an other keri fob ....

M&S · 2016-01-22 02:14:11

I come across a strange Keri FOB.

printed code K21xx_28xxx34
"Lf search" failed to recognise this fob

"lf read"
https://www.dropbox.com/s/d50imlhtikann2u/keri_2131_2890234?dl=0

"lf investigate"
https://www.dropbox.com/s/ecy0fmxny9mssaj/investigated_keri_2131_2890234_.txt?dl=0

data plot
https://www.dropbox.com/s/sweowucux3jkwi4/keri.png?dl=0

only "data rawdemod" P1 or P2 delivered some results

re-occurrent code "FDB50DA55C7FFFFF" with "data rawdemod P1" and
re-occurrent code "36F8B77F24000000" with "data rawdemod P2" ....

That is all I can get ... But I don't see in the re-occurrent codes anything related to the printed code K21xx_28xxx34!

Does this make any sense to you?

iceman · 2016-01-22 09:19:44

Your signal in your traces is really bad. What's the voltage on your LF antenna?

Maybe you can get at better demod if your captured signal is stronger

M&S · 2016-01-22 15:29:14

thanks for looking into this signal Iceman.

I was aware of that signal amplitude. But my pm3 only reads on this KERI's fob consistent that low. In between Keri reading I did check with HW tune on antenna signal, it is ok,

here is the SW I used
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-12-07 18:21:10
os: /-suspect 2015-12-07 18:21:30
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 168743 bytes (32%). Free: 355545 bytes (68%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

and the power
.
# LF antenna: 11.69 V @ 125.00 kHz
# LF antenna: 24.06 V @ 134.00 kHz
# LF optimal: 25.85 V @ 134.83 kHz
# HF antenna: 0.78 V @ 13.56 MHz

and I also did attempt EM41xx read between the Keri reading. It recognised the EM41xx fob ID without problem, but when going back to the keri it shown that much signal only and situation is consistent. no where decoding but only on P1 and P2.

I dont have the fob anymore, it belongs to my friend when I see him again in a month or two, I would like to have a strategy to collect much as possible datas to see why it is so with this fob

What steps should I do?

HW tune
lf search
lf search u

marshmellow · 2016-01-25 18:12:41

the signal looks ok for PSK.
the repeating psk1 data appears correct, though I'd invert the bits for this particular format. (and there is still a lot we don't know about this format.)

there is a thread that talks a little about it i believe here:http://www.proxmark.org/forum/viewtopic … 390#p13390

basically it is a scrambled bit pattern.

iceman · 2016-01-25 19:13:55

If you get access to the fob again, try getting a better read (somehow)...

if you have access to several fobs of this kind, map printed number and psk-reads...

Then look at the link @marshmellow posted and you take it from there.

M&S · 2016-01-26 22:35:24

Thank you.

I have looked in the link you provided. It looks like very much more datas we need to make this type of fob.

apropos the ful print cde is K2131_2890234.

When I have the fob again I will try to have more data. Regarding better reading, I am not sure if I can provide better. Before I contact the forum I must have done at least 30 readings, different angle, distance, all are consistent very low read signal I don't understand why read quality is so bad.

Also by trying all command in LF sector, I saw something strange with snoop. Is the command "lf snoop" a real command? It seems not to do anything

marshmellow · 2016-01-27 03:49:19

Thanks for sharing. It gets us closer. The weak signal is not surprising for a small keyfob. It is plenty strong enough to demod without errors. psk tends to "look" weak anyway. (since there are no long on or off periods to build up power)

marshmellow · 2016-01-27 03:50:48

Also the lf snoop works if it is used as intended. There is some information on that command on the forum that should guide you if you'd like to capture the communication from a reader to a tag.

M&S · 2016-01-27 04:02:53

Thank you for your info regarding the fob reading, Marshmellow.

I read somewhere You wish to have a Q5 fob for experiment/testing your SW fork. Do you still need one? I would gladly share some to you.

marshmellow · 2016-01-27 05:08:36

I believe I fixed the main issues we had with the q5 in my fork... though I have yet to finish up a few items to get it committed to the master. Thanks for the offer though. Out of curiosity, is the Q5 cheaper than the t55x7 chips in your area?

M&S · 2016-01-27 06:02:04

No, in general Q5 Sokymat is always at least double expensive than T5577 fob/disk/tag. How much more it depends which type you want.

http://www.rfidplaza.com/collections/keyfobs

I got lucky once and been offered a handful of Sokymat Bobsleigh Keyfobs Q5 with very good throw-away price.

marshmellow · 2016-01-27 06:23:44

That is what I thought, but I've been told by some it was cheaper and more readily available.... Maybe in china? Not here.

Proxmark3 community

Announcement

#1 2016-01-22 02:14:11

an other keri fob ....

#2 2016-01-22 09:19:44

Re: an other keri fob ....

#3 2016-01-22 15:29:14

Re: an other keri fob ....

#4 2016-01-25 18:12:41

Re: an other keri fob ....

#5 2016-01-25 19:13:55

Re: an other keri fob ....

#6 2016-01-26 22:35:24

Re: an other keri fob ....

#7 2016-01-27 03:49:19

Re: an other keri fob ....

#8 2016-01-27 03:50:48

Re: an other keri fob ....

#9 2016-01-27 04:02:53

Re: an other keri fob ....

#10 2016-01-27 05:08:36

Re: an other keri fob ....

#11 2016-01-27 06:02:04

Re: an other keri fob ....

#12 2016-01-27 06:23:44

Re: an other keri fob ....

Board footer