Research, development and trades concerning the powerful Proxmark3 device.
Hi All!
Maybe someone knows the Guardall G-Prox II format?
Card number 1365205
Read from card (96 bit):
1101 0
0110 0
1100 0
0000 0
0101 0
0110 0
1101 0
0110 0
1000 0
1011 0
0001 0
0010 0
0011 0
0011 0
1101 0
0101 0
1101 0
0110 0
1111 1 0 - maybe the start marker?
Offline
There is very little information to work with here.
The start is typical of a number of readers indicating the number of bits used in the card format (26 in this case). Assuming this is correct, that would mean that your card data is possibly '10011110101011101011011111' meaning that:
SC/FC is 61
and CN/IN is 23919
There are a lot of guesses here and I'd be surprised if I'm right.
Where do you get 96 from?
When you say the card number is 1365205, do you mean this is printed on the card?
Offline
Hi, 0xFFFF!
I have 8 cards with printed numbers. Using the CoolEdit program I recorded and decoded the bit sequence. The modulation was not Manchester but biphase.
By analogy with conventional cards, I began to look for a long sequence of 1s. The longest was 5 bits. So they had to make sure that 5 one-bits never occur in the data sequence. To do this, every 5th bit is ZERO.
Printed numbers:
1365205
1365208
1365209
1365210
1367510
1367511
1367512
1367513
0 1101 0 0110 0 1100 0 0000 0 0101 0 0110 0 1101 0 0110 0 1000 0 1011 0 0001 0 0010 0 0011 0 0011 0 1101 0 0101 0 1101 0 0110 0 11111
0 1011 0 0000 0 0110 0 0110 0 0011 0 0000 0 1011 0 0000 0 1110 0 1101 0 0111 0 0100 0 0010 0 0101 0 1011 0 0010 0 1011 0 0000 0 11111
0 0111 0 0000 0 1010 0 0110 0 1111 0 0000 0 0111 0 0000 0 0010 0 1101 0 1011 0 0100 0 1110 0 0101 0 0111 0 0001 0 0111 0 0000 0 11111
0 0011 0 0011 0 1010 0 0101 0 1011 0 0011 0 0011 0 0011 0 0110 0 1110 0 1111 0 0111 0 0110 0 0110 0 0011 0 0001 0 0011 0 0011 0 11111
0 0010 0 0000 0 1011 0 0110 0 1010 0 0000 0 0010 0 0000 0 0111 0 1101 0 0000 0 0100 0 0100 0 1011 0 0010 0 0010 0 0010 0 0000 0 11111
0 1110 0 0000 0 0111 0 0110 0 0110 0 0000 0 1110 0 0000 0 1011 0 1101 0 1100 0 0100 0 1000 0 1011 0 1110 0 0001 0 1110 0 0000 0 11111
0 0010 0 0010 0 1111 0 0100 0 1010 0 0010 0 0010 0 0010 0 0111 0 1111 0 0000 0 0110 0 1100 0 1001 0 0010 0 0010 0 0010 0 0010 0 11111
0 1110 0 0010 0 0011 0 0100 0 0110 0 0010 0 1110 0 0010 0 1011 0 1111 0 1100 0 0110 0 0000 0 1001 0 1110 0 0001 0 1110 0 0010 0 11111
Offline
If you XOR each byte with the byte standing next to it:
686901BA998467C01D
6B6A01BA998AE9407B
6B6A01BA998A298078
696801BA9989EA40BA
696801BA9EF2964072
696801BA9EF2568071
6B6A01BA9EF3D70032
6B6A01BA9EF317C031
Applying XOR to all the card codes gives the difference:
6B6A01BA998AE9407B 000000000000C0C003
6B6A01BA998A298078
696801BA9EF2964072 000000000000C0C003
696801BA9EF2568071
6B6A01BA9EF3D70032 000000000000C0C003
6B6A01BA9EF317C031
Offline
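The two steps described in the posts above (dropping the zero inserted after every 4 data bits, then XORing each byte with its neighbour), as an added example that is not part of the original posts. The function names are hypothetical, and packing each byte least-significant-bit first is an assumption, chosen because it reproduces the hex values posted for the cards.

```python
# Constructed input: first raw capture quoted in the thread (printed number 1365205).
RAW = ("0 1101 0 0110 0 1100 0 0000 0 0101 0 0110 0 1101 0 0110 0 1000 "
       "0 1011 0 0001 0 0010 0 0011 0 0011 0 1101 0 0101 0 1101 0 0110 0 11111")

MARKER = "111110"  # five 1s plus the stuffing 0; cannot occur inside stuffed data


def destuff(raw: str) -> str:
    """Return the 72 data bits of one 96-bit frame, stuffing zeros removed."""
    bits = raw.replace(" ", "")
    if len(bits) != 96 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 96 bits")
    ring = bits + bits                      # the capture is one period of a repeating frame
    pos = ring.find(MARKER)
    if pos < 0 or pos >= 96:
        raise ValueError("no start marker in capture")
    body = ring[pos + 6:pos + 96]           # 18 groups: 4 data bits followed by one 0
    groups = [body[i:i + 5] for i in range(0, 90, 5)]
    if any(g[4] != "0" for g in groups):
        raise ValueError("stuffing bit is not 0: capture misaligned or corrupt")
    return "".join(g[:4] for g in groups)


def to_bytes_lsb_first(bits: str) -> bytes:
    """Pack 8-bit chunks with the first bit as the least significant bit
    (assumption: this order reproduces the hex quoted in the thread)."""
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, len(bits), 8))


def xor_adjacent(data: bytes) -> bytes:
    """XOR every byte with the byte that follows it (result is one byte shorter)."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def decode(raw: str) -> str:
    """Raw 96-bit capture -> hex string of the XORed bytes."""
    return xor_adjacent(to_bytes_lsb_first(destuff(raw))).hex().upper()


if __name__ == "__main__":
    print(decode(RAW))
```

The result matches the first eight bytes of the value posted for this card; the ninth byte is not reproduced because the post does not say what the last byte is paired with.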
I have the same questions... except I am a total noob.
I have a g-prox ii fob and don't know how to work with it!
Does the proxmark3 even work with it?
Offline
Hi Scotchtape!
Unfortunately, I was unable to decipher the information on the proxcard ((( The Proxmark3 did not work with the GPROX card.
If you have a sufficient number of cards and a desire to cooperate, I can send you the reader, print complete information about card
Offline
I would but I'm a total noob
I also don't have a g-prox "card" - I have a 4 button fob that I think uses the G-prox RFID format.
I'm not sure if it has a printed number, it has an FCC number on it though.
It works with a verex reader. I'm not sure what the "card number" is.
Wish I could help more too!
Offline
I did notice that their website says it's a 36-bit format though?
Says it comes in 26, 36, and 40 bit formats:
http://verextech.interlogix.com/downloads/G-Prox_II_Cards_DS.pdf
Offline
Offline
Question @ Sentinel: how does the 1-74474F-1 relate at all to the card number? what part of the 1-74474F-1 increments for card number 1365206? Thanks! great information!
EDIT:
I think I figured it out. the next card would be 1-744750-1 incrementing in hex. it appears to have no direct relationship to the external printed number. (maybe just add 6255226 to the external number and convert to hex to get the internal number?)
Last edited by marshmellow (2014-04-08 18:54:06)
Offline
to Marshmellow
Printed   Wiegand26
1365205   1-74474F-1   add 6255226
1365208   1-744752-1
1365209   1-744753-0
1365210   1-744754-1
1367510   1-7449AC-1   add 6253526
1367511   1-7449AD-0
1367512   1-7449AE-0
1367513   1-7449AF-1
Possibly it is calculated in the access control software for a range of cards?
Offline
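A check of the table above against the standard 26-bit Wiegand parity rule, together with the offset between printed and internal numbers; this is an added example, not part of the original posts. The function names are hypothetical, and reading the payload as an 8-bit facility code plus a 16-bit card number assumes the standard 26-bit layout applies to these cards.

```python
# Constructed from the table in the post above: printed number -> reader output.
SAMPLES = {
    1365205: "1-74474F-1", 1365208: "1-744752-1",
    1365209: "1-744753-0", 1365210: "1-744754-1",
    1367510: "1-7449AC-1", 1367511: "1-7449AD-0",
    1367512: "1-7449AE-0", 1367513: "1-7449AF-1",
}


def parse(text: str) -> tuple[int, int, int]:
    """Split 'P-XXXXXX-P' into leading parity, 24-bit payload, trailing parity."""
    lead, payload, trail = text.split("-")
    value = int(payload, 16)
    if value >> 24 or lead not in ("0", "1") or trail not in ("0", "1"):
        raise ValueError(f"not a 26-bit value: {text!r}")
    return int(lead), value, int(trail)


def expected_parity(payload: int) -> tuple[int, int]:
    """Standard 26-bit Wiegand rule: the leading bit gives even parity over the
    upper 12 payload bits, the trailing bit gives odd parity over the lower 12."""
    upper_ones = bin(payload >> 12).count("1")
    lower_ones = bin(payload & 0xFFF).count("1")
    return upper_ones & 1, (lower_ones & 1) ^ 1


def fields(payload: int) -> tuple[int, int]:
    """Facility code and card number, assuming the standard 8 + 16 bit split."""
    return payload >> 16, payload & 0xFFFF


def analyse(samples: dict[int, str]) -> tuple[bool, set[int]]:
    """Return (every parity bit matches the rule, set of payload-minus-printed offsets)."""
    parity_ok, offsets = True, set()
    for printed, text in samples.items():
        lead, payload, trail = parse(text)
        parity_ok &= (lead, trail) == expected_parity(payload)
        offsets.add(payload - printed)
    return parity_ok, offsets


if __name__ == "__main__":
    print(analyse(SAMPLES), fields(parse("1-74474F-1")[1]))
```

All eight rows satisfy the parity rule, and each batch of printed numbers has its own constant offset, the two values noted in the table.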
Experimenting with the encryption key and the first byte sequence, I managed to get a 27 bit Wiegand. Carefully looking at the first byte of a piece, I realized that it is 26.
Last edited by Sentinel (2014-10-13 08:56:18)
Offline
My card generator worked through the night and here is the result. A Wiegand sequence was generated, then the key (8 bit) and two strange bits were selected - 1024 options. If the reader read the card, its code was recorded in the log file. Rather, these are 10 bits of one thing - a CRC10. Calculating it would be quite difficult :(
PS: fixed a bug that Marshmellow noticed.
Last edited by Sentinel (2014-04-16 10:03:48)
Offline
@Sentinel: are you attempting to identify the Parity? (or P?).
With your data I've worked out this parity structure that works with the cards I've tested:
Wiegand data:
XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXX
L EE E E E E E E E E E E
R OO OOOOO OO OO OOOOO OOOO O OO O OO OOO
where LR = P = 10 or 00 or 01 or 11
and E = even parity digit, O = odd parity digit
I'm doing further testing to see if it works for all card data I have
thoughts?
Edit: ...
Last edited by marshmellow (2014-04-15 22:02:34)
Offline
@marshmellow: Now I will check your theory)
The Guardall reader responds to only one combination of the 1024 states. Assume that P is not parity, but part of the CRC10... I think we should look for a math forum and ask there how to recover the CRC polynomial :)
There are still a few peculiarities. The Wiegand value lies in the range 20...40 bits. For values less than 19 bit I could not find the CRC. Simply nothing works if you change the 0x0100 (16 bit).
Offline
I fixed my issue, my application wasn't following my map correctly (and I flip-flopped odd and even on the R). I've adjusted the parity map I used above a little and it appears to work with the samples I have (which admittedly is limited).
That said, I have no clue how the Key is generated. but it is possible that if the Parity is incorrect then the reader wouldn't respond. in that case you would need to have the correct key and the correct calculated parity bits as you suggest. once we know the parity calculation for sure then the key is likely a crc8 of sorts.
but really the math you are doing is out of my current reach so i'll yield to you and any math forum you find
btw: we also do not know the calculation for the last wiegand bit the -1 or -0.
Last edited by marshmellow (2014-04-15 19:46:05)
Offline
@marshmellow:
"btw: we also do not know the calculation for the last wiegand bit the -1 or -0."
As far as I understand, with Guardall, as with HID, the parity bits are stored on the card. All sequences are read and transferred to the Wiegand interface, although not all of them are correct from the point of view of the last parity bit. For example:
10010010 011010 11 0000000100000000 00000000000000000000000000 00000000000000 (all zero)
Offline
My device enumerates codes at a rate of 4 per second and goes through all the options (1024) in about 4 minutes.
Offline
is the card with all zero's a valid number? what is the card number output by the reader? it doesn't follow the format 1-XXXXXX-P. that may change the parity calculation. I may not have the calculations perfect (missing a bit or using a bit I shouldn't) but from what I see it looks very much like a parity calculation.
With HID readers, if the binary prefix or header is incorrect it will not output any wiegand. is it possible the guardal reader checks the parity as part of the decrypt function and ignores invalid data?
Offline
> My device enumerates codes at a rate of 4 per second and goes through all the options (1024) in about 4 minutes.
Nice
Offline
@marshmellow:
>With HID readers, if the binary prefix or header is incorrect it will not output any wiegand.
If you do not put the first 1 (defining the beginning of the Wiegand data) in the HID sequence, you can get a zero Wiegand. The reader beeps, but gives nothing to Wiegand. This trick worked with my HID reader )
Offline
you are correct that HID readers will do that as long as the header bits are correct (the header is not part of the wiegand data).
Offline
can you check this line in your image file above:
10010010 011010 10 0000000100000000 00000000000000000000010000 00000000000000 92-1
the 10 and 92-1 appear to be mismatched.
Offline
@marshmellow:
Oops... I wrote the HEX data manually, so it was wrong )
10010010 011010 10 0000000100000000 00000000000000000000010000 00000000000000 92-2
Offline
Here I tried to generate Wiegand 26 sequentially:
10010010 011010 11 0000000100000000 00000000000000000000000000 00000000000000
10010011 011010 11 0000000100000000 00000000000000000000000001 00000000000000
10010000 011010 11 0000000100000000 00000000000000000000000010 00000000000000
10010001 011010 11 0000000100000000 00000000000000000000000011 00000000000000
11010001 011010 01 0000000100000000 00000000000000000000000100 00000000000000
11010000 011010 01 0000000100000000 00000000000000000000000101 00000000000000
11010011 011010 01 0000000100000000 00000000000000000000000110 00000000000000
11010010 011010 01 0000000100000000 00000000000000000000000111 00000000000000
00010010 011010 10 0000000100000000 00000000000000000000001000 00000000000000
00010011 011010 10 0000000100000000 00000000000000000000001001 00000000000000
00010000 011010 10 0000000100000000 00000000000000000000001010 00000000000000
00010001 011010 10 0000000100000000 00000000000000000000001011 00000000000000
01010011 011010 00 0000000100000000 00000000000000000000001100 00000000000000
01010010 011010 00 0000000100000000 00000000000000000000001101 00000000000000
01010001 011010 00 0000000100000000 00000000000000000000001110 00000000000000
01010000 011010 00 0000000100000000 00000000000000000000001111 00000000000000
10010010 011010 10 0000000100000000 00000000000000000000010000 00000000000000
10110110 011010 01 0000000100000000 00000000000000000000100000 00000000000000
10110111 011010 01 0000000100000000 00000000000000000000100001 00000000000000
10110100 011010 01 0000000100000000 00000000000000000000100010 00000000000000
10110101 011010 01 0000000100000000 00000000000000000000100011 00000000000000
It is strange that no one else has come across such cards :(
Last edited by Sentinel (2014-04-16 10:06:19)
Offline
I see Chubb system using Verex fob.
Is there any way to decode this fob yet?
Offline
More info here.
Offline
The new data rawdemod ar and data biphaserawdecode should get you the binary programmed on the chip.
You would need to find the start of the bitstream and then follow sentinel's procedure to decrypt to get the card ID and fc.
Last edited by marshmellow (2015-02-25 23:28:45)
Offline
there is a new auto demod for this tag now included in <lf search> , or <data askgproxiidemod>
Offline