Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2017-07-24 23:19:45

windyyy
Contributor
Registered: 2017-07-23
Posts: 6

Rfid Help! just getting started

until my proxmark arrives iv been messing around with some bit I already have. I have a Wigand 26 reader and I am reading Em Marin 4100 key fobs from work to clone it for a friend who has lost theirs, the data I receive from the reader is a 10 digit hex a 44 binary and a facility and card numbers. e.g.  card: 2007961cca, FC = 203, CC = 3685, BIN: 00000010000000000111100101100001110011001010. I then tried to write a new fob on a duplicator machine called smart card deluxe. to write the new fob the smart card deluxe wanted the 10 digit hex. when I punched in the hex numbers and wrote the fob it didn't work. I then used a different reader to read the fob and it gave me a hex value of 00F0-CBOE65. I quickly realised CBOE65 is the hex value of the facility and card number. I used this 10 digit hex to write new fob and it worked I just don't understand the reason for different hex values and were the 0F00 come from on the second reader any information would be really appreciated. I also Know how to break the binary up into 26 format and change it to hex i just don't know were the 0F00 come from as it must be important.

Offline

#2 2017-07-25 08:26:21

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 111
Website

Re: Rfid Help! just getting started

Some expensive and old machine you have there. Smart Card Deluxe. It has been some time since someone mention that name.

Wait till your proxmark is here and do a lf sea on your tag and maybe we can help you better.


You live, you learn.
You give you take.
You win, you lose.

Offline

#3 2017-07-25 10:59:02

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 43

Re: Rfid Help! just getting started

So what is the second reader.
The Smartcard Deluxe should duplicate an EM Marin fob/card with no difficulty at all and depending on the fob type you may not even need the fob to duplicate IE: Videx or Digicom.


Hardware: Elatec TWN4 dev kit / ACS ACR122U / IDTronic LF Reader / OmniKey 5321 / HT108 RW / Custom Read Write 125khz RW and a couple of other RW bits.

Offline

#4 2017-07-25 20:21:42

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 122

Re: Rfid Help! just getting started

@Windyyy
You need to be aware that most EM410x readers only spit out a wiegand code of the data payload and NOT the entire raw data stream.
In your case the wiegand data is 00000010000000000111100101100001110011001010.
The wiegand data stream has two parity bits appended that are different than the parity bit included in the "raw" data stream that the chip transmits.


The actual "raw" data for your card includes the header, 8-bit customer ID, 32-bit card data and row/column parity.
The raw 64-bit binary data for your card actually looks like this:

1111111111111000000000000000011000101110000011101011000101001010

If you look at the chart in the EM410X data sheet the above data stream will be broken down like this:

11111111 1  (9-bit header)
    1111 0  (8-bit customer ID) + row parity
    0000 0
    0000 0  (32-bit data) + row parity
    0000 0
    1100 0
    1011 1
    0000 0
    1110 1
    0110 0
    0101 0
    0101 0  (column parity) + row parity

The customer ID code is not normally output by the reader.
However, in order to duplicate the card correctly you MUST include this information.

To duplicate your card using a T55x7 you would use the following  Block values:

0x00148040 (Block 0)
0xFFF80006 (Block 1)
0x2E0EB14A (Block 2)
0x00000000 (Block 3-7)

This would yield a card that has a customer ID = 240 (0xF0) and a card number of 013307493 (0xCB0E65)

Offline

#5 2017-07-26 07:53:13

windyyy
Contributor
Registered: 2017-07-23
Posts: 6

Re: Rfid Help! just getting started

Thanks very much for reply much appreciated. So the data I get from the Wigand reader I would not be able to work out the 8 bit customer id?

Also I was unable to work out were you got some of your values from. (block-0) and how you got to the customer id and card number from the them.


Block values:

0x00148040 (Block 0)
0xFFF80006 (Block 1)
0x2E0EB14A (Block 2)
0x00000000 (Block 3-7)

This would yield a card that has a customer ID = 240 (0xF0) and a card number of 013307493 (0xCB0E65)

Offline

#6 2017-07-26 15:34:51

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 122

Re: Rfid Help! just getting started

As stated earlier, the 8-bit customer ID code is not normally transmitted to the backend controller. This allows the various reader manufacturers to build security products that will reject card populations that are not programmed to work with their particular systems. In other words "Vendor A" may use a customer ID code of 0x01 and "Vendor B" may use a customer ID code of 00x02. In this case, even though two cards may have the same identical 10-digit card number they will only work with readers that are from "Vendor A" if the customer ID code programmed into the card is 0x01.
The only way to obtain this code is to find a reader that outputs the complete code or to use a low-level tool like the PM3 that will give you access to the raw bit stream.

Regarding your question about the block data values ....

The Block 0 value was generated using the modulation, clocking, and data formatting parameters that are commonly known to be correct for the EM410X transponder chips. There are several threads on this forum that provide this information.
The block 1-7 data values were obtained from the bit stream information you provided in your first post. You just need to make sure that you either keep or delete the parity bits dependending on whether you are trying to do. You need to study the datasheet to get a full understanding of how this data is formatted. Hopefully it will all make sense after you read the datasheet a few times.

Offline

#7 2017-07-26 22:31:51

windyyy
Contributor
Registered: 2017-07-23
Posts: 6

Re: Rfid Help! just getting started

thanks again I will start reading until I fully understand. appreciate your reply!

Offline

#8 2017-07-27 10:05:57

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 43

Re: Rfid Help! just getting started

Put the original fob on the smartcard delux and you can copy it straight away.


Hardware: Elatec TWN4 dev kit / ACS ACR122U / IDTronic LF Reader / OmniKey 5321 / HT108 RW / Custom Read Write 125khz RW and a couple of other RW bits.

Offline

#9 2017-07-27 20:19:43

windyyy
Contributor
Registered: 2017-07-23
Posts: 6

Re: Rfid Help! just getting started

Onisan wrote:

So what is the second reader.
The Smartcard Deluxe should duplicate an EM Marin fob/card with no difficulty at all and depending on the fob type you may not even need the fob to duplicate IE: Videx or Digicom.



hi just wondering what is meant by videx and digicom?

Offline

Board footer

Powered by FluxBB