Proxmark3 community


#1 2018-02-18 05:18:04

xavierrr
Contributor
Registered: 2018-02-04
Posts: 7

Sending raw 125kHz data

Hi all,

I am trying to use "lf cmdread" to send data retrieved from "lf snoop", which is a list of numbers ranging from -128 to 127. I am wondering how I can determine the parameters that I need to input in the command "lf cmdread"? I am not sure how to determine the '0' and '1' period, and I am also wondering how to convert my data to binary to be the raw command?

We used "lf snoop" to capture the 125kHz signal from the car's keyless entry system. And we want to replay the signal using another proxmark3. So after we did the "lf snoop", we used "data save" to save the data to a text file.

Our hw version is: (I will update the firmware to support the bit bang mode)
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-307-ga37725f-dirty-suspect 2018-02-10 00:48:56
os: master/v3.0.1-307-ga37725f-dirty-suspect 2018-02-10 00:49:41
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 196768 bytes (38%). Free: 327520 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory


#2 2018-02-18 06:23:19

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Sending raw 125kHz data

data plot will show you the waves.  If it is strong signal anything above 0 is 1 and anything below is 0.
If it isn't so strong then it may take more effort.


#3 2018-02-18 06:28:37

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Sending raw 125kHz data

For cmdread use I gave an example at http://www.proxmark.org/forum/viewtopic.php?id=5451


#4 2018-02-18 06:49:50

xavierrr
Contributor
Registered: 2018-02-04
Posts: 7

Re: Sending raw 125kHz data

Thank you for your reply. Then how do you determine the length of the period of 1s and 0s? When I used "lf snoop" to get the data, I used the default lf config setting. Is there a corresponding length of the period of 1s and 0s for that default setting?


#5 2018-02-18 10:32:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,505

Re: Sending raw 125kHz data

You usually find period lengths in datasheets.  Try finding a datasheet for the tag / system.

or by looking at the collected trace signal in the data plot window.

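As an added example (not code from this thread or from the Proxmark3 project), this turns a saved `lf snoop` sample dump into the bit string and the '0' / '1' period lengths that the two answers above describe reading off the data plot. The sample rate, the "above 0 is 1" threshold and the trace itself are assumptions; the trace is constructed, not a real capture.

```python
from itertools import groupby

# Assumption (not stated in the thread): the trace was sampled once per carrier
# cycle at 125 kHz, so one sample is 8 us. Adjust to match your `lf config`.
SAMPLE_RATE_HZ = 125_000

def threshold(samples, level=0):
    """Post #2's rule for a strong signal: above `level` is 1, otherwise 0."""
    return [1 if s > level else 0 for s in samples]

def runs(bits):
    """Collapse consecutive equal bits into (bit, length_in_samples) pairs."""
    return [(b, sum(1 for _ in g)) for b, g in groupby(bits)]

def interior(run_list):
    """Drop the first and last run: a snoop buffer usually cuts them short."""
    return run_list[1:-1] if len(run_list) > 2 else run_list

def unit_periods(run_list):
    """Shortest complete run of each level is the '0' / '1' period in samples."""
    zeros = [n for b, n in run_list if b == 0]
    ones = [n for b, n in run_list if b == 1]
    return (min(zeros, default=0), min(ones, default=0))

def to_cmd_bits(run_list, zero_unit, one_unit):
    """Expand each run into whole unit periods: the string for `c <bits>`.
    A run twice the unit becomes '11' (or '00'), as in 110011001100."""
    out = []
    for b, n in run_list:
        unit = one_unit if b else zero_unit
        if unit:
            out.append(str(b) * max(1, round(n / unit)))
    return "".join(out)

def samples_to_us(n):
    return n * 1_000_000 / SAMPLE_RATE_HZ

def analyse(samples, level=0):
    """Trace -> bits and '0'/'1' periods in the units `lf cmdread` takes."""
    r = interior(runs(threshold(samples, level)))
    z, o = unit_periods(r)
    return {"bits": to_cmd_bits(r, z, o),
            "zero_period_us": samples_to_us(z),
            "one_period_us": samples_to_us(o)}

def make_trace(run_spec, amplitude=90):
    """Constructed test signal, not a real capture: [(bit, n_samples), ...]."""
    return [s for b, n in run_spec for s in [amplitude if b else -amplitude] * n]

# Constructed: clipped leading/trailing runs around the pattern 1 0 11 0 1 00 1.
SAMPLE_TRACE = make_trace([(0, 3), (1, 4), (0, 4), (1, 8), (0, 4),
                           (1, 4), (0, 8), (1, 4), (0, 2)])

if __name__ == "__main__":
    print(analyse(SAMPLE_TRACE))
```

A weak or noisy trace (post #2's "more effort" case) will produce spurious one-sample runs; raise `level` or inspect the run list before trusting the shortest run as the unit.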

#6 2018-02-21 07:51:38

xavierrr
Contributor
Registered: 2018-02-04
Posts: 7

Re: Sending raw 125kHz data

I am trying to understand how the command "lf cmdread" works. I have two Proxmark3s; I used one of them to send raw data using "lf cmdread d 0 z 20 o 20 c 110011001100" and the other Proxmark3 is using "lf snoop" to listen to the signal being sent out. The image below is what I got from "lf snoop". I am expecting the signal to be high for 40us and off for 40us, repeating the same pattern three times, but the captured signal does not seem to work like that.

I actually tried different values for delay, zero period and one period, and also the snoop threshold, but whatever I tried, it gave me the same signal shown in the image below, except for the length of time the signal holds high at the very beginning (as shown in the image, the signal only holds high for a period at the very beginning).

Am I misunderstanding the command or there may be other problems? Thank you in advance for helping me out!


[attached image: 20180220223306.png]


#7 2018-02-21 13:40:28

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Sending raw 125kHz data

`lf snoop` with a threshold will not work with `lf cmdread` as there is a long power up period before the cmd starts.  So your snoop trace will run out of room before the `lf cmdread` begins.  Turn off the threshold and try to time it manually.


#8 2018-02-21 19:44:27

xavierrr
Contributor
Registered: 2018-02-04
Posts: 7

Re: Sending raw 125kHz data

Could you please further explain why the trace would run out of room before the cmdread begins? In my understanding, the snoop will begin to record the trace when the threshold is reached, so it will not start to record until the cmdread begins. Did I make any mistakes in my assumptions?

Also, I used lf snoop with a threshold of 5 to capture the signal from the car keyless entry system and the trace looks good to me. But based on your explanation for the lf snoop, does it mean the signal I captured is not complete and only contains a segment of the original signal from the car?


#9 2018-02-22 05:20:03

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Sending raw 125kHz data

The threshold will be triggered by the power on that the `lf cmdread` starts with.  `lf cmdread` was originally designed (by someone else) to have a 2.5 second antenna off period followed by a 2 second antenna on period to (as the code comments say) ensure the tag has reset. I assume this is for tags looking for an authentication wakeup command that lock down after a failed authentication.

Those wait periods are still in place.

That 2 second power on will trigger any and all thresholds set for the lf snoop, and the following 2 second wait period before the bit bang antenna modulation begins is too long for the `lf snoop` memory to hold.

So set a threshold, but send the `lf cmdread` on the one pm3 3 seconds before sending the `lf snoop` cmd on the second pm3, and you will likely capture the `lf cmdread`.

If you'd like to remove the "tag reset" procedure of `lf cmdread`, then it is not too hard to remove those two lines of code and compile yourself a new version.
