[+] PAC/Stanley - Card: AE4D3B36, Raw: FF2049906D075145911D9B21D9B36C03
[+] PAC/Stanley - Card: AE4D5B36, Raw: FF2049906D075145911D5B21D9B36CC3
[+] PAC/Stanley - Card: AE5D1B36, Raw: FF2049906D075155B11D1921D9B36D83
I've successfully managed to copy the PAC keyfob onto a T5577 card. First you need to read the raw data of your PAC tag as in the outputs quoted in previous posts. If your PAC tag is not detected you might want to try the "hack" I described in my previous post where you change the NRZ demod function to default to inverted mode.
Once you have the raw data (that FF204... string), split it in 8 character blocks, then do the following:
lf t55 write b 1 d <first 8 chars of the raw data, FF204....>
lf t55 write b 2 d <second 8 chars of the raw data>
lf t55 write b 3 d <third 8 chars>
lf t55 write b 4 d <last 8 chars>
Finally set the config of the T5577 card to simulate the PAC's radio properties (modulation, etc):
lf t55 write b 0 d 80080
At this point it will stop responding to "lf t55 ..." commands but should now become detectable by the "lf pac read" command.
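The raw value and the block split used in the cloning recipe above, worked through as an added example that is not part of this thread or of the Proxmark code. The frame layout it implements (38-bit preamble, then nine 10-bit async frames carrying one ASCII character each, LSB-first with an odd-parity bit in bit 7, the ninth frame being the XOR of the eight 7-bit characters) is my reading of the raw values quoted in this thread and should be treated as an assumption; the function names are mine.

```python
# Added example: decode/encode the 128-bit PAC/Stanley raw value and derive the
# T5577 write commands from it. Layout inferred from the raws quoted in this
# thread (assumption): 38-bit preamble (top bits of 0xFF2049906D), then nine
# 10-bit async frames: start bit 0, 8 data bits LSB-first (bit 7 = odd parity
# over bits 0-6), stop bit 1. Frames 0-7 are the ASCII card ID, frame 8 is the
# XOR of the eight 7-bit characters, with its own parity bit.
PREAMBLE_BITS = format(0xFF2049906D, "040b")[:38]
T5577_CONFIG = "80080"  # block 0 value from the recipe above

def _odd_parity(v7: int) -> int:
    # parity bit that makes the total number of ones in the frame odd
    return 0 if bin(v7).count("1") % 2 else 1

def _frame(bits: str) -> int:
    # one 10-bit frame: start 0, data LSB-first, stop 1
    if bits[0] != "0" or bits[9] != "1":
        raise ValueError("framing error")
    return int(bits[1:9][::-1], 2)

def decode_pac(raw_hex: str) -> str:
    """Return the 8-character card ID, verifying preamble, parity and checksum."""
    bits = format(int(raw_hex, 16), "0128b")
    if bits[:38] != PREAMBLE_BITS:
        raise ValueError("bad preamble")
    frames = [_frame(bits[38 + 10 * i: 48 + 10 * i]) for i in range(9)]
    for f in frames:
        if (f >> 7) != _odd_parity(f & 0x7F):
            raise ValueError("parity error")
    chars = [f & 0x7F for f in frames[:8]]
    cs = 0
    for c in chars:
        cs ^= c
    if cs != frames[8] & 0x7F:
        raise ValueError("checksum mismatch")
    return "".join(map(chr, chars))

def encode_pac(card_id: str) -> str:
    """Build the 32-hex-digit raw value for an 8-character ASCII card ID."""
    if len(card_id) != 8 or any(ord(c) > 0x7F for c in card_id):
        raise ValueError("card ID must be 8 ASCII characters")
    vals = [ord(c) for c in card_id]
    cs = 0
    for v in vals:
        cs ^= v
    out = PREAMBLE_BITS
    for v in vals + [cs]:
        byte = v | (_odd_parity(v) << 7)
        out += "0" + format(byte, "08b")[::-1] + "1"
    return format(int(out, 2), "032X")

def t5577_commands(raw_hex: str) -> list:
    """Split the raw value into the four data blocks plus the config block."""
    blocks = [raw_hex[i:i + 8] for i in range(0, 32, 8)]
    cmds = [f"lf t55 write b {n} d {b}" for n, b in enumerate(blocks, 1)]
    return cmds + [f"lf t55 write b 0 d {T5577_CONFIG}"]
```

Running decode_pac over the three raws at the top of this post and the one quoted further down reproduces the card IDs the client printed, and encode_pac is the exact inverse.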
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-200-ge6158a4-suspect 2020-09-05 11:21:35
os: master/v3.1.0-200-ge6158a4-suspect 2020-09-05 11:27:41
fpga_lf.bit built for 2s30vq100 on 2019/11/21 at 09:02:37
fpga_hf.bit built for 2s30vq100 on 2020/03/05 at 19:09:39
SmartCard Slot: not available
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 209033 bytes (40%). Free: 315255 bytes (60%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
I'm now trying to read a PAC keyfob and have run into some problems. Using the code from the repo, "lf search" didn't find anything. I am getting somewhere with the following though:
proxmark3> lf read
#db# LF Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# [s] samples to skip: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 7b 7b 7a 78 7a 78 48 0e ...
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3> data samples 20000
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3> data autocorr 2000
performing 18000 correlations
Possible Correlation: 4096 samples
Now I don't have the exact commands at hand but I've managed to extract the raw bitstream from that and then searched for the PAC preamble (https://github.com/Proxmark/proxmark3/blob/fdee1ffa8419e8357913582f53e74218cae5b3d4/client/cmdlfpac.c#L32) in there to no avail. However inverting the preamble (converting ones to zeros and the reverse) I found a repeating pattern - somehow the demodulation is inverted?
As a hack I've changed the "NRZrawDemod" function to always default to inverted mode (set invert=1 instead of invert=0 at line 907 of client/cmddata.c) and after recompiling, "lf search" is now successfully recognizing the PAC keyfob:
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
Tried NRZ Demod using Clock: 32 - invert: 1 - Bits Found: 936
NRZ demoded bitstream:
1011001010001100
[truncated]
0010100111011000
PAC/Stanley Tag Found -- Raw: FF2049906[truncated]
How the Raw ID is translated by the reader is unknown
Valid PAC/Stanley ID Found!
Now my questions are:
1) what is going on with the requirement to invert the NRZ demodulation? Is it a hardware quirk of my "counterfeit" Proxmark or do I have some kind of weird type of PAC keyfob that's inverted? I have tried 2 tags from the same premises and they both exhibit the same problem (despite working perfectly and decoding to a plausible value as the starting part "FF2049906" is the same for the other posts in this thread). Needless to say the tags work fine for opening the door.
2) How do I emulate this? As a proof of concept I'd like to emulate this tag with the Proxmark. Am I correct in saying that emulation doesn't care about decoding data as it can just replay the raw waveform, thus I can do "lf raw" and then "lf sim"? Do I need to set some extra parameters in "lf config" first? Or do I need to properly demodulate the data before being able to simulate it?
3) How would I write this to a T5577 tag? I'm pretty sure it's doable and it's just a matter of understanding the T5577 datasheet and setting its config blocks properly, but I wonder if someone has already figured that out and would be willing to provide the required settings? I know Proxmark has some code to clone other types of tags (and that code sets the required T5577 blocks) so I was wondering if someone has already done that research for these PAC (or similar) keyfobs.
Thanks!
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] PAC/Stanley Tag Found -- Card ID: CD4F5552, Raw: FF2049906D8511C593155B56D5B2649F
[+] Valid PAC/Stanley ID found!
rrg/iceman repo
pm3-> lf read
pm3-> data save f lf_unk_nnnnn
official repo
proxmark3-> lf read
proxmark3-> data save lf_unk_nnnnn.pm3