Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Dear community,
I'm trying do decode a previously to me unknown tag. Since hf search didn't find a readable tag, I tried low freq:
pm3 --> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
[-] No known 125/134 KHz tags Found!
Valid T55xx Chip Found
Try `lf t55xx` commands
To get more hints on the tag, I did
pm3 --> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
[-] No known 125/134 KHz tags Found!
[=] Checking for Unknown tags:
[-] no repeating pattern found
FSK1a decoded bitstream:
1011000110100001
1011000110000000
0000100000000000
0000000000000000
0000000001111001
1000000110010001
1011000110000001
1011000110111001
1011000110100001
1011000110000000
0000100000000000
0000000000000000
0000000001111001
1000000110010001
1011000110000001
1011000110111001
1011000110100001
1011000110000000
0000100000000000
0000000000000000
0000000001111001
1000000110010001
1011000110000001
1011000110111001
1011000110100001
1011000110000000
0000100000000000
0000000000000000
0000000001111001
1000000110010001
10
Unknown FSK Modulated Tag Found!
Valid T55xx Chip Found
Try `lf t55xx` commands
pm3 --> lf t55 config d FSK
Chip Type : T55x7
Modulation : FSK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 28
Seq. Term. : No
Block0 : 0x00000000
pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | C606C6E6 | 11000110000001101100011011100110 | ....
01 | C606C6E6 | 11000110000001101100011011100110 | ....
02 | C606C6E6 | 11000110000001101100011011100110 | ....
03 | 63036373 | 01100011000000110110001101110011 | c.cs
04 | C606C6E6 | 11000110000001101100011011100110 | ....
05 | 63036373 | 01100011000000110110001101110011 | c.cs
06 | C606C6E6 | 11000110000001101100011011100110 | ....
07 | C606C6E6 | 11000110000001101100011011100110 | ....
Reading Page 1:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 9F92F5DD | 10011111100100101111010111011101 | ....
01 | 9F92F5DD | 10011111100100101111010111011101 | ....
02 | 9F92F5DD | 10011111100100101111010111011101 | ....
03 | 9F92F5DD | 10011111100100101111010111011101 | ....
Now I feel a little stuck since I'm not used to lf tags .... Similar to Mifare classic tags I would suppose to see any obvious data content, whether coded or decoded, on the tag, but the only interesting parts are page 0 block 3 and 5. Any hints how that data should be interpreted are welcome!
Regards,
JD.
Last edited by JohnDoePM (2020-10-22 15:42:54)
Offline
You should always run detect before doing any of the t55xx commands.
lf t55 detect
lf t55 info
lf t55 trace
lf t55 dump
---
lf read
data plot
data save -f lf_unknown_xxxxx.pm3
Is some suggestions.
There are some guide on the official wiki how to look and use the LF commands.
some videos on youtube also.
Reading a t5577 datasheet will also be useful for you.
Enjoy!
Offline
Dear Iceman,
studying this video tutorial I managed to determine that per read there are 4 bytes transmitted (period length 256 divided by 8 clock rate).
And, according to the waveform per read, I would tend to and fsk modulation.
So I went to
lf t55 config d FSK
[=] Chip Type : T55x7
[=] Modulation : FSK
[=] Bit Rate : 0 - RF/8
[=] Inverted : No
[=] Offset : 0
[=] Seq. Term. : No
[=] Block0 : 0x00000000
[=] Downlink Mode : default/fixed bit length
[=] Password Set : No
[usb] pm3 --> lf t55 info
--- T55x7 Configuration & Information ---------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 0 - RF/8
eXtended mode : No
Modulation : 0 - DIRECT (ASK/NRZ)
PSK clock frequency : 0 - RF/2
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 0
Password mode : No
Sequence Terminator : No
Fast Write : No
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0, block 0
0x00000000 00000000000000000000000000000000
-------------------------------------------------------------
[usb] pm3 --> lf t55 dump
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 80003FFF | 10000000000000000011111111111111 | ..?.
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] 04 | 00000000 | 00000000000000000000000000000000 | ....
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
[+] 06 | 00000000 | 00000000000000000000000000000000 | ....
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Reading Page 1:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00000000 | 00000000000000000000000000000000 | ....
[+] 01 | FFF80000 | 11111111111110000000000000000000 | ....
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] saved to json file lf-t55xx-dump-4.json
[+] saved 12 blocks to text file lf-t55xx-dump-4.eml
[+] saved 48 bytes to binary file lf-t55xx-dump-4.bin
But that page 0 seems not to be what I expected:
[usb] pm3 --> data rawdemod fs
FSK1a decoded bitstream:
01110000000010101000010100110010
01111110010010111101011101110111
11110000000010101000010100110010
01111110010010111101011101110111
11110000000010101000010100110010
01111110010010111101011101110111
11110000000010101000010100110010
01111110010010111101011101110111
11110000000010101000010100110010
01111110010010111101011101110111
11110000000010101000010100110010
01111110010010111101010000000000
0
Could you give me a hint ?
Best regards
JD.
Edit:
I should have thought till the end ...
[usb] pm3 --> data print x
[+] DemodBuffer: 700A85327E4BD777F00A85327E4BD777F00A85327E4BD777F00A85327E4BD777F00A85327E4BD777F00A85327E4BD
[usb] pm3 -->
Does that look of something useful ... ?
Last edited by JohnDoePM (2020-10-30 21:30:43)
Offline
Dear community,
I thought to start from the beginning as I'm not quite sure if I'm getting the modulation right and to make sure that the hw works as expected.
To my system:
[usb] pm3 --> hw ver
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.9237-1927-g03bd9e00 2020-11-02 09:59:07
compiled with GCC 7.5.0 OS:Linux ARCH:x86_64
[ PROXMARK3 ]
firmware.................. PM3OTHER
[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-1900-ga7cdffd5 2020-10-31 18:30:50
os: RRG/Iceman/master/v4.9237-1927-g03bd9e00 2020-11-02 10:00:05
compiled with GCC 6.3.1 20170620
[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 263728 bytes (50%) Free: 260560 bytes (50%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> hw tune
[=] REMINDER: 'hw tune' doesn't actively tune your antennas, it's only informative
[=] Measuring antenna characteristics, please wait...
? 9
[=] ---------- LF Antenna ----------
[+] LF antenna: 17,62 V - 125,00 kHz
[+] LF antenna: 21,83 V - 134,83 kHz
[+] LF optimal: 21,86 V - 131,87 kHz
[+] Approx. Q factor (*): 5,9 by frequency bandwidth measurement
[+] Approx. Q factor (*): 6,4 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 26,42 V - 13.56 MHz
[+] Approx. Q factor (*): 7,7 by peak voltage measurement
[+] HF antenna is OK
(*) Q factor must be measured without tag on the antenna
[+] Displaying LF tuning graph. Divisor 88 (blue) is 134,83 kHz, 95 (red) is 125,00 kHz.
What happens if I try something to detect:
[usb] pm3 --> lf t55 detect
[!] ⚠️ Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t55xx read b 0
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
That 's the signal I get from lf read:
[usb] pm3 --> lf read
[#] LF Sampling config
[#] [q] divisor.............95 ( 125.00 kHz )
[#] [b] bits per sample.....8
[#] [d] decimation..........1
[#] [a] averaging...........No
[#] [t] trigger threshold...0
[#] [s] samples to skip.....0
[#] LF Sampling Stack
[#] Max stack usage.........4040 / 8480 bytes
[#] Done, saved 44072 out of 0 seen samples at 8 bits/sample
[=] Reading 44071 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1
This is what the answer of the card looks like:
Readplot
If somebody has an idea what kind of tag this could be and how I'm supposed to get something out of it that information is highly appreciated.
Best regards,
JD.
Offline
Maybe an update:
I've gambled around a bit with the distance/relative position between the proxmarl lf antenna and the card. And voila:
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] Indala - len 121, Raw: 800000004100000008c9cecccff7ffc64e76667fbfff000000798181
[+] Valid Indala ID found!
[+] Chipset detection: T55xx
Now I will try to clone the card with
lf indala clone -l -r 8000000000042033723273b333fe6e464e76667f8000000000798181
to a blank T55XX card.
Offline
Seems like an odd length for indala, which is PSK based.
And your plot doesn't look like PSK. I would say false positive.
lf read
data mod
data raw -- based on what mod say
Offline
Cheers iceman,
there you are:
[usb] pm3 --> lf read
[#] LF Sampling config
[#] [q] divisor.............95 ( 125.00 kHz )
[#] [b] bits per sample.....8
[#] [d] decimation..........1
[#] [a] averaging...........No
[#] [t] trigger threshold...0
[#] [s] samples to skip.....0
[#] LF Sampling Stack
[#] Max stack usage.........4040 / 8480 bytes
[#] Done, saved 44072 out of 0 seen samples at 8 bits/sample
[=] Reading 44071 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1
[usb] pm3 --> data mod
[+] Found [1] possible matches for modulation.
[=] --[1]---------------
[=] Modulation.... FSK1a
[=] Bit clock..... RF/64
[+] Field Clocks.. FC/8, FC/5
[usb] pm3 --> data raw fs
FSK1a decoded bitstream:
10101001010101000010000000000000
00000001101000100011010100010100
10101010101010101000010000000000
00000000011010001000101010001010
01011010100100101010100001000000
00000000000000110100010001101010
00101001011010101010101010000100
00000000000000000011010001000110
10100010101011010100101010101000
01000000000000000000001101000100
01101010001010101101010100101010
10000100000000000000000000110100
01000110101000101001010101010101
01010000100000000000000000001101
00010001010100010101011010100100
10101010000100000000000000000000
Can you lend me a hand to look on the findings the right way ?
Best regards,
JD.
Offline
Look at the hex, maybe you find something,
data print x
or try "lf search" again now that you found a better spot w the card/antenna
Offline
[usb] pm3 --> data print x
[+] DemodBuffer: A954200003446A295555080000D115156A4AA100000D11A8A5A955080000D11A8A5A955080000688D45554AA100001A22A2954954200003445455A92A8400003
Even if I group the data in seven parts I don't see something interesting here...
Offline
Pages: 1