Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2014-12-14 00:38:54

Upgrade
Contributor
Registered: 2014-12-14
Posts: 36

AWID Key Tags

RFID enthusiast here!

I'm trying to demod and clone my AWID key fob with the Promark to no availability.

I've shifted through the thread here:
http://www.proxmark.org/forum/viewtopic.php?id=1635

And did a query for all the AWID info on this forum still to no luck.

Few quick questions to the community if you don't mind
1. What is the command to demod and clone?

Thank you very much in advance!

Offline

#2 2014-12-14 01:06:33

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

afaik there isn't any direct commands to demodulate it or clone it. (though the data fskdemod should work, but it isn't very reliable in my experience)  but you can plot it with data plot and apply a grid that allows you to manually demod the binary on the chip, and then it is just a matter of writing an ata5577 chip with the proper blocks per: http://www.proxmark.org/forum/viewtopic.php?id=1767 to clone it.

Offline

#3 2014-12-14 02:34:06

Upgrade
Contributor
Registered: 2014-12-14
Posts: 36

Re: AWID Key Tags

Marshmellow:thanks for the response.

To be honest I'm pretty new at this.

Is there a step by step guide on how to do the mentioned?
- data plot (with command)
- extracting the code?

Any help is gratefully and truly appreciated!

Offline

#4 2014-12-14 02:41:00

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

the command steps to get the graph to manually demod it are:
lf read
data samples 16000
data plot
data grid 50

then align the grid lines with the rise and fall of the wave(arrow keys (maybe hold ctrl and arrow key)).  Then every grid space that is high is a 1 and every one that is low is a 0.
(rarely the high is 0 and low is 1)

Offline

#5 2014-12-14 03:36:35

Upgrade
Contributor
Registered: 2014-12-14
Posts: 36

Re: AWID Key Tags

Thanks again for the reply.

Did all that was mentioned.

Pardon my newbiness,  how do I interpret the graph with peaks and valleys to the actual code I need to clone a new key fob?

Offline

#6 2014-12-14 04:48:00

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

each grid space with high peaks = a 1 and each grid space = 0
write them down (you will need at least 96bits). you will have more waves than you need because it is a repeating signal.  find the preamble as described in the image from the other forum threads.  that is the starting point.  then you can convert the binary string to hex and split it into the blocks as shown in the image, to write to the ata5577.  you will also need the config block set on the ata 5577, that is on the image as well.

Offline

#7 2015-01-28 01:22:27

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

Latest github version now has "data fskawiddemod" to demod these.

Offline

#8 2015-01-29 06:58:54

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

Currently the lf simulate commands would need the code tweaked to handle this.  You can however read up on the ata55x7, aka t55x7 write block commands and config block settings on the forum.  Post #2 has a link to some ata55x7 info

Offline

#9 2015-03-09 22:54:44

blogfish
Contributor
Registered: 2013-06-05
Posts: 17

Re: AWID Key Tags

I want to be able to use the new fskawiddemod command but am having trouble flashing the github code.

I was using svn version 852 for boot, fpga, and os. Everything works fine.
So I; git clone https://github.com/Proxmark/proxmark3.git .
Then: make clean && make all
Then try to flash with: ./flasher /dev/ttyACM0 -b ../bootrom/obj/bootrom.elf
I get solid yellow & red lights staying on.

What am I doing wrong to update my pm3 to using the github code? THANKS

Offline

#10 2015-03-09 23:20:25

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

try flashing the FPGA and the OS now.

Offline

#11 2015-03-10 02:11:09

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: AWID Key Tags

Upgrade, if you know the card format and the ID and FC that you want, I can give you the data that you can program into a 5577 to make a 5577 emulate your card.

Offline

#12 2015-04-14 01:01:45

Upgrade
Contributor
Registered: 2014-12-14
Posts: 36

Re: AWID Key Tags

My read shows this:

Valid AWID ID Found!
proxmark3> data fskawiddemod
AWID Found - BitLength: 50 -unknown BitLength- (1753) - Wiegand: 1f4000440db2, R
aw: 128817e4111121817772111
proxmark3>

How do I properly clone this on the the tag?

Offline

#13 2015-04-14 03:26:53

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: AWID Key Tags

Correct me if I am wrong:

Block 0 0x00107060
Block 1 0x128817e4
Block 2 0x11112181
Block 3 0x77721111

Last edited by Lenox (2015-04-14 03:41:37)

Offline

#14 2015-04-14 20:42:19

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: AWID Key Tags

If this is 50 bit AWID RBH format, then the FC would be 4000 and the ID would be 2229977.

Offline

#15 2015-04-14 22:10:12

Upgrade
Contributor
Registered: 2014-12-14
Posts: 36

Re: AWID Key Tags

@hkplus, you're correct but how does one go about cloning this key?

Offline

#16 2015-04-14 22:11:26

Upgrade
Contributor
Registered: 2014-12-14
Posts: 36

Re: AWID Key Tags

@lenox, I tried that but it does not work

Offline

#17 2015-04-14 22:22:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

You are missing the leading zero before the 1288...  The raw needs to be padded with zeros left to fill out the 96 bits or 24 hex chars

Offline

#18 2015-04-14 22:41:18

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: AWID Key Tags

@ marshmellow, try this?

Block 0 0x00107060
Block 1 0x0128817e
Block 2 0x41111218
Block 3 0x17772111

Offline

#19 2015-04-14 22:42:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

Lenox wrote:

@ marshmellow, try this?

Block 0 0x00107060
Block 1 0x0128817e
Block 2 0x41111218
Block 3 0x17772111

correct.

Offline

#20 2015-04-14 22:43:58

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

fyi, in newer firmware revisions i made the raw output include the leading zeros...

Offline

#21 2015-04-14 22:50:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: AWID Key Tags

You flashed the osimage.elf ?

blogfish wrote:

I want to be able to use the new fskawiddemod command but am having trouble flashing the github code.

I was using svn version 852 for boot, fpga, and os. Everything works fine.
So I; git clone https://github.com/Proxmark/proxmark3.git .
Then: make clean && make all
Then try to flash with: ./flasher /dev/ttyACM0 -b ../bootrom/obj/bootrom.elf
I get solid yellow & red lights staying on.

What am I doing wrong to update my pm3 to using the github code? THANKS

Offline

#22 2015-04-15 00:08:01

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

Does the 50 bit AWID RBH format you mentioned have the standard wiegand even left parity and odd right parity?  (I can add this format as a recognized format...)

Offline

#23 2015-11-06 00:15:35

theyhavelanded
Contributor
Registered: 2015-09-29
Posts: 7

Re: AWID Key Tags

I am trying to clone my apartment key. I get. Please let me know how I would write the data to a T5577 card. Thanks for any help!

             
proxmark3> lf awid fskdemod 1
#db# AWID Found - BitLength: 12 -unknown BitLength- (24576) - Wiegand: 0, Raw: 011711111111111117ed178b

Offline

#24 2015-11-06 03:59:54

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: AWID Key Tags

marshmellow wrote:

Does the 50 bit AWID RBH format you mentioned have the standard wiegand even left parity and odd right parity?  (I can add this format as a recognized format...)

The RBH 50 bit AWID should be a known format. Nobody knows?

Offline

#25 2015-11-06 06:40:30

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: AWID Key Tags

Lenox wrote:
marshmellow wrote:

Does the 50 bit AWID RBH format you mentioned have the standard wiegand even left parity and odd right parity?  (I can add this format as a recognized format...)

The RBH 50 bit AWID should be a known format. Nobody knows?

The 50 bit RBH format has a 16 bit FC and a 32 bit ID.  The parity bits are just like the 26 bit format, even parity bit 0 and last bit is odd parity.  The parities are computed by splitting the data bits down the middle. It's just an overgrown 26 bit format basically.

Last edited by hkplus (2015-11-06 06:43:19)

Offline

#26 2015-11-06 06:44:37

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

@Lenox, I've not had any tags myself.  nor have i seen a format definition anywhere.

i'll be happy to add it to the pm3 if someone knows/shares it.  - preferably with parity to weed out false positives.

Offline

#27 2015-11-06 06:45:38

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

thx hkplus.  i'll add it in

Offline

#28 2015-11-06 06:46:16

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: AWID Key Tags

marshmellow wrote:

@Lenox, I've not had any tags myself.  nor have i seen a format definition anywhere.

i'll be happy to add it to the pm3 if someone knows/shares it.  - preferably with parity to weed out false positives.

I have some of these cards in my file.  But format is as described.

Offline

#29 2015-11-06 06:50:44

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

theyhavelanded wrote:

I am trying to clone my apartment key. I get. Please let me know how I would write the data to a T5577 card. Thanks for any help!

             
proxmark3> lf awid fskdemod 1
#db# AWID Found - BitLength: 12 -unknown BitLength- (24576) - Wiegand: 0, Raw: 011711111111111117ed178b

this result is strange the bit length doesn't make sense and the std awid format isn't quite followed...  if it is an awid the "Raw" gives you the block 1-3 then you just need to figure out the config block.

is the tag marked with the standard AWID logo?

Offline

#30 2015-11-09 07:29:01

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: AWID Key Tags

I've tried this and worked for AWID,

lf t55 detect "since it is t55 based"
lf t55 dump "it will dump all sector of AWID on t55 format"
lf t55 SECTOR DUMP "sector 0 is AWID memic sector, the UID of AWID will start from sector 1 onwards".


Help this help.
big_smile

Offline

#31 2015-11-17 20:59:51

aid1305
Contributor
Registered: 2015-11-11
Posts: 6

Re: AWID Key Tags

Thank you marshmellow and Danz.
I was able to copy AWID tag using this methods.

Danz wrote:

I've tried this and worked for AWID,
lf t55 detect "since it is t55 based"
lf t55 dump "it will dump all sector of AWID on t55 format"
lf t55 SECTOR DUMP "sector 0 is AWID memic sector, the UID of AWID will start from sector 1 onwards".

marshmellow wrote:

if it is an awid the "Raw" gives you the block 1-3 then you just need to figure out the config block.
is the tag marked with the standard AWID logo?

May be someone will find it helpful.
Here's what I did to copy AWID tag to T5577

[== Undefined ==]
proxmark3> lf search           
Samples @ 8 bits/smpl, decimation 1:1           
Checking for known tags:
AWID Found - BitLength: 26, FC: 26, Card: 28240 - Wiegand: 234dca0, Raw: 011db1d8de24111111111111          
Valid AWID ID Found!     

proxmark3> lf t55 detect
Modulation : FSK2a          
Bit Rate   : 4 - RF/50          
Inverted   : Yes          
Offset     : 1          
Block0     : 0x00107060          
proxmark3> 
proxmark3> lf t55xx dump 
[0] 0x00107060  00000000000100000111000001100000          
[1] 0x011DB1D8  00000001000111011011000111011000          
[2] 0xBC482223  10111100010010000010001000100011          
[3] 0x11111111  00010001000100010001000100010001          
[4] 0x00000000  00000000000000000000000000000000          
[5] 0x00000000  00000000000000000000000000000000          
[6] 0x00000000  00000000000000000000000000000000          
[7] 0x00000000  00000000000000000000000000000000    

-- T55xx Configuration & Tag Information --------------------          
-------------------------------------------------------------          
 Safer key                 : 0          
 reserved                  : 0          
 Data bit rate             : 4 - RF/50          
 eXtended mode             : No          
 Modulation                : 7 - FSK 2a RF/10  RF/8          
 PSK clock frequency       : 0          
 AOR - Answer on Request   : No          
 OTP - One Time Pad        : No          
 Max block                 : 3          
 Password mode             : No          
 Sequence Start Terminator : No          
 Fast Write                : No          
 Inverse data              : No          
 POR-Delay                 : No          
-------------------------------------------------------------          
 Raw Data - Page 0          
     Block 0  : 0x00107060  00000000000100000111000001100000    

Then I set config and wrote blocks 0,1,2,3
I used "RAW" as marshmellow said for blocks 1,2,3
For some reason raw data from "lf search" and "dump" showing different block 2 information, anybody know why?
Anyway I used Raw data and it worked.

[== Undefined ==]
proxmark3> lf t55xx config b 50 d t55xxdem i 0 o 0

proxmark3> lf t55xx write 1 011db1d8 
Writing to block: 1  data  : 0x011DB1D8          
proxmark3> 
proxmark3> lf t55xx write 2 de241111 
Writing to block: 2  data  : 0xDE241111          
proxmark3> 
proxmark3> lf t55xx write 3 11111111 
Writing to block: 3  data  : 0x11111111          
proxmark3> 
proxmark3> lf t55xx write 0 00107060 
Writing to block: 0  data  : 0x00107060  

Offline

#32 2015-11-18 03:17:50

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

the reason the dump didn't show the correct data is a t55xx code FSK demodulation issue.  (the bits are correct just not in the correct starting position/order).  I've been working on it slowly and some improvements made it to the main trunk recently, and i have some more in my fork on one of my branches that is close to being done.  once i'm done testing it will be pushed to the main trunk.

Offline

#33 2015-11-26 10:07:30

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: AWID Key Tags

Great, we should have an option to directly copy AWID based on this method in GUI ?
Please ?

Offline

#34 2015-11-26 16:08:54

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

There is a AWID clone method that works with 26 bit cards already.  Not sure which method you are referring to. 

Also all the cade is open source, feel free to contribute.

Offline

#35 2015-12-01 07:06:57

aid1305
Contributor
Registered: 2015-11-11
Posts: 6

Re: AWID Key Tags

I downloaded new version 2.5.0 and I wasn't able to clone AWID.

[== Undefined ==]
proxmark3> lf t55xx config b 50 d t55xxdem i 0 o 0
Unknown modulation 't55xxdem'          
Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>]          
Options:          
       h                        This help          
       b <8|16|32|40|50|64|100|128>     Set bitrate          
       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A          
       i [1]                            Invert data signal, defaults to normal          
       o [offset]                       Set offset, where data should start decode in bitstream          
Examples:          
      lf t55xx config d FSK          - FSK demodulation          
      lf t55xx config d FSK i 1      - FSK demodulation, inverse data          
      lf t55xx config d FSK i 1 o 3  - FSK demodulation, inverse data, offset=3,start from position 3 to decode data          
proxmark3> 


proxmark3> lf t55xx write 0 00107060 
Unknown parameter '0'          
Usage:  lf t55xx wr [b <block>] [d <data>] [p <password>] [1]          
Options:          
     b <block>    - block number to write. Between 0-7          
     d <data>     - 4 bytes of data to write (8 hex characters)          
     p <password> - OPTIONAL password 4bytes (8 hex characters)          
     1            - OPTIONAL write Page 1 instead of Page 0          
Examples:          
      lf t55xx wr b 3 d 11223344            - write 11223344 to block 3          
      lf t55xx wr b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef          
proxmark3> 

I've done same steps with 2.4.0 and it worked fine.
Am I missing something or something wrong with 2.5.0 ?


I think Danz trying to say that we can add an option "AWID clone" like "Indala clone", cause now under AWID theres only Demodulate button ..

Offline

#36 2015-12-01 08:00:18

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: AWID Key Tags

if you actually read the help text, you will find what you did wrong...

Offline

#37 2015-12-01 16:02:07

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: AWID Key Tags

big_smile  big_smile  big_smile

Offline

#38 2015-12-03 15:25:20

felixhcat
Contributor
Registered: 2015-12-03
Posts: 4

Re: AWID Key Tags

I signed up just to thank you guys for how helpful this thread was in cloning a 50 bit AWID tag.

I did notice the weird block 2 bit-shifting issue with the raw 'lf search' output vs 'lf t55 dump'

Should I be watching out for this sort of thing more generally or is this an isolated issue? I'm gonna try building from source, perhaps you've had a chance to sort this out?

Anyway thanks for everything smile

Offline

#39 2015-12-03 18:11:34

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: AWID Key Tags

regarding the T55xx dump issue, my Pull Request on github now is done and it will get into a later release.  it will make the t55xx read commands MUCH more reliable.  however, there is always a chance of error.

Offline

#40 2016-03-31 19:07:04

bishop9
Contributor
Registered: 2016-03-31
Posts: 10

Re: AWID Key Tags

aid1305 wrote:

I downloaded new version 2.5.0 and I wasn't able to clone AWID.

[== Undefined ==]
proxmark3> lf t55xx config b 50 d t55xxdem i 0 o 0
Unknown modulation 't55xxdem'          
Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>]          
Options:          
       h                        This help          
       b <8|16|32|40|50|64|100|128>     Set bitrate          
       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A          
       i [1]                            Invert data signal, defaults to normal          
       o [offset]                       Set offset, where data should start decode in bitstream          
Examples:          
      lf t55xx config d FSK          - FSK demodulation          
      lf t55xx config d FSK i 1      - FSK demodulation, inverse data          
      lf t55xx config d FSK i 1 o 3  - FSK demodulation, inverse data, offset=3,start from position 3 to decode data          
proxmark3> 


proxmark3> lf t55xx write 0 00107060 
Unknown parameter '0'          
Usage:  lf t55xx wr [b <block>] [d <data>] [p <password>] [1]          
Options:          
     b <block>    - block number to write. Between 0-7          
     d <data>     - 4 bytes of data to write (8 hex characters)          
     p <password> - OPTIONAL password 4bytes (8 hex characters)          
     1            - OPTIONAL write Page 1 instead of Page 0          
Examples:          
      lf t55xx wr b 3 d 11223344            - write 11223344 to block 3          
      lf t55xx wr b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef          
proxmark3> 

I've done same steps with 2.4.0 and it worked fine.
Am I missing something or something wrong with 2.5.0 ?


I think Danz trying to say that we can add an option "AWID clone" like "Indala clone", cause now under AWID theres only Demodulate button ..


I was getting the same error, but then I noticed that we are using the wrong demodulation setting. This is an FSK2a. So i tried this:

lf t55xx config b 50 d FSK2a i 0 o 0

And then wrote the 4 blocks as shown above and that worked smile

Offline

#41 2016-04-03 00:13:51

ericlam2728
Contributor
Registered: 2015-09-26
Posts: 34
Website

Re: AWID Key Tags

Danz wrote:

Great, we should have an option to directly copy AWID based on this method in GUI ?
Please ?


Copying an AWID key is relatively easy already.

all you have to do is:

1. Run lf t55xx detect or lf t55xx config
2. Copy block 0 onto a t55xx card
3. run lf search
4. split the demodded output into three sections
5. write to other 3 blocks

Offline

#42 2016-04-03 18:11:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: AWID Key Tags

There is some dedicated AWID commands to use if you have the Facility Code and Card Number and the system is using wiegand 26bit,  the whole process becomes:

lf search -- get FC / CN
lf awid clone  yyy xxxx
lf search -- verify cloning went ok,

Offline

#43 2016-04-03 21:10:12

M&S
Contributor
Registered: 2015-12-15
Posts: 44

Re: AWID Key Tags

if Asper is busy atm, i could put the menu file somewhere with password so Asper can check then release to the forum. it has menu for AWID, pyramid and guard (may need to correct)

https://www.dropbox.com/s/lp9klmmrct3kq … u.gif?dl=0

Offline

#44 2016-04-03 23:39:18

M&S
Contributor
Registered: 2015-12-15
Posts: 44

Re: AWID Key Tags

tests with new command menu

******************************************
proxmark3> data askgproxiidemod 
G-Prox-II Found: FmtLen 36, FC 30, Card 10832

Clone manually with with R55wr is working
Direct clone failed perhaps iceman001 change  is not in top tof trunk yet.

*****************************************************************

proxmark3> lf awid clone 15 259
Preparing to clone AWID26 to T55x7 with FC: 15, CN: 259         
Blk | Data           
----+------------         
00 | 0x00107060         
01 | 0x011d817d         
02 | 0x11817111         
03 | 0x11111111         
proxmark3>
proxmark3> lf se
Reading 30000 bytes from device memory
Data fetched         
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag         
False Positives ARE possible
Checking for known tags:
AWID Found - BitLength: 26, FC: 15, Card: 259 - Wiegand: 1e0206, Raw: 011d817d1181711111111111         
Valid AWID ID Found!


******************************************

data fskpyramiddemod 
Pyramid ID Found - BitLength: 26, FC: 9, Card: 33278 - Wiegand: 21303fd, Raw: 000101010101010101010161980efb6e         
Checksum 6e passed         
proxmark3>
proxmark3> lf pyramid clone 9 33278
Preparing to clone Farpointe/Pyramid to T55x7 with Facility Code: 9, Card Number: 33278         
Blk | Data           
----+------------         
00 | 00107080         
01 | 00010101         
02 | 01010101         
03 | 01010161         
04 | 980efb6e         
proxmark3>
proxmark3> lf se
Reading 30000 bytes from device memory
Data fetched         
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag         
False Positives ARE possible
Checking for known tags:
Pyramid ID Found - BitLength: 26, FC: 9, Card: 33278 - Wiegand: 21303fd, Raw: 000101010101010101010161980efb6e         
Checksum 6e passed         
Valid Pyramid ID Found!         

------->>> Result

Direct clone command using parameters FC and CN  is working in AWID and Pyramid systems.

Offline

#45 2016-04-09 03:05:25

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: AWID Key Tags

proxmark3> lf awid clone 4000 2229977
Facility-Code Truncated to 8-bits (AWID26): 160         
Card Number Truncated to 16-bits (AWID26): 1753         
Preparing to clone AWID26 to T55x7 with FC: 160, CN: 1753         
Blk | Data           
----+------------         
00 | 0x00107060         
01 | 0x011d8b11         
02 | 0x17772111         
03 | 0x11111111         
proxmark3>
proxmark3> lf se
Reading 30000 bytes from device memory
Data fetched         
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag         
False Positives ARE possible
Checking for known tags:
AWID Found - BitLength: 26, FC: 160, Card: 1753 - Wiegand: 1400db2, Raw: 011d8b111777211111111111         
Valid AWID ID Found!

AWID needs one more parameter, for 50-bit format RBH this clone is not correct.

Also hand mapping result for FC=4000, CN=2229977 is


block1=0x0128817E
block2=0x41111218
block3=0x17772111

Last edited by ntk (2016-05-14 22:48:41)

Offline

#46 2016-04-09 06:04:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: AWID Key Tags

The awid commands handle currently 26-bit format.  Feel free to add the 50-bit variant to the code

Offline

#47 2016-05-14 21:41:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: AWID Key Tags

I added the AWID 50 format length support in the

   'LF AWID SIM'
   'LF AWID CLONE'
   'LF AWID BRUTE'

pm3 --> lf aw clone h
Enables cloning of AWID card with specified facility-code and card number onto T55x7.
The T55x7 must be on the antenna when issuing this command.  T55x7 blocks are calculated and printed in the process.

Usage:  lf awid clone <format> <facility-code> <card-number>
Options :
  <format>        :  format length 26|50
  <facility-code> :  8|16bit value facility code
  <card number>   :  16|32-bit value card number
  Q5              :  optional - clone to Q5 (T5555) instead of T55x7 chip

Samples
       lf awid clone 26 224 1337
       lf awid clone 50 2001 13371337

Offline

#48 2017-10-16 18:54:51

Blackhawks
Contributor
Registered: 2017-09-20
Posts: 21

Re: AWID Key Tags

hkplus wrote:

If this is 50 bit AWID RBH format, then the FC would be 4000 and the ID would be 2229977.

I am sorry for resurrecting a 2-year old post, but how did you figure this out using the following data:

AWID Found - BitLength: 50 -unknown BitLength- (1753) - Wiegand: 1f4000440db2, R
aw: 128817e4111121817772111

B.

Offline

#49 2017-10-30 23:06:05

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: AWID Key Tags

Blackhawks wrote:
hkplus wrote:

If this is 50 bit AWID RBH format, then the FC would be 4000 and the ID would be 2229977.

I am sorry for resurrecting a 2-year old post, but how did you figure this out using the following data:

AWID Found - BitLength: 50 -unknown BitLength- (1753) - Wiegand: 1f4000440db2, R
aw: 128817e4111121817772111

B.

There is a sticky post describing the lower level encoding of a AWID card.  You take the Hexidecimal data, convert it to binary and plug this data into the AWID encoding example.  From this you can extract the ID.  I would have to look back again to give you an example...

Offline

#50 2017-10-31 02:29:28

Blackhawks
Contributor
Registered: 2017-09-20
Posts: 21

Re: AWID Key Tags

hkplus wrote:
Blackhawks wrote:
hkplus wrote:

If this is 50 bit AWID RBH format, then the FC would be 4000 and the ID would be 2229977.

I am sorry for resurrecting a 2-year old post, but how did you figure this out using the following data:

AWID Found - BitLength: 50 -unknown BitLength- (1753) - Wiegand: 1f4000440db2, R
aw: 128817e4111121817772111

B.

There is a sticky post describing the lower level encoding of a AWID card.  You take the Hexidecimal data, convert it to binary and plug this data into the AWID encoding example.  From this you can extract the ID.  I would have to look back again to give you an example...

Looking at the master AWID_FSK 26-bit layout, do I:

1. Take the 8 character hexadecimal from Block 1 (or the first 8 hexadecimal from Raw source) and convert it to binary?
2. Will this give me 32 binary bits?
3. If so, do I take bits 21,22,23,25,26,27,29,30 (from Block 1) to make my 8 bit binary FC?
4. Then do I convert this 8 bit binary to decimal giving me a decimal FC?

B.

Offline

Board footer

Powered by FluxBB