Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#51 2016-07-30 02:31:25

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Hi iceman. Thanks for the instruction.

I searched the forum for "Ltrim" and "Rtrim" and tried to read about their usage, but I could not work out where in the plot to cut from the left or the right.

I have tried chopping so as to see only the 3 repeated spikes, then also only one of the three spikes, etc., and ran your instruction, but I still cannot get anything useful.

How do you find the right points to trim?

Last edited by ntk (2016-07-30 10:13:46)

#52 2016-07-30 17:17:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

You'll find those commands under "data".

If you can run "data plot", you'll understand quite fast how the trim works, from the left or from the right.

#53 2016-07-30 17:57:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

I'm looking at armsrc (ModThenAcquireRawAdcSamples125k), which "lf cmdread" calls.

It has some ridiculous waiting times: first 2 seconds to shut off the device, then 2.5 seconds for powering up, 4.5 sec in total.
No wonder, as other LF commands (like under lfsampling.c) use 0.05 sec for powering up.

Before I change it, I'd better ask why these spindelay (our sleep() :) ) values are so high?


#54 2016-07-31 21:01:05

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Guys, I have read every post I could find in the search containing paxton, ht2 tag, hitag, but all the commands and tips (lf cmdread / lf se / lf hitag list etc.) given there did not result in any data being read from my tag. @ntk I noticed that you have been trying to achieve this for quite a while now and don't want to leave the battle without a fight... good thinking, but that long period without a smile got me worried a bit. :( I think we have the same type of tag (see picture from the previous post). Unfortunately I do not have a reader to snoop any signal. My best guess to wake up the tag is by using the "lf hitag reader" options, but so far nothing to be proud of. Has anyone in the forum succeeded in reading a tag like this with the proxmark3?
Is it possible to give some more clues? (To me this tag seems a popular tag nowadays.)
@iceman If I understand correctly, then you are figuring out/changing the wake-up call settings for these kinds of tags (these?: lf cmdread d 80 z 100 o 200).

#55 2016-07-31 21:13:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

I was looking inside the source code and the PM3 master has an initial delay of 4.5 seconds before starting to send the commands.
So when you are using that command you need to wait much longer than usual. I've set that initial delay down significantly in my fork if you want to test it out.

Since you can't sniff the traffic between a valid reader and your tag, it's harder to figure out what kind of wake-up command the tag needs. Try something like this?

data plot
lf cmdread d 80 z 100 o 200 c 00001 H
lf cmdread d 80 z 100 o 200 c 00011 H
lf cmdread d 80 z 100 o 200 c 00111 H
lf cmdread d 80 z 100 o 200 c 01111 H
lf cmdread d 80 z 100 o 200 c 11111 H
lf cmdread d 80 z 100 o 200 c 10000 H
lf cmdread d 80 z 100 o 200 c 11000 H
lf cmdread d 80 z 100 o 200 c 11100 H
lf cmdread d 80 z 100 o 200 c 11110 H


#56 2016-07-31 21:23:26

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

@iceman Thanks, the latest version is compiling, I will try it. Is a wake-up command a fixed code for that type of tag, or is it programmable during installation of the system, meaning every tag has its own wake-up command?

#57 2016-07-31 21:32:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

You can see it as a concept. The card will not answer if it doesn't get the right wake-up command. It is normally part of a protocol, so it's the same for all readers/tags for that specific system.

Paxton seems to have a shadow card, which blocks the first one.
www.proxmark.org/forum/viewtopic.php?pid=23426#p23426


edit:  http://www.paxton.co.uk/docs/Applicatio … AN1010.pdf


#58 2016-07-31 21:45:22

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

-no results, no nice graph in the plot. Interesting pdf.

#59 2016-07-31 22:40:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Let's reproduce; the tag, as @marshmellow mentions, gives the uid.

-- 1F 8B 0F AF
data plot
data load sn1.pm3
data ltrim 3540
data rtrim 1300
data norm
data raw am 32

You should be able to test simulating with the following against a valid reader if you can.  Not sure anymore if ntk or hexa3e8 drives this thread.. 

lf simask c 32 i m d af0f8b1f

#60 2016-07-31 22:55:58

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Now you'll need to find out what the reader is sending to make the tag wake up,
and send the same command :)


#61 2016-08-01 03:21:23

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Sorry, today was a crazy day: I had 3 different jobs in 3 different parts of town, all requiring me to be present, so no prompt answer from me. Also this afternoon I had to collect the proxmark from another place to set up for the experiment before I could answer.

Thanks Iceman for fixing the raw command.

iceman wrote:

Now you'll need to find out what the reader is sending to make the tag wake up,
and send the same command :)

Definitely the reader has sent "11000", because that is the "c0" we see in the out.ht2: the reader keeps sending out "C0" until the tag answers it with its tag ID. "C0" is 1100 0000 and the protocol says the reader sends out 5 bytes, so that makes "11000", which is the correct wake-up code.

I have no problem with who is driving if hexa3e8, or another Kommilitone, is quicker and could test out a new command before me, iceman. All helping hands are helpful; you are also efficient, at least three of us can catch up with you.

I just have the whole setup ready to work at about 23:30 tonight. Sorry again for the late reply.


#62 2016-08-01 04:07:40

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

iceman wrote:

Let's reproduce; the tag, as @marshmellow mentions, gives the uid.

-- 1F 8B 0F AF
data plot
data load sn1.pm3
data ltrim 3540
data rtrim 1300
data norm
data raw am 32

You should be able to test simulating with the following against a valid reader if you can.  Not sure anymore if ntk or hexa3e8 drives this thread.. 

lf simask c 32 i m d af0f8b1f

pm3 --> data load sn1.pm3
loaded 39999 samples
pm3 --> data ltrim 3540
pm3 --> data rtrim 1300
pm3 --> data norm
pm3 --> data raw am 32

Using Clock:32, Invert:0, Bits Found:39
# Errors during Demoding (shown as 7 in bit stream): 6
ASK/Manchester - Clock: 32 - Decoded bitstream:
1111110101111000
0111110001011000
177777
pm3 --> data pr x
DemodBuffer: FD787C5839

In the spikes I am still struggling to understand how to know to use ltrim=3540 and not include the repeated spike part before that too; also rtrim 1300 does not mean trim at the cursor B position, but dt is used as the rtrim value. Is that correct?

Even without the 77777 I have 11111101011110001, so F8B1. Also swap endians and you have 1F 8B 0F AF from FD787C5839!!! No wonder I could not understand, I must have missed at least a few lessons here.

Last edited by ntk (2016-08-01 05:00:19)

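An added example, not code from the thread or from the Proxmark3 client, that mimics the "data ltrim / rtrim / norm / raw am 32" chain from posts #59 and #62 on a constructed trace, so the effect of the trim values (and why cursor A plus dt, not cursor B, is what rtrim wants) can be seen directly. The trim semantics and the Manchester polarity convention are assumptions of this example, and the waveform is synthetic, not a capture.

```python
# Added example, not from the thread or the Proxmark3 code base.  Assumed
# semantics: "data ltrim n" drops the first n samples and "data rtrim n"
# sets the new trace length; a 1 is high-then-low in Manchester here.

CLOCK = 32  # samples per bit: the "32" in "data raw am 32"


def hex_to_bits(hexstr):
    """'C0' -> '11000000', MSB first (the point iceman makes in post #64)."""
    return "".join(f"{int(h, 16):04b}" for h in hexstr)


def bits_to_hex(bits):
    """Inverse of hex_to_bits; a trailing partial nibble is dropped."""
    usable = bits[: len(bits) // 4 * 4]
    return "".join(f"{int(usable[i:i + 4], 2):X}" for i in range(0, len(usable), 4))


def manchester_ask(bits, clock=CLOCK, amp=120):
    """Idealised ASK/Manchester waveform: one bit per `clock` samples,
    a 1 is high-then-low and a 0 is low-then-high (convention assumed)."""
    half = clock // 2
    out = []
    for b in bits:
        first, second = (amp, -amp) if b == "1" else (-amp, amp)
        out += [first] * half + [second] * (clock - half)
    return out


def ltrim(samples, n):
    """data ltrim n: throw away the first n samples."""
    return samples[n:]


def rtrim(samples, n):
    """data rtrim n: keep only the first n samples of what is left, so after
    ltrim the value to use is dt (cursor B minus cursor A), not cursor B."""
    return samples[:n]


def norm(samples):
    """data norm: centre on the mean and rescale to about -127..127."""
    if not samples:
        return []
    mean = sum(samples) / len(samples)
    peak = max(abs(s - mean) for s in samples) or 1
    return [int((s - mean) * 127 / peak) for s in samples]


def raw_am(samples, clock=CLOCK):
    """data raw am <clock>: threshold at 0 and decode one Manchester bit per
    clock period.  A period whose halves are not opposite is reported as '7'
    in the bit stream and counted as an error, like the pm3 output."""
    half = clock // 2
    bits, errors = [], 0
    for start in range(0, len(samples) - clock + 1, clock):
        cell = samples[start:start + clock]
        first = sum(1 for s in cell[:half] if s > 0) > half // 2
        second = sum(1 for s in cell[half:] if s > 0) > (clock - half) // 2
        if first and not second:
            bits.append("1")
        elif second and not first:
            bits.append("0")
        else:
            bits.append("7")
            errors += 1
    return "".join(bits), errors


def decode_window(trace, left, length):
    """Run the post-#59 chain with the given trim values; returns (hex, errors)."""
    window = norm(rtrim(ltrim(trace, left), length))
    bits, errors = raw_am(window)
    return bits_to_hex(bits.replace("7", "")), errors


def sim_argument(uid_hex):
    """Byte-reverse the UID: 1F8B0FAF -> af0f8b1f, the 'd' value in the
    'lf simask c 32 i m d af0f8b1f' command from post #59."""
    return bytes.fromhex(uid_hex)[::-1].hex()


# Constructed trace (not a real capture): 500 samples of silence, one frame
# carrying the UID 1F 8B 0F AF quoted in post #59, then 300 more of silence.
UID_HEX = "1F8B0FAF"
TRACE = [0] * 500 + manchester_ask(hex_to_bits(UID_HEX)) + [0] * 300

if __name__ == "__main__":
    # Untrimmed: silence and misaligned bit cells decode as '7' errors.
    print(decode_window(TRACE, 0, len(TRACE)))
    # Cursor A on the frame start, dt = 32 bits x 32 samples: clean decode.
    print(decode_window(TRACE, 500, 32 * CLOCK))
    print(sim_argument(UID_HEX))
```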

#63 2016-08-01 04:19:27

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

iceman wrote:

You should be able to test simulating with the following against a valid reader if you can.  Not sure anymore if ntk or hexa3e8 drives this thread.. 

lf simask c 32 i m d af0f8b1f

Report on Proxmark shows this.

pm3 --> lf simask c 32 i m d af0f8b1f
preparing to sim ask data: 32 bits
#db# Simulating with clk: 32, invert: 1, encoding: 1, separator: 0, n: 1024
pm3 -->

The PM3 antenna hovers above the Elatec TWN3 during simulation; the Elatec TWN3 multi reader cannot see any simulation.

Last edited by ntk (2016-08-01 05:01:56)

#64 2016-08-01 08:04:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Just a quick note,   0xC0 = 11000000  not 110000...

lf cmdread d 80 z 100 o 200 c 11000000 H


#65 2016-08-01 09:22:14

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

lf cmdread d 80 z 100 o 200 c 11000000 H

does work!

the result from this call
the graphic result from this call


#66 2016-08-01 09:53:23

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

It is something periodic, but demodulating the original data does not give anything that makes sense.

Definitely we have to learn exactly how to use the trim command; from the look of these samples we have to do the LTRIM/RTRIM commands often, or each time...

According to the periodic graph, where are the parameters to pick for LTRIM/RTRIM: at the yellow limiter, cursor A=16920, at the blue limiter, cursor B=23752, or dt=6832?


#67 2016-08-01 09:54:37

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Also the protocol says:
"The instruction START_AUTH cannot be repeated, because at the same time the crypto unit is initialized. A second START_AUTH resets the statemachine. Therefore the transponder only responds to every second START_AUTH."

Very awkward wording: "A second START_AUTH resets the statemachine. Therefore the transponder only responds to every second START_AUTH"

I would interpret: the tag only responds to the first call, then the third, fifth START_AUTH etc.


#68 2016-08-01 17:01:02

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

That is one UGLY signal.  something isn't right with the capture.  positioning or antenna might need to be changed.


#69 2016-08-01 20:46:15

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

That could be the influence of another reader nearby.
Any suggestion how the trace should look, Marshmellow?

I have this consistent trace; I still can't make any sense of it. But it shows only one peak here!

plot
trace

Last edited by ntk (2016-08-01 20:46:32)


#70 2016-08-01 22:22:48

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

I am a little bit at a disadvantage because I have no reader, so unfortunately I cannot snoop and help much. But I am for sure following every post here in the forum; meanwhile I try to get my tag to come out of its coma. Only a rubbish result with "data plot -> lf config H -> lf se u". Nothing with variations of the "lf cmdread d 80 z 100 o 200 c 11000000 H" command. So I think the best way is to eventually also snoop the communication when I have a reader. Meanwhile hoping that @ntk can solve his/this puzzle together with @iceman and @marshmellow. Now I am more a "wanting to be a helping hand", so @ntk, keep in the driving seat. If I have a good data plot... hmm, I will post it if that might help.


#71 2016-08-02 10:14:05

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

@Marshmellow, @iceman, if you could evaluate the graphs in post #66 and #69 too, to see whether they make more sense, then it would help me to continue taking more small traces.

It is hard because from what I receive I don't know what is right; also I tried to set a threshold (240/200/120/80) limit using the lf config t option, but it seems not to stay on in the report of cmdread (I still see 0 in there).

I have also invested in a small LCR meter, a variety of copper wires (0.25, 0.5, 0.75), arduino experiment parts, cable, connectors, small parts, so from the last week of August I hope I can more easily experiment with making other small focus antennas relying on better technique. Hopefully the antenna result can give me more ground to understand these paxton hitag-alike tags. Perhaps a small business opportunity too: if someone ever needs a focus antenna for the PM3, I want/can/will do it for them.

I understand the raw command or cmdread command causes the device (PM3) to do 2 actions: first to send out a specific code (like '11000') so tags in the inductive field will react, will be woken up and do something, and second the active device (PM3) keeps actively waiting for 10 s or so to capture whatever the tags communicate.

So to experiment with cmdread, all other readers should be off; we don't need to have them. Also we should make sure they are off in the near premises so as not to capture UGLY readings/traces.

My current aim is also taking multiple small traces for someone (in the background) who has agreed to give support. So the tag decoding situation looks, with your interest here in the forum and potential support in the background, much more hopeful.

I also have some new ideas for reading parameters when using cmdread; I hope I can do that soon, when I feel safe that I am moving a little better in the right direction. I will put it together here soon so you can evaluate whether it makes sense, then I start.

Please bear with my speed too; sometimes late replies are due to my work nature, no internet and nothing to do with electronics. I'm under large pressure and can only experiment in the evening when I can carve some time together, but I won't abandon this until I am able to see PX like an EM or a basic wiegand, basic HID stuff. That is me.

Last edited by ntk (2016-08-08 08:33:01)


#72 2016-08-02 22:31:04

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Dismissed experiment, data not reproducible, false conclusion
A CMDread experiment with a random 125 kHz tag

Part 1
I use any tag with legit content. I clear the buffer and send cmdread, then take the graph so that I can compare it with the result of the second part of the experiment.

proxmark3> data buffclear
#db# Buffer cleared (40000 bytes)
proxmark3> lf cmdread d 80 z 100 o 200 c 11000000 H
#db# LF Sampling config:
#db#   [q] divisor:           88
#db#   [b] bps:               8
#db#   [d] decimation:        1
#db#   [a] averaging:         1
#db#   [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff ff 00 00 00 23 ...
proxmark3> data samp
Reading 39999 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3> lf cmdread d 80 z 100 o 200 c 11000000 H
#db# LF Sampling config:
#db#   [q] divisor:           88
#db#   [b] bps:               8
#db#   [d] decimation:        1
#db#   [a] averaging:         1
#db#   [t] trigger threshold: 0
proxmark3>
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 00 00 00 00 00 00 15 a8 ...
proxmark3> data samp
Reading 39999 bytes from device memory


Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3>

https://www.dropbox.com/s/zsz9vmwkmxtps9v/exp_cmdread_p1.png?dl=0

CMDread exp part 2:
Here I run data buffclear, then do an "lf se". I take the graph for comparing with what I see in part 1.
https://www.dropbox.com/s/3n3t0r4j0clmsu2/exp_cmdread_p2.png?dl=0

Result of CMDread exp:
Comparing the graph from exp part 1 and exp part 2, I see a first spike, different, overlapped by a normal reading graph, which I would get by using "lf se". So the device sent out cmdsend with the code 11000000, which the tag will not understand, but it does not matter because 1 sec later the device opens listening mode and captures what we normally also capture if we run "lf se" directly.


Now I run the similar 2-part experiment on the paxton fob
Result:
I see the one spike then a flat line in part 1; in part 2 I see noise, or there could be something in there with very weak amplitude.
https://www.dropbox.com/s/ij3gll4badcfbvr/wake_2.png?dl=0

Conclusion:
I see the one spike then a flat line, compared to the noise received by using "lf se"; also comparing this result to the result we had from running that cmdread exp on a random working tag, it looks like, apart from the first spike somehow caused by CMDread's own action, the device has captured/listened to nothing, or the fob has not done anything.


Question:
When a PAXRD (I will just call it PAXRD instead of the long name "the Elatec TWN3/4 multi 125 reader") is in the near premises (could be 2 to 3 cm from the tag or PM3 antenna), what is different?

PAXRD sends something which suddenly causes the existence of the ugly trace/graph.
Why does PM3 suddenly hear the communication very clearly?

When sending the cmdread command, PM3 is in active mode and will listen to the tag's reaction, so when a PAXRD is near and active, it influences the tag in a way that, it seems to me, the disability of not having a focused small antenna when studying very small tags suddenly disappears.

When the graph is the result not of the reaction of the tag on receiving the command "11000" (or "11000000") code, then where does that ugly graph come from as a result, a snoop?
If it is the result of a "reading from tag", why is the signal so strong, why did the listening disability of the standard antenna on small tags suddenly disappear? Did it disappear, or has PM3 only listened to something we don't suspect?

In the previous snoop-paxton-1.pm3 trace (or paxton_sn1.pm3 from iceman's post) we can get out the tag ID, so those snoops definitely come from listening to the communication between PAXRD and the paxton fob? What about the new UGLY trace? It looks like a very strong signal; could we extract anything related to this fob?

Last edited by ntk (2016-08-08 08:35:26)


#73 2016-08-03 00:12:25

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Dismissed experiment, data not reproducible, false conclusion

[b] New "cmdread" and "data raw demod am 32" experiment [/b]

Despite seeing a nearly empty line, I saved the trace, ran rawdemod and saw the repeated code as shown in the log below.

[code]
pm3 --> lf cmdread d 80 z 100 o 200 c 11000000 H
#db# LF Sampling config:
#db#   [q] divisor:           88
#db#   [b] bps:               8
#db#   [d] decimation:        1
#db#   [a] averaging:         1
#db#   [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff 00 00 00 00 00 ...
pm3 --> data sam
Reading 39999 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
pm3 --> data rawdemod am 32
DEBUG: Bitlen from grphbuff: 39999
DEBUG: Too many errors found, errors:1248, bits:1250, clock:32
pm3 --> data print x
DemodBuffer: BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF3
pm3 --> data buff
#db# Buffer cleared (40000 bytes)
pm3 --> lf cmdread d 80 z 100 o 200 c 11000000 H
#db# LF Sampling config:
#db#   [q] divisor:           88
#db#   [b] bps:               8
#db#   [d] decimation:        1
#db#   [a] averaging:         1
#db#   [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff 00 00 00 00 00 ...
pm3 --> data sam
Reading 39999 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
pm3 --> data rawdemod am 32
DEBUG: Bitlen from grphbuff: 39999
DEBUG: Too many errors found, errors:1248, bits:1250, clock:32
pm3 --> data print x
DemodBuffer: BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF3
pm3 -->
[/code]

I did use "data bufferclear" before each new cmdread, so the result represents something that truly exists, and whatever it is, it is consistent.
[url=https://www.dropbox.com/s/134b14p8qpic4zn/cmdread_bef38095.png?dl=0] plot  [/url]

[url=https://www.dropbox.com/s/uomn3icq1r27fum/paxton_cmdread1.pm3?dl=0] trace [/url]

I went a step further: now I don't use the parameter H in lf cmdread. What would you expect I should receive?

[code] pm3 --> data buff
#db# Buffer cleared (40000 bytes)
pm3 --> lf cmdread d 80 z 100 o 200 c 11000000
#db# LF Sampling config:
#db#   [q] divisor:           95
#db#   [b] bps:               8
#db#   [d] decimation:        1
#db#   [a] averaging:         1
#db#   [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: b0 82 5c 00 00 16 ff ff ...
pm3 --> data sam
Reading 39999 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
pm3 --> data save cmdread_new_2.pm3
saved to 'cmdread_new_2.pm3'
pm3 --> data rawdemod am 32
DEBUG: Bitlen from grphbuff: 39999
DEBUG: no data found 0, errors:0, bitlen:0, clock:32
pm3 --> data print x
DemodBuffer: BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF3
pm3 -->[/code]

[color=blue]
We still see the repeated code!!!! "
BEF380951FE85571BEF380951FE85571
BEF380951FE85571BEF380951FE85571
BEF380951FE85571BEF380951FE85571
BEF380951FE"
[/color]
I don't understand and don't have all the facts, but I am tempted to use a T55x7 to emulate an AM modulation, RF/64 with 4 data blocks, and check if it has any similarity to the bullet fob I am experimenting with:

lf t55xx wr b 0 d 00148080
lf t55xx wr b 1 d BEF38095
lf t55xx wr b 2 d 1FE85571
lf t55xx wr b 3 d BEF38095
lf t55xx wr b 4 d 1FE85571

... continue

Last edited by ntk (2016-08-04 09:27:26)


#74 2016-08-03 00:40:04

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Dismissed experiment, data not reproducible, false conclusion

Now I have the t55x7 emulator of the code BEF38095...

I ran "lf se u".

Log file
[code] 
pm3 --> data buff
#db# Buffer cleared (40000 bytes)
pm3 --> lf se
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

DEBUG: Just Noise Detected
DEBUG: Error - only noise found
DEBUG: Just Noise Detected
DEBUG: Error - only noise found
DEBUG: Just Noise Detected
DEBUG: Bitlen from grphbuff: 30000
DEBUG: no data found -3, errors:0, bitlen:30000, clock:0
DEBUG: no data or error found -3, clock: 0
Error gProxII: ASKbiphaseDemod failed 1st try
DEBUG: no data or error found -3, clock: 32
DEBUG: Bitlen from grphbuff: 30000
DEBUG: no data found -3, errors:0, bitlen:30000, clock:0
ASKDemod failed
Carrier: rf/2
no data found, clk: 32, invert: 0, numbits: 6, errCnt: 0
Error1: 0
Carrier: rf/2
no data found, clk: 16, invert: 0, numbits: 11, errCnt: 0
DEBUG: no data or error found -3, clock: 64
Error Jablotron: ASKbiphaseDemod failed
DEBUG: no data or error found -3, clock: 64
Error NEDAP: ASKbiphaseDemod failed

No Known Tags Found!

pm3 --> data save reading of the t55x7 paxton emulator.pm3
saved to 'reading of the t55x7 paxton emulator.pm3'
[/code]

[url=https://www.dropbox.com/s/ltgziujjfq533fo/reading%20of%20the%20t55x7%20paxton%20emulator.png?dl=0] plot [/url]
[url=https://www.dropbox.com/s/c1h8s7pkl706y1z/reading%20of%20the%20t55x7%20paxton%20emulator.pm3?dl=0] trace [/url]

and 

[b][color=blue]My goodness me[/color][/b]

[b][color=blue]that is the mysterious plot I remember since 9 months when I first tried to read the bullet fob and saw so many times afterwards trying to understand it [/color][/b]

[b][color=blue]hahaha, is it heúrēka or what is it.... Is it eureka... Or is it not ?... [/color][/b]

[b][color=blue]heúrēka
heúrēka
heúrēka[/color][/b]

Please, someone recheck this finding.

Last edited by ntk (2016-08-04 09:28:09)


#75 2016-08-03 01:08:38

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Dismissed experiment, data not reproducible, false conclusion

What I don't understand is: ASK modulation, RF/64, 4 data blocks with different content we do at least once a week (or maybe once a month), and until now we could easily run "lf se u" to analyze such emulators.

How come this stinking normal procedure of emulating an ASK, rf/64, 4 data blocks with only this special content "BEF38095..." creates a fob which causes the effect "Just Noise Detected" on the PM3?

Will anyone of you want to order focus antennas from me?
Or... if not... will anyone of you want to buy some of the tools to make focus antennas from me? Very beautiful tools, you will like them immediately.

Last edited by ntk (2016-08-04 09:28:47)


#76 2016-08-03 05:59:27

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

wow... ...  that is about all i have to say.  you are so far off i don't know where to begin.


#77 2016-08-03 08:49:28

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

"you are so far off i don't know where to begin." On the 'wrong path', you mean... Possibly something is wrong; I don't expect that it suddenly turns into something so easy.

It was just going blindly a step further from what material one has got by trying to dig in every direction. I clear the buffer prior to each new experiment, so what I got in memory can only be from what I just read/just experimented, and also being sure it is not a random product that would change value/form each time you run it.

I was surprised too, as the paxt bullet fob seems to react on the lf hitag list command, confirmed with its ID, and is being caught by "lf snoop". So it can't just be so easy: lf cmdread, then data sample, demodulate and emulate.

It could be a fatal attraction to a wrong conclusion at 2:00 in the morning, after receiving the mysterious string "DemodBuffer: BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF3", a byebye from tiredness after a long day...

Maybe start from that step, that flat graph and mysterious string, and check for me that that trace was a wrong reading from there...

I did wonder too, but why the consistency of the mysterious string, which did come out each time I retested? If I manage to write a tool to auto-get the trace, the plot, then share and post the result, then you would see I'd posted it over 10x consistent compared to what I have posted regarding the demodulation and data string.

Yes, I did run it again and again to make sure that step is consistent, before I made the decision to chop it down to data blocks and commit to the next step: doing emulation on an AT55xx.

I did find an important step not matching, which could prove the experiment has gone wrong. The Elatec does read the bullet fob each time, but it did not read this emulated T55x7 tag! Yet things are not so bleak, as it does not read the few t55x7 I have on me at all. I have contacted Elatec already and asked why.


#78 2016-08-03 09:05:04

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Here is what I have asked Elatec to look into

"
Elatec TWN3 Multi 125 USB RFID Reader & Writer

With the TWN3 Multi 125, the scripting function can be used both to read out the serial number of a transponder and to read or write segments.
Sending prefix and suffix characters (such as "#") before or after the transmitted transponder data, as well as arranging/re-sorting transponder data, is possible.

The TWN3 Multi 125 can be operated as a USB HID reader, or configured with the configuration software as a virtual COM port with full access to the transponders.


Supported transponders
EM4100, EM4102, EM4105, EM4200, EM4150, EM4350, EM4450
FDX-B
HITAG 1/2/S
MIRO, Q5
T5557, T5567, T5577
TITAN, UNIQUE, ZOODIAC

According to this specification the TWN3 multi should read T5557, T5567, T5577. But it does not. Could you please check whether it is a bug in the firmware?"

This is German, but no problem, you can translate it.

Last edited by ntk (2016-08-03 09:07:52)

#79 2016-08-03 09:55:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

The plot picture from #74 just looks like noise to me.
Looking at the trace from #74, it's just noise.

Sorry @ntk, I can't see what you are seeing.


edit:
Looked at the trace from #73, it's just one spike then noise.


#80 2016-08-04 09:45:39

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

pm3 --> data setdebug 4
...
pm3 --> data buff
#db# Buffer cleared (40000 bytes)
pm3 --> lf cmdread d 80 z 100 o 200 c 11000000 H
...
pm3 --> data sam
...
pm3 --> data rawdemod am 32
...
pm3 --> data print x

Using these commands in this order I was falsely led to the conclusion that there was a set of reproducible data.

However the confirmation test on the Elatec has failed because:
-the copy is of type IDRO-A (4102)
-the real bullet fob is of type TDRW-C (Hitag2)

So the experiments in #73 #74 are dismissed.
Sorry to waste your time.


#81 2016-08-04 12:58:03

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

You'd get a lot farther if you read the help or command description before you use a command. (Or both if they exist for the cmd) (try running just `data` - see command descriptions...)

First there is no debug 4 in lf / data.

Second debugging levels are to debug the demod code, if you aren't doing that it won't be helpful.

Third if the demod fails there will be nothing valid in the demod buffer so printing it won't be helpful.

Fourth use the hitag cmds and hitag list. You've identified it as a hitag2.

Fifth what do you want to do with your tag?

Last edited by marshmellow (2016-08-04 17:40:07)

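An added example, not from the thread or the pm3 client, that applies marshmellow's third point above to a pasted console session: a "DemodBuffer:" print is only meaningful when the demod that preceded it succeeded. It assumes that a failed "data rawdemod" leaves the previous buffer contents in place (which is what the identical string reappearing in #73 suggests) and that the prompt and DEBUG line formats are those quoted in the thread; the transcript is constructed from posts #62 and #73.

```python
# Added example, not from the thread or the pm3 client.  Assumption: a failed
# "data rawdemod" does not overwrite DemodBuffer, so a later "data print x"
# shows whatever the last successful demod left there.
import re

PROMPT = re.compile(r"^(?:pm3|proxmark3)(?: -->|>)\s*(.*)$")
FAILED = re.compile(r"DEBUG: (?:Too many errors found|no data found)")
SUCCEEDED = re.compile(r"Decoded bitstream|Bits Found:")
DEMODBUF = re.compile(r"^DemodBuffer:\s*([0-9A-Fa-f]+)")


def shortest_period(s):
    """Shortest unit that repeats to make up s, or None if there is none;
    'BEF380951FE85571' for the post #73 buffer."""
    for p in range(1, len(s) // 2 + 1):
        if all(s[i] == s[i % p] for i in range(len(s))):
            return s[:p]
    return None


def check_transcript(text):
    """Return one (hex, verdict, repeating_unit) tuple per DemodBuffer print.
    Wrapped DemodBuffer lines must be joined back together before calling."""
    last_demod = None      # None: no demod yet, True: succeeded, False: failed
    in_demod = False
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = PROMPT.match(line)
        if m:
            in_demod = m.group(1).startswith(("data rawdemod", "data raw "))
            if in_demod:
                last_demod = False   # pessimistic until a result line shows up
            continue
        if in_demod:
            if SUCCEEDED.search(line):
                last_demod = True
            elif FAILED.search(line):
                last_demod = False
            continue
        m = DEMODBUF.match(line)
        if m:
            if last_demod is True:
                verdict = "fresh"
            elif last_demod is False:
                verdict = "stale: last demod failed"
            else:
                verdict = "stale: no demod run"
            records.append((m.group(1), verdict, shortest_period(m.group(1))))
    return records


# Constructed transcript built from the commands and output quoted in
# posts #62 and #73 (shortened; the long DemodBuffer line is joined).
TRANSCRIPT = """\
pm3 --> data buff
#db# Buffer cleared (40000 bytes)
pm3 --> lf cmdread d 80 z 100 o 200 c 11000000 H
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
pm3 --> data sam
Data fetched
pm3 --> data rawdemod am 32
DEBUG: Bitlen from grphbuff: 39999
DEBUG: Too many errors found, errors:1248, bits:1250, clock:32
pm3 --> data print x
DemodBuffer: BEF380951FE85571BEF380951FE85571BEF380951FE85571BEF3
pm3 --> data load sn1.pm3
loaded 39999 samples
pm3 --> data ltrim 3540
pm3 --> data rtrim 1300
pm3 --> data raw am 32
Using Clock:32, Invert:0, Bits Found:39
ASK/Manchester - Clock: 32 - Decoded bitstream:
pm3 --> data pr x
DemodBuffer: FD787C5839
"""

if __name__ == "__main__":
    for hexstr, verdict, unit in check_transcript(TRANSCRIPT):
        print(f"{hexstr[:20]:<20} {verdict:<26} repeats {unit!r}")
```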

#82 2016-08-05 01:55:11

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Thank you for your advice, Marshmellow. I am aware this is a sensitive sector... The thing was near dead since 2008, 2009 for there-must-be-a-reason; now trying to revive it, you must be somehow so naive or a near-idiot.

You'd get a lot farther if you read the help or command description before you use a command.   (Or both if they exist for the cmd)
First there is no debug 4 in lf.

I knew about {0|1|2}; I reused the command buffer and wanted the deepest level. If the trace didn't come I would set level 2.

Second debugging levels are to debug the demod code, if you aren't doing that it won't be helpful.

When you are drowning, anything you tried, any straw you grasped.

Third if the demod fails there will be nothing valid in the demod buffer so printing it won't be helpful.

If you look at the log, I did a clear buffer before sending cmdread. I knew I failed on graph, failed on demod, but there was something coming out from data print hex... I was first shocked too.

Fourth use the hitag cmds and hitag list. You've identified it as a hitag2.

I got stuck soon everywhere I turned: in "lf snoop", "lf hitag snoop", "lf hitag list", "lf cmdread"... Some little things came to light, some useful information contained, but the communication is not going all the way as expected in the protocol. So I am not even sure that could be hitag2, unless somebody very experienced with hitag2 told me, "Stick with it, a few more steps only and you can solve it, you are nearly there...", then I would only stick to that sector. The problem is we don't know anything for sure about this piece

Fifth what do you want to do with your tag?

More than 5 yrs ago I first saw someone using a piece of plastic to open a door. I thought it must be some sort of radio or infrared, but nope, no red LED, no battery inside, nothing etc. but it opens the door. Day in, day out, and lasts for ever! I resigned: "Woah, magic..." But I knew it tortured/bothered my mind how it could open a door, only I had no courage. Understand that "Woah magic" was not on my priority list, no money for electronic toys... Until a little more than a year ago, I finally understood it, its technology: simulate it, emulate it, copy it, you can explain it to people, to your children who perhaps would one day be hit with "Woah magic!", or you could also warn people that the technology is not safe, but not by raising one finger but by showing them that it really is potentially less safe than a good mechanical lock... Kind of "Show me, don't talk".

The same is for this bullet fob now: I know it does open the door, but it is like a brick in your hand, on your table, on your mind. You now have a PM3 and you can understand some stuff, but you can't read this bullet, can't show it, can't see it, can't understand it; all that you know: somehow it opens doors.

If you got a brick like that, what would you want to do with your tag?

To be frank, I want to know it so well that I can copy it. I believe it holds the answer why we can not read Bewator Siemens, in general German LF tags (those who are hiding their protocol well)... If we understand how this fob is working, those tags aren't bricks no more. Call me naive, I want to know; I can not understand why/how many capable people for years could brush them, the unknown, aside as if nothing bothers them... I can't forget those few words: bullet/bewator/Cotag/Siemens... solved, then I can move on in life, move on to other hacks, to HF study....

In 1995 I told people: if using a PC camera, cover it when you don't use it; if you have a PC at home, the PC monitor should not be in a sensitive room, it could be controlled and observe you from far away. People looked at me as if I am the mischief. If in 2015 I tell them don't go for a fancy car, don't fall in love with the latest technology if you know fuck all about it, soon they will have no need of a bullet to take you out whenever/wherever they want; would you call mine being a criminal....

If you want to hint at criminal activity in "Gone in 360sec" "Gone in 60 seconds", then yes I do know those lectures.

But learning the RFID technique to have a joy-ride, to steal a car, I am not that stupid.

If learning hitag2 is for opening a car to steal it, then my higher priority is not to steal a car, but to pull up a net of consumers, a network first to chop cars into spares, a triad gang to earn a seat in the auto consumer industry; perhaps you have enough underlings to start to deal with drugs too, as that always makes more money than stealing and selling the hot whole car, and going to prison because of leaving too many traces behind.

Call me a thief: spending time learning to use RFID/PM3 to crack hitag2 chips to steal a car would be the stupidest thing, the lowest of the low priority on my list.

Oh no, if being capable of pulling up a net of criminal consumers to quickly make a whole car disappear, THAT is the right thing to do. Being that far I would not care how to steal it without making a scratch. If being that capable I just go to the car I want, I spit on it and I take it, with or without hitag 1/2/s, car immobiliser, GPS or whatever you want to put in it, on it, around it.

I was at first very much insulted by reading your advice/questions, but you, iceman and Asper were some of the first people giving me help to understand RFID and I know you know more than you show or say, I just got to be patient... so instead of lying around, I take the courage to tell you that this is more than a bullet, that it is just not as simple as you see.

Last edited by ntk (2016-08-05 03:04:28)

Offline

#83 2016-08-05 04:41:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

I struggle with assisting you mainly due to a major communication gap. The translation just is not good. I can't understand 3/4 of what you say. And when you write a book, I get nothing. That, and I have very little time; before I read one post there are 5 more.

Your tag appears very strongly to be a hitag2 tag. It followed the protocol. Hitag2 can be a crypto enabled chip. The only hope of dumping it if it is in crypto mode or password mode (and your tag is in one of them, probably crypto) is to snoop its communication with a valid reader.

That or guess the key, maybe it is left default but I doubt it.

The twn3/4 does not support hitag crypto and is not a valid reader.  It can only read the uid.  As can the pm3. 

Even if you snoop a valid authentication with crypto you would have to have at least two captured and then have a valid crypto attack script built to attempt to recover the key. 

These are not easy items to get or build successfully.

No one gave up on hitag.  They proved there was a weakness and moved on.

Last edited by marshmellow (2016-08-05 04:43:36)

Offline

#84 2016-08-05 22:05:15

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Thank you for your advice and reassurance Marshmellow.

(Why do you need translation? Where in the world do you live? I already write English. Well, not very posh, not pure breed, but a kind of Ninja or MMA English.) Only joking, I am not a native English speaker.

I have read and re-read your msg 5x, contemplated, then read once more the hitag2 protocol, and gone through the list of my questions regarding the hitag commands sector. Now I think I can answer you.

I will stick with hitag2 from now.

Offline

#85 2016-08-05 22:58:45

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Experiment reading bullet fob using hitag commands

After re-reading the Hitag2 protocol, and with the backing of Marshmellow's thoughts, I ran the next set of experiments. Here is the set of results. I am still struggling to make sense of it, hoping for your feedback. Remember the tag ID is "1F 8B 0F AF"


Experiment on Authentication with Password mode, method I

[images: trace1, graph1, trace2, trace3]

Experiment on Authentication with Password mode, method II

[images: trace1, graph1, trace2, trace3]

Experiment on Authentication with Key authentication mode

[images: trace1, graph1, trace2, trace3]

Experiment of testing of recoded Authentications! (What does "recoded" mean????)

[images: graph, trace]

All other readers switched off, no other fobs in the near premises, so not resulting from bad influence.
Very strong amplitude.
Graphic results are reproducible after powering off the test system.

Still, have not seen something nearly like that before, waiting for your comment.

Last edited by ntk (2016-08-06 13:40:30)

Offline

#86 2016-08-05 23:11:20

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

New question in Experiment reading bullet fob using hitag commands


How to get Nr and Ar for testing the command authentication using hitNr and hitAr?
I know the answer is here but I can not understand this code

        case RHT2F_AUTHENTICATE: {
            DbpString("Authenticating using nr,ar pair:");
            memcpy(NrAr, htd->auth.NrAr, 8);   // 8-byte nr/ar pair supplied by the client
            Dbhexdump(8, NrAr, false);         // show it in the client output
            bQuiet = false;
            bCrypto = false;
            bAuthenticating = false;
            bQuitTraceFull = true;
        } break;

What is the meaning of this command "Testing of recoded Authentications"! (What does "recoded" mean????)

        case RHT2F_TEST_AUTH_ATTEMPTS: {
            Dbprintf("Testing %d authentication attempts", (auth_table_len / 8));
            auth_table_pos = 0;                // start at the first entry of the table
            memcpy(NrAr, auth_table, 8);       // load the first 8-byte pair from the table
            bQuitTraceFull = false;
            bQuiet = false;
            bCrypto = false;
        } break;

Offline

#87 2016-08-07 05:53:43

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

New records of experiment 07-08-2016
New day. Disconnected and reconnected the system to do the reading of this fob again

Questions:
Is this trace random?
Are these false readings?
What is contained in the trace? What can we use from these traces?



PM3 acts as reader, cmd Key Authentication

[images: plot, trace]

The trace seems to be reproducible.
But rawdemod am 32 showed an error:
data rawdemod  am       
Using Clock:40, Invert:0, Bits Found:513         

# Errors during Demoding (shown as 7 in bit stream): 1          
ASK/Manchester - Clock: 40 - Decoded bitstream:          

PM3 acts as reader, cmd Test recorded Authentication
"Testing of recoded Authentications" should be "Testing of recorded Authentications" according to the source code cmdlfhitag.c
"lf hitag reader 25"

[images: plot, trace]

Conclusion
After resetting/clearing data, the reading shows the "repeated" strange form again and again.
But data rawdemod shows errors; is it because the antenna is not good? But why do we get strong amplitude and reproducible results?
What is/are in these traces?

Offline

#88 2016-08-26 10:02:33

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

ntk, the Elatec TWN3/4 can read the T5557, T5567, T5577 series of tags but as they do not have a serial number you need to read them block by block and you need to know the frequency mod 32/64/128 as you need to set that first.
The tags can have 4 or 7 blocks from what I've seen and also if they have been written to by the Smartcard Deluxe machine that most locksmiths use then the Elatec will read it incorrectly so basically only new chips are reliably read.
I have the TWN4 Development kit, a Paxton Net2 reader and software, NFC ACS ACR122U Mifare Reader and HID OmniKey iClass reader, as I use them for my business.

Offline

#89 2016-08-27 04:32:11

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Onisan wrote:

ntk, the Elatec TWN3/4 can read the T5557, T5567, T5577 series of tags but as they do not have a serial number you need to read them block by block and you need to know the frequency mod 32/64/128 as you need to set that first.
The tags can have 4 or 7 blocks from what I've seen....

You seem to have different SW. I can not find any place to set frequency mod.


Onisan wrote:

... also if they have been written to by the Smartcard Deluxe machine that most locksmiths use then the Elatec will read it incorrectly so basically only new chips are reliably read.

Smartcard Deluxe machine as machine from JMA, TRS, RW, Hickleys
Electronic key programming machine "Touch Memory TMD5RF"

Onisan wrote:

I have the TWN4 Development kit, a Paxton Net2 reader and software, NFC ACS ACR122U Mifare Reader and HID OmniKey iClass reader, as I use them for my business.

Very interesting set, lots of things I could learn in there.

Offline

#90 2016-08-27 06:30:35

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

If you need to clone to TPX4, would it be better for experimental purposes to go for TPX5, multiple write possible?
  re-writable TPX5

I see there are also CN1 (compatible to TXP1), CN2 (compatible to TXP2), CN3 (compatible to TXP3/TXP4) and have read that not every cloner can work with/to every TXPx/CNx!!!

I read that you have "the TWN4 Development kit, a Paxton Net2 reader and software, NFC ACS ACR122U Mifare Reader and HID OmniKey iClass reader, as I use them for my business."; it would help me to know whether you have enrolled a Paxton fob, tested a clone of the Paxton fob to TPX4, TPX5 or CN3 and also tested it against a valid Paxton reader.

Which reader would work? Which transponder chip is recommendable? I have interest in the mini zed-bull black version; for experiments I would use the TPX5 multiple write... But I am not sure the combination would work all the way until the test is successful on the valid reader too... That would be a problem because I don't have the valid Paxton reader.

Can I make a shameless proposal here: if you only possess theory until now, would you have interest to test the theory to work, Paxton to ID46, clone to TPX3/TPX4 or CN3?

I make that proposal not because I don't believe in your words, it is because you have a valid Paxton reader & net2 software over there. I want to know about this Paxton, but after the experiment we may gain some extra knowledge we may be able to apply to other interesting areas too.

Last edited by ntk (2016-08-28 12:59:03)

Offline

#91 2016-08-28 17:13:08

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

This is all that I can find about ZED related to hitag2:
"It is possible to edit latest generation transponder hitag 2 with Zed-BULL PC software. Pages of hitag 2 transponders can be both read and written with Zed-BULL and Zed-BULL PC Software. Software shows transponder type (PCF7936/7941/7942/7943/7944/7946/7947), transponder mode (Password Mode or Crypto Mode), frequency mode (Manchester or Biphase), transponder pages and transponder configuration bits to the user and can be edited by the user"

but that is all there is to read!

Either it is "so simple", just a case of simply reading all pages and writing all pages over, so that it is not worth giving further theory, OR there is a surprise: it may process every step but not give a working Paxton fob at all, like a working Paxton clone key on a Paxton entry system, because "Paxton is Paxton" and "it is impossible to clone Paxton" as they already announce, why don't you people just accept it and live with it.... hmmmmmm

Last edited by ntk (2016-08-28 17:29:42)

Offline

#92 2016-09-19 12:42:24

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

The Paxton Net2 System doesn't read the ID of the fob but a number saved to one of the hitag2 pages.
It's that number that the system uses to open/close the doors, not the ID.

I have an iDTRONIC EVO LF desktop reader arriving tomorrow that comes with an SDK, so hopefully Paxton have left the RWD Password as 4D394B52 and the High password as 4F4E and I should be able to read all pages and write to a standard Hitag2 Fob.

I'll let you know the outcome.
If they've changed the password then hopefully someone on here could sniff the signal between the fob and reader to get that as it would be the same for all blue ring Bullet fobs?

The SILCA RW4 Plus machine is able to read and write the bullet fobs but you need to be at the door to do it as the sniffer needs to be used. The problem with that is the machine isn't portable unless you have a car for power (cigarette lighter), which I don't have.

The other problem with the Silca is it uses class transponder chips GTI, which are the only ones it can clone to and are too expensive in comparison to other Chinese CN3s.

Paxton don't want people to know the fob can be cloned but I can absolutely guarantee it can.

Offline

#93 2016-09-19 12:47:16

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

If the Paxton is password protected with a different password I am happy to lend the Paxton reader and software to someone so they can sniff and find the real password, as long as they share the info with me as it's the one fob I have been stuck on and it's bugging the crap out of me.

Offline

#94 2016-09-23 10:15:25

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

We are in the same boat Onisan. This "impossible to copy/clone" challenge.

"The other problem with the Silca is it uses class transponder chips GTI, which are the only ones it can clone to and are too expensive in comparison to other Chinese CN3s"
Indeed very expensive just for an experiment, also it is not rewritable.
CN3 are rewritable, but to re-write the CN3 you would need special equipment that not every piece of equipment has, e.g. like Tk9000.

I think it uses standard PW.

Does your new HW perform as expected?

Last edited by ntk (2016-09-23 12:47:57)

Offline

#95 2016-09-28 16:46:15

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

So I don't think that the Paxton Bullet Hitag2 is in Password mode as I can't log into it. I can read the serial number but no other pages. I have some Hitag2 Crystal fobs that I am able to read all pages with. They have sequential numbers on them so I have 10 going from 158860 to 158869.
My reading gives me 7 pages which I think are backwards, for instance
Printed number: 00158865
Gives pages
0  259A978D
1  C90000AA
2  4CE92DD7
3  21C35383
4  00000000
5  00000000
6  00000000
7  575F4F4B

Page 0 is the UID but in reverse as the TWN reads it as 8D979A25

No idea how the printed number is derived though as all 10 fobs have the same pages for 1,4,5,6 and 7, so only 2 and 3 change.

Looks like it's back to the drawing board unless someone can sniff the password with the proxmark

Offline
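The page dump above is worth looking at mechanically rather than by eye. The following is an added example, not Onisan's code and not any reader SDK: it parses the posted dump for fob 00158865, shows page 0 in both byte orders (the post says the TWN reports the reversed form, 8D979A25), lists which pages differ between dumps the way the post did by hand across ten fobs, and flags any page that happens to be printable ASCII. The second dump is constructed here to stand in for another fob from the same batch and is not real data.

```python
"""Parse and compare Hitag2 page dumps like the one posted above.

Added example, not the poster's code and not any reader SDK. The dump
posted for fob 00158865 is embedded; DUMP_CONSTRUCTED is made up here to
stand in for a second fob of the same batch and is not real data.
"""
from typing import Dict, List, Optional

HITAG2_PAGES = 8  # Hitag2 exposes pages 0..7, 32 bits each

# Dump as posted above for the fob printed 00158865
DUMP_158865 = """
0  259A978D
1  C90000AA
2  4CE92DD7
3  21C35383
4  00000000
5  00000000
6  00000000
7  575F4F4B
"""

# CONSTRUCTED stand-in for a second fob: static pages kept, pages 0, 2 and 3
# given different, made-up values so the comparison has something to find.
DUMP_CONSTRUCTED = """
0  11223344
1  C90000AA
2  0BADF00D
3  21C35384
4  00000000
5  00000000
6  00000000
7  575F4F4B
"""


def parse_dump(text: str) -> Dict[int, bytes]:
    """Turn '<page>  <8 hex digits>' lines into {page: 4 raw bytes}."""
    pages: Dict[int, bytes] = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"unexpected dump line: {line!r}")
        idx, word = int(parts[0]), parts[1]
        if len(word) != 8:
            raise ValueError(f"page {idx}: expected 8 hex digits, got {word!r}")
        pages[idx] = bytes.fromhex(word)
    if sorted(pages) != list(range(HITAG2_PAGES)):
        raise ValueError("dump must contain exactly pages 0..7")
    return pages


def uid_both_orders(pages: Dict[int, bytes]) -> Dict[str, str]:
    """Page 0 as dumped and byte-reversed. The post says the TWN reports the
    reversed form as the UID, so two tools can disagree on byte order."""
    p0 = pages[0]
    return {"as_dumped": p0.hex().upper(), "reversed": p0[::-1].hex().upper()}


def varying_pages(dumps: List[Dict[int, bytes]]) -> List[int]:
    """Pages whose value is not identical across all dumps. The post did this
    by eye over ten fobs and found only pages 2 and 3 change beside the UID."""
    return [i for i in range(HITAG2_PAGES) if len({d[i] for d in dumps}) > 1]


def ascii_if_printable(word: bytes) -> Optional[str]:
    """Decode a page as ASCII when every byte is printable, else None. Handy
    for spotting a page that holds a marker string rather than binary data."""
    if all(0x20 <= b < 0x7F for b in word):
        return word.decode("ascii")
    return None


def report(dumps: List[Dict[int, bytes]]) -> str:
    """Human-readable summary of UID byte orders, varying pages and ASCII pages."""
    lines = []
    for n, d in enumerate(dumps):
        u = uid_both_orders(d)
        lines.append(f"dump {n}: page0={u['as_dumped']} reversed={u['reversed']}")
    lines.append(f"pages that differ between dumps: {varying_pages(dumps)}")
    for i in range(HITAG2_PAGES):
        text = ascii_if_printable(dumps[0][i])
        if text is not None:
            lines.append(f"page {i} of dump 0 is printable ASCII: {text!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report([parse_dump(DUMP_158865), parse_dump(DUMP_CONSTRUCTED)]))
```

Run as a script it prints both byte orders of page 0, reports pages 0, 2 and 3 as the ones that differ between the two dumps, and notes that page 7 of the posted dump decodes to printable ASCII; what that marker means is not stated anywhere in the thread, so the code only reports it.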

#96 2016-09-29 14:52:52

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Onisan wrote:

Page 0 is the UID but in reverse as the TWN reads it as 8D979A25

No idea how the printed number is derived though as all 10 fobs have the same pages for 1,4,5,6 and 7, so only 2 and 3 change.

Interesting. "Hitag2 Crystal fobs" as glass tag or chip in ID46 sector?

What do you use to read 00158865?

Onisan wrote:

unless someone can sniff the password with the proxmark

Marshmellow has given info that this bullet possibly has crypto mode and Proxmark3 can not support password mode or crypto mode. If it does not support those two modes, can you still use it to sniff the communication then???

Offline

#97 2016-09-29 15:13:10

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

The Hitag2 Crystal Progeny Fobs are door entry fobs; the number is what is printed on the front of the fob and when you buy them (product-code 3805-10) they are recognised by the Progeny software with the number, same as Paxton. Paxton have a number stored in the pages of the card which it reads and uses to authenticate users.

I am sure Proxmark supports Hitag2 in standard transportable password mode when you know the password.

The rfidler hardware can sniff the exchange between a hitag2 and reader so I am sure the Proxmark can as well.

Offline

#98 2016-09-30 01:08:53

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

This Crystal proximity fob looks very much like a blue EM UID or a t55x7 chip, but a lot more expensive. And you say it is a hitag2 type!!! Do you have a data paper for this fob regarding configuration etc...? Can you use Proxmark to read or write it?

This Progeny HID fob looks familiar!!! I have seen it somewhere recently... Is it not in the hand of the Australian reality program reporter, @iceman...

Last edited by ntk (2016-09-30 15:55:24)

Offline

#99 2016-10-03 08:46:37

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

The Crystal fobs I have are def Hitag2; the TWN4 recognises them as such and returns the UID from Page 0.
They are in standard password mode, so with the iDTRONIC Evo Desktop Reader/Writer I can read all 8 pages and write to the fob as well.
I am cloning a fob this week for a guy in Manchester and if it works he'll order another 9 from me, so fingers crossed.
It would be nice to understand the encryption of pages 2 and 3 to determine the ID it produces; I've tried various basic arithmetic
like converting to octal or decimal, XOR etc but no luck.
I'll keep digging though as I have 10 fobs to play with.

I don't own the Proxmark yet. I'd get one if I could sniff the password that is passed by the Paxton bullet fob to the reader and vice versa as that's one of the last fobs I'm stuck on.

Offline

#100 2017-03-21 21:47:26

gaetan
Contributor
Registered: 2017-03-21
Posts: 3

Re: [waste of time infos] Proxmark3 Can't read a bullet form fob

Hi Onisan,

May I ask if you've made any progress with the Net2 fobs?

Looking at your site, it seems you are now able to clone them – is that right?

Offline
