Hey Guys,
Last night I've been playing with some TK4100 cards I have in hand. All of them read fine on PM3 except for one
I have 2 more readers that can read all of the cards, one is ACG LF multi and the other is generic HID emulating keyboard.
Both read the card in question perfectly well, but the PM3 cannot...
I did try many times with different positions/angles of the card, but the result is always negative.
The data plot looks quite different compared to the other cards - not uniform waves, but somewhat garbled and curly.
It is not a big deal since it is a cheap read-only card, but the fact that it works on other readers and not on the PM3 is driving me crazy. Am I doing something wrong, or is there a problem with my Proxmark device/antenna?!?
Anyone have a clue to what the reason for this bizarre behaviour might be?
Thanks in advance!
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2016-06-05 08:31:59
os: /-suspect 2016-06-05 08:31:58
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 186750 bytes (36%). Free: 337538 bytes (64%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)
......#db# DownloadFPGA(len: 42096)
.
# LF antenna: 40.01 V @ 125.00 kHz
# LF antenna: 22.96 V @ 134.00 kHz
# LF optimal: 40.01 V @ 125.00 kHz
# HF antenna: 0.07 V @ 13.56 MHz
Here is a sample test with debug on...
Rawdemod am also fails due to so many errors. Nothing gets in the demodbuff whatever command I send.
proxmark3> lf search u
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
DEBUG: error during fskdemod
DEBUG: Error - problem during FSK demod
DEBUG: Error demoding fsk
DEBUG: Error - problem during FSK demod
DEBUG: Error demoding fsk
DEBUG: Bitlen from grphbuff: 30000
DEBUG: Too many errors found, errors:782, bits:931, clock:32
DEBUG: no data or error found 793, clock: 32
ASKbiphaseDemod failed 1st try
DEBUG: no data or error found 793, clock: 32
DEBUG: Bitlen from grphbuff: 30000
DEBUG: Too many errors found, errors:782, bits:931, clock:32
ASKDemod failed
Error1: 0
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 1 repeating samples
DEBUG: Bitlen from grphbuff: 30000
DEBUG: Too many errors found, errors:793, bits:937, clock:32
Error demoding: 0
No Data Found!
Last edited by Flintstone.S (2016-06-27 23:16:39)
if you can share either trace (data save command) it's easier to test and verify the results.
Thanks for chiming in @iceman!
Here is a link to a save of investigated.txt
https://drive.google.com/open?id=0B1IiA … 2Rvb1RMbTA
The HID keyboard emulating reader spit this: 0005235685
Last edited by Flintstone.S (2016-06-17 23:56:42)
@Flintstone.S
what you have there is a poor read on an EM410x compatible.
you either need an antenna better tuned to the tag or you can clean up the read as shown below:
proxmark3> data dirthreshold 15 -21
Applying Up Threshold: 15, Down Threshold: -21
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found:
EM TAG ID : 14004FE3E5
Unique TAG ID : 2800F2C7A7
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 05235685
DEZ 10 : 0005235685
DEZ 5.5 : 00079.58341
DEZ 3.5A : 020.58341
DEZ 3.5B : 000.58341
DEZ 3.5C : 079.58341
DEZ 14/IK2 : 00085904581605
DEZ 15/IK3 : 000171814602663
DEZ 20/ZK : 02080000150212071007
}
Other : 58341_079_05235685
Pattern Paxton : 342106597 [0x146421E5]
Pattern 1 : 9419667 [0x8FBB93]
Pattern Sebury : 58341 79 5235685 [0xE3E5 0x4F 0x4FE3E5]
Valid EM410x ID Found!
proxmark3>
marshmellow wrote:
@Flintstone.S
what you have there is a poor read on an EM410x compatible.
you either need an antenna better tuned to the tag or you can clean up the read as shown below:
@marshmellow
Amazing! Your answer is what I was suspecting as the problem, but I had no idea how to solve it.
I'm using the stock LF antenna which came with the PM3 rev2 from Elechouse, which is small in diameter and round in shape.
Both my other readers have rectangular-shaped antennas of much larger size, so I was thinking this might be the issue.
One more question if you don't mind. How do you select the dirthreshold values?
Thanks!
dirthreshold looks for any sample that goes above the first parameter and will set all samples after that to 1 (high) until it goes below the second parameter which it then sets all samples to -1 (low) until it again goes above the first parameter - and so on.
so I look for values that will satisfy all (most) highs and all (most) lows, and won't get messed up by the larger waves. the values will fluctuate depending on the strength of the read.
in my fork I just fixed the askedgedetect cleaning tool, which also would work on your trace with the default parameters (and Iceman added it to his fork as well). - this tool looks for large jumps in sample values which indicate an edge of a high or low wave. it is pretty accurate for most ask tags.
it will take a little time for me to get my fork ready to be pulled into the main trunk for this update though.
Last edited by marshmellow (2016-06-20 17:36:09)
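The directional-threshold cleanup marshmellow describes above, as an added Python example that is not part of the Proxmark3 client; the start level before the first crossing, the constructed trace, and the comparison slicer are assumptions of this example, and the 15 / -21 thresholds are the ones used earlier in the thread:

```python
# Added example (not Proxmark3 client code): the directional threshold
# cleanup as marshmellow describes it, run over a constructed noisy trace.
from typing import List, Tuple

def dirthreshold(samples: List[int], up: int, down: int, start: int = -1) -> List[int]:
    """Switch to +1 when a sample rises above `up`, to -1 when it drops below
    `down`, and hold the last level in between.  `start` is the level assumed
    before the first crossing (an assumption of this example, not the client's)."""
    out, level = [], start
    for s in samples:
        if s > up:
            level = 1
        elif s < down:
            level = -1
        out.append(level)
    return out

def sign_slice(samples: List[int]) -> List[int]:
    """Naive zero-crossing slicer for comparison: every ripple across zero
    becomes a spurious transition."""
    return [1 if s > 0 else -1 for s in samples]

def run_lengths(stream: List[int]) -> List[Tuple[int, int]]:
    """Collapse a +/-1 stream into (level, length) runs.  A demod wants these
    to be multiples of the bit clock (32 samples/bit in the trace above);
    ripple shows up as extra short runs, which the demod reports as errors."""
    runs: List[Tuple[int, int]] = []
    for v in stream:
        if runs and runs[-1][0] == v:
            runs[-1] = (v, runs[-1][1] + 1)
        else:
            runs.append((v, 1))
    return runs

def noisy_ask_wave(bits: List[int], clock: int = 32, amp: int = 30, dip: int = 5) -> List[int]:
    """Constructed sample trace: one square level per bit, with every fourth
    sample 'curling' across zero while staying inside the dead band between
    the up (15) and down (-21) thresholds used in the thread."""
    samples: List[int] = []
    for b in bits:
        for n in range(clock):
            curl = n % 4 == 3
            samples.append((-dip if curl else amp) if b else (dip if curl else -amp))
    return samples

if __name__ == "__main__":
    trace = noisy_ask_wave([1, 0, 1, 1, 0, 0, 1, 0])
    print("naive runs:", len(run_lengths(sign_slice(trace))))
    print("cleaned runs:", run_lengths(dirthreshold(trace, 15, -21)))
```

On the constructed trace the naive slicer yields over a hundred short runs, while the thresholded stream collapses to six runs whose lengths are all multiples of the 32-sample clock.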
yep, I can verify that @marshmellow's fixed askedgedetect works on your tag / trace.
Nice work as ever marshmellow!
Hi Marshmellow,
From your explanation - if I understand correctly the "dirthreshold" command trims the "spikes" in the waves (appearing as errors in PM3), and makes the waves more uniform for the demod to work ... right? (Forgive my nooby questions, but I want to get into the inner workings of the graph plot)
Loading the saved samples after the dirthreshold command, the graph plot looks uniform and more functional (machine readable), like from a logic analyzer.
Initially I was puzzled that such a sophisticated device as the PM3 couldn't do the same job as the simple $6.00 reader can.
I figure the cheap reader does this on a hardware level (that it is specifically designed for), which must be replayed in the PM3 on a software level, which is a work in progress and takes a lot of testing and debugging.
Your work is a wonderful example of what open source can achieve.
Thanks for the great work and look forward to your comments !
BTW, your suggestion for "dirthreshold" worked even on my totally garbled attempt to lf snoop the same card, which still leaves me wondering if I really got the idea how to define the dirthreshold values, since the highs and lows are way off in this one...
Please check the saved trace in this link
iceman wrote:
yep, I can verify that @marshmellow's fixed askedgedetect works on your tag / trace.
Nice work as ever marshmellow!
Thanks for confirming it @iceman!
I will need some time to test your/marshmellow's fork, since I rely on outside help for compiling.
Please explain how to apply "askedgedetect" properly?
Best regards!
just run it, then "lf se 1 u"
Flintstone.S wrote:
Hi Marshmellow,
From your explanation - if I understand correctly the "dirthreshold" command trims the "spikes" in the waves (appearing as errors in PM3), and makes the waves more uniform for the demod to work ... right?
basically yes. it is one method of interpreting the wave to digital 1s and 0s.
(ask edge detect is another method)
Flintstone.S wrote:
Initially I was puzzled that such a sophisticated device as the PM3 couldn't do the same job as the simple $6.00 reader can.
I figure the cheap reader does this on a hardware level (that it is specifically designed for), which must be replayed in the PM3 on a software level, which is a work in progress and takes a lot of testing and debugging.
most readers know what they are trying to read which makes it easier. and I wouldn't suggest that a piece of hardware designed about 10 years ago is super sophisticated by today's standards.
a reader with properly designed hardware for a specific modulation can apply filters to clean up a signal better than we can currently with the PM3. and part of it is by design as we don't want to mess with the wave before we identify it. so we leave it raw until we put it in the graphbuffer, then various commands can attempt to demod it. cleaning up ASK signal is very different from cleaning up PSK or FSK signal.
but then again a good working antenna goes a long way. I haven't run across a tag I can demod directly anymore since I built new antennas.
Flintstone.S wrote:
BTW, your suggestion for "dirthreshold" worked even on my totally garbled attempt to lf snoop the same card, which still leaves me wondering if I really got the idea how to define the dirthreshold values, since the highs and lows are way off in this one...
Please check the saved trace in this link
depending on the signal a large range of values MAY work.
Hi marshmellow,
after your answers, most of my questions seem rhetorical
Thanks for taking time to clear them up for me!
marshmellow wrote:
most readers know what they are trying to read which makes it easier. and I wouldn't suggest that a piece of hardware designed about 10 years ago is super sophisticated by today's standards.
a reader with properly designed hardware for a specific modulation can apply filters to clean up a signal better than we can currently with the PM3. and part of it is by design as we don't want to mess with the wave before we identify it. so we leave it raw until we put it in the graphbuffer, then various commands can attempt to demod it. cleaning up ASK signal is very different from cleaning up PSK or FSK signal.
Totally agree with you, and that's the beauty of the PM3... it is a "multi-functional tool" which is still open to future development.
marshmellow wrote:
but then again a good working antenna goes a long way. I haven't run across a tag I can demod directly anymore since I built new antennas.
...Speaking of which makes me think how good my "stock" antenna is, considering the original issue of this thread.
It seems that despite the "good" hw tune figures, there is still much to demand from the antenna.
For example, the lf snoop was highly influenced by the antenna situation/position. It never worked card-antenna-reader. It only worked antenna-card-reader, and I had to keep the antenna further away from the card in order for the reader to work.
I suppose this is because of the matching diameter of my antenna coil and the card's coil, which seems to be damping the reader signal.
I'll appreciate your suggestions in this respect.
Cheers!
The issue may also lie in the proximity of the antenna to the pm3 and interference from the board itself.
The issue may also lie in the proximity of the antenna to the pm3 and interference from the board itself.
My stock Elechouse antenna has about 20cm of cable connecting it to the pm3 board. I tried both with the cable extended away from the pm3 and also with the antenna mounted over the pm3 board...
The only resulting difference was in hw tune results, but I didn't notice any significant difference in the actual reads/snoops.
Last edited by Flintstone.S (2016-06-21 00:11:11)
iceman wrote:
just run it, then "lf se 1 u"
Thanks marshmellow and iceman! We are all lucky to have you here guys.
Just managed to test your forks.
For anyone that might be interested or is having the same issue as me, this solution works "as advertised"
Cheers!
First step, get a strong antenna.
Second step, even with a good antenna, find the right spot/angle/distance for the particular antenna & tag.
Third step, analyse the raw data signal inside the proxmark client.
First step, get a strong antenna.
Second step, even with a good antenna, find the right spot/angle/distance for the particular antenna & tag.
Third step, analyse the raw data signal inside the proxmark client.
Sure, you make a good point.
I've tested with 3 different antennas but the resulting raw data signal was always similar. However with askedgedetect and dirthreshold as initially suggested by marshmellow, it gets right and the card is recognized.
There may be a problem with this particular card but I can not be sure because unfortunately I don't have another of the same batch.
I will keep trying to reach a point when the PM3 will immediately recognize this card by just lf search.
So taking your kind guidance I'll go back to First step and try to build a better antenna.
I have already built one nice antenna but will experiment more, as it is not giving much better results with this card.
I'll post a new topic about my antenna experiments in the appropriate section of this forum.
Thanks again!
If you have @marshmellows fix, doesn't the tag get detected with "LF SEARCH" ?
It is possible that particular tag is 134 kHz. Have you tried changing the lf config to that?
And I haven't added any fix to lf search. Clean up of the signal is currently all manual.
hm, ok, the adding of these kinds of signal manipulations automatically is up for debate. We have them, just need to learn how to use them.
iceman wrote:just run it, then "lf se 1 u"
Thanks marshmellow and iceman! We are all lucky to have you here guys.
Just managed to test your forks.
For anyone that might be interested or is having the same issue as me, this solution works "as advertised"
Cheers!
Actually with the above I meant to confirm that @marshmellow's fix of askedgedetect is working perfectly without any specific parameters in the command. "lf se 1 u" then displays the card's details as with a normal card/tag.
That's why I added the [Solved] to the topic title so everyone interested will know that it works.
I'm sorry if I wasn't clear enough... blame it on my bad english.
I was not expecting a fix in lf search for automatic signal manipulation... rather I hope to build a stronger antenna as @iceman suggested earlier, which will obtain better results, without having to use the askedgedetect. Or do you think this is not going to work?