Looking for another set of eyes on this waveform/capture; it has me puzzled at the moment. I have experience recovering data from ASK/FSK signals recorded with a HackRF that have various encodings such as Manchester, but this one has me a bit confused. I currently suspect it might be Pulse Width Modulation…
Setup: The capture was taken with the Proxmark3 RDV4 configured with the following basic settings.
[usb] pm3 --> lf config L t 120
lf sniff
The Proxmark was then placed by the LF emitter on a Nissan meant to stimulate the key fob, which responds at a UHF frequency (315MHz). The passive entry button was pressed on the vehicle with the key fob in range, resulting in a successful capture with the Proxmark3. I saved the capture in both the .pm3 and wav formats; links to the files are below.
Links:
https://drive.google.com/file/d/1Lvkj6F … sp=sharing
https://drive.google.com/file/d/1YSj2sB … sp=sharing
The Problem: I am not confident in any method I have used thus far to get valid bits out of this capture. I believe it to be ASK with a clock of 32, but from there I struggle to use the Proxmark's tool chain in the client to get the data to bits. I have also attempted to analyze the capture in Universal Radio Hacker with little to no success.
Image:
https://drive.google.com/file/d/1fDAVYa … sp=sharing
Hardware/Software Info:
[ CLIENT ]
client: RRG/Iceman
compiled with GCC 7.4.0 OS:Linux ARCH:x86_64
[ PROXMARK3 RDV4 ]
external flash: present
smartcard reader: present
[ PROXMARK3 RDV4 Extras ]
FPC USART for BT add-on support: absent
[ ARM ]
bootrom: RRG/Iceman/master/release (git)
os: RRG/Iceman/master/release (git)
compiled with GCC 6.3.1 20170620
[ FPGA ]
LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
Any help would be appreciated!
Last edited by DrFalken (2020-03-04 18:16:18)
Offline
I had a very quick look at one of the dumps and did an ask demod, and had a quick look at the plot.
00000000.1....11100011111111111111111111111111111111111111111111..0101000.11.000000000000000.1....11100011100110111000011101.
11111111..0101000.11.00000000000000000000000000000000000000000000.1....111000111111111111111..0101000.11.00.1.0..00.111.00..0.
00000000.1....11100011111111111111111111111111111111111111111111..0101000.11.000000000000000.1....11100011100110111000011101..0000000000000
There did seem to be a section that was repeated.
The "." was not decoded. Looking at the plot, the spacing/timing at those spots seemed a little off, so maybe a pause in the transmit?
The middle line kinda looks to be the invert of the other two.
Offline
Looks like a PWM. Since we are talking about a car, it could be a pcf793x, hitag-x type of tag.
Offline
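Added example (not part of the thread or any poster's code): one way to test the PWM suggestion above is to measure high/low run widths and flag off-grid periods, rather than forcing a fixed bit clock. The trace is constructed; the 32-sample period, the 8/24 pulse widths and the 120-sample pause are assumptions for illustration, not values measured from the posted captures.

```python
from collections import Counter

def run_lengths(samples):
    """Threshold at the midpoint and return (level, width) runs."""
    mid = (max(samples) + min(samples)) / 2
    runs = []
    for s in samples:
        level = int(s > mid)
        if runs and runs[-1][0] == level:
            runs[-1] = (level, runs[-1][1] + 1)
        else:
            runs.append((level, 1))
    return runs

def cluster_widths(widths, tol=3):
    """Group widths within `tol` samples of a cluster's smallest member."""
    clusters = []
    for w in sorted(widths):
        if clusters and w - clusters[-1][0] <= tol:
            clusters[-1].append(w)
        else:
            clusters.append([w])
    return [(round(sum(c) / len(c)), len(c)) for c in clusters]

def decode_pwm(runs, tol=3):
    """One symbol per high+low pair; '.' where the period is off-grid."""
    if runs and runs[0][0] == 0:      # start on a rising edge
        runs = runs[1:]
    pairs = list(zip(runs[0::2], runs[1::2]))
    period = Counter(h[1] + l[1] for h, l in pairs).most_common(1)[0][0]
    out = []
    for (_, high), (_, low) in pairs:
        if abs(high + low - period) > tol:
            out.append(".")           # pause or timing glitch, not a bit
        else:
            out.append("1" if high > low else "0")
    return "".join(out)

def make_trace(symbols):
    """Constructed test signal (assumed timing): 32-sample period, 8/24 split."""
    shape = {"0": (8, 24), "1": (24, 8), ".": (8, 120)}
    trace = []
    for ch in symbols:
        high, low = shape[ch]
        trace += [100] * high + [-100] * low
    return trace

if __name__ == "__main__":
    runs = run_lengths(make_trace("1011.001"))
    print("high widths:", cluster_widths([w for lv, w in runs if lv == 1]))
    print("low widths: ", cluster_widths([w for lv, w in runs if lv == 0]))
    print("decoded:    ", decode_pwm(runs))
```

Two tight clusters of high widths with a constant high+low period point to PWM; widths at 1x and 2x a base clock on both levels point to Manchester or biphase instead.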
Thank you for the feedback and suggestions. I have taken a few more samples and plan to keep plugging away at it. My goal is to analyze the seed and key relationship between the car and key fob, but this obviously requires a good decode of the LF data.
Offline
So, a bit more information: I have included three more samples below along with some details from the IC on the key fob.
NXP
F7952A15
CD5076 03
TnD14171
Haven't had much luck finding a datasheet that will help with determining the data encoding…
Links to captures:
https://drive.google.com/file/d/1Nf1r9m … sp=sharing
https://drive.google.com/file/d/1YrunxF … sp=sharing
https://drive.google.com/file/d/1h3dqzN … sp=sharing
Offline