Hacking on Farpointe/Pyramid 26 bit, need encoding help

marshmellow · 2015-03-12 03:30:01

Different formats of farpointe? Might not need a new thread.
Different tags altogether definitely should start a new thread.

marshmellow · 2015-03-12 03:37:15

@iceman, did you use a tool to test different checksums/polys?

hkplus · 2015-03-12 06:38:47

Problem now. I used an online tool to verify the CRC's also, but the expansion of the calculation is vague. I also currently don't have any source code to perform the calculation in vb.net. Does anyone know how to expand this crc caclulation by hand so that I can write some code to calculate the final result?

iceman · 2015-03-12 10:59:50

I had a generic crc.h / crc.c in my common folder. Maybe I put it there long time ago.

static crc_t    maxim_crc;
/* calculate crc for a FARPOINT tag */
static int MaximCRC(uint8_t *buff, size_t size  ) {
	crc_init(&maxim_crc, 8, 0x31, 0x00, 0x00);
	crc_clear(&maxim_crc);

	for ( int i=0; i < size; ++i){
		crc_update(&maxim_crc, buff[i], 8);
	}
	return crc_finish(&maxim_crc);
}


// called with:
	uint8_t buff[] = { 0x01, 0x01, 0x01, 0x01,
					   0x01, 0x01, 0x01, 0x01,
					   0x01, 0x40, 0x01, 0x01, 0x04 };
int crc8 = MaximCRC(buff, 13);
PrintAndLog("CRC-8: %x",crc8);

This works.

iceman · 2015-03-12 11:01:53

@marshmellow, yes, I do use a tool for checking many different kinds of CRC algos.

hkplus · 2015-03-12 13:26:14

Iceman, do you have the four other subroutines required to get this c code working? Mainly CRC_INIT(), CRC_CLEAR() & CRC_UPDATE(), CRC_FINISH?

If not I can write some code based on an expansion I have...

Last edited by hkplus (2015-03-12 13:32:31)

marshmellow · 2015-03-12 13:37:11

I found this link that has VBA code for this checksum. Just note it expects the input to be big endian. But the code works.
http://www.maximintegrated.com/en/app-n … vp/id/4600

iceman · 2015-03-12 13:41:59

@hkplus: in my fork under common, there is the crc.c / crc.h which has what you want. https://github.com/iceman1001/proxmark3 … mmon/crc.c

hkplus · 2015-03-12 14:11:14

Cool let me see if I can convert this code to my fav VB.NET...thanks!

iceman · 2015-03-12 14:21:15

If we commit the crc.c , then Marshmellow can add the checksum to his lf demods...

marshmellow · 2015-03-12 14:22:48

I'll look at adding it.

iceman · 2015-03-12 14:29:35

just take the crc.c / crc.h under common, and the method above and bob's your uncle

hkplus · 2015-03-13 05:24:38

z

Last edited by hkplus (2016-05-01 04:46:30)

iceman · 2015-03-13 10:13:44

I think @marshmellow will soon push some code to the PM3 master.

marshmellow · 2015-03-24 12:40:55

Committed (a while ago actually)

hkplus · 2015-03-29 02:17:03

MaxSecure is easy...it's a 14 bit number put into D11 and D10 that throws off the checksum calculation.

Last edited by hkplus (2015-03-29 02:17:46)

marshmellow · 2015-03-29 02:38:28

Sample?

iceman · 2015-03-29 15:49:46

a sample would be much appreaciated.

marshmellow · 2015-03-29 23:06:21

A trace or an hex example would suffice.

hkplus · 2015-04-07 16:58:50

Sorry I have been away.

Here you go:

FC 10, ID 2500, MaxSecure 1500, 26 Bit Wiegand:

BLOCK 0: 80107080
BLOCK 1: 00010116
BLOCK 2: B9010101
BLOCK 3: 01010140
BLOCK 4: A14F102F

iceman · 2015-04-07 17:21:10

Using your block 0-4 I got this out.

Possible Auto Correlation of 6402 repeating samples

Using Clock:50, invert:0, fchigh:10, fclow:8
FSK2 decoded bitstream:
0010100011011111
1101111111011111
1101111111011111
1101111111010111
1110101111010110
0001110111111010
0000000000000000
0000000000000000
0010100011011111
1101111111011111
1101111111011111
1101111111010111
1110101111010110
0001110111111010
0000000000000000
0000000000000000
0010100011011111
1101111111011111
1101111111011111
1101111111010111
1110101111010110
0001110111111010
0000000000000000
0000000000000000
0010100011011111
1101111111011111
1101111111011111
1101111111010111
1110101111010110
0001110111111010
0000000000000000
0000000000000000

iceman · 2015-04-07 17:44:29

I edited this whole post. The CRC-8/Maxim works for both samples.
I don't know what made me think it was different?

However, please tell me what it is we were looking for again? MaxSecure has the two different bytes, and we need to descramble it or?!?

Last edited by iceman (2015-04-07 20:47:04)

hkplus · 2015-04-07 20:33:34

Checksum works the same way as standard 26 bit.

Example 2

FC 20, ID 2100, MaxSecure 1200:

BLOCK 0: 80107080
BLOCK 1: 00010113
BLOCK 2: 61010101
BLOCK 3: 01010143
BLOCK 4: 4040D3E9

hkplus · 2015-04-07 22:33:07

iceman wrote:

I edited this whole post. The CRC-8/Maxim works for both samples.
I don't know what made me think it was different?
However, please tell me what it is we were looking for again? MaxSecure has the two different bytes, and we need to descramble it or?!?

Nothing to solve. MaxSecure is just another number shoved into D11 and D10 that throws off the result of the checksum calculation. This is how the reader rejects cards that do not have the correct MaxSecure number encoded on them.

iceman · 2015-04-07 23:10:26

The two examples you gave, gets a correct checksum. In which way do you think the extra number throws off the result?

marshmellow · 2015-04-07 23:42:53

is the maxsecure number set per customer/location or does it change with every card? (calculated?)

nevermind - it is specified like another Facility Code.

Last edited by marshmellow (2015-04-07 23:44:14)

hkplus · 2015-04-08 01:21:50

By throw off the result I mean that the reader substitutes it's programmed MaxSecure number into D11 and D10 before comparing the cards checksum to its calculated one. Yes MaxSecure works like a second facility code on the reader level without effecting the actual card data output of the reader.

iceman · 2015-04-08 08:53:57

thanks for explaining it.

marshmellow · 2015-04-09 03:15:05

Yes, I too appreciate your work on these tags hkplus.

hkplus · 2015-04-09 04:25:32

I appreciate all of you guys help also. I'm currently messing with trying to get Indala 26 bit and HID ABA working on 5577...

hkplus · 2015-04-09 17:40:43

Don't want to continue this thread on a different topic, but is there any detailed information on how to implement HID ABA formats on 5577? There is a listing of it in some posts, but no details on how to get the reader to recognize it as ABA data...

joe · 2015-04-27 18:46:32

bin 200 new try, after inverted writing to new tag, but it don't work ?? FSK

proxmark3> data rawdemod fs
Args invert: 0 - Clock:50 - fchigh:10 - fclow: 8
FSK decoded bitstream:
1110111111101111
1110111111101111
1110111111101010
1000001111100000
0001110001111001
0100111111111111
1110111111101111
1110111111101111
1110111111101111
1110111111101111
1110111111101010
1000001111100000
0001110001111001
0100111111111111
1110111111101111
1110111111101111
proxmark3>
proxmark3> data rawdemod fs 50 1
Args invert: 1 - Clock:50 - fchigh:10 - fclow: 8
FSK decoded bitstream:
0000000000000010
0000001000000010
0000001000000010
0000001000000010
0000001000000010
0000001010101111
1000001111111100
0111000011010110
0000000000000010
0000001000000010
0000001000000010
0000001000000010
0000001000000010
0000001010101111
1000001111111100
0111000011010110
proxmark3>

joe · 2015-04-27 18:58:52

is invert necessary ?? please help , thks

marshmellow · 2015-04-27 19:46:49

if the tag you are working with is FSK2a modulated then Invert is necessary to read it. if it is FSK2 then no invert is needed.
if it is a "known" tag and your PM3 is up to date you should be using "lf search" to read it.

joe · 2015-04-27 20:15:50

Checking for known tags:

Pyramid ID Found - BitLength: 26, FC: 188, Card: 8142 - Wiegand: 1783f9c, Raw: 000101010101010101010157c1fe386b
Checksum 6b passed

Valid Pyramid ID Found!
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

Pyramid ID Found - BitLength: 26, FC: 188, Card: 8142 - Wiegand: 1783f9c, Raw: 000101010101010101010157c1fe386b
Checksum 6b passed

Valid Pyramid ID Found!
Args invert: 0 - Clock:16 - fchigh:10 - fclow: 8
FSK decoded bitstream:
1111111111111101
1000011111011111
1111111111100001
1111111111111111
1111100011111111
1111111111111100
0111111111111111
1111111000011111
1111111111111111
1000011111111111
1111111111100011
1111111111111111
1111000111111111
1111111111111000
0111111111111111
1111111000011100
Data in Graphbuffer was too small.

yes, could it clock 16 or 50 ?

joe · 2015-04-27 20:22:34

maybe some bugs with bin 200

marshmellow · 2015-04-27 20:25:06

bin 200?
looks like it identified your tag fine and output the RAW ID for you. - not sure what more you need.

Last edited by marshmellow (2015-04-27 20:28:45)

marshmellow · 2015-04-27 20:27:37

BTW, your output is jumbled, you must be sending multiple commands and pasting SOME of the output from each

iceman · 2015-04-27 20:31:07

Yeah, Im also curious? Whats the "bin 200"

marshmellow · 2015-04-27 20:40:21

version 2.0.0?

EDIT: i get it i think. Aspers compiled binaries are named as pm3-bin-2.0.0

Last edited by marshmellow (2015-04-27 20:41:58)

joe · 2015-04-27 20:50:11

but is not working well as 007 ..

iceman · 2015-04-27 21:01:20

Well, the latest PM3 release, https://github.com/Proxmark/proxmark3/r … tag/v2.0.0
is also call 2.0.0,

Can you compile the latest source yourself, Joe? There has been some changes since the latest offical release.
And yes, I wonder the same as @Marshmellow, what more is it that you are looking for??

Last edited by iceman (2015-04-27 21:02:16)

joe · 2015-04-27 21:12:36

I download from window client . Am I right ?

iceman · 2015-04-27 21:26:31

If you don't know how to compile the sourcecode, then keep using Aspers pre-compiled binary distros.

joe · 2015-04-28 03:20:48

Will try again, Just wonder the config block 00107xxx or 80107xxx ?

marshmellow · 2015-04-28 03:34:35

Doesn't matter. Look at chip datasheet for why.

lime1 · 2015-06-11 09:21:26

Hi,

Looking at this thread I can see marshmellow, hkplus & iceman did some great work!

I did a lf search and it found a 26 bit pyramid card and it displayed the facility code, card number, wiegand and raw output etc.

I am wondering if there is any command to clone the card?

Thanks

iceman · 2015-06-11 09:38:13

I might suggest, that you read the documentation for T55x7 tags, and understand how those tags works.
It will help you to clone all sorts of LF tags. But to answer you question, no there is no specific clone command for Pyramid tags at the momement. If you feel the need for it, you are much welcome to add it to the source code.

lime1 · 2015-06-11 13:50:07

iceman wrote:

I might suggest, that you read the documentation for T55x7 tags, and understand how those tags works.
It will help you to clone all sorts of LF tags. But to answer you question, no there is no specific clone command for Pyramid tags at the momement. If you feel the need for it, you are much welcome to add it to the source code.

Thanks for the suggestion iceman. I am trying to learn as much as I can about the proxmark and the relevant tags. There is a lot of knowledge in these forums and a few other RFID websites. Do you have any suggested reading materials for a relative newbie as a good place to start? Thanks

iceman · 2015-06-11 13:51:41

The document section on this site is a'ok.

ref: http://proxmark.org/files/Documents/

Proxmark3 community

Announcement

#101 2015-03-12 03:30:01

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#102 2015-03-12 03:37:15

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#103 2015-03-12 06:38:47

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#104 2015-03-12 10:59:50

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#105 2015-03-12 11:01:53

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#106 2015-03-12 13:26:14

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#107 2015-03-12 13:37:11

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#108 2015-03-12 13:41:59

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#109 2015-03-12 14:11:14

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#110 2015-03-12 14:21:15

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#111 2015-03-12 14:22:48

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#112 2015-03-12 14:29:35

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#113 2015-03-13 05:24:38

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#114 2015-03-13 10:13:44

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#115 2015-03-24 12:40:55

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#116 2015-03-29 02:17:03

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#117 2015-03-29 02:38:28

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#118 2015-03-29 15:49:46

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#119 2015-03-29 23:06:21

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#120 2015-04-07 16:58:50

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#121 2015-04-07 17:21:10

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#122 2015-04-07 17:44:29

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#123 2015-04-07 20:33:34

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#124 2015-04-07 22:33:07

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#125 2015-04-07 23:10:26

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#126 2015-04-07 23:42:53

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#127 2015-04-08 01:21:50

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#128 2015-04-08 08:53:57

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#129 2015-04-09 03:15:05

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#130 2015-04-09 04:25:32

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#131 2015-04-09 17:40:43

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#132 2015-04-27 18:46:32

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#133 2015-04-27 18:58:52

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#134 2015-04-27 19:46:49

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#135 2015-04-27 20:15:50

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#136 2015-04-27 20:22:34

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#137 2015-04-27 20:25:06

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#138 2015-04-27 20:27:37

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

#139 2015-04-27 20:31:07

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help