Research, development and trades concerning the powerful Proxmark3 device.
@sentinel,
Since there are only 2 parity bits and you set the xor-key yourself when making a clone, you would only need to test the 4 different states of the parity bits to find the correct one. Or have I misunderstood the whole format in the threads about it?
Is there a separate calc for the xor-key? The xor-key is in the bitstream, so it's known.
If you have samples of 26bit guardall tags, can you share them so we can have a look at the parity calc again?
Sorry for my english )
The 2 orange parity bits were part of a 10-bit CRC(?), which includes each 8-bit xor-key.
The blue 16 bits must always be like this. Otherwise the VEREX reader does not read the card.
key=10010010 011010 11 0000000100000000 [00000000000000000000000000] 00000000000000
key=10010011 011010 11 0000000100000000 [00000000000000000000000001] 00000000000000
key=10010000 011010 11 0000000100000000 [00000000000000000000000010] 00000000000000
key=10010001 011010 11 0000000100000000 [00000000000000000000000011] 00000000000000
In [] is the Wiegand 26-bit part.
Other examples are in the topic:
http://www.proxmark.org/forum/viewtopic.php?id=1459
@iceman
I wrote a program for the At89c2051 microcontroller that shorts the 125 kHz circuit, emulates Guardall cards one after another, and waits for the reaction from the VEREX reader. If someone else has to program this "dinosaur", I can share the firmware.
There is an implementation of this GuardAll in the pm3 client which takes the card number. The only part missing is the 2-bit parity, and the blue is fixed to 0x0100.
Since you seem to have a valid reader, can you test it out?
@iceman
Yes, I have a card reader G-Prox II, Mullion Arming Station (Verex)
Running one for a 26-bit Wiegand card. At the end of each string the xor-key and parity are specified.
10010011 011010 11 0000000100000000 00000000000000000000000001 00000000000000 93-3
10010000 011010 11 0000000100000000 00000000000000000000000010 00000000000000 90-3
11010001 011010 01 0000000100000000 00000000000000000000000100 00000000000000 B1-1
00010010 011010 10 0000000100000000 00000000000000000000001000 00000000000000 12-2
10010010 011010 10 0000000100000000 00000000000000000000010000 00000000000000 92-2
10110110 011010 01 0000000100000000 00000000000000000000100000 00000000000000 B6-1
11011011 011010 11 0000000100000000 00000000000000000001000000 00000000000000 DB-3
10010000 011010 11 0000000100000000 00000000000000000010000000 00000000000000 90-3
10110110 011010 11 0000000100000000 00000000000000000100000000 00000000000000 B6-3
11011010 011010 11 0000000100000000 00000000000000001000000000 00000000000000 DA-3
11111100 011010 10 0000000100000000 00000000000000010000000000 00000000000000 FC-2
10010010 011010 01 0000000100000000 00000000000000100000000000 00000000000000 92-1
10010011 011010 11 0000000100000000 00000000000001000000000000 00000000000000 93-3
10000000 011010 10 0000000100000000 00000000000010000000000000 00000000000000 80-2
11010110 011010 01 0000000100000000 00000000000100000000000000 00000000000000 D6-1
11011010 011010 11 0000000100000000 00000000001000000000000000 00000000000000 DA-3
10000010 011010 10 0000000100000000 00000000010000000000000000 00000000000000 82-2
10110010 011010 01 0000000100000000 00000000100000000000000000 00000000000000 B2-1
11011011 011010 11 0000000100000000 00000001000000000000000000 00000000000000 DB-3
10010000 011010 11 0000000100000000 00000010000000000000000000 00000000000000 90-3
10110110 011010 11 0000000100000000 00000100000000000000000000 00000000000000 B6-3
10011001 011010 01 0000000100000000 00001000000000000000000000 00000000000000 99-1
00000010 011010 10 0000000100000000 00010000000000000000000000 00000000000000 02-2
10110010 011010 01 0000000100000000 00100000000000000000000000 00000000000000 B2-1
11010001 011010 01 0000000100000000 01000000000000000000000000 00000000000000 D1-1
00010010 011010 10 0000000100000000 10000000000000000000000000 00000000000000 12-2
If I understand you correctly, the xor-key is not random, it's calculated?
Yes, the Xor-Key is calculated by an unknown algorithm, which I have not yet managed to crack.
@sentinel
So some inside knowledge... These guardall/verex readers support cards that allow for certain functions (i.e. programming, firmware update, as well as changing light patterns for arming stations). Could this Xor-Key be used as a part of that? For instance, if I want to program certain functions, I have an application that allows me to create cards using a guardall programming reader.
Is this affecting the card read? Also, just curious what type of card you are encoding this test data onto? I do have blank and unprogrammed gprox cards.
Please do let me know if I can contribute
@Cardedit
Do you have a programmer?
guardall.com/resources/downloads_old/G-Prox_II_Programming_Station_Datasheet.pdf
With the help of a spy program you can write down the protocol between the program and the device.
download.sysinternals.com/files/PortMon.zip
Maybe we'll see something interesting)
I use a homemade programmer and a t5577 card.
@jeff1551
Unfortunately I do not have a proxmark ((
Both were written by Iceman.
Using the commands, you can copy your card:
pm3 --> lf guard
help This help
read Attempt to read and extract tag data
clone <Facility-Code> <Card Number> clone Guardall tag
sim <Facility-Code> <Card Number> simulate Guardall tag
pm3 -->
@jeff1551
If you need to copy only 1 card, in your place I would find someone with a proxmark in your region and ask them to make a clone)
From your greyfieldindustries link it is not clear what software is needed :/
@Sentinel:
I am going to purchase a Proxmark 3, so if you can teach me how to fish it would be better than catching the fish for me every time.
I can easily do a clone for you. do you have a way for me to contact you?
@bic_bawss:
Please provide instructions on how you would achieve cloning this fob? Chubb G-Prox II fob. I will then go ahead and acquire the hardware to do this on my own. Like I said in my previous post, I am not looking for someone to do it for me... I am looking to learn how to do it on my own.
All you need is a proxmark 3
3 hours of your time
A lot of hair to pull out
Gprox2 was the first key I ever cloned and I can tell you it's quite easy. In fact, if you do a quick search you could find the step by step instructions (I wrote them out in a post). If you need more help, skype me: erilam2728
Last edited by ericlam2728 (2016-05-03 22:29:07)
ericlam2728 wrote: jeff1551 wrote: @bic_bawss:
Please provide instructions on how you would achieve cloning this fob? Chubb G-Prox II fob. I will then go ahead and acquire the hardware to do this on my own. Like I said in my previous post, I am not looking for someone to do it for me... I am looking to learn how to do it on my own.
All you need is a proxmark 3
3 hours of your time
A lot of hair to pull out
Gprox2 was the first key I ever cloned and I can tell you it's quite easy. In fact, if you do a quick search you could find the step by step instructions (I wrote them out in a post). If you need more help, skype me: erilam2728
========================
Could you please be so kind and write out the step by step instructions for me, the noob. I would greatly appreciate it, sir!
I actually refuse to do so because all you have to do is search this forum
http://www.proxmark.org/forum/viewtopic.php?id=2649
Last edited by ericlam2728 (2016-05-06 17:33:28)
Some more samples. The question is how to get the XORKEY and "p".
XX = XORKEY
W = wiegand format (in samples: 101000, 40bit)
P = unknown 2 bits (seen in samples: 01, 10, 11; the 00 is seldom seen)
aa = static? 16bits (0000 0001)
cc = cardnumber 24bits?
----samples from user. 40bit wiegand cardnum 1,2,4,8,10,20,40,80 etc
XX WP aa aa cc cc cc cc cc
FE-A1-01-00-00-00-00-00-01
92-A1-01-00-00-00-00-00-02
4A-A1-01-00-00-00-00-00-04
FA-A0-01-00-00-00-00-00-08
9A-A3-01-00-00-00-00-00-10
5A-A1-01-00-00-00-00-00-20
DA-A0-01-00-00-00-00-00-40
DA-A3-01-00-00-00-00-00-80
CA-A0-01-00-00-00-00-01-00
FA-A3-01-00-00-00-00-02-00
9A-A1-01-00-00-00-00-04-00
5B-A0-01-00-00-00-00-08-00
D8-A0-01-00-00-00-00-10-00
DA-A3-01-00-00-00-00-20-00
DB-A1-01-00-00-00-00-40-00
D8-A1-01-00-00-00-00-80-00
9A-A3-01-00-00-00-01-00-00
5A-A0-01-00-00-00-02-00-00
DA-A0-01-00-00-00-04-00-00
FE-A3-01-00-00-00-08-00-00
93-A1-01-00-00-00-10-00-00
D8-A1-01-00-00-00-20-00-00
FE-A1-01-00-00-00-40-00-00
92-A1-01-00-00-00-80-00-00
FC-A0-01-00-00-01-00-00-00
DA-A3-01-00-00-02-00-00-00
DB-A1-01-00-00-04-00-00-00
C8-A0-01-00-00-08-00-00-00
1E-A0-01-00-00-10-00-00-00
92-A1-01-00-00-20-00-00-00
CA-A0-01-00-00-40-00-00-00
FA-A3-01-00-00-80-00-00-00
A3-A0-01-00-01-00-00-00-00
D8-A1-01-00-02-00-00-00-00
FE-A1-01-00-04-00-00-00-00
D2-A3-01-00-08-00-00-00-00
4A-A0-01-00-10-00-00-00-00
FA-A3-01-00-20-00-00-00-00
9A-A3-01-00-40-00-00-00-00
5A-A0-01-00-80-00-00-00-00
---some samples which ends with 1,2,3
7E-A0-01-00-00-00-02-00-01
12-A0-01-00-00-00-02-00-02
36-A0-01-00-00-00-02-00-03
7E-A0-01-00-80-00-00-00-01-
12-A0-01-00-80-00-00-00-02-
36-A0-01-00-80-00-00-00-03-
CA-A0-01-00-80-00-00-00-04-
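An added example (my own code, not from the thread or the Proxmark3 client) that slices both sample formats posted above, sentinel's spaced bit strings and iceman's hex bytes, into the fields the posters name, checks that a trailing "XX-P" note agrees with the leading bits, and lists which values each field takes across a sample set so the constants stand out. Field widths follow the thread's own reading of the 72-bit stream; the function and field names are assumptions of mine.

```python
import re

# Field widths as the thread reads the 72-bit stream (MSB first); in sentinel's
# lines the 40-bit card field is the bracketed 26-bit Wiegand plus 14 zeros.
WIDTHS = (("xorkey", 8), ("w", 6), ("p", 2), ("static", 16), ("card", 40))

def parse_bits(bits):
    """Slice a 72-character bit string into the named fields."""
    if len(bits) != 72 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 72 binary digits")
    fields, pos = {}, 0
    for name, width in WIDTHS:
        fields[name] = int(bits[pos:pos + width], 2)
        pos += width
    return fields

def parse_binary_line(line):
    """sentinel's format: spaced/bracketed bit groups, optional 'XX-P' note."""
    tokens = line.replace("key=", "").split()
    note = tokens.pop() if re.fullmatch(r"[0-9A-Fa-f]{2}-[0-3]", tokens[-1]) else None
    fields = parse_bits("".join(t.strip("[]") for t in tokens))
    if note is not None:
        xk, p = note.split("-")
        # the trailing note must agree with the leading byte and the P bits
        fields["note_ok"] = fields["xorkey"] == int(xk, 16) and fields["p"] == int(p)
    return fields

def parse_hex_line(line):
    """iceman's format: nine '-'-separated bytes, XX-WP-aa-aa-cc-cc-cc-cc-cc."""
    octets = [int(b, 16) for b in line.strip().strip("-").split("-")]
    return parse_bits("".join(f"{b:08b}" for b in octets))

def distinct_values(samples, parser):
    """Which values each field takes across a sample set (spots the constants)."""
    seen = {name: set() for name, _ in WIDTHS}
    for s in samples:
        for name, val in parser(s).items():
            if name in seen:
                seen[name].add(val)
    return seen

# Sample lines copied from the two posts above.
SENTINEL = [
    "10010011 011010 11 0000000100000000 00000000000000000000000001 00000000000000 93-3",
    "11010001 011010 01 0000000100000000 00000000000000000000000100 00000000000000 B1-1",
    "00010010 011010 10 0000000100000000 10000000000000000000000000 00000000000000 12-2",
]
ICEMAN = ["FE-A1-01-00-00-00-00-00-01", "FA-A0-01-00-00-00-00-00-08", "CA-A0-01-00-80-00-00-00-04-"]
```

Running `distinct_values` over the full sample lists from the posts shows which fields never change and which values P actually takes; the `note_ok` flag catches a sample whose trailing note does not match its leading byte.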