Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
This is just like Days of Our Lives (for the Americans), Eastenders (for the Brits) or Home and Away (for the Aussies).
Offline
This is just like Days of Our Lives (for the Americans), Eastenders (for the Brits) or Home and Away (for the Aussies).
Yes, I'm waiting for the part where one of the main characters falls in love with his/hers biggest enemy and has lots of little babies, or something like that.
Offline
Intro:
On today's show John will hear a knock on his door. Will it be the package he has been so eagerly waiting for? Will Adam's attempts to clone the fob actually pay off? And what will happen to John when his girlfriend finds out where the money has gone?
Stand by, guys. Season 1, episode 5 is about to begin.
Offline
I was going to hold back an update until I had the ACG working - but to be honest I think some people are just as excited as me to see if Adam's cards worked
I don't have a fob to enter my building (I broke it taking it apart to put it in my phone a year ago.... yeah... long story -_-; ), which means whenever I leave my flat I either have to buzz up and hope one of my flatmates is there (and awake!) or wait for someone else to enter/leave.
This looks very suspicious, which is funny really because I own my flat whilst 90% of the people who live here rent.
Anywho, if no one comes for a long time the concierge (door man) usually feels sorry for me and lets me in with his fob.
It's been this way for around a year - simply because I refused to buy a £100 RFID fob >_<
So you can imagine the look on the concierge's face when I opened the door today, without his assistance, by just holding the package he had just handed over to me up to the reader.
That's right - they work! xD
I've slipped one in my wallet (as it's the same dimensions as a credit card) and I just hold my wallet up to the reader and it unlocks instantly!
So happy! xD
The next step is to test out transit.py, with other valid and non-valid (x00 x00 x00 x00) UIDs.
Then - well, i'm done!
On to XERO!
As for the girlfriend situation:
Put it this way - her birthday's coming up soon. As soon as she remembered, she suddenly stopped nagging me about spending too much cash =P
Offline
WoW! How amazing is that! I'm ecstatic about this. Great work Adam! Really happy you found what you were looking for John. It really will pay off in the end. Best of all - you got your sex life back! Go get 'em boy!
Offline
YEAY! Partydance!
Great work you guys.
Incredible that in about 100 postings you guys managed to reverse engineer a system that took some company probably quite a long time to build.
CHEERS!
Tom
Offline
Excellent. Guess I'd better release the code then!
Offline
For whatever reason (and personally I believe it's because the PM3 hadn't warmed up yet), the mandemod of that trace was inverted. I have no idea why.
This should never happen as a Manchester decode is just taking a sequence of HI-LO (or LO-HI) transitions to codify a '1' or a '0', and because we're looking at transitions and not initial values, it's not possible to get them the wrong way around (which is why it's used in the first place!)... Consider the following sequence:
HI-LO-LO-HI-HI-LO-HI-LO-HI-LO-HI-LO-LO-HI...
Assuming we take the norm of LO-HI is a '0' and HI-LO is a '1', this reads as 101110.
If you chop off the first HI, the first transition is then LO-HI, so we read that as a '0'. The sequence then continues: 1110 etc. If you chop the first HI-LO off, you still get 01110 and if you chop HI-LO-LO off, you simply pick up the bit sequence at the first '1' instead of the first '0', so you get '1110'. You've lost data, but you haven't changed its meaning...
For this reason, I suspect the bug is in the 'mandemod' code (and it's even mentioned in the comments that the author believes there's an initialisation issue), and I think I've fixed it by making sure we are dealing with a whole sample before we start decoding, instead of one that may be only a partial or spurious HI or LO at the start...
John, if you could test it against your 'inverted' reads, that would be great....
Offline
Absolutely, I'd be happy to help
I'm a bit busy these next few days revising for two exams 7 days from now (UKCAT and GAMSAT, if anyone has done these I'd love some advice -_- ) but I'll make time to do this.
I have yet to use the ACG - that's how busy I am
Here's something to think about:
I asked some friends of mine whether or not they thought if it was okay to be making copies of residents' keyfobs, and they told me that while it could be a useful service for residents, it is probably illegal.
What do you guys think the legality of this is?
While efforts to reverse-engineer the processes behind this fob/reader were made, I used an analogy that whilst a lock company such as Yale or Kwikset might make a lock and patent that lock's design, it is still perfectly legal to make copies of Yale keys using keyblanks from an entirely different company.
I would have thought the same principle would apply, but even so, there are other issues for their reasoning, such as a decrease in security due to the availability of copies.
Although I personally believe that the decrease in security is negligible, I can't argue that it's not true. I have no way of determining who should own a key and who shouldn't.
For this reason, despite all our efforts, I will not be selling cloned key fobs.
But you don't get on a rollercoaster to see where it goes. I had a lot of fun and learnt a lot about LF RFID throughout this project.
I will go on to learn more about HF cards after my exams, and of course help Xero out any way I can.
All I'm saying is I might be a little inactive for the next week - and it has nothing to do with the completion of this project. :]
EDIT:
I forgot to mention something - would that example still work if the message was 1111111?
I think that would end up as 000000 as it would go from hi-lo hi-lo hi-lo..., to lo-hi lo-hi lo...
I'm probably wrong, I'm just interested as to why it wouldn't be so.
Last edited by John (2009-09-10 17:35:37)
Offline
That would only work as long as it was all 1 or all 0 bits. As soon as you hit a bit flip you'd end up with an illegal sequence of either LO-LO or HI-HI...
For example, this sequence only works if you start with the HI:
HI-LO-HI-LO-HI-LO-HI-LO-LO-HI
HI-LO 1
HI-LO 1
HI-LO 1
HI-LO 1
LO-HI 0
If you chop off the first HI, you get:
LO-HI-LO-HI-LO-HI-LO-LO-HI
LO-HI 0
LO-HI 0
LO-HI 0
LO-LO Sequence error!
Offline
As far as legality goes, IANAL, but one thing is very clear here - the companies making the fobs and selling the security systems are perfectly well aware that they can be trivially cloned, and that the tools to do so are readily available. The Q5 tag (amongst others) is sold by the same industry to its resellers, for the purpose of creating fobs with arbitrary UIDs, as is the software to configure them. The only difference between RFIDIOt/PM3 and their software/hardware is the cost...
Offline
Ahhh, i see...
Well, as you say, the only way to know for sure what's going on is for me to compare the plots of a normal mandemod and an inverted mandemod and see what the differences are. If there's a slight pause, or a wave not hitting the max (btw, that amp program would be mega useful if it were part of the main Proxspace package!), then it would be obvious what's causing the error.
I've got a few hours now before I go to bed - I'll look into it right away :3
Back to the issue of legality - personally I think you're right. The real criminals are the people who charge £100 for me to enter my own home. I don't have a choice whether or not to pay it, nor do I have the ability to shop around.
They have a monopoly on access to my own flat - and they can charge 9,999% profit (probably more, those read-only cards probably cost well under what the Q5 costs in bulk) because of it.
I paid them once to install the system, I pay them more to maintain it, and I pay them again just to use it!
I bet if you had to pay money for a tool that lets you ride the elevator, people would be outraged (and even then they at least have the option to use the stairs!)
~phew~ I'm ranting.
I'll go and check these plots. That will cool me down -__-;
Offline
I was on the way back from a conference last night and had to spend a couple of hours at the airport, so I knocked up this handy (I hope) script... It will take a number of unknown base, and search for it in a bitstream, forwards, backwards and inverted. Here is how it behaves with John's original sample:
$ ./findbits.py 99531670 1111111111111111101100110101011001110100110001111000010010000110
Trying DECIMAL
Forward: (101111011101011101110010110) Not found
Reverse: (011010011101110101110111101) Not found
Inverse: (0000000000000000010011001010100110001011001110000111101101111001)
Forward: (101111011101011101110010110) Not found
Reverse: (011010011101110101110111101) Not found
Trying HEX
Forward: (10011001010100110001011001110000) Not found
Reverse: (00001110011010001100101010011001) Not found
Inverse: (0000000000000000010011001010100110001011001110000111101101111001)
Forward: (10011001010100110001011001110000) *** Match at bit 17: 00000000000000000<10011001010100110001011001110000>111101101111001
Reverse: (00001110011010001100101010011001) Not found
and here is the usage:
$ ./findbits.py
./findbits.py - Search bitstream for a known number
Usage: ./findbits.py <NUMBER> <BITSTREAM>
NUMBER will be converted to it's BINARY equivalent for all valid
instances of BINARY, OCTAL, DECIMAL and HEX, and the bitstream
and it's inverse will be searched for a pattern match. Note that
NUMBER must be specified in BINARY to match leading zeros.
Note that it hasn't been thoroughly tested, but I'll add it to the tools section of the repo.
Offline
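The search findbits.py performs, re-implemented here as an added illustration (not Adam's script from the RFIDIOt repo): the number is tried in every base it is valid in, and the bitstream and its inverse are searched forwards and backwards. The UID and 64-bit trace quoted above are embedded as constructed sample input.

```python
"""Search a bitstream for a number of unknown base, as findbits.py does
(added illustration, not Adam's script from the RFIDIOt repo).

The number is interpreted in every base in which it is valid, and both the
bitstream and its inverse are searched forwards and backwards. The sample
values below are the ones quoted from John's trace in the post above.
"""

BASES = (("BINARY", 2), ("OCTAL", 8), ("DECIMAL", 10), ("HEX", 16))


def to_bits(number, base):
    """Binary string for NUMBER in BASE, or None if not valid in that base.

    In BINARY the digits are used as written, so leading zeros survive;
    every other base loses them, which is the caveat in the usage text.
    """
    try:
        value = int(number, base)
    except ValueError:
        return None
    return number if base == 2 else format(value, "b")


def invert(bits):
    """Flip every bit of the stream (the 'Inverse' line in the output)."""
    return bits.translate(str.maketrans("01", "10"))


def mark(stream, pos, length):
    """Render a hit the way the script does: prefix<match>suffix."""
    return "%s<%s>%s" % (stream[:pos], stream[pos:pos + length], stream[pos + length:])


def find_bits(number, bitstream):
    """Return (base, stream label, direction, offset, pattern) for every hit."""
    hits = []
    for name, base in BASES:
        pattern = to_bits(number, base)
        if pattern is None:
            continue  # not a valid number in this base, skip like the script
        for label, stream in (("normal", bitstream), ("inverse", invert(bitstream))):
            for direction, pat in (("forward", pattern), ("reverse", pattern[::-1])):
                pos = stream.find(pat)
                if pos != -1:
                    hits.append((name, label, direction, pos, pat))
    return hits


# Constructed from the values quoted in the post: John's UID and the 64-bit trace.
NUMBER = "99531670"
BITSTREAM = "1111111111111111101100110101011001110100110001111000010010000110"

if __name__ == "__main__":
    for name, label, direction, pos, pat in find_bits(NUMBER, BITSTREAM):
        stream = BITSTREAM if label == "normal" else invert(BITSTREAM)
        print("%s %s %s: match at bit %d: %s"
              % (name, label, direction, pos, mark(stream, pos, len(pat))))
```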
Hello again! :]
I've had some time recently to have a play with the ACG, and I can confirm that transit.py works 100%!
You need to make sure that you're using the absolute latest version of RFIDIOt if you're using a Windows system - else the LRC might be wrong, but other than that it's great
So I tried using 'special' IDs to see if there were any obvious backdoors in the system. I tried:
00000000
01234567
12345678
99999999, and
FFFFFFFF
Fortunately, none of these worked.
I also tried adding/subtracting 1 to the IDs I know work. Again, no go.
I then thought about bruteforcing, and how long that might take - I worked out that to try all the IDs in 24 hours, it would need to try around 11500 IDs per second - not going to happen. I don't know how fast the proxmark could spew out CORRECT tag bitstreams if the FPGA could be programmed to do so, but it would probably be way less than 100/second.
I figured that the chances are that these IDs aren't generated randomly though - there's probably some sort of pattern to it.
I don't mean that the PRNG isn't random enough - I can't generate enough data to prove that at all (at max I could have 20 tags)
But I think it might have something to do with time... the time that tag was made... or the date - with the last 3 digits being sequential/random:
04008064
030249BB
99531670
05015749
Does that look like a year as the beginning two digits? Then perhaps the next digit could be the month, and then the next two the date?
If that were the case, it would *seriously* reduce the number of IDs that are possible.
It would be the number of days since 99001 (Jan first '99) times 4095 (000-FFF), which is around 18 million. This is a LOT less than 1 Billion
To try all possible numbers would take a day at 200 IDs per second - however, as we're looking for fobs which *have* been made, the chances of finding a correct key is proportional to the number of IDs in the system.
My block of flats has around 300 apartments, and if everyone has two fobs each - then it makes sense to say that there are some 600 fobs in the access system.
This would mean you would estimate that at 50 IDs per second, the average amount of time it would take to stumble upon a correct UID would be around 10 minutes for my block of flats.
Of course, if you knew when the access system was built you could seriously increase the chances of guessing the right ID.
If it's in the last 5 years, you would have a lot fewer IDs to try indeed.
Okay - so it's a long shot... but look at it this way - what is the chance of the first two digits all being between 99 - 09 ? - 1 in 10782039 (25.5 ^ 5, as the chance for one is 1 in 25.5)
What's the probability of the fourth and fifth digits being between 0-31 five times in a row? 1 in 32133.
The probability of BOTH happening?
One in 346 trillion.
Okay, so I Da Vinci code'd it a bit by looking for patterns which might not really be there. But still! 346 Trillion is very very very unlikely.
If someone knew how many times 64 bits can be pushed out per second when the clock rate is 32 and the frequency is 250Mhz, then I'd be very happy to know! Because if it's 50+ this really could be a viable weakness in this access system (and other access systems like it).
Anyway, just a thought. I need some sleep now -_-;
Offline
Hello again! :]
But i think it might have something to do with time... the time that tag was made... or the date - with the last 3 digits being sequential/random:
04008064
030249BB
99531670
05015749
Does that look like a year as the beginning two digits? Then perhaps the next digit could be the month, and then the next two the date?
This means that no fobs would be able to be given out in October, November and December, since they have two-digit month numbers which will not fit your algorithm.
--Ralph
Offline
Hehe, I really didn't expect anyone to read that, let alone think about it. I'm impressed that you're not put off by large volumes of text.
I thought the same thing about the months as you, which got my hopes up for a bit.
Then I remembered that this is hex and not decimal, so it's 0-F not 9.
0 - Jan
1 - Feb
...
9 - Oct
A - Nov
B - Dec
Still could work right?
I dunno... You'd need a hell of a lot more fobs to be certain.
Offline
Hehe, I really didn't expect anyone to read that, let alone think about it. I'm impressed that you're not put off by large volumes of text.
I thought the same thing about the months as you, which got my hopes up for a bit.
Then I remembered that this is hex and not decimal, so it's 0-F not 9.
0 - Jan
1 - Feb
...
9 - Oct
A - Nov
B - Dec
Still could work right?
I dunno... You'd need a hell of a lot more fobs to be certain.
Well if it's hex then the first two digits can be years because '99' wouldn't make sense..... and presuming that years would be expressed in base 10 whereas months would be in base 16 is a bit far-fetched..... I'd be very surprised if that's the case :-)
Do you know when you (or your neighbours) got your fob and does it fit with the algo?
Cheerio!
Offline
Hey John,
Did you eventually come to the conclusion that the faulty tags were actually faulty cause I have a sus feeling that the building manager is trying to make money on these tags. My gut feeling is that whenever he is bored he picks you guys like flies and deletes fob UIDs off the system. After all, these fobs are meant to last something like 200 years!
Offline
Heheh... oooh that would be devious. Even for my building manager that would be particularly low
Unfortunately (because it would have otherwise made a great story), my tag is definitely broken. When I read it with the proxmark it was not giving out a proper bitstream at all.
The proxmark must have blown it, or put it into a factory setting... or something. There's a trace of its output somewhere in this thread.
How is cloning your project working out? I'm currently looking through the forum to find something about it
Offline
Err, lol, speaking of blown circuits - my brain got a little confused during that last sentence.
What I meant to say was - How is your project (cloning your key fob) going? What's the next step for you?
Offline
Hey John,
Sorry it's taken so long to reply. I've been procrastinating all this time. Thanks 4 your email - heart warming. I also bought an ACG LF reader from Adam not long ago and I think it's time to start playing with it. Tell me.. did you get your reader working? I mean, was it straightforward for you cause I have no idea where to start. I thought it's just a matter of plugging the damn thing in but there's a lot more to it. Let me know how things are.
Your friend,
Xero.
Offline
Ahhh, no exactly no. -_-;
I had a real problem getting the right dependencies for the right version of python, not to mention compiling one of the dependencies in windows was a real PITA.
I did eventually figure it all out, and to be honest it's not that difficult when you know what you're doing - but as I've never coded in python I found it more confusing than it needed to be
I would be happy to point you in the right direction and get it all set up in under 5 minutes
I'm not at a computer right now (using my phone) but I'll get all the links for you when I get back home. In the meantime, uninstall anything python related so we can start afresh with no variables.
Offline
Ok John. Which reader did you buy from Adam? Was it the L&HF ACG or just the LF like mine? I also got the Omnikey 5325 as well - just in case. I'm starting a collection of readers. My initial goal is to be able to program the Q5 cards using FSK modulation. How that's done - I don't know. Maybe somebody here has a few pointers and would like to help. In the meantime I'll do some googling on Q5 cards and see if there is a program out there already which will help me write in different modulation schemes. Stay tuned.
Offline
I have the LF only one. Planning on getting that omnikey sometime soon though too!
Perhaps we should make a new thread about cloning cards with the Q5, and then later again perhaps for the HF rewriteable HID cards.
I never got to my computer yesterday, so it'll have to be this evening for the how-to-RFIDIOt
Offline
Making a new Q5 adventure thread sounds good. These cards are awesome in that they can be programmed to replicate almost all modulations. The challenge is how it's done. Adam's python script allows us to program using ASK which is a great start. I need to figure out how FSK should be done. Then there's PSK and so on. Even timing can be varied. Really amazing card and not much has been explored or mentioned about it in this forum. Where to start John??
Edit.
While you're here take a look at www.rfdump.org This may be of help to us.
Edit Edit.
Maybe not. At the moment it only works with HF readers --+ Damn.
Last edited by XEROEFFECT (2009-09-30 15:03:18)
Offline
Ahh, I've had such a crappy day today >_<
Fortunately, I have all of tomorrow off mate so we can start exploring Q5 then if you like :]
You're absolutely right - we're only using a 10th of the potential of the Q5. I really want to see what it can do down the line...
perhaps even unlock several door systems with one card? We will have to find out.
But yeah.... -yawn- ...it's been a long day for me today. See you tomorrow =]
Offline
Yup - but that was 5 years ago
I live in Germany now, and while I still have my Proxmark somewhere in the attic, I'm sure there are other/newer tools out these days to do the same thing.
What kind of help do you need?
Offline