Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

#1 2017-05-03 11:02:07

lockakey
Contributor
Registered: 2015-10-10
Posts: 22

[unknown] Kaba / SafLok

Trying to read and duplicate a new type of rfid I just ran across.
System is manuf by Kaba, 3rd party by Saflok. I found a distributor sheet claiming 125/13.56
EDIT: It looks like this also goes by the name In-Sync

kabdual.jpg

Tried an lf search u and got some funny results.
If anyone can point me in the right direction, I'd greatly appreciate it.
capturedata.jpg

Checking for Unknown tags:
Possible Auto Correlation of 1 repeating samples          
Using Clock:16, invert:0, Bits Found:1109          
PSK1 demoded bitstream:          
1010101010101010
1001010110110101
0101010101010101
0101101010100101
0101010101101010
1010100101010101
0101010101010101
0101010101010101
0101010101010101
0011011010110101
0110101010101010
1010101010010101
0101010101010101
0100111010101010
1010101011010101
0110101010101010
1010101010100101
0101010101101010
1010101001010110
0101010111010100
1101010110101010
1010101010100110
1010101101010101
0101010101101011
0101101010101010
1010101010101010
1010101010101010
1010101010101010
1110100010101010
1010101011010101
0101010101010101
0100101010101010
Possible unknown PSK1 Modulated Tag Found above!
Could also be PSK2 - try 'data rawdemod p2'          
Could also be PSK3 - [currently not supported]          
Could also be NRZ - try 'data nrzrawdemod

Also here is a data samples 16000
https://pastebin.com/ZuT9H686



I found a site that sells originals with options.

safinfo.jpg

Last edited by lockakey (2017-05-03 11:41:50)

Offline

#2 2017-05-03 12:47:31

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [unknown] Kaba / SafLok

Looks like a hitag s, which means your tag needs a proper wake up cmd to respond. (And you would likely need a pwd to do anything meaningful with the chip.). Look in the lf hitag section, I think there might be some limited hitag s functions.

Offline

#3 2017-05-05 07:06:00

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: [unknown] Kaba / SafLok

I have also looked in the Hitag attack paper. Its seem to be hard to implement the attack. But is it possible ?

Offline

#4 2017-05-05 10:59:18

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [unknown] Kaba / SafLok

Kaba could be a legic-possibility too. I have read at one place the mother lock company (Assa Abloy) provides exceptional most highest safety entrance system, mechanic or digital. Working for US Gov. like Army bases etc. they adapted and managed to seal off security issue quite quickly and successfully  ... perhaps due to immense cash reserve. I could be wrong. look like you have lot of funs there.

Last edited by ntk (2017-05-05 12:34:36)

Offline

#5 2017-05-05 12:48:39

lockakey
Contributor
Registered: 2015-10-10
Posts: 22

Re: [unknown] Kaba / SafLok

Ok, so after a few more whitepapers and a few hundred google links....

Dorma uses it
http://products.dorma.com/content/downl … 217_lo.pdf

Kaba looks the same
http://www.kaba-adsamericas.com/media/6 … aa1245.pdf


this appears as a [Hitag S with up to 2048 bits.] Its encoded with a SamRF unit sold by company.
I checked with an east asia company that claims to be able to copy the sk but not the uid.
Ill have the device shortly.

Im running into a wall with this. If you guys have any further info im around.
the keyfobs are marke KABA in small in the bottom right corner.
Website sells it as a "multi unit system" -Kaba InSync
We just 3dprinted some plastic designs to simulate the shape and function of the black fob.

Anything more I can do to help?

Last edited by lockakey (2017-05-05 12:56:58)

Offline

#6 2017-05-05 13:17:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [unknown] Kaba / SafLok

Did you try the hitag commands?

Offline

#7 2020-03-20 06:05:53

Mabenhav
Contributor
Registered: 2020-03-03
Posts: 2

Re: [unknown] Kaba / SafLok

I'm assuming the fob being discussed here is the "InSync Key with Hitag S" [1] for the "InSync Lock Series" [2].

https://www.dormakaba.com/resource/blob … f-data.pdf
https://www.dormakaba.com/us-en/solutio … ies-293070

It's been a few years since this discussion, so I'm curious if any progress been made with this particular fob (or Hitag S in general)?

Also, assuming that we're discussing the same fob, I'm wondering how lockakey was able to get anything back from "lf search u"...because I'm getting "No data found". I assume it needs a wake-command, but that seems like it would be particularly difficult to sniff for this type of lock.

Last edited by Mabenhav (2020-03-20 06:38:09)

Offline

Pages: 1

Board footer

Powered by FluxBB