Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2014-12-20 18:34:36

Upgrade
Contributor
Registered: 2014-12-14
Posts: 36

Decoding Cloning Guardall/Verex Key Fob

I'm trying to decode and clone this verex/guardall fob

Still pretty new at PM3 so bare with me!

Did following:
lf read
data samples 20000
data save c:\verex.pm3

Link to trace: http://www.filedropper.com/verex

Steps to decode and clone?  Can I use the FC and GX to clone? Thank you very much in advance!

Last edited by Upgrade (2015-05-22 08:02:40)

Offline

#2 2014-12-20 19:37:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

these tags use a form of encryption.  see http://www.proxmark.org/forum/viewtopic.php?id=1459.

there is no function in pm3 to demod the ask wave to binary that works that i know of. (though i will be working on it soon)

also with the encryption there is no way without the algorithms to take the fc and gx and calculate the bits needed for cloning.
however, with the captured data it is possible to clone as the encryption is not based on a uid.

Edit:  the most recent github code now has the following commands that can demod the raw xored data:
data rawdemod ar
data biphaserawdecode

It appears the 11111 is the start or stopping bits of the data.

Last edited by marshmellow (2015-02-25 05:35:12)

Offline

#3 2014-12-22 11:48:51

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

5WshCYt.png
Hi Upgrade!
Code card is
66 7f 76 66 66 A5 36 C2 66
Swap nibbles
66 F7 67 66 66 5A 63 2C 66
XOR operation
00 91 01 00 00 3C 05 4A 00 
00 91 01 00 00 3C 05 4A 00
BIN CODE
100100 01 0000000100000000 000000000011110000000101010010100000 0000

FC30 = 11110
10832 = 00000010101001010000

Offline

#4 2014-12-22 13:25:03

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

If I am not mistaken in the calculations...
Record these blocks in Temik will give you a copy of the card
block 0:  00150060  -> bit rate 64cpb  ;Direct modulation, Bifaze;3 block
block 1:  319CF718
block 2:  C6318AA6
block 3:  1864319F

Offline

#5 2014-12-22 23:45:31

Upgrade
Contributor
Registered: 2014-12-14
Posts: 36

Re: Decoding Cloning Guardall/Verex Key Fob

Sentinel, could I ICQ or skype you?

Offline

#6 2015-02-23 16:12:22

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: Decoding Cloning Guardall/Verex Key Fob

Sentinel wrote:

If I am not mistaken in the calculations...
Record these blocks in Temik will give you a copy of the card
block 0:  00150060  -> bit rate 64cpb  ;Direct modulation, Bifaze;3 block
block 1:  319CF718
block 2:  C6318AA6
block 3:  1864319F

Hi Sentinel,
I am a newbie. Pls forgive me if I am asking stupid questions.

How do you calculate the block 1, 2, 3? Thanks

Offline

#7 2015-02-24 13:03:03

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Decoding Cloning Guardall/Verex Key Fob

Lenox wrote:
Sentinel wrote:

If I am not mistaken in the calculations...
Record these blocks in Temik will give you a copy of the card
block 0:  00150060  -> bit rate 64cpb  ;Direct modulation, Bifaze;3 block
block 1:  319CF718
block 2:  C6318AA6
block 3:  1864319F

Hi Sentinel,
I am a newbie. Pls forgive me if I am asking stupid questions.

How do you calculate the block 1, 2, 3? Thanks

You can find more details here : http://www.proxmark.org/forum/viewtopic.php?pid=13323#p13323

Offline

#8 2015-02-24 20:12:56

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: Decoding Cloning Guardall/Verex Key Fob

The following the reading from a Verex Fob.
FC: 30 GX1002: 28417

proxmark3> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag         
Checking for known tags:
Using Clock: 64 - Invert: 0 - Bits Found: 250         
ASK/Manchester decoded bitstream:         
1011111010001000         
0101110111101000         
1001011111000101         
0111011110110101         
1110111100000010         
0001011100111001         
1011111010001000         
0101110111101000         
1001011111000101         
0111011110110101         
1110111100000010         
0001011100111001         
1011111010001000         
0101110111101000         
1001011111000101         
No Known Tags Found!
proxmark3>

Just do not know how to calculate the value for the block 1, 2, 3 etc.

Offline

#9 2015-02-24 20:21:16

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

Probably doesn't matter where you start, just as long as you get the entire repeating bitstream

Offline

#10 2015-02-24 20:27:16

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: Decoding Cloning Guardall/Verex Key Fob

0001 0101 1101 1110   15DE
1101 0111 1011 1100   D7BC
0000 1000 0101 1100   085C
1110 0110 1111 1010   E6FA
0010 0001 0111 0111   2177
1010 0010 0101 1111   A25F

That is the pattern I can find. But what 's next?  Thanks.

Offline

#11 2015-02-24 22:18:37

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

hi Lenox
Coding Guardall card not "ASK/Manchester"
Post *.mp3 , and I will try to decode

Offline

#12 2015-02-24 22:24:16

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

Or use command 
data biphaserawdecode [offset] [invert] - just biphase decode (need to askrawdemod first)

Offline

#13 2015-02-24 23:48:24

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: Decoding Cloning Guardall/Verex Key Fob

Sentinel wrote:

hi Lenox
Coding Guardall card not "ASK/Manchester"
Post *.mp3 , and I will try to decode

Thanks for your quick response.

This is the investigate file: http://www.filedropper.com/investigated-verex

Meanwhile I will try to learn how to decode it. So much fun....

Offline

#14 2015-02-25 03:47:03

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

is there a card number printed on the tag?  is it 1777?

Sentinel is correct - depending on pm3 os version you need to
data askrawdemod - data biphase
to get the bitstream

or for latest github version
data rawdemod ar  -  data biphase

while the correct demod is ask/biphase I'm not convinced a tag couldn't be emulated with ask/man since there were no errors in the manchester decoding, as long as you used the correct config settings for ask/man it should output an identical wave to the biphase one.  but some tags may create errors in the manchester demod making those impossible to emulate with ask/man.

Last edited by marshmellow (2015-02-25 03:53:23)

Offline

#15 2015-02-25 04:16:51

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: Decoding Cloning Guardall/Verex Key Fob

marshmellow wrote:

is there a card number printed on the tag?  is it 1777?

The wrinting on the fob:  Verex FCC ID: ELVUTOA  GX1002 FC: 30  28417
I am using the latest windows client :pm3-bin-0.0.7

Offline

#16 2015-02-25 04:37:23

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

On 0.0.7 then the first two data commands will get the bitstream.  askraw and biphase.   
And I missed a word when converting the ID, I now get 28417.

Look for the 11111 in the bitstream.  It is the starting point (or ending point based on sentinels info above.)

Last edited by marshmellow (2015-02-25 05:26:05)

Offline

#17 2015-02-25 16:06:06

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: Decoding Cloning Guardall/Verex Key Fob

Wow!  It works!
Marshmellow, Sentinel, app_o1: Thanks a lot for your help. You guys are awesome. smile

Offline

#18 2015-02-25 22:20:34

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: Decoding Cloning Guardall/Verex Key Fob

marshmellow wrote:

On 0.0.7 then the first two data commands will get the bitstream.  askraw and biphase.   
And I missed a word when converting the ID, I now get 28417.

Hi Marshmellow, I have a newbie question if you do not mind.

Where do you see the ID number: 28417? Which step?

Thanks,

Offline

#19 2015-02-25 23:07:10

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

follow the steps in post #3 of this topic

or see: http://www.proxmark.org/forum/viewtopic … 731#p10731 for great picture done by sentinel

Last edited by marshmellow (2015-02-25 23:15:27)

Offline

#20 2015-02-26 00:00:47

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

tThr2MO.png
EC D5 EC EC EC 2F 34 E2 EE
CE 5D CE CE CE F2 43 2E EE
00 93 00 00 00 3C 8D C2 02

Last edited by Sentinel (2015-02-26 00:38:28)

Offline

#21 2015-02-26 00:04:53

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

marshmellow, my result is not 28417 (( were mistake ?

Offline

#22 2015-02-26 00:06:56

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

night sleep is necessary, but not decode card smile

Last edited by Sentinel (2015-02-26 00:41:54)

Offline

#23 2015-02-26 05:37:20

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

sentinel made 2 small mistakes. (probably due to lack of sleep tongue )

EC D5 FC EC EC 2F 3C E2 EE
CE 5D CF CE CE F2 C3 2E EE (word swap)
CE CE CE CE CE CE CE CE CE (xor key)
00 93 01 00 00 3C 0D E0 20 (after xor)
-- 100100 11 0000000100000000 0 00000000011110 00000110111100000001 0 0000  (binary)
-- -36bit cs ---------------- p ------FC------ --------Card-------- p ????

Offline

#24 2015-03-10 02:59:08

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

The latest github code now includes a demod for this in lf search, or through the command data askgproxiidemod (after a lf read and data samples)

Offline

#25 2015-05-07 20:02:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

The data you got is actually the same repeating raw pattern

Notice it says it did not find any tag type it recognized so it cannot identify the start point.

Offline

#26 2015-05-07 20:15:57

Upgrade
Contributor
Registered: 2014-12-14
Posts: 36

Re: Decoding Cloning Guardall/Verex Key Fob

I'm confident its a gprox key.

Is there a recent firmware that I'm not aware of?

Last edited by Upgrade (2015-07-12 08:02:39)

Offline

#27 2015-05-07 20:23:58

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

You are using an older build, I can tell from the output.

Offline

#28 2016-02-25 14:56:43

Cardedit
Member
Registered: 2016-02-25
Posts: 8

Re: Decoding Cloning Guardall/Verex Key Fob

I know there's a mention that the Chubb readers will only respond to a certain parity. I'm assuming that had to do with the "lock code" feature. Is it in fact the parity that controls this?  New to forum! Thanks

Offline

#29 2016-02-25 16:13:13

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

besides the xor obfuscation there is a 2 bit checksum or parity that is of an unknown calc, which makes guessing card numbers you don't have trial and error.  if these are not correct the reader will ignore the tag.

none of it protects from a direct clone.

Offline

#30 2016-02-25 16:28:37

Cardedit
Member
Registered: 2016-02-25
Posts: 8

Re: Decoding Cloning Guardall/Verex Key Fob

so would it be somewhat possible to encode a blank card to work with a "locked" reader?

Offline

#31 2016-02-25 16:39:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Decoding Cloning Guardall/Verex Key Fob

maybe the keyfob is a t55x7 tag...

Offline

#32 2016-03-01 17:16:45

Cardedit
Member
Registered: 2016-02-25
Posts: 8

Re: Decoding Cloning Guardall/Verex Key Fob

So if I wanted to encode a card with just a random ID and have it read by the reader do you figure it would be possible?

Offline

#33 2016-03-01 17:35:01

Cardedit
Member
Registered: 2016-02-25
Posts: 8

Re: Decoding Cloning Guardall/Verex Key Fob

Id be curious to figure the format out.

Here's what know so far. When a box of the cards ships to the customer, a chart chips with them that has the printed card number on the side of the card compared to what will actually show up in the system. Most end customers don't use that chart, they just swipe at a reader, and add the card from whatever number shows up.

Id be very curious to see if it is just the facility code that prevents a card from being read at a reader if its not the same... I do have access to readers, and a box of cards.

Offline

#34 2016-03-01 20:23:41

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

most readers will read any valid tag, it is the access system that rejects incorrect facility codes or invalid card numbers.  if you have a proxmark and can share some traces of your cards (lf read   ...  data samples   ...   data save tracename.pm3 )  we could look into what is yet unknown about this format.

Offline

#35 2016-03-20 15:00:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Decoding Cloning Guardall/Verex Key Fob

There has been working code out since a couple of weeks already,   don't know if its in PM3  master yet,   me & marshmellow did it, so you will find in our forks.

There is only one issue with it.  a 2-bit parity checksum,   which is not figured out yet.
meaning you will make for 4different version of your clone at the most to find the one that works.

pm3 --> lf guard
help             This help
read             Attempt to read and extract tag data
clone            <Facility-Code> <Card Number>  clone Guardall tag
sim              <Facility-Code> <Card Number>  simulate Guardall tag
pm3 -->

Last edited by iceman (2016-03-20 15:01:01)

Offline

#36 2016-03-21 23:02:33

Cardedit
Member
Registered: 2016-02-25
Posts: 8

Re: Decoding Cloning Guardall/Verex Key Fob

So Jeff1551, is it a Chubb gprox card or not? Perhaps a picture?

Iceman - I do have cards and reader available, however I'll have to order a Proxmark unit to capture the info you need. I can send you the data from maybe a dozen of the Chubb cards, maybe we can find a pattern?

Cheers!

Offline

#37 2016-03-21 23:06:58

Cardedit
Member
Registered: 2016-02-25
Posts: 8

Re: Decoding Cloning Guardall/Verex Key Fob

The thing about the Gprox II cards is that they have two variations, the Chubb ones have a certain lock code, where as the others don't. It basically means that the Chubb cards can only be read at a Chubb reader, the others can be read at any gprox II reader. Any regular gprox II reader can be converted to a Chubb reader by passing programming cards in front of it. Once the reader is converted, no changing it back. My issue is that I have readers, but need to be able to create or program card with the Chubb lock code so that they can be used in a system (Chubb doesn't sell just cards). Similar issue to jeff here, but not exactly the same.

Let me know how I can help! Cheers

Offline

#38 2016-03-21 23:53:21

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

Cloning a tag is easy.  Creating a new ID from just an ID number takes a couple tries...

Offline

#39 2016-03-22 01:38:32

Cardedit
Member
Registered: 2016-02-25
Posts: 8

Re: Decoding Cloning Guardall/Verex Key Fob

What card would you encode the data onto? Any way of just modifying a card to make it work? Again I'm not sure what the reader looks for when making a decision wether to acknowledge the card or not

Offline

#40 2016-03-22 07:06:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Decoding Cloning Guardall/Verex Key Fob

@Cardedit , If you can read cards and sniff traffic between reader & card,   and upload somewhere then we can have a look at the 2-bit parity problem.

Offline

#41 2016-03-23 00:08:14

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

A t55x7 would do.  And yes it could be reused.

Offline

#42 2016-04-01 08:22:23

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

Unfortunately, to generate complete code card is not enough to choose the 2-bit parity sad Byte, which is used at the beginning, for the XOR operation also participates in the checksum. So, it is necessary to select the 10 bit. I have collected from the microcontroller unit and reader VEREX. And now you can brute force select the 10-bit. If it is necessary to calculate the card, write the number, and I'll pick the 10-bit
see http://www.proxmark.org/forum/viewtopic.php?id=1459
Example 40-bit cards:
CODE 0000000001
0 0x00150060
1 0x3BDEA7BC
2 0xEF3BCEF3
3 0xBCEF7BDF

CODE 0000000002
0 0x00150060
1 0x2258C624
2 0x89224892
3 0x2489025F

CODE 0000000003
0 0x00150060
1 0x335C8734
2 0xCD334CD3
3 0x34CD535F

Offline

#43 2016-04-01 13:01:46

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

@jeff1551
It is not clear, what kind of video you want to see?

Offline

#44 2016-04-01 13:38:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

@sentinel, are you saying the xor key is calculated and not just random?  What would it be calculated from, the tid?

Offline

#45 2016-04-02 06:26:28

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

@marshmellow: "xor key" and 2 bits for each card is a unique combination. Microcontroller emulates cards with speed 0.3 sec. Thus for ~5 minutes, you can go through 1024 combined.

Offline

#46 2016-04-02 06:41:37

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

@jeff1551: if you have a card Guardal, it can be very easy to copy using proxmark. If you only have the card number, it is also possible to do it, but more difficult. because it will be necessary to pick up 1024 options. In any case, you will need proxmark.

Offline

#47 2016-04-02 07:04:20

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

as I wrote, for me no trouble, start the calculation of 1024 for your card number and the length of Wiegand

Offline

#48 2016-04-02 14:15:21

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Decoding Cloning Guardall/Verex Key Fob

Sentinel wrote:

@marshmellow: "xor key" and 2 bits for each card is a unique combination. Microcontroller emulates cards with speed 0.3 sec. Thus for ~5 minutes, you can go through 1024 combined.

Meaning there is only one valid xor key and one valid 2 bits for each wiegand data?

Offline

#49 2016-04-02 17:38:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Decoding Cloning Guardall/Verex Key Fob

I'm also curious about how the xor-key relates to the 2bit parity.   Is it crc-10 or a custom ?

Offline

#50 2016-04-02 18:27:48

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Decoding Cloning Guardall/Verex Key Fob

@marshmellow
@iceman
Reader G-Prox II understands only 1 of the 1024 options.
Unfortunately, I can't understand how the G-Prox generates these 10 bits.
I have a quite large table with accurate 10 bit CRC(?). but after a few days of work, I abandoned this puzzle.

Offline

Board footer

Powered by FluxBB