[solved] Reading LF nedap tag

Kitesg · 2015-03-18 10:18:38

Hello,

I am trying to read data from a low frequency nedap tag but I haven't been very successful so far and I hope you could help me.

As far as I know there isn't a predefined command such as "lf nedap fskdemod", as you have for other tags such as hid tags "lf hid fskdemod". So with that in mind the only approach I can see is to treat it almost like an "unknown" tag... I followed the approach described in the wiki for "unknown" tags by exciting the tag, getting data samples, plotting, etc. The data I get from mandemod is Manchester decoded but doesn't appear to be be correct...

So I am not sure if my methodology is incorrect or lf nedap tags are some how "special" and cannot be read as easily as a hid tag...

Many thanks.

iceman · 2015-03-18 10:36:03

Download the latest source from Github, and run the new "LF SEARCH U" command..
That will give you a good hint what kind of modulation is used on your tag.

Do you have some documentation over this Nedap tag?

marshmellow · 2015-03-18 12:41:29

Another approach is to save a trace and post it for the community to have a look too.

Kitesg · 2015-03-18 18:19:20

Thank you.

Iceman, Unfortunately no documentation. I will go and upgrade my pm3 firmware, is the latest repository on GitHub or Google code?

Marshmallow, if this doesn't work I will get the trace, anyway I will share the outcome/conclusion.

iceman · 2015-03-18 18:21:45

As I wrote earlier, GitHub.

marshmellow · 2015-03-24 12:36:22

No luck?

rbubba1911 · 2015-07-31 13:25:11

Hi,
I'm also trying to read a nedap tag
info printed on tag :
---------------------------
VDFD
07 01630
---------------------------

lf search return :

Using Clock:64, Invert:0, Bits Found:472
ASK/Manchester - Clock: 64 - Decoded bitstream:
0111100100100110
1110000001010000
1000100101111100
0110000100001000
0000001101111111
1111110100001110
0000000001111100
1101010001010101
0111100100100110
1110000001010000
1000100101111100
0110000100001000
0000001101111111
1111110100001110
0000000001111100
1101010001010101
0111100100100110
1110000001010000
1000100101111100
0110000100001000
0000001101111111
1111110100001110
0000000001111100
1101010001010101
0111100100100110
1110000001010000
1000100101111100
0110000100001000
0000001101111111
11111101

Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'
proxmark3> data print x
DemodBuffer: 7926E050897C6108037FFD0E007CD4557926E050897C6108037FFD0E007CD4557926E050897C6108037FFD0E007CD4557926E050897C6108037FFD

I have similar result with lf read /data raw am

I cannot see a sequence terminator, so I decode this as 16x8bit (no parity)

11111111 : FF
11111010 : FA
00011100 : 1C
00000000 : 00
11111001 : F9
10101000 : A8
10101010 : AA
11110010 : F2
01001101 : 4D
11000000 : C0
10100001 : A1
00010010 : 12
11111000 : F8
11000010 : C2
00010000 : 10
00000110 : 06

hope it helps

Last edited by rbubba1911 (2015-08-27 10:23:21)

jump · 2015-08-01 20:18:30

Could you post the ASK/Biphase result please? As far as I can tell, Nedap doesn't use Manchester.

rbubba1911 · 2015-08-01 21:12:18

Hi,

I attach the trace file
http://s000.tinyupload.com/?file_id=17889978702907254704

Biphase Decoded using offset: 0 - clock: 64 - # errors:0 - data:
1111111110001110
1101111111110111
1010100000110000
0000011101001001
0100110111110000
1110011001000111
1011010111001110
0111111110100111
1111111110001110
1101111111110111
1010100000110000
0000011101001001
0100110111110000
1110011001000111
1011010111001110
0111111110100111
1111111110001110
1101111111110111
1010100000110000
0000011101001001
0100110111110000
1110011001000111
1011010111001110
0111111110100111
1111111110001110
1101111111110111
1010100000110000
0000011101001001
0100110111110000
1110011001000111
1011010111001110
0111111110100111

DemodBuffer: FF8EDFF7A83007494DF0E647B5CE7FA7FF8EDFF7A83007494DF0E647B5CE7FA7FF8EDFF7A83007494DF0E647B5CE7FA7FF8EDFF7A83007494DF0E647B5CE7FA7

pattern could be : 11111111100011101101111111110111101010000011000000000111010010010100110111110000111001100100011110110101110011100111111110100111

FF8EDFF7A83007494DF0E647B5CE7FA7

I can't see valuable information !!

Last edited by rbubba1911 (2015-08-01 21:52:59)

jump · 2015-08-01 21:41:39

It's not using the decoding method I know. But at least the start marker is correct (128 bit pattern starting with nine '1' followed by one '0')

rbubba1911 · 2015-08-01 22:18:23

well, if the start marker is 10 bit long, we have 118 bit left,
which is not a binary friendly value.

how can we decode 118 bit ?

jump · 2015-08-02 00:41:27

The only encoding I know from that manufacturer uses a weird checksum function and a lookup table to encode the values, digit per digit.
This scheme unfortunately doesn't work on your bitstream (checksum errors and the decoding function fails).

rbubba1911 · 2015-08-03 17:19:09

ok, thank for the info

I'll search for Nedap algo/document on the web.

If I found something relevant, I'll update this post

Cheers !

mnelson · 2015-08-22 00:35:06

Can you upload a picture of the credential? Does it look like a card, a hockey puck or a sticker? NEDAP has a bunch of products that work in a variety of frequencies. For example, the TransIT family of credentials are 120 kHz, whereas the uPass series run in the UHF spectrum: 865 - 870 MHz in Europe and 902 - 928 MHz in the US (or maybe vise versa, I can't remember). They also have some that do both LF and UHF at the same time. If I know what you're using, I might be able to provide additional examples.

marshmellow · 2015-08-26 16:48:29

i think his biphase demod data should be inverted. (differential biphase)

1111111110001011
0110101100100000
1111000110011011
1000010010100011
0001100000000101
1000000000000111
0001001000000000
1000010101111100

btw, this is definitely a tag in the 120-130khz range or the lf search wouldn't have seen it.

Last edited by marshmellow (2015-08-26 16:52:01)

jump · 2015-08-26 19:00:56

Way better indeed.

With your input, I have valid checksums and I decode the card ID: 001630

marshmellow · 2015-08-26 19:02:51

are those algo's publicly known? or privately shareable?

rbubba1911 · 2015-08-27 09:50:54

Good news !

It seem you got it, it's the value printed on the card.

I'll update the post with a picture of this tag

marshmellow : how do you found the demod data should be inverted ?

jump: please, could you share the algo you have used ? (I'll keep it private)

Thanks

Last edited by rbubba1911 (2015-08-27 10:33:12)

jump · 2015-08-27 10:37:53

Unfortunately I cannot share it

rbubba1911 · 2015-08-27 11:21:02

As we have to found the algo by ourself, I search for some documentations

I've found a very interesting FTP with a lot of resources especially some Nedap pdf

look at : ftp://ftp.luis.ru/Documentation/ОПС/Nedap

in particular this pdf : P61_InstallGuide_E.pdf

it describe some protocols very close to jump#12 description

I'll continue to investigate this way, marshmellow if it's help you to find the algo, please keep me in touch

btw, the rest of this ftp contain many other vendor pdf

Last edited by rbubba1911 (2015-08-27 12:53:09)

marshmellow · 2015-08-27 15:22:13

rbubba1911 wrote:

marshmellow : how do you found the demod data should be inverted ?

it looked right. after looking at thousands of binary streams and hundreds of formats, sometimes it just looks right...

i also know many claimed "higher security" tags use differential biphase (inverted biphase) or di-phase encoding, when i tried it it looked right. the resulting bitstream also contained only one of the suggested preamble in the stream, and it had more zeros than ones (not always a good indicator but often).

rbubba1911 · 2015-08-27 15:32:03

I see, it's the experience's reward !

I keep the hint in a corner of my mind

iceman · 2015-08-27 17:39:43

if you can sendspace the pdf, that would be nice. I'm not too excited to visit dodgy russian ftp sites..

rbubba1911 · 2015-08-27 17:56:13

hi,

I made a file upload here:

http://www.filedropper.com/nedap-pdftar

but after reading the pdf , i don't find useful informations,

the model here is a Nedap PM / Prox,

btw: I've got my segger clone, and play a bit with motherboard/hdd/pm3
thanks for the advice

Last edited by rbubba1911 (2015-08-27 18:03:35)

suixo · 2016-04-29 10:52:10

Hello folks,

I am studying some Nedap XS tags. They do work at 120/125KHz, and I was able to get the preamble using the information posted here:

data rawdemod ab 0 64 1 0

Then I looked at the preamble and selected the (repeating) 128 bits pattern:

1111111110001011
0111001001100010
0010010010111010
1000010111010101
0001101000100001
0100000001000111
0001001000000001
1111000101011001

Qpiny's post (http://www.proxmark.org/forum/viewtopic.php?id=1836) suggests a format and allow to extract the tag ID from the dump (in my case 028534).

However, I have no idea about the checksum validation / the lookup tables jump was talking about.

Hope this helps (at least we can read the tag ID), I may try to write my first commit for the PM3 on these Nedap XS tags (just to read the tag ID for now).

jump · 2016-04-29 13:16:10

Funny. I just had a look and basically, the first 64 bits contain the badge ID protected using "Nedap proprietary encryption".
The second half contains an unprotected version of the badge ID

The checksum algorithm and the lookup tables are only necessary to read the first half of your dump (that you can validate by checking the 10 bit header). The other fields that Qpiny labelled R and I on the second half of the dump should also be checksums but obviously not computed with the same algorithm as on the first part (data width is not the same).

iceman · 2016-04-29 13:26:52

@jump, do you have the checksum algo or the proprietary enc description? I think I read that you do.

jump · 2016-04-29 13:43:59

Indeed, I do.
But I unfortunately cannot share it. First because I was not the only one to work on that (so it's not 100% my code) and second because this code was recovered by reverse engineering the firmware of a badge reader.

Disclosing the checksum algorithm is less problematic though, as the same algorithm was used in a game on the NES platform and the documentation (which includes a C++ implementation) was released under GPL. Just search for information about "Dragon Warrior" and you should find it easily.

iceman · 2016-04-29 13:58:08

Thanks @jump, I found a imp from 2007 in c++.

I also found a firmware hex of a reader.

iceman · 2016-04-29 14:51:39

Another question then, you mention two different checksum algos if I understand you correct. Which one is the DragonWarrior one?

jump · 2016-04-29 21:49:42

I was only talking about the checksum used in the first half of the dump.
That's the first time I saw an encoding on Nedap where the ID is not obfuscated so I don't know anything about the last 64 bits

iceman · 2016-05-02 12:49:05

For the fun of it, I've started with a NEDAP read/demod/clone/sim command. It doesn't do a complete demod or sim yet. Since the propritary encryption and checksums is not available yet. However with preamble and such we should at least get a detection of a nedap tag.

suixo · 2016-06-14 12:46:02

Hello guys,

I am trying to clone the Nedap XS tag to a blank T5577 tag.
I know:
* the modulation/encoding: ASK/Biphase, inverted
* the data for my tag (retrieved using data rawdemod ab 0 64 1 0) + the size of the data

Unfortunately, I have trouble using the T5577:
1. Can you confirm the T5577 is able to clone the Nedap XS tag?
2. What do I need to do?

So far I tried the `lf t55xx config d BI i 1 o 0` and to write data using `lf t55xx write b 1 d FF93932B` for instance, but using `lf search`on the programmed tag doesn't return anything like a Nedap XS.

Any idea / hint on what I am doing the wrong way?

iceman · 2016-06-14 13:40:34

you don't need to configure the t55 to something special before.
First you need to detect what kind of configuration your t55xx card has now
then write data blocks,
then write a correct block 0 for Nedap

But read my earlier posts, you need the checksum and stuff to make it work. Which hasn't been released.

suixo · 2016-06-14 13:59:02

Thank you for your quick reply.

Here is the current configuration of my T5577 tag:

pm3 --> lf t55xx config
Chip Type  : T55x7          
Modulation : BIPHASE          
Bit Rate   : 5 - RF/64          
Inverted   : Yes          
Offset     : 0          
Seq. Term. : No          
Block0     : 0x00000000

(BTW, I am surprised to see a blank block0 here, I expected to see a computed block from the values provided, but in the source code the value is explicitely set to 0... Not sure I understand why)

I don't need to understand the checksum stuff, since I already own the tag I want to clone: all I have to do (?) is to dump the content of the 128 bits of the tag (done, and I can successfully extract the ID from the "unencrypted" part), and make the T5577 play these bits with the appropriate modulation.

I guess the "write" part will not be that difficult (`lf t55xx write b 1 d AAAAAAAA`and so on). Building a correct block 0 may be more complicated (what is the goal of the `lf t55xx config` command then?) but not impossible.

Can you explain why / how to proceed with your first step "detect what kind of configuration the t55xx card has now"? I assumed the card could be rewritten at any time, whatever its current configuration is. And how do I "reset" it then?

Thanks for your help.

PS: I am currently reading the datasheet to better understand what part of the block 0 is used for what

suixo · 2016-06-14 15:29:10

Ok I think I understood something: the autodetect and config commands are only for telling the PM how to communicate with the tag, right? I misunderstood the goal of the config command.

I have read the datasheet and in my case (Nedap XS) I want the following 0:
* Master key = 9 (to use the extended mode and its inverted flag)
* Reserved data = 0b0000
* Data bit rate = 0x05 (RF/64)
* X-Mode = 1
* Modulation: biphase = 0b10000
* PSK-CF = 0 because we don't use PSK
* AOR = 0 because we don't need it (we have no password)
* OTP = 0 (hell yeah I don't want to screw my only T5577 tag)
* MAXBLK = 4 because I have 4 blocks of data (128 bits of Nedap payload = 4*32 chunks)
* PWD = 0 (no password)
* SST = 0 (don't think we need it)
* Fast Write = 0 (same here)
* Inverse bit = 1 because Nedap XS uses this highly secure encryption method
* POR-Delay = 0 (don't think we need this?)

Concatenating all this gives me a block0 [bold]0x90170082[/bold].

I then write the data blocks with lf t55xx write b 1, 2, 3, 4.
I then write the block 0 with lf t55xx write b 0 d 90170082.

I run lf se u to detect the tag (the u flag is not necessary here since iceman implemented Nedap detection), but all I get is "No Data Found!"

pm3 --> lf se u
Reading 30000 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          

No Known Tags Found!
          

Checking for Unknown tags:
          
Possible Auto Correlation of 1536 repeating samples          
Possible 192 bytes          
Possible  2 blocks, width 96          
Possible  4 blocks, width 48          
Possible  8 blocks, width 24          
Possible 16 blocks, width 12          

No Data Found!

Then, all I can do is wipe the tag and start again.
I cannot interact with the tag by specifying/autodetecting the configuration:

pm3 --> lf t55xx config d BIa b 64
Set modulation to 18
Set bitrate to 5
Chip Type  : T55x7          
Modulation : BIPHASEa - (CDP)          
Bit Rate   : 5 - RF/64          
Inverted   : Yes          
Offset     : 33          
Seq. Term. : Yes          
Block0     : 0x00000000          
          
pm3 --> lf t55xx info
pm3 --> # Nothing detected here :'(
pm3 --> lf t55xx detect
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 0 - RF/8          
Inverted   : Yes          
Offset     : 56          
Seq. Term. : No          
Block0     : 0x10020100          
          
pm3 --> lf t55xx info
# Junk data here, block0 is detected as 10020100, DIRECT ASK/NRZ

What am I doing wrong now? Maybe something with the inversion?

EDIT: I finally managed to clone the Nedap XS tag to the T5577, by writing inverted blocks to the memory and using 00150080 as the configuration block (no eXtended Mode, no inversion, Biphase, RF/64) !! \o/

Last edited by suixo (2016-06-14 16:31:31)

marshmellow · 2016-06-14 18:21:05

instead of bi-phase - DI-phase or CDP (Bi-phaseA) would have been the correct encoding which is by default inverted bi-phase (no inverting config or data needed). unfortunately this encoding is not publicly documented well on the T5577 as it is often just shown as "RESERVED".

iceman · 2016-06-14 18:46:58

Good learning there.
Yes, the config command is about figuring out how to read a unknown configured t55xx tag. Since we only check for some settings, the block0 printout is zero. However if you want a complete break down of your tags block 0, use the "lf t55xx info" command.

In your output there is a faulty config block on your tag. Re-write it to make a proper one.

HighPressure · 2016-10-17 13:57:54

thanks for the interesting writeup

I also am stuck with my Nedap card.
I tried the main build and the iceman build. both same result with lf search
even in the iceman build with "lf nedap read" out of the box I´ll receive a 1st 64bit parity check failed: 1|0

card says on back NeXS H6FQ O1 ###### (< = Serial Number) and nedap on the right bottom.
Its an entry card with a 7 digit company serial on the front.

an lf search u gives me an simmilar output to yours

@iceman - should it now work with the lf nedap commands and latest fw/build?

in the mean time i´m going for a Dragon hunt :-P

iceman · 2016-10-17 16:04:56

Problem with Nedap is that the checksums / parity checks in not disclosed, we can decode a tag but we can't validate a tag.

So the answer is no. Nedap commands doesnt work.
Do please contribute with all your findings so we can finish it up.

iceman · 2016-12-18 21:17:00

@highressure @suxio
If you share a trace from your card, we have more to go on. Use sendspace.com or a similar service.

lf read
data samp
data save nedap.pm3

iceman · 2016-12-18 21:19:23

@jump
This is the checksum I found, searching for dragon warrior. Is this what you meant?
http://pastebin.com/9dYq8f1G

jump · 2016-12-19 22:14:23

Yes, that's the right algorithm

iceman · 2016-12-19 23:15:59

ok, one step forward.
What does yr imp get when feeding it 0xFFEE?

Kepouick · 2017-04-19 14:04:50

hi Iceman,

I see that getting post is old enough, but have you managed to use the piece of code of the magic dragon ??
Do you think we have to actually work with the first 64 bits?
(I under-talk about the R and I of the second 64 bits of Qpiny)

PS : For me I just have the first "I" that is different (only two bit inverted)

Last edited by Kepouick (2017-04-19 14:10:44)

iceman · 2019-08-05 17:32:26

[usb] pm3 --> lf sea
[=] NOTE: some demods output possible binary          
[=] if it finds something that looks like a tag          
[=] False Positives ARE possible          
[=]           
[=] Checking for known tags...
          
[+] NEDAP Tag Found: Card ID 09999  subtype: 7  customer code: 007           
[+] Checksum is OK  (0xA774)          
[+] Raw: FF 8E 00 F1 50 F0 F0 91 4C A6 40 07 12 00 00 01           
[+] Second Card Id 09999           
          
[+] Valid NEDAP ID found!
          
          
[+] Chipset detection : T55xx found
          
[+] Try `lf t55xx` commands          
[usb] pm3 -->

Proxmark3 community

Announcement

#1 2015-03-18 10:18:38

[solved] Reading LF nedap tag

#2 2015-03-18 10:36:03

Re: [solved] Reading LF nedap tag

#3 2015-03-18 12:41:29

Re: [solved] Reading LF nedap tag

#4 2015-03-18 18:19:20

Re: [solved] Reading LF nedap tag

#5 2015-03-18 18:21:45

Re: [solved] Reading LF nedap tag

#6 2015-03-24 12:36:22

Re: [solved] Reading LF nedap tag

#7 2015-07-31 13:25:11

Re: [solved] Reading LF nedap tag

#8 2015-08-01 20:18:30

Re: [solved] Reading LF nedap tag

#9 2015-08-01 21:12:18

Re: [solved] Reading LF nedap tag

#10 2015-08-01 21:41:39

Re: [solved] Reading LF nedap tag

#11 2015-08-01 22:18:23

Re: [solved] Reading LF nedap tag

#12 2015-08-02 00:41:27

Re: [solved] Reading LF nedap tag

#13 2015-08-03 17:19:09

Re: [solved] Reading LF nedap tag

#14 2015-08-22 00:35:06

Re: [solved] Reading LF nedap tag

#15 2015-08-26 16:48:29

Re: [solved] Reading LF nedap tag

#16 2015-08-26 19:00:56

Re: [solved] Reading LF nedap tag

#17 2015-08-26 19:02:51

Re: [solved] Reading LF nedap tag

#18 2015-08-27 09:50:54

Re: [solved] Reading LF nedap tag

#19 2015-08-27 10:37:53

Re: [solved] Reading LF nedap tag

#20 2015-08-27 11:21:02

Re: [solved] Reading LF nedap tag

#21 2015-08-27 15:22:13

Re: [solved] Reading LF nedap tag

#22 2015-08-27 15:32:03

Re: [solved] Reading LF nedap tag

#23 2015-08-27 17:39:43

Re: [solved] Reading LF nedap tag

#24 2015-08-27 17:56:13

Re: [solved] Reading LF nedap tag

#25 2016-04-29 10:52:10

Re: [solved] Reading LF nedap tag

#26 2016-04-29 13:16:10

Re: [solved] Reading LF nedap tag

#27 2016-04-29 13:26:52

Re: [solved] Reading LF nedap tag

#28 2016-04-29 13:43:59

Re: [solved] Reading LF nedap tag

#29 2016-04-29 13:58:08

Re: [solved] Reading LF nedap tag

#30 2016-04-29 14:51:39

Re: [solved] Reading LF nedap tag

#31 2016-04-29 21:49:42

Re: [solved] Reading LF nedap tag

#32 2016-05-02 12:49:05

Re: [solved] Reading LF nedap tag

#33 2016-06-14 12:46:02

Re: [solved] Reading LF nedap tag

#34 2016-06-14 13:40:34

Re: [solved] Reading LF nedap tag

#35 2016-06-14 13:59:02

Re: [solved] Reading LF nedap tag

#36 2016-06-14 15:29:10

Re: [solved] Reading LF nedap tag

#37 2016-06-14 18:21:05

Re: [solved] Reading LF nedap tag

#38 2016-06-14 18:46:58

Re: [solved] Reading LF nedap tag

#39 2016-10-17 13:57:54

Re: [solved] Reading LF nedap tag