Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hello,
Does anyone know any details about radiokey or secura key ??
Thanks for the info.
Offline
http://www.securakey.com/PRODUCTS/CARDS/RADIO_KEY_Cards_Tags_6770.pdf
http://www.proxmark.org/forum/viewtopic.php?id=1837
Offline
2,5 seconds of google search: datasheet - other infos.
It is a Wiegand 26 or 32 bit format (by default) but factory can use other transponder types by request (see last sentence in the datasheet).
Offline
Thanks to app_01, asper for your info.
any chance that I can use T5577 rewritable blank card to clone this radiokey ??
please advise, thanks.
Offline
Joe or anyone else on the forum - did you have luck cloning the Radio Secura Key?
I'm trying to clone the Radio Secura Key Tag (it's Wiegand 26 or 32 format but it doesn't say proximity).
I'm fairly new to the scene. Any direction or steps to decode and clone this key would be most helpful!
Offline
i don't believe there are specific functions for the PM3 to currently auto demodulate or clone this tag. that doesn't mean it can't be done though. you will need to first identify the modulation of the tag (as we already know the frequency is LF). you can do this by lf read - data samples 12000 - data plot - and identifying the waveform. (look around for examples on the forum there are many) after you know the modulation you can learn to demodulate it to get the binary string. then you need to identify the start and end (or repeating binary) of the chip transmission. then you can take that information and figure out how to clone it to an ATA5577.
Offline
after trying many times, there is no direct command to decode secura tag. nobody can clone this tag at the moment.
Offline
I'd like to see a trace before I agree that "nobody can clone this tag". it appears to be a simple format from the datasheets.
Offline
Any idea if these securakeys are FSK wave length format?
when I do data fskdemod I get the hex but it's different every time.
Offline
Here's the wavelength btw
Offline
Definitely ASK modulation. Can you post a trace file?
lf read
data samples 20000
data save c:\trace1.pm3
Then post the pm3 file to some file share and link to it here.
Offline
Hi Marshmellow,
Thank you once again for your reply. Unfortunately I don't have access to the Secura Key anymore.
Next time when I come across it I will make sure to post the trace file.
Offline
I'd like to see a trace before I agree that "nobody can clone this tag". it appears to be a simple format from the datasheets.
HI, marshmellow,
Here, i have the tag now ...
proxmark3> lf search
#db# buffer samples: eb e3 de d8 ca ca c1 b8 ...
Reading 20000 samples
Done!
Checking for known tags:
Using Clock: 40 - Invert: 0 - Bits Found: 400
ASK/Manchester decoded bitstream:
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
1111111110011000
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
1111111110011000
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
1111111110011000
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
1111111110011000
0000000000001000
Recovered 499 raw bits, expected: 625
worst metric (0=best..7=worst): 8 at pos 792
UID=0000000000000000000000000000000000000000000000000000000000000000 (000000000)
Occurrences: 7 (expected 7)
proxmark3>
Offline
please help me to decode it, any other tag info you need ??
Offline
can you save a trace and post it ( data save [path/filename] )?
Offline
also is there any markings on the tag? an id number or anything?
Offline
http://speedy.sh/aBPqb/11691secura.pm3
tag no. 11691
Offline
see this thread:
http://www.proxmark.org/forum/viewtopic.php?id=2189
your tag matches its demod.
the repeating binary string you got above will help you understand what you need to do (along with the linked thread)
it was demodulated correctly
let me know if you have further questions after reading that thread.
Offline
yes, but i can't get the Block 0 data. no info for that ..
Offline
block 0 is the configuration block for ata55x7 tags. it will be the same for each tag TYPE you are trying to emulate. look at the first post in http://www.proxmark.org/forum/viewtopic.php?id=1767. it will help you understand what the block 0 bits mean.
also the demod you received above identifies all the information needed to build a block 0.
Using Clock: 40 - Invert: 0 - Bits Found: 400
ASK/Manchester decoded bitstream:
(plus the length of repeating pattern)
Offline
total will be 3 blocks , which bit is the 1st bit for block 1 ?
Offline
i would follow what worked for http://www.proxmark.org/forum/viewtopic.php?id=2189...
Offline
Ok, thanks. I'm just an end-user. I will try.... to understand!
Offline
but i can't determine the start and end bits..
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
1111111110011000
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
Offline
hint: If you read about the em410x tags and how to decode them
Offline
Anyway,I just managed to clone it successfully, it works well.
Block 1 fxxxxxxx
Block 2 4xxxxxxx
Block 3 1xxxxxxx
Offline
Well done!
Offline
I'm trying to decode this key, can I please get a sanity check to see if I am doing this right?
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
Block 0: 000C8060
Block 1: Fxxxxxxx
Block 2: 0xxxxxxx
Block 3: 7xxxxxxx
Any help or feedback appreciated! Thanks in advance.
Last edited by Upgrade (2015-04-09 22:52:48)
Offline
looks about right.
Offline
Just tried it on a reader and it is not working.
Now I am totally lost...
Offline
Now I have to ask... The x's in the blocks 1-3 are a mask to attempt to not give out your cards ID?
Block 1 is really FF96.......
Offline
Correct.
But if it helps I end up getting this:
Block 1: FF968000
Block 2: 00210800
Block 3: 7B400000
So not sure if I am doing this correctly.
Last edited by Upgrade (2015-05-30 18:47:19)
Offline
after you write that to your card did you read it with the pm3 and verify the write took?
Offline
Yes, did another search and the same sequence shows up.
Offline
I also have a 2nd key here.
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
Is it possible that I only have the repeating signal for 2 blocks only?
This seems to be the case for this key, the 3rd block is just a repeat of block 1.
Any ideas?
Offline
If my observation is correct and from here: http://proxmark.org/forum/viewtopic.php?id=1767
Does that mean this secura key is an em410x key due to the fact it only has 2 blocks?
Offline
for the first tag you had 3 repeating blocks and looks like the securakey, but you didn't show the detected clock or modulation.
the second tag looks similar to an EM410x since you only have 64 bits repeating, but it doesn't match the parities of an em410x. so it may be something else. again you don't show the detected clock or modulation.
the clock and modulation are important for getting the correct block 0 settings. joe's tag had a clock of rf/40.
Last edited by marshmellow (2015-04-10 05:00:30)
Offline
Here's the info for the 2nd key
lf search
#db# buffer samples: df de d8 cf c5 be b9 b4 ...
Reading 20000 samples from device memory
NOTE: some demods output possible binary
if it finds something that looks like a tag
Checking for known tags:
Using Clock: 40 - Invert: 0 - Bits Found: 400
ASK/Manchester decoded bitstream:
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
No Known Tags Found!
Offline
this was Joe's post #13
I'm trying to decode this key, can I please get a sanity check to see if I am doing this right?
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
Block 0: 000C8060
Block 1: Fxxxxxxx
Block 2: 0xxxxxxx
Block 3: 7xxxxxxx
Any help or feedback appreciated! Thanks in advance.
from this binary data I have a different result
A000007F
CB400000
1084003D
Last edited by ntk (2015-07-07 04:41:35)
Offline
Sorry to hijack this thread.
I would like to consolidate the knowledge here. How can you be certain without any further measurement that this
ASK
clock 40
no inverse
is it based on experience or on the post #13 from Joe, where lf search given the reasonable looking binary bits, without any 7 equal error, after guessing ASK/manchester Mod alone?
I wonder if you run "data clockdetect a" what would you receive? 8? 32? 40? 64?
I don't have the card & reader so I cannot test myself, but my hex for the data bits from the binary is different from what I read here, so I wonder what is going on: where is that shifting of bits happening when we start with the same binary strings?
Offline
learn what repeating bits means. LF dumb tags just spit out repeating bits. it is up to you to pick out where the data begins and ends.
Offline
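The two hex results posted above for the first key are the same repeating frame packed from different start bits. This added example (not code from any poster or from the Proxmark3 project; function names are illustrative) rebuilds the streams from the rows posted in the thread, finds the repeat length, and recovers the start offset behind each set of words.

```python
"""Added example: repeat length and start offset in a demodulated LF bitstream."""

# Rows as posted in the thread (16 bits each). The dumps show the frame
# repeating and ending with one extra row; that shape is reconstructed here.
KEY1_ROWS = ["1010000000000000", "0000000001111111", "1100101101000000",
             "0000000000000000", "0001000010000100", "0000000000111101"]
KEY2_ROWS = ["0000000000000000", "0001101001100000",
             "1010001010011111", "1111000000000000"]
KEY1_STREAM = "".join(KEY1_ROWS) * 4 + KEY1_ROWS[0]
KEY2_STREAM = "".join(KEY2_ROWS) * 6 + KEY2_ROWS[0]


def find_period(bits):
    """Smallest p with bits[i] == bits[i + p] for every i, or None when the
    capture holds fewer than two full repeats."""
    n = len(bits)
    for p in range(1, n // 2 + 1):
        if all(bits[i] == bits[i + p] for i in range(n - p)):
            return p
    return None


def pack_words(frame, offset, word_bits=32):
    """Rotate the frame so it starts at `offset`, then cut it into hex words."""
    if len(frame) % word_bits:
        raise ValueError("frame length is not a whole number of words")
    rot = frame[offset:] + frame[:offset]
    return [f"{int(rot[i:i + word_bits], 2):0{word_bits // 4}X}"
            for i in range(0, len(rot), word_bits)]


def offsets_matching(frame, words):
    """Every start offset at which the frame packs into exactly `words`."""
    return [o for o in range(len(frame)) if pack_words(frame, o) == words]


if __name__ == "__main__":
    for name, stream in (("key 1", KEY1_STREAM), ("key 2", KEY2_STREAM)):
        period = find_period(stream)
        print(name, "repeats every", period, "bits:",
              pack_words(stream[:period], 0))
    frame = KEY1_STREAM[:96]
    for words in (["A000007F", "CB400000", "1084003D"],
                  ["FF968000", "00210800", "7B400000"]):
        print(words, "-> start offset", offsets_matching(frame, words))
```

Offset 25 is the position where the run of nine 1 bits begins in the first key's 96-bit frame; offset 0 is simply the first bit of the capture as printed.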
@Marshmellow
"Learn what repeating bits means. it is up to you to pick out where the data begins and ends."
I always fall in that "repeating bits"
and please answer for me too " How can you be certain without any further measurement that this
ASK
clock 40
no inverse
" Is it from lf search result?
Offline
If you are referring to this
Using Clock: 40 - Invert: 0 - Bits Found: 400
ASK/Manchester decoded bitstream:
then yes it is part of the output of lf search u
Offline
If you are referring to this
Using Clock: 40 - Invert: 0 - Bits Found: 400
ASK/Manchester decoded bitstream:
then yes it is part of the output of lf search u
thank wish I have secure to play to test with
Offline
lf search u found this.
I am having trouble identifying the blocks. Any help would be greatly appreciated!
proxmark3> lf search u
#db# Sampling config:
#db# [q] divisor: 95
#db# bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff ff ff ff fe f4 ...
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
DEBUG: error during fskdemod
DEBUG: Error - problem during FSK demod
DEBUG: Error demoding fsk
DEBUG: Error - problem during FSK demod
DEBUG: Error demoding fsk
Error1: 0
DEBUG: Bitlen from grphbuff: 20000
Using Clock: 40 - Invert: 0 - Bits Found: 500
ASK/Manchester decoded bitstream:
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
Using Clock: 40 - invert: 0 - Bits Found: 1000
ASK demoded bitstream:
0101001011001010
1010101010101101
0101010101010101
0101010101010101
0101010101010101
0101010101001011
0010110100110011
0101010101001101
0101001011001010
1010101010101101
0101010101010101
0101010101010101
0101010101010101
0101010101001011
0010110100110011
0101010101001101
0101001011001010
1010101010101101
0101010101010101
0101010101010101
0101010101010101
0101010101001011
0010110100110011
0101010101001101
0101001011001010
1010101010101101
0101010101010101
0101010101010101
0101010101010101
0101010101001011
0010110100110011
0101010101001101
Biphase Decoded using offset: 0 - # errors:0 - data:
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
Error gProxII_Demod
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 2560 repeating samples
DEBUG: Bitlen from grphbuff: 20000
Using Clock: 40 - Invert: 0 - Bits Found: 500
ASK/Manchester decoded bitstream:
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod a
b'
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
proxmark3>
Last edited by Upgrade (2015-07-17 03:19:17)
Offline
You shouldn't need to have 'data setdebug' on (1).
The ask/Manchester data looks similar to previous tags. Is there a number printed on the tag? I'd guess the preamble is the 111111111
Offline
Please shed light on the blocks so I can reverse engineer?
Last edited by Upgrade (2015-07-20 04:49:07)
Offline
if you take these blocks (as a starting point in your repeating output)
0000000000000011
0110010100000010
0001101111111110
0000000000000000
You'll get:
1790019 ( 0x1B5043 ) ( 110110101000001000011 )
- 110110 10100000 1000011
00000000000000110110 0 10100000 0 1000011 0 1111111110 0000000000000000
Last edited by iceman (2015-07-18 21:07:00)
Offline
if you take these blocks (as a starting point in your repeating output)
0000000000000011
0110010100000010
0001101111111110
0000000000000000
You'll get:
1790019 ( 0x1B5043 ) ( 110110101000001000011 )
- 110110 10100000 1000011
00000000000000110110 0 10100000 0 1000011 0 1111111110 0000000000000000
Wouldn't I still need the other blocks?
Offline
You asked for how to reverse it... not how to clone it...
Offline