Proxmark3 community

app_o1

Contributor

Registered: 2013-06-22

Posts: 247

Help for decoding a 125 KHz PSK trace.

Here I come again with another trace that I am trying to decode.

The only marking on the card is "702 065 " - I don't have another example so I don't know which one of these numbers is the card number....

http://speedy.sh/T5ZHR/702-065-.pm3

I think I managed to isolate the repetitive data :

I tried to decode as follow :
High or medium bars = 1
Low bars = 0

I obtain :

0000 0000 0001 0001 0000 0000 0001 0000 0000 0001 0001 0000 0001 0001 0000 0001 0001 0001 0001 0000 0000 0001 0001 0000 0000 0001 0001 0001 0001 0000 0001 0001 0001 0000 0001 0000 0001 0000 0001 0001 0000 0000 0001 0000 0000 0001 0000 0001 0001 0001 0000 0000 0001 0000 0001 0001

-> 1100100110110111100110011111100110111
Which doesn't make any sense to me (yet)... I am probably doing it all wrong. But it seems to be somehow coherent...

Any help would be appreciated !

Last edited by app_o1 (2015-06-06 10:12:49)

app_o1

Contributor

Registered: 2013-06-22

Posts: 247

Re: Help for decoding a 125 KHz PSK trace.

I found this on the manufacturer website  :

It looks very similar to the 26-bit AWID Data format.

So I am guessing my way of decoding is wrong...

app_o1

Contributor

Registered: 2013-06-22

Posts: 247

Re: Help for decoding a 125 KHz PSK trace.

And then, I realized that if I do a "data dec" and invert the trace, it looks more like what a FSK transmission.
And it that case, I am getting
0000010001110110110101110111010101110110100110010001110010111001
Which is not looking better...

app_o1

Contributor

Registered: 2013-06-22

Posts: 247

Re: Help for decoding a 125 KHz PSK trace.

I wrote the result to block 1 and 2 of a T55x7...
block 0 = 0x0010
block 1 = 0x0476
block 2 = 0x7699

The result looks similar... (looks like I have only the envelope in the first screenshot) I am trying stuff... Not sure where I am going with this. Not sure what to try next...

Last edited by app_o1 (2015-06-06 10:13:09)

Sentinel

Contributor

Registered: 2012-11-26

Posts: 191

Re: Help for decoding a 125 KHz PSK trace.

I know Motorola rearranges the bits randomly

Sentinel

Contributor

Registered: 2012-11-26

Posts: 191

Re: Help for decoding a 125 KHz PSK trace.

I used a reader ASR-503 (Motorola) 37 bit
P1 0 0 0 X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 0 0 0 0 0 0 Y1 Y2 Y3 Y4 Y5 Y6 Y7 Y8 Y9 Y10 Y11 Y12 Y13 Y14 Y15 Y16 P2
that's what patterns discovered. Bits are mixed according to the table
2  X2   
3  Y8   
4  X10   
5  Y16   
6  Y15   
7  Y4   
8  X4   
9  Y9   
10 Y14   
11 Y3   
12 Y10   
13 Y1   
14 X5   
15 X6   
16 P2   
17 Y11   
18 Y2   
19 X3   
20 X7   
21 X1   
22 Y13   
23 Y12   
24 Y7   
25 Y5   
26 X9   
27 Y6   
28 X8

app_o1

Contributor

Registered: 2013-06-22

Posts: 247

Re: Help for decoding a 125 KHz PSK trace.

How is this related to my case ?
It is definitely not an Indala card.

Does the last screenshot I posted look like a trace from an Indala card  ?
I just wrote the result of this decoding : 0000010001110110110101110111010101110110100110010001110010111001
to a T55x7 using "0x00107060" for block 0. I don't think it has anything to do with the original trace... I am just out of idea...

app_o1

Contributor

Registered: 2013-06-22

Posts: 247

Re: Help for decoding a 125 KHz PSK trace.

I am still struggling with this one...
I figured out that the last digits printed on the card are the card number. (in this case : 55881)
And, I am assuming that the previous digits printed on the card is the facility code. (065)

If,
Fac = 065 = 0x0041 = 0100 0001
Card No = 55881 = 0xDA49 = 1101 1010 0100 1001,
then it should give :

0 01000001 1101101001001001 0

Is it correct ?
Does anybody see this sequence of bits on the trace I uploaded ?
Because I am not...

I also tried to add odd or even parity bits to every 4 bits but it is not looking better...
And also, when looking at the trace, I am seeing 64 bits not just 26...

Last edited by app_o1 (2014-02-05 12:18:16)

adam@algroup.co.uk

Contributor

From: UK

Registered: 2009-05-01

Posts: 203

Website

Re: Help for decoding a 125 KHz PSK trace.

If it really is PSK (and from the original trace it looks like it is)  you should decode it like this:

Load the data into proxmark plot screen and find a trace that has the smallest gap between a high spike and a low spike. left-click your mouse to drop the yellow bar on the high spike, and then right click on the low one to drop the purple bar. Now look at the value 'dt' in the data on the bottom of the graph. It should be a nice even number like 16 or 32 or 64 etc. Now go back to the proxmark screen and type 'data grid 32' (using whatever the dt value was).

What you have just done is measured the smallest phase shift, which should be a single bit (in most cases). Now you can use that measurement to read the data:

Align the grid so the spikes are all neatly intersected by a grey grid line, then starting from the left with a 0, every grid line represents a bit. if there is a spike (either high or low, doesn't matter), change the bit value. if there is no spike, keep the same value.

i.e. if you have 3 grid lines, spike, two grid lines, spike, 5 grid lines, spike... , that is '00011000001...'

I hope that makes sense!

BTW, your file link has expired so I couldn't take a look myself.

Last edited by adam@algroup.co.uk (2013-09-17 09:58:27)

app_o1

Contributor

Registered: 2013-06-22

Posts: 247

Re: Help for decoding a 125 KHz PSK trace.

Thanks a lot for helping me ! I was actually following the few tips from your blog for decoding.
"data grid 32" seems to fit.

I got myself some more cards. (different Facility Code than the previous one) and card numbers are n+1 ! So it makes it much easier to analyze.

Cards are marked as follow :
801 023 03747
801 023 03746
801 023 03745

I assume, 053 is the FAC (because it has to be between 0 and 255). 0374X is the card number.

Here are the traces of each of these bad boys :
http://speedy.sh/Rz6U/45.pm3
http://speedy.sh/Sfmg/46.pm3
http://speedy.sh/C7fj/47.pm3

Click on the file name to download. No need to use their download manager...

Here, I aligned all 3 traces for easy comparison.

The blue box somehow seems to be representing 0x0 and the red 0x1 (based on the last digit of the card number 5, 6 and 7)

It looks like there are 64 bits.

Last edited by app_o1 (2015-01-27 09:37:33)

Sentinel

Contributor

Registered: 2012-11-26

Posts: 191

Re: Help for decoding a 125 KHz PSK trace.

[01001000010000010101001001010100]  11001011100101000001001000101100  45.pm3
[01001000010000010101001001010100]  00101100101000100011001100011111  46.pm3
[01001000010000010101001001010100]  00101011110111110001010011010010  47.pm3

numbers printed on the cards differ by 1 bit and route vary greatly from each other
however, there is a constant part of 32 bits. Accident?

app_o1

Contributor

Registered: 2013-06-22

Posts: 247

Re: Help for decoding a 125 KHz PSK trace.

What do you think of this = 45 :

It looks promising !

Although, my antenna is in really bad shape... Programming and reading might not be the best.
I need to make a new antenna.

The trace is here : http://www.sendspace.com/file/x6i5lo

Last edited by app_o1 (2014-02-05 07:45:13)

Sentinel

Contributor

Registered: 2012-11-26

Posts: 191

Re: Help for decoding a 125 KHz PSK trace.