Hi
A friend of mine gave me his BEGEH token for research.
I can't read it with proxmark, as I thought.
hw tune shows it's 13.56, and hw search as well as all manual checks did not succeed.
After some research I found the following detailed resources:
mainly site 104 - end of document
https://secenv.seclab.tuwien.ac.at/secenv/static/inetsec2/10_Radio_SDR_RFID.pdf
the key is used by postman, police and others to enter buildings "without a key"
I'm not a programmer, but I guess when these guys manage it to read them, it should be possible with proxmark too?
anyone?
Offline
ok funny thing.. I swapped now for testing to the proxmark original build and original flash fullimage
now hf search results
proxmark3> hf search
#db# DownloadFPGA(len: 42096)
Tag UID : the 16digit token id
Tag Info: Texas Instrument; Tag-it HF-I Plus (RF-HDT-DVBB tag or Third Party Products)
Valid ISO15693 Tag Found - Quiting Search
while running the iceman build won't find this
Offline
that's because my iso15 is not working with my changes to the timers...
Offline
Iceman's build tends to be bleeding edge, which can break some older functionality at times.
Offline
as I was curious what's up with this card I just did a git pull and make clean all
then I flashed back to proxmark master...
proxmark3> hw ver
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: master/v2.2.0-264-gd1057e7-dirty-suspect 2016-10-14 17:48:01
os: master/v2.2.0-264-gd1057e7-dirty-suspect 2016-10-14 17:48:03
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 188608 bytes (72%). Free: 73536 bytes (28%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)
......
# LF antenna: 31.07 V @ 125.00 kHz
# LF antenna: 29.43 V @ 134.00 kHz
# LF optimal: 36.44 V @ 129.03 kHz
# HF antenna: 22.26 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3> hw tune
Measuring antenna characteristics, please wait........#db# DownloadFPGA(len: 42096)
.
# LF antenna: 31.07 V @ 125.00 kHz
# LF antenna: 29.43 V @ 134.00 kHz
# LF optimal: 36.44 V @ 129.03 kHz
# HF antenna: 28.89 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3> hf search
no known/supported 13.56 MHz tags found
proxmark3> hf 15 demod
proxmark3> hf 15 read
proxmark3> hf 15 record
#db# fin record
proxmark3> hf 15 reader
#db# 0 octets read from IDENTIFY request:
#db# 0 octets read from SELECT request:
#db# 0 octets read from XXX request:
proxmark3> hf 15 findafi
proxmark3> hf 15 dumpmemory
Sending bytes to proxmark failed
Sending bytes to proxmark failed
No Tag found.
#db# AFI Bruteforcing done.
proxmark3> hf list raw
Recorded Activity (TraceLen = 122 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
The card is not dead.. cause when I go out to my front door and hold the card to the reader it opens the door
I tried to do a hf mf sniff but it doesn't do anything
as it doesn't recognize it in any commands I guess it won't do anything with snooping others too.
so any idea what could be the reason or how to get on with it?
Offline
there is the "subcommand" under "hf 15" which is better than the first level *secret*
hf 15 cmd
Offline
ahh yeah... I missed those as I remembered this from playing round with some other cards earlier, but did not think of some other commands behind cmd :-P
basically no luck with the basics...
I've started debug mode as I read here in the forum that it's giving better results then.
I did play round with the commands and tried it over and over again and the result is not very steady and coming over again...
BUT ! I finally got some responses
1 out of like 10-20 tries it replies with Detected UID E***80D**EA81*** (*** just hidden here as the card is still active and not mine)
basically I found it only with
proxmark3> hf 15 cmd sysinfo -2 *
#db# SEND
#db# &.... 26 01 00 f6 0a
#db# error, uneven octet! (extra bits!) mask=40
#db# RECV
#db# SEND
#db# &.... 26 01 00 f6 0a
#db# error, uneven octet! (extra bits!) mask=10
#db# RECV
#db# NoErr CrcFail!
#db# ..... 00 00 1d 17 a8
#db# SEND
#db# &.... 26 01 00 f6 0a
#db# RECV
#db# NoErr CrcOK
#db# ........ 00 00 1d 17 a8 0e d1 80
#db# ...r 07 e0 07 72
Detected UID E***80D**EA81***
with the same accuracy I managed also to get this response:
proxmark3> hf 15 cmd read -2 u 0
#db# SEND
#db# . .GP 02 20 00 47 50
#db# ran off end!
#db# error, uneven octet! (extra bits!) mask=02
#db# RECV
#db# NoErr CrcFail!
#db# .....w.. 00 00 00 00 00 77 cf 00
#db# ........ 00 00 00 00 00 00 00 00
#db# ...... . 00 00 00 00 cc fc 20 00
#db# ........ 00 f4 ff ff 00 f4 ff ff
#db# ........ 01 00 00 00 00 01 00 00
#db# K*..X> . 4b 2a 10 00 58 3e 20 00
#db# ........ 05 00 00 00 88 0a 00 00
#db# .. 0a 00
CRC failed
*EDIT*
uhhh found the magic corner on the proxmark with this card... way more far away than with other tags.
proxmark3> hf 15 dumpmemory
#db# SEND
#db# &.... 26 01 00 f6 0a
#db# error, uneven octet! (extra bits!) mask=02
#db# RECV
#db# NoErr CrcFail!
#db# ........ 00 00 1d 17 a8 0e d1 80
#db# ... 07 e0 07
#db# SEND
#db# &.... 26 01 00 f6 0a
#db# ran off end!
#db# error, uneven octet! (extra bits!) mask=02
#db# RECV
#db# NoErr CrcFail!
#db# ........ 00 00 1d 17 a8 0e d1 80
#db# ...r.... 07 e0 07 72 02 00 00 00
#db# ...... . 00 00 00 00 cc fc 20 00
#db# ........ 00 f4 ff ff 00 f4 ff ff
#db# ........ 01 00 00 00 00 01 00 00
#db# K*..X> . 4b 2a 10 00 58 3e 20 00
#db# ....(... 05 00 00 00 28 01 00 00
Reading memory from tag UID=E***80D**EA81***
Tag Info: Texas Instrument; Tag-it HF-I Plus (RF-HDT-DVBB tag or Third Party Products)
Last edited by HighPressure (2016-10-14 22:09:42)
Offline
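The "NoErr CrcFail!" and "NoErr CrcOK" lines in the debug output above come from the ISO 15693 CRC-16 over each frame. As an added example (not code from this thread or from the Proxmark3 project), the sketch below regroups "#db#" dump lines into SEND/RECV frames and recomputes that CRC. The function names are hypothetical, the line layout is assumed to be exactly as pasted on this page, and the reply in the sample is built around a made-up UID.

```python
def crc15693(data: bytes) -> bytes:
    """ISO/IEC 15693 CRC-16 (reflected 0x8408, preset 0xFFFF, inverted), low byte first."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return (crc ^ 0xFFFF).to_bytes(2, "little")

def verdict(frame: bytes) -> str:
    if not frame:
        return "empty"
    return "crc ok" if len(frame) >= 3 and crc15693(frame[:-2]) == frame[-2:] else "crc fail"

def parse_dump_line(line: str) -> bytes:
    """Bytes of one '#db# <ascii> <hex ...>' line, b'' for status lines.
    One ASCII character per byte, so the text after '#db# ' is 4*n long."""
    body = line.partition("#db# ")[2].rstrip()
    n = len(body) // 4
    try:
        data = bytes.fromhex(body[n + 1:])
    except ValueError:
        return b""
    return data if n and len(body) == 4 * n and len(data) == n else b""

def classify(log: str) -> list:
    """(direction, frame, verdict) for every SEND/RECV group in the log."""
    groups = []
    for line in log.splitlines():
        word = line.partition("#db# ")[2].strip()
        if word in ("SEND", "RECV"):
            groups.append([word, b""])
        elif groups:
            groups[-1][1] += parse_dump_line(line)
    return [(d, f, verdict(f)) for d, f in groups]

def dump(frame: bytes) -> str:
    # Sample helper: render a frame as '#db#' dump lines of 8 bytes each.
    rows = [frame[i:i + 8] for i in range(0, len(frame), 8)]
    return "\n".join("#db# " + "".join(chr(b) if 32 < b < 127 else "." for b in r)
                     + " " + r.hex(" ") for r in rows)

# Constructed sample: request as on this page, reply built around a made-up UID.
INVENTORY = "#db# SEND\n#db# &.... 26 01 00 f6 0a\n"
PAYLOAD = bytes.fromhex("0000" "01020304050607e0")  # flags, DSFID, UID low byte first
REPLY = PAYLOAD + crc15693(PAYLOAD)
SAMPLE = (INVENTORY + "#db# error, uneven octet! (extra bits!) mask=40\n#db# RECV\n"
          + INVENTORY + "#db# RECV\n#db# NoErr CrcFail!\n" + dump(REPLY[:5]) + "\n"
          + INVENTORY + "#db# RECV\n#db# NoErr CrcOK\n" + dump(REPLY) + "\n")
```

Calling `classify(SAMPLE)` gives one tuple per SEND/RECV group. A reply that stops after a few bytes fails the check because its last two bytes are data, not the CRC.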