Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device!


#26 2015-07-10 18:52:05

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 1,773

Re: IDTECK 125 kHZ tags

definitely PSK RF/32, RF/2 and 64 bits.  are there numbers on the tag?

Last edited by marshmellow (2015-07-10 18:53:09)

Offline

#27 2015-07-10 18:57:06

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 1,773

Re: IDTECK 125 kHZ tags

Use PSK1 and get following blocks:
block#0  00081040
block#1  5769D58C
block#2  DFD76D77

would be a valid attempt to clone to a t55x7.  (though the starting point for the repeating data is likely wrong to figure out the meaning of the bits)

Last edited by marshmellow (2015-07-10 18:57:23)

Offline

#28 2015-07-10 19:38:27

Lenox
Contributor
Registered: 2015-01-29
Posts: 40

Re: IDTECK 125 kHZ tags

The number :
11103 036 10359

Offline

#29 2015-07-10 21:50:01

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 1,773

Re: IDTECK 125 kHZ tags

hmmm. i am not seeing an easy correlation between the bits and the printed ID..

Offline

#30 2015-07-11 04:55:21

Lenox
Contributor
Registered: 2015-01-29
Posts: 40

Re: IDTECK 125 kHZ tags

It is working. Thanks.

Offline

#31 2015-07-11 14:59:33

iceman
Administrator
Registered: 2013-04-25
Posts: 3,138
Website

Re: IDTECK 125 kHZ tags

What do you say @marshmellow?  time for a "IDTECK 125 kHZ tag" demod ?  ;)


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#32 2015-07-11 19:43:16

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 1,773

Re: IDTECK 125 kHZ tags

If we knew how to decode the bits...  But we don't...  We can't even identify the correct preamble, or starting point.

Offline

#33 2016-02-18 00:04:54

TiX
Member
Registered: 2013-06-17
Posts: 8

Re: IDTECK 125 kHZ tags

Any good news about idteck cloning/decoding?

Offline

#34 2016-02-18 06:05:40

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 1,773

Re: IDTECK 125 kHZ tags

Should be possible.  No direct demodulation is currently built though.  If you have a tag to share and could run a couple tests on it we might get closer to a full demod.

Offline

#35 2016-02-29 13:39:43

TiX
Member
Registered: 2013-06-17
Posts: 8

Re: IDTECK 125 kHZ tags

Yep, got proxmark updated to latest revisions and ready for experiments :)

What do you need firstly?

Offline

#36 2016-02-29 13:55:23

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 1,773

Re: IDTECK 125 kHZ tags

You could start with 'lf search u'. And post the results.

Offline

#37 2016-02-29 14:18:50

TiX
Member
Registered: 2013-06-17
Posts: 8

Re: IDTECK 125 kHZ tags

I'm sorry :) actually I've moved to another company and as wall readers are from idteck I thought cards are also idteck.. but found that they are EM410 :( So no experiments with idteck for now :( sorry

Offline

#38 2016-02-29 15:10:10

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 1,773

Re: IDTECK 125 kHZ tags

don't be sorry.   most of the tags i've seen for idteck have been the EM410x format.  some, however, are not the normal bit rate or are weak keyfobs so they sometimes are more difficult for the older auto demods to read, making many think there is a separate format for them.  recent firmware made this less of a problem.  (there also seems to be a PSK version of idteck)

it is good to confirm the EM410x format works on some idteck readers.  if you want to do me a favor just try a `lf t55xx detect` on the tag and if it finds something post it.  (might get the full chip configuration - depending on the chip and if it is pwd protected)

also if you could post the results of `data detectclock a`  for me.  (to verify the clock - standard em410x should be 64)

and do you have a model # for the readers?

Last edited by marshmellow (2016-02-29 15:13:03)

Offline

#39 2016-02-29 15:30:37

TiX
Member
Registered: 2013-06-17
Posts: 8

Re: IDTECK 125 kHZ tags

First part:

proxmark3> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
proxmark3> data detectclock a
Auto-detected clock rate: 64, Best Starting Position: 0
proxmark3>

Offline

#40 2016-05-13 08:20:17

hm
Member
Registered: 2016-05-13
Posts: 2

Re: IDTECK 125 kHZ tags

So I have an IDTECK card; as I have been told, it's IDC80.
The printed ID on card is: I1507 128 00772
Need to replicate it to a t5557. Can't seem to get things right. Posted my logs in following links, if someone could have a look and see what's wrong?
HW Version: https://www.dropbox.com/s/j6ae7e4tx067235/HWVersion.txt?dl=0
Investigate LF: https://www.dropbox.com/s/yy0bmlwbogx8b3e/InvestigateLF.txt?dl=0
Investigated: https://www.dropbox.com/s/5qu4b0nsing21pm/investigated.txt?dl=0
LF55xxdetect: https://www.dropbox.com/s/6fmf1g14v5dgc7y/Lf55xxdetect.txt?dl=0
ReadLF: https://www.dropbox.com/s/qm6ca86iepwnq77/ReadLF.txt?dl=0
SearchLF: https://www.dropbox.com/s/y3wghrmmhlqygpf/SearchLF.txt?dl=0
IfSearch1U: https://www.dropbox.com/s/wdp2eat2nhr1nvx/lfsearchu1.txt?dl=0

Offline

#41 2016-05-13 09:38:19

iceman
Administrator
Registered: 2013-04-25
Posts: 3,138
Website

Re: IDTECK 125 kHZ tags

try a 

-lf se u
-data rawde p1

and you will see a raw hex output,   some earlier posts have the block0, needed when making a clone on t55x7.

you need to find the repeating pattern,  so everything you need is in this thread.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#42 2016-05-13 18:17:42

ntk
Contributor
Registered: 2015-05-24
Posts: 483

Re: IDTECK 125 kHZ tags

As iceman already told you, you should see here a repeating pattern of 2 data blocks, psk1 demodulation type, I can see similar what he saw.

The configuration data for block 0 should be in the threads somewhere, you can search with keys IDteck or Gotus. There is not much reading so don't be shy.

(If can not come forward, still can ring the bell at the upper right corner.)

Offline

#43 2017-01-11 05:24:04

lonewolf
Contributor
Registered: 2016-09-03
Posts: 17

Re: IDTECK 125 kHZ tags

I would love to get a demod for this card, but it seems it won't be easy :(  I have a number of cards if someone can crack the encryption.  They're 64-bit cards, with 32 bits fixed.  All of these are DoorKing (DKS) branded, with the 410 and I1605 sets being different groups of IDC170's, and the I1407 is a IDK50.  I aligned them so the fixed 32 bits are first, though for all I know it can be 16+32+16 or 8+32+24 or whatever.

data rawdemod p1:
01001001010001000101010001001011 11000101100011011000001001010000    410-192-18710
01001001010001000101010001001011 01111101110011101101111001100001    410-192-18711
01001001010001000101010001001011 10011111000100100110101110111010    410-192-18713
01001001010001000101010001001011 00010101011010000010010110111011    410-192-18714
01001001010001000101010001001011 01010001100110101010010101011111  I1407-005-31920
01001001010001000101010001001011 01011110110100100011000110101100  I1605-152-01926
01001001010001000101010001001011 00111001100110000101001100111001  I1605-152-01927
01001001010001000101010001001011 10000010101100110100101011001001  I1605-152-01928
01001001010001000101010001001011 00100110101000110000101000110001  I1605-152-01929
01001001010001000101010001001011 10111011001011001000010010001100  I1605-152-01930
01001001010001000101010001001011 01011100111100110000101111110101  I1507-128-00772 (from hm's post)
01001001010001000101010001001011 00010101001110011001000000010100  I1103-036-10359 (from Lenox's post)

Raw card data: http://guyver-i.hacker-nin.com/pm3/idtk-cards.tar.bz2

t55xx for the above would be:
block#0  00081040
block#1  4944544B
block#2  xxxxxxxx

(Side note, if you look up 4944544B it's "IDTK", so it's almost certainly 32+32 format)

Last edited by lonewolf (2017-01-11 18:20:49)

Offline

#44 2017-01-11 09:09:10

iceman
Administrator
Registered: 2013-04-25
Posts: 3,138
Website

Re: IDTECK 125 kHZ tags

@lonewolf,  the IDTK is a good find, strange that I can't find it in @hm's trace.  But that is an IDC80 tag.
Since yr numbers follow sequence and the corresponsive 32bits are totally different, I say some kind of encryption going on.
There is no parity in your samples either.  Do you get the same IDTK pattern if you decode as PSK2 ?

-----------------
IDTEC,   preamble = 0x4944544B,  psk1, 64bits. 
Should be able to identify IDC170, IDK50 tags with it.  Easy clone/sim as well.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#45 2017-01-11 16:52:53

lonewolf
Contributor
Registered: 2016-09-03
Posts: 17

Re: IDTECK 125 kHZ tags

iceman wrote:

@lonewolf,  the IDTK is good find, strange that I can't find it @hm 's trace.

While looking at my captures, I discovered that if there's a DC offset then "rawdemod p1" inverts all the bits.

10110110101110111010101110110100 10100011000011001111010000001010 - hm's original trace (after shifting for alignment)
01001001010001000101010001001011 01011100111100110000101111110101 - hm's trace after a "data hpf" ("data norm" also works)
01001001010001000101010001001011 01001001010001000101010001001011 - my 410-192-18714

My data with "data rawdemod p2"
01101101111001100111111001101110 00100111010010110100001101111000 410-192-18710
11101101111001100111111001101110 11000011001010011011000101010001 410-192-18711
01101101111001100111111001101110 01010000100110110101111001100111 410-192-18713
11101101111001100111111001101110 10011111110111000011011101100110 410-192-18714
11101101111001100111111001101110 11111001010101111111011111110000 I1407-005-31920
01101101111001100111111001101110 11110001101110110010100101111010 I1605-152-01926
11101101111001100111111001101110 10100101010101000111101010100101 I1605-152-01927
11101101111001100111111001101110 01000011111010101110111110101101 I1605-152-01928
11101101111001100111111001101110 10110101111100101000111100101001 I1605-152-01929
01101101111001100111111001101110 01100110101110101100011011001010 I1605-152-01930

A manual review of the graphs ("data plot") agrees with the above ones/zeros as the first bit.  Unless the format is 31+33 it's not p2.

From a PDF:

IDC170 is pre-programmed at the factory with a unique encryption code and it has very flexible data format to meet any customer's requirement and any OEM format up to 64 bit ID is also available. It can be supplied without code and the customer can write their unique code by using STAR PGM1000 Programming Devices with Programming software.

I edited my other post, adding hm's and Lenox's cards (after inverting) and a download link to the card data.

Last edited by lonewolf (2017-01-11 18:34:25)

Offline

#46 2017-01-11 23:57:40

iceman
Administrator
Registered: 2013-04-25
Posts: 3,138
Website

Re: IDTECK 125 kHZ tags

I've made a demod for it and hooked it up in 'lf search'
even if it has to invert,  it still gets the same raw block1.

pm3 --> da load traces/idtec/card-410-192-18710-shifted.pm3
loaded 29272 samples
pm3 --> lf se  1
Checking for known tags:

IDTECK Tag Found: Card ID 0 ,  Raw: 4944544BC58D8250

Valid Idteck ID Found!
pm3 --> da load traces/idtec/card-410-192-18711-shifted.pm3
loaded 28720 samples
pm3 --> lf se  1
Checking for known tags:

IDTECK Tag Found: Card ID 0 ,  Raw: 4944544B7DCEDE61

Valid Idteck ID Found!
pm3 --> da load traces/idtec/card-I1407-005-31920-shifted.pm3
loaded 28890 samples
pm3 --> lf se  1
Checking for known tags:

IDTECK Tag Found: Card ID 0 ,  Raw: 4944544B519AA55F

Valid Idteck ID Found!
pm3 -->

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#47 2017-01-12 05:49:24

lonewolf
Contributor
Registered: 2016-09-03
Posts: 17

Re: IDTECK 125 kHZ tags

And to verify, I wrote hm's tag in 4944544B 5CF30BF5 format to a t55xx tag (0/00081040 1/4944544B 2/5CF30BF5) and my Star RF20 reader read it just fine.  Writing the tag was annoying though as I always verify the written data, and while blocks 0 and 1 were writing fine block 2 always returned A30CF40A and was driving me nuts until I realized the read was inverting lol

Reader Wiegand output for written t55xx tag (P 128 00772 P):
wg-out.png

Now the question is, do I tear my reader apart (ugh, de-potting) and try to dump the code to figure out the encryption routine, or do I call it quits here?  Would the routine be added to the demod if I do figure it out?

Offline

#48 2017-01-12 08:38:32

iceman
Administrator
Registered: 2013-04-25
Posts: 3,138
Website

Re: IDTECK 125 kHZ tags

Maybe another block0 which doesn't invert?

You should be able to use the "lf t55xx" commands to dump the t55x7 data. 

The block2 could be xored, encrypted or scrambled.  If you figure it out, I'll add it to the demod.

[edit] saw yr ref to unique encryption code.  I think you can find the encryption by looking at the software referenced


modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#49 2017-01-13 04:12:44

lonewolf
Contributor
Registered: 2016-09-03
Posts: 17

Re: IDTECK 125 kHZ tags

I think you misunderstood what I was saying.  Inverted bit set or not, shouldn't a "lf t55xx read" command done after a "lf t55xx write" return the value as written?  When writing a blank t55xx tag I'm seeing:

proxmark3> lf t55 detect
Chip Type  : T55x7
Modulation : ASK
Bit Rate   : 2 - RF/32
Inverted   : No
Offset     : 32
Seq. Term. : Yes
Block0     : 0x000880E8

proxmark3> lf t55 write b 0 d 0x00081040
Writing page 0  block: 00  data: 0x00081040

proxmark3> lf t55 config b 32 d PSK1 o 28 i 1
Chip Type  : T55x7
Modulation : PSK1
Bit Rate   : 2 - RF/32
Inverted   : Yes
Offset     : 28
Seq. Term. : No
Block0     : 0x00000000

proxmark3> lf t55 read b 0
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | 00081040 | 00000000000010000001000001000000                (<-- as expected)

proxmark3> lf t55 write b 1 d 4944544B
Writing page 0  block: 01  data: 0x4944544B

proxmark3> lf t55 read b 1
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  1 | 4944544B | 01001001010001000101010001001011                (<-- as expected)

proxmark3> lf t55 write b 2 d 5CF30BF5
Writing page 0  block: 02  data: 0x5CF30BF5

proxmark3> lf t55 read b 2
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  2 | A30CF40A | 10100011000011001111010000001010                (<-- ????? )


Since blocks 0 and 1 return the data exactly as written, why does block 2 return the data inverted?

Last edited by lonewolf (2017-01-13 04:18:07)

Offline

#50 2017-01-13 04:19:05

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 1,773

Re: IDTECK 125 kHZ tags

psk is difficult to get the initial phase correct unless there is a special format you expect.  when reading blocks on the ata55x7 chips there are not any format indicators.  so it essentially makes its best guess.  and sometimes it will guess wrong.  it will depend on what data is being read, some starting bits are more prone to errors.

the result is as you have found - it can invert all the bits.

Offline
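
An added illustration (not code from any poster or from the Proxmark3 client) of the frame search the thread arrives at: look for the 0x4944544B preamble from post #44 at any offset in the repeating 64-bit PSK1 stream, and retry on the inverted bits because, as posts #45 and #50 describe, a wrong phase guess flips every bit. The function names and the capture are constructed for this example; the card value is hm's from post #47.

```python
IDTECK_PREAMBLE = 0x4944544B  # ASCII "IDTK", the fixed first 32 bits (post #44)
FRAME_BITS = 64               # 32-bit preamble + 32-bit card data


def invert(bits: str) -> str:
    """Flip every bit, as a wrong PSK phase guess does."""
    return bits.translate(str.maketrans("01", "10"))


def find_idteck_frame(bits: str):
    """Locate one 64-bit frame in a demodulated PSK1 bit string.

    Returns (raw_hex, offset, inverted) or None if no preamble is found.
    """
    preamble = format(IDTECK_PREAMBLE, "032b")
    # Try the bits as demodulated first, then with the phase flipped.
    for inverted, stream in ((False, bits), (True, invert(bits))):
        start = stream.find(preamble)
        while start != -1:
            frame = stream[start:start + FRAME_BITS]
            following = stream[start + FRAME_BITS:start + FRAME_BITS + 32]
            # The tag repeats its frame, so whatever follows a full frame
            # must begin another preamble (possibly cut off by the capture).
            if len(frame) == FRAME_BITS and preamble.startswith(following):
                return format(int(frame, 2), "016X"), start, inverted
            start = stream.find(preamble, start + 1)
    return None


# Constructed capture: hm's card value from post #47, repeated three times,
# cut 19 bits into the first frame and inverted to mimic a wrong phase guess.
FRAME = format(0x4944544B5CF30BF5, "064b")
SAMPLE = invert((FRAME * 3)[19:])

if __name__ == "__main__":
    raw, offset, inverted = find_idteck_frame(SAMPLE)
    print(f"raw={raw} offset={offset} inverted={inverted}")
    print(f"block1={raw[:8]} block2={raw[8:]}")
```

The returned raw value splits into the two data blocks quoted in the thread: the first eight hex digits are block 1, the last eight are block 2.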
