Proxmark3 community


#1 2020-01-25 20:46:21

SCFalconry
Contributor
Registered: 2020-01-22
Posts: 4

[SOLVED] AWID with printed # on FOB

Fresh NOOB ALERT!  (I've owned a Proxmark for less than a week!)   Man is this thing AWESOME!

I have an AWID FOB... that I have successfully cloned to T55xx FOBs.  The original FOB I cloned had a printed decimal number of 1165076.

I would now like to write more T55xx tags that will appear to the access reader to be the next card in the printed DECIMAL sequence. 


I've taken the 96 bits from page 0 block 1,2&3 and placed them into Excel.  I've removed every 4th bit and looked at the remaining 72 bits per the instruction in the "26bit AWID FSK Transmission Sequence" reference that I've seen in the forum numerous times.   

NO JOY!  I have yet to get any portion of those 96 bits to translate into the printed DECIMAL "1165076"

The 96 bits from block 1,2&3 from pg 0.
100100000110001001010000011000101110000000010101000010100111100010111011010110011000001101110011

The 72 bits after removing every 4th bit:
100000011001010000011001111000000010000101011100101101010100100001011001

Please point the NOOB in the right direction.  For your easy reference to... I've added client window results for: lf search, lf t55 detect,  lf t55 info, lf t55 dump,  hw ver, hw tune & hw status.

Thanks in advance!


   
proxmark3> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
         

Checking for known tags:
         
AWID Found - BitLength: 12 -unknown BitLength- (24576) - Wiegand: 0, Raw: 011711111111111118787848          

Valid AWID ID Found!     



  

Valid T55xx Chip Found
Try lf t55xx ... commands
----------------------------------------------------------------------------------
proxmark3> lf t55 detect
Chip Type  : T55x7          
Modulation : FSK2a          
Bit Rate   : 24 - RF/50          
Inverted   : Yes          
Offset     : 32          
Seq. Term. : No          
Block0     : 0x90625062          
         
Downlink Mode used : default/fixed bit length




proxmark3> lf t55 info
         
-- T55x7 Configuration & Tag Information --------------------          
-------------------------------------------------------------          
 Safer key                 : 9 - testmode          
 reserved                  : 3          
 Data bit rate             : 0 - RF/2          
 eXtended mode             : Yes - Warning          
 Modulation                : 5 - FSK 2 RF/8  RF/10          
 PSK clock frequency       : 0          
 AOR - Answer on Request   : No          
 OTP - One Time Pad        : No          
 Max block                 : 3          
 Password mode             : No          
 Sequence Start Terminator : No          
 Fast Write                : No          
 Inverse data              : Yes          
 POR-Delay                 : No          
-------------------------------------------------------------          
 Raw Data - Page 0          
     Block 0  : 0x90625062  10010000011000100101000001100010          
-------------------------------------------------------------  







proxmark3> lf t55 dump
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 90625062 | 10010000011000100101000001100010          
  1 | 022E2222 | 00000010001011100010001000100010          
  2 | 22222222 | 00100010001000100010001000100010          
  3 | 30F0F090 | 00110000111100001111000010010000          
  4 | 00000000 | 00000000000000000000000000000000          
  5 | 00000000 | 00000000000000000000000000000000          
  6 | 00000000 | 00000000000000000000000000000000          
  7 | 00000000 | 00000000000000000000000000000000          
Reading Page 1:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 90625062 | 10010000011000100101000001100010          
  1 | E0150A78 | 11100000000101010000101001111000          
  2 | BB598373 | 10111011010110011000001101110011          
  3 | 00000000 | 00000000000000000000000000000000






proxmark3> hw ver
Prox/RFID mark3 RFID instrument          
bootrom: master/v3.1.0-176-gd00a30d-suspect 2020-01-24 22:51:58
os: master/v3.1.0-176-gd00a30d-suspect 2020-01-24 22:51:59
fpga_lf.bit built for 2s30vq100 on 2019/11/21 at 09:02:37
fpga_hf.bit built for 2s30vq100 on 2019/11/13 at 14:52:19
SmartCard Slot: not available
         
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 209564 bytes (40%). Free: 314724 bytes (60%).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory






proxmark3> hw tune

Measuring antenna characteristics, please wait.........          
# LF antenna: 37.67 V @   125.00 kHz          
# LF antenna: 28.46 V @   134.00 kHz          
# LF optimal: 41.94 V @   127.66 kHz          
# HF antenna:  0.07 V @    13.56 MHz          
# Your HF antenna is unusable.          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.





proxmark3> hw status
#db# Memory          
#db#   BIGBUF_SIZE.............40000          
#db#   Available memory........40000          
#db# Tracing          
#db#   tracing ................1          
#db#   traceLen ...............30          
#db# Currently loaded FPGA image:          
#db#   fpga_hf.bit built for 2s30vq100 on 2019/11/13 at 14:52:19          
#db# Smart card module (ISO 7816)          
#db#   version.................FAILED          
#db# LF Sampling config:          
#db#   [q] divisor:           95          
#db#   [b] bps:               8          
#db#   [d] decimation:        1          
#db#   [a] averaging:         1          
#db#   [t] trigger threshold: 0          
#db#   [s] samples to skip:   0          
#db# USB Speed:          
#db#   Sending USB packets to client...          
#db#   Time elapsed:      1500ms          
#db#   Bytes transferred: 921600          
#db#   USB Transfer Speed PM3 -> Client = 614400 Bytes/s          
#db# Various          
#db#   MF_DBGLEVEL........2          
#db#   ToSendMax..........1729066737          
#db#   ToSendBit..........0

Last edited by SCFalconry (2020-02-03 22:31:10)


#2 2020-01-28 19:05:33

batman192
Contributor
Registered: 2019-07-16
Posts: 24

Re: [SOLVED] AWID with printed # on FOB

I have a similar fob that uses the AWID protocol, but has a printed decimal number on the fob itself. I'm not sure if there is a way to have the cloned card appear to the reader as the next sequence for the printed numbers...

The best way to check would be to see if you can get a fob with another printed decimal number and compare the dumps of both if at all possible.

I noticed too that your AWID output for "lf search" isn't displaying a Facility Code or the ID afterwards- have you tried this with Iceman's RDV4 fork? Once I flashed mine with his I was getting a bit more info on my fob, it could help here :)


#3 2020-01-30 14:28:41

SCFalconry
Contributor
Registered: 2020-01-22
Posts: 4

Re: [SOLVED] AWID with printed # on FOB

Batman... thanks for the reply.

Warning..  assumptions about to be made by neophyte RFID enthusiast!  So please.. Do not take any of this as gospel.

I believe the 26bit AWID I'm studying is proprietary.  I have obtained a read from another tag whose decimal printed number is the next in sequence.   Comparison of the 72 bits stripped from the 96 bits.... show that the sole difference is in the last nibble.. (bits 69,70,71,72).

I've written both cards to T5577's via  entering  TX55 Write commands for each block...  And successfully used both cards.  I'm unable to CLONE via PM3 because I do not know the FC or UID.    Since the tag is proprietary.... My assumption is...  even if I entered the correct FC & UID... The PM3 programming wouldn't know where to place them in the bitstream.

According to the example 26bitAWID  format I've seen..  the UID should NOT have been in the last nibble of the 72 bits.  So  I guess these tags have a proprietary format.

I believe this is why LF SEARCH doesn't return a facility code.  (Wouldn't hurt my feelings if someone piped in and confirmed that for me).  :)

To that end... It looks like I will continue shifting things around in Excel for quite some time to decipher this fully... (FC&UID).   As a side effect..  I now translate bin2hex & hex2bin A LOT faster than I ever did before.  LOL.

I've SEARCHED this forum A LOT in the past week..  and I remember a post where the OP stated he was so engrossed that he had started dreaming in binary.  ROFL.

When I read that I laughed...   Now it is a week later and I understand FULLY.

Last edited by SCFalconry (2020-01-30 14:33:01)


#4 2020-01-30 15:18:20

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: [SOLVED] AWID with printed # on FOB

this is what happens when you fall down the rabbit hole of rfidhacking/proxmark3....


#5 2020-02-01 18:21:24

SCFalconry
Contributor
Registered: 2020-01-22
Posts: 4

Re: [SOLVED] AWID with printed # on FOB

Embarrassingly... It took me a week of shifting things around in Excel.  I'm a complete newbie to RFID experimenting..  and made numerous mistakes including simple typos in Excel.  In the end after correcting typos, slowing down and working carefully and methodically... Translating the decimal printed# into the required HEX revealed itself fairly quickly.

The information needed is all in the forum.  A special thanks to all contributors who document their experiences.

The graphics of the 26bit AWID format was nearly spot on. 
Ref: Post 1767 Titled "T55x7 and Tags Emulation"

I removed every 4th bit of the 96bit stream.   Leaving me 76 bits.  The card I was studying is proprietary format. The FC & UID were the last 8 nibbles.(block 3 of the remaining 72 bits).     Had it been non proprietary format ...FC & UID would have been bits 16 thru 39.

I'm having quite a time writing new cards from the gleaned information.  I'm now re-reading T5577 data sheets.  This problem is due to my limited experience with Proxmark.  Every once in awhile I get one of maybe 20 to detect as AWID format.  Once I get a better grasp on Page1 configuration block settings ... I'm sure writing will work out more consistently.   I will seek assistance for that in a separate post.

My buddy and I have enjoyed learning about the strengths and weaknesses of what he has installed here at the community club house. 

We're recommending to the HOA that the decimal printed number on the FOBs be removed with acetone before being issued.

Also we may be rewriting or writing new tags.  The purchased tags are in sequenced batches.  Writing our own tags will allow us to spread the UIDs randomly positioned within the 65536 possible locations... Instead of having lots of tags in small perfectly sequenced groups.

All this for access to a swimming pool and community center.  LOL

Last edited by SCFalconry (2020-02-01 18:30:29)
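
Added example, not part of the original posts and not Proxmark3 code: it aligns the page 0 blocks 1-3 from the first post's `lf t55 dump` to the AWID preamble, checks the parity of every 4-bit group, and reads the format-length field, reproducing the `Raw:` value and the `BitLength: 12 -unknown BitLength-` line of that post's `lf search` output. It assumes the AWID framing used by the Proxmark3 client's demodulator (8-bit preamble 00000001, then 22 groups of three data bits plus one odd-parity bit); the function names are made up for this example.

```python
# Assumed framing: preamble 00000001, then 22 groups of 3 data bits + 1 odd-parity bit.
PREAMBLE = "00000001"

# Values copied from the first post: `lf t55 dump` page 0 blocks 1-3, and `lf search` Raw.
DUMP_BLOCKS = ["022E2222", "22222222", "30F0F090"]
LF_SEARCH_RAW = "011711111111111118787848"


def hex_to_bits(h):
    """Hex string -> bit string, keeping leading zeros."""
    return bin(int(h, 16))[2:].zfill(len(h) * 4)


def strip_parity(frame):
    """Return the 66 data bits of an aligned 96-bit frame, or None on a parity error."""
    body = frame[len(PREAMBLE):]
    data = []
    for i in range(0, len(body), 4):
        group = body[i:i + 4]
        if group.count("1") % 2 != 1:      # odd parity over data bits + parity bit
            return None
        data.append(group[:3])
    return "".join(data)


def align_to_preamble(bits):
    """The tag replays blocks 1-3 in a loop, so the dump may start mid-frame.
    Try every rotation; keep those that start with the preamble and pass parity."""
    hits = []
    for shift in range(len(bits)):
        rotated = bits[shift:] + bits[:shift]
        if rotated.startswith(PREAMBLE) and strip_parity(rotated) is not None:
            hits.append(rotated)
    return hits


def decode(frame):
    """Split an aligned frame into raw hex, format length and remaining payload bits."""
    data = strip_parity(frame)
    if data is None:
        raise ValueError("parity error")
    return {"raw": "%024X" % int(frame, 2),
            "format_length": int(data[:8], 2),   # first 8 data bits
            "payload_bits": data[8:]}            # layout depends on the format


if __name__ == "__main__":
    for frame in align_to_preamble(hex_to_bits("".join(DUMP_BLOCKS))):
        print(decode(frame))
```
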


#6 2020-02-15 17:15:20

batman192
Contributor
Registered: 2019-07-16
Posts: 24

Re: [SOLVED] AWID with printed # on FOB

Oh snap.....you just flicked a lightbulb on in my head, SCFalconry!

I've been having issues with cloning what I *thought* was an AWID card- I tried writing the FC and UID to a new card from the one I dumped, but the Wiegand values ended up differing between the two cards. The only way I got them to work is if I dumped the entire card using LF t55xx dump and then writing the new information.

Now that you write this.....maybe I'm NOT working with the AWID protocol at all! Maybe it's a proprietary format too!
