Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2016-04-30 21:37:34

ntk
Contributor
Registered: 2015-05-24
Posts: 701

[abandoned] I have got something for Marshmellow...

Intrigued by a question of a user, I did a small experiment and found the small difference described at the end of this msg.

We know
HID 35bit Corporate 1000
field   bit   positions
SC            3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
CN            15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34
E       2     3, 4, 6, 7, 9, 10, 12, 13, 15, 16, 18, 19, 21, 22, 24, 25, 27, 28, 30, 31, 33, 34
O       35    2, 3, 5, 6, 8, 9, 11, 12, 14, 15, 17, 18, 20, 21, 23, 24, 26, 27, 29, 30, 32, 33
O       1     2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35

When we run lf search on this tag we get:
HID Prox TAG ID: 2e29a5fb91 (64968) - Format Len: 35bit - FC: 333 - Card: 196040
Valid HID Prox ID Found!

The question is: how to calculate the tag's internal CN?
There are two methods.

Method A
If we use the result from lf search, the TAG ID in HEX is 2e29a5fb91 (Hmmm... why does nobody ask about these 38 bits!); converted to bin it is: 10111000101001101001011111101110010001
drop the last bit (1)
count back 20 bits: 00101111110111001000
take the above bin string and convert it to DEC ----> CN=196040


Method B
If we look in the mapping Excel file, https://www.dropbox.com/s/pptw22qjr00lj … e.jpg?dl=0 (and please also pay attention to what is supposed to make up OP2), the Wiegand 35-bit sequence (OP1 + EP1 + 12 bits from FC + 20 bits from CN + OP2 makes 35 bits) is 01000101001101001011111101110010000 (converted to HEX: 229A5FB90). Drop the last bit, count back 20 bits, copy that 20-bit string and turn it into DEC ---> we have CN=196040

Why 38 bits in this environment? If we iron out this small difference, could we solve ... anything new?

	#include <stdint.h>
	#include <stdio.h>
	//stand-in for the PM3 client's PrintAndLog so this fragment compiles on its own
	#define PrintAndLog(fmt, ...) printf(fmt "\n", __VA_ARGS__)

	//wrapper added around the quoted fragment: hi = top 6 bits, lo = low 32 bits of the 38-bit ID
	void hidDecode(uint32_t hi, uint32_t lo) {
		uint32_t fmtLen = 0, fc = 0, cardnum = 0;
		if (((hi>>5)&1)==1){//if bit 38 is set then < 37 bit format is used
			uint32_t lo2=0;
			lo2=(((hi & 31) << 12) | (lo>>20)); //get bits 21-37 to check for format len bit
			uint8_t idx3 = 1;
			while(lo2>1){ //find last bit set to 1 (format len bit)
				lo2=lo2>>1;
				idx3++;
			}
			fmtLen =idx3+19; //marker at bit 21..37 means format length 20..36
			fc =0;
			cardnum=0;
			if(fmtLen==26){ //8 bit FC, 16 bit CN
				cardnum = (lo>>1)&0xFFFF;
				fc = (lo>>17)&0xFF;
			}
			if(fmtLen==34){ //16 bit FC, 16 bit CN
				cardnum = (lo>>1)&0xFFFF;
				fc= ((hi&1)<<15)|(lo>>17);
			}
			if(fmtLen==35){ //Corporate 1000: 12 bit FC (bits 3-14), 20 bit CN (bits 15-34)
				cardnum = (lo>>1)&0xFFFFF;
				fc = ((hi&1)<<11)|(lo>>21);
			}
		}
		else { //if bit 38 is not set then 37 bit format is used
			fmtLen = 37;
			fc = 0;
			cardnum = 0;
			if(fmtLen == 37){ //always true here: 16 bit FC, 19 bit CN
				cardnum = (lo>>1)&0x7FFFF;
				fc = ((hi&0xF)<<12)|(lo>>20);
			}
		}
		//the number in brackets is always the low 16 bits of (lo>>1), not the decoded CN
		PrintAndLog("HID Prox TAG ID: %x%08x (%d) - Format Len: %dbit - FC: %d - Card: %d",
			(unsigned int) hi, (unsigned int) lo, (unsigned int) (lo>>1) & 0xFFFF,
			(unsigned int) fmtLen, (unsigned int) fc, (unsigned int) cardnum);
	}

	int main(void) {
		hidDecode(0x2e, 0x29a5fb91); //the tag from lf search above
		return 0;
	}

(If only I could understand this program part for a start ... then I could modify PM3 to also cover HID types 27, 31, 32, 33, 35, 36, 40, 48, 50, 75, 107 and 128 bit; and I would add PM3 SW cover for AWID RBH types 50 bit and 64 bit too - although I never saw them, apart from the one and only HID PROXII that came with PM3... - I could check the Indala part, and anything using the concept of FC and CN ... and perhaps implement a public control function warning of this fault... What an insane dream)

Now we concentrate on the two HEX numbers:
2e29a5fb91 (the TAG ID)
229A5FB90 (the 35-bit Wiegand sequence)

What can we see?

Last edited by ntk (2016-05-08 12:40:34)

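As an added example, not code from the post or from the Proxmark3 client, the C program below does for the 35-bit case what the quoted fragment does, but on the 38-bit ID as one 64-bit value, and then checks the three parity bits against the table at the top of the post; it is fed the TAG ID 2e29a5fb91 from lf search and the 35-bit Method B sequence 229A5FB90. All type and function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Decoded Corporate 1000 word; bit 1 is the leftmost bit, as in the table above */
typedef struct {
    uint32_t fc, cn;             /* FC = bits 3..14, CN = bits 15..34 */
    bool op1_ok, ep_ok, op2_ok;  /* parity bits 1, 2 and 35 agree with the data */
} c1k_t;
/* Bit n (1-indexed from the left) of a 35-bit word */
static int bit35(uint64_t w, int n) { return (int)((w >> (35 - n)) & 1); }
/* Ones at positions lo..hi, skipping every k with k % 3 == skip (skip < 0: all);
   the E and O rows of the table are exactly these every-third-bit patterns */
static int ones(uint64_t w, int lo, int hi, int skip) {
    int n = 0;
    for (int k = lo; k <= hi; k++)
        if (skip < 0 || k % 3 != skip) n += bit35(w, k);
    return n;
}
/* Format length as the quoted code finds it: bit 38 set => highest marker bit in 21..37, clear => 37 (0 = none) */
static int hid_fmt_len(uint64_t raw) {
    if (!((raw >> 37) & 1)) return 37;
    for (int b = 36; b >= 20; b--)
        if ((raw >> b) & 1) return b;  /* 0-indexed marker position == format length */
    return 0;
}
/* FC, CN and the three parity checks of a 35-bit word */
static void c1k_check(uint64_t w, c1k_t *out) {
    out->fc = (uint32_t)((w >> 21) & 0xFFF);
    out->cn = (uint32_t)((w >> 1) & 0xFFFFF);
    out->op1_ok = (ones(w, 1, 35, -1) & 1) == 1;                  /* O 1: odd over all bits */
    out->ep_ok  = ((bit35(w, 2) + ones(w, 3, 34, 2)) & 1) == 0;   /* E 2: even over 3,4,6,7,... */
    out->op2_ok = ((bit35(w, 35) + ones(w, 2, 33, 1)) & 1) == 1;  /* O 35: odd over 2,3,5,6,... */
}
/* Decode the ID as lf search prints it (hi = top 6 bits, lo = low 32 bits); bits 36..38 are framing only */
static bool c1k_from_tag_id(uint32_t hi, uint32_t lo, c1k_t *out) {
    uint64_t raw = ((uint64_t)hi << 32) | lo;
    if (hid_fmt_len(raw) != 35) return false;
    c1k_check(raw & ((1ULL << 35) - 1), out);
    return true;
}
int main(void) {
    c1k_t r;
    if (c1k_from_tag_id(0x2e, 0x29a5fb91, &r))  /* TAG ID 2e29a5fb91 from lf search above */
        printf("tag:      FC %u CN %u OP1 %d EP %d OP2 %d\n", r.fc, r.cn, r.op1_ok, r.ep_ok, r.op2_ok);
    c1k_check(0x229A5FB90ULL, &r);              /* the 35-bit sequence from Method B */
    printf("method B: FC %u CN %u OP1 %d EP %d OP2 %d\n", r.fc, r.cn, r.op1_ok, r.ep_ok, r.op2_ok);
    return 0;
}
```

Run it and compare the OP1/EP/OP2 columns for the two HEX numbers the post ends with.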
