Research, development and trades concerning the powerful Proxmark3 device.
That is also my next question, which I have had since yesterday. This time I have the door system, or rather an outdated reader (cheap plastic housing, very old, used in a hospital, destined to be destroyed), so I can try out commands and test to make sure that what I have done is working.
In the future, when I come across a new model/tag/key/card, how can I be sure that it works? Not everyone in the PM3 group has a door system to check the result.
Is there any technique we can apply afterwards to reassure ourselves that what we have done makes sense, has been applied correctly, and should also work in a real-case scenario? If there are practices you use, I would like to read about and learn them. Some sort of black-box testing.
For example, without the real scenario (a tag, a door system, an idea to run) I would not have known that all 5 experiments yesterday worked unexpectedly. I was perplexed, and still am, after you and the people here like nezrab, app01 etc. helped me during the trial until we saw success. Now you all could still help me with checking/explaining why more than one experiment was working, because I expected only one case to work and the rest to fail.
If I had had no door, how would I have run tests on the scenarios I had yesterday to tell whether they would pass or fail?
At the beginning of this project, it was the UID which caused concern: they may use it in the communication to check the rightfulness of the tag.
Thanks Marshmellow for reassuring me that the UID is not a big problem...
Now that I know it truly does not use the tag's unique UID for authentication, a new question bothers me: could we write the data to any 125 kHz tag like EM4xx and make it work too? Why do we have to use the T55x7 (its strength is a writable UID)? If not, why not?
Oh, I may have the answer. It won't work because the HW is incompatible. This type of reader would not understand the EM41xx tags at all.
What exactly happens when a 125 kHz tag comes near a reader? From the RF power/induction principle, it does not care which name the tag has.
Any chip that can be configured to output the modulation and encoding your system needs could be used. The ATA55x7s are just the most commonly used and widely available. There are many other chips with various config options.
The information you are looking for, "how does prox work", is widely available.
Thanks marshmellow.
No, I don't want to ask how prox works; I haven't been clear in my thoughts. I expected what you very nicely formulated: "Any chip that can be configured to output the modulation and encoding your system needs could be used". So why do we only hear about cloning to AT55x7, cloning to Q5...? That has confused me, because any chip which outputs the modulation and encoding could be used to make a copy.
I know the Chinese sell cloners that come with blue/red/yellow/orange chips, I know on the market there are clear epoxy tags, but when flying through the forum I only see writing to T55x7 and Q5... Why? Because we know the T55x7 chip best, and that is why we can configure it? Or because the T55x7 is the best economic solution to choose?
As a beginner I have so many questions, many not even in a clear enough shape to formulate, so please bear with my questions.
After we successfully cloned, we could have closed this project,
but I still have questions, and if it is closed I am not sure how/where to put them...
Yesterday I did 5 experiments; I expected 4 to fail and only one to pass. Surprisingly, all 5 passed! I must ask, because I don't understand how/why I intentionally put the "wrong thing" in the tag and the door still opens!!!
Not just to learn the command methods and run them properly, but there is more after the moment of success. I hope you can understand me.
Marshmellow is right and I should read the data sheets.
Apparently the T55x7s are a bit more complicated than my Q5s, and the inverse bit doesn't have any effect unless you also set the X-mode bit, so the config words 00080082 and 00080080 would result in the same non-inverted output. So your first 2 experiments were basically the same and worked because apparently the reader checks for both non-inverted and inverted data and will accept either.
The second 2 experiments worked because of both the fact that the reader seems to accept both inverted and non-inverted data, and because of the way these tags work: they just repeat the same string of 128 bits over and over, so you can just take any 128 consecutive bits and program that. Even if you start halfway through a sequence, eventually you will send the full sequence and the reader will (should) accept it.
Imagine if the tag sent the words "secret pass" and the reader looked for "se" to mark the start of the message, then checked the rest. If your tag sent "t passsecre" again and again, the reader would see "t passsecret passsecret passsecre...." and find what it was looking for.
However, if you were looking at tag numbers in an access control database and wanting to recreate a tag from that number, you would need to figure out where the tag number starts and finishes so you could work out how the tag number is encoded in the bits; then you could recreate a tag from its number rather than having to have an original to copy.
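The two effects described in the post above (any rotation of the repeating 128-bit block is accepted, and a reader that checks both polarities accepts an inverted copy) can be checked offline with a small model of the reader, which is also one answer to the earlier question of how to test a clone without a door. The following is an added example, not code from the forum thread or from the Proxmark3 project. The frame layout (a 9-bit all-ones preamble, 13 payload bytes each followed by a stuffed 0 bit, two pad bits) and the payload bytes are constructed for illustration and are not any real tag format; a real reader's sync pattern, parity and bit order differ.

```python
"""Model of a reader consuming a continuously repeating 125 kHz tag bitstream.

Added example (not from the forum post). The frame format below is constructed
for illustration only; it is not EM410x, HID or any other real encoding.
"""
from typing import Optional

FRAME_BITS = 128
PREAMBLE = "1" * 9        # constructed start marker, playing the role of "se" in the post
SYNC = "0" + PREAMBLE     # a 0 followed by nine 1s can only occur at a frame start
PAYLOAD_LEN = 13          # 13 bytes * (8 data bits + 1 stuffed 0) = 117 bits
PAD = "00"                # 9 + 117 + 2 = 128 bits per frame


def build_frame(payload: bytes) -> str:
    """Encode a payload as one 128-bit frame (what an original tag is programmed with)."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError(f"payload must be {PAYLOAD_LEN} bytes")
    # The stuffed 0 after every byte caps runs of 1s inside the body at 8,
    # so the nine 1s of the preamble are unambiguous.
    body = "".join(f"{b:08b}0" for b in payload)
    frame = PREAMBLE + body + PAD
    assert len(frame) == FRAME_BITS
    return frame


def parse_frame(frame: str) -> Optional[bytes]:
    """Validate frame structure and return the payload, or None if malformed."""
    if len(frame) != FRAME_BITS or not frame.startswith(PREAMBLE) or not frame.endswith(PAD):
        return None
    body = frame[len(PREAMBLE):-len(PAD)]
    out = bytearray()
    for i in range(0, len(body), 9):
        chunk = body[i:i + 9]
        if chunk[8] != "0":          # stuffed bit must be 0
            return None
        out.append(int(chunk[:8], 2))
    return bytes(out)


def invert(bits: str) -> str:
    """Flip every bit (the 'inverted output' the reader also accepts)."""
    return bits.translate(str.maketrans("01", "10"))


def rotate(bits: str, k: int) -> str:
    """Take 128 consecutive bits starting k bits into the repeating pattern."""
    k %= len(bits)
    return bits[k:] + bits[:k]


def tag_stream(programmed: str, repeats: int = 3) -> str:
    """A tag in the field just emits its programmed bits over and over."""
    return programmed * repeats


def reader_decode(stream: str) -> Optional[bytes]:
    """Search the stream for the sync marker, in either polarity, and decode one frame."""
    for candidate in (stream, invert(stream)):   # reader accepts non-inverted or inverted data
        i = candidate.find(SYNC)
        while i >= 0:
            frame = candidate[i + 1:i + 1 + FRAME_BITS]
            if len(frame) < FRAME_BITS:          # ran out of stream before a full frame
                break
            payload = parse_frame(frame)
            if payload is not None:
                return payload
            i = candidate.find(SYNC, i + 1)
    return None


def reader_accepts(stream: str, enrolled: set) -> bool:
    """Access decision: the decoded number must be in the door's database."""
    payload = reader_decode(stream)
    return payload is not None and payload in enrolled


# Constructed sample payload (13 bytes), not a real tag number.
ORIGINAL_PAYLOAD = bytes.fromhex("a53c960f5ac369f01e872db4e1")
ORIGINAL_FRAME = build_frame(ORIGINAL_PAYLOAD)

if __name__ == "__main__":
    door = {ORIGINAL_PAYLOAD}
    for k in (0, 37, 64, 127):
        print(f"rotation {k:3}: accepted={reader_accepts(tag_stream(rotate(ORIGINAL_FRAME, k)), door)}")
    print(f"inverted copy: accepted={reader_accepts(tag_stream(invert(ORIGINAL_FRAME)), door)}")
    print(f"only half the frame programmed: decoded={reader_decode(tag_stream(ORIGINAL_FRAME[:64]))}")
```

The rotation loop reproduces the "t passsecre" case: the programmed block starts mid-frame, but because the tag repeats it, a full frame with the sync marker in front of it always appears by the second repetition. The half-frame case shows the kind of clone that does fail even with a forgiving reader, since no 128-bit window of that stream has a structurally valid frame, which is the sort of check one can run before ever walking up to a door.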
Yes, thank you Nezrab, that clears up my whole confusion now.
Even though we can copy it now, looking at the tag it is amazing how the first person could come up with the idea of a pair of reader and tag... The first time I saw a tag I wondered "where is the battery?"... no blade and "nothing", and it can still open a door... awesome... "even if you start halfway through a sequence, eventually you will send the full sequence", amazing.
Very nice example. I like it. I think we can let this thread be closed now.
Thank you to all the people who joined here for all your help.
Last edited by ntk (2015-05-30 23:21:52)
The interesting thing about that is that this thread is actually about 153 kHz tags. The other thing is, on this forum there is no closing of threads.
But I have to admit, it was very challenging and frustrating in the first few days just to get the main SW built, and to understand when a crash is not your fault... and to understand, over and over again, that you are far from "on top of the tree"....
Thank you Charlie Walton, thank you Jonathan Westhues, Gaucho and all the people who have done work here; you have made my world a lot richer in knowledge....
Last edited by ntk (2015-07-05 11:49:38)
Last edited by marshmellow (2015-05-31 02:06:04)
I switched back to firmware 0.0.7; for some reason 2.0.0 won't program my Q5 tags.
@en4rab, can you take a look at http://www.proxmark.org/forum/viewtopic … 244#p16244 and give me a hand with the Q5?
I am in the UK and use lots of these fobs. Where can I get them cheaply, or generic 153 kHz prox fobs?
Bernard
Have you managed to read them with a PM3?
Where can I get some samples to test?
Or is there a way that I can make them myself?
I am in WATFORD WD24 4JP UNITED KINGDOM
07837287098