Proxmark3 community

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

LF Basic simulation

Hi,

I have an unknown LF card i try to identify/emulate.

I've been inspired by this link:
http://andrewmohawk.com/2013/01/27/bypassing-lf-entry-systems/
But trying to perform the same steps on my card fail.

/proxmark3/client$ ./proxmark3 /dev/ttyACM0 
proxmark3> lf read
dCan't open logfile, logging disabled!
#db# buffer samples: 90 9e 9d 9c 9a 99 6e 57 ...                 
proxmark3> data plot
proxmark3> data samples 40000
Reading 40000 samples
          
Done!

proxmark3>

I guess this one is ASK.
proxmark3> data askdemod

proxmark3> data mandemod
Warning: Manchester decode error for pulse width detection.          
(too many of those messages mean either the stream is not Manchester encoded, or clock is wrong)          
....    
proxmark3> 

So no manchester demodulation...

I wonder if i could simply replay the signal  with "lf sim" as is load the data from the buffer. so it would be

lf read
data samples 40000
lf sim

but i tried without success...

I encloded the trace below

https://dl.dropboxusercontent.com/u/7050143/lf_sig.pm3

Last edited by eskizle (2014-06-11 06:57:31)

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

Re: LF Basic simulation

Trying fskdemod gives :

proxmark3> data fskdemod
actual data bits start at sample 4746         
length 50/50         
bits: '101101100100110100001111000011001110001001011'         
hex: 000016c9 a1e19c4b

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: LF Basic simulation

did you try an mandemod before doing the askdemod? (immediately after the data samples 40000)

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

Re: LF Basic simulation

did you try an mandemod before doing the askdemod? (immediately after the data samples 40000)

but i do not understand why i shlould mandemod before askdemod.

Below the results:

proxmark3> data samples 16000
Reading 16000 samples
          
Done!
          
proxmark3> data plot
proxmark3> data mandemod
Manchester decoded bitstream          
0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0          
0 1 0 1 0 0 0 0 0 0 0 0 1 0 1 0          
0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 1          
0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0          
0 1 0 0 1 0 0 0 0 0 1 0 1 0 0 0          
0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0          
0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0          
0 1 0 1 0 0 0 0 0 0 0 0 1 0 1 0          
0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 1          
0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0          
0 1 0 0 1 0 0 0 0 0 1 0 1 0 0 0          
0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0          
0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0          
0 1 0 1 0 0 0 0 0 0 0 0 1 0 1 0          
0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 1          
0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0          
0 1 0 0 1 0 0 0 0 0 1 0 1 0 0 0          
0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0          
0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0          
0 1 0 1 0 0 0 0 0 0 0 0 1 0 1 0          
0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 1          
0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0          
0 1 0 0 1 0 0 0 0 0 1 0 1 0 0 0          
proxmark3>

Last edited by eskizle (2014-06-11 06:57:55)

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: LF Basic simulation

so your tag has a repeating 128 bits of Manchester encoded data:

0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0          
0 1 0 1 0 0 0 0 0 0 0 0 1 0 1 0          
0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 1          
0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0          
0 1 0 0 1 0 0 0 0 0 1 0 1 0 0 0          
0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0

your trace was strictly a Manchester encoded waveform.

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

Re: LF Basic simulation

so your tag has a repeating 128 bits of Manchester encoded data:

0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0          
0 1 0 1 0 0 0 0 0 0 0 0 1 0 1 0          
0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 1          
0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0          
0 1 0 0 1 0 0 0 0 0 1 0 1 0 0 0          
0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0

your trace was strictly a Manchester encoded waveform.

when i perform the task again i have a different output... weird no ?

lf read
data samples 16000
data mandemod

1 0 1 1 1 1 1 1 1 1 0 1 0 1 1 1          
0 1 1 1 0 1 1 1 1 0 1 1 1 0 1 1          
1 0 1 1 1 1 0 1 1 1 1 0 1 1 1 0          
1 1 0 1 1 1 1 1 0 1 0 1 1 1 1 1          
1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1          
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1          
1 1 1 1 1 0 1 1 1 0 1 1 1 1 1 1          
1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 0    

How do you see there is no askmodulation (or fsk modulation) ? I can see the difference (between ask & fsk) on sample theorical graph but in reality...

How can i replay the signal ? (supposed to be -lf sim - )

Last edited by eskizle (2014-06-11 06:45:28)

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

Re: LF Basic simulation

so your tag has a repeating 128 bits of Manchester encoded data:

0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0          
0 1 0 1 0 0 0 0 0 0 0 0 1 0 1 0          
0 0 1 0 0 0 1 0 0 0 0 1 0 0 0 1          
0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0          
0 1 0 0 1 0 0 0 0 0 1 0 1 0 0 0          
0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0          
0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0

your trace was strictly a Manchester encoded waveform.

when i perform the task again i have a different output... weird no ?

lf read
data samples 16000
data mandemod

1 0 1 1 1 1 1 1 1 1 0 1 0 1 1 1          
0 1 1 1 0 1 1 1 1 0 1 1 1 0 1 1          
1 0 1 1 1 1 0 1 1 1 1 0 1 1 1 0          
1 1 0 1 1 1 1 1 0 1 0 1 1 1 1 1          
1 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1          
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1          
1 1 1 1 1 0 1 1 1 0 1 1 1 1 1 1          
1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 0    

How do you see there is no askmodulation (or fsk modulation) ? I can see the difference (between ask & fsk) on sample theorical graph but in reality...

How can i replay the signal ? (supposed to be -lf sim - )

With the trace enclosed:
https://dl.dropboxusercontent.com/u/7050143/lf_sig.pm3

I can isolate a nice 4096 samples period.

 
proxmark3> data autocorr 16000
performing 24000 correlations    

Last edited by eskizle (2014-06-11 15:56:19)

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: LF Basic simulation

I believe this is one of those occasions the mandemod is wrong.  I believe there is a patch in an unfinished branch for this.

a manual demod is:

0000000000000000
0000000000000001
0001000001111100
0111111111010000
0000101000100010
0111000100110001
1000010011001000
0110100000011110

(the start position of the repeating pattern is a guess)
is there anything written on the tag?

I'll attach a link to the other topic that shows the fix branch when I find it.

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: LF Basic simulation

hmmm looks like it was committed today to the main.
see: http://www.proxmark.org/forum/viewtopic … 578#p11578

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

Re: LF Basic simulation

I believe this is one of those occasions the mandemod is wrong.  I believe there is a patch in an unfinished branch for this.

a manual demod is:

0000000000000000
0000000000000001
0001000001111100
0111111111010000
0000101000100010
0111000100110001
1000010011001000
0110100000011110

(the start position of the repeating pattern is a guess)
is there anything written on the tag?

I'll attach a link to the other topic that shows the fix branch when I find it.

- How did you do the manual demodulation ? from what signal ?
- and how can i replay the raw bits ?

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: LF Basic simulation

- How did you do the manual demodulation ? from what signal ?

I took the trace you uploaded and plotted the wave, trimmed it and put a rf/32 grid on it and decoded the Manchester waveform.
see:http://en.wikipedia.org/wiki/Manchester_code

for simulating, i'm not 100% as I usually just write a tag I have laying around to mimic a card.  but I think it might be

lf sim 32 00000000000000000000000000000001000100000111110001111111110 100000000101000100010011100010011000110000100110010000110100000011110 0

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

Re: LF Basic simulation

- How did you do the manual demodulation ? from what signal ?

I took the trace you uploaded and plotted the wave, trimmed it and put a rf/32 grid on it and decoded the Manchester waveform.
see:http://en.wikipedia.org/wiki/Manchester_code

for simulating, i'm not 100% as I usually just write a tag I have laying around to mimic a card.  but I think it might be

lf sim 32 00000000000000000000000000000001000100000111110001111111110 100000000101000100010011100010011000110000100110010000110100000011110 0

I guess you mean

lf cmdread 0 32 32 00000000000000000000000000000001000100000111110001111111110100000000101000100010011100010011000110000100110010000110100000011110 0

because

lf sim              [GAP] -- Simulate LF tag from buffer with optional GAP (in microseconds)  

I will try anyway It's quite hard to understand the details..

* I have the waveform then how can i distinguish a manchester modulation, why not ask or fsk ( from basic school examples i can see)..
* how do u see the symbol is on 32 microseconds ?
* why to trim ? on how many samples do you trim ?

Maybe you are available on ICQ ?

Last edited by eskizle (2014-06-11 20:29:49)

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: LF Basic simulation

i was wrong it should have been lf simman <clock> <bitstream> <gap>

I have the waveform then how can i distinguish a manchester modulation, why not ask or fsk ( from basic school examples i can see)..

ask i'm not very familiar with and from my understanding it is harder to tell the difference between that and Manchester.  FSK however is very different and is easily recognizable from the changing heights of the waves (changing frequency). 

* how do u see the symbol is on 32 microseconds ?

in the plot you can use right click and left click to measure the distance between waveforms.  take the shortest and that should be your clock
(you can also try the "data detectclock" function)

why to trim ? on how many samples do you trim ?

to make the grid @ 32 clock to line up properly with the waveform, just to make it easier when manually demoding it.  i think the trim i used on the posted trace was 16.
if you want to make it easier you can do a "data threshold 4" to trim the tops and bottoms of the wave form to something easier to read.

Last edited by marshmellow (2014-06-11 21:15:32)

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

Re: LF Basic simulation

i was wrong it should have been lf simman <clock> <bitstream> <gap>

I have the waveform then how can i distinguish a manchester modulation, why not ask or fsk ( from basic school examples i can see)..

ask i'm not very familiar with and from my understanding it is harder to tell the difference between that and Manchester.  FSK however is very different and is easily recognizable from the changing heights of the waves (changing frequency). 

* how do u see the symbol is on 32 microseconds ?

in the plot you can use right click and left click to measure the distance between waveforms.  take the shortest and that should be your clock
(you can also try the "data detectclock" function)

why to trim ? on how many samples do you trim ?

to make the grid @ 32 clock to line up properly with the waveform, just to make it easier when manually demoding it.  i think the trim i used on the posted trace was 16.
if you want to make it easier you can do a "data threshold 4" to trim the tops and bottoms of the wave form to something easier to read.

Ok so the minimal wave form i got is 32. As the autocorr give me 4096 samples. I have to demod 128 bits - 128*32 = 4096 -.

How we agree  with the capture below because i do not find the same as you manually... ( even if i change manchester convention)

proxmark3> data load lf_sig.pm3
loaded 40000 samples          
proxmark3> data detectclock
Auto-detected clock rate: 32        
proxmark3> data grid 32
proxmark3> data threshold 4
proxmark3> data ltrim 16

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: LF Basic simulation

you've got it.  I just inversed it when I read it - I switched the 0's to 1's and 1's to 0's as it looked more appropriate for the data stream. (or followed Manchester as per G.E. Thomas referenced in link above, as sometimes readers can reverse the polarity, or whatever) and guessed that it started with the large area of 0's as most of these tags do so I shifted the start of the repeating pattern down to the start of the large section of zeros.(in other words trim another 736 to get to where I started from)

Last edited by marshmellow (2014-06-11 22:21:41)

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

Re: LF Basic simulation

you've got it.  I just inversed it when I read it - I switched the 0's to 1's and 1's to 0's as it looked more appropriate for the data stream. (or followed Manchester as per G.E. Thomas referenced in link above, as sometimes readers can reverse the polarity, or whatever) and guessed that it started with the large area of 0's as most of these tags do so I shifted the start of the repeating pattern down to the start of the large section of zeros.(in other words trim another 736 to get to where I started from)

Many thanks. I'll try to replay the signal. I ll keep you informed.

However, i still have to understand why askdemod wasn't needed.. for what i know manchesster is an encoding, so it must be preceded from a modulation..

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: LF Basic simulation

depending on the clock mandemod can interpret the wave directly as it is built to do so (as the most common application is ASK with Manchester).  however for your tags clock of 32 it doesn't work directly so you can do as you were looking to do and data askdemod but you have to do the threshold setting first

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

Re: LF Basic simulation

FAIlL ...

proxmark3> lf simman 32 00000000000000000000000000000001000100000111110001111111110100000000101000100010011100010011000110000100110010000110100000011110 0

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: LF Basic simulation

I assume you mean it didn't work on the reader.  did the proxmark actually perform the simulation?  i'm not sure if it was designed to  handle 128 bits, maybe someone else more familiar with the sim commands will comment.

eskizle

Contributor

Registered: 2011-07-18

Posts: 26

Re: LF Basic simulation

I assume you mean it didn't work on the reader.  did the proxmark actually perform the simulation?  i'm not sure if it was designed to  handle 128 bits, maybe someone else more familiar with the sim commands will comment.

The proxmark does the simulation (it goes in sim mode). But when i put the antenna in the reader field, nothing happens..

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: LF Basic simulation

I agree, lf sim and lf simman do not appear to simulate a Manchester card properly anymore.