Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I have the following 125 kHz tag I can't identify:
The card has www.cardax.com printed on it (but the company is now Gallagher Group, https://security.gallagher.com/). A poke around their site revealed they have 125 kHz tags but couldn't find any more information than that.
The other information on the card is an ID in the bottom corner (51609890-1) and an ID that looks to have been printed on afterwards (2104).
Dump from the card search below:
proxmark3> lf search u
#db# Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff e0 be c5 cc ce c9 ...
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
Using Clock: 32 - Invert: 0 - Bits Found: 500
No Known Tags Found!
Checking for Unknown tags:
Detected Field Clocks: FC/10, FC/8 - Bit Clock: RF/32
Args invert: 0 - Clock:32 - fchigh:10 - fclow: 8
no FSK data found
Using Clock: 32 - Invert: 0 - Bits Found: 500
ASK/Manchester decoded bitstream:
1111111101010101
0001100110110010
1101100101010101
0101100001101000
1101010001101011
0000111000111011
1111111101010101
0001100110110010
1101100101010101
0101100001101000
1101010001101011
0000111000111011
1111111101010101
0001100110110010
1101100101010101
0101100001101000
1101010001101011
0000111000111011
1111111101010101
0001100110110010
1101100101010101
0101100001101000
1101010001101011
0000111000111011
1111111101010101
0001100110110010
1101100101010101
0101100001101000
1101010001101011
0000111000111011
1111111101010101
I see a 96-bit repeating pattern, and looked for header matches of various schemes and found the following potential matches:
11111111
00101101 GSRN-96
00110011 GRAI-96
00110100 GIAI-96
00110101 GID-96
This has led to the following output, but nothing I can see obviously matches to those IDs above (2104 or 51609890-1), unless I am missing something?
11111111 01010101 00011001 10110010 11011001 01010101 01011000 01101000 11010100 01101011 00001110 00111011
FF 55 19 B2 D9 55 58 68 D4 6B 0E 3B
[b]00110011 GRAI-96[/b]
00110011 01100101 10110010 10101010 10110000 11010001 10101000 11010110 00011100 01110111 11111110 10101010
33 65 B2 AA B0 D1 A8 D6 1C 77 FE AA
00110011 011    001       0110110010101010101011000011010001101 0100011    01011000011100011101111111111010101010
header   filter partition company prefix                        asset type serial
[b]00110100 GIAI-96[/b]
00110100 01101010 00110101 10000111 00011101 11111111 10101010 10001100 11011001 01101100 10101010 10101100
34 6A 35 87 1D FF AA 8C D9 6C AA AC
00110100 011    010       1000110101100001 110001110111111111101010101000110011011001011011001010101010101100
header   filter partition company prefix   asset ref
[b]00110101 GID-96[/b]
00110101 10000111 00011101 11111111 10101010 10001100 11011001 01101100 10101010 10101100 00110100 01101010
35 87 1D FF AA 8C D9 6C AA AC 34 6A
001101011 000011100011101111111111010 101010001100110110010110 110010101010101011000011010001101010
header    general manager number      object class             serial number
Offline
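Added example (not part of the original post): a Python sketch of the analysis described above, which finds the repeat length of the demodulated stream and lists every rotation of the frame that starts with one of the candidate headers. The stream is rebuilt from the 12-byte frame quoted in the post; the function names and the "all-ones" label are assumptions made for illustration.

```python
# Added example: recover the frame length of a repeating demodulated
# bitstream and list rotations that begin with a candidate 8-bit header.

# 96-bit frame quoted in the post (FF 55 19 B2 ...), repeated and cut to
# 500 bits to mimic the "Bits Found: 500" capture.
FRAME_HEX = "FF5519B2D9555868D46B0E3B"
FRAME_BITS = format(int(FRAME_HEX, 16), "096b")
STREAM = (FRAME_BITS * 6)[:500]

# Headers listed in the post. It gives no name for 11111111, so the
# "all-ones" label is an assumption of this example.
HEADERS = {
    "all-ones": "11111111",
    "GSRN-96": "00101101",
    "GRAI-96": "00110011",
    "GIAI-96": "00110100",
    "GID-96": "00110101",
}


def smallest_period(bits, min_len=16):
    """Return the smallest p >= min_len with bits[i] == bits[i + p] for
    every i, or None. Exact match only: a noisy capture needs a tolerance."""
    for p in range(min_len, len(bits) // 2 + 1):
        if all(bits[i] == bits[i + p] for i in range(len(bits) - p)):
            return p
    return None


def rotations_with_header(frame, headers):
    """Return (offset, header name, rotated frame as hex) for every
    rotation of `frame` that starts with one of the header patterns."""
    hits = []
    for off in range(len(frame)):
        rot = frame[off:] + frame[:off]
        for name, pattern in headers.items():
            if rot.startswith(pattern):
                hits.append((off, name, f"{int(rot, 2):0{len(rot) // 4}X}"))
    return hits


if __name__ == "__main__":
    period = smallest_period(STREAM)
    print("frame length:", period)
    for off, name, hexval in rotations_with_header(STREAM[:period], HEADERS):
        print(f"offset {off:2d}  {name:8s}  {hexval}")
```

On this frame the five headers match at eight different rotations (GID-96 at two offsets, the all-ones pattern at three), so an 8-bit header match on its own is weak evidence for any particular encoding.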
I do not see a known pattern either.
Could you try
data rawdemod ab
(on a valid trace - either by loading a saved trace or by running lf search or lf read - data samples with the tag on the antenna)
Offline
Reread the tag and ran data rawdemod ab.
I've not had a chance to look through the data yet but have included it here. Will let you know how I get on later.
1001010001001010
0000000000001011
1010001101000001
1010000101110110
1101100111111111
0000000001101010
1001010001001010
0000000000001011
1010001101000001
1010000101110110
1101100111111111
0000000001101010
1001010001001010
0000000000001011
1010001101000001
1010000101110110
1101100111111111
0000000001101010
1001010001001010
0000000000001011
1010001101000001
1010000101110110
1101100111111111
0000000001101010
1001010001001010
0000000000001011
1010001101000001
1010000101110110
1101100111111111
0000000001101010
1001010001001010
0000000000001011
Offline
Can you post the data plot of the tag please?
Offline
A bit of post-coffee Google-fu has revealed it is almost certainly the proprietary "Cardax IV" standard.
Found a few more pieces of info but will keep on digging.
With the Cardax IV proprietary format, enhanced data protection is achieved via:
> Encoding of issue level and region code in addition to facility code and card number, providing unique card data across global card databases
> Using 8 bit error detection protocol, ensuring that the reader correctly identifies the card being presented by the cardholder.
Gallagher readers use the proven Cardax IV reader communications delivering enhanced reader security through encryption and monitoring of the data between the reader and Controller.
Nothing like vague "security through encryption" statements to get a researcher's blood pumping.
There is also a device called a "Cardax FT - Wiegand Protocol Converter" which will take the Cardax IV data and convert it to 40-bit Wiegand output with (first 16 bits facility code, next 24 bits card number). This is just for supporting other systems though and the document doesn't mention much about the input format.
Offline