Software PSK Decoding

ryan · 2009-07-28 18:49:22

Can anybody point me to any good documentation on the proper way to decode a PSK-encoded signal in software? I'm trying to implement a generic pskdemod function for the pm3, but I want to ensure that the way I'm doing it is robust and doesn't just happen to work on the few psk traces I have.

XEROEFFECT · 2009-07-31 09:56:26

Hey Ryan,

I am trying to decode a key fob made by a company called Keri with psk-3 modulation and don't know where to start. So far, all I have thrown at it has failed. I have uploaded my trace called keri.pm3 here

http://www.proxmark.org/files/index.php?dir=Uploads%2F

Information on the fob itself can be found here

http://www.kerisys.com/pages/products/psp/psk-3.asp

Do you have any info you could share with me regarding PSK modulation and how to go about decoding it?

Thank you.

ryan · 2009-07-31 15:18:28

Do you have any documentation stating that the fob actually uses phase-shift keying for modulation? It looks to me like PSK is a product name, and that doesn't necessarily imply that the underlying modulation of the comms is PSK.

The only reason I ask is that when I compare it to examples of modulation schemes found on the web, your trace seems to look more like FSK than PSK. To me it looks more like this:

http://upload.wikimedia.org/wikipedia/c … sk.svg.png

Than this:

http://www.pctechguide.com/images/61psk.gif

XEROEFFECT · 2009-07-31 16:42:58

Come to think of it...... Your right. When I look at hexsamples on my tag in google code it corresponds with FSK, here's the link

http://code.google.com/p/proxmark3/sour … n149&r=149

Why the hell I cant decode it??

I have exactly the same fob as in the data sheet. I guess maybe they come in different mods.

Last edited by XEROEFFECT (2009-07-31 16:45:40)

d18c7db · 2009-08-01 04:25:06

Bud, that waveform is definitely FSK, there are 8 and 10 cycle periods, same as an HID tag modulation. because of that, if you run it through fskdemod, the pulses become obvious, each pulse has a duration of 50 cycles (turn on grid 50). After that it's a piece of piss to see that the data is a set of nine 10000000 (possibly a sync pattern) followed by 56 bits of data 10100000000000001011010110100110000100011000000000000000 which is hex A000B5A6118000.

If that data was manchester decoded you'd end up with 28 bits which would be close to what you want but it's not manchester. As to how you map this to the number printed on the tag, I dunno and frankly it probably doesn't matter.

If you were to create a routine to simulate your tag with the PM3, look at what I did for hidsimtag, it should be trivial for you to copy that function and adapt it. You don't need to manchester encode that data, just send out the bit pattern including the sync pattern.

I'm going back to my hangover now...

Oh BTW, what's your address, now that I have the key for your apartment bulding?

Last edited by d18c7db (2009-08-01 04:32:19)

XEROEFFECT · 2009-08-01 09:29:25

psssssssssst d18c7db, how can I add your graph command onto my pm3? im at work @ the moment and left my baby home...... so I cant experiment right now.... do i have to flash anything again?? at the moment i have 20090713. I noticed your grid came into effect on the 20/07/09. Please provide some instructions for the dumb ones in here, like myself, who find even the simplest things challenging.

God bless your cotton socks.
May you live to 100!

Last edited by XEROEFFECT (2009-08-01 09:31:28)

XEROEFFECT · 2009-08-01 09:34:08

Oh, and by the way, Im still trying to analyse how you got those numbers....... how long did it take you to figure it out??

duran97 · 2009-08-01 09:48:27

Xeroeffect, given that you're problem is that you need an extra tag to access you're apparentment, is one of the people going to be carrying a PM3 around to open the door? Just wondered .....

XEROEFFECT · 2009-08-01 11:01:25

Hello Duran,
I missed you

I think it would look sus carrying pm3 around..... especially when theres cameras everywhere...... I could on the other hand offer my tag and carry PM3 instead. It's so small and cute

I love the challenge of trying to decrypt whats on the tag.... Duran... how do you think d18c7db compiled all those 1's and 0's? Did he look at the google code page and analyse the data with pen and paper- like i'm trying to do?

Whats your expert opinion?

henryk · 2009-08-01 12:32:14

Note that it's not actually necessary to carry around a pm3 just to emulate the tag. Basically all tags that can be read with loread can be emulated by a simple 3 part circuit and an audio player (e.g. iPod; although a mobile phone with audio playing capability should work, if you can find the right connector). See the slides to my talk Analyzing an unknown access control system

d18c7db · 2009-08-01 13:49:50

Oh you're not supposed to look at the raw data and analyse it with pen and paper. That's what the plot window is for.

Load the data in the graph and at a glance you can tell something about it. Zoom in and out and see the patterns, find out if the pattern repeats, figure out how long the pattern is by using the cursors. Zoom all the way in and see how many samples make a cycle of the waveform. Are they all the same of are there waveforms with different cycles (frequencies). Decode it with some function like I did with fskdemod and see if the result makes some sense. If you get reasonably looking higs and lows, look at the duration of the shortest highs and shortest lows, that often tells you how long a bit duration is.

It probably took me between 5 and 10 mins to analyse your waveform especially when I saw it was fsk and the modulation matched the HID tags so I already had fskdemod to demodulate the waveform.

XEROEFFECT · 2009-08-01 14:41:45

Thanks Henry....... your slides really are awsome and I've put that on my 'To Do' list. Imagine that hey....... using an Ipod.... PFFFFFT...... what security?

Hey, d18c7db, how to load your graph? What do I need to get it up......please feed me...... i'm hungry.

Thanks D1

Last edited by XEROEFFECT (2009-08-01 14:55:13)

samy · 2009-08-01 19:06:37

XERO, start with an existing tag that we've decoded and learn how the entire process works.

Take one of the EM4102 traces from the traces dir and follow the LF tutorial that Ed put together. Sure, follow all the steps to decoding, but I would recommend *understanding* what everything does afterwards (the askdemod, how he figured everything out, etc). In fact, I would take one of them and try to decode it entirely manually. Afterwards, read about every function that exists.

Sure, we've built features to reduce the amount of manual labor but you're going to be stuck within the few functions we do have built unless you really understand what's going on. Our functions don't do everything (yet), so sometimes there will be a bit of manual labor.

We'll be happy to help but you need to learn the basics first.

d18c7db · 2009-08-01 23:19:01

Yeah you have to do your homework, go to the wiki and read this then read this section at least.

XEROEFFECT · 2009-08-02 02:01:06

Thank you d18c7db and Samy, You rock my world!!

I will go back to the drawing board and drill my head with these functions until I can understand the basics.

Maybe, seeing you now have my appartment key, you guys could come over for coffee and teach me few things......

Happy Sunday everyone!!

XEROEFFECT · 2009-08-03 04:31:19

d18c7db, I have read a lot of materials, manuals- you name it........ Im not good when it comes to programming side of things and I really need your help on this one.

you wrote:

'Decode it with some function like I did with fskdemod and see if the result makes some sense'

How come I don't have the command FSKDEMOD when I am currantly flashed to the recent Jul 13 2009??

I'v been looking for your grid function everywhere..... I can see it on the wiki page under updates.... but it's all source code. What do I do with it??

Please help me.

Your dumb friend,
Xero

Last edited by XEROEFFECT (2009-08-03 04:37:21)

d18c7db · 2009-08-03 06:03:49

These commands must be typed in the command window that comes up when you run "prox gui", make sure the PM3 is attached via USB, then all the commands are available. The commands must be typed in lowercase so stay away from the n00b CAPS LOCK. Type help to see all the commands available.

To get the plot window up type plot. After the plot window comes up you must click back on the command window to issue more commands. Type grid 100 in the window and a grid pops up with a spacing of 100 samples, try other numbers as you please.

Type load blah.pm3 to load the the samples file named blah.pm3 <insert your own filename there, don't just try blah.pm3>, you might have to use a path name if the blah.pm3 isn't located in the prox.exe directory, this is standard basic windows stuff.

Once a sample is loaded click the graph window and try all the arrow keys to see what they do (zoom in/out, move left/right).

Click back to the command window and type fskdemod

Use common sense, this is all basic stuff, you should probably know how to drive the software by now.
If something doesn't work, try something else until you get it right.

Last edited by d18c7db (2009-08-03 06:04:30)

XEROEFFECT · 2009-08-03 09:21:09

d18c7db,

Thats exactly what me is doing and still getting errors........

heres a few screen shots....

http://www.proxmark.org/files/index.php?dir=Uploads%2F

Look at commands.jpg to see that both fskdemod and grid x arn't there

look at example.jpg to see that when either command is started it returns an error

also, wht is it everytime I try to click on the graph prox gui stops responding??

look at error.jpg

what is it i'm doing wrong?

Last edited by XEROEFFECT (2009-08-03 13:34:59)

samy · 2009-08-03 18:53:26

You must be running older firmware of some sort. I would reflash all the code to ensure you have the latest stuff (bootrom, fpga and osimage).

XEROEFFECT · 2009-08-04 00:28:32

Samy & d18c7db wrote:

samy wrote:
Hey guys,
- any source code that can be beneficial in any sort of stand-alone mode (basically anything *not* related to plotting) should be built into the ARM, not the GUI/UI [the old code we can just slowly start porting over, no need to do it all at once]

d18c7db wrote:
It's a little more complicated than that. I agree that as much as possible useful code should make it's way to the ARM for those wishing to run in untethered mode, but I personally find it quite useful to have processing code in the client that can run offline (without the board attached). One of the reasons I wrote fskdemod was that I wanted to take raw capture files, load them in the client and decode them there. Thechnically by your definition fskdemod is redundant as we have hidfskdemod and should be deleted smile

Guys, back in 2008 this was discussed, I think plain FSKDEMOD was scrapped and replaced with HIDFSKDEMOD. I also think that d18c7dbs' grid function wasn't included in the r52 cause he created it after the release date.

whats your opinion on this one?

I've been reading through posts tryng to track down this fskdemod and grid function. Sometimes I just wanna breakdown.

Last edited by XEROEFFECT (2009-08-04 00:33:57)

d18c7db · 2009-08-04 01:14:18

The commands you want were added a few weeks ago, flash the latest SVN and you'll be OK. On second thought, before you flash anything make sure you can recover through JTAG if it all fubars, otherwise you'll end up with a $400 paper weight.

This entire thread is utterly unrelated to PSK decoding. XERO if you want further help, can you start a new thread please. Ta

Last edited by d18c7db (2009-08-04 01:17:52)

XEROEFFECT · 2009-08-04 03:47:41

Ryan,

I have uploaded an actual PSK-3 tag waveform....... Take a look & see what you think..... this is the one that the documentation above reffers to...... sorry Ryan, I think I got my tags crossed earlier on when i made the first post. Although the first tag was also made by Keri- It was a clamshell card. This one is a fob.

File name is keripsk-3.pm3

http://www.proxmark.org/files/index.php?dir=Uploads%2F

Last edited by XEROEFFECT (2009-08-04 03:51:10)

d18c7db · 2009-08-04 05:23:31

This is also a FSK modulated tag, same as the other trace you uploaded, can be decoded by the same technique I described in my other post.

XEROEFFECT · 2009-08-04 05:27:51

OMG.... whats wrong with me??

d18c7db · 2009-08-10 23:16:43

Ryan, getting back on topic after a lengthy noob hijack, you might want to look at Microchip application note AN680, page 4. It shows a PSK modulated signal. If the real live signal looks like that it should be a breeze demoding it. Do you have a PSk tag you can upload a raw sample of it so I could take a look?

ryan · 2009-08-11 00:40:14

Thanks for putting the thread back on topic, d18.

When I posted this topic, I was still under the impression that the homeagain.pm3 trace in SVN was some kind of PSK. I know you looked at it once and had the comments of "Does not smell like FSK, probably a simple encoding".

After staring at this trace for several hours along with various examples of PSK encoded waveforms, what led me to think that it might be PSK is that it seems like every 16 samples there is either a phase change or a little "bump" like at the bottom of the first few cycles in the trace. I just don't know if the bumps are significant or not.

Did you mean something specific by "simple encoding"?

XEROEFFECT · 2009-08-11 03:46:21

Hey d18c7db,

How have you been?? Just wondering which n00b you're on about I was just busy moving homes..... rent went up again!! anyways, really missed you guys. But i'm back....... arn't u happy

ntk · 2015-07-08 05:19:07

post #13

samy wrote:

...
Take one of the EM4102 traces from the traces dir and follow the LF tutorial that Ed put together. ...
We'll be happy to help but you need to learn the basics first.

is this lf tutorial still around?

I have problem with finding data rate by put somehow mark right and left on the graph to get the correct data rate. Does that technique described in the above mention lf-tutorial written by Ed? Or someone has a docu link on this matter for me

marshmellow · 2015-07-08 12:35:17

1. Any tutorial from 2009 likely doesn't apply anymore
2. I believe they were referring to the wiki, which is now on github and has been updated some.

ntk · 2015-07-08 13:46:29

i think I found it https://github.com/Proxmark/proxmark3/wiki/lf%20tag%20operations. it contains answer to my question modulation scheme and bit rate

Proxmark3 community

Announcement

#1 2009-07-28 18:49:22

Software PSK Decoding

#2 2009-07-31 09:56:26

Re: Software PSK Decoding

#3 2009-07-31 15:18:28

Re: Software PSK Decoding

#4 2009-07-31 16:42:58

Re: Software PSK Decoding

#5 2009-08-01 04:25:06

Re: Software PSK Decoding

#6 2009-08-01 09:29:25

Re: Software PSK Decoding

#7 2009-08-01 09:34:08

Re: Software PSK Decoding

#8 2009-08-01 09:48:27

Re: Software PSK Decoding

#9 2009-08-01 11:01:25

Re: Software PSK Decoding

#10 2009-08-01 12:32:14

Re: Software PSK Decoding

#11 2009-08-01 13:49:50

Re: Software PSK Decoding

#12 2009-08-01 14:41:45

Re: Software PSK Decoding

#13 2009-08-01 19:06:37

Re: Software PSK Decoding

#14 2009-08-01 23:19:01

Re: Software PSK Decoding

#15 2009-08-02 02:01:06

Re: Software PSK Decoding

#16 2009-08-03 04:31:19

Re: Software PSK Decoding

#17 2009-08-03 06:03:49

Re: Software PSK Decoding

#18 2009-08-03 09:21:09

Re: Software PSK Decoding

#19 2009-08-03 18:53:26

Re: Software PSK Decoding

#20 2009-08-04 00:28:32

Re: Software PSK Decoding

#21 2009-08-04 01:14:18

Re: Software PSK Decoding

#22 2009-08-04 03:47:41

Re: Software PSK Decoding

#23 2009-08-04 05:23:31

Re: Software PSK Decoding

#24 2009-08-04 05:27:51

Re: Software PSK Decoding

#25 2009-08-10 23:16:43

Re: Software PSK Decoding

#26 2009-08-11 00:40:14

Re: Software PSK Decoding

#27 2009-08-11 03:46:21

Re: Software PSK Decoding

#28 2015-07-08 05:19:07

Re: Software PSK Decoding

#29 2015-07-08 12:35:17

Re: Software PSK Decoding

#30 2015-07-08 13:46:29

Re: Software PSK Decoding

Board footer