Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-10-03 02:17:25

ebodyyy
Contributor
Registered: 2019-10-02
Posts: 14

Copying AWID 50 Bit FOB Weingard HELP

Hello Everyone,

I want to be able to copy my 50 bit weingard FOB but have not been successful. I do have a reading from my proxmark but im confused on how to break up each individual bit and figure out the FC and ID. I believe ICEMAN's fork is now able to clone 50 bit AWID and would like to know how exactly to extract the FC and ID from the data that's being read of the FOB. I have referenced all 3 of these topics but I was not successful.

I have tried copying block 0 on to a blank T55x card followed by blocks 1,2,3 but that didn't work.

http://www.proxmark.org/forum/viewtopic.php?id=1767
http://www.proxmark.org/forum/viewtopic.php?id=2991
http://www.proxmark.org/forum/viewtopic.php?id=2203

I'm new to RFID and if anyone has had success or could lead me in the direction to copy this kind of FOB i would really appreciate it.

Thanks!

Last edited by ebodyyy (2019-10-20 21:31:49)

Offline

#2 2019-10-03 20:38:23

batman192
Contributor
Registered: 2019-07-16
Posts: 24

Re: Copying AWID 50 Bit FOB Weingard HELP

ebodyyy wrote:

Hello Everyone,

I want to be able to copy my 50 bit weingard FOB but have not been successful. I do have a reading from my proxmark but im confused on how to break up each individual bit and figure out the FC and ID. I believe ICEMAN's fork is now able to clone 50 bit AWID and would like to know how exactly to extract the FC and ID from the data that's being read of the FOB. I have referenced all 3 of these topics but I was not successful.

I have tried copying block 0 on to a blank T55x card followed by blocks 1,2,3 but that didn't work.

http://www.proxmark.org/forum/viewtopic.php?id=1767
http://www.proxmark.org/forum/viewtopic.php?id=2991
http://www.proxmark.org/forum/viewtopic.php?id=2203

I'm new to RFID and if anyone has had success or could lead me in the direction to copy this kind of FOB i would really appreciate it.

Thanks!

Oof, welcome to AWID. I'm not too familiar with 50-bit AWID's mapping (I work with 26 & 37 bit AWID) but this http://www.proxmark.org/forum/viewtopic.php?id=2897 might help out. Best of luck, if you can dump the binary here that might help also!

Offline

#3 2019-10-04 01:32:31

ebodyyy
Contributor
Registered: 2019-10-02
Posts: 14

Re: Copying AWID 50 Bit FOB Weingard HELP

Thanks for your response.

proxmark3> lf search
Reading 30000 bytes from device memory
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
Checking for known tags:
AWID Found - BitLength: 50 -unknown BitLength- (25351) - Wiegand: 1f400062c60f, Raw: 0128817e41111284d281e811          
Valid AWID ID Found!          
proxmark3> 

Was this what you were referring too dumping on here?


About the link you suggested: I did see that post as well before. I'm not completely sure how to start from the data I have and get what he got. Were you able to extract FC and ID in a 26-bit AWID? based on the post, the FC and ID would just be double the length for 50 bit, so that could be a possible starting point.

Offline

#4 2019-10-04 18:01:18

batman192
Contributor
Registered: 2019-07-16
Posts: 24

Re: Copying AWID 50 Bit FOB Weingard HELP

ebodyyy wrote:

Thanks for your response.

proxmark3> lf search
Reading 30000 bytes from device memory
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
Checking for known tags:
AWID Found - BitLength: 50 -unknown BitLength- (25351) - Wiegand: 1f400062c60f, Raw: 0128817e41111284d281e811          
Valid AWID ID Found!          
proxmark3> 

Was this what you were referring too dumping on here?


About the link you suggested: I did see that post as well before. I'm not completely sure how to start from the data I have and get what he got. Were you able to extract FC and ID in a 26-bit AWID? based on the post, the FC and ID would just be double the length for 50 bit, so that could be a possible starting point.

Sweet. That's a solid start, I was thinking if you can do a "lf t55xx detect" to see if there's an underlying t55xx chip. if so, you can run "lf t55xx dump" to dump the binary.

It doesn't say "valid t55xx chip found" from the "lf search" command but I'm just curious.

Offline

#5 2019-10-05 22:40:23

ebodyyy
Contributor
Registered: 2019-10-02
Posts: 14

Re: Copying AWID 50 Bit FOB Weingard HELP

proxmark3> lf t55xx detect
Modulation : FSK2a          
Bit Rate   : 4 - RF/50          
Inverted   : Yes          
Offset     : 0          
Block0     : 0x00107060  
 

proxmark3> lf t55xx dump
Reading Page 0:          
blk | hex data | binary          
  0 | 00107060 | 00000000000100000111000001100000          
  1 | 0128817E | 00000001001010001000000101111110          
  2 | 82222508 | 10000010001000100010010100001000          
  3 | D281E811 | 11010010100000011110100000010001          
  4 | 00000000 | 00000000000000000000000000000000          
  5 | 00000000 | 00000000000000000000000000000000          
  6 | 00000000 | 00000000000000000000000000000000          
  7 | 00000000 | 00000000000000000000000000000000          
Reading Page 1:          
blk | hex data | binary          
  0 | 00107060 | 00000000000100000111000001100000          
  1 | E0150A6C | 11100000000101010000101001101100          
  2 | 11BC8E8C | 00010001101111001000111010001100          
  3 | 00000000 | 00000000000000000000000000000000 

There is a T55xx chip in the fob, and this was the output from the lf t5xx dump. How would i proceed?

Thank you again for your help.

Offline

#6 2019-10-07 19:15:01

batman192
Contributor
Registered: 2019-07-16
Posts: 24

Re: Copying AWID 50 Bit FOB Weingard HELP

Awesome! Can you try now copying both pages and all the blocks over to a T55xx card and let us know if that works?

Offline

#7 2019-10-08 03:52:13

ebodyyy
Contributor
Registered: 2019-10-02
Posts: 14

Re: Copying AWID 50 Bit FOB Weingard HELP

So i realized two things while doing this:

1) The card i was using before was a EM410x card, and that explains why after I copy all the blocks from the AWID to the Em410X, and i run the lf T55x dump, i can't see the blocks anymore and it doesn't read it. I guess i can probably fix them by  re-writing EM410x blocks(from the other ones i have).

2) Block 2, Page 0,  is not accepting the new data that I'm writing on to it(this is on the T55XX card). I think this maybe due to me not running the latest firmware maybe? Every other block copied except this one, any suggestions?

Which T55x cards do you use? were you able to copy AWID on to EM410x?

Thank you.

Offline

#8 2019-10-08 04:00:19

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Copying AWID 50 Bit FOB Weingard HELP

@ebodyyy
1) EM410x tend to be read only ID cards, the T55xx and EM4x05 etc) are cards that can emulate things like the EM4100
If lf t55xx dump worked prior to you writing of the AWID, then there is a good chance that the config block (block 0 page 1) changed and as such you would need to run lf t55 detect again prior to the dump command working.

2) If every block looks ok but 1 block (2), can you share the output from the lf t55 dump and what you think the data should be ?
It may have written correctly but not showing correctly.  Try lf search and see if that shows the correct AWID output.

Last edited by mwalker (2019-10-08 04:42:44)

Offline

#9 2019-10-08 15:36:20

batman192
Contributor
Registered: 2019-07-16
Posts: 24

Re: Copying AWID 50 Bit FOB Weingard HELP

ebodyyy wrote:

So i realized two things while doing this:

1) The card i was using before was a EM410x card, and that explains why after I copy all the blocks from the AWID to the Em410X, and i run the lf T55x dump, i can't see the blocks anymore and it doesn't read it. I guess i can probably fix them by  re-writing EM410x blocks(from the other ones i have).

2) Block 2, Page 0,  is not accepting the new data that I'm writing on to it(this is on the T55XX card). I think this maybe due to me not running the latest firmware maybe? Every other block copied except this one, any suggestions?

Which T55x cards do you use? were you able to copy AWID on to EM410x?

Thank you.

I didn't use EM410x when I copied mine, I used a blank t55xx card I bought on Amazon, if you just look up "blank t55xx RFID cards" I'm sure you'll find some.

I agree with mwalker as well, can you show us the dump output?

Offline

#10 2019-10-09 02:29:24

ebodyyy
Contributor
Registered: 2019-10-02
Posts: 14

Re: Copying AWID 50 Bit FOB Weingard HELP

So this is the output from the AWID fob:

proxmark3> lf t55xx dump
Reading Page 0:          
blk | hex data | binary          
  0 | 00107060 | 00000000000100000111000001100000          
  1 | 0128817E | 00000001001010001000000101111110          
  2 | 82222508 | 10000010001000100010010100001000          
  3 | D281E811 | 11010010100000011110100000010001          
  4 | 00000000 | 00000000000000000000000000000000          
  5 | 00000000 | 00000000000000000000000000000000          
  6 | 00000000 | 00000000000000000000000000000000          
  7 | 00000000 | 00000000000000000000000000000000          
Reading Page 1:          
blk | hex data | binary          
  0 | 00107060 | 00000000000100000111000001100000          
  1 | E0150A6C | 11100000000101010000101001101100          
  2 | 11BC8E8C | 00010001101111001000111010001100          
  3 | 00000000 | 00000000000000000000000000000000 

Here is the output from the T5577 card:

proxmark3> lf t55xx dump
Reading Page 0:          
blk | hex data | binary          
  0 | 00107060 | 00000000000100000111000001100000          
  1 | 0128817E | 00000001001010001000000101111110          
  2 | 04444A11 | 00000100010001000100101000010001          
  3 | D281E811 | 11010010100000011110100000010001          
  4 | 00000000 | 00000000000000000000000000000000          
  5 | 00000000 | 00000000000000000000000000000000          
  6 | 00000000 | 00000000000000000000000000000000          
  7 | 00000000 | 00000000000000000000000000000000          
Reading Page 1:          
blk | hex data | binary          
  0 | 00107060 | 00000000000100000111000001100000          
  1 | E0150A6C | 11100000000101010000101001101100          
  2 | 11BC8E8C | 00010001101111001000111010001100          
  3 | 00000000 | 00000000000000000000000000000000

Block 2 Page 0 is the only that doesn't copy.

When I run lf search, it doesn't even find the T5577 card( this is after running lf t55xx detect and lf t55xx config)

Offline

#11 2019-10-09 04:33:23

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Copying AWID 50 Bit FOB Weingard HELP

I am wondering the the dump of the original is not 100%, thus the clone wont work.

The config block is saying FSK2a RF/50 send blocks 1 to 3 (which is where your data is)

Block 2 may simply be a decoding error on one or both dumps.  Its one bit out (and some encodings can be a bit tricky)
i.e.

AWID Fob    10000010001000100010010100001000     
T5577 Card   00000100010001000100101000010001

from an earlier post
Raw: 0128817e 41111284 d281e811

which converts to
0128817e : Matches both block 1's
41111284 : Does not match either block 2's
d281e811 : Matches both block 3's

Can you try
Place the "cloned" card (not yet working) on the proxmark.

lf t55xx detect                               (you should see a valid FSK2a RF/50 detect)
lf t55xx write b 2 d 41111284

the lf search

Offline

#12 2019-10-10 06:05:03

ebodyyy
Contributor
Registered: 2019-10-02
Posts: 14

Re: Copying AWID 50 Bit FOB Weingard HELP

It worked!!!

Thank you mwalker and batman192 for your help.

I went through how you broke down the RAW data and compared it with each block and now its making sense. Do you know why Block 0 isn't included in the RAW data?

I'm going to see if i can get my hands on some more fobs which are different from AWID, but generally wouldn't the copying process be the same for all fobs basically? Just getting the dump file and then copying it to an empty T55xx card. I get that they would be using different modulation schemes and may occupy more (probably less blocks). Any thoughts on this?

Offline

#13 2019-10-10 06:24:58

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Copying AWID 50 Bit FOB Weingard HELP

With the LF rfid tags we are talking about, they work like this.

When the tag is powered up (near a reader), it will start to send the data from block x to y (what x is can vary between chips), in this case it will be block 1 to 2.

This is the DATA that needs to get sent for the reader to get the card ID.

HOW the chip sends that data/ID is based in the config for THAT chip.  since every type of chip could have a different config, and the reader does not need to know it, there is no point in sending it (in default read mode).  Remember were not using the original chips, we are making a clone to a general purpose card, as such we would NOT want the clone to send out invalid data to the real readers; it would result in an invalid card presented.

When you run an lf search, it will power on the chip (like a reader) and record the data that the chip spits out (e.g. block 1 and 2). i.e. what the real reader would see.  It will then try to see if this is a know type of ID,  so the RAW data will be the "ID data"

Hope that makes sense.

Offline

#14 2019-10-19 03:25:27

ebodyyy
Contributor
Registered: 2019-10-02
Posts: 14

Re: Copying AWID 50 Bit FOB Weingard HELP

Hey guys, thank you for your help on the last fob it worked great.

I got another fob this time and had a similar issue to the one above where block 2 of page 0 was not copying. So i used the raw data from the lf search and fixed that issue.

Now, page 1, block 1&2 are not copied properly. How would i be able to obtain raw data for page 1 blocks?

This is this original Fob:

blk | hex data | binary          
  0 | 80107060 | 10000000000100000111000001100000          
  1 | 00913A42 | 00000000100100010011101001000010          
  2 | 81B81B28 | 10000001101110000001101100101000          
  3 | 90888888 | 10010000100010001000100010001000          
  4 | 00000000 | 00000000000000000000000000000000          
  5 | 00000000 | 00000000000000000000000000000000          
  6 | 00000000 | 00000000000000000000000000000000          
  7 | 00000000 | 00000000000000000000000000000000          
Reading Page 1:          
blk | hex data | binary          
  0 | 80107060 | 10000000000100000111000001100000          
  1 | F00A80AB | 11110000000010101000000010101011          
  2 | 49888295 | 01001001100010001000001010010101          
  3 | 00000000 | 00000000000000000000000000000000 

This is the output of the t55xx card:

proxmark3> lf t55xx dump
Reading Page 0:          
blk | hex data | binary          
  0 | 80107060 | 10000000000100000111000001100000          
  1 | 00913A42 | 00000000100100010011101001000010          
  2 | 81B81B28 | 10000001101110000001101100101000          
  3 | 90888888 | 10010000100010001000100010001000          
  4 | 00000000 | 00000000000000000000000000000000          
  5 | 00000000 | 00000000000000000000000000000000          
  6 | 00000000 | 00000000000000000000000000000000          
  7 | 00000000 | 00000000000000000000000000000000          
Reading Page 1:          
blk | hex data | binary          
  0 | 80107060 | 10000000000100000111000001100000          
  1 | F00A8542 | 11110000000010101000010101000010          
  2 | 0CF218E8 | 00001100111100100001100011101000          
  3 | 00000000 | 00000000000000000000000000000000 

Thank you again for your help.

Last edited by ebodyyy (2019-10-20 21:41:45)

Offline

Board footer

Powered by FluxBB