Research, development and trades concerning the powerful Proxmark3 device.
Hi everyone,
I've got a 125kHz tag that I'd like to make copies of, but unfortunately I'm struggling to identify it.
I've been experimenting with both my proxmark3 RDV4 and a multi-format USB Reader from RFIDeas called "pcProx" with model number RDR-6R81AKU.
Info about my proxmark3:
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-1097-ga23414fe 2020-01-26 17:01:03
os: iceman/master/ice_v3.1.0-1097-ga23414fe 2020-01-26 17:01:06
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 241380 bytes (46%) Free: 282908 bytes (54%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hw status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............0
#db# Currently loaded FPGA image
#db# mode.................... HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
#db# Flash memory
#db# init....................OK
#db# Memory size.............2 mbits / 256kb
#db# Unique ID...............0xd567a882a72a8d26
#db# Smart card module (ISO 7816)
#db# version.................v2.06
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# USB Speed
#db# Sending USB packets to client...
#db# Time elapsed............1500ms
#db# Bytes transferred.......761856
#db# USB Transfer Speed PM3 -> Client = 507904 Bytes/s
#db# Various
#db# MF_DBGLEVEL.............1
#db# ToSendMax...............-1
#db# ToSendBit...............0
#db# ToSend BUFFERSIZE.......2308
#db# Installed StandAlone Mods
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
The pcProx reader is able to pull out some values. It returns a Facility ID and User ID. I won't include these here for security reasons, as this tag is still in use.
My proxmark3, running
lf search
returns no results.
If I enable debug output I can see it is able to demodulate the signal as NRZ.
pm3 --> lf search
LF Signal properties:
high..........255
low...........0
mean..........121
amplitude.....134
is Noise......No
THRESHOLD noice amplitude......10
[#] DEBUG: (setClockGrid) demodoffset 0, clk 0
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No data found!, clock tried:64
Try again with more samples.
or after a 'data askedge' command to clean up the read
getHiLo fuzzed: High 223 | Low 32
getHiLo fuzzed: High 223 | Low 32
[#] DEBUG: no data or error found 78, clock: 64
[#] DEBUG: Error - Nedap ASKbiphaseDemod failed
[#] DEBUG: Error - AWID problem during FSK demod
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000
getHiLo fuzzed: High 229 | Low 25
getHiLo fuzzed: High 223 | Low 32
getHiLo fuzzed: High 223 | Low 32
DEBUG: (askdemod_ext) CLEAN: startIdx -9, alignPos 0
[#] DEBUG: (ASKDemod_ext) Using clock:64, invert:0, bits found:326
[#] DEBUG: (setClockGrid) demodoffset -9, clk 64
# Errors during Demoding (shown as 7 in bit stream): 98
ASK/Manchester - Clock: 64 - Decoded bitstream:
7077010710777100
(redacted)
7777707701071077
710007
[#] DEBUG: Error - Em410x preamble not found
getHiLo fuzzed: High 223 | Low 32
getHiLo fuzzed: High 223 | Low 32
[#] DEBUG: no data or error found 258, clock: 32
[#] DEBUG: Error - FDX-B ASKbiphaseDemod failed
getHiLo fuzzed: High 223 | Low 32
getHiLo fuzzed: High 223 | Low 32
[#] DEBUG: no data or error found 78, clock: 64
[#] DEBUG: Error - gProxII ASKbiphaseDemod failed
[#] DEBUG: Error - HID problem during FSK demod
[#] DEBUG: (PSKdemod) no data found, clk: 0, invert: 0, numbits: 30000, errCnt: -1
[#] DEBUG: Error - Idteck PSKDemod failed
[#] DEBUG: (PSKdemod) Too many errors found, clk: 32, invert: 0, numbits: 1552, errCnt: 628
[#] DEBUG: Error - Indala can't demod signal: 0
[#] DEBUG: Error - IO prox error during fskdemod
getHiLo fuzzed: High 223 | Low 32
getHiLo fuzzed: High 223 | Low 32
[#] DEBUG: no data or error found 78, clock: 64
[#] DEBUG: Error - Jablotron ASKbiphaseDemod failed
[#] DEBUG: (PSKdemod) no data found, clk: 0, invert: 0, numbits: 30000, errCnt: -1
[#] DEBUG: Error - NexWatch can't demod signal
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000
getHiLo fuzzed: High 229 | Low 25
getHiLo fuzzed: High 223 | Low 32
getHiLo fuzzed: High 223 | Low 32
DEBUG: (askdemod_ext) CLEAN: startIdx 7, alignPos 0
[#] DEBUG: (ASKDemod_ext) Too many errors found, errors:157, bits:344, clock:32
[#] DEBUG: Error - Noralsy: ASK/Manchester Demod failed
getHiLo fuzzed: High 242 | Low 12
getHiLo fuzzed: High 223 | Low 32
[#] DEBUG: (NRZrawDemod) Tried NRZ Demod using Clock: 32 - invert: 0 - Bits Found: 936
[#] DEBUG: (setClockGrid) demodoffset 23, clk 32
NRZ demoded bitstream:
1110100110110010
(redacted)
0111111011011001
10
[#] DEBUG: Error - PAC: preamble not found
[#] DEBUG: Error - Paradox problem during FSK demod
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000
getHiLo fuzzed: High 229 | Low 25
getHiLo fuzzed: High 223 | Low 32
getHiLo fuzzed: High 223 | Low 32
DEBUG: (askdemod_ext) CLEAN: startIdx 7, alignPos 0
[#] DEBUG: (ASKDemod_ext) Too many errors found, errors:157, bits:344, clock:32
[#] DEBUG: Error Presco ASKDemod failed
[#] DEBUG: Error - Pyramid: problem during FSK demod
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000
getHiLo fuzzed: High 223 | Low 32
getHiLo fuzzed: High 223 | Low 32
DEBUG: (askdemod_ext) CLEAN: startIdx 3, alignPos 0
[#] DEBUG: (ASKDemod_ext) Too many errors found, errors:157, bits:344, clock:40
[#] DEBUG: Error - Securakey: ASK/Manchester Demod failed
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000
getHiLo fuzzed: High 223 | Low 32
getHiLo fuzzed: High 223 | Low 32
DEBUG: (askdemod_ext) CLEAN: startIdx -9, alignPos 0
[#] DEBUG: (ASKDemod_ext) Using clock:64, invert:0, bits found:326
[#] DEBUG: (setClockGrid) demodoffset -9, clk 64
# Errors during Demoding (shown as 7 in bit stream): 98
ASK/Manchester - Clock: 64 - Decoded bitstream:
7077010710777100
(redacted)
7777707701071077
710007
[#] DEBUG: Error - Viking Demod -4
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 30000
getHiLo fuzzed: High 229 | Low 25
getHiLo fuzzed: High 223 | Low 32
getHiLo fuzzed: High 223 | Low 32
DEBUG: (askdemod_ext) CLEAN: startIdx -9, alignPos 0
[#] DEBUG: (ASKDemod_ext) Too many errors found, errors:98, bits:326, clock:64
[#] DEBUG: Error - Visa2k: ASK/Manchester Demod failed
[-] No known 125/134 KHz tags Found!
LF Signal properties:
high..........127
low...........-128
mean..........2
amplitude.....125
is Noise......No
THRESHOLD noice amplitude......10
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 6000
getHiLo fuzzed: High 127 | Low -64
getHiLo fuzzed: High 127 | Low -64
DEBUG: (askdemod_ext) CLEAN: startIdx 0, alignPos 0
[#] DEBUG: (ASKDemod_ext) No data found errors:-1, invert:0, bitlen:0, clock:16
[#] DEBUG: Error - EM: ASK/Manchester Demod failed
getHiLo fuzzed: High 127 | Low -64
getHiLo fuzzed: High 127 | Low -64
[#] DEBUG: Error BiphaseRawDecode: -1
[#] DEBUG: Error - EM: ASK/biphase normal demod failed
getHiLo fuzzed: High 127 | Low -64
getHiLo fuzzed: High 127 | Low -64
[#] DEBUG: Error BiphaseRawDecode: -1
[#] DEBUG: Error - EM: ASK/biphase inverted demod failed
[#] DEBUG: No data found
[#] DEBUG: Error - EM: FSK clock failed
[#] DEBUG: (setClockGrid) demodoffset 0, clk 0
[#] DEBUG: Error - EM: PSK clock failed
LF Signal properties:
high..........127
low...........-128
mean..........-6
amplitude.....133
is Noise......No
THRESHOLD noice amplitude......10
[#] DEBUG: No data found
[#] DEBUG: (setClockGrid) demodoffset 0, clk 0
getHiLo fuzzed: High 127 | Low -76
getHiLo fuzzed: High 127 | Low -64
[#] DEBUG: (setClockGrid) demodoffset 192, clk 32
Auto-detected clock rate: 32, Best Starting Position: 192
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 7679
getHiLo fuzzed: High 127 | Low -76
getHiLo fuzzed: High 127 | Low -64
getHiLo fuzzed: High 127 | Low -64
DEBUG: (askdemod_ext) CLEAN: startIdx 0, alignPos 0
[#] DEBUG: (ASKDemod_ext) No data found errors:-1, invert:0, bitlen:0, clock:32
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 7679
getHiLo fuzzed: High 127 | Low -76
getHiLo fuzzed: High 127 | Low -64
getHiLo fuzzed: High 127 | Low -64
DEBUG: (askdemod_ext) CLEAN: startIdx 0, alignPos 0
[#] DEBUG: (ASKDemod_ext) No data found errors:-1, invert:1, bitlen:0, clock:32
getHiLo fuzzed: High 127 | Low -64
getHiLo fuzzed: High 127 | Low -64
[#] DEBUG: Error BiphaseRawDecode: -1
getHiLo fuzzed: High 127 | Low -64
getHiLo fuzzed: High 127 | Low -64
[#] DEBUG: Error BiphaseRawDecode: -1
getHiLo fuzzed: High 127 | Low -102
[#] DEBUG: (setClockGrid) demodoffset 0, clk 0
Now, if I run lf read myself I can see it captures a clear waveform and that the pattern repeats a few times.
And, since certain parts of the waveform contain sustained lows or sustained highs, the guess that it's NRZ modulated seems correct:
I can get a stream of bits for the tag running the following:
lf read
data norm
data raw nr 32
However, there seems to be no relation between this data and the data returned by the pcProx device. I've tried inverting, reversing, and offsetting the bit stream and there still seems to be no relation.
Interestingly, I have been able to replay the data and open my building door doing the following:
lf read
data norm
data di 60 -60
lf sim
So, this rules out reading errors as a problem.
If I'm unable to find the format of this tag, is there still a way to copy it to another tag? That would seem too good to be true, but I thought I'd ask here. I'm still very new to all this, so Googling for answers is proving difficult since I don't know my terminology yet.
Any help is appreciated.
Cheers.
Last edited by fobIncognito (2020-01-28 00:04:23)
Offline
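The search described in the post above (inverting, reversing and offsetting the demodulated bits to look for the reader's Facility ID and User ID), written out as an added example that is not part of the original thread. The 64-bit frame layout, the field widths and the values 75 and 4660 are constructed assumptions, not data from the tag.

```python
FLIP = str.maketrans("01", "10")

def frame_period(bits, min_len=16):
    """Smallest shift at which the capture repeats itself, i.e. the frame length."""
    for p in range(min_len, len(bits) // 2 + 1):
        if all(bits[i] == bits[i + p] for i in range(len(bits) - p)):
            return p
    return None

def find_value(frame, value, width):
    """Locate `value` as a `width`-bit field in one cyclic frame.

    Tries both polarities and both bit orders at every offset and returns
    (offset, inverted, lsb_first) for each match.
    """
    msb = format(value, "0{}b".format(width))
    if len(msb) > width:
        return []                              # value does not fit the field
    doubled = frame + frame[:width - 1]        # let a field wrap past the frame end
    hits = []
    for inverted in (False, True):
        stream = doubled.translate(FLIP) if inverted else doubled
        for lsb_first in (False, True):
            needle = msb[::-1] if lsb_first else msb
            hits += [(off, inverted, lsb_first) for off in range(len(frame))
                     if stream.startswith(needle, off)]
    return hits

def build_capture():
    """Constructed sample (not data from the thread): a 64-bit frame holding
    an 8-bit facility code 75 and a 16-bit user ID 4660, both LSB-first, sent
    with inverted polarity, repeated and cut mid-frame like a real read."""
    lsb = lambda v, w: format(v, "0{}b".format(w))[::-1]
    plain = "0000000001" + lsb(75, 8) + lsb(4660, 16) + "110100111010001011100101101001"
    return (plain.translate(FLIP) * 3)[5:185]

if __name__ == "__main__":
    capture = build_capture()
    period = frame_period(capture)
    frame = capture[:period]
    print("frame length:", period)
    for name, value, width in (("facility", 75, 8), ("user", 4660, 16)):
        print(name, find_value(frame, value, width))
```

Short fields such as 8 bits can match by chance, so a hit is only convincing when the wider field also lands at a consistent offset with the same polarity and bit order. No hit at any width means the value is not stored as a plain binary field in the frame.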
Any suggestions on how to move forward identifying this tag?
Would sniffing a valid read off the building or my USB reader add any new information?
Offline
First, start using the latest source from the RRG/Iceman repo for your RDV4. Ref: https://github.com/rfidresearchgroup/proxmark3
Then save and share a trace. Replace xxxx in the file name with any printed numbers on the tag/fob.
lf read
data save f lf_nrz_xxxxxx.pm3
Offline
Thanks for the response.
Unfortunately, everyone in the building uses the same fob. I'd only be comfortable giving a trace of it publicly if I could also then blacklist it in our system. However, that's not possible since it would kick everyone out.
I know. Not ideal.
If you're personally interested in the trace I'll take one when I'm back at the workshop and send it to you directly.
Offline
For more context:
I run a hackspace and we share a building with a number of other community organisations.
The organisation that runs the building is, like the rest of us, very budget constrained. As a result, the building security configuration is pretty basic. We have one fob authorised to open the building and that's it.
As such, each individual must pay around £10 to get a copy of that fob.
My goals:
Reduce the cost of copying fobs by doing it ourselves.
Add a second, unique piece of information to each fob.
Roll out an attendance system (already written) which would read this second unique id to uniquely identify people.
... and, of course, just get more experience with RFID.
So, ideally, I'll figure out the format and that format would support adding additional information to the fob.
But, even if I only manage to reduce the cost of copying fobs it's already a win for the larger group.
Offline