Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-01-27 17:24:55

fobIncognito
Contributor
Registered: 2020-01-27
Posts: 6

Copying an unknown tag (updated with picture and additional info)

Hi everyone,

I've got a 125kHz tag that I'd like to make copies of, but unfortunately I'm struggling to identify it.

[image: 76d166ac1b2329139066f5222b803f48.png]

Hardware

I've been experimenting with both my proxmark3 RDV4 and a multi-format USB Reader from RFIDeas called "pcProx" with model number RDR-6R81AKU.

Info about my proxmark3:

 [ CLIENT ]          
 client: iceman build for RDV40 with flashmem; smartcard;  
          
 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-1097-ga23414fe 2020-01-26 17:01:03
      os: iceman/master/ice_v3.1.0-1097-ga23414fe 2020-01-26 17:01:06

 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 241380 bytes (46%) Free: 282908 bytes (54%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory          

          
pm3 --> hw status
#db# Memory          
#db#   BIGBUF_SIZE.............40000          
#db#   Available memory........40000          
#db# Tracing          
#db#   tracing ................1          
#db#   traceLen ...............0          
#db# Currently loaded FPGA image          
#db#   mode.................... HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23          
#db# Flash memory          
#db#   init....................OK          
#db#   Memory size.............2 mbits / 256kb          
#db#   Unique ID...............0xd567a882a72a8d26          
#db# Smart card module (ISO 7816)          
#db#   version.................v2.06          
#db# LF Sampling config          
#db#   [q] divisor.............95 (125 KHz)          
#db#   [b] bps.................8          
#db#   [d] decimation..........1          
#db#   [a] averaging...........Yes          
#db#   [t] trigger threshold...0          
#db# USB Speed          
#db#   Sending USB packets to client...          
#db#   Time elapsed............1500ms          
#db#   Bytes transferred.......761856          
#db#   USB Transfer Speed PM3 -> Client = 507904 Bytes/s          
#db# Various          
#db#   MF_DBGLEVEL.............1          
#db#   ToSendMax...............-1          
#db#   ToSendBit...............0          
#db#   ToSend BUFFERSIZE.......2308          
#db# Installed StandAlone Mods          
#db#    LF HID26 standalone - aka SamyRun (Samy Kamkar)

Reading the tag

The pcProx reader is able to pull out some values.  It returns a Facility ID and User ID.  I won't include these here for security reasons, as this tag is still in use.

My proxmark3, running

lf search

returns no results. 

If I enable debug output I can see it is able to demodulate the signal as NRZ.

pm3 --> lf search
LF Signal properties:          
  high..........255          
  low...........0          
  mean..........121          
  amplitude.....134          
  is Noise......No          
  THRESHOLD noice amplitude......10          
[#] DEBUG: (setClockGrid) demodoffset 0, clk 0          
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
No data found!, clock tried:64          
Try again with more samples.          
  or after a 'data askedge' command to clean up the read          
getHiLo fuzzed: High 223 | Low 32          
getHiLo fuzzed: High 223 | Low 32          
[#] DEBUG: no data or error found 78, clock: 64          
[#] DEBUG: Error - Nedap ASKbiphaseDemod failed          
[#] DEBUG: Error - AWID problem during FSK demod          
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000          
getHiLo fuzzed: High 229 | Low 25          
getHiLo fuzzed: High 223 | Low 32          
getHiLo fuzzed: High 223 | Low 32          
DEBUG: (askdemod_ext) CLEAN: startIdx -9, alignPos 0          
[#] DEBUG: (ASKDemod_ext) Using clock:64, invert:0, bits found:326          
[#] DEBUG: (setClockGrid) demodoffset -9, clk 64          
# Errors during Demoding (shown as 7 in bit stream): 98          
ASK/Manchester - Clock: 64 - Decoded bitstream:          
7077010710777100
(redacted)
7777707701071077
710007          
[#] DEBUG: Error - Em410x preamble not found          
getHiLo fuzzed: High 223 | Low 32          
getHiLo fuzzed: High 223 | Low 32          
[#] DEBUG: no data or error found 258, clock: 32          
[#] DEBUG: Error - FDX-B ASKbiphaseDemod failed          
getHiLo fuzzed: High 223 | Low 32          
getHiLo fuzzed: High 223 | Low 32          
[#] DEBUG: no data or error found 78, clock: 64          
[#] DEBUG: Error - gProxII ASKbiphaseDemod failed          
[#] DEBUG: Error - HID problem during FSK demod          
[#] DEBUG: (PSKdemod) no data found, clk: 0, invert: 0, numbits: 30000, errCnt: -1          
[#] DEBUG: Error - Idteck PSKDemod failed          
[#] DEBUG: (PSKdemod) Too many errors found, clk: 32, invert: 0, numbits: 1552, errCnt: 628          
[#] DEBUG: Error - Indala can't demod signal: 0          
[#] DEBUG: Error - IO prox error during fskdemod          
getHiLo fuzzed: High 223 | Low 32          
getHiLo fuzzed: High 223 | Low 32          
[#] DEBUG: no data or error found 78, clock: 64          
[#] DEBUG: Error - Jablotron ASKbiphaseDemod failed          
[#] DEBUG: (PSKdemod) no data found, clk: 0, invert: 0, numbits: 30000, errCnt: -1          
[#] DEBUG: Error - NexWatch can't demod signal          
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000          
getHiLo fuzzed: High 229 | Low 25          
getHiLo fuzzed: High 223 | Low 32          
getHiLo fuzzed: High 223 | Low 32          
DEBUG: (askdemod_ext) CLEAN: startIdx 7, alignPos 0          
[#] DEBUG: (ASKDemod_ext) Too many errors found, errors:157, bits:344, clock:32          
[#] DEBUG: Error - Noralsy: ASK/Manchester Demod failed          
getHiLo fuzzed: High 242 | Low 12          
getHiLo fuzzed: High 223 | Low 32          
[#] DEBUG: (NRZrawDemod) Tried NRZ Demod using Clock: 32 - invert: 0 - Bits Found: 936          
[#] DEBUG: (setClockGrid) demodoffset 23, clk 32          
NRZ demoded bitstream:          
1110100110110010
(redacted)
0111111011011001
10          
[#] DEBUG: Error - PAC: preamble not found          
[#] DEBUG: Error - Paradox problem during FSK demod          
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000          
getHiLo fuzzed: High 229 | Low 25          
getHiLo fuzzed: High 223 | Low 32          
getHiLo fuzzed: High 223 | Low 32          
DEBUG: (askdemod_ext) CLEAN: startIdx 7, alignPos 0          
[#] DEBUG: (ASKDemod_ext) Too many errors found, errors:157, bits:344, clock:32          
[#] DEBUG: Error Presco ASKDemod failed          
[#] DEBUG: Error - Pyramid: problem during FSK demod          
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000          
getHiLo fuzzed: High 223 | Low 32          
getHiLo fuzzed: High 223 | Low 32          
DEBUG: (askdemod_ext) CLEAN: startIdx 3, alignPos 0          
[#] DEBUG: (ASKDemod_ext) Too many errors found, errors:157, bits:344, clock:40          
[#] DEBUG: Error - Securakey: ASK/Manchester Demod failed          
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000          
getHiLo fuzzed: High 223 | Low 32          
getHiLo fuzzed: High 223 | Low 32          
DEBUG: (askdemod_ext) CLEAN: startIdx -9, alignPos 0          
[#] DEBUG: (ASKDemod_ext) Using clock:64, invert:0, bits found:326          
[#] DEBUG: (setClockGrid) demodoffset -9, clk 64          
# Errors during Demoding (shown as 7 in bit stream): 98          
ASK/Manchester - Clock: 64 - Decoded bitstream:          
7077010710777100
(redacted)
7777707701071077
710007          
[#] DEBUG: Error - Viking Demod -4           
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000          
getHiLo fuzzed: High 229 | Low 25          
getHiLo fuzzed: High 223 | Low 32          
getHiLo fuzzed: High 223 | Low 32          
DEBUG: (askdemod_ext) CLEAN: startIdx -9, alignPos 0          
[#] DEBUG: (ASKDemod_ext) Too many errors found, errors:98, bits:326, clock:64          
[#] DEBUG: Error - Visa2k: ASK/Manchester Demod failed          
          
[-] No known 125/134 KHz tags Found!
          
LF Signal properties:          
  high..........127          
  low...........-128          
  mean..........2          
  amplitude.....125          
  is Noise......No          
  THRESHOLD noice amplitude......10          
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 6000          
getHiLo fuzzed: High 127 | Low -64          
getHiLo fuzzed: High 127 | Low -64          
DEBUG: (askdemod_ext) CLEAN: startIdx 0, alignPos 0          
[#] DEBUG: (ASKDemod_ext) No data found errors:-1, invert:0, bitlen:0, clock:16          
[#] DEBUG: Error - EM: ASK/Manchester Demod failed          
getHiLo fuzzed: High 127 | Low -64          
getHiLo fuzzed: High 127 | Low -64          
[#] DEBUG: Error BiphaseRawDecode: -1          
[#] DEBUG: Error - EM: ASK/biphase normal demod failed          
getHiLo fuzzed: High 127 | Low -64          
getHiLo fuzzed: High 127 | Low -64          
[#] DEBUG: Error BiphaseRawDecode: -1          
[#] DEBUG: Error - EM: ASK/biphase inverted demod failed          
[#] DEBUG: No data found          
[#] DEBUG: Error - EM: FSK clock failed          
[#] DEBUG: (setClockGrid) demodoffset 0, clk 0          
[#] DEBUG: Error - EM: PSK clock failed          
LF Signal properties:          
  high..........127          
  low...........-128          
  mean..........-6          
  amplitude.....133          
  is Noise......No          
  THRESHOLD noice amplitude......10          
[#] DEBUG: No data found          
[#] DEBUG: (setClockGrid) demodoffset 0, clk 0          
getHiLo fuzzed: High 127 | Low -76          
getHiLo fuzzed: High 127 | Low -64          
[#] DEBUG: (setClockGrid) demodoffset 192, clk 32          
Auto-detected clock rate: 32, Best Starting Position: 192          
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 7679          
getHiLo fuzzed: High 127 | Low -76          
getHiLo fuzzed: High 127 | Low -64          
getHiLo fuzzed: High 127 | Low -64          
DEBUG: (askdemod_ext) CLEAN: startIdx 0, alignPos 0          
[#] DEBUG: (ASKDemod_ext) No data found errors:-1, invert:0, bitlen:0, clock:32          
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 7679          
getHiLo fuzzed: High 127 | Low -76          
getHiLo fuzzed: High 127 | Low -64          
getHiLo fuzzed: High 127 | Low -64          
DEBUG: (askdemod_ext) CLEAN: startIdx 0, alignPos 0          
[#] DEBUG: (ASKDemod_ext) No data found errors:-1, invert:1, bitlen:0, clock:32          
getHiLo fuzzed: High 127 | Low -64          
getHiLo fuzzed: High 127 | Low -64          
[#] DEBUG: Error BiphaseRawDecode: -1          
getHiLo fuzzed: High 127 | Low -64          
getHiLo fuzzed: High 127 | Low -64          
[#] DEBUG: Error BiphaseRawDecode: -1          
getHiLo fuzzed: High 127 | Low -102          
[#] DEBUG: (setClockGrid) demodoffset 0, clk 0

Now, if I run lf read myself I can see it captures a clear waveform and that the pattern repeats a few times. 
And, since certain parts of the waveform contain sustained lows or sustained highs, the guess that it's NRZ modulated seems correct:

[image: a2be0a69d7bb87c2aba2e55d3da19d72.png]

I can get a stream of bits for the tag running the following:

lf read
data norm
data raw nr 32

However there seems to be no relation between this data and the data returned by the pcProx device.  I've tried inverting, reversing, and offsetting the bit stream and there still seems to be no relation.

Simulating

Interestingly, I have been able to replay the data and open my building door by doing the following:

lf read
data norm
data di 60 -60
lf sim

So, this rules out reading errors as a problem.

The Question

If I'm unable to find the format of this tag, is there still a way to copy it to another tag?  That would seem too good to be true, but I thought I'd ask here.  I'm still very new to all this, so Googling for answers is proving difficult since I don't know my terminology yet.

Any help is appreciated.

Cheers.

Last edited by fobIncognito (2020-01-28 00:04:23)
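Added example (not Proxmark3 client code, and not the poster's own): a small NRZ demodulator that mirrors what the `lf read` / `data norm` / `data raw nr 32` steps above do, plus the check behind the "sustained highs or lows means NRZ" reasoning. Manchester coding forces a level change in the middle of every bit period, so a level that holds for longer than one clock period (32 samples here) rules Manchester out. The 16-bit pattern, the clock of 32 samples per bit and the 127/-128 levels are constructed assumptions, not the credential from the post.

```python
"""NRZ vs Manchester check and NRZ demodulation over a normalised LF sample buffer.

Added example for the Proxmark3 forum thread; the waveform below is constructed,
it is not a capture of the poster's fob.
"""
from collections import Counter

CLOCK = 32            # samples per bit, the "32" in `data raw nr 32` (assumption)
HIGH, LOW = 127, -128 # sample levels after `data norm` (assumption)

# Constructed 16-bit pattern used as sample input (not a real credential).
SAMPLE_BITS = "1110100110110010"


def nrz_encode(bits, clk=CLOCK, offset=0):
    """NRZ: the level holds for the whole bit period (1 = HIGH, 0 = LOW).
    `offset` leading LOW samples model an unaligned capture start."""
    samples = [LOW] * offset
    for b in bits:
        samples.extend([HIGH if b == "1" else LOW] * clk)
    return samples


def manchester_encode(bits, clk=CLOCK):
    """Manchester: every bit period contains a mid-period transition
    (1 = HIGH then LOW, 0 = LOW then HIGH)."""
    half = clk // 2
    samples = []
    for b in bits:
        first, second = (HIGH, LOW) if b == "1" else (LOW, HIGH)
        samples.extend([first] * half + [second] * (clk - half))
    return samples


def max_run_length(samples):
    """Longest run of consecutive samples on the same side of zero."""
    longest = run = 0
    prev = None
    for s in samples:
        level = s > 0
        run = run + 1 if level == prev else 1
        prev = level
        longest = max(longest, run)
    return longest


def looks_like_nrz(samples, clk=CLOCK):
    """Manchester can never hold a level for more than one bit period,
    so a run longer than `clk` samples points at NRZ (or another
    level-holding code), which is the observation made in the post."""
    return max_run_length(samples) > clk


def find_bit_offset(samples, clk=CLOCK):
    """Phase of the bit grid: the sample index modulo `clk` at which level
    transitions cluster. In NRZ every transition sits on a bit boundary."""
    phases = Counter(
        i % clk
        for i in range(1, len(samples))
        if (samples[i] > 0) != (samples[i - 1] > 0)
    )
    return phases.most_common(1)[0][0] if phases else 0


def nrz_demod(samples, clk=CLOCK, offset=None):
    """Sample the middle of each bit period and emit '1' for HIGH, '0' for LOW."""
    if offset is None:
        offset = find_bit_offset(samples, clk)
    bits = []
    for start in range(offset, len(samples) - clk + 1, clk):
        bits.append("1" if samples[start + clk // 2] > 0 else "0")
    return "".join(bits)


if __name__ == "__main__":
    nrz = nrz_encode(SAMPLE_BITS, CLOCK, offset=5)
    man = manchester_encode(SAMPLE_BITS)
    print("max run NRZ / Manchester:", max_run_length(nrz), max_run_length(man))
    print("NRZ suspected:", looks_like_nrz(nrz), "| Manchester suspected as NRZ:", looks_like_nrz(man))
    print("bit offset:", find_bit_offset(nrz), "demod:", nrz_demod(nrz))
```

The offset search matters in practice: `lf read` starts sampling at an arbitrary point in the tag's repeating stream, so the bit grid has to be aligned before the mid-bit samples mean anything, which is also why inverting and shifting a misaligned stream (as tried in the post) does not recover the reader's Facility/User fields.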


#2 2020-01-30 15:04:14

fobIncognito
Contributor
Registered: 2020-01-27
Posts: 6

Re: Copying an unknown tag (updated with picture and additional info)

Any suggestions on how to move forward identifying this tag?

Would sniffing a valid read off the building or my USB reader add any new information?


#3 2020-01-30 15:17:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,486
Website

Re: Copying an unknown tag (updated with picture and additional info)

First, start using the latest source from the RRG/Iceman repo for your RDV4. ref: https://github.com/rfidresearchgroup/proxmark3

Then save and share a trace. Replace xxxx in the file name with any printed numbers on the tag/fob:

lf read
data save f lf_nrz_xxxxxx.pm3


#4 2020-01-30 15:51:30

fobIncognito
Contributor
Registered: 2020-01-27
Posts: 6

Re: Copying an unknown tag (updated with picture and additional info)

Thanks for the response.

Unfortunately, everyone in the building uses the same fob.  I'd only be comfortable giving a trace of it publicly if I could also then blacklist it in our system.  However, that's not possible since it would kick everyone out.

I know.  Not ideal.

If you're personally interested in the trace I'll take one when I'm back at the workshop and send it to you directly.


#5 2020-01-30 16:14:44

fobIncognito
Contributor
Registered: 2020-01-27
Posts: 6

Re: Copying an unknown tag (updated with picture and additional info)

For more context:

I run a hackspace and we share a building with a number of other community organisations.

The organisation that runs the building is, like the rest of us, very budget constrained.  As a result, the building security configuration is pretty basic.  We have one fob authorised to open the building and that's it.

As such, each individual must pay around £10 to get a copy of that fob.

My goals:

  1. Reduce the cost of copying fobs by doing it ourselves.

  2. Add a second, unique piece of information to each fob.

  3. Roll out an attendance system (already written) which would read this second unique id to uniquely identify people.

  4. ... and, of course, just get more experience with RFID.

So, ideally, I'll figure out the format and that format would support adding additional information to the fob.
But, even if I only manage to reduce the cost of copying fobs it's already a win for the larger group.
