Research, development and trades concerning the powerful Proxmark3 device.
Hi!
I am just getting started with Proxmark. I have two tags of different types that I am toying with. One of them turned out to be an EM4100 compatible tag. The other one I have so far been unable to figure out. I am looking at the graph output of "lf read" followed by "data samples 16000" and feeling very confused.
The EM4100 tag looks like this:
This looks like the output after filtering out the clock, i.e. the modulation signal. The tag runs at 64 clocks meaning that the base scale on the x axis must be clock cycles. It makes sense.
The unknown tag looks like this:
I am not sure what to make of this. Is this also the output after filtering out the clock? Is the tag generating its own sine wave? Or is proxmark somehow adapting to the signal and giving me a different display because it does not recognize the data format? I keep looking for detailed documentation as to what the commands actually do but it seems I may have to dive into the source code and circuit diagrams to actually understand what is going on.
Assuming that proxmark does not change the scale depending on what is being read, this unknown tag seems to produce a sine wave with high or low amplitude. The amplitude stays high or low for either 5-7 cycles or 11-13 cycles. The 5-7 cycle intervals always come in pairs, whereas the 11-13 cycle intervals can come alone. I suppose it looks like Manchester or Biphase encoding, but I don't know how to tell which it is. The pattern transmitted from the tag repeats, and there is a special pattern between repetitions; this graph shows the end of one repetition and beginning of the next and the intervening pattern:
It would be really nice if someone recognized the tag format and could tell me what it is and how to interpret it.
Offline
Actually I think I am figuring this out. I had to realize that the relevant difference wasn't the obvious difference in amplitude, but the difference in frequency. This looks like I could program a T5557 to emulate with FSK8/10 encoding, a 50 cycle bit rate, and storing manchester or biphase encoded data on the chip. I am still not sure how to tell whether the data is manchester or biphase encoded, but I am not sure it is important for cloning the tag anyway.
Offline
why don't you upload the trace so that people here can try to help you out
Offline
I was wanting to do that but did not find a way to attach files to posts and did not have a place to store it. I have worked further on analyzing the card contents however, and I think I have the relevant data here. It seems to transmit these 96 fsk modulated bits in a loop:
000111101010101010101010101010101010110011001101010100110101010101001101010010110101010011010100
I am not sure exactly what marks the proper beginning/end of the sequence, perhaps it should be rotated one or two bits. I think it looks similar to a HID card, but not quite the same. If the position above is correct, this would be a preamble of 00011110, 0x1e, followed by this manchester encoded bit string:
00000000000000111110001100000110010100011001
I tried matching that bit string with the HID card format from http://www.proxclone.com/pdfs/HID_format_example.pdf, but then the parity is incorrect:
0000000 00000001111 1 000110000011 001010001100 1
There are no numbers printed on the tag to help figure out the correct interpretation.
Any tips?
Offline
you could try filedropper.com or one of the many free file sharing services...
it does appear to be FSK, but without more bits I cannot identify the proper string.
Offline
Assuming that the bits you captured are correct, it appears to me like a HID variant (normal HID except for the start sentinel).
I changed the start sentinel from 0x0F to 0x1D as shown below and then programmed it into a T5567 card. I read the card using standard HID readers and they all correctly read the card with the output being as shown below. The parity bits are correct for the 37-bit format. I believe that it must be a vendor that licensed the format from HID but uses a different front-end OEM code/start sentinel.
00001111 0101 0101 0101 0101 0101 0101 0101 0110 0110 0110 1010 1001 1010 1010 1010 0110 1010 0101 1010 1010 0110 1010 (original)
00011101 0101 0101 0101 0101 0101 0101 0101 0110 0110 0110 1010 1001 1010 1010 1010 0110 1010 0101 1010 1010 0110 1010 (modified)
T5567 Registers:
Block0 = 0x00107060
Block1 = 0x1D555555
Block2 = 0x5666A9AA
Block3 = 0xA6A5AA6A
Output from HID Reader:
HID 37-bit H10304
Wiegand Code = 0x0015EFDCF7
FC = 350
CN = 519803
Offline
Thanks carl55, added here.
Offline
I think it is a bad read, but carl55 is probably right in the hid format. in the one picture I can see the starting bits 00011101. so it is a standard 37 bit H10304 (or H10302 as they have the same parities and format).
is there a number on the card?
Offline
No, unfortunately there is no printed number on the card, so I cannot verify.
The reason that the original trace looks like it is starting in 00011101 is that the grid lines are wrong in it. I had them set to 64 because that was the frequency of the other tag, but for this tag they were supposed to be 50.
For the graph I parsed the bits from, I did "lf read", then "data samples 16000", "data fskdemod", "data grid 50 0" and looked up a good starting point:
Then "data ltrim 1197", "data hpf", "data threshold 0" to end up with this:
Would there be a good way to extract the bits to a bit string directly from this with a proxmark command? I ended up saving it to a file and loading it into Excel to postprocess into a bit string.
Either way, the start sentinel definitely has four one bits in a row.
I misinterpreted the sentinel because I confused manchester and biphase encodings. Silly me!
Offline
Try a hid demod command right after getting the samples
Offline
I think hid demod does not like the start sentinel of this tag; it produces no output.
Offline
I think it also chokes on anything but 26 bits. I also think the fskdemod is broken...
I use a different reader for FSK usually as the proxmark is somewhat inconsistent. I have a feeling it is a std hid card.
Offline
Haha, I see. I suppose I should start coding improvements; time to get the development environment running
side-question: How are people running proxmark3 on Windows 8? I had to make a cat file and sign it for Windows 8 to like the inf-file for the driver I downloaded.
Offline
Can you provide the cat file ?
Offline
I am sorry, I used the official company signature certificate at work to put a signature on the cat file, and I cannot publish it with that signature.
Offline
Axark, if you get rolling with code for the proxmark I have lots of ideas, just not enough time to learn the language.
BTW I haven't tried windows 8 yet.
Last edited by marshmellow (2014-01-29 13:41:43)
Offline
Using a second hand HID reader from Ebay (I think they are less than 30$), connecting yourself on data 0 data 1 Tx Rx (whatever how it is labeled) using a USB to serial converter and then monitor the output of the reader using a simple serial monitor - wouldn't you be able to see how the reader interprets the card data?
And then, use the HID documentation to see how to convert the hex output to a fac and card no.
It works for me with the 26-bit format.
Offline
I think the problem with a second hand card reader would be that this is not an ordinary HID card, so a normal HID card reader probably would not recognize it.
Offline
@app_o1, the point is the proxmark is capable of this, it just has some bugs that need fixing. (also there are many hid formats that are not publicly documented like the 26bit format is). Granted the proxmark might have read his card perfectly, and maybe it is a special format for a special style reader, forgive me for just being a little skeptical.
Offline
@app_o1, the point is the proxmark is capable of this, it just has some bugs that need fixing. (also there are many hid formats that are not publicly documented like the 26bit format is). Granted the proxmark might have read his card perfectly, and maybe it is a special format for a special style reader, forgive me for just being a little skeptical.
No offence taken
I had the idea that any HID "prox" readers from HID could read any of their format and spit out the data like it would transfer it to the controller it is connected to.
Take the Prox Point for example, I don't believe it is working only for "known" hid formats. When they sell you some special "corporate hardcore" format, they don't tell you to buy new readers...
I am speaking from an installer's point of view. I don't have much experience about what is behind all this unfortunately.
I also believe that the proxmark read it perfectly well. But I don't believe that it is a special format "for a special style reader".
I am sure carl55 can give us some cool comments on this!
Last edited by app_o1 (2014-01-29 16:22:33)
Offline
HID formats "work" with their readers but the reader just spits the full binary not facility code and card number. the application then has to recognize the format in the binary. and not all formats have documented facility code, card number and parity positions. those sometimes are hard coded in the software programs.
However, I'm pretty certain that hid readers will not read anything that doesn't have the preamble written exactly as their 00011101, but I will try the 00001111 on several hid readers I have and report back...
(btw no offense intended)
Last edited by marshmellow (2014-01-29 17:02:07)
Offline
I tried 00001111 and a few others. Only 00011101 seems to work with my HID reader.
Last edited by app_o1 (2014-01-31 15:47:53)
Offline
...which is "Compatible with all HID cards and tags with formats up to 85 bits."
Offline
After looking into it some more, I think the tag I read was an old version of Paradox proximity card:
http://www.s4s.co.za/ProductInfo.aspx?productid=S4S1025
http://www.cardacc.com/contents/en-ca/d15_Paradox_cards.html
Paradox C704 Blue Proximity Key Tag
"Paradox is a major manufacturer of card access control devices and manufactures prox cards and tags for their systems. They are encoded with proprietary format, will work on Paradox systems only and not on other door access systems."
The data seems to be the 0F sentinel followed by manchester encoded data: 10 zero bits; an 8-bit number and a 16-bit number that together form the card id programmed into the system; an 8-bit checksum of some kind that is not displayed by or input into the security system; and two 1 bits.
As of yet, I have no idea how the checksum is calculated. Even tags whose card ids differ only by a single bit can have 4 bits flipped in the checksum.
The tags are used with an alarm system like this: http://site.geoarm.com/manuals/paradox.digiplexdgp2-641lcd.pdf
Offline
Oh, and I started working on a windows gui program to conveniently read and clone tags using a proxmark3. So far it works for my tags. If there is interest I could post it. Though I suppose then I would have to go to the trouble of making the COM port configurable.
Last edited by axark (2014-02-27 18:13:53)
Offline
axark did you make any more headway with this paradox card format?
Offline
Hey axark, I uploaded some traces for 3 other paradox cards here:
www.proxmark.org/forum/viewtopic.php?pid=11979
Maybe you could confirm if these cards have a similar format to your keytag.
Thanks
Offline
@nirom, I believe your tag is different. they both use FSK but different data formats (AWID doesn't use Manchester), see: http://www.proxmark.org/forum/viewtopic.php?id=1635 and: http://www.proxmark.org/forum/viewtopic.php?id=1767 (first post scroll down a little for awid)
Offline
Oh, and I started working on a windows gui program to conveniently read and clone tags using a proxmark3. So far it works for my tags. If there is interest I could post it. Though I suppose then I would have to go to the trouble of making the COM port configurable.
Did you come up with your program? I would love to be able to clone a Paradox FOB with easy steps! Thanks!
Offline
Oh, and I started working on a windows gui program to conveniently read and clone tags using a proxmark3. So far it works for my tags. If there is interest I could post it. Though I suppose then I would have to go to the trouble of making the COM port configurable.
Did you end up posting this Windows GUI program, I would love to get it? Thanks.
Offline
Oops, sorry I posted twice. I cannot find a way to Edit/Delete my posting on this board...
Offline
The new "data fskparadoxdemod" will auto demodulate these.
Offline
Thanks, I'll give it a try
Offline
printed number: 55525
recorded on the card:
00 00000000 01101000 11011000 11100101 11010111 11
00 68 D8 E5 D7
Offline
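As an added example (not code from the thread or from the Proxmark3 project), the following Python decoder works through the bit-level steps discussed above: axark's Manchester decoding of the 96-bit FSK capture, carl55's HID 37-bit H10304 decode from the T5567 block values, and the Paradox layout (10 zero bits, 8-bit id, 16-bit id, 8-bit checksum, two 1 bits) that nirom's 55525 tag confirms. It assumes Manchester pairs read as 01 = 0 and 10 = 1, the polarity that reproduces carl55's FC/CN result, and starts from the already FSK-demodulated bit string rather than the raw samples.

```python
# Added example, not from the thread or the Proxmark3 code base.
# Assumption: Manchester pairs are read as 01 -> 0 and 10 -> 1, the polarity
# that reproduces carl55's FC 350 / CN 519803; the FSK demod is not covered.

HID_SENTINEL = "00011101"      # 0x1D, standard HID Prox start sentinel
PARADOX_SENTINEL = "00001111"  # 0x0F, the sentinel seen on the Paradox tag

# Inputs taken from the thread: carl55's T5567 blocks and nirom's 44 data bits.
HID_STREAM = "".join(f"{b:032b}" for b in (0x1D555555, 0x5666A9AA, 0xA6A5AA6A))
NIROM_BITS = "0000000000" + "01101000" + "1101100011100101" + "11010111" + "11"

def demanchester(raw, sentinel):
    """Return the 44 data bits of a cyclic capture, whatever rotation it starts at."""
    for rot in range(len(raw)):
        s = raw[rot:] + raw[:rot]
        if not s.startswith(sentinel):
            continue
        pairs = [s[i:i + 2] for i in range(len(sentinel), len(s), 2)]
        if all(p in ("01", "10") for p in pairs):   # a 00/11 pair means misalignment
            return "".join("0" if p == "01" else "1" for p in pairs)
    raise ValueError("sentinel not found with a clean Manchester body")

def manchester_encode(sentinel, bits44):
    """Inverse of demanchester: the 96-bit stream a T55x7 clone would replay."""
    return sentinel + "".join("01" if b == "0" else "10" for b in bits44)

def parse_hid37(bits44):
    """H10304 inside the 44 bits: 7 lead bits, then P | FC(16) | CN(19) | P.
    Bit 6 clear marks the 37-bit format (the same test Proxmark's hid demod uses)."""
    if len(bits44) != 44 or bits44[6] != "0":
        raise ValueError("not a 37-bit HID frame")
    w = bits44[7:]
    even_ok = w[:19].count("1") % 2 == 0   # bit 1: even parity over bits 1-19
    odd_ok = w[18:].count("1") % 2 == 1    # bit 37: odd parity over bits 19-37
    return {"wiegand": int(w, 2), "fc": int(w[1:17], 2), "cn": int(w[17:36], 2),
            "parity_ok": even_ok and odd_ok}

def parse_paradox(bits44):
    """axark's layout: 10 zero bits, 8-bit id, 16-bit id, 8-bit checksum
    (algorithm unknown in the thread, so only extracted), two 1 bits."""
    if len(bits44) != 44 or bits44[:10] != "0" * 10 or bits44[42:] != "11":
        raise ValueError("not a Paradox frame")
    return {"id8": int(bits44[10:18], 2), "id16": int(bits44[18:34], 2),
            "checksum": int(bits44[34:42], 2)}

if __name__ == "__main__":
    print(parse_hid37(demanchester(HID_STREAM, HID_SENTINEL)))     # FC 350, CN 519803
    raw = manchester_encode(PARADOX_SENTINEL, NIROM_BITS)
    raw = raw[37:] + raw[:37]                                      # capture began mid-frame
    print(parse_paradox(demanchester(raw, PARADOX_SENTINEL)))      # id16 55525
```

Feeding axark's original 96-bit string with the 0x0F sentinel to the same decoder yields the 10 zeros, an 8-bit id, a 16-bit id, a checksum and the trailing 11, which is what made the Paradox layout plausible.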