Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-12-03 22:41:36

lockakey
Contributor
Registered: 2015-10-10
Posts: 19

Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

Attempting to duplicate a new type of fob we ran into in the wild.
According to Google searches the fob operates on two frequencies, leading me to believe it has two RFID chips or coils.

I did search PAC on these forums and read through the "KeyFOB at 153mHz" post with Asper and Marshmallow.

Any education, insight on this system is greatly appreciated.
I will edit in some of the data sheet pdfs when I get home.

Here is a photo of the proximity fob.
k2010_back-50.jpg

Here are the traces from the pm3

-I tuned my radio.
hw tune

-I took four traces.
lf read
data samples 20000
http://www109.zippyshare.com/v/xrl1pLrv/file.html - [PAC1]

data samples 20000
http://www81.zippyshare.com/v/WAhAQ9DS/file.html - [PAC2]

data samples 20000
http://www13.zippyshare.com/v/1kjKDXDU/file.html - [PAC3]

data samples 16000
http://www108.zippyshare.com/v/mKsIBgVg/file.html - [PAC16]

edit1: added images
edit2: make links clickable

Last edited by lockakey (2017-12-03 22:42:42)


" There is an unarguable downside to unbreakable encryption " - Michael Hayden


#2 2017-12-04 10:10:00

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 76

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

That's a standard Stanley Pac fob; it's one of the most popular fobs on the market.
It doesn't run at 153Mhz but at 134Mhz 64RF ASK, but it can be copied with a 125Mhz coil and can be copied to a standard 5577 tag.

You should get back 4 Blocks of 8 Hex characters with the first block (most of the time) coming in as FFC81264


Hardware: Proxmark RV2,  Elatec TWN4 dev kit / ACS ACR122U / IDTronic LF Reader / OmniKey 5321 / HT108 RW / Custom Read Write 125khz RW and a couple of other RW bits.


#3 2017-12-04 13:48:51

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

There are two varieties of PAC fobs.  One runs at 153khz and the other at 125khz.  There is no substitute for the 153 version at this time.  But as was mentioned the 125khz version can be cloned.

I have not had time to pull up the traces to id yours.


#4 2018-02-17 03:29:18

actionbias
Contributor
Registered: 2017-07-22
Posts: 16

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

I am also having issues duplicating the Stanley PAC key fob, but I was able to pull the data below. I tried to do an lf t55 dump but was not receiving any data. Any advice? Thanks!

proxmark3> lf sea u
NOTE: some demods output possible binary
if it finds something that looks like a tag 
False Positives ARE possible


Checking for known tags:

PAC/Stanley Tag Found -- Raw: FF2049906D8511C593155B56D5B2649F 

How the Raw ID is translated by the reader is unknown 

Valid PAC/Stanley ID Found!


#5 2018-02-17 09:57:20

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

Just because it's decoded to a PAC/Stanley doesn't mean the chipset used is a T55x7...


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#6 2018-02-17 14:00:44

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

It appears you may have found a bug for us (the printed raw ID appears to be offset a few bits.)  I'll take a closer look in a day or so. 
BTW is there a number printed on the fob?  Or do you know what it reads as on the PAC reader?


#7 2018-02-17 14:32:03

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

The preamble is looking for FF204.., which matches @actionbias's raw:

uint8_t preamble[] = {1,1,1,1 ,1,1,1,1 ,0,0,1,0 ,0,0,0,0 ,0,1,0};

Given Onisan's suggestion of FFC81264, it should be:

uint8_t preamble[] = {1,1,1,1 ,1,1,1,1 ,1,1,0,0 ,1,0,0,0 ,0,0,0,1};

Question is which preamble is the correct one...


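To see which of the two candidate preambles actually fits the Raw ID that actionbias posted, here is an added example (not pm3 code; the helper names hex_to_bits, preamble_search and match_raw are my own) that expands a hex Raw ID into one bit per byte, MSB first, and searches it for each preamble the way a demod would:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Expand a hex string into one bit per byte, MSB first.
   Returns the number of bits written, or 0 on a bad character / overflow. */
static size_t hex_to_bits(const char *hex, uint8_t *bits, size_t max_bits) {
    size_t n = 0;
    for (const char *p = hex; *p; p++) {
        int v;
        if (*p >= '0' && *p <= '9')      v = *p - '0';
        else if (*p >= 'A' && *p <= 'F') v = *p - 'A' + 10;
        else if (*p >= 'a' && *p <= 'f') v = *p - 'a' + 10;
        else return 0;
        if (n + 4 > max_bits) return 0;
        for (int i = 3; i >= 0; i--) bits[n++] = (uint8_t)((v >> i) & 1);
    }
    return n;
}

/* First offset in bits[0..n) where preamble[0..plen) occurs, or -1. */
static long preamble_search(const uint8_t *bits, size_t n,
                            const uint8_t *pre, size_t plen) {
    if (plen == 0 || plen > n) return -1;
    for (size_t off = 0; off + plen <= n; off++)
        if (memcmp(bits + off, pre, plen) == 0) return (long)off;
    return -1;
}

/* The two candidate preambles quoted in this thread (FF204.. and FFC81..). */
static const uint8_t PRE_FF20[] = {1,1,1,1, 1,1,1,1, 0,0,1,0, 0,0,0,0, 0,1,0};
static const uint8_t PRE_FFC8[] = {1,1,1,1, 1,1,1,1, 1,1,0,0, 1,0,0,0, 0,0,0,1};

/* Raw ID exactly as printed by "lf search" in post #4. */
static const char RAW_POST4[] = "FF2049906D8511C593155B56D5B2649F";

/* Bit offset of the preamble inside a hex Raw ID, or -1 if absent/invalid. */
long match_raw(const char *raw_hex, const uint8_t *pre, size_t plen) {
    uint8_t bits[256];
    size_t n = hex_to_bits(raw_hex, bits, sizeof bits);
    if (n == 0) return -1;
    return preamble_search(bits, n, pre, plen);
}

int main(void) {
    printf("FF20 preamble offset: %ld\n", match_raw(RAW_POST4, PRE_FF20, sizeof PRE_FF20));
    printf("FFC8 preamble offset: %ld\n", match_raw(RAW_POST4, PRE_FFC8, sizeof PRE_FFC8));
    return 0;
}
```

The FF20 preamble sits at offset 0 of that raw, while the FFC8 one is not present anywhere in it.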

#8 2018-02-17 14:34:05

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

I have to check my notes.  The ff20 may be correct after all.


#9 2018-02-17 14:37:10

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

FF20 is correct, I spoke too soon. No bug...


#10 2018-02-22 05:45:46

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

BTW, most of the 125 kHz PAC cards do appear to be a T55x7 or compatible type of tag, but they are password protected, and some at least do not follow the standard Atmel T55x7 page 1 TID settings. These items make the T55x7 pm3 detection and config options useless.


#11 2018-02-22 08:44:58

iceman
Administrator
Registered: 2013-04-25
Posts: 4,850

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

One of these days you might find time to do more research on them?



#12 2018-02-22 10:17:53

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 76

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

I've never had a Stanley Pac tag I've not been able to duplicate on a SmartCard Deluxe machine.
It takes 5 seconds and equates to 16% of my business.



#13 2018-02-22 13:15:06

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

Cloning is not the intended purpose of the pm3. I could make the pm3 clone the card easily as well. (It did detect the tag and output its critical info that would be needed to clone.) But detecting the fact that it is using a T55x7 chip is a little more involved.


#14 2018-02-22 13:33:57

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,232

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

As far as more research goes, we need samples that show how the raw ID equates to the data in the access control software (FC and card #?).
Although I believe this is even configurable on the readers, so it may be different in each install.


#15 2018-09-16 20:58:22

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

Is there an update to this at all? I'm able to read a PAC tag; I tried splitting it into four 4-byte chunks and loading it onto a T5577 tag, but it doesn't read back as a PAC tag.


#16 2018-09-16 22:13:45

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

Interesting, it worked restoring to Block 1. It works on one door but not another; I'm thinking it has something to do with the Config Block (0).


#17 2018-09-17 00:11:01

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

Does anyone know what the default config block for PAC keyfobs is?


#18 2018-09-17 16:37:09

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

So yeah, I think it literally is just a T55xx tag; it's just using some weird config block. I'm trying to work out how marshmellow is decoding the Raw ID. If we need to find out what bits do what, I can look at reverse engineering the firmware running on the controller.

Last edited by dylanger (2018-09-17 16:48:32)


#19 2018-09-17 17:38:44

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Stanley PAC 125 kHz / KeyPAC + Readykey 153 kHz

Another question: why is this data useful? Does it dictate what access you have? I would have thought that'd be controlled by the controller?
