From the following discussions, where @hexa3e8 had a Jablotron system.
REF: www.proxmark.org/forum/viewtopic.php?id=3332&p=1
REF: http://www.proxmark.org/forum/viewtopic.php?id=3387
I've implemented a command set for it: "LF JABLOTRON"
pm3 --> lf jablotron
help This help
read Attempt to read and extract tag data
clone clone jablotron tag
sim simulate jablotron tag
pm3 --> lf jablotron clone h
clone a Jablotron tag to a T55x7 tag.
Usage: lf jablotron clone [h] <card ID> <Q5>
Options:
h : This help
<card ID> : jablotron card ID
<Q5> : specify write to Q5 (t5555 instead of t55x7)
Sample: lf jablotron clone 112233
pm3 --> lf jablotron sim h
Enables simulation of jablotron card with specified card number.
Simulation runs until the button is pressed or another USB command is issued.
Usage: lf jablotron sim [h] <card ID>
Options:
h : This help
<card ID> : jablotron card ID
Sample: lf jablotron sim 112233
pm3 --> lf jablotron clone 101630
Preparing to clone Jablotron to T55x7 with FullCode: 101630
Blk | Data
----+------------
00 | 0x00158040
01 | 0xffff0000
02 | 0x1016306c
pm3 -->
pm3 --> lf search
Reading 30000 bytes from device memory
Data fetched
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
Jablotron Tag Found: Card ID 101630
Raw: FFFF00001016306C
Checksum: 6C [OK]
Printed: 1410-00-0010-1630
Valid Jablotron ID Found!
[edit] changed the output and corrected it here also.
Offline
... Although I had followed, mid-way I have not understood well your sorts of revenge's number experiments then I lost it ...
Tag is reported as Nedap or Non-Nedap, have symmetry in the hex ID ... Now uses Reserved Modulation and not bi-phase and tag still function well...
Very interesting... Will play with it this weekend.
Thanks for the great work iceman, Marshmellow and hexa3e8 for an interesting study on a new tag/card type
Last edited by ntk (2016-08-01 17:21:32)
Offline
The confusing part is that NEDAP has Biphase modulation, and a preamble of 1111110
where JABLOTRON has Diphase (inverted biphase) and a preamble of 1111 1111 1111 1111 0
The nedap parity checks should (when imp correct) have detected a failure. It also did.
Nedap has 128bit
Jablotron has 64bit.
That's why it was so confusing.
Credit goes to @hexa3e8 as well.
Offline
I have to say again, A big thumbs up for marshmellow and iceman! Great to have a new fork. I have tested the new version.
I post my comments below here. I hope my remarks are understandable.
-lf search [works great, card recognised]
-Is it possible to make the command shorter? lf jab instead of jablotron (especially after testing )
-lf read I see printed: 1410-00-0010-1630 [is correct]
the card ID = 101630 [that is right, but the system thinks card id=14100000101630 maybe print:systemnumber:14100000101630 , so print also without the -] or something similar.
-lf jablotron sim
pm3 --> lf jablotron read
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
Jablotron Tag Found: Card ID 101630
Raw: FFFF00001016306C
Checksum: 6C [OK]
Printed: 1410-00-0010-1630
Usage: lf jablotron sim h <card ID>
Options:
h : This help
<card ID> : jablotron card ID
Sample: lf jablotron sim d 112233
lf jablotron sim d 101630 [does not work when Card ID found is used like this] number becomes: 14100000000013
should the card iD be like 0000101630?
test: same result --> 14100000000013
I think card ID can be up to 10 digits? (that test is on another post)
In the text in post above here it says: Sample : lf jablotron sim d 123456789
but when I perform:
lf jablotron sim help
I see: Sample: lf jablotron sim d 112233
Does this mean we have to use hex instead of the found card ID? Not really sure, but it looks different to me. The Card-ID doesn't work.
so far some results. I will test later the clone function.
Offline
the sim function has a bug in the implementation
try `lf jab sim 18CFE`
i assume iceman will find and fix it soon
Last edited by marshmellow (2016-07-29 19:29:36)
Offline
the reader responds with: 14100000019364
I have no doubts iceman will solve it.
Last edited by hexa3e8 (2016-07-29 19:33:24)
Offline
clone has the same bug
Offline
the reader responds with: 14100000019364
Thanks!
Last edited by marshmellow (2016-07-29 19:47:11)
Offline
I noticed it, so I wait with testing clone function.
Offline
@marshmellow, it is early in the afternoon in your location? here the evening starts and the weekend begins... so some more time for the forum.
Offline
The cardID is a hex, but you can only use 0-9 instead of normal 0-F..
so the clone or sim will happily take the HEX, but the valid reader will not recognise it.
lf jab clone 292829 should be fine
lf jab clone 2f2829 should fail
Offline
the bug is that the help shows a d in front of the data in the example/sample and there should not be one.
try `lf jab sim 101630`
Last edited by marshmellow (2016-07-29 19:50:00)
Offline
lf jab clone 292829 works on t55xx card. reader output --> 14100000292829
lf jab sim 101630 works, reader output --> 14100000101630
Offline
@marshmellow, it is early in the afternoon in your location? here the evening starts and the weekend begins... so some more time for the forum.
looks like we will have to find a new tag type to discover as this one is pretty well put to bed.
Offline
Ok, fixed. The help text has been changed. Pull the changes and try
And thanks for pointing it out!
Offline
Totally smashed. I have some more tags which I can donate to the forum but it could be that it is my knowledge (or the lack of it) or the tag isn't completely uncovered.(sort of) I have posted some about HT2 tag. a paxton. After finishing the jablotron I will focus again on that one.
I will update it right away.
Offline
@hexa3e8, once you're hitting that big wave just ride it bro. Like a champ.
Jablotron is quite done, just the minor hex over wrapping of values @marshmellow42 mentioned in the other thread.
Go wild with the HT2 tag or Paxton.
I've updated the first post, to reflect the changes done.
And your idea of the printing id, was it in another way you wanted it? Do you have a picture of the tag?
Offline
lf jab sim 101630
reader output: 14100000101630
lf jab sim 12101630
so a longer number works: 14100012101630
lf jab sim 1212101630
also works: 14101212101630
lf jab clone 1212101630
reader responds the same as the previous one.
works extremely easy now!
Offline
I guess it is perfect! Especially the clone function, too easy now.
You guys Rock!
@iceman , Thinking of it, I like it the way you created it. just leave it as it is. the printed number on the card is exactly the way you present it.
Jablotron Tag Found: Card ID 294467
Raw: FFFF0000294467EE
Checksum: EE [OK]
Printed: 1410-00-0029-4467
All the info a person would need is in here.
Wonderful!
Offline
I changed the demod printing to deal with the hex number,
It shows card id right, the raw bytes are right, and checksum is still calc over raw bytes (has to be verified)
Jablotron Tag Found: Card ID 294485
Raw: FFFF000029447FD6 <<--- difference here
Checksum: D6 [OK]
Printed: 1410-00-0029-4485
Meaning that we can call clone/sim with raw hex bytes (from a sniff?) or cardid from a printed badge.
Offline
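Added example, not part of any post in this thread and not the Proxmark client's code: a decoder for the 64-bit frame as the thread describes it (sixteen 1 bits then a 0, ID nibbles that a genuine reader expects to be 0-9, one checksum byte). The checksum rule (sum of the five ID bytes, XOR 0x3A) is an assumption chosen because it reproduces the three checksums shown in the read outputs above; the struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one 64-bit Jablotron frame (names are this example's own). */
typedef struct {
    int preamble_ok;   /* 16 one-bits followed by a zero bit */
    int checksum_ok;   /* low byte equals the recomputed checksum */
    int digits_ok;     /* every ID nibble is 0-9 */
    uint64_t card_id;  /* ID nibbles weighted as decimal digits */
    uint8_t checksum;  /* recomputed checksum */
} jablotron_frame;

/* Assumed rule, not stated in the thread: sum of the five ID bytes, XOR 0x3A. */
static uint8_t jablotron_checksum(uint64_t raw) {
    uint8_t sum = 0;
    for (int shift = 40; shift >= 8; shift -= 8)
        sum = (uint8_t)(sum + (uint8_t)(raw >> shift));
    return (uint8_t)(sum ^ 0x3A);
}

static jablotron_frame jablotron_decode(uint64_t raw) {
    jablotron_frame f = {0};
    f.preamble_ok = (raw >> 47) == 0x1FFFE;
    f.checksum = jablotron_checksum(raw);
    f.checksum_ok = f.checksum == (uint8_t)raw;
    f.digits_ok = 1;
    /* Ten ID nibbles sit in bits 47..8, most significant first. */
    for (int shift = 44; shift >= 8; shift -= 4) {
        unsigned nibble = (unsigned)(raw >> shift) & 0xF;
        if (nibble > 9)
            f.digits_ok = 0;  /* clone/sim accept it, a valid reader will not */
        f.card_id = f.card_id * 10 + nibble;
    }
    return f;
}

int main(void) {
    /* The three raw values printed in the thread's read outputs. */
    const uint64_t samples[] = {0xFFFF00001016306CULL, 0xFFFF0000294467EEULL,
                                0xFFFF000029447FD6ULL};
    for (int i = 0; i < 3; i++) {
        jablotron_frame f = jablotron_decode(samples[i]);
        printf("%016llX id=%llu preamble=%d checksum=%02X(%s) digits=%s\n",
               (unsigned long long)samples[i], (unsigned long long)f.card_id,
               f.preamble_ok, f.checksum, f.checksum_ok ? "OK" : "BAD",
               f.digits_ok ? "0-9" : "non-decimal");
    }
    return 0;
}
```

The third sample passes the checksum but is flagged as non-decimal, which is the case where a correct checksum alone does not tell you the ID is one a reader would accept.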
pulled and tested, now also with the new raw data.
(search,read,sim and clone work perfect)
A fun thing I noticed is that the reader takes a longer time to respond, like an extra sec and I have to be much closer to the reader before it finally beeps when I use the "lf sim FFFF00001016306C" command (with the raw data) compared to the "lf jab sim 101630" command. The reader reacts but the lf jab sim command seems a lot stronger signal. (Does that sound plausible by the way both commands work?)
the "lf simask c 64 i b d FFFF00001016306c" works as fast as the "lf jab sim 101630" command.
Offline
In the code behind, "lf jab sim" uses "lf simask" function. They should execute in the same time.
but the "lf sim" I don't know why it seems to send a bad signal. Maybe @marshmellow knows? He re-wrote a lot of it.
Offline
I believe you misunderstand what `lf sim` does.
lf sim doesn't take a raw data parameter. it only attempts to simulate a read tag from the buffer so you must read a tag first then attempt to simulate it. (it tries to mimic the read waveform without understanding it)
it works pretty well with strong ask tag reads, but not so well with fsk or psk (sometimes works with fsk). if you have the raw data you must use the specific modulation and encoding sim cmd.
Last edited by marshmellow (2016-07-30 03:15:32)
Offline
That makes sense. I tried to use the RAW data to test, since it was changed, but because lf jab sim and clone work fine (you don't need the RAW for that) I thought let's use the lf sim function. My mistake. If I am right we don't need the RAW data anymore to (re)produce cards (since the sim and clone function is perfect). It is there for the total picture, right?
The title of the post is finished. I totally agree. If I encounter some problems or have some new findings about jablotron I will let you guys know. Now I am waiting for my batteries from China so I can use the proxmark3 without a PC, to put it in the sim mode and experience some adventures.
Offline
Didn't HID have this same number format for its HID Clock & Data / H10320 format? Where hex only can contain 0-9 ?
Offline
yes clock & data format uses a hex number as a decimal, but it errors if the value doesn't conform (0-9) and it has multiple parities. (Clock & Data is a common transmission protocol used often instead of Wiegand)
Last edited by marshmellow (2016-08-01 15:42:25)
Offline