Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi all,
I need some help decoding/cloning this car park access card.
Card id on it: 1246037
I'm sure it is an LF card, did the HW TUNE to determine that.
How do I tell if it is a 125 kHz or 134 kHz card?
Here is the trace I did with:
lf read
data sample 16000
Trace here: http://www.filedropper.com/trace
It seems like an em4x, but I cannot get a proper tag using the following commands:
lf em4x em410xwatch
I tried using mandemod, doesn't seem to work:
proxmark3> lf read
#db# buffer samples: 16 11 0e 0b 09 07 06 05 ...
proxmark3> data sample 16000
Reading 16000 samples
Done!
proxmark3> data askdemod 0
proxmark3> data mandemod 1
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or
clock is wrong)
Error: too many detection errors, aborting.
proxmark3>
hw ver:
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 840 2014-01-23 12:58:08
#db# os: svn 840 2014-01-23 12:58:11
#db# FPGA image built on 2013/11/19 at 18:17:10
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3>
Thanks!!
Offline
Try with hid commands.
Offline
Hey thanks for the reply.
I tried with lf hid fskdemod but no response also.
Any other suggestions?
Offline
proxmark3> data load ../../Downloads/trace.pm3
loaded 16000 samples
proxmark3> data plot
proxmark3> lf hid
lf hid
help This help
demod Demodulate HID Prox Card II (not optimal)
fskdemod Realtime HID FSK demodulator
sim <ID> -- HID tag simulator
clone <ID> ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)
proxmark3> lf hid demod
proxmark3> data mandemod
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or clock is wrong)
Unsynchronized, resync...
(too many of those messages mean the stream is not Manchester encoded)
Manchester decoded bitstream
1 0 1 1 0 0 1 1 1 1 1 1 1 0 0 1
1 0 1 0 1 0 1 0 1 0 0 0 0 0 0 0
0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 0 1 1 0 0 1 1 1 1 1 1 1 0 0 1
1 0 1 0 1 0 1 0 1 0 0 0 0 0 0 0
0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1
But then the trace looks a bit strange? antenna problem?
Offline
Hi,
Don't think there is an antenna problem. I was able to decode other HID and EM410x cards.
Offline
Send an "hw tune" command and post the result.
Those are mine WITH and WITHOUT a tag on it:
WITH TAG
proxmark3> hw tune
proxmark3>
proxmark3> #db# Measuring antenna characteristics, please wait...
proxmark3> #db# Measuring complete, sending report back to host
proxmark3>
proxmark3> # LF antenna: 17.05 V @ 125.00 kHz
proxmark3> # LF antenna: 30.48 V @ 134.00 kHz
proxmark3> # LF optimal: 30.48 V @ 133.33 kHz
proxmark3> # HF antenna: 0.16 V @ 13.56 MHz
proxmark3> # Your HF antenna is unusable.
WITHOUT TAG
proxmark3> hw tune
proxmark3>
proxmark3> #db# Measuring antenna characteristics, please wait...
proxmark3> #db# Measuring complete, sending report back to host
proxmark3>
proxmark3> # LF antenna: 28.06 V @ 125.00 kHz
proxmark3> # LF antenna: 36.25 V @ 134.00 kHz
proxmark3> # LF optimal: 40.01 V @ 129.03 kHz
proxmark3> # HF antenna: 0.16 V @ 13.56 MHz
proxmark3> # Your HF antenna is unusable.
I think it is a HID card looking at the plastic "case" but I am not sure of course.
Last edited by asper (2014-01-25 09:22:23)
Offline
May I know how you guys determine that this is a HID card?
Offline
See answer above.
Offline
http://www.securakey.com/PRODUCTS/CARDS/RADIO_KEY_Cards_Tags_6770.pdf
http://www.proxmark.org/forum/viewtopic.php?id=1840
Offline
hi all, hw tune as below
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host
# LF antenna: 16.25 V @ 125.00 kHz
# LF antenna: 13.56 V @ 134.00 kHz
# LF optimal: 19.60 V @ 127.66 kHz
# HF antenna: 0.03 V @ 13.56 MHz
# Your HF antenna is unusable.
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host
# LF antenna: 5.24 V @ 125.00 kHz
# LF antenna: 5.50 V @ 134.00 kHz
# LF optimal: 9.27 V @ 160.00 kHz
# HF antenna: 0.10 V @ 13.56 MHz
# Your LF antenna is marginal.
# Your HF antenna is unusable.
proxmark3>
Offline
As proxmark3 says, with the tag on your antenna is "marginal" so the signal is not very good. Anyway it probably is a HID card (refer to app_o1 links and to this)
Last edited by asper (2014-01-25 12:04:34)
Offline
it does look like the securakey rfid clam shell type. can proxmark3 clone something like this? I need to start reading more on this...
Offline
is there anyway i can boost the signal?
Offline
can you post the details and a picture of your current antenna, maybe we can suggest improvements?
Offline
Hi, I bought my proxmark3 with low frequency antenna from this website. http://www.xfpga.com/e_products/?big_id=17
It's connected to my laptop or desktop USB 2.0 port.
Offline
guys
i did the following and this is the result. anybody able to help decode?
lf read
data samples 40000
data dec
data dec
data dec
data mandemod
results:
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 0 1 0 1 0 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 0
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
graph after DEC:
graph before anything:
Offline
I put the below code into http://www.andrewmohawk.com/EM41X, but it gives an invalid parity. When I try to read the card at 134 kHz, the commands give a different code also.
Anybody else has any other ideas? I'm trying to fabricate another LF antenna with 30awg magnet wire. Going to take some time to do it...
proxmark3> data load ../../Downloads/trace.pm3
loaded 16000 samples
proxmark3> data plot
proxmark3> lf hid
lf hid
help This help
demod Demodulate HID Prox Card II (not optimal)
fskdemod Realtime HID FSK demodulator
sim <ID> -- HID tag simulator
clone <ID> ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)
proxmark3> lf hid demod
proxmark3> data mandemod
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or clock is wrong)
Unsynchronized, resync...
(too many of those messages mean the stream is not Manchester encoded)
Manchester decoded bitstream
1 0 1 1 0 0 1 1 1 1 1 1 1 0 0 1
1 0 1 0 1 0 1 0 1 0 0 0 0 0 0 0
0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 0 1 1 0 0 1 1 1 1 1 1 1 0 0 1
1 0 1 0 1 0 1 0 1 0 0 0 0 0 0 0
0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1
But then the trace looks a bit strange? antenna problem?
Offline
Added more traces
1)
lf read
data samples 16000
download: http://www.filedropper.com/trace16k
2)
lf read h
data samples 16000
download: http://www.filedropper.com/trace16kh
Offline
could it be an indala card? Guessing now, tricky to work out.
Offline
I don't think so. I tried this before
lf read
data sample 16000
lf indalademod
the 'data plot' for the indala is really very very different. I tried creating a t5 with the "decoded" indala, but it doesn't work.
proxmark3> lf indalademod
Expecting a bit less than 500 raw bits
Recovered 442 raw bits
worst metric (0=best..7=worst): 6 at pos 20
UID=0000000000000000000000000000000010000100000000010001001000100000 (084011220)
Occurences: 1 (expected 5)
Offline
the trace is a 64 bit Manchester with a clock rate of 40
decoded:
0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 1 0 1 0 0 1 0 0
0 0 0 0 1 1 0 1 0 1 0 1 0 1 0 1
you can find a large part of the binary of the decimal number on the card in this string. (not 100% on the start and end of the 64 bits, but I think this is right)
should be able to program a clone from this data.
Offline
if you try a data mandemod 40 it should give you a repeating pattern of the decoded data I posted above.
Offline
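To make marshmellow's two posts above concrete (a 64-bit Manchester stream at clock 40, and `data mandemod 40` giving the repeating pattern), here is an added Python example that is not part of this thread or of the Proxmark3 client. It constructs a clean +1/-1 waveform from the 64 bits marshmellow posted, estimates the clock from the shortest run (the idea behind `data detectclock`), decodes it back with the right clock and a wrong one, and splits the result into the two 32-bit words that `lf t55xx writeblock` takes. The bit-to-level convention (1 = high then low) and the error rule are assumptions of this example, not the client's exact implementation.

```python
"""Manchester decode of a constructed LF trace at RF/40.

Added example, not from the proxmark forum thread or the Proxmark3 client.
The waveform is built inline from the 64 bits marshmellow posted so the
decoder can be checked against a known answer (constructed input).
"""

# The 64 bits from marshmellow's decode (constructed input for this example).
DEMOD_BITS = (
    "0000000001000000"
    "0000000000000000"
    "0000000010100100"
    "0000110101010101"
)


def manchester_encode(bits, clock):
    """Turn data bits into a +1/-1 sample stream, `clock` samples per bit.
    Convention assumed here: a 1 is high-then-low, a 0 is low-then-high."""
    half = clock // 2
    samples = []
    for b in bits:
        first, second = (1, -1) if b == "1" else (-1, 1)
        samples += [first] * half + [second] * half
    return samples


def detect_clock(samples):
    """Estimate the clock: in Manchester every bit has a mid-bit transition,
    so the shortest run of equal samples is half a bit period."""
    shortest = len(samples)
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            shortest = min(shortest, run)
            run = 1
    return 2 * shortest


def manchester_decode(samples, clock):
    """Decode one bit per `clock` samples by comparing the two half-bit sums.
    Returns (bitstring, error_count). A bit period whose halves do not differ
    counts as an error, which is the situation the client reports as a
    'Manchester decode error' when the clock is wrong."""
    half = clock // 2
    bits = []
    errors = 0
    for start in range(0, len(samples) - clock + 1, clock):
        first = sum(samples[start:start + half])
        second = sum(samples[start + half:start + clock])
        if first > second:
            bits.append("1")
        elif second > first:
            bits.append("0")
        else:
            errors += 1
            bits.append("?")
    return "".join(bits), errors


def bits_to_t55xx_blocks(bits):
    """Split a 64-bit string into the two 32-bit data words that
    `lf t55xx writeblock` takes, as zero-padded hex (first word = block 1)."""
    if len(bits) != 64:
        raise ValueError("expected exactly 64 data bits")
    return [f"{int(bits[i:i + 32], 2):08X}" for i in (0, 32)]


if __name__ == "__main__":
    trace = manchester_encode(DEMOD_BITS, 40)
    print("detected clock:", detect_clock(trace))
    print("clock 40:", manchester_decode(trace, 40))
    print("clock 32:", manchester_decode(trace, 32))
    print("blocks:", bits_to_t55xx_blocks(DEMOD_BITS))
```

On the constructed trace the detected clock is 40, decoding at 40 returns the 64 bits with no errors, decoding at 32 returns a different bit string, and the two words come out as 00400000 and 00A40D55, the values discussed further down in the thread. A real `lf read` capture has noise and amplitude tapering, so the half-bit sums would need a threshold or filtering step before this comparison is reliable.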
Hey thanks!
I tried putting the string into the em41x decoder online, it doesn't seem to return any proper code.
How do I clone to t5 with a proxmark3? I'm assuming it's an EM41x right?
Offline
not sure what version everyone is on but the data mandemod should have detected the 40 clock rate and should have worked the first time for you. I'm still running the older version 715. is it possible mandemod auto has been broken lately?
just curious what does data detectclock show for you on this trace?
Offline
it is not a EM41x it is a different format entirely. you'd need to program the bits above to blocks 1 and 2 of a t5 and then alter the configuration block 0 to be Manchester with a 40 clock.
Offline
loaded 16000 samples
proxmark3> lf hid demod
proxmark3> data mandemod 40
Warning: Manchester decode error for pulse width detection.
(too many of those messages mean either the stream is not Manchester encoded, or clock is wrong)
Unsynchronized, resync...
(too many of those messages mean the stream is not Manchester encoded)
Manchester decoded bitstream
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 1 1 0 0 1 1 1 1 1 1
1 0 0 1 1 0 1 0 1 1 0 1 1 0 0 0
0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 0 1 1 0 0 1 1 1 1 1 1
1 0 0 1 1 0 1 0 1 1 0 1 1 0 0 0
and yes it detects it at 40
proxmark3> data detectclock
Auto-detected clock rate: 40
proxmark3>
Offline
what version is your proxmark firmware?
Offline
it is not a EM41x it is a different format entirely. you'd need to program the bits above to blocks 1 and 2 of a t5 and then alter the configuration block 0 to be Manchester with a 40 clock.
I can do this with a proxmark3? Could you walk me through on this?
Offline
i'm on 840.
Offline
something like:
lf t55xx writeblock 0000000001000000000000000000000000000000101001000000110101010101 1
lf t55xx writeblock 0000000001000000000000000000000000000000101001000000110101010101 2
?
Offline
writeblock takes hex values. and only 32 bits per block (8 hex numbers). (total 64 bits = 2 blocks)
I'm not sure what has happened to the most recent version(s) of the demod commands but it doesn't appear at all correct. decoding the wave form manually (I'm not an expert) the decode from version 715 (my proxmark) looks very close.
Offline
I think I got it... it is
lf t55xx writeblock 4000000 1
lf t55xx writeblock 0A40D55 2
how do I code the block 0 with manchester 64 and 40?
Offline
block 2: 0x00400000
block 1: 0x00A40D55
might get you started. I'm not 100% on the t5 config block settings for that config though
Offline
Well T5 is different from T55x7 so I don't think it is supported by proxmark3 (T5 it is not recognized by my dedicated T55x7 reader/writer).
Offline
oh, it's different...?
the card i have is a t55x7.
will this work?
Offline
you are correct asper a T5 is not the same as the chip genexis has been referring to in short as t5.
Offline
a t55x7 is compatible and can be configured to mimic the card in question.
Offline
but you'll need to know the specific version of t55x7 to get the config block settings correct. (t5557 is slightly different from ata5567 which is slightly different from ata5577.)
Offline
... and we know that
Last edited by asper (2014-01-27 17:46:51)
Offline
Thanks asper, I forgot in normal mode the chips are set to be compatible with the same block 0 settings. it is when you get into extended mode (or xmode) things get different per chip version.
Offline
Hey guys thanks for the input. I'll try it out tonight and I'll post the outcome!
Offline
Looking at the article linked by asper, I'm guessing that for a 64bit manchester, I should be using this as the block 0 config: 00148040
But how does the 40 clockrate come into play? I don't see something that configures it in the block 0 config, unless it should be in the bit rate field? Which makes the configuration to be: 000c8040
In any case, I'll be trying the following:
1)
lf t55xx writeblock 00148040 0
lf t55xx writeblock 00400000 2
lf t55xx writeblock 00A40D55 1
2)
lf t55xx writeblock 000c8040 0
lf t55xx writeblock 00400000 2
lf t55xx writeblock 00A40D55 1
I'll keep you guys posted! Please let me know if I'm interpreting the above config 0 wrong
Offline
000c8040
This way it should be RF/40 (bits 13 and 14, starting from left [MSb] = 1, set both to 1), Manchester modulation (bit17 set to 1) and 2 blocks (block1&block2) are transmitted in a cyclic way (bit26 set to 1) [data blocks transmitted should be 00400000->00A40D55].
00148040
Same as above but data rate is set to RF/64 (bits 12 and 14 set to 1).
If you need you can find ATA5567 datasheet here.
Last edited by asper (2014-01-28 10:35:23)
Offline
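As an added example (not from this thread or the Proxmark3 client) of the block 0 bit positions asper walks through above, the Python below decodes and builds a T55x7 configuration word using the normal-mode layout from the T5557/ATA5567 datasheet, with bits numbered 1..32 from the MSb exactly as asper counts them: data rate in bits 12-14, modulation in bits 16-20, max block in bits 25-27. It also shows which data blocks a given word makes the tag transmit, which is the block-order question that comes up in the posts that follow. The modulation table is a subset of the datasheet's; the field names are this example's own.

```python
"""Decode / build a T55x7 (T5557 / ATA5567) block 0 configuration word.

Added example, not from the thread or the Proxmark3 client. Field positions
follow the normal-mode configuration layout of the T5557/ATA5567 datasheet,
bits numbered 1..32 from the MSb. X-mode and reserved bits are not modelled.
"""

# Data bit rate field (bits 12-14): 3-bit code -> RF/x
DATA_RATES = {0: 8, 1: 16, 2: 32, 3: 40, 4: 50, 5: 64, 6: 100, 7: 128}

# Modulation field (bits 16-20): 5-bit code -> name (subset of the datasheet)
MODULATIONS = {
    0b00000: "direct", 0b00001: "PSK1", 0b00010: "PSK2", 0b00011: "PSK3",
    0b00100: "FSK1", 0b00101: "FSK2", 0b00110: "FSK1a", 0b00111: "FSK2a",
    0b01000: "Manchester", 0b10000: "Biphase",
}


def field(word, first_bit, width):
    """Extract `width` bits starting at datasheet bit `first_bit` (1 = MSb)."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)


def parse_config(word):
    """Break a 32-bit block 0 word into its normal-mode fields."""
    return {
        "master_key": field(word, 1, 4),
        "data_rate": DATA_RATES[field(word, 12, 3)],     # RF/x
        "modulation": MODULATIONS.get(field(word, 16, 5), "unknown"),
        "psk_cf": field(word, 21, 2),
        "aor": bool(field(word, 23, 1)),
        "max_block": field(word, 25, 3),                  # last block sent
        "pwd": bool(field(word, 28, 1)),
        "st": bool(field(word, 29, 1)),                   # sequence terminator
        "por_delay": bool(field(word, 32, 1)),
    }


def build_config(rf, modulation, max_block):
    """Build a block 0 word with the given data rate (RF/x), modulation name
    and max block; every other field is left at zero."""
    rate_code = {v: k for k, v in DATA_RATES.items()}[rf]
    mod_code = {v: k for k, v in MODULATIONS.items()}[modulation]
    if not 0 <= max_block <= 7:
        raise ValueError("max_block must fit in 3 bits")
    word = 0
    word |= rate_code << (32 - 14)   # bits 12-14
    word |= mod_code << (32 - 20)    # bits 16-20
    word |= max_block << (32 - 27)   # bits 25-27
    return word


def transmitted_bits(word, blocks):
    """Bits the tag cycles through: blocks 1..max_block, MSb first.
    `blocks` is [block1, block2, ...] as 32-bit integers."""
    n = parse_config(word)["max_block"]
    if n > len(blocks):
        raise ValueError("max_block exceeds the number of data blocks given")
    return "".join(f"{b:032b}" for b in blocks[:n])


if __name__ == "__main__":
    for w in (0x000C8040, 0x00148040):
        print(f"{w:08X}: {parse_config(w)}")
    print(transmitted_bits(0x000C8040, [0x00400000, 0x00A40D55]))
```

Both words on the page decode as Manchester with max block 2; 000c8040 gives RF/40 and 00148040 gives RF/64, matching asper's reading. The transmitted stream is block 1 followed by block 2, so the order of the two `writeblock` commands decides which 32 bits come out first.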
I tried writing a few t55xx cards with the commands below, but all failed to work...
lf t55xx writeblock 000c8040 0
lf t55xx writeblock 00400000 1
lf t55xx writeblock 00A40D55 2
and
lf t55xx writeblock 000c8040 0
lf t55xx writeblock 00400000 2
lf t55xx writeblock 00A40D55 1
Compared to the original wave, it's still quite different...
Offline
I must add that this looks very similar to the original wave.
But there is no tapering on the original wave.... does anybody have any idea how to work on this?
lf t55xx writeblock 000c8040 0
lf t55xx writeblock 00400000 2
lf t55xx writeblock 00A40D55 1
VS
ORIGINAL
Offline
I'm trying to follow this thread but I got lost here
I'm not sure how marshmellow arrived at this decode..
I have tried askdemod then mandemod but it doesn't work
I've also tried to threshold it to make it just 1/-1 then use mandemod but I still can't get this decode.
Can someone (marshmellow) please explain or point me in the right direction?
Thanks a lot!
the trace is a 64 bit Manchester with a clock rate of 40
decoded:
0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 1 0 1 0 0 1 0 0
0 0 0 0 1 1 0 1 0 1 0 1 0 1 0 1
you can find a large part of the binary of the decimal number on the card in this string. (not 100% on the start and end of the 64 bits, but I think this is right)
should be able to program a clone from this data.
Offline
@genexis the wave forms look almost identical. we might just have a binary bit off. I'll do a comparison when I've programmed a card and gotten a full trace.
@tissuepeanut with Mandemod there should be no reason to do an askdemod first. so if you were reading a card you'd do lf read - data samples 16000 - data mandemod
but from what I've been seeing lately I think there may be an issue with mandemod in the latest version of Proxmark Firmware. I'm currently using 715 and it's worked well for lf.
Last edited by marshmellow (2015-01-30 05:12:17)
Offline
@marshmellow
Okay I'll downgrade to 715 and try again. By the way, did you get your decode from the pm3 trace or the serial number printed on the card?
Offline
from the trace. I just did a data mandemod directly on the trace and it came up with the binary. I then compared to the serial number. it is close enough I believe it to be a pretty good demod. (though a bit here or there may be misplaced possibly due to a poor read).
Offline
@Marshmellow
which trace did you use mandemod on?
Now I've loaded v715 and ran mandemod on trace.pm3, trace16k.pm3 and trace16kh.pm3 but still can't get a similar decode. If you don't mind, can you run me through the steps you took. I'm not sure what I'm missing out here. thanks!
@Genexis, do you think you can upload another Fresh read of the trace at 125k and 134k? We would like to rule out a bad read.
Offline