Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-08-25 09:45:10

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Mysterious green tag

Bonjour Guys smile
I'm trying to get infos on this little guy but i'm stuck !

some tag

Prox/RFID mark3 RFID instrument
bootrom: master/v2.2.0-566-g8614a5a-suspect 2017-07-18 08:43:28
os: master/v3.0.1-71-g5c814c3-suspect 2017-08-23 12:09:33
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 195644 bytes (37%). Free: 328644 bytes (63%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune

Measuring antenna characteristics, please wait.........
# LF antenna: 44.41 V @   125.00 kHz
# LF antenna: 19.80 V @   134.00 kHz
# LF optimal: 45.51 V @   123.71 kHz
# HF antenna: 30.52 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

With him on LF some power is drained.

Measuring antenna characteristics, please wait.........
# LF antenna: 42.35 V @   125.00 kHz
# LF antenna: 19.94 V @   134.00 kHz
# LF optimal: 43.86 V @   123.71 kHz
# HF antenna: 30.49 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3> lf read
#db# LF Sampling config:
#db#   [q] divisor:           95
#db#   [b] bps:               8
#db#   [d] decimation:        1
#db#   [a] averaging:         1
#db#   [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 4e 33 1f 13 0b 06 47 76 ...
Reading 39999 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1

plot

lf search dont show anything and i have tryed every lf standard whitout success...
Any ideas ?

Last edited by yugnat (2017-08-25 10:35:58)

Offline

#2 2017-08-25 10:51:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mysterious green tag

Try the manual demodulation commad;

data raw 

And how about you save a trace and upload on sendspace.com or similar,  so users can analyse it, 

data save nnnnn

Offline

#3 2017-08-25 11:10:50

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

proxmark3> data raw p1

Using Clock:16, invert:0, Bits Found:2498
PSK1 demoded bitstream:
0000000000000001
0011111111110101
1110001101000000
1111110111110111
0111101000000111
0000000000000000
0111111111111111
1000111111111101
0111100011010000
0011111101111101
1101111010000001
1100000000000000
0001111111111111
1110001111111111
0101111000110100
0000111111011111
0111011110100000
0111000000000000
0000011111111111
1111100011111111
1101011110001101
0000001111110111
1101110111101000
0001110000000000
0000000111111111
1111111000111111
1111010111100011
0100000011111101
1111011101111010
0000011100000000
0000000001111111
1111111110001111


proxmark3> data raw fs

Using Clock:32, invert:0, fchigh:12, fclow:8
FSK?? decoded bitstream:
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111


proxmark3> data raw nr
Tried NRZ Demod using Clock: 8 - invert: 0 - Bits Found: 4990
NRZ demoded bitstream:
0000000000000000
0000000000000000
1000001110000000
0000000000111010
0110000010000011
1101100101000000
0001000000000011
1000000000111000
0011100000001100
1000000000000100
0010100000000000
0000000000000000
0000100000000000
0000000000000000
0000100000111000
0000000000000011
1010011000001000
0011110110010100
0000000100000000
0011100000000011
1000001110000000
1100100000000000
0100001010000000
0000000000000000
0000000010000000
0000000000000000
0000000010000011
1000000000000000
0011101001100000
1000001111011001
0100000000010000
0000001110000000

And the pm3 file : https://www.sendspace.com/file/yix88d

Last edited by yugnat (2017-08-25 13:01:24)

Offline

#4 2017-08-25 14:12:13

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Mysterious green tag

that is a nasty one...

proxmark3> data askedge 28
proxmark3> data rawd am s 8

Found Sequence Terminator - First one is shown by orange and blue graph markers

Using Clock:8, Invert:0, Bits Found:513
ASK/Manchester - Clock: 8 - Decoded bitstream:
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0000111000000000
1110000011100000
0011001000000000
0001000010100000
0000000000000000
0000000000100000
0000000000000000
0000000000100000
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0000111000000000
1110000011100000
0011001000000000
0001000010100000
0000000000000000
0000000000100000
0000000000000000
0000000000100000
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0000111000000000
1110000011100000
0011001000000000
0001000010100000

note: for some reason this combo makes the graph overlay go incorrect..  a bug i will look into...

any numbers on the tag or do you know what system it goes to?

Offline

#5 2017-08-25 14:27:49

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

No brand or number on it !
It used in cofee machine.
Another graph with different zooming :
plot

Offline

#6 2017-08-25 14:32:10

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mysterious green tag

I can't demod it with manchester clk 8,   but the NRZ works well

pm3 --> da ra nr
DEBUG: (NRZrawDemod) Tried NRZ Demod using Clock: 8 - invert: 0 - Bits Found: 4990
DBEUG: (setClockGrid) demodoffset 0, clk 8
NRZ demoded bitstream:
0000000000000000
0000000000000000
1000001110000000
0000000000111010
0110000010000011
1101100101000000
0001000000000011
1000000000111000
0011100000001100
1000000000000100
0010100000000000
0000000000000000
0000100000000000
0000000000000000
0000100000111000
0000000000000011
1010011000001000
0011110110010100
0000000100000000
0011100000000011
1000001110000000
1100100000000000
0100001010000000
0000000000000000
0000000010000000
0000000000000000
0000000010000011
1000000000000000
0011101001100000
1000001111011001
01

pm3 --> da print x
DemodBuffer: 000000008380003A6083D94010038038380C8004280000000800000008380003A6083D94010038038380C8004280000000800000008380003A608
3D940100380

Offline

#7 2017-08-25 14:34:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Mysterious green tag

just be aware the nr demod wouldn't have pulled out the ST.

proxmark3> data printd x
DemodBuffer: 0000E9820F6500400E00E0E0320010A00000002000000020
0000E9820F6500400E00E0E0320010A00000002000000020
0000E9820F6500400E00E0E0320010A0

is your 6 blocks of data on the tag.

Offline

#8 2017-08-25 14:48:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mysterious green tag

hm,, that 00000002 seems wrong.   Is it a parity bit it should be in a different position, like 

pm3 --> da print x o 3
00000001 00000001 0000074C 107B2802 00700707 01900085

Offline

#9 2017-08-25 14:50:32

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

Why i don't have the same output from data print x ?

proxmark3> data print x
DemodBuffer: 0000000107000074C107B28020070070701900085000000010000000107000074C107B28020070070701900085000000010000000107000064C107B280200700

Offline

#10 2017-08-25 14:52:14

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Mysterious green tag

@iceman, the sequence terminator determines the proper start position.  i haven't gone through and manually demoded the entire string yet but what i did was correct.

Offline

#11 2017-08-25 14:52:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mysterious green tag

most likely because you didn't run the same commands as @marshmellow

Offline

#12 2017-08-25 14:57:08

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

Right, now i have same output smile

Offline

#13 2017-08-25 15:15:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mysterious green tag

Just left for you to test a t55x7 card to see if this works.  The shape of your green tag looks like a card will not work,  but hey, you can at least test it.

block 0 ,  6blocks, stt, man   == 000080C8

lf t55 write b 1 d 0000E982
lf t55 write b 2 d 0F650040
lf t55 write b 3 d 0E00E0E0
lf t55 write b 4 d 320010A0
lf t55 write b 5 d 00000020
lf t55 write b 6 d 00000020
lf t55 write b 0 d 000080C8

Offline

#14 2017-08-25 15:17:41

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Mysterious green tag

Also, I'm curious if the coffee machine changes the data when used.

Offline

#15 2017-08-25 15:27:04

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

Sorry, i don't understand. You want i try to write some data without password ?

Offline

#16 2017-08-25 15:31:30

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

I'm pretty sure the data change !
We have 2 machine with no network between them.
Actually the first shows  0.10€
The second shows 0.14€
When i fill with 1€ they show 1.10 and 1.14
:!

Offline

#17 2017-08-25 15:31:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mysterious green tag

...no,  I want you to test writing those blocks to a t55x7 card,  and use the card against the reader (coffee machine)

And you can try reading the t55x7 card with yr pm3 to see if you get the same demod values.

Offline

#18 2017-08-25 15:33:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mysterious green tag

pro-tip:
you should read your tag before / after recharging it.   So you can track the differences in the data.

Offline

#19 2017-08-25 15:35:36

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

ho ok smile
The reader is a hole and i don't think a card will work with it !
Like you said i can try.
I let you know monday smile
Right now i write my T55 and look for demod !

Offline

#20 2017-08-25 15:36:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mysterious green tag

whats the name of the coffee machine?

Offline

#21 2017-08-25 15:41:37

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

I'm home to day, but i think it's a rheavendors !
I'll take a picture monday.

Offline

#22 2017-08-25 16:03:30

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

Ok, i have just write a T55 and the demod values are not the same !

Offline

#23 2017-08-26 05:11:23

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Mysterious green tag

yugnat wrote:

Ok, i have just write a T55 and the demod values are not the same !

did you end up with 7's or did it NOT say that the Sequence Terminator was found? 
the data askedge value (28) may not apply for every read.  the number may need to be adjusted to get the proper read.  (use slider on graph overlay to see what the numbers do)

Offline

#24 2017-08-26 08:44:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Mysterious green tag

... I got the same numbers after writing to a t55x7,  took some time to get the right output. 
My guess is that pm3 didn't like the clk 8 very much.

Offline

#25 2017-08-29 09:41:56

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

Hi guys,
first, thank you again to spend time with me on this little guy !
I have tried my t55XX against the reader but no luck !
I have filled my green tag with 0.9€ so i have 1€ on cofee machine and 1.04€ on snickers machine.
The datas are now different :
https://www.sendspace.com/file/kvk4mj

proxmark3> data askedge 28
proxmark3> data rawd am s 8

Found Sequence Terminator - First one is shown by orange and blue graph markers          

Using Clock:8, Invert:0, Bits Found:513          
ASK/Manchester - Clock: 8 - Decoded bitstream:          
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0110100000000000
1110000011100000
0101111000000000
1011000010100000
0000000000000000
0000000000100000
0000000000000000
0000000000100000
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0110100000000000
1110000011100000
0101111000000000
1011000010100000
0000000000000000
0000000000100000
0000000000000000
0000000000100000
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0110100000000000
1110000011100000
0101111000000000
1011000010100000

But as i am not a pro in data demod i can't say what's happend ...

Offline

#26 2017-08-29 10:00:50

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Mysterious green tag

Do you have a Picture of the Tag?

Offline

#27 2017-08-29 10:12:10

yugnat
Contributor
From: France
Registered: 2017-08-23
Posts: 18

Re: Mysterious green tag

On my first post !

Offline

#28 2017-09-11 03:20:12

lonewolf
Contributor
Registered: 2016-09-03
Posts: 37

Re: Mysterious green tag

iceman wrote:

I can't demod it with manchester clk 8,   but the NRZ works well

I'm liking PSK1 better.  Once cleaned up a bit, the 2 dumps the OP posted result in:
1: 00000000000000001111111111111111000111111111101011110001101000000111111011111011101111010000001110
2: 00000000000000001111111111111111000101111111101010001110101011111000010111111011101110110000010110

However, looking at the plot for the 2nd dump the data looks questionable, though it does decode reasonably.  As the OP has made multiple purchases and reloads it doesn't make a very good A/B comparison.

(Random ramblings: My questions about the system: Does the card store the balance remaining or total loaded + total purchases and makes the machine subtract them to get the remaining balance?  Or perhaps both?  That could explain the 0.04 difference between the 2 machines.  Big endian or little?  Scrambled data or clear?  Any CRC or parity?  As for the machines, do they write the balance back to the card before vending, and if so do they reject the vend if it's unable to?  That may make it tricky to clone if it uses a non-standard command set)

yugnat wrote:

The reader is a hole and i don't think a card will work with it !

A round sticker tag on a wooden or plastic rod would probably work better.

Can you post more dumps?
1) Dump the card as it currently is
2) Make 1 (and only 1!) purchase or refill
3) Dump it again

Offline

#29 2017-09-11 05:42:35

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Mysterious green tag

It is definitely Manchester with a sequence terminator.

Offline

Board footer

Powered by FluxBB