Proxmark3 community

#1 2016-09-15 19:27:21

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

BEGEH - Entry Card System

Hi

A friend of mine gave me his BEGEH token for research.
I can't read it with the Proxmark, as I thought.

hw tune shows it's 13.56 and hw search as well as all manual checks did not succeed.

After some research I found the following detailed resources:
mainly page 104 - end of document
https://secenv.seclab.tuwien.ac.at/secenv/static/inetsec2/10_Radio_SDR_RFID.pdf

The key is used by postmen, police and others to enter buildings "without a key".


I'm not a programmer, but I guess when these guys manage to read them, it should be possible with the Proxmark too?


Anyone? :)


#2 2016-09-21 16:48:12

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: BEGEH - Entry Card System

OK, funny thing: for testing I have now swapped to the original Proxmark build and the original flash fullimage.

Now hf search gives results:

proxmark3> hf search
         
#db# DownloadFPGA(len: 42096)         
Tag UID : the 16digit token id
Tag Info: Texas Instrument; Tag-it HF-I Plus (RF-HDT-DVBB tag or Third Party Products)         

Valid ISO15693 Tag Found - Quiting Search



while running the iceman build it won't find this


#3 2016-09-21 17:27:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: BEGEH - Entry Card System

That's because my iso15 is not working with my changes to the timers...


#4 2016-09-21 20:17:09

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: BEGEH - Entry Card System

Iceman's build tends to be bleeding edge, which can break some older functionality at times.


#5 2016-10-14 20:32:14

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: BEGEH - Entry Card System

As I was curious what's up with this card, I just did a git pull and make clean all,
then I flashed back to Proxmark master...


proxmark3> hw ver
[[[ Cached information ]]]
         
Prox/RFID mark3 RFID instrument         
bootrom: master/v2.2.0-264-gd1057e7-dirty-suspect 2016-10-14 17:48:01
os: master/v2.2.0-264-gd1057e7-dirty-suspect 2016-10-14 17:48:03
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8
         
uC: AT91SAM7S256 Rev D         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes. Used: 188608 bytes (72%). Free: 73536 bytes (28%).         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory       

proxmark3> hw tune

Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)         
......         
# LF antenna: 31.07 V @   125.00 kHz         
# LF antenna: 29.43 V @   134.00 kHz         
# LF optimal: 36.44 V @   129.03 kHz         
# HF antenna: 22.26 V @    13.56 MHz         
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
         

         
proxmark3> hw tune

Measuring antenna characteristics, please wait........#db# DownloadFPGA(len: 42096)         
.         
# LF antenna: 31.07 V @   125.00 kHz         
# LF antenna: 29.43 V @   134.00 kHz         
# LF optimal: 36.44 V @   129.03 kHz         
# HF antenna: 28.89 V @    13.56 MHz         
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
         

proxmark3> hf search
         
no known/supported 13.56 MHz tags found
         
proxmark3> hf 15 demod
proxmark3> hf 15 read
proxmark3> hf 15 record
#db# fin record         
proxmark3> hf 15 reader
#db# 0 octets read from IDENTIFY request:         
#db# 0 octets read from SELECT request:         
#db# 0 octets read from XXX request:         
proxmark3> hf 15 findafi
proxmark3> hf 15 dumpmemory
Sending bytes to proxmark failed         
Sending bytes to proxmark failed         
No Tag found.         
#db# AFI Bruteforcing done.         

proxmark3> hf list raw
Recorded Activity (TraceLen = 122 bytes)         
         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
iso14443a - All times are in carrier periods (1/13.56Mhz)         
iClass    - Timings are not as accurate         
         
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |         
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------| 



The card is not dead, because when I go out to my front door and hold the card to the reader it opens the door.

I tried to do a hf mf sniff but it doesn't do anything.
As it doesn't recognize it in any commands, I guess it won't do anything with snooping others either.


So any idea what could be the reason or how to get on with it?


#6 2016-10-14 20:42:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: BEGEH - Entry Card System

There is the "subcommand" under "hf 15" which is better than the first level :) *secret*
hf 15 cmd


#7 2016-10-14 22:04:41

HighPressure
Contributor
Registered: 2016-07-17
Posts: 56

Re: BEGEH - Entry Card System

Ahh yeah... I missed those, as I remembered this from playing around with some other cards earlier, but did not think of some other commands behind cmd :-P

Basically no luck with the basics...
I've started debug mode, as I read here in the forum that it's giving better results then.
I played around with the commands and tried it over and over again, and the result is not very steady and not reproducible...
BUT! I finally got some responses :D

In 1 out of about 10-20 tries it replies with Detected UID E***80D**EA81***  (*** just hidden here as the card is still active and not mine)

Basically I found it only with
proxmark3> hf 15 cmd sysinfo -2 *
#db# SEND         
#db# &....    26 01 00 f6 0a         
#db# error, uneven octet! (extra bits!) mask=40         
#db# RECV         
#db# SEND         
#db# &....    26 01 00 f6 0a         
#db# error, uneven octet! (extra bits!) mask=10         
#db# RECV         
#db# NoErr CrcFail!         
#db# .....    00 00 1d 17 a8         
#db# SEND         
#db# &....    26 01 00 f6 0a         
#db# RECV         
#db# NoErr CrcOK         
#db# ........ 00 00 1d 17 a8 0e d1 80         
#db# ...r     07 e0 07 72         
Detected UID E***80D**EA81***   


With the same accuracy I also managed to get this response:

proxmark3> hf 15 cmd read -2 u 0
#db# SEND         
#db# . .GP    02 20 00 47 50         
#db# ran off end!         
#db# error, uneven octet! (extra bits!) mask=02         
#db# RECV         
#db# NoErr CrcFail!         
#db# .....w.. 00 00 00 00 00 77 cf 00         
#db# ........ 00 00 00 00 00 00 00 00         
#db# ...... . 00 00 00 00 cc fc 20 00         
#db# ........ 00 f4 ff ff 00 f4 ff ff         
#db# ........ 01 00 00 00 00 01 00 00         
#db# K*..X> . 4b 2a 10 00 58 3e 20 00         
#db# ........ 05 00 00 00 88 0a 00 00         
#db# ..       0a 00         
CRC failed

*EDIT*

Uhhh, found the magic corner on the Proxmark with this card... much farther away than with other tags.

proxmark3> hf 15 dumpmemory
#db# SEND         
#db# &....    26 01 00 f6 0a         
#db# error, uneven octet! (extra bits!) mask=02         
#db# RECV         
#db# NoErr CrcFail!         
#db# ........ 00 00 1d 17 a8 0e d1 80         
#db# ...      07 e0 07         
#db# SEND         
#db# &....    26 01 00 f6 0a         
#db# ran off end!         
#db# error, uneven octet! (extra bits!) mask=02         
#db# RECV         
#db# NoErr CrcFail!         
#db# ........ 00 00 1d 17 a8 0e d1 80         
#db# ...r.... 07 e0 07 72 02 00 00 00         
#db# ...... . 00 00 00 00 cc fc 20 00         
#db# ........ 00 f4 ff ff 00 f4 ff ff         
#db# ........ 01 00 00 00 00 01 00 00         
#db# K*..X> . 4b 2a 10 00 58 3e 20 00         
#db# ....(... 05 00 00 00 28 01 00 00         
Reading memory from tag UID=E***80D**EA81***         
Tag Info: Texas Instrument; Tag-it HF-I Plus (RF-HDT-DVBB tag or Third Party Products)

Last edited by HighPressure (2016-10-14 22:09:42)
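
The intermittent `CrcFail!` / `CrcOK` results in the debug output above can be reproduced offline. This is an added example, not code from any poster or from the Proxmark3 code base: it reassembles frames from `#db#` dump lines and checks the ISO/IEC 15693 CRC, showing that a response with its last byte lost fails while the complete one parses. The dump-line layout and the `26 01 00 f6 0a` request are taken from the thread; the UID, the `dump` helper and all function names are constructed for illustration.

```python
import re

DUMP = re.compile(r"^#db# .{8} ((?:[0-9a-f]{2} ?)+)$")  # 8-char ASCII column, then hex

def crc15693(data: bytes) -> bytes:
    """ISO/IEC 15693 CRC-16: reflected poly 0x8408, init 0xFFFF, inverted, LSB first."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return (crc ^ 0xFFFF).to_bytes(2, "little")

def crc_ok(frame: bytes) -> bool:
    return len(frame) > 2 and crc15693(frame[:-2]) == frame[-2:]

def frames(log: str) -> list:
    """Group hex-dump lines into (direction, frame) pairs, split at SEND/RECV markers."""
    out, direction, buf = [], None, bytearray()
    for line in log.splitlines() + ["#db# SEND"]:  # sentinel flushes the last frame
        line = line.rstrip()
        if line in ("#db# SEND", "#db# RECV"):
            if direction and buf:
                out.append((direction, bytes(buf)))
            direction, buf = line[5:], bytearray()
        elif m := DUMP.match(line):
            buf += bytes.fromhex(m.group(1))
    return out

def parse_inventory(frame: bytes) -> dict:
    """Inventory response: flags, DSFID, 8-byte UID (LSB first), 2-byte CRC."""
    if len(frame) != 12 or not crc_ok(frame) or frame[0] & 0x01:
        raise ValueError("truncated, corrupted or error response")
    uid = frame[2:10][::-1]
    return {"dsfid": frame[1], "uid": uid.hex().upper(), "mfg_code": uid[1]}

def dump(frame: bytes) -> str:  # formats bytes like the firmware hexdump, ASCII as dots
    return "\n".join(f"#db# ........ {frame[i:i+8].hex(' ')}" for i in range(0, len(frame), 8))

# Constructed sample: the request is the one in the post, the UID is made up.
REQUEST = bytes.fromhex("260100f60a")
BODY = bytes(2) + bytes.fromhex("E007000011223344")[::-1]  # flags, DSFID, UID LSB first
GOOD = BODY + crc15693(BODY)
SEND = ["#db# SEND", dump(REQUEST), "#db# RECV"]
LOG = "\n".join(SEND + ["#db# NoErr CrcFail!", dump(GOOD[:-1])]  # last byte lost
                + SEND + ["#db# NoErr CrcOK", dump(GOOD)])

if __name__ == "__main__":
    for direction, frame in frames(LOG):
        print(direction, frame.hex(" "), "CRC ok" if crc_ok(frame) else "CRC FAIL")
```
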
