Decode LF tag NORALSY (KCP3000)

marshmellow · 2016-02-19 22:21:17

weird. I run the same commands on the same trace and get the correct results every time... ???

iceman · 2016-02-19 22:25:50

My "lf se 1 u" identifies it as Manchester 64..

the "data raw am s" identifies it as Manchester 32..

marshmellow · 2016-02-19 22:27:11

does your lf search function in cmdlf.c have the:
ans=ASKDemod_ext("0 0 0",TRUE,FALSE,1,&st);
line?

marshmellow · 2016-02-19 22:29:13

I just verified with a clean download from my own fork and fresh build that lf search u gets the correct results from the traces.

iceman · 2016-02-19 22:33:19

You are right, I missed that one

marshmellow · 2016-02-19 22:40:56

np

ok so @rbubba1911, whenever you have time you can update once more and try `lf t55xx detect` once more...

once it is confirmed working I can review the code and submit it for the main repo.

oh and btw, rbubba1911's traces prove that the new code works even on weak reads which is a bonus...

Last edited by marshmellow (2016-02-19 22:47:24)

iceman · 2016-02-19 22:56:41

My lf search works on rbubba1911 traces. Gets the same for lf se and data raw am s.

marshmellow · 2016-02-19 23:09:16

the 8 and 6 may just be an xor of all the digits between (but not including) the FF and the 87/67

or more likely an xor of all the other digits besides the 8 and 6.
B ^ B ^ 0 ^ 2 ^ 1 ^ 4 ^ F ^ F ^ 6 ^ 8 ^ 1 ^0 ^ 2 ^ 0 ^ 1 ^ 5 ^9 ^ 6 ^ 7 = 6
B ^ B ^ 0 ^ 2 ^ 1 ^ 4 ^ F ^ F ^ 6 ^ 8 ^ 1 ^0 ^ 2 ^ 0 ^ 1 ^ 5 ^0 ^ 1 ^ 7 = 8

Last edited by marshmellow (2016-02-19 23:13:25)

iceman · 2016-02-19 23:20:49

I think your on to something!

6^8^1^0^2^0^1^5^9^6 == 6
6^8^1^0^2^0^1^5^0^1 == 8

you were faster

Last edited by iceman (2016-02-19 23:21:23)

iceman · 2016-02-19 23:22:28

And the 7000 ? parity?

marshmellow · 2016-02-19 23:29:28

an end of sequence marker?

Last edited by marshmellow (2016-02-19 23:29:38)

marshmellow · 2016-02-19 23:31:38

if only we had a few more tags to compare...

iceman · 2016-02-19 23:32:27

there are other noralys threads on the forum... should be some traces there..

marshmellow · 2016-02-19 23:42:22

iceman wrote:

there are other noralys threads on the forum... should be some traces there..

hmmm.. I haven't seen any...

iceman · 2016-02-20 00:04:52

http://www.proxmark.org/forum/viewtopic.php?id=2815

but it didn't have any info, maybe if we mail OP...

marshmellow · 2016-02-20 00:22:36

looks like he didn't have a PM3 so won't be helpful unless he's willing to send you his tag ...

iceman · 2016-02-20 00:25:38

Anyway, rbubba1911 have had his pm3 for awhile. Maybe he can sniff out some more details?

If he creates some clones where we changes one digit (one bit inside) and new xor-check, and see if the reader accepts it?

rbubba1911 · 2016-02-20 16:00:09

Hi people !

lot of post during my night !!
I'm ready to test some change on clone card,

I sync your fork, make clean, make, flash pm3 (I even try with a new git clone)

but t55 detect, search return nothing, even when I load the kcp trace

log:

Prox/RFID mark3 RFID instrument
bootrom: icemanmaster/v1.1.0-981-gc2d2a5a-dirty-suspect 2016-01-14 11:22:54
os: master/v1.1.0-690-g35cfcfc-suspect 2016-02-20 14:40:24
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 170452 bytes (65%). Free: 91692 bytes (35%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> da plot
proxmark3> da lo kcp300-cap1.txt
loaded 39999 samples
proxmark3> lf t55 detect 1
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

proxmark3> lf se 1 u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:
No Known Tags Found!

Checking for Unknown tags:
Possible Auto Correlation of 3200 repeating samples
Found Sequence Terminator

Using Clock:32, Invert:0, Bits Found:1152
ASK/Manchester - Clock: 32 - Decoded bitstream:
1011101100000010
0001010011111111
0110100000010000
0010000000010101
0000000110000111
0000000000000000
.. snip ..
1011101100000010
0001010011111111
0110100000010000
0010000000010101
0000000110000111
0000000000000000
1011101100000010
0001010011111111

Unknown ASK Modulated and Manchester encoded Tag Found!

if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'

proxmark3> da pr x
DemodBuffer: BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF

I try with live data after a lf read with the same result. maybe I do something wrong ...

Last edited by rbubba1911 (2016-02-20 16:02:42)

rbubba1911 · 2016-02-20 16:29:56

a curious behaviour:

PM3 in offline mode

./proxmark3 test
ERROR: invalid serial port
proxmark3> da pl
proxmark3> da lo kcp300-cap1.txt
loaded 39999 samples
proxmark3> da raw am s 32
Found Sequence Terminator
Using Clock:32, Invert:0, Bits Found:1152
ASK/Manchester - Clock: 32 - Decoded bitstream:

proxmark3> da pr x
DemodBuffer: BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF

proxmark3> lf t55 det 1
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

proxmark3> da pr x
DemodBuffer: FF0F30CCCCCCCF0CF0F333330F333330F33333330F0F0F3333330CF3330CCF3333333333333330C0C0F0CCF0CF333330F3330F0F30CCCCCCCF0CF0F333330F33
proxmark3>

marshmellow · 2016-02-20 16:41:35

The lf t5 detect routine can only be used offline on a loaded trace of a block 0 read. It is not intended to detect on a normal trace. But you should be able to detect online with your tag on the antenna now

Last edited by marshmellow (2016-02-20 17:17:50)

rbubba1911 · 2016-02-20 19:01:01

I've update your fork,

maybe i do something wrong, but here is my result :

./proxmark3 test
ERROR: invalid serial port
proxmark3> da pl
proxmark3> da lo kcp300-cap1.txt
loaded 39999 samples

proxmark3> lf t55 det 1
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

another thing "lf t55 det 1" seem to corrupt data buffer

./proxmark3 test
ERROR: invalid serial port
proxmark3> da pl
proxmark3> da lo kcp300-cap1.txt
loaded 39999 samples
proxmark3> da raw am s 32

Found Sequence Terminator

Using Clock:32, Invert:0, Bits Found:1152
ASK/Manchester - Clock: 32 - Decoded bitstream:
1011101100000010
0001010011111111
01101....

proxmark3> da pr x
DemodBuffer: BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF6810201501870000BB0214FF

proxmark3> lf t55 det 1
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

proxmark3> da pr x
DemodBuffer: FF0F30CCCCCCCF0CF0F333330F333330F33333330F0F0F3333330CF3330CCF3333333333333330C0C0F0CCF0CF333330F3330F0F30CCCCCCCF0CF0F333330F33

What is your sequence to use lf t55 detect 1 to work ?

marshmellow · 2016-02-20 19:03:38

Ok stop trying to lf t5 detect offline! It is not meant to be used the way you are using it, which is why it is not working. It will NEVER work on your trace.

marshmellow · 2016-02-20 19:50:05

It WILL work directly on your tag though... (online)

The ONLY way to attempt 'lf t5 detect 1' (offline) is if you'd saved a trace after a 'lf t5 read b 0' and then loaded that trace.

Last edited by marshmellow (2016-02-20 19:54:03)

rbubba1911 · 2016-02-20 22:16:51

sorry to bother you

but, only using "lf t55 detect" (online) output nothing,

using :
lf t55 read b 0
lf t55 detect 1 (offline)

also output nothing.

don't bit me

marshmellow · 2016-02-20 22:52:49

thanks for testing!

I just found I had to fix the clock detection routine to finally get the lf t55 detect working on your original block 0 trace (from a long time ago)...

on my tags I didn't need it as they are full cards with very strong signal and the clock detect worked without adjustment. on your small tag and weak signal the clock detect routine wasn't working correctly. and it is needed for the lf t55xx detect.

Updated again, maybe this time...

Last edited by marshmellow (2016-02-21 03:38:03)

rbubba1911 · 2016-02-21 13:08:33

Serious update man !

everything I test is working now
offline and online mode

congratulation for your work, you made it !

----------------------------------------------------------------
lf t55 dete
#db# DownloadFPGA(len: 42096)
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 32
Seq. Term. : Yes
Block0 : 0x00088C6A

proxmark3> lf t55 config
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 32
Seq. Term. : Yes
Block0 : 0x00088C6A

proxmark3> lf t55 read b 0
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00088C6A | 00000000000010001000110001101010

proxmark3> lf t55 info

-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 2 - RF/32
eXtended mode : No
Modulation : 8 - Manchester
PSK clock frequency : 3
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 3
Password mode : No
Sequence Start Terminator : Yes
Fast Write : No
Inverse data : Yes
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x00088C6A 00000000000010001000110001101010
-------------------------------------------------------------

I'm pleased to do more test I you need.

iceman · 2016-02-21 18:23:14

How about we get back to the thread and look at Noralys again?

If @rbubba1911 could test to make small changes to the raw data, and re-calc the potential checkbyte, (with xoring all individual hex symbols in modified raw data) and try it against a valid reader.. then that would be great.

M&S · 2016-02-21 23:16:21

I am sorry to jump on this thread.

I see the new Sw and like to try out on a AT55x7 chip and get this result. There is three things I would like to have clarify if it is normal
1/ it seems that I can successfully use lf t55xx trace only after used a lf t55xx read b 0

[== Undefined ==]
Prox/RFID mark3 RFID instrument          
bootrom: /-suspect 2016-02-21 13:55:57
os: /-suspect 2016-02-21 13:56:06
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 169009 bytes (32%). Free: 355279 bytes (68%).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory          
proxmark3> lf t55xx trace 
proxmark3> 
proxmark3> lf t55xx trace 
proxmark3> 
proxmark3> lf t55xx trace 
proxmark3> 
proxmark3> lf t55xx trace 
proxmark3> 
proxmark3> lf t55xx trace 
proxmark3> 
proxmark3> lf t55xx read b 0 p 
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 2 - RF/32          
Inverted   : No          
Offset     : 34          
Seq. Term. : No          
Block0     : 0x00080080          
Safety Check: PWD bit is NOT set in config block. Reading without password...          
  0 | 00080080 | 00000000000010000000000010000000          
proxmark3> 
proxmark3> lf t55xx trace 
-- T55x7 Trace Information ----------------------------------          
-------------------------------------------------------------          
 ACL Allocation class (ISO/IEC 15963-1)  : 0xE0 (224)          
 MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x39 (57) - Silicon Craft Technology Thailand          
 CID                                     : 0x00 (0) -           
 ICR IC Revision                         : 0          
 Manufactured          
     Year/Quarter : 2013/0          
     Lot ID       : 1105          
     Wafer number : 14          
     Die Number   : 19648          
-------------------------------------------------------------          
 Raw Data - Page 1          
     Block 1  : 0xE03900D0  11100000001110010000000011010000          
     Block 2  : 0x45174CC0  01000101000101110100110011000000          
-------------------------------------------------------------          
proxmark3>

2/ there is a different result in report on data blocks between "lf t55xx trace" and "lf t55xx dump"
3/ the new detect of STT is inconsistent between "lf search" (found) in "lf t55xx config", "lf t55xx trace" (not found) "

[== Undefined ==]
Prox/RFID mark3 RFID instrument          
bootrom: /-suspect 2016-02-21 13:55:57
os: /-suspect 2016-02-21 13:56:06
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 169009 bytes (32%). Free: 355279 bytes (68%).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory          
proxmark3> hw tu
Measuring antenna characteristics, please wait.......#db# DownloadFPGA(len: 42096)          
# LF antenna: 12.10 V @   125.00 kHz          
# LF antenna: 24.20 V @   134.00 kHz          
# LF optimal: 24.89 V @   134.83 kHz          
# HF antenna:  0.74 V @    13.56 MHz          
# Your HF antenna is unusable.          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3> 
proxmark3> lf t55xx read b 0 p 
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
#db# DownloadFPGA(len: 42096)          
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 2 - RF/32          
Inverted   : No          
Offset     : 34          
Seq. Term. : No          
Block0     : 0x00080080          
Safety Check: PWD bit is NOT set in config block. Reading without password...          
  0 | 00080080 | 00000000000010000000000010000000          
proxmark3> 
proxmark3> lf t55xx read b 1 p 
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 2 - RF/32          
Inverted   : No          
Offset     : 34          
Seq. Term. : No          
Block0     : 0x00080080          
Safety Check: PWD bit is NOT set in config block. Reading without password...          
  1 | 64DDFF20 | 01100100110111011111111100100000          
proxmark3> 
proxmark3> lf t55xx read b 2 p 
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 2 - RF/32          
Inverted   : No          
Offset     : 34          
Seq. Term. : No          
Block0     : 0x00080080          
Safety Check: PWD bit is NOT set in config block. Reading without password...          
  2 | 49906D07 | 01001001100100000110110100000111          
proxmark3> 
proxmark3> lf t55xx read b 3 p 
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 2 - RF/32          
Inverted   : No          
Offset     : 34          
Seq. Term. : No          
Block0     : 0x00080080          
Safety Check: PWD bit is NOT set in config block. Reading without password...          
  3 | 3148706C | 00110001010010000111000001101100          
proxmark3> 
proxmark3> lf t55xx read b 4 p 
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 2 - RF/32          
Inverted   : No          
Offset     : 34          
Seq. Term. : No          
Block0     : 0x00080080          
Safety Check: PWD bit is NOT set in config block. Reading without password...          
  4 | DB06C997 | 11011011000001101100100110010111          
proxmark3> 
proxmark3> lf t55xx trace 
-- T55x7 Trace Information ----------------------------------          
-------------------------------------------------------------          
 ACL Allocation class (ISO/IEC 15963-1)  : 0xE0 (224)          
 MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x39 (57) - Silicon Craft Technology Thailand          
 CID                                     : 0x00 (0) -           
 ICR IC Revision                         : 0          
 Manufactured          
     Year/Quarter : 2013/0          
     Lot ID       : 1105          
     Wafer number : 14          
     Die Number   : 19648          
-------------------------------------------------------------          
 Raw Data - Page 1          
     Block 1  : 0xE03900D0  11100000001110010000000011010000          
     Block 2  : 0x45174CC0  01000101000101110100110011000000          
-------------------------------------------------------------          
proxmark3> 
proxmark3> lf t55xx info 
-- T55x7 Configuration & Tag Information --------------------          
-------------------------------------------------------------          
 Safer key                 : 0          
 reserved                  : 0          
 Data bit rate             : 2 - RF/32          
 eXtended mode             : No          
 Modulation                : 0 - DIRECT (ASK/NRZ)          
 PSK clock frequency       : 0          
 AOR - Answer on Request   : No          
 OTP - One Time Pad        : No          
 Max block                 : 4          
 Password mode             : No          
 Sequence Start Terminator : No          
 Fast Write                : No          
 Inverse data              : No          
 POR-Delay                 : No          
-------------------------------------------------------------          
 Raw Data - Page 0          
     Block 0  : 0x00080080  00000000000010000000000010000000          
-------------------------------------------------------------          
proxmark3> 
proxmark3> lf t55xx config b  d t55xxdem i  o 
Unknown parameter 't'          
Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]          
Options:          
       h                        This help          
       b <8|16|32|40|50|64|100|128>  Set bitrate          
       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A          
       i [1]                         Invert data signal, defaults to normal          
       o [offset]                    Set offset, where data should start decode in bitstream          
       Q5                            Set as Q5(T5555) chip instead of T55x7          
       ST                            Set Sequence Terminator on          
Examples:          
      lf t55xx config d FSK          - FSK demodulation          
      lf t55xx config d FSK i 1      - FSK demodulation, inverse data          
      lf t55xx config d FSK i 1 o 3  - FSK demodulation, inverse data, offset=3,start from position 3 to decode data          
proxmark3> 
proxmark3> lf t55xx config
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 8 - (Unknown)          
Inverted   : No          
Offset     : 34          
Seq. Term. : No          
Block0     : 0x00080080          
proxmark3> 
proxmark3> lf t55xx dump 
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 00080080 | 00000000000010000000000010000000          
  1 | 64DDFF20 | 01100100110111011111111100100000          
  2 | 49906D07 | 01001001100100000110110100000111          
  3 | 3148706C | 00110001010010000111000001101100          
  4 | DB06C997 | 11011011000001101100100110010111          
Reading Page 1:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 00080080 | 00000000000010000000000010000000          
  1 | E03900D0 | 11100000001110010000000011010000          
  2 | 45174CC0 | 01000101000101110100110011000000          
  3 | 00A00003 | 00000000101000000000000000000011          
proxmark3> 
proxmark3> lf search  u
Reading 30000 bytes from device memory
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 4096 repeating samples          
Found Sequence Terminator          
No Data Found!
proxmark3> 
proxmark3> lf t55xx detect
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 2 - RF/32          
Inverted   : No          
Offset     : 34          
Seq. Term. : No          
Block0     : 0x00080080          
proxmark3>

" or perhaps we are too eager to detect it

Last edited by M&S (2016-02-21 23:27:03)

M&S · 2016-02-21 23:21:12

thank you for the new tools with this time modification Marshmellow and iceman, I could not see something like this before from my PM3. I saw the news from git and decided I must try out immediately

marshmellow · 2016-02-22 04:41:10

lf t55xx commands should always be preceded by a `lf t55xx detect` (or manually configured with `lf t55xx config`) then the client knows how to decode the rest of the tag's responses to the commands.

it also appears your tag is configured for NRZ/Direct modulation, which is not supported by `lf search` or the Sequence Terminator.

you also got lucky we built in a safety check for the password bit otherwise you would have hosed your tag multiple times running the read block command with a password when there shouldn't be one for your tag's configuration...

Last edited by marshmellow (2016-02-22 04:50:44)

marshmellow · 2016-02-22 05:06:32

iceman wrote:

How about we get back to the thread and look at Noralys again?
If @rbubba1911 could test to make small changes to the raw data, and re-calc the potential checkbyte, (with xoring all individual hex symbols in modified raw data) and try it against a valid reader.. then that would be great.

I agree with iceman. @rbubba1911 if we could use one of your t55x7's to emulate a tag number you DON'T have and see if our theory of the checksum is correct and your reader beeps or blinks or acts like it does when it sees a valid tag then we might learn something more here.

marshmellow · 2016-02-22 05:10:28

for example we could try: BB0214FF 68102015 02B70000

iceman · 2016-02-22 07:57:56

@M&S start a new thread with your questions please. And as Marshmellow said, you got really lucky there with the password read.

rbubba1911 · 2016-02-22 13:13:31

marshmellow wrote:

for example we could try: BB0214FF 68102015 02B70000

Hi,

I will program a T55 tag with this info.
I will program another T55 tag with a config block 0x000C8040

I'll try to dump another Noralys tag from a friend

I confirm, the luck about T55 and passwd

iceman · 2016-12-15 12:09:56

@OP, How did it go?

martinlbb · 2016-12-15 12:52:35

I guys,

I had access to some Noralsy blue tags, used for residential access. Unfortunately, I didn't write down engraved ID.
00088c6a bb0214ff 10298001 87c70000
00088c6a bb0214ff 20000101 91a70000
00088c6a bb0314ff 25299001 16360000

I confirm that 00088c6a is working well. I tried cloning theses tags on T55xx chip, and they all worked well.
On this, I got two regular tags (blue colored) and one credit card style (Parking access).
The parking access is the second one.

I have access to a friend bulding using that blue tag. He had 4 tags, I can get dump and engraved ID.

I will test with a invalid number (with valid checksum) to see if reader detect it or not.

Last edited by martinlbb (2016-12-15 13:03:08)

iceman · 2016-12-15 14:40:31

I think I have the last bytes. Its to seperate xoring of the nibbles. Its valid for the three samples above.

00088c6a bb0214ff 10298001 87c70000
                             ZX
z) 
Xor Nibbles 1029800187 = c

x) =
Xor Nibbles  bb0214ff1029800187c = 7

iceman · 2016-12-15 14:41:24

However the Block1, is different in the samples, which should indicate something since the xoring still matches up.

iceman · 2016-12-15 14:50:57

block0-- ???!???? AAA---AA AACD----
00088C6A BB0214FF 10298001 87C70000
-------- -------- CCCCCCCC CC---------
-------- DDDDDDDD DDDDDDDD DDD------

A = printed id  ( 1020187 )  BCD
C = xor nibbles of C
D = xor nibbles of D

iceman · 2016-12-15 18:05:08

Added what I know about Noralsy into my fork. SIM/CLONE/READ and detection in 'LF SEARCH'

pm3 --> lf nor clone 112233
Preparing to clone Noralsy to T55x7 with CardId: 112233
Blk | Data
----+------------
 00 | 0x00088068
 01 | 0xbb0214ff
 02 | 0x01198022
 03 | 0x33170000
pm3 --> lf nor read
Noralsy Tag Found: Card ID 112233,  Raw: BB0214FF0119802233170000

marshmellow · 2016-12-15 19:10:44

looks like now we only don't know the 3 nibbles in the middle of the ID.

iceman · 2016-12-15 19:15:51

The block1 seems to change aswell,

---x----
bb0214ff 
bb0314ff

marshmellow · 2016-12-15 20:19:09

yes, but i doubt it is calculated. possibly a location or facility code change? or a rollover number for the ID?

iceman · 2017-01-11 15:15:40

I have six samples of Noralsy tags and I've a guess for the 3missing nibbles.

# MISSING (***)
found values,  could it year?  in pdf [url]http://pdfstream.manualsonline.com/c/c1558e6a-0b6b-4a99-a9c8-12aa95518f88.pdf[/url]

020
010
980
001
990

It could be year.
  02 = 2002
  01 = 2001
  98 = 1998
  00 = 2000
  99 = 1999

It matches my samples at least. Only one nibble left. Month? or Quarter?

drakospart · 2017-02-07 18:19:50

http://pastebin.com/n30DYPGc

iceman · 2017-02-07 19:53:16

@drakospart that trace decodes as nedap for me. Doesnt look like Noralsy. Where did you get that trace?

Onisan · 2017-02-08 10:46:46

If you are in London and want to travel to Canary Wharf I will clone it for you, it takes less than 30 seconds.
Still haven't purchased the Proxmark though :-(

iceman · 2017-02-08 11:47:58

@onisan, when you do, some raw samples from your tags would be nice. Maybe you can get the raw bytes read already with your current reader?

Onisan · 2017-02-08 15:04:32

@iceman, I'd love to but my reader is a specific bit of tag copying kit so it only displays Hex blocks. I guess if we had the same tag I could tell you what the blocks should look like in byte Hex, but to do that we'd need to have the very same fob or at least have access to it.

Happy to assist in anyway I can though so if anyone has one and wants to know what the data should be I can certainly assist if they want to meet up or send a fob to me.

iceman · 2017-02-08 15:34:29

The hex blocks should do fine. I've seen others using TWN4 to share raw bytes.

Proxmark3 community

Announcement

#101 2016-02-19 22:21:17

Re: Decode LF tag NORALSY (KCP3000)

#102 2016-02-19 22:25:50

Re: Decode LF tag NORALSY (KCP3000)

#103 2016-02-19 22:27:11

Re: Decode LF tag NORALSY (KCP3000)

#104 2016-02-19 22:29:13

Re: Decode LF tag NORALSY (KCP3000)

#105 2016-02-19 22:33:19

Re: Decode LF tag NORALSY (KCP3000)

#106 2016-02-19 22:40:56

Re: Decode LF tag NORALSY (KCP3000)

#107 2016-02-19 22:56:41

Re: Decode LF tag NORALSY (KCP3000)

#108 2016-02-19 23:09:16

Re: Decode LF tag NORALSY (KCP3000)

#109 2016-02-19 23:20:49

Re: Decode LF tag NORALSY (KCP3000)

#110 2016-02-19 23:22:28

Re: Decode LF tag NORALSY (KCP3000)

#111 2016-02-19 23:29:28

Re: Decode LF tag NORALSY (KCP3000)

#112 2016-02-19 23:31:38

Re: Decode LF tag NORALSY (KCP3000)

#113 2016-02-19 23:32:27

Re: Decode LF tag NORALSY (KCP3000)

#114 2016-02-19 23:42:22

Re: Decode LF tag NORALSY (KCP3000)

#115 2016-02-20 00:04:52

Re: Decode LF tag NORALSY (KCP3000)

#116 2016-02-20 00:22:36

Re: Decode LF tag NORALSY (KCP3000)

#117 2016-02-20 00:25:38

Re: Decode LF tag NORALSY (KCP3000)

#118 2016-02-20 16:00:09

Re: Decode LF tag NORALSY (KCP3000)

#119 2016-02-20 16:29:56

Re: Decode LF tag NORALSY (KCP3000)

#120 2016-02-20 16:41:35

Re: Decode LF tag NORALSY (KCP3000)

#121 2016-02-20 19:01:01

Re: Decode LF tag NORALSY (KCP3000)

#122 2016-02-20 19:03:38

Re: Decode LF tag NORALSY (KCP3000)

#123 2016-02-20 19:50:05

Re: Decode LF tag NORALSY (KCP3000)

#124 2016-02-20 22:16:51

Re: Decode LF tag NORALSY (KCP3000)

#125 2016-02-20 22:52:49

Re: Decode LF tag NORALSY (KCP3000)

#126 2016-02-21 13:08:33

Re: Decode LF tag NORALSY (KCP3000)

#127 2016-02-21 18:23:14

Re: Decode LF tag NORALSY (KCP3000)

#128 2016-02-21 23:16:21

Re: Decode LF tag NORALSY (KCP3000)

#129 2016-02-21 23:21:12

Re: Decode LF tag NORALSY (KCP3000)

#130 2016-02-22 04:41:10

Re: Decode LF tag NORALSY (KCP3000)

#131 2016-02-22 05:06:32

Re: Decode LF tag NORALSY (KCP3000)

#132 2016-02-22 05:10:28

Re: Decode LF tag NORALSY (KCP3000)

#133 2016-02-22 07:57:56

Re: Decode LF tag NORALSY (KCP3000)

#134 2016-02-22 13:13:31

Re: Decode LF tag NORALSY (KCP3000)

#135 2016-12-15 12:09:56

Re: Decode LF tag NORALSY (KCP3000)

#136 2016-12-15 12:52:35

Re: Decode LF tag NORALSY (KCP3000)

#137 2016-12-15 14:40:31

Re: Decode LF tag NORALSY (KCP3000)

#138 2016-12-15 14:41:24

Re: Decode LF tag NORALSY (KCP3000)

#139 2016-12-15 14:50:57

Re: Decode LF tag NORALSY (KCP3000)