Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
OK, I introduced a bug from a test where I tried to use up to 45 bits in short format.
Fixed in r651. Sorry for this.
Could you please try now?
I also added block commands for EM4xxx-based cards (tested with EM4305, EM4269 and EM4469). This will soon allow these cards to be used for cloning.
Last edited by Cex (2013-01-24 14:35:14)
Thanks, I'll try it out tonight (in about 12 hours from now). I had a look through the code and diffs to try and find the bug and didn't even notice the change from 11 to 12.
I also have one very minor comment about your code; it looks like the editor you're using is set up with soft tabs (replaced with spaces) and a tab width of 2 (?), and it makes the code misaligned when viewed on Google Code and editors with different tab widths.
A question: should lfops.c:781 be testing for hi2 as it does at :738?
It also seems like hi2 should be passed back to the caller as *high and *low are for consistency, but that would involve supporting the 84-bit format in CMDHIDsimTAG.
A question: should lfops.c:781 be testing for hi2 as it does at :738?
Yes, it should, for consistency. I'll fix it when possible, along with the TABs.
It also seems like hi2 should be passed back to the caller as *high and *low are for consistency, but that would involve supporting the 84-bit format in CMDHIDsimTAG.
Surely, but I do not have time for this now. If you are interested in that functionality you can make the changes and ask Roel for SVN access for commit.
The latest commit works perfectly, thank you.
I didn't mean to suggest you need to make the changes to CMDHIDsimTAG, I was more just thinking out loud.
I'd make the change myself, but I don't have the hardware to test it with.
Thanks for all of your hard work on this guys! I got a new PM3 last week and flashed r671 osimage on it straightaway, but I did not do the FPGA as well. Now it seems that I have a flasher issue, see this post:
http://www.proxmark.org/forum/viewtopic … 1551#p1551
I guess I will have to JTAG it.
When I am trying to clone a card I am also having issues. I am using lf hid sim, see this post:
http://www.proxmark.org/forum/viewtopic … 1550#p1550
But the write does not work. I suspect two possible issues:
1. My FPGA needs to be updated to the one from r671, can anyone confirm this?
2. My card does not support writes. I have an HID Crescendo C700. It definitely has a prox chip as I can read it using lf hid fskdemod, it returns FFFFFFFFFF as the ID. I am pretty sure that it can be written to as the shop that I purchased it from offers to ship it with custom data written to it. When I asked them they said "you can only write to the card using the official writer". I guess they mean the HID 6100 series writers. Is the PM3 able to achieve the same job?
Thanks,
Michael.
MF,
Regarding HID genuine credentials they are password protected.
You will need to find out the 32-bit password in order to modify them with Proxmark3.
You also need to know the IDIC used in your credentials and use the proper programming algorithm.
As far as I know HID used Atmel AT5557 in the proxcard line and EM4469/4269/4305 in the proxcardII line of products.
Hi Cex,
Great, thank you. How would I specify that password during the clone process?
Thanks,
Michael.
There's no implementation for cloning with a password, but you can check the password by writing the second block of data with 0xAAAAAAAA.
If the password is OK this will make a part of the card UID to read as FFFF or 0000.
There are block commands for both T55x7 and EM4xxx.
Once you get the correct password you can either write the card block by block or modify the clone command to accept a password.
Just curious, is there only one (global system wide) password for all tags or are they diversified (derived from the ID and some (global?) secret).
Version II of HID cards have a lot number that I think is requested when using the official programmer, which suggests that the password may be different for each job lot (besides, blank cards can't be written and also request the lot), but version I cards do not have a job number printed (at least I have some old ones that do not have it), which suggests that the password should be the same as there's no way of distinguishing between cards, so both of them are possible.
Excuse my ignorance whilst I'm learning the ins and outs. Is it possible to clone a HID Prox card used in a Proxpoint system, such as the one below, to a T55x7 card if I don't know the password? Does anyone know if the T55x7 cards work on Proxpoint readers?
Thanks
You don't need to know the HID password to copy HID card data onto a T55x7 card. However, you would need to know the password if you were trying to write/modify an original HID card. HID utilizes the password feature when they program their cards at the factory in order to prevent their cards from later being modified.
All T55x7 cards support the password feature but its use is optional. If you desire to use a password you must define a 32-bit password and then set the password enable bit in Block 0.
In regards to your last question ... Yes, a T55x7 card will work with a HID Proxpoint reader if Block 0 has been programmed with the correct HID modulation and data encoding parameters.
Last edited by carl55 (2013-04-10 00:53:46)
Thanks for the info Carl. Can I read the HID modulation and encoding params off an existing HID card / fob which I have?
Essentially I want to make a copy (legally) of a programmed HID card I already have, onto a blank T55x7 card.
I also have a blank/spare HID iClass fob. I assume this will be passworded so I won't be able to copy the site ID from the existing fob onto this one?
Cheers
The HID modulation and data encoding parameters needed to program Block 0 of a T55x7 card can be found in the following chart.
http://www.proxmark.org/files/Documents … xample.pdf
Regarding your second question, I am not sure exactly what you are trying to do. You appear to be intermixing questions about 125 kHz Prox and 13.56 MHz iClass technologies.
It is certainly possible to write card information to an iClass card/fob that is obtained from a different credential (either standard Prox or iClass) but you need to have the proper keys and iclass programming tools. The Proxmark3 currently does not support this capability.
Having some trouble with installation. I downloaded the files from http://www.proxmark.org/files/Various%20Software/PM3_T55x7_v2.zip
Getting the following error when attempting make. Any pointers would be greatly appreciated.
root@bt:~/proxmark3-t55x7# make
make -C bootrom all
make[1]: Entering directory `/root/proxmark3-t55x7/bootrom'
perl ../tools/mkversion.pl .. > version.c || cp ../common/default_version.c version.c
arm-none-eabi-gcc -c -I../include -I../common -Wall -Werror -pedantic -std=c99 -I. -Os -mthumb -mthumb-interwork -o obj/version.o version.c
arm-none-eabi-gcc -c -I../include -I../common -Wall -Werror -pedantic -std=c99 -I. -Os -mthumb -mthumb-interwork -o obj/cmd.o ../common/cmd.c
../common/cmd.c: In function 'cmd_send':
../common/cmd.c:69:11: error: 'USB_CMD_DATA_SIZE' undeclared (first use in this function)
../common/cmd.c:69:11: note: each undeclared identifier is reported only once for each function it appears in
make[1]: *** [obj/cmd.o] Error 1
make[1]: Leaving directory `/root/proxmark3-t55x7/bootrom'
make: *** [bootrom/all] Error 2
Proposed for addition: decoding of the UID of MOTOROLA cards (37 bit).
pSrc - card bit array, taken one unit of the sequence at a time (packed 8 bits per byte, MSB first)

#include <stdint.h>

/* Output buffer: bPSK[0] is always 0, bPSK[1..4] hold the converted ID, least
 * significant byte first. The posted code assumes this exists elsewhere; it is
 * declared here so the snippet compiles on its own. */
static unsigned char bPSK[5];

/* Source bit index -> destination bit position. The value 32 marks a source
 * bit that is dropped (it falls outside the 32-bit destination). */
static const unsigned char bConv[] = {32, 6, 16, 14, 24, 25, 20, 4, 31, 26, 21, 30, 23, 3, 2, 32, 29, 22,
                                      5, 1, 7, 27, 28, 17, 19, 15, 18, 0};

/* Walks the first 28 source bits, MSB first within each byte, and scatters the
 * set ones into lDst according to bConv[]. */
void PSKconvert(const unsigned char *pSrc)
{
    unsigned char mask, i;
    uint32_t lDst = 0;   /* fixed 32-bit width so the shift by 31 is well defined on any host */
    for (i = 0; i < 28; ) {
        for (mask = 0x80; mask; mask >>= 1) {
            if (*pSrc & mask) {
                if (bConv[i] <= 31)
                    lDst |= (1UL << bConv[i]);   /* unsigned shift: 1L << 31 overflows a 32-bit long */
            }
            if (++i >= 28) break;
        }
        pSrc++;
    }
    bPSK[0] = 0;
    bPSK[1] = lDst;
    bPSK[2] = lDst >> 8;
    bPSK[3] = lDst >> 16;
    bPSK[4] = lDst >> 24;
}
Hi xm,
I haven't found a fix for this yet, but will update if I come across anything.
I have a strange manchester encoded 125kHz card with 105 bits data that I want to clone to a T55x7-card.
105 bits seems kind of mysterious. It seems to have a header of "111111111" just like an EM4102-tag but it can't be that.
Maybe it is only 96 bits because the last bits (97-105) are always "101010101"; maybe they aren't part of the relevant tag data? I don't really know.
Anyways, is it possible to configure the T55x7 for 105 bits, or must I choose 4 whole blocks which gives 128 data bits?
Last edited by urkis (2013-09-09 19:07:16)
You must use whole blocks, but filling the remaining bits with all 0 often works, as the reader will just see it as a gap in the transmission. If you want to post the trace we might be able to shed some more light on it...
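As an added example (not code from this thread or from the Proxmark3 project), the packing the reply describes: a bit string of any length is split into whole 32-bit T55x7 data blocks, with the tail of the last block zero-filled. The 105-bit stream is constructed to match the description above (nine '1' header bits, a payload, the trailing "101010101"); the limit of seven data blocks assumes blocks 1..7 hold data and block 0 is the configuration block.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define T55X7_BLOCK_BITS 32u
#define MAX_DATA_BLOCKS  7u   /* assumption: blocks 1..7 carry data, block 0 is config */

/* Whole 32-bit blocks needed for nbits of tag data (105 bits -> 4 blocks). */
size_t t55x7_blocks_needed(size_t nbits)
{
    return (nbits + T55X7_BLOCK_BITS - 1) / T55X7_BLOCK_BITS;
}

/* Pack an ASCII bit string ('0'/'1', first transmitted bit = MSB of the first
 * block) into 32-bit block values. Unused bits of the last block stay 0, the
 * padding the reply above recommends. Returns blocks written, 0 on bad input. */
size_t t55x7_pack_bits(const char *bits, uint32_t *blocks, size_t max_blocks)
{
    size_t nbits = strlen(bits);
    size_t nblocks = t55x7_blocks_needed(nbits);
    if (nbits == 0 || nblocks > max_blocks)
        return 0;
    memset(blocks, 0, nblocks * sizeof blocks[0]);
    for (size_t i = 0; i < nbits; i++) {
        if (bits[i] == '1')
            blocks[i / T55X7_BLOCK_BITS] |= 1u << (31 - i % T55X7_BLOCK_BITS);
        else if (bits[i] != '0')
            return 0;   /* anything but '0'/'1' is rejected */
    }
    return nblocks;
}

/* Constructed 105-bit stream shaped like the one described above: nine '1'
 * header bits, 87 payload bits (a single '1' then zeros), then "101010101".
 * Fills blocks[] (data block b goes to T55x7 block b+1) and returns the count. */
size_t demo_pack_105(uint32_t blocks[MAX_DATA_BLOCKS])
{
    char bits[106];
    memset(bits, '0', 105);
    memset(bits, '1', 10);               /* 9 header bits + first payload bit */
    memcpy(bits + 96, "101010101", 9);   /* trailer occupies bit positions 96..104 */
    bits[105] = '\0';
    return t55x7_pack_bits(bits, blocks, MAX_DATA_BLOCKS);
}
```

For the constructed stream this yields four blocks, FFC00000 00000000 00000000 AA800000, the last nine bits of the fourth block being the zero padding.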
Hi guys, I am also having some problems writing to what I think is a T5577 card.
As above, the terminal says:
proxmark3> lf hid clone 200459d32d
Cloning tag with ID 200459d32d
proxmark3>
proxmark3> #db# DONE!
It appears that data is in fact being written to the card but a HID reader won't register the card.
If I use the proxmark I get the following:
proxmark3> data samples 16000
Reading 16000 samples
Done!
proxmark3>
proxmark3> data plot
proxmark3>
proxmark3> data detectclock
Auto-detected clock rate: 63
proxmark3>
proxmark3> data mandemod 63
Manchester decoded bitstream
0 0 0 1 1 0 1 0 0 1 0 1 0 0 1 0
1 0 1 0 1 1 0 1 0 1 1 0 1 1 1 1
1 1 0 0 0 0 0 0 0 0 1 1 0 1 0 0
1 1 0 0 0 1 1 0 0 0 1 1 0 1 0 0
0 0 0 0 1 1 0 1 0 0 1 0 1 0 0 1
0 1 0 1 0 1 1 0 1 0 1 0 1 1 1 1
1 1 1 0 0 0 0 0 0 0 0 1 1 0 1 0
0 1 1 0 0 0 1 1 0 0 0 1 0 0 0 1
1 1 1 1 1 0 0 1 0 1 1 0 1 0 1 1
0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 0
0 0 0 0 1 1 1 1 1 1 1 1 0 0 1 0
proxmark3>
Similarly, the trace looks good. I can post a screenshot on request.
The cards I purchased are here: http://www.ebay.com.au/itm/10pcs-RFID-125KHz-Writable-Rewrite-T5567-T5577-thick-card-Proximity-Access-card-/111092216880?pt=Intercoms_Access_Controls&hash=item19dd9cb430
And the description says:
10 pcs RFID 125KHz Writable Rewrite T5557 T5567 T5577 thick card Proximity Access card
Specifications:Chips: T5577.
Frequency: 125KHZ.
Storage: 330bits, 10 blocks.
Reading distance: 0-10 cm or further.
Dimension: 85.88mm*53.98mm*1.96mm.
Packaging: 10 pcs thick T5577 cards
Can anyone shed some light on why a HID reader doesn't recognise these cloned cards?
@nmrn: what happens when the HID reader doesn't register the card? Does it beep? Are you able to use proxmark to read the card back, e.g. lf hid fskdemod?
@nmrn: what happens when the HID reader doesn't register the card? Does it beep? Are you able to use proxmark to read the card back, e.g. lf hid fskdemod?
No, the reader doesn't beep nor does the light come on. There is no wiegand output either. All of these things work with the original HID tag.
The proxmark will not read it using hid fskdemod but if I collect some samples and look at the plot it is obvious there is a card there outputting data (data as shown above). I'm still confused as to what's happening. Does the size of the card (330 bit in the case of the ones I bought) have anything to do with how they need to be written?
Just try a different angle when you are programming your card. The angle, distance to the antenna and orientation are "tricky"...
Just try a different angle when you are programming your card. The angle, distance to the antenna and orientation are "tricky"...
Thanks, this was it. Also my home made antenna wasn't powerful enough even though it can read and emulate cards. When I tried programming with one of the PCB antennas, I found that it was necessary to hold the card perpendicular to the coil when programming.
How do you know that the output from the "data mandemod" command is correct? And why is there no askdemod previously?