Research, development and trades concerning the powerful Proxmark3 device.
40bit TAGs
===============
SCRAMBLE PATTERN 1
===============
(2 bits are always 1 so I cannot determine where to put them but there are only 2 possibilities):
So, if you have a decoded Hex ID to bin like:
0x0F00887882 (hex) => 0000111100000000-100010000111100010000010 (bin);
you need to remove the first 16 bits, obtaining a 24-bit value: 100010000111100010000010
Now label these 24 bits from b0 to b23:
b0 b1 b2 b3 - b4 b5 b6 b7 - b8 b9 b10 b11 - b12 b13 b14 b15 - b16 b17 b18 b19 - b20 b21 b22 b23
now scramble bits this way (I am not sure for x and y [b10-b11] but they can be easily switched):
b1 b3 b0 b2 - b6 b4 b7 b5 - b9 b11 b8 b10 - b18 b20 b23 b17 - b14 b12 b22 b21 - b19 b13 b15 b16
Finally, convert the scrambled bits to decimal and you should obtain the number printed on the card.
If someone is able to write a small program to process bytes that way, we can have a confirmation.
_____________________________________________________________________________________________________________
===============
SCRAMBLE PATTERN 2
===============
This one was found with an EM4100
ID = 140156c3ef
Steps to decode:
1 - read the ID
2 - convert to binary
3 - remove the first 17 bits
4 - take 7 bits and convert to decimal = 3-value code printed on card
5 - take the next 16 bits and convert to decimal = 5-value code printed on card
6 - take the bits of steps 4 & 5 together, convert to decimal, and you will get the 10-value code printed on card
In practice:
- If card id (read with a reader, e.g. proxmark3) is 140156c3ef:
- decode in binary: 00010100000000010(17bits) 1010110(7bits) 1100001111101111(16bits)
- remove 1st 14 bits: 1010110(7) 1100001111101111(16) convert in decimal --> 86 50159
- all together --> 10101101100001111101111(7+16bits) --> 5686255
so the final number printed on tag will be: 5686255 86,50159 (maybe 1st "unused" 17 bits are used for some other kind of checks).
_____________________________________________________________________________________________________________
32bit TAGs
===============
SCRAMBLE PATTERN 3
===============
1) decode 0x01301949 to bin -> 1001100000001100101001001
2) remove bit 9, 15, 20 and 23 (starting from 1) from the step 1 bit sequence and "concatenate" the result -> 100110000001101010101
3) convert the previous bin value to decimal -> 1246037 <-- BINGO!
Of course this must be confirmed with another "sister" tag.
_____________________________________________________________________________________________________________
64bit Kantech XSFTAGs
===============
SCRAMBLE PATTERN 4
===============
Numbering bits from 1 to 64:
(b19-b26) -> hex
(b37-b45)concatenate(b47-b53) -> dec
_____________________________________________________________________________________________________________
for 26bit table:
1 always one (1)
29 always zero (0)
30 always zero (0)
31 CSUM 1 or 0
32 CSUM 1 or 0
33 always one (1)
34 always zero (0)
35 always one (1)
NU = Not Used
Example for 26bit:
x79288B08D x020 x2355 09045
 1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
 1  1  1  1  0  0  1  0  0  1  0  1  0  0  0  1  0  0  0  1  0  1  1  0  0  0  0  1  0  0  0  1  1  0  1
Y1=0 (11)
Y2=0 (14)
Y3=1 (12)
Y4=0 (9)
Y5=0 (21)
Y6=0 (5)
Y7=1 (4)
Y8=1 (20)
Y9=0 (15)
Y10=1 (2)
Y11=0 (6)
Y12=1 (23)
Y13=0 (25)
Y14=1 (28)
Y15=0 (19)
Y16=1 (10)
0010001101010101 = 0x2355
_____________________________________________________________________________________________________________
OTHER VARIOUS TAGs (mainly HIDs)
Last edited by asper (2014-02-19 08:59:08)
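The decoding steps from the post above, written out as an added Python example (it is not part of asper's post or of the Proxmark3 code base). Function names are hypothetical, and treating the bit positions of pattern 3 and the 26-bit table as counted from the first 1 bit is an assumption taken from the post's own examples. The pattern 1 result is only what the stated permutation yields, since the post gives no printed number to check it against.

```python
# Added example: the bit manipulations described in the post.
# Function names are hypothetical; bit positions and sample IDs are the post's.

def bits(value, width):
    """Return value as a bit string, zero-padded on the left to `width` bits."""
    if value < 0 or value >> width:
        raise ValueError("ID does not fit in %d bits" % width)
    return format(value, "0%db" % width)

# Pattern 1: output order of b0..b23 (the post is unsure about b10/b11).
P1_ORDER = [1, 3, 0, 2, 6, 4, 7, 5, 9, 11, 8, 10,
            18, 20, 23, 17, 14, 12, 22, 21, 19, 13, 15, 16]

def pattern1(tag_id):
    b = bits(tag_id, 40)[16:]                 # drop the first 16 bits
    return int("".join(b[i] for i in P1_ORDER), 2)

def pattern2(tag_id):
    b = bits(tag_id, 40)[17:]                 # drop the first 17 bits
    # (7+16 bits together, 7-bit part, 16-bit part)
    return int(b, 2), int(b[:7], 2), int(b[7:], 2)

def pattern3(tag_id):
    b = format(tag_id, "b")                   # assumption: no leading zeros
    drop = {9, 15, 20, 23}                    # 1-based positions to remove
    kept = (c for pos, c in enumerate(b, 1) if pos not in drop)
    return int("".join(kept), 2)

# 26-bit table: 1-based source bit for Y1..Y16, as listed in the post.
Y_BITS = [11, 14, 12, 9, 21, 5, 4, 20, 15, 2, 6, 23, 25, 28, 19, 10]

def table26(tag_id):
    b = format(tag_id, "b")                   # assumption: 35 bits, bit 1 is 1
    if len(b) != 35:
        raise ValueError("expected a 35-bit value")
    return int("".join(b[p - 1] for p in Y_BITS), 2)

if __name__ == "__main__":
    print("pattern 1:", pattern1(0x0F00887882))       # unconfirmed by the post
    full, short, long_ = pattern2(0x140156C3EF)
    print("pattern 2: %d %d,%05d" % (full, short, long_))
    print("pattern 3:", pattern3(0x01301949))
    y = table26(0x79288B08D)
    print("26-bit:    0x%04X %05d" % (y, y))
```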
http://www.proxmark.org/forum/viewtopic … 020#p12020 discusses more.