Proxmark3 community


#1 2017-11-30 14:52:04

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Unknown 125Khz tag cloning strange error [SOLVED]

Hello community, hello all the smart people out there,

I have this LF tag. It's pretty straightforward, but when I write the data to a new fob, it yields different output.

Not sure if it's a bug or I'm doing something wrong.

My rig

Proxmark3 RFID instrument
         
 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-19-gfeea1a45 2017-10-05 18:09:38
      os: iceman/master/ice_v3.1.0-19-gfeea1a45 2017-10-05 18:09:44
 [ FPGA ]
 LF image built for 2s30vq100 on 2015/03/06 at 07:38:04
 HF image built for 2s30vq100 on 2017/05/17 at 17:48:26
         
 [ Hardware ]          
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 220509 bytes (42%) Free: 303779 bytes (58%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory     

Measuring antenna characteristics, please wait......          
# LF antenna: 36.16 V @   125.00 kHz          
# LF antenna: 21.45 V @   134.00 kHz          
# LF optimal: 36.16 V @   125.00 kHz          
# HF antenna: 33.82 V @    13.56 MHz          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.


Then the Initial detection

pm3 --> lf search u
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
         
 
Checking for known tags:
         
 
No Known Tags Found!
         
 
Checking for Unknown tags:
         
Possible Auto Correlation of 25600 repeating samples          
Possible 3200 bytes          
Possible  2 blocks, width 1600          
Possible  4 blocks, width 800          
Possible  8 blocks, width 400          
Possible 16 blocks, width 200          
DEBUG: (FSKrawDemod) Using Clock:50, invert:0, fchigh:10, fclow:8          
FSK2 decoded bitstream:          
1101100110101000
1101111001011111
1111111111011111
1101111111011111
1101111111011111
1101111111011111
1101111111011111
1101001101111001
1101100110101000
1101111001011111
1111111111011111
1101111111011111
1101111111011111
1101111111011111
1101111111011111
1101001101111001
1101100110101000
1101111001011111
1111111111011111
1101111111011111
1101111111011111
1101111111011111
1101111111011111
1101001101111001
1101100110101000
1101111001011111
1111111111011111
1101111111011111
1101111111011111
1101111111011111
11          
 
Unknown FSK Modulated Tag Found!          
 
Valid T55xx Chip Found
Try `lf t55xx` commands
         
pm3 --> lf t55 detect
Chip Type  : T55x7          
Modulation : FSK2a          
Bit Rate   : 4 - RF/50          
Inverted   : Yes          
Offset     : 32          
Seq. Term. : No          
Block0     : 0x80107080          


pm3 --> lf t55 info
         
-- T55x7 Configuration & Tag Information --------------------          
-------------------------------------------------------------          
 Safer key                 : 8          
 reserved                  : 0          
 Data bit rate             : 4 - RF/50          
 eXtended mode             : No          
 Modulation                : 7 - FSK 2a RF/10  RF/8          
 PSK clock frequency       : 0          
 AOR - Answer on Request   : No          
 OTP - One Time Pad        : No          
 Max block                 : 4          
 Password mode             : No          
 Sequence Start Terminator : No          
 Fast Write                : No          
 Inverse data              : No          
 POR-Delay                 : No          
-------------------------------------------------------------          
 Raw Data - Page 0          
     Block 0  : 0x80107080  10000000000100000111000010000000          
-------------------------------------------------------------          
pm3 --> lf t55 read
Reading Page 0:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 255 | 01010101 | 00000001000000010000000100000001 | ....          



pm3 --> lf t55 detect
Chip Type  : T55x7          
Modulation : FSK2a          
Bit Rate   : 4 - RF/50          
Inverted   : Yes          
Offset     : 32          
Seq. Term. : No          
Block0     : 0x80107080          
         
pm3 --> lf read
#db# LF Sampling config:          
#db#   [q] divisor.............95 (125 KHz)          
#db#   [b] bps.................8          
#db#   [d] decimation..........1          
#db#   [a] averaging...........Yes          
#db#   [t] trigger threshold...0          
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample          
#db# buffer samples: 30 00 12 6c ae dc d8 7e ...          
Reading 39999 bytes from device memory
         
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1          
pm3 --> data save new.pm3
saved to 'new.pm3'          
 
pm3 --> lf t55 dump
Reading Page 0:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | 80107080 | 10000000000100000111000010000000 | ..p.          
 01 | 00010101 | 00000000000000010000000100000001 | ....          
 02 | 01010101 | 00000001000000010000000100000001 | ....          
 03 | 01010164 | 00000001000000010000000101100100 | ...d          
 04 | 6265721A | 01100010011001010111001000011010 | ber.          
 05 | 00000000 | 00000000000000000000000000000000 | ....          
 06 | 00000000 | 00000000000000000000000000000000 | ....          
 07 | 00000000 | 00000000000000000000000000000000 | ....          
Reading Page 1:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | 80107080 | 10000000000100000111000010000000 | ..p.          
 01 | C02A1441 | 11000000001010100001010001000001 | .*.A          
 02 | 9567518D | 10010101011001110101000110001101 | .gQ.          
 03 | 00000000 | 00000000000000000000000000000000 | ....          

Now I tried to clone

lf t55 wr b 0 d 80107080
lf t55 wr b 1 d 00010101
lf t55 wr b 2 d 01010101
lf t55 wr b 3 d 01010164
lf t55 wr b 4 d 6265721A 

After cloning I dump the new fob:

pm3 --> lf t55 dump
Reading Page 0:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | 80107080 | 10000000000100000111000010000000 | ..p.          
 01 | 00020202 | 00000000000000100000001000000010 | ....          
 02 | 00040404 | 00000000000001000000010000000100 | ....          
 03 | 020202C8 | 00000010000000100000001011001000 | ....          
 04 | 6265721A | 01100010011001010111001000011010 | ber.          
 05 | 00000000 | 00000000000000000000000000000000 | ....          
 06 | 00000000 | 00000000000000000000000000000000 | ....          
 07 | 00000000 | 00000000000000000000000000000000 | ....          
Reading Page 1:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | 80107080 | 10000000000100000111000010000000 | ..p.          
 01 | 80542883 | 10000000010101000010100010000011 | .T(.          
 02 | 2E159924 | 00101110000101011001100100100100 | ...$          
 03 | 00A00003 | 00000000101000000000000000000011 | ....          
pm3 -->

As you can see, the data in blocks 1, 2 and 3 is not identical to the original fob's. What am I doing wrong here? Or am I?

I tried the following:

Tried a different blank, overwrote the blocks several times, changed the fob's proximity to the antenna, etc.


How do I get the desired output? Please help, and thanks for your suggestions.

Last edited by Heru (2017-12-19 23:25:06)


#2 2017-11-30 14:55:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Unknown 125Khz tag cloning strange error [SOLVED]

1. Always use lf t55 detect after writing a config block.
2. It's FSK, hard to get a starting point; sometimes you will see that you need a different offset when printing.
0202 -> 0101 is just one step away...

And to make sure, try out the pm3 official, and see if your tag gets identified correctly.


#3 2017-11-30 15:04:34

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Unknown 125Khz tag cloning strange error [SOLVED]

Did you re-detect the clone before running the t55xx dump cmd? T55xx read cmds require the detect cmd first to have a chance at being accurate.

That said, the t55xx read blk (dump) cannot perfectly identify the start bit of the stream, as it is dependent on many variables. So the output can be offset by a bit now and then.

Edit: Iceman beat me to it :)


#4 2017-11-30 15:10:58

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Unknown 125Khz tag cloning strange error [SOLVED]

Btw, I always double-check the t55 read commands of the broadcast blocks with the rawdemod commands.


#5 2017-11-30 15:18:24

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Re: Unknown 125Khz tag cloning strange error [SOLVED]

For the record, I did re-detect the clone before running the dump command.

Also, the block 0 and 4 changes were immediate. It showed the correct output straight away; I did not have to re-detect.

@iceman, I'm obsessed with your build. Not really keen to change the firmware back and forth, to be honest.

But maybe it's a good opportunity for me to try the official build, thanks.

Last edited by Heru (2017-11-30 15:32:33)


#6 2017-12-19 23:24:11

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Re: Unknown 125Khz tag cloning strange error [SOLVED]

This one is solved.

Apparently, this card is a cloned one, not the original card. The original card had the value 0x00107080, which indicates it's a Pyramid tag.

So this clone has the value 80107080 and the original has 00107080, yet both keys still work, that is funny.

Another funny thing is that you cannot force-write a t55x5 successfully with the following values:

lf t55 wr b 0 d 80107080
lf t55 wr b 1 d 00010101
lf t55 wr b 2 d 01010101
lf t55 wr b 3 d 01010164

It will always be shown as

pm3 --> lf t55 dump
Reading Page 0:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | 80107080 | 10000000000100000111000010000000 | ..p.          
 01 | 00020202 | 00000000000000100000001000000010 | ....          
 02 | 00040404 | 00000000000001000000010000000100 | ....          
 03 | 020202C8 | 00000010000000100000001011001000 | ....          


#7 2017-12-20 03:53:36

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Unknown 125Khz tag cloning strange error [SOLVED]

Those values are one and the same in binary.  Change tag position on the antenna or change antenna and your results will vary on t55x7 read. 

In other words, depending on your antenna, tag position, and tag modulation lf t5 read may be a bit off in the conversion from binary to hex.  Timing varies on the different pm3 equipment out there so... 
Btw it works perfectly almost always on my setup...

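The comparison discussed in posts #2, #3 and #7 (a read-back that is the written bits seen at a different offset), as an added example that is not part of the original thread: for each block from post #1 it finds the bit rotation at which the clone's read-back best matches what was written. Modelling a single-block read as a 32-bit window onto the block repeated back to back is an assumption of this sketch, and the function names are hypothetical.

```python
# Added example: separate a bit-misaligned T55xx block read from a bad write.
# Assumption: a block read is a 32-bit window, starting at an unknown bit, of
# the block repeated back to back, so a good write reads back as a rotation.

# Values written with "lf t55 wr" in post #1.
WRITTEN = {0: 0x80107080, 1: 0x00010101, 2: 0x01010101,
           3: 0x01010164, 4: 0x6265721A}
# Values shown by "lf t55 dump" on the new fob in post #1.
READ_BACK = {0: 0x80107080, 1: 0x00020202, 2: 0x00040404,
             3: 0x020202C8, 4: 0x6265721A}


def rotl32(word, n):
    """Rotate a 32-bit word left by n bits."""
    n %= 32
    return ((word << n) | (word >> (32 - n))) & 0xFFFFFFFF


def best_alignment(written, read):
    """Return (rotation, differing_bits) for the closest rotation."""
    candidates = ((n, bin(rotl32(written, n) ^ read).count("1"))
                  for n in range(32))
    # Prefer the fewest differing bits, then the smallest rotation.
    return min(candidates, key=lambda c: (c[1], c[0]))


def compare_dumps(written, read_back):
    """Classify every block as aligned, rotated, or having bit errors."""
    report = {}
    for blk in sorted(written):
        rot, diff = best_alignment(written[blk], read_back[blk])
        if diff:
            verdict = "bit errors"   # no rotation reproduces the read
        elif rot:
            verdict = "rotated"      # same bits, read started off-boundary
        else:
            verdict = "aligned"      # read equals the written word
        report[blk] = (rot, diff, verdict)
    return report


if __name__ == "__main__":
    for blk, (rot, diff, verdict) in compare_dumps(WRITTEN, READ_BACK).items():
        print(f"block {blk}: rotation={rot:2d} differing_bits={diff} {verdict}")
```

On this thread's data, blocks 1 and 3 come out as the written words rotated by one bit, while block 2 lines up best at two bits with one bit left over, the kind of read worth cross-checking against the raw demod as post #4 suggests.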

#8 2017-12-20 04:22:24

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Re: Unknown 125Khz tag cloning strange error [SOLVED]

marshmellow wrote:

Those values are one and the same in binary.  Change tag position on the antenna or change antenna and your results will vary on t55x7 read. 

In other words, depending on your antenna, tag position, and tag modulation lf t5 read may be a bit off in the conversion from binary to hex.  Timing varies on the different pm3 equipment out there so... 
Btw it works perfectly almost always on my setup...

OK, good to know, thank you sir!

