Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2021-04-21 13:34:19

jrjgjk
Contributor
Registered: 2021-04-16
Posts: 3

Nexwatch cmd

Hi, I am new to Proxmark3.
I am trying to understand why both commands:

lf nexwatch clone --raw <MY HEX DATA>
lf nexwatch --cn <CARD ID>

don't work.

But what I am able to do is:
- write the same data I dumped by shifting the bits 10 bits to the left before writing them, and it works perfectly.
- simulate the card (lf read/lf sim)

Write the same data I dumped
If I try to rewrite the dump on a card, I don't get the same result. I understand that the dump shows the bits shifted by 10 bits, so I reshifted it in the opposite direction and I succeeded. Maybe the dump function doesn't show the correct data. I also compared the dump to the dump given by another Proxmark, and it didn't give me the same result.

I also analysed the hex data obtained with:

lf nexwatch reader

And the data are correct, as I can retrieve my ID, mode, parity, etc.

So I am thinking that there is a malfunction in the `lf t55 dump` command.
Below is an example of the dump I get with the `lf t55 dump` command without reshifting bits:

[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 20000108 | 00100000000000000000000100001000 |  ...
[+]  01 | 003E8000 | 00000000001111101000000000000000 | .>..
[+]  02 | 4E002AB1 | 01001110000000000010101010110001 | N.*.
[+]  03 | C0290953 | 11000000001010010000100101010011 | .).S
[+]  04 | 00000000 | 00000000000000000000000000000000 | ....
[+]  05 | 00000000 | 00000000000000000000000000000000 | ....
[+]  06 | 00000000 | 00000000000000000000000000000000 | ....
[+]  07 | 00000000 | 00000000000000000000000000000000 | ....

Shifting the bits:

Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | 00042080 | 00000000000001000010000010000000
  1 | FA000000 | 11111010000000000000000000000000
  2 | 00AAC538 | 00000000101010101100010100111000
  3 | A4254F00 | 10100100001001010100111100000000
  4 | 00000000 | 00000000000000000000000000000000
  5 | 00000000 | 00000000000000000000000000000000
  6 | 00000000 | 00000000000000000000000000000000
  7 | 00000000 | 00000000000000000000000000000000

(This is also what I got with the old proxmark)
If anyone could help me understand how I can clone a nexwatch card with the Proxmark3, or how I can recover the ID from the above dump, it would be perfect!
Thanks in advance and tell me if you need more data or something.


#2 2021-04-21 19:59:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Nexwatch cmd

Which repo are you running?

I can't find the nexwatch preamble in your `lf t55xx dump` output.


#3 2021-04-22 08:17:12

Zolorah
Contributor
Registered: 2021-04-16
Posts: 9

Re: Nexwatch cmd

Hello,
I am working with jrjgjk! We were using your repo https://github.com/RfidResearchGroup/proxmark3 for the Proxmark3 RDV4.0,
and the repo https://github.com/Proxmark/proxmark3 for the other Proxmark3 hardware.

Indeed, we cannot find the preamble in the lf t55 dump. It's a dump made using the default config (PSK2 - RF/16), but we can find it if we dump with config PSK1 - RF/16:

Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | FFF83F00 | 11111111111110000011111100000000
  1 | 53FFFFFF | 01010011111111111111111111111111
  2 | FF3379D0 | 11111111001100110111100111010000
  3 | 38398A00 | 00111000001110011000101000000000
  4 | 00000000 | 00000000000000000000000000000000
  5 | 00000000 | 00000000000000000000000000000000
  6 | 00000000 | 00000000000000000000000000000000
  7 | 00000000 | 00000000000000000000000000000000

But we are wondering why we get this result in PSK1, as it seems to us from reading block 0 that we should demodulate with PSK2.
Moreover, even with this dump we can't find the ID. We tried to descramble using the pattern found on the forum, but maybe we're missing a step?
Thank you for your fast reply.


#4 2021-04-22 09:42:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Nexwatch cmd

How about you share a signal trace instead? Replace <CARDID> with the real ID here.

lf read
data save -f lf_nextwatch_<CARDID>.pm3


#5 2021-04-22 10:16:42

Zolorah
Contributor
Registered: 2021-04-16
Posts: 9

Re: Nexwatch cmd

OK, here it is:
https://pastebin.com/irj0mNij

Thanks !


#6 2021-04-22 20:06:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Nexwatch cmd

And what is your problem with it?
The pm3 client identifies it.
You can easily clone it with the nexwatch cmd.


#7 2021-04-22 20:44:18

Zolorah
Contributor
Registered: 2021-04-16
Posts: 9

Re: Nexwatch cmd

We're mostly trying to understand the dump and how to retrieve the different pieces of information contained in the card identified in the other topics (like ID, mode, checksum) from the dumped data. Moreover, we're trying to figure out why we can't succeed in cloning with the nexwatch cmd. I mean, we managed to do so with lf read and lf sim, but nexwatch clone didn't work for us.

Maybe we're doing something wrong but lf nexwatch clone <ID> didn't work with our ID.
And from the dumps written earlier we can't manually find anything but the preamble and reserved field.

Thank you for your time and responses so far !

[Edit] : The command we tried is not lf nexwatch clone <ID> but

 lf nexwatch clone --cn <ID>

Last edited by Zolorah (2021-04-23 07:53:07)


#8 2021-05-06 18:25:33

jrjgjk
Contributor
Registered: 2021-04-16
Posts: 3

Re: Nexwatch cmd

Hi, just to say that we finally found what the issue was. The magic number used for our cards is different from the one used for nexkey / quadrakey. Also, the clone function works perfectly. Thanks for your help and responses.


#9 2021-05-06 18:41:44

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Nexwatch cmd

Good to hear.
Out of curiosity, which magic number did your system have?


#10 2021-05-07 15:35:12

Zolorah
Contributor
Registered: 2021-04-16
Posts: 9

Re: Nexwatch cmd

Hello,

We found magic byte 0x86.
We figured that if we have a magic byte different from nexkey or quadrakey, then other systems could have one too, so we added a bruteforce step (only 256 values, so brute force is acceptable) to the lf nexwatch reader command and an optional argument --magic to the lf nexwatch clone command that allows giving a specific value for the magic byte when cloning (see below examples of usage).

Now, one thing we don't understand is that our block 0 seems to indicate that the card is encoded in PSK2: lf t55 detect tells us PSK2 (btw, we're not sure we understand how the detect works: how can you tell what modulation to use to read block 0?) and previous dumps seem to confirm that we should use PSK2. However, the dump in which we find data such as the scrambled ID and the checksum is the PSK1 dump. When we create a clone of the card, we calculate the raw data to write in PSK1 (the preamble, the reserved bits and all) and then we use psk1TOpsk2 to transform it into PSK2 raw data that we then write (with the block 0 corresponding to the PSK2 RF/16 modulation) onto a tag.
But this solution seems weird and we're not sure it's the easiest way of doing it.
Do you have an opinion or advice on what the solution could be?

Thank you,
Zolorah

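The 256-value brute force Zolorah describes, as an added example for this thread (not code from the thread or from the pm3 client): recompute the checksum for every candidate magic byte, keep the ones that match the checksum read off the card, and label the values named above (0xBE Quadrakey, 0x88 Nexkey, 0x86 Honeywell). The `checksum()` function is a placeholder assumption (XOR of the four ID bytes, the parity nibble and the magic byte); the real NexWatch formula lives in the client's cmdlfnexwatch.c, and the card values used below are constructed.

```python
"""Brute-force the NexWatch magic byte from values decoded off a card.

Added example for this thread, not code from the pm3 client. The card's
checksum depends on the descrambled ID, the parity nibble and a per-system
magic byte; with only 256 candidates, testing every magic value against the
checksum read from the tag is cheap.

ASSUMPTION: checksum() is a placeholder (XOR of the four ID bytes, the
parity nibble and the magic). The real formula is in the pm3 client's
cmdlfnexwatch.c; replace this one function and the rest stays the same.
"""
from typing import Dict, List, Tuple

# Magic bytes named in the thread.
KNOWN_MAGIC: Dict[int, str] = {
    0xBE: "Quadrakey",
    0x88: "Nexkey",
    0x86: "Honeywell",
}


def checksum(magic: int, card_id: int, parity: int) -> int:
    """Placeholder checksum: XOR of ID bytes, parity nibble and magic byte."""
    c = (magic ^ parity) & 0xFF
    for byte in card_id.to_bytes(4, "big"):
        c ^= byte
    return c


def bruteforce_magic(card_id: int, parity: int, observed_checksum: int) -> List[int]:
    """Every magic value whose checksum matches what was read from the card."""
    observed_checksum &= 0xFF
    return [m for m in range(256)
            if checksum(m, card_id, parity) == observed_checksum]


def identify_system(card_id: int, parity: int, observed_checksum: int) -> List[Tuple[int, str]]:
    """Map matching magic values to a system name, or 'unknown' for new ones.

    More than one hit means the checksum is not injective in the magic byte
    for this card; a second card from the same system disambiguates.
    """
    return [(m, KNOWN_MAGIC.get(m, "unknown"))
            for m in bruteforce_magic(card_id, parity, observed_checksum)]


# Constructed sample: the checksum a Honeywell (0x86) card would carry under
# the placeholder formula for ID 0x12345678 and parity nibble 0x5.
SAMPLE_ID = 0x12345678
SAMPLE_PARITY = 0x5
SAMPLE_CHECKSUM = checksum(0x86, SAMPLE_ID, SAMPLE_PARITY)  # 0x8B


if __name__ == "__main__":
    for magic, name in identify_system(SAMPLE_ID, SAMPLE_PARITY, SAMPLE_CHECKSUM):
        print(f"magic 0x{magic:02X} ({name})")
```

With an XOR-style checksum the magic could be solved directly instead of searched, so the loop only earns its keep once the real checksum is dropped in; the search and the name table are the parts that carry over unchanged.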

#11 2021-05-07 18:33:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Nexwatch cmd

Interesting, what system is it? I will need a description for the identifier (0x86).
Quadrakey is 0xBE
Nexkey is 0x88
xxxx is 0x86


#12 2021-05-07 19:04:56

Zolorah
Contributor
Registered: 2021-04-16
Posts: 9

Re: Nexwatch cmd

I don't really know what's its name, it's a recent Honeywell card but I don't know if it has a name.


#13 2021-05-08 15:27:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Nexwatch cmd

OK, I added your magic number to the commands.


#14 2021-06-04 09:34:54

Zolorah
Contributor
Registered: 2021-04-16
Posts: 9

Re: Nexwatch cmd

Hello iceman !
We have tried what you added to your repo for our cards, but it still doesn't work for cloning our cards. However, we found out that our card reader is only able to read PSK2 cards. We added our own command to transform the blocks of nexwatch clone to PSK2 and it works fine for our cards.

Moreover, we thought it would be useful, when reading a nexwatch card, to be able to brute force the value of the magic byte used for the card if it's not one of the three known values, and to be able to clone a card with a specific magic byte.

We added both these modifications locally and can send this version to you if you consider it worthwhile.

Thanks

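The re-encoding step described in posts #10 and #14 (raw blocks computed for PSK1, then converted for a reader that only handles PSK2), as an added example for this thread rather than code from the pm3 client. It assumes the usual convention that PSK2 carries a 1 as a phase change relative to the previous bit period and a 0 as no change, so PSK1 to PSK2 is differential encoding of the bitstream and the reverse is a running XOR; the first bit has no predecessor and is kept unchanged. The sample input is the three data blocks from the PSK1 dump in post #3; the T55xx configuration block is not converted here and must be rewritten separately to select PSK2 and the bit rate (RF/16 in the thread).

```python
"""Re-encode T55xx data blocks between PSK1 and PSK2.

Added example for this thread, not code from the pm3 client. PSK1 carries
each data bit in the absolute carrier phase of its bit period; PSK2 carries
it in phase *changes* (1 = phase flips relative to the previous bit,
0 = no flip). ASSUMPTION: that convention. Under it, PSK1 -> PSK2 is
differential encoding of the bitstream and PSK2 -> PSK1 is a running XOR.
The T55xx configuration block (block 0) is not converted here; it has to be
rewritten separately to select PSK2 and the bit rate (RF/16 in the thread).
"""
from typing import List

BLOCK_BITS = 32

# PSK1 data blocks 1..3 as posted in this thread (PSK1, RF/16 dump).
PSK1_DATA_BLOCKS = [0x53FFFFFF, 0xFF3379D0, 0x38398A00]


def blocks_to_bits(blocks: List[int]) -> List[int]:
    """MSB-first bit list for a sequence of 32-bit T55xx blocks."""
    bits: List[int] = []
    for block in blocks:
        bits.extend((block >> (BLOCK_BITS - 1 - i)) & 1 for i in range(BLOCK_BITS))
    return bits


def bits_to_blocks(bits: List[int]) -> List[int]:
    """Inverse of blocks_to_bits; length must be a multiple of 32."""
    if len(bits) % BLOCK_BITS:
        raise ValueError("bit count is not a whole number of blocks")
    return [int("".join(str(b) for b in bits[i:i + BLOCK_BITS]), 2)
            for i in range(0, len(bits), BLOCK_BITS)]


def psk1_to_psk2(bits: List[int]) -> List[int]:
    """Differential encode: first bit kept, then 1 wherever the phase changes."""
    if not bits:
        return []
    out = [bits[0]]
    for prev, cur in zip(bits, bits[1:]):
        out.append(prev ^ cur)
    return out


def psk2_to_psk1(bits: List[int]) -> List[int]:
    """Running XOR: accumulate phase flips back into absolute phase."""
    out: List[int] = []
    phase = 0
    for b in bits:
        phase ^= b
        out.append(phase)
    return out


def psk1_blocks_to_psk2(blocks: List[int]) -> List[int]:
    """Convert whole data blocks, treating them as one continuous bitstream."""
    return bits_to_blocks(psk1_to_psk2(blocks_to_bits(blocks)))


def psk2_blocks_to_psk1(blocks: List[int]) -> List[int]:
    """Inverse of psk1_blocks_to_psk2."""
    return bits_to_blocks(psk2_to_psk1(blocks_to_bits(blocks)))


if __name__ == "__main__":
    for n, blk in enumerate(psk1_blocks_to_psk2(PSK1_DATA_BLOCKS), start=1):
        print(f"block {n}: {blk:08X}")
```

The blocks are converted as one continuous stream because the tag transmits them back to back, so the phase reference for the first bit of block 2 is the last bit of block 1; converting each block on its own would get those boundary bits wrong.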

#15 2021-06-19 17:26:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Nexwatch cmd

All improvements are always welcome.
Open a Pull Request on GH and we'll take it from there.

