Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-12-03 22:41:36

lockakey
Contributor
Registered: 2015-10-10
Posts: 22

Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Attempting to duplicate a new type of fob we ran into in the wild.
According to google searches the fob operates on two frequencies leading me to believe two rfid chips or coils.

I did search PAC on these forums and read through the " KeyFOB at 153mHz" post with Asper and Marshmallow.

Any education, insight on this system is greatly appreciated.
I will edit in some of the data sheet pdfs when I get home.

Here is a photo of the proximity fob.
k2010_back-50.jpg

Here are the traces from the pm3

-I tuned my radio.
hw tune

-I took four traces.
lf read
data samples 20000
http://www109.zippyshare.com/v/xrl1pLrv/file.html - [PAC1]

data samples 20000
http://www81.zippyshare.com/v/WAhAQ9DS/file.html - [PAC2]

data samples 20000
http://www13.zippyshare.com/v/1kjKDXDU/file.html - [PAC3]

data samples 16000
http://www108.zippyshare.com/v/mKsIBgVg/file.html - [PAC16]

edit1: added images
edit2: make links clickable

Last edited by lockakey (2017-12-03 22:42:42)

Offline

#2 2017-12-04 10:10:00

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

That's a standard Stanley Pac fob, it's one of the most popular fobs on the market,
It doesn't run at 153Mhz but at 134Mhz 64RF ASK but can be copied with a 125Mhz Coil and can be copied to a standard 5577 tag.

You should get back 4 Blocks of 8 Hex characters with the first block (most of the time) coming in as FFC81264

Offline

#3 2017-12-04 13:48:51

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

There are two varieties of PAC fobs.  One runs at 153khz and the other at 125khz.  There is no substitute for the 153 version at this time.  But as was mentioned the 125khz version can be cloned.

I have not had time to pull up the traces to id yours.

Offline

#4 2018-02-17 03:29:18

actionbias
Contributor
Registered: 2017-07-22
Posts: 26

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

I am also having issues duplicating the Stanley PAC key fob. But I was able to pull this data below. I tried to do a lf t55 dump but was not receiving any data. Any advice? Thanks!

proxmark3> lf sea u
NOTE: some demods output possible binary
if it finds something that looks like a tag 
False Positives ARE possible


Checking for known tags:

PAC/Stanley Tag Found -- Raw: FF2049906D8511C593155B56D5B2649F 

How the Raw ID is translated by the reader is unknown 

Valid PAC/Stanley ID Found!

Offline

#5 2018-02-17 09:57:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Just because its decoded to a PAC/Stanley doesn't mean the chipset used is a T55x7...

Offline

#6 2018-02-17 14:00:44

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

It appears you may have found a bug for us (the printed raw ID appears to be offset a few bits.)  I'll take a closer look in a day or so. 
BTW is there a number printed on the fob?  Or do you know what it reads as on the PAC reader?

Offline

#7 2018-02-17 14:32:03

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

the preamble is looking for FF204..    which matches @actiobias..

uint8_t preamble[] = {1,1,1,1 ,1,1,1,1 ,0,0,1,0 ,0,0,0,0 ,0,1,0};

given Onisan's suggestion of  FFC81264   it should be..

uint8_t preamble[] = {1,1,1,1 ,1,1,1,1 ,1,1,0,0 ,1,0,0,0 ,0,0,0,1};

Question is which preamble is the correct one...

Offline

#8 2018-02-17 14:34:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

I have to check my notes.  The ff20 may be correct after all.

Offline

#9 2018-02-17 14:37:10

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

ff20 is correct, I spoke too soon.  No bug...

Offline

#10 2018-02-22 05:45:46

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

btw, most of the 125 khz PAC cards do appear to be a t55x7 or compatible type of tag, but they are password protected and some at least do not follow the standard atmel t55x7 page 1 TID settings.  these items make the t55x7 pm3 detection and config options useless.

Offline

#11 2018-02-22 08:44:58

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

One of these days you might find time to do more research on them?

Offline

#12 2018-02-22 10:17:53

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

I've never had a Stanley Pac tag I've not been able to duplicate on a SmartCard Deluxe machine.
It takes 5 seconds and equates to 16% of my business.

Offline

#13 2018-02-22 13:15:06

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Cloning is not the intended purpose of the pm3.  I could make the pm3 clone the card easily as well. (It did detect the tag and output it's critical info that would be needed to clone)  But detect the fact that it is using a t55x7 chip is a little more involved.

Offline

#14 2018-02-22 13:33:57

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

As far as more research, we need samples that show how the raw ID equates to the data in the access control software (fc and card #?).
Although I believe this is even configurable on the readers so it may be different in each install.

Offline

#15 2018-09-16 20:58:22

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Is there an update to this at all? I'm able to read a PAC Tag, tried splitting it into 4, 4 byte chunks and loading it onto a T5577 tag but it dosen't read back as a PAC Tag.

Offline

#16 2018-09-16 22:13:45

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Interesting, it worked restoring to Block 1, it works on one door, but not another, I'm thinking it has something to do with the Config Block (0)

Offline

#17 2018-09-17 00:11:01

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Does anyone know what the default config block for PAC Keyfobs are?

Offline

#18 2018-09-17 16:37:09

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

So yeah, I think it literally is just a T55xx Tag, it's just using some weird config block, I'm trying to work out how mashmellow is decoding the Raw ID, if we need to find out what bits do what, I can look at Reverse Engineering the firmware running on the controller.

Last edited by dylanger (2018-09-17 16:48:32)

Offline

#19 2018-09-17 17:38:44

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Another Question, why is this data useful? Does it dictate what access you have? I would have thought that'd be controlled by the controller?

Offline

#20 2019-12-25 10:05:54

Rjevski
Contributor
Registered: 2019-12-20
Posts: 4

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Does anyone have news on this? I've got the same tag and am interested in copying it.

Offline

#21 2019-12-25 12:29:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Collect some lf signal trace data and share here? The prefered way is to use a filesharing service and link in a post.

rrg/iceman repo
pm3-> lf read
pm3-> data save f lf_unk_nnnnn

official repo
proxmark3-> lf read
proxmark3-> data save lf_unk_nnnnn.pm3

Offline

#22 2020-01-01 21:05:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Thanks to the user @danshuk  PAC/Stanley is solved when it comes to  decode/encode from raw to cardid.   Awesome!

[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] PAC/Stanley Tag Found -- Card ID: CD4F5552, Raw: FF2049906D8511C593155B56D5B2649F

[+] Valid PAC/Stanley ID found!

Offline

#23 2020-09-05 16:27:17

Rjevski
Contributor
Registered: 2019-12-20
Posts: 4

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Hello everyone, I've finally got my hands on a Proxmark 3 (the "easy" cheap version but it seems to work after loading the latest firmware from the Proxmark repo).

Prox/RFID mark3 RFID instrument          
bootrom: master/v3.1.0-200-ge6158a4-suspect 2020-09-05 11:21:35
os: master/v3.1.0-200-ge6158a4-suspect 2020-09-05 11:27:41
fpga_lf.bit built for 2s30vq100 on 2019/11/21 at 09:02:37
fpga_hf.bit built for 2s30vq100 on 2020/03/05 at 19:09:39
SmartCard Slot: not available
          
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 209033 bytes (40%). Free: 315255 bytes (60%).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory

I'm now trying to read a PAC keyfob and had some problems. Using the code from the repo, "lf search" didn't find anything. I am getting somewhere with the following though:

proxmark3> lf read
#db# LF Sampling config:           
#db#   [q] divisor:           95           
#db#   [b] bps:               8           
#db#   [d] decimation:        1           
#db#   [a] averaging:         1           
#db#   [t] trigger threshold: 0           
#db#   [s] samples to skip:   0           
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample          
#db# buffer samples: 7b 7b 7a 78 7a 78 48 0e ...          
Reading 39999 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1

proxmark3> data samples 20000
Reading 20000 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
proxmark3> data autocorr 2000
performing 18000 correlations          
Possible Correlation: 4096 samples

Now I don't have the exact commands at hand but I've managed to extract the raw bitstream from that and then searched for the PAC preamble (https://github.com/Proxmark/proxmark3/blob/fdee1ffa8419e8357913582f53e74218cae5b3d4/client/cmdlfpac.c#L32) in there to no avail. However inverting the preamble (converting ones to zeros and the reverse) I found a repeating pattern - somehow the demodulation is inverted?

As a hack I've changed the "NRZrawDemod" function to always default to inverted mode (set invert=1 instead of invert=0 at line 907 of client/cmddata.c) and after recompiling, "lf search" is now successfully recognizing the PAC keyfob:

proxmark3> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
Tried NRZ Demod using Clock: 32 - invert: 1 - Bits Found: 936          
NRZ demoded bitstream:          
1011001010001100
[truncated]
0010100111011000
          
PAC/Stanley Tag Found -- Raw: FF2049906[truncated]          

How the Raw ID is translated by the reader is unknown          

Valid PAC/Stanley ID Found!

Now my questions are:

1) what is going on with the requirement to invert the NRZ demodulation? Is it a hardware quirk of my "counterfeit" Proxmark or do I have some kind of weird type of PAC keyfob that's inverted? I have tried 2 tags from the same premises and they both exhibit the same problem (despite working perfectly and decoding to a plausible value as the starting part "FF2049906" is the same for the other posts in this thread). Needless to say the tags work fine for opening the door.

2) How do I emulate this? As a proof of concept I'd like to emulate this tag with the Proxmark. Am I correct in saying that emulation doesn't care about decoding data as it can just replay the raw waveform, thus I can do "lf raw" and then "lf sim"? Do I need to set some extra parameters in "lf config" first? Or do I need to properly demodulate the data before being able to simulate it?

3) How would I write this to a T5577 tag? I'm pretty sure it's doable and it's just a matter of understanding the T5577 datasheet and setting its config blocks properly, but I wonder if someone has already figured that out and would be willing to provide the required settings? I know Proxmark has some code to clone other types of tags (and that code sets the required T5577 blocks) so I was wondering if someone has already done that research for these PAC (or similar) keyfobs.

Thanks!

Offline

#24 2020-09-06 18:06:21

Rjevski
Contributor
Registered: 2019-12-20
Posts: 4

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Update:

I've successfully managed to copy the PAC keyfob onto a T5577 card. First you need to read the raw data of your PAC tag as in the outputs quoted in previous posts. If your PAC tag is not detected you might want to try the "hack" I described in my previous post where you change the NRZ demod function to default to inverted mode.

Once you have the raw data (that FF204... string), split it in 8 character blocks, then do the following:

lf t55 write b 1 d <first 8 chars of the raw data, FF204....>
lf t55 write b 2 d <second 8 chars of the raw data>
lf t55 write b 3 d <third 8 chars>
lf t55 write b 4 d <last 8 chars>

Finally set the config of the T5577 card to simulate the PAC's radio properties (modulation, etc):

lf t55 write b 0 d 80080

At this point it will stop responding to "lf t55 ..." commands but should now become detectable by the "lf pac read" command.

Offline

#25 2024-02-14 16:23:14

ProxSmith
Contributor
Registered: 2024-02-14
Posts: 2

Re: Stanley PAC 125 kHZ / KeyPAC + Readykey 153 kHZ

Sorry to resurrect such an old thread, but did anyone work out how to get from card data to raw?

[+] PAC/Stanley - Card: AE4D3B36, Raw: FF2049906D075145911D9B21D9B36C03
[+] PAC/Stanley - Card: AE4D5B36, Raw: FF2049906D075145911D5B21D9B36CC3
[+] PAC/Stanley - Card: AE5D1B36, Raw: FF2049906D075155B11D1921D9B36D83

Offline

Board footer

Powered by FluxBB