Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-09-10 08:09:27

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Guardall G-Prox II

Hi,

I've read over all the other topics on Guardall G-Prox II fobs and am still a little confused on how to edit this type of fob in 36-bit. I want to see if I can change an FC or Card# but under the clone commands I'm having a few issues. I notice that there is a note that it currently works only on 26bit formats. When I try to enter values for the FC and Card # it doesn't match the original. I know I can write the 4 blocks from the raw data but I'm trying to do it by the clone functions.

Anyone able to point me in the correct direction?


Original

pm3 --> lf sea u
NOTE: some demods output possible binary
  if it finds something that looks like a tag

False Positives ARE possible

Checking for known tags:

G-Prox-II Found: Format Len: 36bit - FC: 30 - Card: 3949, Raw: f896612962589613a969609c
Valid Guardall G-Prox II ID Found!

Copy

pm3 --> lf gpr cl 36 30 3949
Preparing to clone Guardall to T55x7 with Facility Code: 30, Card Number: 3949
Blk | Data
----+------------
00 | 0x00150060
01 | 0xF98C67B8
02 | 0xC6324C63
03 | 0x38CD0800
pm3 --> lf sea u
NOTE: some demods output possible binary
  if it finds something that looks like a tag

False Positives ARE possible

Checking for known tags:

G-Prox-II Found: Format Len: 36bit - FC: 1920 - Card: 3947, Raw: f98c67b8c6324c6338cd0800
Valid Guardall G-Prox II ID Found!

pm3 --> lf gpr cl
clone a Guardall tag to a T55x7 tag.
The facility-code is 8-bit and the card number is 16-bit.  Larger values are truncated.
Currently work only on 26bit

Offline

#2 2020-09-10 08:25:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Guardall G-Prox II

That would be because of a 36b format vs 26b.

clone a Guardall tag to a T55x7 tag.
The facility-code is 8-bit and the card number is 16-bit.  Larger values are truncated.
Currently work only on 26bit

You have access to more credentials from this system? So we might be able to add 36b format support?

If you wouldn't mind enabling debug statements during a read and pasting the output from it? And make a trace file and share it here?

data setd 1
lf gprox read
data setd 0

lf read
data save f lf_gprox_36_30_3949.pm3

Offline

#3 2020-09-10 10:45:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Guardall G-Prox II

Ok, I found a bunch of bugs related to the 36b format decoding and encoding for gprox.
I pushed some fixes, pull latest and test :)

Offline

#4 2020-09-10 21:38:17

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Guardall G-Prox II

iceman wrote:

That would be because of a 36b format vs 26b.

clone a Guardall tag to a T55x7 tag.
The facility-code is 8-bit and the card number is 16-bit.  Larger values are truncated.
Currently work only on 26bit

You have access to more credentials from this system? So we might be able to add 36b format support?

If you wouldn't mind enabling debug statements during a read and pasting the output from it? And make a trace file and share it here?

data setd 1
lf gprox read
data setd 0

lf read
data save f lf_gprox_36_30_3949.pm3

FC: 30 - Card: 3949

[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#]   high..........255
[#]   low...........7
[#]   mean..........126
[#]   amplitude.....129
[#]   is Noise......No
[#]   THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 19, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index 19
[#] data

10011111000100101100110000100101
00101100010010110001001011000010
01110101001011010010110000010011
10011111000100101100110000100101
0010110001001011000100101100001
[#] DEBUG: (preambleSearchEx) preamble found at 3
[#] DEBUG: (preambleSearchEx) preamble 2 found at 99
[#] DEBUG: gProxII byte 0 after xor: 92
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 00
[#] DEBUG: gProxII byte 4 after xor: 3c
[#] DEBUG: gProxII byte 5 after xor: 01
[#] DEBUG: gProxII byte 6 after xor: ed
[#] DEBUG: gProxII byte 7 after xor: a0
[#] DEBUG: (setClockGrid) demodoffset 211, clk 64
[+] G-Prox-II Found: Format Len: 36bit - FC: 30 - Card: 3949, Raw: f896612962589613a969609c
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db#   [q] divisor.............95 ( 125.00 kHz)
#db#   [b] bits per sample.....8
#db#   [d] decimation..........1
#db#   [a] averaging...........No
#db#   [t] trigger threshold...0
#db#   [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1

FC: 30 - Card: 14489

[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#]   high..........255
[#]   low...........6
[#]   mean..........126
[#]   amplitude.....129
[#]   is Noise......No
[#]   THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 12, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index 12
[#] data

11011111000100111100110001100101
00111100010011110001001111000010
00110110001111011100011100010010
11011111000100111100110001100101
00111100010011110001001111000010
[#] DEBUG: (preambleSearchEx) preamble found at 3
[#] DEBUG: (preambleSearchEx) preamble 2 found at 99
[#] DEBUG: gProxII byte 0 after xor: 92
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 00
[#] DEBUG: gProxII byte 4 after xor: 3c
[#] DEBUG: gProxII byte 5 after xor: 07
[#] DEBUG: gProxII byte 6 after xor: 13
[#] DEBUG: gProxII byte 7 after xor: 20
[#] DEBUG: (setClockGrid) demodoffset 204, clk 64
[+] G-Prox-II Found: Format Len: 36bit - FC: 30 - Card: 14489, Raw: f89e6329e2789e11b1ee3896
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db#   [q] divisor.............95 ( 125.00 kHz)
#db#   [b] bits per sample.....8
#db#   [d] decimation..........1
#db#   [a] averaging...........No
#db#   [t] trigger threshold...0
#db#   [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1

FC: 30 - Card: 3949
http://www.filedropper.com/lfgprox36303949

FC: 30 - Card: 14489
http://www.filedropper.com/lfgprox363014489

Last edited by Charlie (2020-09-10 21:39:58)

Offline

#5 2020-09-11 04:56:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Guardall G-Prox II

Nice,
have you tested the clone cmd again?

Offline

#6 2020-09-11 14:48:09

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Guardall G-Prox II

No, not yet. I’ll do that later today or tomorrow.

Offline

#7 2020-09-12 22:01:26

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Guardall G-Prox II

Using proxmark3 easy 512M - Thought it used to say "PM3OTHER" for Client. Did I mess up the compiling?

[ CLIENT ]
  client: RRG/Iceman/master/release (git)
  compiled with MinGW-w64 10.2.0 OS:Windows (64b) ARCH:x86_64

 [ PROXMARK3 ]

 [ ARM ]
  bootrom: RRG/Iceman/master/release (git)
       os: RRG/Iceman/master/release (git)
  compiled with GCC 9.3.1 20200408 (release)

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
  HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 259616 bytes (50%) Free: 264672 bytes (50%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

Is that the latest?

Offline

#8 2020-09-13 16:35:23

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Guardall G-Prox II

Original

[usb] pm3 --> lf sea u

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] G-Prox-II - len: 36 FC: 30 Card: 3949, Raw: f896612962589613a969609c

[+] Valid Guardall G-Prox II ID found!

[+] Chipset detection: T55xx

Copy

[+] Chipset detection: T55xx
[usb] pm3 --> lf gp cl 36 30 3949
[=] Preparing to clone Guardall to T55x7 with Facility Code: 30, Card Number: 3949
[+] Blk | Data
[+] ----+------------
[+]  00 | 00150060
[+]  01 | F98C67B8
[+]  02 | C6318C55
[+]  03 | 38CD0986
[+] Success writing to tag
[+] Done
[usb] pm3 --> lf sea u

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] G-Prox-II - len: 36 FC: 30 Card: 3949, Raw: f98c67b8c6318c5538cd0986

[+] Valid Guardall G-Prox II ID found!

[+] Chipset detection: T55xx
[usb] pm3 -->

Last edited by Charlie (2020-09-13 16:36:04)

Offline

#9 2020-09-15 06:20:07

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Guardall G-Prox II

I pulled the latest from https://github.com/RfidResearchGroup/proxmark3.git and am still having issues when trying to write a 36bit by FC and ID.

I should be able to get a few more cards to test. Would that help for testing?

Offline

#10 2020-09-15 06:39:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Guardall G-Prox II

What issues is it that you are experiencing? Doesn't the clone work on your reader?

Offline

#11 2020-09-15 21:21:13

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Guardall G-Prox II

No, the raw data is different when I clone it by using FC and ID number, as you can see in post 8.

Offline

#12 2020-09-15 21:44:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Guardall G-Prox II

That is because we don't know all the data yet; there are 2 bits unknown. All documented in the source.

Offline
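
Added example, not from the thread or the Proxmark3 source: a Python decoder for the raw values posted above, showing that the original tag and the clone in post #8 carry the same format length, FC and card number and differ only in the XOR key and the two low bits of the first payload byte (possibly the unknown bits mentioned in post #12; that link is an assumption). The frame layout used here (6-bit preamble, a 0 spacer after every 4 bits, LSB-first bytes, first byte as XOR key) is an assumption that reproduces the "after xor" debug bytes in posts #4 and #14.

```python
# Added example (not Proxmark3 code). The frame layout is an assumption
# checked against the "after xor" debug bytes posted in this thread.
PREAMBLE = "111110"


def decode_gprox(raw_hex):
    """Decode a 96-bit G-Prox II raw hex string into its fields."""
    bits = bin(int(raw_hex, 16))[2:].zfill(len(raw_hex) * 4)
    if len(bits) != 96 or not bits.startswith(PREAMBLE):
        raise ValueError("expected 96 bits starting with 111110")
    body = bits[len(PREAMBLE):]            # 90 bits: 18 x (4 data bits + 1 spacer)
    groups = [body[i:i + 5] for i in range(0, 90, 5)]
    if any(g[4] != "0" for g in groups):
        raise ValueError("spacer bit set, frame is corrupt or misaligned")
    data = "".join(g[:4] for g in groups)  # 72 bits: XOR key + 8 payload bytes
    # Every byte is sent least-significant bit first.
    octets = [int(data[i:i + 8][::-1], 2) for i in range(0, 72, 8)]
    key = octets[0]
    p = [b ^ key for b in octets[1:]]      # the "after xor" bytes 0..7
    fmt_len = p[0] >> 2
    if fmt_len == 36:
        fc = ((p[3] & 0x7F) << 7) | (p[4] >> 1)
        card = ((p[4] & 0x01) << 19) | (p[5] << 11) | (p[6] << 3) | (p[7] >> 5)
    elif fmt_len == 26:
        fc = ((p[3] & 0x7F) << 1) | (p[4] >> 7)
        card = ((p[4] & 0x7F) << 9) | (p[5] << 1) | (p[6] >> 7)
    else:
        raise ValueError("unsupported format length %d" % fmt_len)
    return {"fmt": fmt_len, "fc": fc, "card": card, "xor_key": key,
            "unknown_bits": p[0] & 0x03, "payload": bytes(p).hex()}


def compare(raw_a, raw_b):
    """Return (same_credential, names of the decoded fields that differ)."""
    a, b = decode_gprox(raw_a), decode_gprox(raw_b)
    same = all(a[k] == b[k] for k in ("fmt", "fc", "card"))
    return same, sorted(k for k in a if a[k] != b[k])


# Raw values copied from posts #8 and #14 of this thread.
ORIGINAL_36 = "f896612962589613a969609c"
CLONE_36 = "f98c67b8c6318c5538cd0986"
SAMPLE_26 = "f89a75a9a26a1a178182689a"

if __name__ == "__main__":
    for raw in (ORIGINAL_36, CLONE_36, SAMPLE_26):
        print(raw, decode_gprox(raw))
    print(compare(ORIGINAL_36, CLONE_36))
```
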

#13 2020-09-16 03:31:24

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Guardall G-Prox II

Documented in the source? What source?

Offline

#14 2020-09-23 02:38:55

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Guardall G-Prox II

I was able to get a few more samples today. These were 26bit format but didn't follow the same raw data format as the clone commands.

Format Len: 26bit - FC: 10 - Card: 39176

[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#]   high..........255
[#]   low...........12
[#]   mean..........125
[#]   amplitude.....130
[#]   is Noise......No
[#]   THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 56, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index 56
[#] data

10111110001001101001110101101010
01101000100110101000011010000101
11100000011000001001101000100110
10111110001001101001110101101010
0110100010011010100001101001010
[#] DEBUG: (preambleSearchEx) preamble found at 2
[#] DEBUG: (preambleSearchEx) preamble 2 found at 98
[#] DEBUG: gProxII byte 0 after xor: 6a
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 05
[#] DEBUG: gProxII byte 4 after xor: 4c
[#] DEBUG: gProxII byte 5 after xor: 84
[#] DEBUG: gProxII byte 6 after xor: 00
[#] DEBUG: gProxII byte 7 after xor: 00
[#] DEBUG: (setClockGrid) demodoffset 184, clk 64
[+] G-Prox-II Found: Format Len: 26bit - FC: 10 - Card: 39176, Raw: f89a75a9a26a1a178182689a
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db#   [q] divisor.............95 ( 125.00 kHz)
#db#   [b] bits per sample.....8
#db#   [d] decimation..........1
#db#   [a] averaging...........No
#db#   [t] trigger threshold...0
#db#   [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1

Format Len: 26bit - FC: 10 - Card: 39171

[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#]   high..........255
[#]   low...........12
[#]   mean..........125
[#]   amplitude.....130
[#]   is Noise......No
[#]   THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 59, clk 64
[#] Biphase Decoded using offset 1 | clock 64 | #errors 0 | start index 59
[#] data

10111110001001111010110100101010
01111000100111101000011110000101
10101010011100001001100000100111
10111110001001111010110100101010
0111100010011110100001111001010
[#] DEBUG: (preambleSearchEx) preamble found at 2
[#] DEBUG: (preambleSearchEx) preamble 2 found at 98
[#] DEBUG: gProxII byte 0 after xor: 69
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 05
[#] DEBUG: gProxII byte 4 after xor: 4c
[#] DEBUG: gProxII byte 5 after xor: 81
[#] DEBUG: gProxII byte 6 after xor: c0
[#] DEBUG: gProxII byte 7 after xor: 00
[#] DEBUG: (setClockGrid) demodoffset 187, clk 64
[+] G-Prox-II Found: Format Len: 26bit - FC: 10 - Card: 39171, Raw: f89eb4a9e27a1e16a9c2609e
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db#   [q] divisor.............95 ( 125.00 kHz)
#db#   [b] bits per sample.....8
#db#   [d] decimation..........1
#db#   [a] averaging...........No
#db#   [t] trigger threshold...0
#db#   [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1

Format Len: 26bit - FC: 10 - Card: 39172

[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#]   high..........255
[#]   low...........13
[#]   mean..........125
[#]   amplitude.....130
[#]   is Noise......No
[#]   THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 54, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index 54
[#] data

00111110001001100001110101001010
01100000100110001000011000000101
11000110011010001001100000100110
00111110001001100001110101001010
0110000010011000100001100001010
[#] DEBUG: (preambleSearchEx) preamble found at 2
[#] DEBUG: (preambleSearchEx) preamble 2 found at 98
[#] DEBUG: gProxII byte 0 after xor: 6a
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 05
[#] DEBUG: gProxII byte 4 after xor: 4c
[#] DEBUG: gProxII byte 5 after xor: 82
[#] DEBUG: gProxII byte 6 after xor: 00
[#] DEBUG: gProxII byte 7 after xor: 00
[#] DEBUG: (setClockGrid) demodoffset 182, clk 64
[+] G-Prox-II Found: Format Len: 26bit - FC: 10 - Card: 39172, Raw: f89875298262181719a26098
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db#   [q] divisor.............95 ( 125.00 kHz)
#db#   [b] bits per sample.....8
#db#   [d] decimation..........1
#db#   [a] averaging...........No
#db#   [t] trigger threshold...0
#db#   [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1

Format Len: 26bit - FC: 10 - Card: 39180

[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#]   high..........255
[#]   low...........13
[#]   mean..........125
[#]   amplitude.....130
[#]   is Noise......No
[#]   THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 54, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index 54
[#] data

00111110101001100001110101000010
01100010100110000000011000100101
11001100011010101001110010100110
00111110101001100001110101000010
0110001010011000000001100011010
[#] DEBUG: (preambleSearchEx) preamble found at 2
[#] DEBUG: (preambleSearchEx) preamble 2 found at 98
[#] DEBUG: gProxII byte 0 after xor: 6b
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 05
[#] DEBUG: gProxII byte 4 after xor: 4c
[#] DEBUG: gProxII byte 5 after xor: 86
[#] DEBUG: gProxII byte 6 after xor: 40
[#] DEBUG: gProxII byte 7 after xor: 00
[#] DEBUG: (setClockGrid) demodoffset 182, clk 64
[+] G-Prox-II Found: Format Len: 26bit - FC: 10 - Card: 39180, Raw: fa9875098a60189731aa7298
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db#   [q] divisor.............95 ( 125.00 kHz)
#db#   [b] bits per sample.....8
#db#   [d] decimation..........1
#db#   [a] averaging...........No
#db#   [t] trigger threshold...0
#db#   [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1

FC: 10 - Card: 39171
http://www.filedropper.com/lfgprox261039171_2

FC: 10 - Card: 39172
http://www.filedropper.com/lfgprox261039172

FC: 10 - Card: 39176
http://www.filedropper.com/lfgprox261039176

FC: 10 - Card: 39180
http://www.filedropper.com/lfgprox261039180

Offline

#15 2021-11-30 22:18:38

diamondrail
Contributor
Registered: 2017-08-07
Posts: 35

Re: Guardall G-Prox II

Did anyone ever figure out why the raw data is different after writing to a T55x7?

Write each block starting with the zero block - using the T55xx7 commands for writing blocks. This should fix it.

Last edited by diamondrail (2021-11-30 22:59:21)

Offline

#16 2022-01-18 06:03:47

Charlie
Contributor
Registered: 2017-01-27
Posts: 129

Re: Guardall G-Prox II

Were you able to produce a clone by using the lf gproxii clone --fmt xx --fc xxx --cn xxxx command?

I have a few more to test

 pm3 --> data setd -1
[=] client debug level... 1 ( debug messages )
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#]   high..........255
[#]   low...........9
[#]   mean..........126
[#]   amplitude.....129
[#]   is Noise......No
[#]   THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset -17, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index -17
[#] data

[+] DemodBuffer:
[+] 10011111010000011100000011100111
[+] 00100001000000010100000111010010
[+] 00110000001111000000101101000011
[+] 10011111010000011100000011100111
[+] 0010000100000001010000011101

[#] DEBUG: (preambleSearchEx) preamble found at 3
[#] DEBUG: (preambleSearchEx) preamble 2 found at 99
[#] DEBUG: gProxII byte 0 after xor: 91
[#] DEBUG: gProxII byte 1 after xor: f6
[#] DEBUG: gProxII byte 2 after xor: 60
[#] DEBUG: gProxII byte 3 after xor: 00
[#] DEBUG: gProxII byte 4 after xor: 28
[#] DEBUG: gProxII byte 5 after xor: 11
[#] DEBUG: gProxII byte 6 after xor: 31
[#] DEBUG: gProxII byte 7 after xor: 90
[#] DEBUG: (setClockGrid) demodoffset 175, clk 64
[+] G-Prox-II - len: 36 FC: 20 Card: 35212, Raw: fa0e0739080a0e9181e05a1c

Offline
