Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#1 2019-09-26 14:54:42

jamesmat
Contributor
Registered: 2019-09-23
Posts: 6

Unknown tag and it might be unique (!)

I might have a unique tag in my hands and I could use any assistance possible!


The tag (encased in plastic) holds credits and can be "re-written/filled" by a PC reader/writer which seems to be proprietory and is NOT sold to end users.

The tag was introduced in the market circa 2002 in Italy by a (now defunct) company named "OTR". OTR's founder holds many patents and the company had a lot of R&D stuff plus an assembly line. So there is a huge possibility that the PCB was printed inhouse and the chip is "custom".
The tag's, marketing name was "Genius". When OTR ceased to exist, a new Italian company named "Paytec" carried on marketing and selling the tags and hardware. Nowadays, "Paytec" does not seem to market any more the "Genius" but an other Italian company is still selling tags and hardware (only to B2B). The tags are extremely popular in the Mediterranean countries!  (see relevant photos; link below)


Proxmark3:
-------------

I am currently running on iceman's latest firmware (I have also tried with the latest official firmware; results are identical).
The proxmark3 can read all my various (diffent types) of tags I throw at it; so it works fine.

If not mistaken, "130 LF" is imprinted on the PCB and it seems to draw power in the LF.
Proxmark can't however detect anything valuable (see relevant photos; link below)

I have no clue what the tag really is. Is it supposed to wake up with a special pattern?
Is it proprietary?

I can even ship/send it if anyone wants to investigate 1st hand.

Thanks in advance!




*** Please see all relevant photos at:

https://photos.app.goo.gl/D7tMf4rhMt8h7hvS7
https://photos.app.goo.gl/atCHyfa3YM3qmGNR6

Last edited by jamesmat (2019-09-26 20:33:58)

Offline

#2 2019-09-26 18:45:39

iceman
Administrator
Registered: 2013-04-25
Posts: 5,760
Website

Re: Unknown tag and it might be unique (!)

that looks like an ASK based signal from the tag trace.

Save a trace file and share it here smile

lf read
data save otr_lf130.pm3
data detect a
data raw am
data print x

And if you have more of those tags, I am interested in one smile  but start with a trace file.

[edited]


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#3 2019-09-26 19:11:37

jamesmat
Contributor
Registered: 2019-09-23
Posts: 6

Re: Unknown tag and it might be unique (!)

Thanks iceman for your prompt reply!

1) "lf read" commands outcome (note that "data raw am" and "data print x" produced no output):
https://photos.app.goo.gl/LupF3t8KVKF8f26C7

2) "otr_lf130.pm3" file uploaded: https://we.tl/t-QgPzAgV1CN

3) Excuse my ignorance. What exactly do you mean with "that look like and ASK based trace."?

4) Yes, of course I can provide you with a tag!


PS: would you be interested in a Teamviewer/AnyDesk session? This way you can examine the tag live

smile

Last edited by jamesmat (2019-09-26 20:35:01)

Offline

#4 2019-09-27 03:07:34

iceman
Administrator
Registered: 2013-04-25
Posts: 5,760
Website

Re: Unknown tag and it might be unique (!)

That was just my bad spelling. I edited the post.

Anyway,  thanks for the trace.   The signal is kind of bad,  the carrier spills over.
Which Proxmark3 device are you using?


"data correleation w 8000 g" shows a correlation of 6272.
"data detectclock a" shows a clock of 32
Which gives  6272 / 32 = 196 bits repeating pattern.
which would be 196/8 = 24bytes.

...some few tries later....

It looks manchester encoded.

[usb] pm3 --> da manraw                                                                                                                                    Manchester Decoded - # errors:0 - data:
10010101000101010000000010110110
10001000000000000110001110111110
11000111110001100001010001110011
11000111110001100001010001110011
10001000000100110000000011001111
00000100000000000111011010110011
10010101000101010000000010110110
10001000000000000110001110111110
11000111110001100001010001110011
11000111110001100001010001110011
10001000000100110000000011001111
00000100000000000111011010110011
10010101000101010000000010110110
10001000000000000110001110111110
11000111110001100001010001110011
11000111110001100001010001110011

Which finally leads to the repeating 24bytes.

95 15 00 B6 88 00 63 BE
C7 C6 14 73 C7 C6 14 73
88 13 00 CF 04 00 76 B3

ASK/Manchester,  clk 32...

now... decode that to a number.
Did you have any ID / printing on the tag?
or number from when presenting it from a reader?


If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#5 2019-09-27 05:49:40

jamesmat
Contributor
Registered: 2019-09-23
Posts: 6

Re: Unknown tag and it might be unique (!)

1) there is a high probability that the ID is = 136. I am not 100% sure as when I removed the plastic encasing I might have mixed its key ring  (the plastic encasing does not always have something written on it. Most of the times their key rings have a hand written number). In the 24 bytes you have posted I see 0x88 twice (136 decimal). Is this what you mean?

2) I am sending you 2 more traces of 2 other tags. The one has "98" written on it, the other "99". Please note that each tag I have sent you (3 in total) belong to different "locations"/customers. When a tag is inserted in the reader, -indeed- a number is displayed and it is always "small" (between 1-200). So, the 136, 98 and 99 numbers should be what we are after.

3) "Which Proxmark3 device are you using?": you will see in the attachment

4) Sorry for repeating myself: would a remote session help you in any way? Or are the dumps sufficient?

5) Finally, I am trying to recreate your steps in order to reach your "repeating 24 bytes" pattern but cant. If its no hassle to you, can you please write what exact steps you did in order to reach them?


Files:  https://we.tl/t-TQE3TgU8HG

Last edited by jamesmat (2019-09-27 05:55:20)

Offline

#6 2019-09-30 17:58:11

iceman
Administrator
Registered: 2013-04-25
Posts: 5,760
Website

Re: Unknown tag and it might be unique (!)

1,2 ) its a bit too few numbers to determine the start of the signal data.  Using more traces from same "locations/customers" is needed in order to figure out the correct start offset. And if there is an preamble etc.

3) RDV2,  cool,  you should be able to get a nice clean signal of the tag from that device.  You should be using latest source from either offical repo or RRG/Iceman.   The one you are on is a bit old.

4) I don't really need a remote session

Some different ways to get a better decode from your tags.   I suggest you try several times to collect traces and share smile So we can make a proper demod for it.

method 1

data load otr_lf130.pm3
data plot
data detect a
data norm
data raw ar
data manraw
data bin2hex  ....

method 2

data load otr_lf130.pm3
data plot
data iir 1
data norm
data detect a
data raw am
data print x
data bin2hex ...

If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#7 2019-10-01 12:04:14

jamesmat
Contributor
Registered: 2019-09-23
Posts: 6

Re: Unknown tag and it might be unique (!)

1) I have made 5 new traces for each of the 3 tags. So now you will have 1+5 for each. Let me know if you need more. I can make as many as you like/need. Please keep in mind that if ultimately a capture between the reader/tag will be needed, it is close to impossible. Reasons: a) the readers are in public places and (b) the tag is inserted in a slot. I highly doubt that radio waves escape sufficiently enough for a valid capture. All traces can be downloaded from https://we.tl/t-PoOJ3eioS6 (each tag has its own folder. Read included "readme.txt")

2) I will of course update to the latest if needed.

3) I tried both your methods. None works for me sad   I will post below a detailed step-by-step so you can see.

Last edited by jamesmat (2019-10-01 12:11:37)

Offline

Board footer

Powered by FluxBB