Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
I might have a unique tag in my hands and I could use any assistance possible!
The tag (encased in plastic) holds credits and can be "re-written/filled" by a PC reader/writer which seems to be proprietory and is NOT sold to end users.
The tag was introduced in the market circa 2002 in Italy by a (now defunct) company named "OTR". OTR's founder holds many patents and the company had a lot of R&D stuff plus an assembly line. So there is a huge possibility that the PCB was printed inhouse and the chip is "custom".
The tag's, marketing name was "Genius". When OTR ceased to exist, a new Italian company named "Paytec" carried on marketing and selling the tags and hardware. Nowadays, "Paytec" does not seem to market any more the "Genius" but an other Italian company is still selling tags and hardware (only to B2B). The tags are extremely popular in the Mediterranean countries! (see relevant photos; link below)
Proxmark3:
-------------
I am currently running on iceman's latest firmware (I have also tried with the latest official firmware; results are identical).
The proxmark3 can read all my various (diffent types) of tags I throw at it; so it works fine.
If not mistaken, "130 LF" is imprinted on the PCB and it seems to draw power in the LF.
Proxmark can't however detect anything valuable (see relevant photos; link below)
I have no clue what the tag really is. Is it supposed to wake up with a special pattern?
Is it proprietary?
I can even ship/send it if anyone wants to investigate 1st hand.
Thanks in advance!
*** Please see all relevant photos at:
https://photos.app.goo.gl/D7tMf4rhMt8h7hvS7
https://photos.app.goo.gl/atCHyfa3YM3qmGNR6
Last edited by jamesmat (2019-09-26 20:33:58)
Offline
that looks like an ASK based signal from the tag trace.
Save a trace file and share it here
lf read
data save otr_lf130.pm3
data detect a
data raw am
data print x
And if you have more of those tags, I am interested in one but start with a trace file.
[edited]
Offline
Thanks iceman for your prompt reply!
1) "lf read" commands outcome (note that "data raw am" and "data print x" produced no output):
https://photos.app.goo.gl/LupF3t8KVKF8f26C7
2) "otr_lf130.pm3" file uploaded: https://we.tl/t-QgPzAgV1CN
3) Excuse my ignorance. What exactly do you mean with "that look like and ASK based trace."?
4) Yes, of course I can provide you with a tag!
PS: would you be interested in a Teamviewer/AnyDesk session? This way you can examine the tag live
Last edited by jamesmat (2019-09-26 20:35:01)
Offline
That was just my bad spelling. I edited the post.
Anyway, thanks for the trace. The signal is kind of bad, the carrier spills over.
Which Proxmark3 device are you using?
"data correleation w 8000 g" shows a correlation of 6272.
"data detectclock a" shows a clock of 32
Which gives 6272 / 32 = 196 bits repeating pattern.
which would be 196/8 = 24bytes.
...some few tries later....
It looks manchester encoded.
[usb] pm3 --> da manraw Manchester Decoded - # errors:0 - data:
10010101000101010000000010110110
10001000000000000110001110111110
11000111110001100001010001110011
11000111110001100001010001110011
10001000000100110000000011001111
00000100000000000111011010110011
10010101000101010000000010110110
10001000000000000110001110111110
11000111110001100001010001110011
11000111110001100001010001110011
10001000000100110000000011001111
00000100000000000111011010110011
10010101000101010000000010110110
10001000000000000110001110111110
11000111110001100001010001110011
11000111110001100001010001110011
Which finally leads to the repeating 24bytes.
95 15 00 B6 88 00 63 BE
C7 C6 14 73 C7 C6 14 73
88 13 00 CF 04 00 76 B3
ASK/Manchester, clk 32...
now... decode that to a number.
Did you have any ID / printing on the tag?
or number from when presenting it from a reader?
Offline
1) there is a high probability that the ID is = 136. I am not 100% sure as when I removed the plastic encasing I might have mixed its key ring (the plastic encasing does not always have something written on it. Most of the times their key rings have a hand written number). In the 24 bytes you have posted I see 0x88 twice (136 decimal). Is this what you mean?
2) I am sending you 2 more traces of 2 other tags. The one has "98" written on it, the other "99". Please note that each tag I have sent you (3 in total) belong to different "locations"/customers. When a tag is inserted in the reader, -indeed- a number is displayed and it is always "small" (between 1-200). So, the 136, 98 and 99 numbers should be what we are after.
3) "Which Proxmark3 device are you using?": you will see in the attachment
4) Sorry for repeating myself: would a remote session help you in any way? Or are the dumps sufficient?
5) Finally, I am trying to recreate your steps in order to reach your "repeating 24 bytes" pattern but cant. If its no hassle to you, can you please write what exact steps you did in order to reach them?
Files: https://we.tl/t-TQE3TgU8HG
Last edited by jamesmat (2019-09-27 05:55:20)
Offline
1,2 ) its a bit too few numbers to determine the start of the signal data. Using more traces from same "locations/customers" is needed in order to figure out the correct start offset. And if there is an preamble etc.
3) RDV2, cool, you should be able to get a nice clean signal of the tag from that device. You should be using latest source from either offical repo or RRG/Iceman. The one you are on is a bit old.
4) I don't really need a remote session
Some different ways to get a better decode from your tags. I suggest you try several times to collect traces and share So we can make a proper demod for it.
method 1
data load otr_lf130.pm3
data plot
data detect a
data norm
data raw ar
data manraw
data bin2hex ....
method 2
data load otr_lf130.pm3
data plot
data iir 1
data norm
data detect a
data raw am
data print x
data bin2hex ...
Offline
1) I have made 5 new traces for each of the 3 tags. So now you will have 1+5 for each. Let me know if you need more. I can make as many as you like/need. Please keep in mind that if ultimately a capture between the reader/tag will be needed, it is close to impossible. Reasons: a) the readers are in public places and (b) the tag is inserted in a slot. I highly doubt that radio waves escape sufficiently enough for a valid capture. All traces can be downloaded from https://we.tl/t-PoOJ3eioS6 (each tag has its own folder. Read included "readme.txt")
2) I will of course update to the latest if needed.
3) I tried both your methods. None works for me I will post below a detailed step-by-step so you can see.
Last edited by jamesmat (2019-10-01 12:11:37)
Offline
I found an other user in this forum who has an identical tag in his hands.
The relevant posting named "New LF Tag" is at http://www.proxmark.org/forum/viewtopic … 285#p44285
Unfortunately he doesnt seem to have any luck. If anyone can help please let me know.
Last edited by jamesmat (2022-01-30 20:40:24)
Offline
Pages: 1