Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
I'm trying to decode and clone this verex/guardall fob
Still pretty new at PM3, so bear with me!
Did following:
lf read
data samples 20000
data save c:\verex.pm3
Link to trace: http://www.filedropper.com/verex
Steps to decode and clone? Can I use the FC and GX to clone? Thank you very much in advance!
Last edited by Upgrade (2015-05-22 08:02:40)
These tags use a form of encryption; see http://www.proxmark.org/forum/viewtopic.php?id=1459.
There is no function in pm3 to demod the ASK wave to binary that works, that I know of (though I will be working on it soon).
Also, with the encryption there is no way, without the algorithms, to take the FC and GX and calculate the bits needed for cloning.
However, with the captured data it is possible to clone, as the encryption is not based on a UID.
Edit: the most recent GitHub code now has the following commands that can demod the raw XORed data:
data rawdemod ar
data biphaserawdecode
It appears the 11111 is the start or stop bits of the data.
Last edited by marshmellow (2015-02-25 05:35:12)
Hi Upgrade!
The card code is
66 7f 76 66 66 A5 36 C2 66
Swap nibbles
66 F7 67 66 66 5A 63 2C 66
XOR operation
00 91 01 00 00 3C 05 4A 00
Binary:
100100 01 0000000100000000 000000000011110000000101010010100000 0000
FC30 = 11110
10832 = 00000010101001010000
If I am not mistaken in the calculations...
Writing these blocks to a Temic tag will give you a copy of the card
block 0: 00150060 -> bit rate 64 cpb; direct modulation, biphase; 3 blocks
block 1: 319CF718
block 2: C6318AA6
block 3: 1864319F
Sentinel, could I ICQ or Skype you?
Sentinel wrote:
If I am not mistaken in the calculations...
Writing these blocks to a Temic tag will give you a copy of the card
block 0: 00150060 -> bit rate 64 cpb; direct modulation, biphase; 3 blocks
block 1: 319CF718
block 2: C6318AA6
block 3: 1864319F
Hi Sentinel,
I am a newbie. Please forgive me if I am asking stupid questions.
How do you calculate the block 1, 2, 3? Thanks
Sentinel wrote:
If I am not mistaken in the calculations...
Writing these blocks to a Temic tag will give you a copy of the card
block 0: 00150060 -> bit rate 64 cpb; direct modulation, biphase; 3 blocks
block 1: 319CF718
block 2: C6318AA6
block 3: 1864319F
Lenox wrote:
Hi Sentinel,
I am a newbie. Please forgive me if I am asking stupid questions. How do you calculate blocks 1, 2, 3? Thanks
You can find more details here : http://www.proxmark.org/forum/viewtopic.php?pid=13323#p13323
The following is the reading from a Verex fob.
FC: 30 GX1002: 28417
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
Checking for known tags:
Using Clock: 64 - Invert: 0 - Bits Found: 250
ASK/Manchester decoded bitstream:
1011111010001000
0101110111101000
1001011111000101
0111011110110101
1110111100000010
0001011100111001
1011111010001000
0101110111101000
1001011111000101
0111011110110101
1110111100000010
0001011100111001
1011111010001000
0101110111101000
1001011111000101
No Known Tags Found!
proxmark3>
Just do not know how to calculate the value for the block 1, 2, 3 etc.
Probably doesn't matter where you start, just as long as you get the entire repeating bitstream.
0001 0101 1101 1110 15DE
1101 0111 1011 1100 D7BC
0000 1000 0101 1100 085C
1110 0110 1111 1010 E6FA
0010 0001 0111 0111 2177
1010 0010 0101 1111 A25F
That is the pattern I can find. But what's next? Thanks.
Hi Lenox,
the Guardall card's coding is not "ASK/Manchester".
Post the *.pm3 and I will try to decode it.
Or use the command
data biphaserawdecode [offset] [invert] - just biphase decode (need to askrawdemod first)
Sentinel wrote:
Hi Lenox,
the Guardall card's coding is not "ASK/Manchester".
Post the *.pm3 and I will try to decode it.
Thanks for your quick response.
This is the investigated file: http://www.filedropper.com/investigated-verex
Meanwhile I will try to learn how to decode it. So much fun....
Is there a card number printed on the tag? Is it 1777?
Sentinel is correct. Depending on the pm3 OS version you need to run
data askrawdemod, then data biphase
to get the bitstream, or for the latest GitHub version
data rawdemod ar, then data biphase
While the correct demod is ASK/biphase, I'm not convinced a tag couldn't be emulated with ASK/Manchester, since there were no errors in the Manchester decoding; as long as you used the correct config settings for ASK/Manchester it should output an identical wave to the biphase one. But some tags may create errors in the Manchester demod, making those impossible to emulate with ASK/Manchester.
Last edited by marshmellow (2015-02-25 03:53:23)
marshmellow wrote: Is there a card number printed on the tag? Is it 1777?
The writing on the fob: Verex FCC ID: ELVUTOA GX1002 FC: 30 28417
I am using the latest windows client :pm3-bin-0.0.7
On 0.0.7 the first two data commands (askraw and biphase) will get the bitstream.
And I missed a word when converting the ID, I now get 28417.
Look for the 11111 in the bitstream. It is the starting point (or ending point, based on Sentinel's info above).
Last edited by marshmellow (2015-02-25 05:26:05)
Wow! It works!
Marshmellow, Sentinel, app_o1: Thanks a lot for your help. You guys are awesome.
marshmellow wrote:
On 0.0.7 the first two data commands (askraw and biphase) will get the bitstream.
And I missed a word when converting the ID, I now get 28417.
Hi Marshmellow, I have a newbie question if you do not mind.
Where do you see the ID number: 28417? Which step?
Thanks,
Follow the steps in post #3 of this topic,
or see: http://www.proxmark.org/forum/viewtopic … 731#p10731 for a great picture done by Sentinel.
Last edited by marshmellow (2015-02-25 23:15:27)
EC D5 EC EC EC 2F 34 E2 EE
CE 5D CE CE CE F2 43 2E EE
00 93 00 00 00 3C 8D C2 02
Last edited by Sentinel (2015-02-26 00:38:28)
marshmellow, my result is not 28417 :( Where is the mistake?
A night's sleep is necessary, but it doesn't decode the card.
Last edited by Sentinel (2015-02-26 00:41:54)
Sentinel made 2 small mistakes (probably due to lack of sleep).
EC D5 FC EC EC 2F 3C E2 EE
CE 5D CF CE CE F2 C3 2E EE (word swap)
CE CE CE CE CE CE CE CE CE (xor key)
00 93 01 00 00 3C 0D E0 20 (after xor)
-- 100100 11 0000000100000000 0 00000000011110 00000110111100000001 0 0000 (binary)
-- -36bit cs ---------------- p ------FC------ --------Card-------- p ????
The latest GitHub code now includes a demod for this in lf search, or through the command data askgproxiidemod (after an lf read and data samples).
The data you got is actually the same repeating raw pattern.
Notice it says it did not find any tag type it recognized, so it cannot identify the start point.
I'm confident it's a G-Prox key.
Is there a recent firmware that I'm not aware of?
Last edited by Upgrade (2015-07-12 08:02:39)
You are using an older build, I can tell from the output.
I know there's a mention that the Chubb readers will only respond to a certain parity. I'm assuming that had to do with the "lock code" feature. Is it in fact the parity that controls this? New to the forum! Thanks
Besides the XOR obfuscation there is a 2-bit checksum or parity of unknown calculation, which makes guessing card numbers you don't have a matter of trial and error. If these are not correct the reader will ignore the tag.
None of it protects against a direct clone.
So would it be somewhat possible to encode a blank card to work with a "locked" reader?
Maybe the key fob is a T55x7 tag...
So if I wanted to encode a card with just a random ID and have it read by the reader do you figure it would be possible?
I'd be curious to figure the format out.
Here's what I know so far. When a box of the cards ships to the customer, a chart ships with them that has the printed card number on the side of the card compared to what will actually show up in the system. Most end customers don't use that chart; they just swipe at a reader and add the card from whatever number shows up.
I'd be very curious to see if it is just the facility code that prevents a card from being read at a reader if it's not the same... I do have access to readers, and a box of cards.
Most readers will read any valid tag; it is the access system that rejects incorrect facility codes or invalid card numbers. If you have a Proxmark and can share some traces of your cards (lf read ... data samples ... data save tracename.pm3), we could look into what is yet unknown about this format.
There has been working code out for a couple of weeks already; I don't know if it's in PM3 master yet. marshmellow and I did it, so you will find it in our forks.
There is only one issue with it: a 2-bit parity checksum, which is not figured out yet,
meaning you will make at most 4 different versions of your clone to find the one that works.
pm3 --> lf guard
help This help
read Attempt to read and extract tag data
clone <Facility-Code> <Card Number> clone Guardall tag
sim <Facility-Code> <Card Number> simulate Guardall tag
pm3 -->
Last edited by iceman (2016-03-20 15:01:01)
So Jeff1551, is it a Chubb G-Prox card or not? Perhaps a picture?
Iceman - I do have cards and reader available, however I'll have to order a Proxmark unit to capture the info you need. I can send you the data from maybe a dozen of the Chubb cards, maybe we can find a pattern?
Cheers!
The thing about the G-Prox II cards is that they have two variations: the Chubb ones have a certain lock code, whereas the others don't. It basically means that the Chubb cards can only be read at a Chubb reader; the others can be read at any G-Prox II reader. Any regular G-Prox II reader can be converted to a Chubb reader by passing programming cards in front of it. Once the reader is converted, there is no changing it back. My issue is that I have readers, but need to be able to create or program cards with the Chubb lock code so that they can be used in a system (Chubb doesn't sell just cards). Similar issue to Jeff here, but not exactly the same.
Let me know how I can help! Cheers
Cloning a tag is easy. Creating a new ID from just an ID number takes a couple of tries...
What card would you encode the data onto? Any way of just modifying a card to make it work? Again, I'm not sure what the reader looks for when making a decision whether to acknowledge the card or not.
@Cardedit, if you can read cards and sniff traffic between reader and card, and upload it somewhere, then we can have a look at the 2-bit parity problem.
A T55x7 would do. And yes, it could be reused.
Unfortunately, to generate a complete card code it is not enough to choose the 2-bit parity: the byte used at the beginning for the XOR operation also participates in the checksum. So it is necessary to select 10 bits. I have built a unit from a microcontroller and a VEREX reader, and now the 10 bits can be brute-forced. If you need a card calculated, write the number and I'll pick the 10 bits.
see http://www.proxmark.org/forum/viewtopic.php?id=1459
Example 40-bit cards:
CODE 0000000001
0 0x00150060
1 0x3BDEA7BC
2 0xEF3BCEF3
3 0xBCEF7BDF
CODE 0000000002
0 0x00150060
1 0x2258C624
2 0x89224892
3 0x2489025F
CODE 0000000003
0 0x00150060
1 0x335C8734
2 0xCD334CD3
3 0x34CD535F
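The decode walked through by hand in post #3 and in marshmellow's corrected table ("Sentinel made 2 small mistakes"), the conversion of Lenox's lf search bitstream, and the T55x7 block contents Sentinel posts (the 10832 card above and the three 40-bit example cards just here) all follow one bit layout. The module below is an added worked example, not code from this thread or from the Proxmark3 client: it takes the repeating Manchester output exactly as lf search printed it, biphase-decodes it, locates the 111110 preamble, strips the spacer bit after every nibble, bit-reverses each byte, XORs with the key byte and parses the fields, then does the reverse to produce the three T55x7 data words. It assumes the spacer bit is always 0 and the two parity bits around the 36-bit FC/card field are 0, which holds for every card on the page; the 2-bit checksum beside the format length is carried through unexplained, as in the thread. All function and constant names are mine; the sample data are copied from the posts.

```python
"""G-Prox II (Verex/Guardall) raw-bit decode and encode (added example)."""

PREAMBLE = "111110"
T55X7_BLOCK0 = 0x00150060  # Sentinel's block 0: RF/64, biphase, 3 data blocks

# Repeating 96-bit "ASK/Manchester" output of lf search for Lenox's fob
# (FC 30, card 28417), copied from the post above.
LENOX_MANCHESTER = ("1011111010001000" "0101110111101000" "1001011111000101"
                    "0111011110110101" "1110111100000010" "0001011100111001")


def biphase_decode(levels):
    """Biphase decode of a repeating stream: a raw bit is 1 when two successive
    samples are equal (mid-bit transition), 0 otherwise. Each bit the Manchester
    demod printed is the level of the same half of one biphase bit period, so
    its output can be fed in directly; the stream repeats, so wrap around."""
    n = len(levels)
    return "".join("1" if levels[i] == levels[(i + 1) % n] else "0"
                   for i in range(n))


def align(raw):
    """Rotate a repeating 96-bit raw stream so it starts at the 111110 preamble."""
    i = (raw + raw).find(PREAMBLE)
    if i < 0:
        raise ValueError("no 111110 preamble in stream")
    return (raw + raw)[i:i + len(raw)]


def raw_to_bytes(raw):
    """96 raw bits -> the 9 bytes the posts call 'after nibble swap'.
    After the preamble come 18 groups of 5 bits: 4 data bits and a 0 spacer.
    Bytes go on the wire LSB first, so every 8 data bits are reversed."""
    body = align(raw)[len(PREAMBLE):]
    nibbles = []
    for g in range(0, 90, 5):
        if body[g + 4] != "0":
            raise ValueError("spacer bit set in group %d" % (g // 5))
        nibbles.append(body[g:g + 4])
    return [int((nibbles[k] + nibbles[k + 1])[::-1], 2) for k in range(0, 18, 2)]


def decode(swapped):
    """9 bytes (key byte first) -> fields. Byte 0 is the XOR key, so it XORs to 00."""
    key = swapped[0]
    bits = "".join(format(b ^ key, "08b") for b in swapped[1:])  # 64 bits
    out = {"key": key,
           "fmt": int(bits[0:6], 2),     # Wiegand length: 36 or 40 in the thread
           "cs": int(bits[6:8], 2),      # 2-bit checksum, rule unknown
           "fixed": int(bits[8:24], 2)}  # 0x0100 on every card in the thread
    if out["fmt"] == 36:
        out["fc"] = int(bits[25:39], 2)    # bits 24 and 59 are 0 on both cards
        out["card"] = int(bits[39:59], 2)
    elif out["fmt"] == 40:
        out["code"] = int(bits[24:64], 2)  # the 10-digit CODE of the 40-bit cards
    else:
        raise ValueError("unhandled format length %d" % out["fmt"])
    return out


def encode(key, fmt, cs, fc=0, card=0, code=0):
    """Fields -> 96-bit raw stream, preamble first (inverse of the above).
    The two parity bits of the 36-bit layout are written as 0 (assumption)."""
    if fmt == 36:
        tail = "0" + format(fc, "014b") + format(card, "020b") + "0" + "0000"
    elif fmt == 40:
        tail = format(code, "040b")
    else:
        raise ValueError("unhandled format length %d" % fmt)
    bits = format(fmt, "06b") + format(cs, "02b") + format(0x0100, "016b") + tail
    swapped = [key] + [int(bits[i:i + 8], 2) ^ key for i in range(0, 64, 8)]
    raw = PREAMBLE
    for b in swapped:
        wire = format(b, "08b")[::-1]           # LSB first on the wire
        raw += wire[:4] + "0" + wire[4:] + "0"  # 0 spacer after each nibble
    return raw


def t55x7_blocks(raw, rotate=5):
    """Split the stream into the three 32-bit data words for a T55x7 (block 0 is
    T55X7_BLOCK0). The tag loops the 96 bits, so any rotation works; rotate=5
    reproduces Sentinel's blocks, which end with the preamble."""
    s = raw[rotate:] + raw[:rotate]
    return [int(s[i:i + 32], 2) for i in range(0, 96, 32)]


def candidates(fmt, fc=0, card=0, code=0):
    """All 1024 (key, cs) variants for a number you only have on paper; Sentinel
    reports the reader accepts exactly one of them."""
    return [encode(key, fmt, cs, fc, card, code)
            for key in range(256) for cs in range(4)]


if __name__ == "__main__":
    fields = decode(raw_to_bytes(biphase_decode(LENOX_MANCHESTER)))
    print("Lenox's fob:", fields)
    sentinel = encode(0x66, 36, 1, fc=30, card=10832)
    print("T55x7 blocks 1-3:", ["%08X" % w for w in t55x7_blocks(sentinel)])
```

Run as-is it prints FC 30 / card 28417 for Lenox's fob and the words 319CF718, C6318AA6, 1864319F for Sentinel's card. The design point is that every card on the page is the same 64-bit payload under a different XOR key, so a capture decodes deterministically, whereas going from a printed number to a working tag means enumerating the 10 unknown bits (key byte plus checksum), which is what candidates() produces and what Sentinel's microcontroller rig replays against a reader.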
@jeff1551
It is not clear what kind of video you want to see.
@sentinel, are you saying the XOR key is calculated and not just random? What would it be calculated from, the TID?
@marshmellow: the "XOR key" and the 2 bits are a unique combination for each card. The microcontroller emulates cards at 0.3 s each, so in ~5 minutes you can go through all 1024 combinations.
@jeff1551: if you have a Guardall card, it is very easy to copy using a Proxmark. If you only have the card number, it is also possible, but more difficult, because it will be necessary to try 1024 options. In any case, you will need a Proxmark.
As I wrote, it's no trouble for me to start the calculation of the 1024 options for your card number and Wiegand length.
Sentinel wrote: @marshmellow: the "XOR key" and the 2 bits are a unique combination for each card. The microcontroller emulates cards at 0.3 s each, so in ~5 minutes you can go through all 1024 combinations.
Meaning there is only one valid XOR key and one valid 2 bits for each Wiegand data?
I'm also curious about how the XOR key relates to the 2-bit parity. Is it CRC-10 or a custom one?
@marshmellow
@iceman
The G-Prox II reader understands only 1 of the 1024 options.
Unfortunately, I can't understand how the G-Prox generates these 10 bits.
I have a fairly large table of correct 10-bit CRC(?) values, but after a few days of work I abandoned this puzzle.