Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#1 2011-08-21 01:54:13

miikeyboy
Member
Registered: 2011-08-21
Posts: 3

KeyFOB at 153mHz

Hi chaps,

I'm lost at identifying the protocol/frequency of my apartment's key fob. According to this page (http://www.pac.co.uk/products/id-device … u-156.html) it uses 153 KHz rather than 125KHz. I just wasted money on an ebay-rfid 125KHz read/writer and I don't want to make the same mistake on the 13.56 reader.

Can the Proxmark read and write at this frequency? I thought it was only 125kHz and 13.56MHz for door entry systems.

Thanks,
Michael

Last edited by miikeyboy (2011-08-21 01:56:12)

Offline

#2 2011-08-21 09:49:18

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: KeyFOB at 153mHz

In my experience I have found that 125kHz, 134kHz and 13.56MHz are the most common for access control. Outside of that there are quite a few others like the one you have there.
The Proxmark is capable of reading/writing 153kHz.
I'm guessing you will need to construct the antenna yourself. An alternative I use for low frequency antennas is destroying an old card to remove the coil from it. This is a delicate process and is usually done on clamshell or ISO cards since most key fobs or tags are filled with resin.

Offline

#3 2011-08-21 13:59:47

miikeyboy
Member
Registered: 2011-08-21
Posts: 3

Re: KeyFOB at 153mHz

Cheers for the reply 0xFFFF,

Good to know it's capable, but being lazy it doesn't sound easy to a newbie and was expecting an out-of-the box ready made solution.

Last edited by miikeyboy (2011-08-21 14:02:10)

Offline

#4 2011-08-21 22:11:42

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: KeyFOB at 153mHz

No worries miikeyboy,

If you find a solution to your problem, please post it here.

Do you have a spare card/key/fob? Perhaps I could look at it for you instead?

Offline

#5 2011-08-22 11:31:26

miikeyboy
Member
Registered: 2011-08-21
Posts: 3

Re: KeyFOB at 153mHz

Only have the one key and my landlord hasn't got back to me about a possible spare. But if lucky I will take you up on the offer if it's not too much trouble.

Regards,
Mike

Offline

#6 2011-08-22 13:34:51

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: KeyFOB at 153mHz

I don't mind really. It's more for my own interests. How many cards do you require?

Offline

#7 2012-04-27 20:23:59

Bugman1400
Contributor
Registered: 2010-12-20
Posts: 132

Re: KeyFOB at 153mHz

0xFFFF wrote:

In my experience I have found that 125kHz, 134kHz and 13.56MHz are the most common for access control. Outside of that there are quite a few others like the one you have there.
The Proxmark is capable of reading/writing 153kHz.
I'm guessing you will need to construct the antenna yourself. An alternative I use for low frequency antennas is destroying an old card to remove the coil from it. This is a delicate process and is usually done on clamshell or ISO cards since most key fobs or tags are filled with resin.

Seems like you could use a 125kHz antenna. It wouldn't be perfect but, it is not like you are trying to use a LF for a HF application. The difference between 125kHz and 153kHz I'd think would not be that great.

Also, would the PM3 firmware have to be modified to run the 153kHz or can this be achieved from the client?

Offline

#8 2014-09-13 06:13:14

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

Has anyone done any further work with/on the 153khz tags?

I know, this is an old thread, sorry, but I would like to learn more about these tags.

Last edited by marshmellow (2014-09-13 06:15:04)

Offline

#9 2014-09-16 14:08:46

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

i think i've successfully read the PAC 153kHz tag using the 134kHz read option.  it appears to be a type of direct modulation rf/32.  128 bits of data transmitted.  I don't have a PAC reader to confirm, and there are no printed numbers on the tag to compare.  i was able to use data askdemod to get a clean look at the wave to read it manually.  I was able to create a very similar wave in a standard ata5577 125kHz tag with block 0 configured to 00080080, but it probably won't work with the original readers.  Does anyone know where i can find a writable 153kHz tag/chip?  ps. if anyone wants a trace let me know.

Offline

#10 2015-05-24 02:33:26

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

@marshmellow

I can not be much help by your level of knowledge but I have a real PAK FOB, and a PAK door reader to help you test out your idea.

I know that database can be written on PAK fob, but I do not know whether sector 0 is writable or not.

There is UID writable tag/key for 13.56kHz, and also UID Writable 125KHz RFID ID Tag Sticker Alarm Access Key EM4100 Proximity, and T55x7 but why you ask for 153kHz writable???

Last edited by ntk (2015-05-31 00:21:19)

Offline

#11 2015-05-24 04:52:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

ntk wrote:

There is UID writable tag/key for 13.56kHz, and also UID Writable 125KHz RFID ID Tag Sticker Alarm Access Key EM4100 Proximity, and T55x7 but why you ask for 153kHz writable???

the link at the beginning of the thread shows a link that shows PAK makes  a 153KHz tag.  I'm interested in learning more about the 153KHz chip as it seems to be fairly rarely used frequency in prox.  if i can get blank tags i can write and test with I'd learn more.

do you have a pm3 to do any testing on your tag / reader?

Offline

#12 2015-05-24 11:49:50

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

because there is no writable 153kHz here or on Chinese market I think we could try first if it works with UID writable 125kHz before sitting and hoping someone will offer the writable 153Khz.

this type is obscured very well, it says "its chip is unique and impossible to copy", I wonder whether we don't know enough or it may be true.

I have PM3, strangely I could not detect clock, PM crashed when mandemod , data askem410xdemod  1 seems not doing anything

Offline

#13 2015-05-24 12:03:24

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

I have studied ways people in the forum have worked on identifying and demodulation and tried those techniques here, but seem to have a problem with correct reading, because the result is 0 for clock or PM3 crashed.

with guidance and support knowledge on your side, I think we will get further because while you have theory, I have the fob to test on PAK reader

apparently what exactly is the type of a Urmxt Domys key? I can not identify from data the step they made there

Last edited by ntk (2015-06-05 02:41:21)

Offline

#14 2015-05-24 12:05:07

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

PAK card/tag/key are not always 153kHz there is also KeyPAK which is 125kHz too.

Last edited by ntk (2015-05-31 00:22:11)

Offline

#15 2015-05-24 13:21:20

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

have never uploaded a trace before so I have to look through the examples again. Here are traces. If you need anything else pls let me know
http://www.filedropper.com/pak

Offline

#16 2015-05-24 13:30:12

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

how do you re-edit a post in this forum? Sorry, I have made mistakes.

the previous post should be:

"
I have never uploaded trace before, so I have to look through the examples again. Here are my trace files. I have tried to read both types at 125 (Xtanley_125_x.txt) and reading at 134 kHz (Xtanley_134_x.txt).

http://www.filedropper.com/trace_pak



If you need anything else, pls let me know."

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: /-suspect 2015-04-02 15:12:04                 
#db# os: /-suspect 2015-04-02 15:12:11                 
#db# LF FPGA image built on 2015/03/06 at 07:38:04                 
uC: AT91SAM7S512 Rev B         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 512K bytes         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory         

Windows Vista.

Last edited by ntk (2015-06-05 02:42:28)

Offline

#17 2015-05-25 05:39:34

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

looks like the 125 khz traces are all exactly the same (even from the same read, saved 3 times?) except _4.  are they supposed to be all the same tag?

the 134Khz traces are a mess.  is this the same tag as the 125khz samples?  ( i would guess.)  if so the tag you have is definitely of the 125khz variety, different than the 153khz i've seen.

the protocol looks similar to what i've seen on this tag before, but different enough that i'm not sure on how to read it.  (there certainly is no automatic read capability currently on the pm3.)  if you plot the 125khz trace there appears to be a definite 128 bit repeating stream (@ rf/32 or possibly 64bit @ rf/64)....

the protocol does not follow any standard i know.  as some data points are 64 sample width, and others 32 samples kind of like biphase but it has, in some cases, a data point of 96 samples which is against biphase rules. plus there is a null state like NRZ/direct, but nrz/direct cannot have different size data points.

is there a tag number, or can you tell me what the reader outputs for the tag(s) you've traced?   that might indicate how we interpret some of the bits.

ps. sorry for the slow response...  i've been very busy lately.

Last edited by marshmellow (2015-05-25 05:45:47)

Offline

#18 2015-05-25 11:05:28

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

thanks for your reply. I have few more traces just to make sure what we get from this is right
http://www.filedropper.com/trace_pak125

log_tune_without.txt
I have done Hw tune

log_Tune_2nd_time_with_fob.txt
done hw tune at first w.o. fob; then with fob

for the data I do separately for command "lf read" 3 times
lf_read_1.txt is the data file and log_lf_read_1.txt is the screen log file

for the data I do separately for command "lf search" 3 times
lf_search_1.txt is the data file and log_lf_search_1.txt is the screen log file

Last edited by ntk (2015-06-05 02:43:03)

Offline

#19 2015-05-25 11:20:44

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

marshmellow wrote:

"looks like the 125 khz traces are all exactly the same (even from the same read, saved 3 times?) except _4.  are they supposed to be all the same tag?"

I ran again and save data and save log report again, to make sure I use correct command.

"the 134Khz traces are a mess.  is this the same tag as the 125khz samples?  ( i would guess.)  if so the tag you have is definitely of the 125khz variety, different than the 153khz i've seen.

the protocol looks similar to what i've seen on this tag before, but different enough that i'm not sure on how to read it.  (there certainly is no automatic read capability currently on the pm3.)  if you plot the 125khz trace there appears to be a definite 128 bit repeating stream (@ rf/32 or possibly 64bit @ rf/64)...."

I think it is 125 kHz too. It is common here in UK.

"
the protocol does not follow any standard i know.  as some data points are 64 sample width, and others 32 samples kind of like biphase but it has, in some cases, a data point of 96 samples which is against biphase rules. plus there is a null state like NRZ/direct, but nrz/direct cannot have different size data points."

so would it be good to put it on request list of new PM3 next release?

"
is there a tag number, or can you tell me what the reader outputs for the tag(s) you've traced?   that might indicate how we interpret some of the bits."
the fob is quasi square, black and has imprint "PAC" on its front, on the back a field of 0123456789, but this is always on every PAC fob I have seen. they are available to buy on ebay new and used, I have bought one used to compare data. It sometimes is identified as indala fob!!!

"
ps. sorry for the slow response...  i've been very busy lately.

"
it is ok, we are 6,7 hrs earth-time-different.

I must dash to work now will be back here at 9:00PM

Offline

#20 2015-05-27 21:20:20

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

marshmellow wrote:

looks like the 125 khz traces are all exactly the same (even from the same read, saved 3 times?) except _4.  are they supposed to be all the same tag?

Yes the traces are from the same tag, I left it on the antenna.
After each "lf read" or lf search I saved data

This time I have two more  tag from my friend. Saved data from lf read I call them H1 and H2.
http://www.filedropper.com/readh1h2

Before the week-end a friend has promised to let me do a reading on two more tags If you think of any special ways to experiment read please do let me know.

marshmellow wrote:

the 134Khz traces are a mess.  is this the same tag as the 125khz samples?  ( i would guess.)  if so the tag you have is definitely of the 125khz variety, different than the 153khz i've seen.

I think here in the UK the 125 kHz is common. shame that the graph from my tag and data is not similar to your 153 kHz

marshmellow wrote:

the protocol looks similar to what i've seen on this tag before, but different enough that i'm not sure on how to read it.  (there certainly is no automatic read capability currently on the pm3.)  if you plot the 125khz trace there appears to be a definite 128 bit repeating stream (@ rf/32 or possibly 64bit @ rf/64)....

the protocol does not follow any standard i know.  as some data points are 64 sample width, and others 32 samples kind of like biphase but it has, in some cases, a data point of 96 samples which is against biphase rules. plus there is a null state like NRZ/direct, but nrz/direct cannot have different size data points.

is this what you have found affirmative Marshmellow. Could we confirm again in the new trace of two more tag H1 and H2, before the week-end I should be able to have trace of two more physical similar tags.

It can not be possible that they have built the device based on a different than standard protocol ...

marshmellow wrote:

is there a tag number, or can you tell me what the reader outputs for the tag(s) you've traced?   that might indicate how we interpret some of the bits.

outside the tag is only the name nothing else.

marshmellow wrote:

ps. sorry for the slow response...  i've been very busy lately.

It is kind of you, a veteran on this project to join and give a newbie some answers

Concerning the behaviour of the reading reg standard I want to make sure the reading is not faulty. So I want to rebuild all my software and flash PM3 to make sure the fault in reading does not come from PM3. I have built and flashed the new bootrom, os and fpga image. I use SVN check out the trunk and it gives me as yesterday 26/5/2015 the 845 as the trunk, top of the software tree, the latest release!

Is there another Sw release some where else Marshmellow?

Offline

#21 2015-05-27 21:26:47

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

Regarding the latest released code, the code repository is now on github instead of googlecode.  The google repo is no longer managed or updated.  So 845 is actually very old.  There are various posts about github on the forum with more info.

Offline

#22 2015-05-27 21:28:11

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: KeyFOB at 153mHz

Offline

#23 2015-05-27 22:29:29

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

make sure after the `lf read` you do a `data samples 20000`  as it looks like all your traces are again the same tag. (but different than the first...)

i still see strange wave patterns.  it doesn't match any common modulation standard I know. (doesn't mean it isn't a standard modulation, just not one i'm familiar with)

it doesn't fit manchester/ask, or biphase/ask, or diphase/ask, or even direct/nrz ask.  it definitely isn't psk or fsk.  it appears to be a modified ASK or some other form of ASK modulation.

unless someone here knows the modulation so we can research it more, and without an authentic reader to match up the binary interpretation of the waves, demodulating it will be shooting in the dark...  :(

Offline

#24 2015-05-27 22:47:50

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

Thanks for your help Iceman and Marshmellow,

I do also use git,  I either download the proxmark-master.zip, or open git in explorer, do a clean and compile all with recent modification of 4 days old ...   problem is it does not tell you a rxyz number but only "master". what is that for a release, latest yes, but which one? where can I see the release identification like on SVN

also some files I expect to see on github or SVN are from Gaucho like project CPP, setting xml files I could not find anywhere. I did all rebuild on linux and also windows, none of those Gaucho's files. They must be somewhere on archive.

OK Marshmellow, that was what I have missed. I did only one after the first lf read. I thought wrongly that if I don't sample and prepare to plot I won't need data samples each time I want to save.

I will do it again tonight, when I am home in about 1hr. Will do after each read a data samples 20000 for you.

Offline

#25 2015-05-27 22:57:01

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

The version tagging doesn't have a solution.  There is actually a github issue open regarding that.  Go by date.


The GUI is not part of the github repo.  It is a windows only add-on so it can be downloaded from the windows client section of this forum.  Asper keeps the first post of the topic up to date as best he can. http://www.proxmark.org/forum/viewtopic.php?id=1562 The XML is hand made and has to be hand edited for each command change.

Last edited by marshmellow (2015-05-27 22:59:41)

Offline

#26 2015-05-27 23:47:50

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

marshmellow wrote:

The version tagging doesn't have a solution.  There is actually a github issue open regarding that.  Go by date.

Ah thanks It is clear now, for half a day I look up and down and dont understand Strange this is master-release of when of what, how could professional programmers put up with this Git

marshmellow wrote:

The GUI is not part of the github repo.  It is a windows only add-on so it can be downloaded from the windows client section of this forum.  Asper keeps the first post of the topic up to date as best he can. http://www.proxmark.org/forum/viewtopic.php?id=1562 The XML is hand made and has to be hand edited for each command change.


I will go back there and look around again. we should mention that in wiki doc and always keep it updated, there are so many links, most of them do not separate 64bits or 32bits environment and cause a lot of errors. It would be nice if someone could take down or mark all out-dated infos

Offline

#27 2015-05-27 23:50:40

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

here is the trace again.

Would you help from beginning HW, version, Tune, Voltage

We want to check there is no possible cause which misled us.

http://www.filedropper.com/hwvervoltage_1

Offline

#28 2015-05-27 23:54:12

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

can you see something strange with the voltage drop there?

it is unexpected, is it not? If it is 125KHz key I would expect to see voltage drop there...

Offline

#29 2015-05-27 23:58:15

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

You have a good looking trace. (Good clipping so antenna is good) Not much could go wrong if you got that far.  It has a clear repeating pattern every 4096 samples.  It almost looks like a normal Manchester or BIPHASE encoding /ask modulation.  But it definitely isn't.

I agree there have been a lot of code changes but not a lot of doc changes.  That is what we need those who don't write the code to help clean up :),  but with all volunteer hobbyists here, we do what we can.

Offline

#30 2015-05-28 00:04:31

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

the voltage does drop, it just also shifts the optimal to what you are reading.  the tag takes about 8v from the optimal. 
while i can't say i've seen that exact scenario (the optimal shift), i also never had an antenna tuned like yours (stronger on the 134khz side).  I'd say it looks normal.

Last edited by marshmellow (2015-05-28 00:05:18)

Offline

#31 2015-05-28 00:05:40

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

but reading with 134 Khz somehow brings us only garbage.

So I still start do reading as 125kHz first

http://www.filedropper.com/test2_9

Offline

#32 2015-05-28 00:10:40

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

the antenna is directly from the company, not a self-built version Marshmellow

Offline

#33 2015-05-28 00:18:45

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

The tag is 125khz.  134 leaves you with a mangled trace.

The antenna you have is fine (actually better than the prefab ones I've seen.). Just different :). It works fine for either tag type (134 or 125). Just affects the voltage output a little different than other antennas when given a 125 kHz tag.

And I'd read your tag with
lf read
data samples 20000
Then save the trace. 
Each time.  Then you can load and compare the plots.  I use the windows snip tool to copy the plots.

Offline

#34 2015-05-28 00:20:34

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

perhaps I should ask this question on a separated topic

I came across this thread on the forum
http://www.proxmark.org/forum/viewtopic.php?id=314

from the work with this Uxmet Domys fob,x=r and y=u, most of demodulation happened manually 5 years ago, have we nowadays implemented any command to work using proxmark3 with that type of fob.

From that read It does not seem to be standard EM41xx. What is that exactly, do you know?

Last edited by ntk (2015-05-31 00:28:46)

Offline

#35 2015-05-28 00:29:13

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

The
lf search u
Will find and output all known tags and demod the binary of most unknown tags that are a common modulation.  But it will not work properly on this tag. :(

Offline

#36 2015-05-28 00:38:36

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

window snip tool!!! I will install...

Why you tell me that? does the three trace show the same plot again???

I did

lf read
data samples 20000
Then save the trace as x_1.txt

then again

lf read
data samples 20000
Then save the trace as x_2.txt

lf read
data samples 20000
Then save the trace as x_3.txt

Offline

#37 2015-05-28 00:43:20

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

Perfect.  On mobile, haven't checked your files yet

Offline

#38 2015-05-28 00:47:24

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

Can you try holding your tag half an inch or so off the antenna and read one again and post that trace?  Sometimes with a strong antenna it can clip odd.  I haven't seen any evidence of that but if you want to try something...

Offline

#39 2015-05-28 00:55:48

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

if the trace this time shows similar behaviour like the last time, then that is strange ....

I will reset, reconnect proxmark and take one more time new traces

If we see that similarity again then we might not have really read anything from the tag, but we "save and plot" coincidentally a fixed pattern from inside proxmark...

Offline

#40 2015-05-28 01:01:03

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

The last 3 trace files all are different reads now.

Offline

#41 2015-05-28 01:06:51

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

now I have reset the proxmark each time I took a trace, run data samples 200, then save the trace, they could not have identical starting point, amplitude etc

http://www.filedropper.com/testwithreset


Next I will take trace with tag positioned some " away from antenna

Offline

#42 2015-05-28 01:10:19

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

marshmellow wrote:

The last 3 trace files all are different reads now.

Uh so relieved ... I thought we save & plot imaginaire not real read data.

Offline

#43 2015-05-28 01:18:07

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

and here are traces with the tag positioned about  1" away from antenna

Offline

#44 2015-05-28 02:53:26

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

we could have PAK door reader....if I connect it to power supply

would the key react when it comes near the PAK reader, even when it is not the one supposing to welcome this PAK key

Last edited by ntk (2015-06-19 10:12:49)

Offline

#45 2015-05-28 03:31:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

typically a key of this type will still make the reader "Beep" or read the tag, it is then up to the door access system to see if it is valid.  so yes, your reader, if powered should read the tag.  however, i doubt there is much to snoop as i don't think there is any two way communication on this tag. 

but if you could connect the data output of the reader to something to read the output of the reader when it reads your tag that would be something.  if we could get the binary output of the reader we could have a binary string to look for in the modulation. (if it is not scrambled...)

Offline

#46 2015-05-28 05:48:40

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

ok, it might be a heavily clipped version of a direct modulation tag.  (tag must either be really strong or is a slightly different implementation of direct than i'm used to.)

load your trace and then
if you run 'data rawdemod nr 32'  you get 128 repeating bits.
not certain on the starting point as there is no clear start marker.

it "looks" right.  but without a card number or knowing what it is supposed to read, it remains only a theory.

might be able to attempt a clone on a ata55x7.  but you will want to power up your reader and see if your "good" tags make it "beep" (or light up, or something), so you will know if it might be able to test your clone.

no guarantees as it doesn't look like the typical direct modulation (waves remain clipped beyond the clock = not typical)  but it might work.

Offline
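Added example, not part of any post above and not Proxmark3 code: a Python sketch of the checks the thread reasons through by eye, namely pulse widths of 32/64/96 samples, the Manchester/biphase limit of two half-bits per level, and the 128-bit (4096-sample) repeat at rf/32. The frame, the trace and all function names are constructed for the demonstration; no real tag data is used.

```python
import random

RF = 32  # samples per bit; the thread reads the tag at rf/32

# Constructed 128-bit frame for the demo; NOT data from any real tag.
FRAME_HEX = "A5C3F10E2B7D94680F1E2D3C4B5A6978"
FRAME = [int(b) for b in bin(int(FRAME_HEX, 16))[2:].zfill(128)]


def synth_trace(bits, rf=RF, repeats=3, amp=100, noise=4, seed=1):
    """Constructed NRZ/direct trace: hold each bit's level for rf samples."""
    rng = random.Random(seed)
    trace = []
    for _ in range(repeats):
        for bit in bits:
            level = amp if bit else -amp
            trace.extend(level + rng.randint(-noise, noise) for _ in range(rf))
    return trace


def run_lengths(samples, threshold=0):
    """Slice at threshold and return [(level, width_in_samples), ...].

    The first and last runs are dropped: a capture starts and stops at an
    arbitrary point, so their widths are not meaningful.
    """
    runs = []
    level, width = samples[0] > threshold, 0
    for s in samples:
        if (s > threshold) == level:
            width += 1
        else:
            runs.append((int(level), width))
            level, width = not level, 1
    runs.append((int(level), width))
    return runs[1:-1]


def width_histogram(runs, unit=RF):
    """Count runs by width, rounded to the nearest multiple of unit."""
    hist = {}
    for _, width in runs:
        w = max(1, round(width / unit)) * unit
        hist[w] = hist.get(w, 0) + 1
    return dict(sorted(hist.items()))


def fits_manchester_or_biphase(runs, half_bit=RF):
    """Both codes force a transition at least once per bit, so no level
    can last longer than two half-bits. A 96-sample run breaks that."""
    return all(round(width / half_bit) in (1, 2) for _, width in runs)


def runs_to_bits(runs, rf=RF):
    """NRZ reading: a run of n*rf samples is n identical bits."""
    bits = []
    for level, width in runs:
        bits.extend([level] * max(1, round(width / rf)))
    return bits


def smallest_period(bits):
    """Smallest lag at which the bit stream matches itself everywhere."""
    for lag in range(1, len(bits) // 2 + 1):
        if all(bits[i] == bits[i + lag] for i in range(len(bits) - lag)):
            return lag
    return None


def analyse(samples, rf=RF):
    runs = run_lengths(samples)
    bits = runs_to_bits(runs, rf)
    period = smallest_period(bits)
    return {
        "widths": width_histogram(runs, rf),
        "two_width_code": fits_manchester_or_biphase(runs, rf),
        "period_bits": period,
        "period_samples": period * rf if period else None,
        "bits": bits,
    }


if __name__ == "__main__":
    # Drop 13 samples so the capture starts mid-bit, as a real read would.
    report = analyse(synth_trace(FRAME)[13:])
    print("run widths:", report["widths"])
    print("fits Manchester/biphase:", report["two_width_code"])
    print("repeat:", report["period_bits"], "bits =",
          report["period_samples"], "samples")
```
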

#47 2015-05-28 05:51:42

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

unfortunately there is no nrz/direct simulation mode for the pm3.  (the half modulation [not high and not low and not in transition] is difficult and would require fpga modifications)

Offline

#48 2015-05-28 10:54:31

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

marshmellow wrote:

ok, it might be a heavily clipped version of a direct modulation tag.  (tag must either be really strong or is a slightly different implementation of direct than i'm used to.)

load your trace and then
if you run 'data rawdemod nr 32'  you get 128 repeating bits.
not certain on the starting point as there is no clear start marker.

it "looks" right.  but without a card number or knowing what it is supposed to read, it remains only a theory.

thank you Marshmellow.

to be sure that we look at the same record, and decode in a similar way, I do another read, sample, save the trace, then I do a nz demodulation without 32 then with 32
http://www.filedropper.com/k125nzdemod_1
I can see the 111111 block pattern they mentioned in the urmet dous thread


marshmellow wrote:

might be able to attempt a clone on a ata55x7.  but you will want to power up your reader and see if your "good" tags make it "beep" (or light up, or something), so you will know if it might be able to test your clone.

I can not really follow you here. You mean I should power on which reader? my PAK reader? my PM3, my door reader?

marshmellow wrote:

no guarantees as it doesn't look like the typical direct modulation (waves remain clipped beyond the clock = not typical)  but it might work.

at least we can see some known pattern in the unknown ....

Offline

#49 2015-05-28 11:03:10

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: KeyFOB at 153mHz

I do have a door reader on my table and on its back I see +12V; 0V; D0/Clk; D1/SIG;VCA;+5

I think the D1/SIG is the data you talk about but where should I connect it to to see what that reader do when a tag comes near it?

Last edited by ntk (2015-06-19 10:10:37)

Offline

#50 2015-05-28 12:37:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: KeyFOB at 153mHz

Some readers light up some beep.  Any change when a tag is presented means it read it.

The urmet dous is a different format, and I don't think has any similarities here.

Power on the reader that is supposed to read your original tag, verify it reads the original tag (lights up or beeps) and then clone it and try the clone on the reader...

I would try the reader that is most accessible to you first.

Offline
