Help Cloning Paradox 125khz Cards

Earman · 2015-02-12 21:00:35

Thanks!!!

Earman · 2015-02-13 07:23:31

marshmellow wrote:

Just have to split the 96 bit or 12 digit id over blocks 1-3

It is probably relatively trivial to do, but I have no idea on how to properly split the 12 hex digits onto block 1, 2 and 3. From my read of 4 Paradox FOBs I got a 9 digit hex id tag, a 2 or 3 digit FC a 4 or 5 digits Card and a Checksum. The FC+Card number is actually printed as the Reference number on the FOBs. I am assuming that the 12 hex digits are the 9 tag id digits plus the 3FC digits, adding a leading zero if only 2 digits...

I think I understand how to write to the t55XX once I know what values to use...

Also what to use for bloc 0? Should I use Block0 = 0x00107060? I understand that a wrong bloc 0 ruins the card, so I want to be cautious...

I tried to find a Manchester to Hex conversion online but could not find one. Maybe this is not even needed?

If the hex needs to be converted first into Manchester to be split and then output as several hex values again, is there some sort of calculator to do this?

I understand how to convert the binary stream into the 3 hex blocks (Bin to Hex) ie:
00011101 0101 0101 0101 0101 0101 0101 0101 0110 0110 0110 1010 1001 1010 1010 1010 0110 1010 0101 1010 1010 0110 1010
Block1 = 0x1D555555
Block2 = 0x5666A9AA
Block3 = 0xA6A5AA6A

but I can't figure out how to convert from the Tag ID, FC and CN...

If you can point me in the right direction I can read and research the solutions... Thanks!

Last edited by Earman (2015-02-15 20:19:05)

Earman · 2015-02-15 20:55:28

I obtained a raw FSF demod for my FOB and from there I was able to extract 3 blocks. However, the first block does not look at all like the one in the example from Carl55 http://www.proxmark.org/forum/viewtopic … 9379#p9379 where he changed 1 bit. in the start sentinel... so I am wondering if I did get the proper FSK demod output?

Here is my first block:
10101011 0100 1011 0010 1011 0010 1010
0xAB4B2B2A

Am I completely wrong or am I going in the right direction? What about block 0 to make it readable by a Paradox reader? I am lost, all this is totally new to me!

Thanks for your help!

marshmellow · 2015-02-15 21:15:19

the paradox format is discussed heavily in this and the other referenced posts. but i'm feeling generous... send the command:

data setdebug 1

this turns on additional verbose messages during a demod operation
then either lf search the tag again or use data fskparadox to demod a loaded tag's info from the graphbuffer

this will then output the full binary of blocks 1-3
your block 0 above looks fine.

Earman · 2015-02-15 22:28:19

Thanks a lot! I am trying to learn from scratch and the help I got here in really invaluable! I have a medical background and trying to decode this is totally new to me! I know I will be able to do this once I have done it one time but right now I am really under equipped for understanding the process, so I am learning through trial and error ! Thanks a lot for your great help!

Last edited by Earman (2015-02-15 22:34:17)

Earman · 2015-02-15 23:12:41

I got my 3 blocks and they look as expected! Thanks a million!

Earman · 2015-02-16 00:19:20

Success!!! I wrote the blocks and the cloned card works perfectly fine!!! You have been fantastically helpful, really, really appreciated! Sorry for being so ignorant!

BTW the built in GUI command TS55X WRITE BLOCK (lf t55xx wr <data> <block> ) does not work as is. Typing instead: lf t55xx writeblock <data> <block> does work. "wr" is not recognized.

Thanks a million, I owe you!!!

iceman · 2015-02-16 09:34:41

Asper updated GUI before I pushed my remake of the t55xx commands, and since Marshmellow did new demod functions, its been a bit more delayed.

Earman · 2015-02-16 09:55:28

No problem! I had updated my settings.xml file with the work done a few days ago by Marshmellow. I just added the T55xx "wr" correction today and everything is working smoothly for me... Thanks to all of you for the great work!

Upgrade · 2015-03-22 06:55:34

I am able to get my block 1,2,3 but have the following issue.

What is the block 0 or is it even used/written at all?

Also a tag that I have written 4 blocks to when I reread it, it says pre emble not found.

What am I doing wrong? Any helps appreciated!

Earman · 2015-03-22 10:09:58

Thanks to the help I got on this board I have cloned several Paradox so far. For block zero use 0x00107060.

iceman · 2015-03-22 10:59:50

@upgrade, if you read the data sheet for t55x7 you get your answer. In short, a t55x7 can be configured to mimic different modulations which makes it a good cloner tag. Like @earman suggests, that block0 is configured for a FSK modulation.

Its all in the data sheet

Last edited by iceman (2015-03-23 09:34:14)

Upgrade · 2015-03-23 08:53:59

EDIT - Thanks a bunch!

Problem resolved!!!

Last edited by Upgrade (2015-03-23 10:17:41)

iceman · 2015-03-23 09:37:20

You can always verify your own tag with trying to read it.

When it comes to t55xx commands, you do that with "lf t55xx read"

If you configured your tag to mimic another tag, you can test and see if it gets outputted correct with the normal LF/DATA commands. The new "lf search" is a good starting point.

Upgrade · 2015-03-23 10:17:47

Thanks a bunch!

Problem resolved!!!

ntk · 2015-07-07 12:23:40

Sorry to hijack, if I know I have a paradox tag in my hand I can use lf read, data fskparadoxdemod etc... But if a card has no name, no serial, and you have no real reader for that what are ways to coming forwards
1/ asking help here with only a picture
2/ lf you suspect it is 125 kHz, is 'lf read', 'lf search', 'lf search u' effective enough to find what type eg. this paradox tag/card/
3/ if no result you think maybe 13.56Mhz, but you have no reader to snoop, what to do

marshmellow · 2015-07-07 15:36:09

for HF vs LF identification look around at how people use hw tune with and without a tag.

paradox is included in lf search

ntk · 2015-07-07 21:04:18

marshmellow wrote:

for HF vs LF identification look around at how people use hw tune with and without a tag.

I know about reading the voltage drop guessing trick Marshmellow.

What I mean is if I stand with a tag definitely not 125kHz also not 132 nor 134 Khz so I can not use lf search lf read; data rawdemod. On the tag and on the reader there is nothing to indicate which protocol, in HF I don't have a general HF search nor HF detect, nor hf rawdemod etc. how would you guess the tag belong to one of the many protocol formats, and investigate in that direction.

Last edited by ntk (2015-07-07 21:04:47)

marshmellow · 2015-07-07 21:08:01

there is an hf search in the latest firmware. though it only checks iClass, ISO 14443A, 14443B, and 15693 protocols (which is just about all of the tags currently supported) .

otherwise try the "reader" option in each hf area.

Last edited by marshmellow (2015-07-07 21:09:08)

ntk · 2015-07-07 21:14:58

ok, I saw one of your thread too
http://www.proxmark.org/forum/viewtopic.php?id=2419

I did not know there is a hf search. Because still learning I stick with the mid June version. Thanks for the hint of hf search. I should upgrade firmware and rebuild/ flash soon

chintandarji · 2017-01-25 18:05:00

Did you figure algorithm or way of calculating checksum/parity ??

marshmellow wrote:

as discussed in http://www.proxmark.org/forum/viewtopic.php?id=1844 the proxmark's current programming can't decode the bitstream directly without code changes. but it can plot the wave and you can manually decode the fsk waveform (apply a 50 x grid over it and line it up). once you get a bit stream you can then program a ATA55xx chip card to match.
as far as your bitstreams, because you uploaded a trace I will decode 2 of the 3 for you:
108_01827:
Raw FSK Demod:
00001111010101010101010101010110100110100101  01010101011010100101100101011010  10101010101001011010
Manchester demod: 
         0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 0 0   0 0 0 0 0 1 1 1 0 0 1 0 0 0 1 1   1 1 1 1 1 1 0 0 1 1
Bit Interpretation:
  			FC	108			Card	01827              Checksum/Parity?

96_40426:
00001111010101010101010101010110100101010101  10010110101001101010100110011001  10011010010110011010
         0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0   1 0 0 1 1 1 0 1 1 1 1 0 1 0 1 0   1 0 1 1 0 0 1 0 1 1
				96				40426		
the 00001111 appears to be the prefix or start of data (instead of HID's 00011101)
to clone, take hex of raw FSK Demod and program a ATA55xx blocks 1-3 and program the configuration block the same as an HID standard card (refer to other topics for details on these)

Earman · 2017-01-25 18:33:34

To clone a Paradox:

On a T55XX always use the following block 0:
Block0 = 0x00107060

For block 1, 2 and 3, divide the raw binary output in 3 8 bit sections and convert to Hex as in example below (from Carl55):

0000 1111 0101 0101 0101 0101 0101 0101 0101 0110 0110 0110 1010 1001 1010 1010 1010 0110 1010 0101 1010 1010 0110 1010

Use and Hex-Bin converter (I use: http://calc.50x.eu/) to get the HEX data.

For above example:
T5567 Registers to write:
Block0 = 0x00107060
Block1 = 0x0F555555 = 0000 1111 0101 0101 0101 0101 0101 0101
Block2 = 0x5666A9AA = 0101 0110 0110 0110 1010 1001 1010 1010
Block3 = 0xA6A5AA6A = 1010 0110 1010 0101 1010 1010 0110 1010

chintandarji · 2017-01-25 18:48:30

Thanks @earman, But I know about it and My question was how you calculate the checksum/parity. means
for FC 108 and CN 01827 checksum is 1 1 1 1 1 1 0 0 1 1 So, how did its come up to this bits??

Earman · 2017-01-25 20:41:33

Sorry, I did not read your question properly! Unfortunately I don't have your answer, I am not savvy enough for that!

marshmellow · 2017-02-11 15:34:04

To guess at the checksum we will need more valid tag samples. If you would like to contribute some we can look further at it.

Sentinel · 2018-09-27 10:14:10

Table for the first 256 values. The last byte - checksum/parity
as far as possible, I will continue to fill out the table
0000000047
00000001A5
00000002E4
0000000306
00000004F9
000000051B
000000065A
00000007B8
000000088D
000000096F
0000000A2E
0000000BCC
0000000C33
0000000DD1
0000000E90
0000000F72
0000001012
00000011F0
00000012B1
0000001353
00000014AC
000000154E
000000160F
00000017ED
00000018D8
000000193A
0000001A7B
0000001B99
0000001C66
0000001D84
0000001EC5
0000001F27
000000200A
00000021E8
00000022A9
000000234B
00000024B4
0000002556
0000002617
00000027F5
00000028C0
0000002922
0000002A63
0000002B81
0000002C7E
0000002D9C
0000002EDD
0000002F3F
000000305F
00000031BD
00000032FC
000000331E
00000034E1
0000003503
0000003642
00000037A0
0000003895
0000003977
0000003A36
0000003BD4
0000003C2B
0000003DC9
0000003E88
0000003F6A
000000406A
0000004188
00000042C9
000000432B
00000044D4
0000004536
0000004677
0000004795
00000048A0
0000004942
0000004A03
0000004BE1
0000004C1E
0000004DFC
0000004EBD
0000004F5F
000000503F
00000051DD
000000529C
000000537E
0000005481
0000005563
0000005622
00000057C0
00000058F5
0000005917
0000005A56
0000005BB4
0000005C4B
0000005DA9
0000005EE8
0000005F0A
0000006027
00000061C5
0000006284
0000006366
0000006499
000000657B
000000663A
00000067D8
00000068ED
000000690F
0000006A4E
0000006BAC
0000006C53
0000006DB1
0000006EF0
0000006F12
0000007072
0000007190
00000072D1
0000007333
00000074CC
000000752E
000000766F
000000778D
00000078B8
000000795A
0000007A1B
0000007BF9
0000007C06
0000007DE4
0000007EA5
0000007F47
00000080F3
0000008111
0000008250
00000083B2
000000844D
00000085AF
00000086EE
000000870C
0000008839
00000089DB
0000008A9A
0000008B78
0000008C87
0000008D65
0000008E24
0000008FC6
00000090A6
0000009144
0000009205
00000093E7
0000009418
00000095FA
00000096BB
0000009759
000000986C
000000998E
0000009ACF
0000009B2D
0000009CD2
0000009D30
0000009E71
0000009F93
000000A0BE
000000A15C
000000A21D
000000A3FF
000000A400
000000A5E2
000000A6A3
000000A741
000000A874
000000A996
000000AAD7
000000AB35
000000ACCA
000000AD28
000000AE69
000000AF8B
000000B0EB
000000B109
000000B248
000000B3AA
000000B455
000000B5B7
000000B6F6
000000B714
000000B821
000000B9C3
000000BA82
000000BB60
000000BC9F
000000BD7D
000000BE3C
000000BFDE
000000C0DE
000000C13C
000000C27D
000000C39F
000000C460
000000C582
000000C6C3
000000C721
000000C814
000000C9F6
000000CAB7
000000CB55
000000CCAA
000000CD48
000000CE09
000000CFEB
000000D08B
000000D169
000000D228
000000D3CA
000000D435
000000D5D7
000000D696
000000D774
000000D841
000000D9A3
000000DAE2
000000DB00
000000DCFF
000000DD1D
000000DE5C
000000DFBE
000000E093
000000E171
000000E230
000000E3D2
000000E42D
000000E5CF
000000E68E
000000E76C
000000E859
000000E9BB
000000EAFA
000000EB18
000000ECE7
000000ED05
000000EE44
000000EFA6
000000F0C6
000000F124
000000F265
000000F387
000000F478
000000F59A
000000F6DB
000000F739
000000F80C
000000F9EE
000000FAAF
000000FB4D
000000FCB2
000000FD50
000000FE11
000000FFF3

Proxmark3 community

Announcement

#51 2015-02-12 21:00:35

Re: Help Cloning Paradox 125khz Cards

#52 2015-02-13 07:23:31

Re: Help Cloning Paradox 125khz Cards

#53 2015-02-15 20:55:28

Re: Help Cloning Paradox 125khz Cards

#54 2015-02-15 21:15:19

Re: Help Cloning Paradox 125khz Cards

#55 2015-02-15 22:28:19

Re: Help Cloning Paradox 125khz Cards

#56 2015-02-15 23:12:41

Re: Help Cloning Paradox 125khz Cards

#57 2015-02-16 00:19:20

Re: Help Cloning Paradox 125khz Cards

#58 2015-02-16 09:34:41

Re: Help Cloning Paradox 125khz Cards

#59 2015-02-16 09:55:28

Re: Help Cloning Paradox 125khz Cards

#60 2015-03-22 06:55:34

Re: Help Cloning Paradox 125khz Cards

#61 2015-03-22 10:09:58

Re: Help Cloning Paradox 125khz Cards

#62 2015-03-22 10:59:50

Re: Help Cloning Paradox 125khz Cards

#63 2015-03-23 08:53:59

Re: Help Cloning Paradox 125khz Cards

#64 2015-03-23 09:37:20

Re: Help Cloning Paradox 125khz Cards

#65 2015-03-23 10:17:47

Re: Help Cloning Paradox 125khz Cards

#66 2015-07-07 12:23:40

Re: Help Cloning Paradox 125khz Cards

#67 2015-07-07 15:36:09

Re: Help Cloning Paradox 125khz Cards

#68 2015-07-07 21:04:18

Re: Help Cloning Paradox 125khz Cards

#69 2015-07-07 21:08:01

Re: Help Cloning Paradox 125khz Cards

#70 2015-07-07 21:14:58

Re: Help Cloning Paradox 125khz Cards

#71 2017-01-25 18:05:00

Re: Help Cloning Paradox 125khz Cards

#72 2017-01-25 18:33:34

Re: Help Cloning Paradox 125khz Cards

#73 2017-01-25 18:48:30

Re: Help Cloning Paradox 125khz Cards

#74 2017-01-25 20:41:33

Re: Help Cloning Paradox 125khz Cards

#75 2017-02-11 15:34:04

Re: Help Cloning Paradox 125khz Cards

#76 2018-09-27 10:14:10

Re: Help Cloning Paradox 125khz Cards

Board footer