Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
#1 2015-08-20 02:33:45
- mnelson
- Contributor
- From: Outside Denver, CO, USA
- Registered: 2015-06-05
- Posts: 33
Unknown 30-Bit FOB
I have a handful of FOBs that I'm trying to identify. My PM3 doesn't give me anything with "lf search" but I have a small USB RF reader from RFIDEAS that does give me something. It's telling me these are 30-Bit/HID. My best guess is that they are SENTEX Format (Format S10301).
proxmark3> lf search
#db# buffer samples: 81 81 81 81 81 81 81 81 ...
Reading 30000 bytes from device memory
Data fetched
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
proxmark3>Here's what I have (all are facility code:2) :
PRINTED SN #: RFIDEAS HEX Data: My Binary Translation:
1900 0x3E040ED8 00111110000001000000111011011000
1901 0x3E040EDB 00111110000001000000111011011011
1902 0x3E040EDD 00111110000001000000111011011101
1903 0x3E040EDE 00111110000001000000111011011110
1904 0x3E040EE1 00111110000001000000111011100001
1932 0x3E040F19 00111110000001000000111100011001
1949 0x3E040F3B 00111110000001000000111100111011
2257 0x3E0411A2 00111110000001000001000110100010
2266 0x3E0411B5 00111110000001000001000110110101
2278 0x3E0411CD 00111110000001000001000111001101
I'm new to the PM3, so maybe I'm just not following the right path of commands. Has anyone see these before, or know more about them. I'd like to clone the ones I have onto some T5557 FOBs, but I'm not getting anywhere.
Any thoughts? Thanks.
Offline
#2 2015-08-20 09:13:59
- iceman
- Administrator
- Registered: 2013-04-25
- Posts: 9,538
- Website
Re: Unknown 30-Bit FOB
Looks like dec 1900 = 11101101100
and you set that in the binary translation of the RFIDAES hex.
00111110000001000000 -- could be some kind of header.
11101101100 - 1900 i decimal
0 - parity bit?
Offline
#3 2015-08-20 16:39:52
- mnelson
- Contributor
- From: Outside Denver, CO, USA
- Registered: 2015-06-05
- Posts: 33
Re: Unknown 30-Bit FOB
I noticed the same thing. The last bit must be a parity bit. Part of it looks like a normal card layout (I think), it's the stuff on the top end that's messing with me (see below).
Another thing I discovered: when I present the original FOBs to an HID reader it beeps, so I know it can see the FOB. This rules out a custom reader being required to read these little guys.
If I'm going to clone them using a T5557, I'm going to need to know the format for each of the blocks right? What should be my next step to figure that out?
Thanks.
Offline
#4 2015-08-20 17:39:18
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Unknown 30-Bit FOB
do an 'lf search u'
then a data plot
can you post both the output and the plot window?
Offline
#5 2015-08-20 17:43:32
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Unknown 30-Bit FOB
kinda looks like this format:
https://helpdesk.rs2tech.com/kb/article … ard-format
Offline
#6 2015-08-20 22:47:38
- mnelson
- Contributor
- From: Outside Denver, CO, USA
- Registered: 2015-06-05
- Posts: 33
Re: Unknown 30-Bit FOB
I don't think they're Kastle FOBs, but I could be wrong. But here's the good news: I can read it now!!!! My guess is that I had my PM3 antenna too close to one of my readers (I've been having trouble all week. I gave up earlier today and packed-up all my gear. I decided to give it another try after lunch). I've successfully cloned FOB# 01900.
Here's the lf search U:
proxmark3> lf search u
#db# buffer samples: 44 44 4a 90 a1 b4 be bf ...
Reading 30000 bytes from device memory
Data fetched
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
HID Prox TAG ID: 207e040ed8 (1900) - Format Len: 30bit - FC: 0 - Card: 0
Valid HID Prox ID Found!
proxmark3> Here's the trace: https://www.dropbox.com/s/ri0vwifnpwmqxm9/Sentex%20HID%20S10301%20FC2%20SN01900?dl
(this is my first time doing this, please let me know if it's wrong)
Offline
#7 2015-08-26 16:30:36
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Unknown 30-Bit FOB
you mentioned before the FC was 2, is that definite?
looks like you got a good read and the fact that you've cloned and it worked suggests you have it correct.
I've had interference issues before when the PM3 was too close to other readers or other electronics as well.
so the format appears to be a 30 bit as you suggested, probably with an even/odd parity at the ends respectively.
Offline
#8 2015-08-26 17:14:05
- mnelson
- Contributor
- From: Outside Denver, CO, USA
- Registered: 2015-06-05
- Posts: 33
Re: Unknown 30-Bit FOB
I'm sure it was FC:2, the original HID packaging was found later that day. Also confirmed it was Sentex S10301 format.
Offline
#9 2015-08-26 17:40:16
- marshmellow
- Contributor
- From: US
- Registered: 2013-06-10
- Posts: 2,302
Re: Unknown 30-Bit FOB
ok then you have a 3rd field with a value of 15, maybe a "Fixed Field" or FF.
FF = 15
FC = 2
Card = 1900
so format spec:
FF 2, 3, 4, 5
FC 6, 7, 8, 9,10,11,12,13
CN 14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
E 1 2, 3, 4, 5, 6, 7, 8, 9, 10,11,12,13,14,15
O 30 16,17,18,19,20,21,22,23,24,25,26,27,28,29Offline
Pages: 1