Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2019-07-24 22:58:53

batman192
Contributor
Registered: 2019-07-16
Posts: 24

Tinkering with AWID- any ideas appreciated

Hi all,

I've got a key fob that returns the following with "lf search" (This is a Proxmark3 RDV2 with Iceman's fork):

Checking for known tags:
AWID Found - BitLength: 37, FC: 2593, Card: 172082 - Wiegand: 510d4065f, Raw: 012244841db11727e1111111          
          
[+] Valid AWID ID Found!
          

Valid T55xx Chip Found
Try `lf t55xx` commands

Theoretically, if I run the "lf awid clone" command with the proper parameters (37 2593 172082), this would/could be cloned onto other t55xx cards.

However, after carrying out the experiment, the new card returns the following:

AWID Found - BitLength: 37, FC: 2593, Card: 172082 - Wiegand: 1510d40640, Raw: 012274841db1172111111111          
          
[+] Valid AWID ID Found!
          

Valid T55xx Chip Found
Try `lf t55xx` commands

         
Everything is right except that damn Wiegand and trailing binary.

HOWEVER, I've been successful with cloning the fob, I just had to run "lf t55xx dump" and then manually write each block to the t55xx card.

I'm hoping someone here can assist with cloning an AWID with just a Bit Length, Facility Code, and Card Number.

Any ideas, friends?

Last edited by batman192 (2019-07-25 13:56:20)


#2 2019-08-12 21:57:42

batman192
Contributor
Registered: 2019-07-16
Posts: 24

Re: Tinkering with AWID- any ideas appreciated

Okay, I'm back from DEF CON with an answer!

I spoke to someone incredibly knowledgeable on Proxmark and RFID hacking, and got my answer.

Short answer: We aren't there yet in terms of RFID research in terms of being able to clone an AWID with an identical Wiegand value from just a simple touch with the proxmark, UNLESS we do one of two things:

1. Dump the contents of the entire card in raw data as I did above and write it to a blank T55xx card (Requires either continuous access to a badge or a long-distance LF antenna, which is in the works for mass distribution)
2. Obtain an AWID reader and understand/decode the signal sent to the reader from the key fob/badge and compare it to the Proxmark. The reader in this case is a CanProx reader by Cansec (https://www.cansec.com/products/access- … x-one.html). If anyone has one (or would like to donate one as I'm not sure how to go about purchasing a single reader) please don't hesitate to reach out.

Last edited by batman192 (2019-08-12 21:58:37)


#3 2019-10-02 00:48:18

RFID.consultant
Contributor
From: USA
Registered: 2019-09-25
Posts: 3

Re: Tinkering with AWID- any ideas appreciated

I can send you an AWID Reader. But they are really cheap on eBay. See https://www.ebay.com/sch/i.html?_from=R40&_trksid=p2380057.m570.l1313.TR11.TRC2.A0.H0.Xawid+prox+reader.TRS1&_nkw=awid+prox+reader&_sacat=0

I am also looking to decode AWID formats including:

26-bit
33-bit DSX
34-bit RS2
36-bit IEI
37-bit PCSC
CS-AWID-RBH50: 50-bit


#4 2019-10-03 20:35:05

batman192
Contributor
Registered: 2019-07-16
Posts: 24

Re: Tinkering with AWID- any ideas appreciated

RFID.consultant wrote:

I can send you an AWID Reader. But they are really cheap on eBay. See https://www.ebay.com/sch/i.html?_from=R40&_trksid=p2380057.m570.l1313.TR11.TRC2.A0.H0.Xawid+prox+reader.TRS1&_nkw=awid+prox+reader&_sacat=0

I am also looking to decode AWID formats including:

26-bit
33-bit DSX
34-bit RS2
36-bit IEI
37-bit PCSC
CS-AWID-RBH50: 50-bit

I appreciate it! It's good to know that they're quite cheap, I didn't know they're that inexpensive. Unfortunately for my use case here, I'd need that specific reader provided by CANSEC. The reason for this is because there may be a difference between how CanSec's AWID readers interpret and parse the tag as opposed to other AWID readers, and I'm hoping to have as close to a replica of the access control system I am up against.

I'm hoping the data and information I learn and dump here can assist with uncovering more about AWID and its implementation :)


#5 2019-10-04 22:33:17

RFID.consultant
Contributor
From: USA
Registered: 2019-09-25
Posts: 3

Re: Tinkering with AWID- any ideas appreciated

The reader you are referring to is actually made by Farpointe Data Systems. One such reader that supports AWID can be found at http://www.farpointedata.com/downloads/datasheets/P300_TDS.pdf

All of Farpointe's Prox readers can be found here
http://www.farpointedata.com/products/proximity-readers-and-credentials.php

I'm still confused about why you don't want to use a genuine AWID reader since only an AWID reader can be assumed to interpret their own cards properly.


#6 2019-10-06 14:11:11

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Tinkering with AWID- any ideas appreciated

Most LF AWID follows the binary encoding outlined in the AWID image in this thread http://www.proxmark.org/forum/viewtopic.php?id=1767

It outlines how a Wiegand format (i.e. 26 bit) is encoded for AWID.
The Wiegand format inside the AWID format changes per bit length, but the only thing not known is the individual Wiegand format breakdown (parities and field lengths), but many Wiegand formats are known and can be inserted inside the AWID format manually.
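
Added example, not part of any post in this thread: a decoder for the two Raw values quoted in post #1. It assumes the frame layout used by the Proxmark3 client's AWID demodulator (8-bit preamble 0x01, then 4-bit groups of three data bits plus one odd-parity bit, with the first 8 data bits giving the Wiegand length) and its 37-bit field split (FC in Wiegand bits 1-13, card number in bits 14-31); the function names are illustrative.

```python
# Constructed from post #1: the two "Raw" values printed by `lf search`.
ORIGINAL_RAW = "012244841db11727e1111111"  # the key fob
CLONE_RAW = "012274841db1172111111111"     # the card written by `lf awid clone`


def strip_parity(raw_hex):
    """Return the 66 data bits of a 96-bit AWID frame as a '0'/'1' string."""
    if len(raw_hex) != 24:
        raise ValueError("expected 24 hex digits (96 bits)")
    bits = bin(int(raw_hex, 16))[2:].zfill(96)
    if bits[:8] != "00000001":
        raise ValueError("missing 0x01 preamble")
    data = []
    for i in range(8, 96, 4):
        group = bits[i:i + 4]
        if group.count("1") % 2 != 1:  # assumed: odd parity over each 4-bit group
            raise ValueError(f"parity check failed at bit {i}")
        data.append(group[:3])
    return "".join(data)


def decode(raw_hex):
    """Split the data bits into length, Wiegand bits and (for 37-bit) fields."""
    data = strip_parity(raw_hex)
    length = int(data[:8], 2)
    wiegand = data[8:8 + length]
    out = {"length": length, "wiegand": wiegand,
           "wiegand_hex": format(int(wiegand, 2), "x"),
           "padding": data[8 + length:]}
    if length == 37:  # assumed field split, see lead-in
        out["fc"] = int(wiegand[1:14], 2)
        out["card"] = int(wiegand[14:32], 2)
        out["tail"] = wiegand[32:]  # five bits the FC/card readout does not show
    return out


def diff_bits(a, b):
    """0-based Wiegand bit positions where two decoded frames differ."""
    return [i for i, (x, y) in enumerate(zip(a["wiegand"], b["wiegand"])) if x != y]


if __name__ == "__main__":
    fob, clone = decode(ORIGINAL_RAW), decode(CLONE_RAW)
    for name, d in (("fob", fob), ("clone", clone)):
        print(name, d["length"], d["fc"], d["card"], d["wiegand_hex"], d["tail"])
    print("differing Wiegand bits:", diff_bits(fob, clone))
```

Under those assumptions both frames decode to FC 2593 and card 172082, and they differ only in Wiegand bit 0 and the last five Wiegand bits, which accounts for the two different Wiegand hex values in post #1.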


#7 2019-10-07 19:13:41

batman192
Contributor
Registered: 2019-07-16
Posts: 24

Re: Tinkering with AWID- any ideas appreciated

Thank you both. RFID.consultant, the reason is "just in case", meaning I'm making sure to replicate the target environment as much as possible to avoid any potential issues, regardless of whether the readers parse the data the same way.

That said, it sounds like the P300 AWID reader module is actually what I'm after since I assume that module would be included were I to buy a CanProx One reader, according to their brochure (https://www.cansec.com/downloads/send/42-proximity-readers/77-canprox-one-installation-guide). I assumed CanSec had their own AWID reader embedded in the CanProx one, but this seems to be not the case.


#8 2022-11-04 17:35:17

diamondrail
Contributor
Registered: 2017-08-07
Posts: 35

Re: Tinkering with AWID- any ideas appreciated

Is there anyone else looking into this issue?

Last edited by diamondrail (2022-11-04 17:36:26)


#9 2022-11-04 17:35:50

diamondrail
Contributor
Registered: 2017-08-07
Posts: 35

Re: Tinkering with AWID- any ideas appreciated

batman192 wrote:

Thank you both. RFID.consultant, the reason is "just in case", meaning I'm making sure to replicate the target environment as much as possible to avoid any potential issues, regardless of whether the readers parse the data the same way.

That said, it sounds like the P300 AWID reader module is actually what I'm after since I assume that module would be included were I to buy a CanProx One reader, according to their brochure (https://www.cansec.com/downloads/send/42-proximity-readers/77-canprox-one-installation-guide). I assumed CanSec had their own AWID reader embedded in the CanProx one, but this seems to be not the case.

Batman, when you manually wrote the blocks on the new t55xx card, which pages and blocks did you write? I am getting that error with the trailing "1" on the wiegand number as well.
