Hi,
I have two RadioKey fobs for the same building and one shows up correctly and the other shows up as an EM410 chip.
When I run data rawdemod on the fob that appears to be an EM410 fob and then manually write block 0,1,2 as a securakey (RadioKey) fob, the new fob still comes back as an EM410 fob.
I've tried on a Proxmark3 RDV2 and Proxmark3 Rev 4.
FOB 1
pm3 --> lf sea u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found
EM TAG ID : 0000009291
Possible de-scramble patterns
Unique TAG ID : 0000004989
HoneyWell IdentKey {
DEZ 8 : 00037521
DEZ 10 : 0000037521
DEZ 5.5 : 00000.37521
DEZ 3.5A : 000.37521
DEZ 3.5B : 000.37521
DEZ 3.5C : 000.37521
DEZ 14/IK2 : 00000000037521
DEZ 15/IK3 : 000000000018825
DEZ 20/ZK : 00000000000004090809
}
Other : 37521_000_00037521
Pattern Paxton : 1364113 [0x14D091]
Pattern 1 : 25225 [0x6289]
Pattern Sebury : 37521 0 37521 [0x9291 0x0 0x9291]
[+] Valid EM410x ID Found!
FOB 2
proxmark3> lf sea u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 2560 repeating samples
Using Clock:40, Invert:0, Bits Found:513
ASK/Manchester - Clock: 40 - Decoded bitstream:
0000000000000000
0001111000010100
1010011001011111
1111000000000000
0000000000000000
0001111000010100
1010011001011111
1111000000000000
0000000000000000
0001111000010100
1010011001011111
1111000000000000
0000000000000000
0001111000010100
1010011001011111
Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'
proxmark3>
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-980-gbacf8aff 2018-08-04 17:13:09
os: iceman/master/ice_v3.1.0-980-gbacf8aff 2018-08-04 17:13:25
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 7/28 at 18:36:55
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 237675 bytes (45%) Free: 286613 bytes (55%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
Any ideas why the first fob doesn't appear correctly?
Last edited by Charlie (2018-08-14 21:20:28)
Offline
try official pm3 repo, iceman fork has an unfinished LF going on..
Offline
Also I've noticed my "lf securakey" commands don't seem to work properly... or I'm not running them correctly
proxmark3> lf read
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff ff ff ff c9 6f ...
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3>
proxmark3> lf securakey read
proxmark3>
proxmark3> lf securakey demod
proxmark3>
Offline
try official pm3 repo, iceman fork has an unfinished LF going on..
ok, Thx
Offline
try official pm3 repo, iceman fork has an unfinished LF going on..
Same issue happened with the official pm3 repo...
Offline
output from data tune, hw status, hw version. Make sure you don't mix client/firmware from different repos, forks, builds.
Offline
Version
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-391-gc80eb8b-dirty-suspect 2018-08-14 21:18:03
os: master/v3.0.1-391-gc80eb8b-dirty-suspect 2018-08-14 21:18:07
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2017/10/27 at 08:30:59
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 193759 bytes (37%). Free: 330529 bytes (63%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Tune
Measuring antenna characteristics, please wait.........
# LF antenna: 70.40 V @ 125.00 kHz
# LF antenna: 39.32 V @ 134.00 kHz
# LF optimal: 70.40 V @ 125.00 kHz
# HF antenna: 36.26 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............0
#db# Currently loaded FPGA image:
#db# fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
#db# LF Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# USB Speed:
#db# Sending USB packets to client...
#db# Time elapsed: 1500ms
#db# Bytes transferred: 910336
#db# USB Transfer Speed PM3 -> Client = 606890 Bytes/s
#db# Various
#db# MF_DBGLEVEL......2
#db# ToSendMax........1039967982
#db# ToSendBit........0
proxmark3>
Offline
Looking good. If you save a data signal trace and share it via a filesharing site, then it will help out.
lf read
data save mysecura.pm3
Offline
FOB 1 (shows as EM410x)
https://ufile.io/h6e17
FOB 2 (Securakey)
https://ufile.io/7jt1e
Offline
Your traces show a 64 bit securakey version that has not been properly identified yet. The current securakey commands only know the 96 bit version (and only partially at that).
Are there any markings on your tags (numbers?) or do you happen to have the ID numbers the system reads them as?
Offline
I should have the numbers on the tag for you by the end of the week.
Though I am confused: when I write Block 0 for a 64 bit securakey and then blocks 1 and 2, how would it come up as an EM410?
Last edited by Charlie (2018-08-21 18:10:21)
Offline
Because there is some overlap possible with the current format definitions. (Unless we started testing for the end parity as well for em410x, or knew the 64 bit securakey format and had a definition for it programmed.)
Offline
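The overlap described in the reply above, as an added example that is not part of the original thread or of the Proxmark3 code: an EM410x frame check run with and without the trailer test, taking "end parity" to mean the four column-parity bits and stop bit that close the frame (an assumption). The lax mode models the behaviour the reply implies, LOOKALIKE is a constructed frame, and FOB2 holds the bits printed in the lf sea u output earlier in the thread.

```python
# Added example (not Proxmark3 source): EM410x frame checks, lax vs strict.
HEADER = [1] * 9                              # nine 1s start every frame

def encode_em410x(tag_hex):
    """Build the 64-bit frame for a 10-hex-digit ID."""
    bits, cols = list(HEADER), [0, 0, 0, 0]
    for ch in tag_hex:
        row = [(int(ch, 16) >> s) & 1 for s in (3, 2, 1, 0)]
        bits += row + [sum(row) & 1]          # 4 data bits + even row parity
        cols = [c ^ b for c, b in zip(cols, row)]
    return bits + cols + [0]                  # column parity, then stop bit 0

def decode_em410x(bits, check_trailer):
    """Return the ID as hex, or None when the frame is rejected."""
    if len(bits) != 64 or bits[:9] != HEADER:
        return None
    cols, digits = [0, 0, 0, 0], ""
    for r in range(10):
        row = bits[9 + 5 * r: 14 + 5 * r]
        if sum(row) & 1:                      # row parity must be even
            return None
        cols = [c ^ b for c, b in zip(cols, row[:4])]
        digits += "%X" % int("".join(map(str, row[:4])), 2)
    if check_trailer and (bits[59:63] != cols or bits[63] != 0):
        return None
    return digits

def identify(stream, check_trailer):
    """Try each rotation of a repeating 64-bit stream; first accepted ID wins."""
    for i in range(64):
        tag = decode_em410x(stream[i:] + stream[:i], check_trailer)
        if tag is not None:
            return tag
    return None

# FOB 2's repeating 64 bits, copied from the `lf sea u` output in this thread.
FOB2 = [int(b) for b in "0000000000000000" "0001111000010100"
                        "1010011001011111" "1111000000000000"]
# Constructed stand-in for a non-EM410x tag: header and row parity line up,
# but one column-parity bit is wrong. (FOB 1's real bits are not on the page.)
LOOKALIKE = encode_em410x("0000009291")
LOOKALIKE[59] ^= 1

if __name__ == "__main__":
    for name, s in (("FOB2", FOB2), ("LOOKALIKE", LOOKALIKE)):
        print(name, "lax:", identify(s, False), "strict:", identify(s, True))
```

FOB 2's stream contains a nine-bit run of 1s but fails row parity, so both modes reject it; the constructed frame is reported as an EM410x ID only when the trailer is not checked.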
Fob 3# (Securakey) - 1791813 on tag
Offline