Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hi,
I have embarked on a project to embed 125 KHz tags of different types on the same support. I have been doing a bit of research on the internet but the topic does not seem to have been treated much in depth.
To explain it better with an example: let's assume that I have an access controlled by a HID prox tag reader and another controlled by a EM4100 reader, the objective is to use one and only one physical card/fob (call it, a "smart tag") to get it recognised by both the HID and the EM4100.
The constrains are that the "smart tag" be passive and of a cost comparable to a T5577.
Does anybody know of any solution already available (or a project underway) for this problem ?
One potential architecture is to have the smart tag send the various tags in sequence. Eeach reader would react when a tag of its own type is sent but not when the other types are. There are potentially many practical difficulties (time-outs, false positives, etc.) for such an implementation. Any better idea out there ?
Thanks in advance to everyone for any feedback.
Offline
hm.. a card that can send out two different modulation schemas, in a alternating way... I don't think I ever seen a LF tag which can do that at the same time. T5577 can pretend different but only one at the time
Offline
@am There is one solution I'm aware of. Not a card, but a FOB and pretty it would cover your needs. 4 cards on one. KEYSYS
My idea on it would be todo what COIN card and similar multi MAG cards with an interactive element do or did. It would be a more expensive project. R&D would be costly. The new thin film flexible lithium ceramic cells could be the ticket. https://www.youtube.com/watch?v=z9QWD0haXtU
Couple that with the touch e-screen and or a couple thin film buttons to switch between them.
Another idea would be to use 4 of the cards or small form factor stickers. use an NO (normally open) thin film switch. Cut the antenna leads and solder them to the switch. place 4 on a card. Press and hold the one you want to be active. --- That is just a dirty method. But a simple one.
Same method as mentioned in the dirty one. Remove 4 or 5 chips and use 1 card antenna. Connect leads to the chips and interrupt them again using the NO Thin film buttons. Would work....
Here is the KEYSYS though
https://tinylabs.io/keysy/
KEYSY
COMPATIBILITY
Keysy supports 125kHz RFID keycards/keyfobs. These are typically perimeter access control systems that require the keycard/keyfob to be placed within 10cm of the reader. Anything that works farther away is unsupported.
Supported Models
HID Prox (Proxcard, ISOProx, ProxKey)
(Emulation not supported on multiClass readers, can still clone to rewritable)
HID Indala (Motorola Indala)
EM400x, EM410x, EM420x
Noralsy (KCP3000)
Farpointe Pyramid
Keri (KC-10X, MT-10X, PKT-10X)
Kantech ioProx
DoorKing (DKProx) [Not DKProx Long Range]
AWID (Low frequency only – CS-AWID, GR-AWID, KT-AWID, PW-AWID)
(Emulation not supported, can still clone to rewritable)
Radio Key (SecuraKey RKKT-01, RKKT-02)
Viking
Visa2000
Schlage IBF iButton (RFID portion only)
T55x7 compatible keycard/keyfob
Have a card/fob that isn’t on either list? Email compat@tinylabs.io with a picture of the card/fob and we will promptly take a look to determine if it is supported.
Unsupported Models
Automotive Keyfobs
Garage Door openers that require pushing a button (rather than waving in front of a reader)
Mass transit cards
Stored value cards
Hotel keys
HID iClass, iClass SE
Mifare Classic 1k/4k
Mifare Plus EV1
Mifare DESFire EV1/2
Mifare Ultralight
Farpointe Delta, Farpointe Ranger
DKProx Long Range (AVI)
AWID (all HF and UHF tags)
Any other RFID cards/fobs not operating at 125kHz.
Offline
the keysy is interesting but his design choice of locking down the t5577 card with his diversified key is just a dick move.
Offline
FYI
saw on a market pretty fobs contained 4 different t5577's that connected to a shared antenna with a 4 buttons. Looks like a nice toy.
Offline
Hi, Iceman
Have you found a way to unbrick a t5577 card locked by Keysy? Anyway I can use my own empty t5577 with Keysy duplicator?
Thank you
the keysy is interesting but his design choice of locking down the t5577 card with his diversified key is just a dick move.
Offline
There are some solutions for it now.
Depending on your t5577 card, if its a genuine atmel version, you can unlock it,
or you can use the `lf t55 sniff` to get which pwd was used and wipe your tag using it.
Offline
Hello Iceman,
I ran "lf t55 sniff" on a Keysy Fob to try and find out the password that's being used. I'm having an issue with the output of that command. See below.
There is an issue with the output as mwalker didn't get that in his output. http://www.proxmark.org/forum/viewtopic.php?id=6482 I tried with an AWID fob, and the "lf t55 sniff' and got a similar result. Running the latest Iceman fork.
Any suggestions on what could possibly be going wrong and how i could find the Keysy Password so that i can program other t55xx fobs with this password, and then use the keysy programmer?
[usb] pm3 --> lf t55 sniff
[#] LF Sampling config
[#] [q] divisor.............95 ( 125.00 kHz )
[#] [b] bits per sample.....8
[#] [d] decimation..........1
[#] [a] averaging...........No
[#] [t] trigger threshold...0
[#] [s] samples to skip.....0
[#] LF Sampling Stack
[#] Max stack usage.........4040 / 8480 bytes
[#] Done, saved 44028 out of 0 seen samples at 8 bits/sample
[=] Reading 44027 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1
[=] T55xx command detection
[+] Downlink mode | password | Data | blk | page | 0 | 1 | raw
[+] ----------------------+----------+----------+-----+------+-----+-----+-------------------------------------------------------------------------------
[+] Default Read | | | 6 | 0 | 7 | 15 | 101110
[+] Default Read | | | 4 | 0 | 7 | 23 | 100100
[+] Default Read | | | 0 | 1 | 7 | 15 | 110000
[+] Default Read | | | 5 | 0 | 7 | 17 | 100101
[+] Default Read | | | 0 | 1 | 7 | 13 | 110000
[+] -----------------------------------------------------------------------------------------------------------------------------------------------------
In another article http://www.proxmark.org/forum/viewtopic.php?id=6475 the block 0 of the Keysy fob is a bit different from what i found after running "lf t55xx dump".
[usb] pm3 --> lf t55xx dump
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00088040 | 00000000000010001000000001000000 | ...@
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] 04 | 00000000 | 00000000000000000000000000000000 | ....
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
[+] 06 | 890E17B1 | 10001001000011100001011110110001 | ....
[+] 07 | 80D87046 | 10000000110110000111000001000110 | ..pF
[+] Reading Page 1:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00088040 | 00000000000010001000000001000000 | ...@
[+] 01 | E0150A8C | 11100000000101010000101010001100 | ....
[+] 02 | 3F830F58 | 00111111100000110000111101011000 | ?..X
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
Last edited by ebodyyy (2021-01-02 04:50:26)
Offline
I ran lf t55 sniff while programming several original keysy cards (identified as T5577) using keysy. Each sniff was different. Probably the sniffing does not work as expected, but I have no experience with carrying out useful sniffs.
If someone haa a hint where is a good post that explains how to get reproducible sniffs that would be helpful.
Offline