Research, development and trades concerning the powerful Proxmark3 device.
Hey Guys,
I have the proxmark3, running
#db# bootrom: svn 486-unclean 2011-08-28 18:52:03
#db# FPGA image built on 2012/1/6 at 15:27:56
I have had some success with copying and reading HID 125kHz cards, but am having trouble with what I think is a Tecom Smart Fob.
The system used for entry in our building is a GE - TS0870H reader, and after some googling I think the fob being used to access is a Tecom smart fob.
I can't find any info on the fob RFID type but get the following voltage drops on the LF antenna when I do an lf test:
NO RFID:
#LF antenna: 13.96 V @ 125kHz
#LF antenna: 22.29 V @ 134kHz
#LF optimal: 25.11 V @ 131.87kHz
#HF antenna: 0.58 V @ 13.56MHz
WITH RFID
#LF antenna: 12.22 V @ 125kHz
#LF antenna: 22.42 V @ 134kHz
#LF optimal: 22.42 V @ 131.87kHz
#HF antenna: 0.61 V @ 13.56MHz
Not really sure where to go from here as I've tried (I think) all of the types of LF (and some HF) tests with the proxmark3.
Could someone please steer me in the right direction?
Cheers
Warren
Offline
It is 99% a 125kHz tag; try with hid and indala commands (you can also try em4100 commands); also have a look at this.
Last edited by asper (2014-02-26 11:57:12)
Offline
Thanks I have had no response from any of these commands.
Offline
It's 125kHz Hitag.
The PACS format is pretty easy to work out.
Offline
Sorry, I'm pretty new to this. What is the best command or way to work it out?
Offline
I've never tried reading a Tecom smart card on the PM3. But I'd assume that you'd be looking at lf hitag ...
Offline
> I've never tried reading a Tecom smart card on the PM3. But I'd assume that you'd be looking at lf hitag ...

Thanks, I've tried all commands and still can't get a read. I haven't had any luck with a hitag snoop either. Do you think I have to send a code/password to it to get a response?
Offline
I'll have to look at the source for the programmer. Give me a few days and I'll get back to you.
There is a password but I can't remember/didn't write down what it was.
What other information do you need?
What are you trying to achieve?
Offline
> I'll have to look at the source for the programmer. Give me a few days and I'll get back to you.
> There is a password but I can't remember/didn't write down what it was.
> What other information do you need?
> What are you trying to achieve?

Thank you, that would be great. I'm trying to make a copy of my apartment access fob so I can have a spare.
Offline
Ok. I have sniffed traffic going to the HTRC110.
This is SPI communications between the PIC micro and the reader IC (HTRC110) on the TS0870P.
'Blanking' a card.
Writing a card with Site code 171, Card number 1
Reading the same card back.
Reading a 'blank' card.
Writing a reader configuration card.
Commands were issued by connecting the programmer to a PC running the 'Titan' software.
Basically each capture is a button press (Titan), presentation of a card and a cancel button press (Titan).
Offline
Thanks for getting back to me, I appreciate your help. I will try and crack it this week.
Regards,
Warren
Offline
What PM3 command did you use? When I use the command "lf hitag read card" I get an error: unkown reader function 0
Offline
Sorry, I'm good at not explaining things sometimes.
I didn't sniff anything using the PM3.
I have updated the post (above).
Offline
I don't have access to any other readers apart from my Proxmark3. Do you think I have a chance of cloning it with the proxmark3 or I need another reader / writer? What is the best reader / writer?
Offline
I have not looked into fixing (or adding functionality to) LF. However, the PM3 is capable of working with Hitag / Tecom Smart Cards.
Understanding what is happening between the micro and the HTRC110 gives us the information required to create/clone/emulate/etc...
The 'best' reader/writer would probably be the one designed for the task. The TS0870P is apparently ~$600AUD!!!!
There are a few options available to you...
Crack it and code it
Buy a programmer
Find someone with a programmer and get them to ship you a card
Offline
Thanks, would you know the best place to buy a TS0870P?
Offline
The programmer I have was given to me.
Using my Google-fu I determined that the distributor in Australia is Direct Alarm Supplies.
This is a very expensive way to get a spare card for your apartment.
Offline
Cheers, my wife usually has comments like that. I checked with those guys before you posted and they don't deal with the public and they were a bit rude so I will shop around and see what my options are.
Thanks for your help.
Offline
No worries.
I can't sell you a programmer but I can sell you a few cards. If you're interested, send me an email.
Offline
From the HTRC110 Data Sheet, it says "After the assertion of the three command bits the HTRC110 instantaneously switches to READ_TAG-mode and transmits the demodulated, filtered and digitized data from the transponder"
Is there a way to program the proxmark to send these 3 bits then listen for the transponder data?
And then to just loop after a wait to keep on reading the card data over and over?
Offline
> No worries.
> I can't sell you a programmer but I can sell you a few cards. If you're interested, send me an email.

Hey 0xFFFF
My curiosity got the better of me, and against your and my wife's recommendation, I bought a Tecom TS0870P Smart Card Programmer.
I can talk to the programmer fine using the Titan software for the Challenger security system, but it seems like the software is a complete management package for like a building access system or something.
I can't even find a part in Help or the user guide or in the software to read the card. Is there other software, or could you steer me in the right direction on how to read my Tecom card?
I've looked at this guide:
http://www.protection1.com.au/User%20Manuals/Titan%20Manuals.pdf
and the help menu of the Titan software.
Your help would be much appreciated.
Cheers
Warren
Offline
These instructions are very rough but should get you what you want (hopefully).
To setup the reader with the Titan software...
Login using
u: TECOM MASTER
p: 4346
Create a port. Admin -> Ports. The port you are creating is a 'Card Programmer' (obvious). Delete any other port record you have.
Go to File -> Open / System. Tick Active system and click Save.
Go to Admin -> Card Programmer -> Setup. Change the port to the 'port' record you created earlier. Click Activate programmer and click save.
That should get you going
Offline
Hey 0xFFFF
Thanks for getting back to me so quick!
> These instructions are very rough but should get you what you want (hopefully).
> To setup the reader with the Titan software...
> Login using
> u: TECOM MASTER
> p: 4346
> Create a port. Admin -> Ports. The port you are creating is a 'Card Programmer' (obvious). Delete any other port record you have.

Haha thanks, had got this far from the instruction sheet.

> Go to File -> Open / System. Tick Active system and click Save.
> Go to Admin -> Card Programmer -> Setup. Change the port to the 'port' record you created earlier. Click Activate programmer and click save.
> That should get you going

Once I get to these next steps:
Go to File -> Open / System. Tick Active system and click Save.
Go to Admin -> Card Programmer -> Setup. Change the port to the 'port' record you created earlier. Click Activate programmer and click save.
The following message
I've tried changing my COM port and have tried different system numbers, but to no avail. There is a message saying that Titan software is UNREGISTERED, so it may be a question for Interlogix as the serial number on the programmer wasn't recognized by the software.
That said, I can get the reader to go online (i.e. amber status light) but yeah, maybe I should have a rest from the PC for the night.
Dunno if you can help from what I've described or have had similar issues, but thanks all the same.
Regards
Warren
Offline
This was after selecting active system and saving
Last edited by warren7436 (2014-03-23 11:57:58)
Offline
It's been a while since I've played with this. Are you sure you don't have any ports configured other than the port that is to be used as the programmer?
If you have the ports configured and still can't get it going, send me an email.
Offline
Hi Warren,
Did you have any luck in copying your Tecom Smart Fob? Very interested to find out if you got to the bottom of it.
I'm trying to copy my access card for work (they charge $150 for a replacement and I've already lost two). At this point in time, I've had no luck using the PM3.
Mr N
Offline
Hi 0xFFFF,
Further to my previous post, if you could let me know if you found a solution, that would be much appreciated.
Thanks,
Mr N
> It's been a while since I've played with this. Are you sure you don't have any ports configured other than the port that is to be used as the programmer?
> If you have the ports configured and still can't get it going, send me an email.
Offline
Hi Mr N,
No, I've been pretty sick, so I put it aside for a while. However, a friend had found a thread on how to extract and decipher new codes with the pm3. I'll try and track it down and give it a go and let you know.
Offline
Hi Warren,
Sorry to hear about your health.
Appreciate your help and look forward to hearing how you progress!
All the best.
Mr N
Offline
Warren7436 why do you bother answering this noob.
He is obviously trying to duplicate the security cards and sell them to make profits.
Let him find out himself which he will never since he is a noob.
I'm the installer of the Tecom system, Mr Nobot get lost you cannot duplicate the fobs.
Offline
talk to 0xFFFF, he knows who I am
Offline
I think too many intelligent guys here are giving away too much to the noobs, there is a big difference between someone trying to learn about RFID and someone just asking stupid questions to turn it into a business!
We saw not a long time ago this Chinese guy from xfpga asking hits of question in this forum to finally create a cloner and sell it everywhere in the world, this idiot certainly didn't realise that they used his cloner on the TV show Mr Robot ah ah ah
Thanks to all smart guys here, giving him too much information, he is now rich and instead of using the Proxmark they used his noob cloner, what a shame...
If you want to keep helping noobs this is going to turn into dodgy businesses at the end!
You are smart enough to make the difference!
Offline
Hi Cardix,
Thanks for your judgmental, ill-informed post. I thought I'd take a minute to reply.
I'm certainly not trying to duplicate security cards other than my own. I'd hardly enjoy 50 staff members walking around with a clone of my own card. I'm simply looking to make a copy (possibly even two) of my own card so that I don't get stung with a $150 replacement fee for, in my case, a clamshell card (not a fob) worth about $2!
Yes, I am new to this forum, but so once were you. I've been reading all I can about 125kHz RFID in an attempt to make copies of my own card. I've purchased a proxmark3, and while I can make a backup of my card to gain entry into the lobby of my apartment building, I've been toiling away with no luck with the Hitag2 card.
If you find my questions stupid, move on and let someone more accommodating help the n00b. Go back to your Tecom ivory tower.
Mr N
Offline
I don't think it's worth answering. If you look carefully at all the 7 posts he (it?) made after registering today, it's all about "don't help that guy". Not very useful stuff.
Offline
> I don't think it's worth answering. If you look carefully at all the 7 posts he (it?) made after registering today, it's all about "don't help that guy". Not very useful stuff.

Thanks Jump.
I understand that he's trying to protect his business, and has every right to, but I'm not trying to take that away from him, simply clone my own card!
Offline
Cardix it must be so great to be born with the ability to know everything. Only a handful of people have this ability. You should change your name to Master Cardix.
Now I know the truth, people who know nothing and ask questions are the jerks ruining industry and society.
As I am still learning Master Cardix, can I ask one more question. Am I being sarcastic?
Offline
> Hi Mr N,
> No, I've been pretty sick, so I put it aside for a while. However, a friend had found a thread on how to extract and decipher new codes with the pm3. I'll try and track it down and give it a go and let you know.

Any luck with this one Warren?
If you find the thread, let me know and I'll also give it a go.
Cheers,
Mr N
Offline
https://github.com/Proxmark/proxmark3/wiki/lf%20tag%20operations
Offline
Cheers Warren.
Have had some fun playing with this, but no luck. Appreciate your help though.
Offline
Mr Nobot / warren7436,
It was interesting to see your discussion.
Did anyone else make any progress with Tecom tags?
Offline