Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-05-30 14:22:51

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Urmet domus what is it for a type of door accessible tag

I see someone tried a few years ago to decode an apartment tag from Urxet domys, where x is an m and y is u. I would like to know more about that one.

Is it possible to have a trace and use PM3 commands nowadays to follow the steps they did in that thread? They mostly did it manually at that time. I would like to understand and be able to use the knowledge today, but all the old traces are deleted.

Could someone help me with practice and theory?

Offline

#2 2015-05-30 15:43:17

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Urmet domus what is it for a type of door accessible tag

Start with these traces:
https://www.sendspace.com/file/l1as6w
https://www.sendspace.com/file/es5y1q
https://www.sendspace.com/file/cyim7b
https://www.sendspace.com/file/nf91ox
https://www.sendspace.com/file/eazlt0

Last edited by app_o1 (2015-05-30 15:54:37)

Offline

#3 2015-05-30 17:23:22

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Urmet domus what is it for a type of door accessible tag

Thanks, very kind of you App-o1

Offline

#4 2015-05-30 18:30:17

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Urmet domus what is it for a type of door accessible tag

How would you start your study with an unknown trace? Would you do it the following way, or would you process it differently? Please be kind enough to comment.

So I receive a new trace of unknown type.

First I would plot it, then go to
http://www.proxmark.org/forum/viewtopic.php?id=1839, put a grid on it and compare, as some say... But I am not experienced, so I could not see a difference or similarity there with certainty.

Second, I will use "data rawdemod" and go through each option ab/ar/ask....psk1,psk2, then I look at the result to see which one could be the right demodulation.

http://www.filedropper.com/traceunknowntag

With the default am option I got

p1, p2 give nothing, so not that modulation type.
fs gives all 0; nr gives a simple pattern that does not have 000000 or 1111111 to indicate a marker, so perhaps not.

What about ar, ab, am?

Why not go for ar, ab modulation?

It is clear that am gives the clearest result.

EM410x pattern found: 

Is that the reason we decide to go for EM type and am modulation? There would be no false positive, or how do you know?

What about the other information?

HoneyWell IdentKey
..       
Pattern Paxton : 25....   
...         
Pattern Sebury :

They are all big names in access control systems... why shouldn't we fall for them? Or is there any value in them, just in case, for example, this tag can be copied in several ways, the Honeywell, Paxton or Sebury way?

How can we be so sure that it could only be EM type, with am modulation, to do the rest of the job? Do we have enough information to do the rest of the job or not?

And for a copy we must use one that operates at 125 kHz, but which one? The blue round tag, the red, the yellow, the AT55x7? What is the criterion to make a choice here?

Last edited by ntk (2015-06-02 17:33:21)

Offline
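
An added example, not part of any post in this thread and not Proxmark3 client code, on the false-positive question raised above. An EM410x frame is 64 bits: nine header 1s, ten rows of four data bits plus an even row-parity bit, four even column-parity bits and a 0 stop bit. The sketch validates that layout and counts how many random windows pass it; the sample ID, the stream and all function names are constructed for illustration.

```python
"""EM4100/EM410x 64-bit frame check. Added example, not Proxmark3 client code."""
import random

def frame_id(f):
    """Return the 40-bit ID if the 64 bits in f form a valid frame, else None."""
    if len(f) != 64 or f[:9] != [1] * 9 or f[63] != 0:
        return None                                  # header of nine 1s, stop bit 0
    rows = [f[9 + 5 * r: 14 + 5 * r] for r in range(10)]
    if any(sum(row) % 2 for row in rows):            # 4 data bits + even row parity
        return None
    for c in range(4):                               # even column parity, bits 59..62
        if (sum(row[c] for row in rows) + f[59 + c]) % 2:
            return None
    tag = 0
    for row in rows:
        for b in row[:4]:
            tag = (tag << 1) | b
    return tag

def encode(tag):
    """Build a frame from a 40-bit ID; used here only to construct sample input."""
    bits, cols = [1] * 9, [0] * 4
    for shift in range(36, -1, -4):
        row = [(tag >> (shift + i)) & 1 for i in (3, 2, 1, 0)]
        bits += row + [sum(row) % 2]
        cols = [c ^ b for c, b in zip(cols, row)]
    return bits + cols + [0]

def find_ids(stream):
    """Slide a 64-bit window over a demodulated bitstream; collect validated IDs."""
    hits = (frame_id(stream[i:i + 64]) for i in range(len(stream) - 63))
    return sorted({h for h in hits if h is not None})

def random_hits(trials, seed=1):
    """Count random 64-bit windows that pass all 24 fixed and parity bit checks."""
    rng = random.Random(seed)
    return sum(frame_id([rng.getrandbits(1) for _ in range(64)]) is not None
               for _ in range(trials))

SAMPLE_ID = 0x0123456789            # constructed ID, not taken from any trace
STREAM = [1, 0, 1, 1, 0] + encode(SAMPLE_ID) * 2 + [1, 0]   # constructed capture
```

With 24 of the 64 bits fixed or parity-constrained, a random window validates with probability 2^-24, and a tag that repeats the same validated ID over consecutive frames makes an accidental match less likely still.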

#5 2015-05-30 21:54:10

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Urmet domus what is it for a type of door accessible tag

Still no comment. So maybe this is the way.

I looked at the results for all the 'data rawdemod' options; the 'am' option brings out the suggestion that this is an EM chip.

It looks like reasonable information ... or it could be a false positive, but assume it is EM and write it ... hmm ... that is the easiest thing to do, no need for hex and bin conversion etc. ... or to play out other tricks ... So maybe I should simply just accept it is EM and start writing it.

lf EM4x EM410xwrite zzzzzzz 1

with 0 at the end for a T5555 chip
with 1 at the end for a T55x7 chip


because the demodulation result shows zzzzzzz in"
EM410x pattern found:           
EM TAG ID      :   zzzzzzz  "


Ha, no error message ... bingo ... bangbang ... Job done...
End of experiment.

Hang on, is it not too early for an "END"???

Up to now it is only guesswork ... How can we be sure that if you do a copy of the owner's chip based on this unknown trace, your chip is going to work?

Last edited by ntk (2015-05-30 21:58:42)

Offline

#6 2015-06-01 20:14:08

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Urmet domus what is it for a type of door accessible tag

If I don't have a door access system where this EM fob is allowed entry, how can I be certain, or almost certain, that what I have cloned is correct?

Offline

#7 2015-06-02 00:03:29

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Urmet domus what is it for a type of door accessible tag

I don't have money to buy an EM41 door entry system with management SW etc. I know that for cloning them we would need to write only the tag ID, not even the UID of the tag. That sounds like a database in the management office checks the tag ID data to allow a tag to come in.

Regarding the question after the guessing and cloning to T55xx, how could I know that what I have done is right? I haven't had any clue how to do that until now.

This afternoon I saw a little miniature model motor on the ground. It is so awesome because it is so small, so nice, so neat, so petite... and thanks to it an idea suddenly jumped into my mind: well, I don't have money for a real door entry system to test my cloned EM fob against, but I can build a model door entry. I could make a door entry model with an Arduino and a reader, MFRC522 or PN532 for 125 kHz, connected to a database where the tag ID is checked and allowed to get through. So I simulate an EM entry system.

Do you think that it can work?
What else may I have missed thinking carefully about?
Could it be the affirmative test that the clone of an EM key is correct? And I can use it as my second regression test... Or perhaps one doesn't even need to go that far to be able to confirm the cloning is done correctly...

Offline

#8 2015-06-02 04:28:20

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Urmet domus what is it for a type of door accessible tag

When it comes to making money and giving your customers a warm and fuzzy guarantee, you are on your own.

Offline

#9 2015-06-02 11:15:52

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Urmet domus what is it for a type of door accessible tag

Too high up philosophy ...

Please explain a little more, Marshmellow.

Last edited by ntk (2015-06-02 17:34:30)

Offline
