Proxmark developers community


#1 2017-12-03 22:41:36

lockakey
Contributor
Registered: 2015-10-10
Posts: 19

Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Attempting to duplicate a new type of fob we ran into in the wild.
According to Google searches, the fob operates on two frequencies, leading me to believe there are two RFID chips or coils.

I did search PAC on these forums and read through the "KeyFOB at 153mHz" post with Asper and Marshmallow.

Any education, insight on this system is greatly appreciated.
I will edit in some of the data sheet pdfs when I get home.

Here is a photo of the proximity fob.
k2010_back-50.jpg

Here are the traces from the pm3

-I tuned my radio.
hw tune

-I took four traces.
lf read
data samples 20000
http://www109.zippyshare.com/v/xrl1pLrv/file.html - [PAC1]

data samples 20000
http://www81.zippyshare.com/v/WAhAQ9DS/file.html - [PAC2]

data samples 20000
http://www13.zippyshare.com/v/1kjKDXDU/file.html - [PAC3]

data samples 16000
http://www108.zippyshare.com/v/mKsIBgVg/file.html - [PAC16]

edit1: added images
edit2: make links clickable

Last edited by lockakey (2017-12-03 22:42:42)


" There is an unarguable downside to unbreakable encryption " - Michael Hayden


#2 2017-12-04 10:10:00

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 63

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

That's a standard Stanley Pac fob; it's one of the most popular fobs on the market.
It doesn't run at 153Mhz but at 134Mhz 64RF ASK, but can be copied with a 125Mhz coil and can be copied to a standard 5577 tag.

You should get back 4 Blocks of 8 Hex characters with the first block (most of the time) coming in as FFC81264


Hardware: Proxmark,  Elatec TWN4 dev kit / ACS ACR122U / IDTronic LF Reader / OmniKey 5321 / HT108 RW / Custom Read Write 125khz RW and a couple of other RW bits.


#3 2017-12-04 13:48:51

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,142

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

There are two varieties of PAC fobs.  One runs at 153khz and the other at 125khz.  There is no substitute for the 153 version at this time.  But as was mentioned the 125khz version can be cloned.

I have not had time to pull up the traces to id yours.


#4 2018-02-17 03:29:18

actionbias
Contributor
Registered: 2017-07-22
Posts: 4

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

I am also having issues duplicating the Stanley PAC key fob, but I was able to pull the data below. I tried to do an lf t55 dump but was not receiving any data. Any advice? Thanks!

proxmark3> lf sea u
NOTE: some demods output possible binary
if it finds something that looks like a tag 
False Positives ARE possible


Checking for known tags:

PAC/Stanley Tag Found -- Raw: FF2049906D8511C593155B56D5B2649F 

How the Raw ID is translated by the reader is unknown 

Valid PAC/Stanley ID Found!


#5 2018-02-17 09:57:20

iceman
Administrator
Registered: 2013-04-25
Posts: 4,381

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Just because it's decoded to a PAC/Stanley doesn't mean the chipset used is a T55x7...


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#6 2018-02-17 14:00:44

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,142

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

It appears you may have found a bug for us (the printed raw ID appears to be offset a few bits.)  I'll take a closer look in a day or so. 
BTW is there a number printed on the fob?  Or do you know what it reads as on the PAC reader?


#7 2018-02-17 14:32:03

iceman
Administrator
Registered: 2013-04-25
Posts: 4,381

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

The preamble is looking for FF204.. which matches @actionbias..

uint8_t preamble[] = {1,1,1,1 ,1,1,1,1 ,0,0,1,0 ,0,0,0,0 ,0,1,0};

Given Onisan's suggestion of FFC81264, it should be..

uint8_t preamble[] = {1,1,1,1 ,1,1,1,1 ,1,1,0,0 ,1,0,0,0 ,0,0,0,1};

Question is which preamble is the correct one...


modhex(hkhehghthbhudcfcdchkigiehgduiehg)
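
Added example, not part of the post above and not Proxmark3 source code: a stand-alone check of both candidate preambles against the raw ID printed in post #4. The helper names (`hex_to_bits`, `find_preamble`, `offset_in_raw`) are hypothetical, and treating the 128 bits as a frame that repeats back to back is an assumption.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
/* Raw ID printed by `lf search` in post #4 (128 bits). */
static const char RAW_HEX[] = "FF2049906D8511C593155B56D5B2649F";
/* The two candidate preambles from post #7, one bit per byte. */
static const uint8_t PRE_FF204[] = {1,1,1,1, 1,1,1,1, 0,0,1,0, 0,0,0,0, 0,1,0};
static const uint8_t PRE_FFC81[] = {1,1,1,1, 1,1,1,1, 1,1,0,0, 1,0,0,0, 0,0,0,1};

/* Expand hex into one bit per byte, MSB first; returns bit count, 0 on error. */
size_t hex_to_bits(const char *hex, uint8_t *bits, size_t max_bits) {
    size_t n = 0;
    for (; *hex; hex++) {
        int v;
        if (*hex >= '0' && *hex <= '9') v = *hex - '0';
        else if (*hex >= 'A' && *hex <= 'F') v = *hex - 'A' + 10;
        else if (*hex >= 'a' && *hex <= 'f') v = *hex - 'a' + 10;
        else return 0;
        if (n + 4 > max_bits) return 0;
        for (int b = 3; b >= 0; b--) bits[n++] = (uint8_t)((v >> b) & 1);
    }
    return n;
}

/* First bit offset at which `pre` occurs, or -1. Assumption: the frame
 * repeats back to back, so the search wraps around the end of the buffer. */
int find_preamble(const uint8_t *bits, size_t nbits, const uint8_t *pre, size_t plen) {
    if (plen == 0 || plen > nbits) return -1;
    for (size_t off = 0; off < nbits; off++) {
        size_t i = 0;
        while (i < plen && bits[(off + i) % nbits] == pre[i]) i++;
        if (i == plen) return (int)off;
    }
    return -1;
}

/* Offset of `pre` in the post #4 raw ID after rotating it left by `rot` bits,
 * which models a capture that starts at a different point in the frame. */
int offset_in_raw(const uint8_t *pre, size_t plen, size_t rot) {
    uint8_t bits[128], view[128];
    size_t n = hex_to_bits(RAW_HEX, bits, sizeof bits);
    if (n == 0) return -1;
    for (size_t i = 0; i < n; i++) view[i] = bits[(i + rot) % n];
    return find_preamble(view, n, pre, plen);
}
int main(void) {
    printf("FF204 preamble at bit %d\n", offset_in_raw(PRE_FF204, sizeof PRE_FF204, 0));
    printf("FFC81 preamble at bit %d\n", offset_in_raw(PRE_FFC81, sizeof PRE_FFC81, 0));
}
```

Under the wrap-around assumption, the FF204 pattern is found at bit 0 of this raw ID and the FFC81 pattern at bit 126, so for this tag the two patterns describe the same bitstream read from start points two bits apart.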


#8 2018-02-17 14:34:05

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,142

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

I have to check my notes.  The ff20 may be correct after all.


#9 2018-02-17 14:37:10

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,142

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

ff20 is correct, I spoke too soon.  No bug...
