proxmark3> lf em4x em410xread
Auto-detected clock rate: 128
proxmark3> data fskdemod
actual data bits start at sample 6180         
length 50/50         
bits: '111000101111010101100111101100011110000011100'         
hex: 00001c5e acf63c1c         

Resulting:
http://www.tiikoni.com/tis/view/?id=67a3871
http://www.tiikoni.com/tis/view/?id=fafad9e

Thanks.

Offline

#7 2014-12-13 23:10:41

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

stick the card on the antenna and do a lf hid fskdemod (should read and display the id until you press the button on the proxmark, if it is an HID card (most FSK are))

if you get data it is an hid card.  if not it might be an io prox.

Offline

#8 2014-12-13 23:26:47

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

>>lf read
>>data sample 16000
>>data save fob2.txt
gives this http://pastebin.com/cRrFL1a3

>> version 852?!?  Are you sure you downloaded the latest source from GitHub?
I compiled this afternoon following this: https://code.google.com/p/proxmark3/wiki/Linux
So r852 is from: svn checkout http://proxmark3.googlecode.com/svn/trunk pm3

proxmark3> lf hid fskdemod
returns nothing.

"lf io" ??? no such command!

Offline

#9 2014-12-13 23:29:14

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

the current proxmark code is on git now not svn googlecode,  see: http://proxmark.org/forum/viewtopic.php?id=1902 
this http://proxmark.org/forum/viewtopic.php?id=1562 also has good links in the first post.

Offline

#10 2014-12-13 23:34:16

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

i finally was able to look at the trace.  it is not FSK.  i'm not 100% sure what it is..  i'm looking.

Offline

#11 2014-12-13 23:42:22

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

looks like a poor read of an ask modulated tag.  can you show a hw tune without the tag on the antenna?  might be your antenna isn't reading the small fob well.  you can data plot, and data grid 64 and line up to manually decode the binary.

Offline

#12 2014-12-13 23:54:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

doing a "data autocorr 2000"   you can measure between the two largest spikes.  and it is 4096 samples between them and repeating.

Offline

#13 2014-12-14 00:05:38

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

@marshmellow
Thank you, I landed on the old wiki :(
Just updated pm3 to gf4bad97-dirty-suspect :)
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: master/v1.1.0-40-gf4bad97-dirty-suspect 2014-12-13 22:49:11                 
#db# os: master/v1.1.0-40-gf4bad97-dirty-suspect 2014-12-13 22:49:12                 
#db# HF FPGA image built on 2014/ 6/19 at 21:26: 2                 
uC: AT91SAM7S256 Rev B         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory         

The antenna is this: http://ryscc.com/products/LFAPCB/
The fob is from a friend, I think it came from an arduino rfid shield.
proxmark3> hw tune         
# LF antenna: 13,16 V @   125.00 kHz         
# LF antenna: 23,90 V @   134.00 kHz         
# LF optimal: 25,65 V @   131,87 kHz         
# HF antenna:  0,68 V @    13.56 MHz         
# Your HF antenna is unusable.         

proxmark3> lf read
#db# buffer samples: 73 73 72 73 73 b4 d2 d9 ...                 
proxmark3> data sample 16000
...
proxmark3> data plot
proxmark3> data grid 64
gives:
htt*://www.tiikoni.com/tis/view/?id=7b15ab7
htt*://www.tiikoni.com/tis/view/?id=27a9b42
data save fob3.txt
htt*://pastebin.com/NtFJjEje

@iceman
proxmark3> data autocorr 2000
performing 14000 correlations         
yes, 4096 between cursorA and cursorB:
htt*://www.tiikoni.com/tis/view/?id=865d578

Offline

#14 2014-12-14 01:03:25

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

i've seen that wave form before, but i can't remember where.  i'll have to look when i get to my other pc.  long story short though there is no direct read command that will work on that tag (afaik).  and i'm not sure what the chip config would be to duplicate it, though with some testing it should be possible.
are there any markings on the fob?

Offline

#15 2014-12-14 11:41:54

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

First, thank you all.

Please consider decoding this fob is only a pure research interest, without any professional or other goals.
My goal here is to understand the steps to decode an unknown waveform fob, which usually replies with some RF preamble and a modulated sequence of bits; the latter contains an optional binary preamble and the data.
The wiki LF ASK example is great, it would be nice to publish other modulations or a generic example.
My further goal could be learning some pm3 internals, by starting to develop some simple command inside it (i.e. a new read command), if it can be useful.

The fob probably came from an arduino shield, here it is:
htt*://www.tiikoni.com/tis/view/?id=84c4050
htt*://www.tiikoni.com/tis/view/?id=ed8c3bb
htt*://www.tiikoni.com/tis/view/?id=0acaf13
The serial number on the side is 0001653950.

Offline

#16 2014-12-14 16:49:46

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

Found very similar waveforms in these recent posts by the pm3 forum contributor iZsh:
htt*s://fail0verflow.com/blog/2014/proxmark3-fpga-iir-filter.html
htt*s://fail0verflow.com/blog/2014/proxmark3-fpga-peak-detection.html

I will try to test the algo in C using these 40000 samples:
htt*://pastebin.com/download.php?i=YJP5Hu6H

Offline

#17 2014-12-14 18:11:49

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

Well, it's PSK, found it here:
htt*://adamsblog.aperturelabs.com/2013/08/rfidler-open-source-software-defined.html

So the decode should calc "whenever there is a phase change (i.e. a spike in either direction), the bit value changes. If there is no phase change, the bit value stays the same. The number of bits depends on how long the gap is between the spikes, so if one was to overlay a grid and you knew how long a bit period was, you could simply count off the periods between bit changes and you've got your bitstream."

This could be a "data pskdemod" command, someone already wrote it?

Offline

#18 2014-12-14 22:02:34

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

indala demod is psk

Offline

#19 2014-12-15 11:12:30

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

indala demod was one of the first tries, it does not produce a meaningful decode.

Assuming PSK: as every spike, positive or negative, is a bit value transition, the grid should be every 32 samples.
Here is 16K samples saved and the resulting plot w/ grid 32:
htt*://pastebin.com/download.php?i=uVzXGPZ1
htt*://www.tiikoni.com/tis/view/?id=e7ccd8d

Manually applying the transitions algo to the above plot, with initial state=0:
1001101001101010101010101010101010101101

Is it right?

Offline

#20 2014-12-15 22:03:34

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

ok I got to my other computer.
it is not PSK
I believe it is a tag called Phidgets (at least I've seen one called phidgets that has the same waveform). 
the binary repeating value is:

1111111110000001001000000000000011100100011011000101111110101100

which follows the EM41xx data scheme which turns into the EM ID: 0400193CBE
which if you only take the last 6 of the hex and make it decimal you get 1653950
which is your card number.

it is an ASK modulation, it is just Weak, max 90,min-97 should be around 125.  it might be a 134khz tag.

Offline

#21 2014-12-20 17:46:03

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

Great marshmellow!!!

Well, the lesson is a waveform could fail askdemod, visually seem PSK, but be ASK.
Since as a noob my goal is to study how to approach an undocumented tag, and this seemed a good example, I'm still curious.

data autocorr showed 4096, you found 64 bits, so there are 64 samples each bit.
data askdemod does not produce something meaningful with this waveform (pm3 software from github version 2014-12-13 22:49:12)
data mandemod does not decode, obviously.

Did you pre-process the waveform before askdemod?
Can you share what pm3 commands, or other tool or technique you used to decode this ASK, so we can try to reproduce the solution?

Thank you for your time and patience!

(sorry for the delay, I got a lot of workload before holidays)

Offline

#22 2014-12-20 17:54:44

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

What proxmark excels at in lf is plotting the wave.  That plus a trained eye can demod a lot of tags that the built in commands of many readers can't.
Like I said earlier,

"you can data plot, and data grid 64 and line up to manually decode the binary."

I then recognized the 111111111 as a sign of the em4xxx format so I lined the bits up with that as the start and ran the em calc (manually) on the bits to verify the parities all were correct and got the ID, which also confirmed it was the format I suspected

Last edited by marshmellow (2014-12-20 17:55:52)

Offline
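
The manual check described in posts #20 and #22 (nine 1-bits as the header, parity verification, last six hex digits as the printed number), written out as an added example; it is not code from any poster or from the Proxmark3 code base. It assumes the standard EM4100 frame layout (10 rows of 4 data bits plus an even row-parity bit, 4 even column-parity bits, a 0 stop bit), and the function names are made up for the example.

```python
# Added example: EM4100-style frame validation for the bitstream posted in this thread.
HEADER = "1" * 9     # nine 1-bits mark the start of a frame
FRAME_BITS = 64      # 9 header + 10 rows of (4 data + 1 parity) + 4 column parity + 1 stop

# The repeating 64-bit value from post #20.
THREAD_BITS = "1111111110000001001000000000000011100100011011000101111110101100"


def parse_frame(frame):
    """Return the 10 ID nibbles if frame is a valid 64-bit frame, else None."""
    if len(frame) != FRAME_BITS or not frame.startswith(HEADER) or frame[-1] != "0":
        return None
    body = [int(b) for b in frame[9:63]]            # 50 row bits, then 4 column-parity bits
    rows = [body[i:i + 5] for i in range(0, 50, 5)]
    if any(sum(row) % 2 for row in rows):           # every row must have even parity
        return None
    for col in range(4):                            # every data column must have even parity
        if (sum(row[col] for row in rows) + body[50 + col]) % 2:
            return None
    return [row[0] << 3 | row[1] << 2 | row[2] << 1 | row[3] for row in rows]


def decode_em4100(bits):
    """Scan a bit string at every alignment for the first frame that passes all checks."""
    bits = "".join(c for c in bits if c in "01")    # ignore spaces and newlines
    for start in range(len(bits) - FRAME_BITS + 1):
        nibbles = parse_frame(bits[start:start + FRAME_BITS])
        if nibbles is not None:
            em_id = "".join(f"{n:X}" for n in nibbles)
            return {"offset": start, "em_id": em_id,
                    "card_number": int(em_id[-6:], 16)}   # last 6 hex digits, as in post #20
    return None


if __name__ == "__main__":
    # Constructed capture: the frame repeated, starting mid-frame as a real read would.
    capture = (THREAD_BITS * 3)[20:148]
    print(decode_em4100(capture))
```

A hand-read bit string with a single misread bit fails a row or column parity check and returns None, which is the same signal marshmellow used to confirm the alignment and the format.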

#23 2014-12-28 22:01:11

hx4u
Contributor
Registered: 2014-12-13
Posts: 15

Re: [SOLVED] Approaching 125KHz FSK from noob perspective

Title marked SOLVED.
Thanks to marshmellow and all contributors.

Offline
