Help Cloning Paradox 125khz Cards

blogfish · 2014-08-16 21:07:13

Hello all and thank you in advance for your help. I need help cloning 3 125khz cards from the manufacturer Paradox.

I have the traces of 3 cards available here:
http://yourfilelink.com/get.php?fid=957619

The numbers on each card are in the filename for each trace.
Paradox--96:40426-APJN08.pm3
Paradox--108:01827-APOC11.pm3
Paradox--112:10262-APOC13.pm3

There was someone else who working with a paradox card on the forum here:
http://www.proxmark.org/forum/viewtopic.php?id=1844

What steps are necessary to decode / clone these suckers?

Thanks!

marshmellow · 2014-08-18 15:38:32

as discussed in http://www.proxmark.org/forum/viewtopic.php?id=1844 the proxmark's current programming can't decode the bitstream directly without code changes. but it can plot the wave and you can manually decode the fsk waveform (apply a 50 x grid over it and line it up). once you get a bit stream you can then program a ATA55xx chip card to match.

as far as your bitstreams, because you uploaded a trace I will decode 2 of the 3 for you:

108_01827:
Raw FSK Demod:
00001111010101010101010101010110100110100101  01010101011010100101100101011010  10101010101001011010
Manchester demod: 
         0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 0 0   0 0 0 0 0 1 1 1 0 0 1 0 0 0 1 1   1 1 1 1 1 1 0 0 1 1
Bit Interpretation:
  			FC	108			Card	01827              Checksum/Parity?

96_40426:
00001111010101010101010101010110100101010101  10010110101001101010100110011001  10011010010110011010
         0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0   1 0 0 1 1 1 0 1 1 1 1 0 1 0 1 0   1 0 1 1 0 0 1 0 1 1
				96				40426

the 00001111 appears to be the prefix or start of data (instead of HID's 00011101)

to clone, take hex of raw FSK Demod and program a ATA55xx blocks 1-3 and program the configuration block the same as an HID standard card (refer to other topics for details on these)

Last edited by marshmellow (2014-08-26 02:12:55)

blogfish · 2014-08-18 17:09:06

Thanks for your help!

So can you tell me where I am going wrong?

I cant get it to output the manchester decoding.

Here are the commands I have used:

lf read
data samples 16000
data fskdemod
data grid 50 0
data hpf
data threshold 0

At this point my plot has gone from analog to digital between -1 and 1 with a grid. How do I output the raw fsk?

Also, when I try to "data mandemod" or "data mandemod 50" the data I get: dozens of "Warning: Manchester decode error for pulse width detection. (too many of those messages mean either the stream is not Manchester encoded or the closk is wrong). What am I missing Marshmellow?

marshmellow · 2014-08-18 20:55:56

marshmellow wrote:

the proxmark's current programming can't decode the bitstream directly without code changes. but it can plot the wave and you can manually decode the fsk waveform (apply a 50 x grid over it and line it up).

by manually decode I meant look at the wave plot and MANUALLY decode it by hand. then manually decode the Manchester data. or if you are good at coding, you could look to adjust the fskdemod to work properly.

So:
lf read
data samples 16000
data plot
data grid 50 0

then left and right arrows (or trim grid) to line up the grid to your waveform.

Last edited by marshmellow (2014-08-18 20:58:52)

blogfish · 2014-08-18 21:21:30

Oh you meant MANUALLY manually decode it.

Thank you very much for your help.

Send me a private message if you want a free case of beer.

marshmellow · 2014-08-18 21:26:35

Last edited by marshmellow (2014-08-18 21:27:07)

Earman · 2015-01-20 02:07:01

I am a total newbie. Is there a set of commands or script to clone Paradox FOBs automatically? I don't understand enough to decode manually! Or, is there another system (other than Proxmark 3) that would do it automatically? I have used ProxClone to easily clone HID FOBs, but Paradox are not possible with it... Any recommendation appreciated! Thanks!

marshmellow · 2015-01-20 02:10:05

The new fskrawdemod can demod these but you will need to learn a bit to clone. But all the info is on the forum

Earman · 2015-01-23 22:37:30

Thanks!

marshmellow · 2015-01-24 00:53:22

Actually, in my github fork there is a auto demod command for this and other FSK tags.. I'm still working on others so I haven't pushed it to the main... The output from the demod could be used to write a copy. If you have a lot to copy I suggest you learn some code.

marshmellow · 2015-01-28 01:24:37

The new "data fskparadoxdemod" can demod these. Cloning is an extra few steps.

Earman · 2015-02-01 04:03:09

marshmellow wrote:

The new "data fskparadoxdemod" can demod these. Cloning is an extra few steps.

Thanks for your help!

Earman · 2015-02-12 02:57:57

marshmellow wrote:

The new "data fskparadoxdemod" can demod these. Cloning is an extra few steps.

I received my Proxmark3 a week ago and flashed it to CDC and the latest version I found for windows (756).

I cloned a few HID and Indala.

To try reading and cloning, if I am lucky, a Paradox I would love to use the fskparadoxdemod command.
Where can I get the proper patch file and where can I find instructions on how to patch the file into the version I have (Windows 7)? I Googled it but could not find the answer...

Also, probably another stupid question: to stop reading I can press the Proxmark3 button. Is there a keyboard shortcut in the GUI that would do the same thing (like Ctrl Break or ESC...), I did not see anything like that in the doc I read...

Thanks for your time!

marshmellow · 2015-02-12 03:08:42

You need the github code, or aspers compiled windows client files.

There is no keyboard key that mimics the proxmark button

Earman · 2015-02-12 03:55:58

Thank you so much Marshmellow!

Earman · 2015-02-12 05:16:13

Well I guess I did something wrong

I downloaded Asper's 0.0.7 and flashed the full FPGA then the OS. Both flashes went smoothly and indicated they succeeded. However the Proxmark is now stuck with both yellow and red light s lit! Unplugging and waiting a while did not change anything. I tried re-flashing both and it succeeded again but did not fix the problem... I did not touch the bootrom.

Even though I did not flash the bootrom, do I need to flash it with the bootrom included in 0.0.7? I thought the bootrom rarely needed to be changed... I don't want to risk screwing the Proxmark more than it is as I don't have a JTAG...

Any suggestion on what I can do ? Thanks!

Last edited by Earman (2015-02-12 05:23:27)

marshmellow · 2015-02-12 05:20:17

Should have flashed the bootrom first. Might still be able to

Last edited by marshmellow (2015-02-12 05:20:35)

Earman · 2015-02-12 05:24:17

Just read your reply. I did not realize that the bootrom had to be flashed. So, for each new bin the bootrom needs to be flashed?

Earman · 2015-02-12 05:27:13

Just flashed bootrom and everything OK now. A HUGE thanks for your help! I thought of trying it but was afraid to make it worse... Can you confirm that bootrom must be flashed first for each revision? Thanks.

marshmellow · 2015-02-12 05:29:20

From the old 756 to the new code the bootrom has changed. It doesn't change often but 756 is hundreds of commits behind.

marshmellow · 2015-02-12 05:39:40

It isn't usually changed often, but shouldn't hurt to flash it when in doubt. If you keep up with github it is mentioned in an update if a bootrom change happened.

Earman · 2015-02-12 05:44:22

OK. Thanks! I just tried the fskparadoxdemod which is in bin 0.0.7 GUI but it does not seem to work. I only get the Help list (like if the command is not recognized). It may not be the latest version for that parameter...

marshmellow · 2015-02-12 05:47:26

data fskparadox
Should work

marshmellow · 2015-02-12 05:51:28

Is it in the data menu?

Earman · 2015-02-12 05:55:27

data fskparadox is not in this version of GUI. I tried direct lf data fskparadox but that was not recognized either. I may have to wait for next version.

marshmellow · 2015-02-12 05:58:22

Hmmm. I thought I had that in before 0.0.7 was made... I'll check tomorrow, when I'm at my pc

Earman · 2015-02-12 06:00:21

Thanks!

marshmellow · 2015-02-12 06:10:38

Are you using the GUI or the command line?

marshmellow · 2015-02-12 06:14:26

It appears the GUI has some issues with the settings.xml file. At the top of the GUI window it should let you type a command in. Try typing just data and look through the list of commands. It should be there. I hope to get some time tomorrow to go through the settings.xml file to see what other errors exist

asper · 2015-02-12 09:28:44

I put the paradox demod under LF -> TAGs (I would like to separate specific cards/tags commands form generic commands and in the GUI I can do that ).
Anyway the command is "lf data fskparadoxdemod" (it can be not working in the 0.0.7, maybe I forgot to add "data" between lf and fskparadoxdemod).

I hope to get some time tomorrow to go through the settings.xml file to see what other errors exist

Great ! Please use this file to test, it is my latest with new lf and hf additions (this file is not fully compatible with 0.0.7 because some stuff was not yet implemented in that version). It only misses the very latest lf modifications (I updated it almost 2-3 days ago).

Last edited by asper (2015-02-12 10:05:18)

iceman · 2015-02-12 10:00:33

or you download the latest source from GitHub and run the command prompt instead.

Earman · 2015-02-12 10:36:32

I was using the GUI but I also tried lf data fskparadox and lf data fskparadoxdemod from the command line (in DOS window) and that was not recognized.

iceman · 2015-02-12 10:44:32

"lf data fskparadoxdemod" ??

Usually its:

lf read
data samples
data fskparadoxdemod

marshmellow · 2015-02-12 15:40:24

I'm going to post a few changes needed to the settings.xml file in this post: http://www.proxmark.org/forum/viewtopic.php?id=2260

Earman · 2015-02-12 19:32:22

marshmellow wrote:

I'm going to post a few changes needed to the settings.xml file in this post: http://www.proxmark.org/forum/viewtopic.php?id=2260

Thanks for your work! Does the paradox command work on your Proxmark3? On mine the command is not recognized even when I use the proper command "lf data fskparadoxdemod" directly in line command mode... so I am wondering if it's not only the XML file which has some errors but the flashed code also as it does not recognize the command, at least with the 0.0.7 version I flashed. I am assuming that the flashed ode must match the commands set... The other commands I tries (HID and INDALA) work fine.

marshmellow · 2015-02-12 19:46:45

lf data fskparadoxdemod is not the proper command.

It should be as iceman said
data fskparadoxdemod

But you need to do either an lf search or lf read - data samples first

Earman · 2015-02-12 19:56:38

I applied all your corrections to the xml settings file... (should I upload the updated file?) and the tags Paradox command is now recognized. However, it does not start reading the paradox fob I tried. It just shows: proxmark3> data fskparadoxdemod and stops.

marshmellow · 2015-02-12 19:57:36

Did you try a lf search?

Earman · 2015-02-12 20:06:20

Yes, it says valid Paradox ID found

marshmellow · 2015-02-12 20:07:15

Congrats

Earman · 2015-02-12 20:08:59

So, why is it not starting reading with the fskparadoxdemod command if it recognizes it as a proper Paradox? Anything I should do differently?

Last edited by Earman (2015-02-12 20:10:50)

Earman · 2015-02-12 20:10:00

When I try an HID or INDALA it does start reading immediately...

Last edited by Earman (2015-02-12 20:10:26)

marshmellow · 2015-02-12 20:12:04

The "data" demod commands require (as we've said) two other commands to be sent before using them
lf read
data samples

Or else a data load... To load from a saved trace.
Without one of those there is no data to demod.

Earman · 2015-02-12 20:13:15

OK, I get it! Thanks a lot, sorry for asking stupid questions!!! I really appreciate the help you gave me. I hope I will learn fast! Thanks again.

marshmellow · 2015-02-12 20:13:56

If you got the lf search to demod it why are you still trying to demod it again?

Earman · 2015-02-12 20:17:37

I did not realize the search would give the tag id so easily and I thought I needed the fskparadoxdemod to get the full information... My bad!

Earman · 2015-02-12 20:19:24

Now I am going to try writing one. Any keyword I should search for of this board?

Earman · 2015-02-12 20:20:54

Have to go now, I'll continue trying to learn this afternoon. Thanks again!

marshmellow · 2015-02-12 20:25:40

Carl's post should give you an idea if you have an ata5577 http://www.proxmark.org/forum/viewtopic … 9379#p9379

marshmellow · 2015-02-12 20:26:54

Just have to split the 96 bit or 12 digit id over blocks 1-3

Proxmark3 community

Announcement

#1 2014-08-16 21:07:13

Help Cloning Paradox 125khz Cards

#2 2014-08-18 15:38:32

Re: Help Cloning Paradox 125khz Cards

#3 2014-08-18 17:09:06

Re: Help Cloning Paradox 125khz Cards

#4 2014-08-18 20:55:56

Re: Help Cloning Paradox 125khz Cards

#5 2014-08-18 21:21:30

Re: Help Cloning Paradox 125khz Cards

#6 2014-08-18 21:26:35

Re: Help Cloning Paradox 125khz Cards

#7 2015-01-20 02:07:01

Re: Help Cloning Paradox 125khz Cards

#8 2015-01-20 02:10:05

Re: Help Cloning Paradox 125khz Cards

#9 2015-01-23 22:37:30

Re: Help Cloning Paradox 125khz Cards

#10 2015-01-24 00:53:22

Re: Help Cloning Paradox 125khz Cards

#11 2015-01-28 01:24:37

Re: Help Cloning Paradox 125khz Cards

#12 2015-02-01 04:03:09

Re: Help Cloning Paradox 125khz Cards

#13 2015-02-12 02:57:57

Re: Help Cloning Paradox 125khz Cards

#14 2015-02-12 03:08:42

Re: Help Cloning Paradox 125khz Cards

#15 2015-02-12 03:55:58

Re: Help Cloning Paradox 125khz Cards

#16 2015-02-12 05:16:13

Re: Help Cloning Paradox 125khz Cards

#17 2015-02-12 05:20:17

Re: Help Cloning Paradox 125khz Cards

#18 2015-02-12 05:24:17

Re: Help Cloning Paradox 125khz Cards

#19 2015-02-12 05:27:13

Re: Help Cloning Paradox 125khz Cards

#20 2015-02-12 05:29:20

Re: Help Cloning Paradox 125khz Cards

#21 2015-02-12 05:39:40

Re: Help Cloning Paradox 125khz Cards

#22 2015-02-12 05:44:22

Re: Help Cloning Paradox 125khz Cards

#23 2015-02-12 05:47:26

Re: Help Cloning Paradox 125khz Cards

#24 2015-02-12 05:51:28

Re: Help Cloning Paradox 125khz Cards

#25 2015-02-12 05:55:27

Re: Help Cloning Paradox 125khz Cards

#26 2015-02-12 05:58:22

Re: Help Cloning Paradox 125khz Cards

#27 2015-02-12 06:00:21

Re: Help Cloning Paradox 125khz Cards

#28 2015-02-12 06:10:38

Re: Help Cloning Paradox 125khz Cards

#29 2015-02-12 06:14:26

Re: Help Cloning Paradox 125khz Cards

#30 2015-02-12 09:28:44

Re: Help Cloning Paradox 125khz Cards

#31 2015-02-12 10:00:33

Re: Help Cloning Paradox 125khz Cards

#32 2015-02-12 10:36:32

Re: Help Cloning Paradox 125khz Cards

#33 2015-02-12 10:44:32

Re: Help Cloning Paradox 125khz Cards

#34 2015-02-12 15:40:24

Re: Help Cloning Paradox 125khz Cards

#35 2015-02-12 19:32:22

Re: Help Cloning Paradox 125khz Cards

#36 2015-02-12 19:46:45

Re: Help Cloning Paradox 125khz Cards

#37 2015-02-12 19:56:38

Re: Help Cloning Paradox 125khz Cards

#38 2015-02-12 19:57:36

Re: Help Cloning Paradox 125khz Cards

#39 2015-02-12 20:06:20

Re: Help Cloning Paradox 125khz Cards