Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-04-19 18:45:06

Kepouick
Contributor
Registered: 2017-03-11
Posts: 11

Nedap card very strange results, Iceman read this please.

Hi,

I explained my story: I wanted to make a clone of my Nedap access badge, following several posts on the forum so I managed to clone this one on a T5577. After several tests my clone is operational.
When I execute the command: "lf search u" followed by the command "data rawdemod 0 64 1 0", the result on the 2 access cards is not identical, yet this badge works (the door opens ) Could you tell me more? (In fact the result is the same but unpacked several bits).

2nd question: I tried using the t55xx command to read the original nedap. Obviously I'm not back from it.
But the strangest thing is when doing more reading manipulation on the original and the clone I got to read the different block of the original nedap badge (lf t55xx read b0 to 7 and also lf t55xx info)
Is that what happened to you already ?? Can the information be useful to you? How does it happen that I get to read the block while it is not possible?

PS; I use the fork iceman

Offline

#2 2017-04-19 18:59:19

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Nedap card very strange results, Iceman read this please.

First, rawdemod 0 is not valid. 
Second there are improvements made to the t55xx cmds in the master repo that fixes many bugs that are not in Iceman's fork.
Third, things on lf don't have to be the same hex as long as they are the same binary

Offline

#3 2017-04-19 19:11:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Nedap card very strange results, Iceman read this please.

lets test something fun,  lets test the brand new data plot from @marshmellow just merged into PM3 Master today.

And if you can share a trace (lf read/data save) it will also help. Nedap is not fully solved yet. The unencrypted one can be cloned with raw hex, if I remember it correct.


and I think he means  "data ra am..."

Offline

#4 2017-04-19 19:12:37

Kepouick
Contributor
Registered: 2017-03-11
Posts: 11

Re: Nedap card very strange results, Iceman read this please.

- So I do not have to believe in the values that give it to me when I use my original card?

- i have tested many different bit rates, when changing the block 0 in the t5577, when i do the tests I have the same results without shifting, but I do not know yet if the clone is operational

Offline

#5 2017-04-19 19:15:24

Kepouick
Contributor
Registered: 2017-03-11
Posts: 11

Re: Nedap card very strange results, Iceman read this please.

i use data "rawdemod ab 0 64 1 0"

sorry for my poor English. wink

Offline

#6 2017-04-19 19:17:37

Kepouick
Contributor
Registered: 2017-03-11
Posts: 11

Re: Nedap card very strange results, Iceman read this please.

Iceman your remember is correct , the first 64 bit is encrypted

Offline

#7 2017-04-19 20:47:03

Kepouick
Contributor
Registered: 2017-03-11
Posts: 11

Re: Nedap card very strange results, Iceman read this please.

-- T55x7 Configuration & Tag Information --------------------         
-------------------------------------------------------------         
Safer key                 : 15         
reserved                  : 98         
Data bit rate             : 6 - RF/100         
eXtended mode             : No         
Modulation                : 16 - Biphase         
PSK clock frequency       : 2         
AOR - Answer on Request   : Yes         
OTP - One Time Pad        : Yes - Warning         
Max block                 : 1         
Password mode             : No         
Sequence Start Terminator : Yes         
Fast Write                : No         
Inverse data              : Yes         
POR-Delay                 : Yes         
-------------------------------------------------------------         
Raw Data - Page 0         
     Block 0  : 0xFC590B2B  11111100010110010000101100101011         
-------------------------------------------------------------

Offline

#8 2017-04-19 22:18:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Nedap card very strange results, Iceman read this please.

that doesnt look like a good config block.

Offline

#9 2017-04-19 23:02:36

Kepouick
Contributor
Registered: 2017-03-11
Posts: 11

Re: Nedap card very strange results, Iceman read this please.

i confirm , i have again bricks a t5577 !!!!!!
i waiting many day's for reception my new TT5577 sad

wipe command doesn't work, no no noooooooooo.......  RIP

FYI : i don't remake the strange value with the real proxmark git. I hate Iceman ( this is a joke ).

Now i'm going break mifare, lol.
Have a good night

Offline

#10 2017-04-19 23:38:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Nedap card very strange results, Iceman read this please.

can ppl stop writing abritrary config block 0 values and not understand what can happen...

Offline

#11 2017-04-20 00:48:02

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Nedap card very strange results, Iceman read this please.

Should I tell him about the testmode cmd?

Ah, but that would require compiling the latest master repo...

Offline

#12 2017-04-20 00:50:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Nedap card very strange results, Iceman read this please.

You should tell him about the testmode cmd,  and he should compile and test the new PM3 master...  I did today wink

Offline

#13 2017-04-20 03:12:03

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Nedap card very strange results, Iceman read this please.

If you can compile the latest github master code and you don't mind wiping your entire t5577 (including traceability blocks) you can run the new lf t55xx write [testmode] option to write a VALID block 0 and recover your tag(s). You must send a valid block 0 data with it though.

Offline

#14 2017-04-20 11:58:01

Kepouick
Contributor
Registered: 2017-03-11
Posts: 11

Re: Nedap card very strange results, Iceman read this please.

marshmellow wrote:

Should I tell him about the testmode cmd?

Ah, but that would require compiling the latest master repo...

It's good I work with new repo, i test writing with testmode but for now i don't save my cards

Offline

Board footer

Powered by FluxBB