Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hello all and thank you in advance for your help. I need help cloning 3 125khz cards from the manufacturer Paradox.
I have the traces of 3 cards available here:
http://yourfilelink.com/get.php?fid=957619
The numbers on each card are in the filename for each trace.
Paradox--96:40426-APJN08.pm3
Paradox--108:01827-APOC11.pm3
Paradox--112:10262-APOC13.pm3
There was someone else who working with a paradox card on the forum here:
http://www.proxmark.org/forum/viewtopic.php?id=1844
What steps are necessary to decode / clone these suckers?
Thanks!
as discussed in http://www.proxmark.org/forum/viewtopic.php?id=1844 the proxmark's current programming can't decode the bitstream directly without code changes. but it can plot the wave and you can manually decode the fsk waveform (apply a 50 x grid over it and line it up). once you get a bit stream you can then program a ATA55xx chip card to match.
as far as your bitstreams, because you uploaded a trace I will decode 2 of the 3 for you:
108_01827:
Raw FSK Demod:
00001111010101010101010101010110100110100101 01010101011010100101100101011010 10101010101001011010
Manchester demod:
0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 0 0 0 0 0 0 0 1 1 1 0 0 1 0 0 0 1 1 1 1 1 1 1 1 0 0 1 1
Bit Interpretation:
FC 108 Card 01827 Checksum/Parity?
96_40426:
00001111010101010101010101010110100101010101 10010110101001101010100110011001 10011010010110011010
0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 1 0 0 1 1 1 0 1 1 1 1 0 1 0 1 0 1 0 1 1 0 0 1 0 1 1
96 40426
the 00001111 appears to be the prefix or start of data (instead of HID's 00011101)
to clone, take hex of raw FSK Demod and program a ATA55xx blocks 1-3 and program the configuration block the same as an HID standard card (refer to other topics for details on these)
Last edited by marshmellow (2014-08-26 02:12:55)
Thanks for your help!
So can you tell me where I am going wrong?
I cant get it to output the manchester decoding.
Here are the commands I have used:
lf read
data samples 16000
data fskdemod
data grid 50 0
data hpf
data threshold 0
At this point my plot has gone from analog to digital between -1 and 1 with a grid. How do I output the raw fsk?
Also, when I try to "data mandemod" or "data mandemod 50" the data I get: dozens of "Warning: Manchester decode error for pulse width detection. (too many of those messages mean either the stream is not Manchester encoded or the closk is wrong). What am I missing Marshmellow?
the proxmark's current programming can't decode the bitstream directly without code changes. but it can plot the wave and you can manually decode the fsk waveform (apply a 50 x grid over it and line it up).
by manually decode I meant look at the wave plot and MANUALLY decode it by hand. then manually decode the Manchester data. or if you are good at coding, you could look to adjust the fskdemod to work properly.
So:
lf read
data samples 16000
data plot
data grid 50 0
then left and right arrows (or trim grid) to line up the grid to your waveform.
Last edited by marshmellow (2014-08-18 20:58:52)
Last edited by marshmellow (2014-08-18 21:27:07)
I am a total newbie. Is there a set of commands or script to clone Paradox FOBs automatically? I don't understand enough to decode manually! Or, is there another system (other than Proxmark 3) that would do it automatically? I have used ProxClone to easily clone HID FOBs, but Paradox are not possible with it... Any recommendation appreciated! Thanks!
The new fskrawdemod can demod these but you will need to learn a bit to clone. But all the info is on the forum
Actually, in my github fork there is a auto demod command for this and other FSK tags.. I'm still working on others so I haven't pushed it to the main... The output from the demod could be used to write a copy. If you have a lot to copy I suggest you learn some code.
The new "data fskparadoxdemod" can demod these. Cloning is an extra few steps.
The new "data fskparadoxdemod" can demod these. Cloning is an extra few steps.
I received my Proxmark3 a week ago and flashed it to CDC and the latest version I found for windows (756).
I cloned a few HID and Indala.
To try reading and cloning, if I am lucky, a Paradox I would love to use the fskparadoxdemod command.
Where can I get the proper patch file and where can I find instructions on how to patch the file into the version I have (Windows 7)? I Googled it but could not find the answer...
Also, probably another stupid question: to stop reading I can press the Proxmark3 button. Is there a keyboard shortcut in the GUI that would do the same thing (like Ctrl Break or ESC...), I did not see anything like that in the doc I read...
Thanks for your time!
You need the github code, or aspers compiled windows client files.
There is no keyboard key that mimics the proxmark button
Well I guess I did something wrong
I downloaded Asper's 0.0.7 and flashed the full FPGA then the OS. Both flashes went smoothly and indicated they succeeded. However the Proxmark is now stuck with both yellow and red light s lit! Unplugging and waiting a while did not change anything. I tried re-flashing both and it succeeded again but did not fix the problem... I did not touch the bootrom.
Even though I did not flash the bootrom, do I need to flash it with the bootrom included in 0.0.7? I thought the bootrom rarely needed to be changed... I don't want to risk screwing the Proxmark more than it is as I don't have a JTAG...
Any suggestion on what I can do ? Thanks!
Last edited by Earman (2015-02-12 05:23:27)
Should have flashed the bootrom first. Might still be able to
Last edited by marshmellow (2015-02-12 05:20:35)
Just flashed bootrom and everything OK now. A HUGE thanks for your help! I thought of trying it but was afraid to make it worse... Can you confirm that bootrom must be flashed first for each revision? Thanks.
From the old 756 to the new code the bootrom has changed. It doesn't change often but 756 is hundreds of commits behind.
It isn't usually changed often, but shouldn't hurt to flash it when in doubt. If you keep up with github it is mentioned in an update if a bootrom change happened.
OK. Thanks! I just tried the fskparadoxdemod which is in bin 0.0.7 GUI but it does not seem to work. I only get the Help list (like if the command is not recognized). It may not be the latest version for that parameter...
data fskparadox
Should work
Is it in the data menu?
Hmmm. I thought I had that in before 0.0.7 was made... I'll check tomorrow, when I'm at my pc
Are you using the GUI or the command line?
It appears the GUI has some issues with the settings.xml file. At the top of the GUI window it should let you type a command in. Try typing just data and look through the list of commands. It should be there. I hope to get some time tomorrow to go through the settings.xml file to see what other errors exist
I put the paradox demod under LF -> TAGs (I would like to separate specific cards/tags commands form generic commands and in the GUI I can do that ).
Anyway the command is "lf data fskparadoxdemod" (it can be not working in the 0.0.7, maybe I forgot to add "data" between lf and fskparadoxdemod).
I hope to get some time tomorrow to go through the settings.xml file to see what other errors exist
Great ! Please use this file to test, it is my latest with new lf and hf additions (this file is not fully compatible with 0.0.7 because some stuff was not yet implemented in that version). It only misses the very latest lf modifications (I updated it almost 2-3 days ago).
Last edited by asper (2015-02-12 10:05:18)
I'm going to post a few changes needed to the settings.xml file in this post: http://www.proxmark.org/forum/viewtopic.php?id=2260
I'm going to post a few changes needed to the settings.xml file in this post: http://www.proxmark.org/forum/viewtopic.php?id=2260
Thanks for your work! Does the paradox command work on your Proxmark3? On mine the command is not recognized even when I use the proper command "lf data fskparadoxdemod" directly in line command mode... so I am wondering if it's not only the XML file which has some errors but the flashed code also as it does not recognize the command, at least with the 0.0.7 version I flashed. I am assuming that the flashed ode must match the commands set... The other commands I tries (HID and INDALA) work fine.
lf data fskparadoxdemod is not the proper command.
It should be as iceman said
data fskparadoxdemod
But you need to do either an lf search or lf read - data samples first
I applied all your corrections to the xml settings file... (should I upload the updated file?) and the tags Paradox command is now recognized. However, it does not start reading the paradox fob I tried. It just shows: proxmark3> data fskparadoxdemod and stops.
Did you try a lf search?
Congrats
So, why is it not starting reading with the fskparadoxdemod command if it recognizes it as a proper Paradox? Anything I should do differently?
Last edited by Earman (2015-02-12 20:10:50)
The "data" demod commands require (as we've said) two other commands to be sent before using them
lf read
data samples
Or else a data load... To load from a saved trace.
Without one of those there is no data to demod.
If you got the lf search to demod it why are you still trying to demod it again?
Carl's post should give you an idea if you have an ata5577 http://www.proxmark.org/forum/viewtopic … 9379#p9379
Just have to split the 96 bit or 12 digit id over blocks 1-3