Unknown and unresponsive tag

sambo · 2015-03-02 02:32:08

I'm trying to decode a fob with a 7 digit number printed on it (on a white circle contained within a black fob) There is no brand on the card. I've tried a HF read with an app on my phone and a LF read with the proxmark but don't seem to get any usable results:

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: /-suspect 2015-01-31 07:13:30                 
#db# os: /-suspect 2015-01-31 07:13:36                 
#db# HF FPGA image built on 2015/01/15 at 12:19:06                 
uC: AT91SAM7S256 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 256K bytes          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory          
proxmark3> 

proxmark3> hw tune
Measuring antenna characteristics, please wait.........          
# LF antenna: 14.23 V @   125.00 kHz          
# LF antenna: 11.01 V @   134.00 kHz          
# LF optimal: 15.71 V @   127.66 kHz          
# HF antenna:  0.13 V @    13.56 MHz          
# Your HF antenna is unusable.          
Done! Divisor 89 is 134khz, 95 is 125khz.
proxmark3> 
proxmark3> lf search
#db# buffer samples: 76 76 75 76 76 76 76 76 ...                 
Reading 20000 samples from device memory
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
Checking for known tags:
No Known Tags Found!
proxmark3> 
proxmark3> lf read h 
#db# buffer samples: 81 81 81 81 81 81 81 81 ...

Has anyone come across a similar card and do you have any ideas on how to get more usable data from it?

marshmellow · 2015-03-02 03:12:43

did you try a hw tune with each antenna with and then without the tag to see if the tag draws any voltage from the HF or LF?

sambo · 2015-03-02 06:49:59

Yes, please see results below without and with the tag:

proxmark3> hw tune
Measuring antenna characteristics, please wait.........          
# LF antenna: 17.32 V @   125.00 kHz          
# LF antenna: 11.01 V @   134.00 kHz          
# LF optimal: 18.13 V @   126.32 kHz          
# HF antenna:  0.10 V @    13.56 MHz          
# Your HF antenna is unusable.          
Done! Divisor 89 is 134khz, 95 is 125khz.
proxmark3> 
proxmark3> hw tune
Measuring antenna characteristics, please wait.........          
# LF antenna: 14.10 V @   125.00 kHz          
# LF antenna: 11.28 V @   134.00 kHz          
# LF optimal: 15.71 V @   127.66 kHz          
# HF antenna:  0.16 V @    13.56 MHz          
# Your HF antenna is unusable.          
Done! Divisor 89 is 134khz, 95 is 125khz.

Gratefuldeadbolt · 2015-03-02 07:21:00

Do you have a HF antenna to try and repeat the same test?

It may be a 13.56Mhz tag.

sambo · 2015-03-02 07:33:40

I've tested with an HF antenna - see below.

proxmark3> hw tune
Measuring antenna characteristics, please wait.........          
# LF antenna:  0.00 V @   125.00 kHz          
# LF antenna:  0.00 V @   134.00 kHz          
# LF optimal:  0.00 V @ 12000.00 kHz          
# HF antenna: 11.25 V @    13.56 MHz          
# Your LF antenna is unusable.          
Done! Divisor 89 is 134khz, 95 is 125khz.
proxmark3> 
proxmark3> hw tune
Measuring antenna characteristics, please wait.........          
# LF antenna:  0.00 V @   125.00 kHz          
# LF antenna:  0.00 V @   134.00 kHz          
# LF optimal:  0.00 V @ 12000.00 kHz          
# HF antenna: 11.34 V @    13.56 MHz          
# Your LF antenna is unusable.          
Done! Divisor 89 is 134khz, 95 is 125khz.

The LF voltage change seems more significant. Any other steps that you suggest I try?

iceman · 2015-03-02 11:00:14

From the output it looks like a LF tag.
try the new "lf search" command.

marshmellow · 2015-03-02 14:25:11

After lf search do a data plot. Is there much of a wave? Max/ min values above/below 50/-50? If yes then the tag isn't yet recognized by lf search but it still can be demoded more manually. If no then your tag may work on a different frequency or may be waiting for a wake command. Or may be a hitag?

Last edited by marshmellow (2015-03-02 14:26:05)

sambo · 2015-03-04 00:14:25

I haven't dealt with Hitag before but a lf hitag sim produces the following:

proxmark3> #db# Starting Hitag2 simulation                 
proxmark3> #db# | 0 | 024e0220 |                 
proxmark3> #db# | 1 | 4d494b52 |                 
proxmark3> #db# | 2 | 20f04f4e |                 
proxmark3> #db# | 3 | 0eaa4854 |                 
proxmark3> #db# | 4 | 465f4f4b |                 
proxmark3> #db# | 5 | 55555555 |                 
proxmark3> #db# | 6 | aaaaaaaa |                 
proxmark3> #db# | 7 | 55555555 |                 
proxmark3> #db# | 8 | 00000000 |                 
proxmark3> #db# | 9 | 00000000 |                 
proxmark3> #db# | 10 | 00000000 |                 
proxmark3> #db# | 11 | 00000000 |

Does this look familiar to anyone?

marshmellow · 2015-03-04 00:35:04

Sim is to simulate a tag to a reader. You want to act like a reader to a tag.

sambo · 2015-03-04 05:21:45

125 read / plot

134 read / plot

marshmellow · 2015-03-04 05:31:13

Looks like nothing but noise.

Might be a tag that needs a wake password before it will respond.

marshmellow · 2015-03-04 05:32:14

Can you snoop a reader read the tag?

iceman · 2015-03-04 09:55:07

if you have a tag you want to sniff / read... You should do the lf search and some plot commands.
If you want to pretend to be a tag, then you should run a "sim" command.

It seems you have confused yourself. The output looks like a hitag.

sambo · 2015-03-20 07:49:06

Ok, thanks for the tips.

I did try a snoop but I don't think it was successful and I overwrote the buffer with a second snoop

proxmark3> lf snoop l 
#db# buffer samples: 8d a1 ac af ae aa a6 a1 ...                 
proxmark3> 
proxmark3> lf snoop l 
#db# buffer samples: 7e 7e 7e 7e 7f 7e 7e 7e ...

I've inspected the reader and believe it is a TS0870 unit reading a TS1173 keyfob.

@0xFFFF : looks like you have had some experience with this format? Is there anything else I can try differently with the Proxmark? Seems like @Warren7436 gave it a crack but wasn't able to make a copy either

Last edited by sambo (2015-03-20 07:55:25)

cardix · 2015-10-26 13:26:28

Don't help Sambo he is trying to copy the fob and sell it, nothing legit here.
Total noob.

sambo · 2015-10-26 23:36:37

Lol, not quite cardix. This was for personal use but well done on reviving a 7 month old thread

Proxmark3 community

Announcement

#1 2015-03-02 02:32:08

Unknown and unresponsive tag

#2 2015-03-02 03:12:43

Re: Unknown and unresponsive tag

#3 2015-03-02 06:49:59

Re: Unknown and unresponsive tag

#4 2015-03-02 07:21:00

Re: Unknown and unresponsive tag

#5 2015-03-02 07:33:40

Re: Unknown and unresponsive tag

#6 2015-03-02 11:00:14

Re: Unknown and unresponsive tag

#7 2015-03-02 14:25:11

Re: Unknown and unresponsive tag

#8 2015-03-04 00:14:25

Re: Unknown and unresponsive tag

#9 2015-03-04 00:35:04

Re: Unknown and unresponsive tag

#10 2015-03-04 05:21:45

Re: Unknown and unresponsive tag

#11 2015-03-04 05:31:13

Re: Unknown and unresponsive tag

#12 2015-03-04 05:32:14

Re: Unknown and unresponsive tag

#13 2015-03-04 09:55:07

Re: Unknown and unresponsive tag

#14 2015-03-20 07:49:06

Re: Unknown and unresponsive tag

#15 2015-10-26 13:26:28

Re: Unknown and unresponsive tag

#16 2015-10-26 23:36:37

Re: Unknown and unresponsive tag

Board footer