Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hello PM forums,
I'm stuck trying to duplicate an unknown LF tag to a T5577 which seems to have a delay at the end of the first block stretching the wave out. So far I've been able to decode the original tag data as being manchester encoded data of 2 blocks
Decoded data was (With an error reading 77, the delay) :
0000000000000000
0000000000000000
0000000000000011
1000000000101011
1010101101017700
0100001101000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0111000000000101
0111010101101017
7000100001101000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000111000000000
This is the closest I've been able to get it :
Block 0 = 00000000000010001000000001000000 = 00088040
Block 1 = 11100000000010101110101011010110 = E00AEAD6
block 2 = 00001000011010000000000000000000 = 08680000
I cannot figure out how to make the final bit between block 1 and 2 to be twice as long though. I've highlighted this part below in red. Any help would be greatly appreciated. The T5577 documention mentions Demodulation Delay but I can't seem to get this feature working.
Original Wave :
Cloned Wave on T5577 :
Simulated Wave from lf sim (Works to open the door) :
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: /-suspect 2015-11-19 10:08:09
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Research the sequence terminator config setting in the ata55x7 chips.
Update : RFID 100% cloned thanks to help above from Marshmellow regarding Sequence Terminators.
The process I took was as follows. The 77 reading in the wasn't actually part of the datastream that had been misread as I though, it was the Sequence Terminator that is placed before block 0 on every sequence (5.11.3 http://www.atmel.com/images/atmel-9187-rfid-ata5577c_datasheet.pdf )
First, perform a 'lf read 10000' or 'lf search' to get the data from your card.
Demodulate it to get out the binary representation from the waveform the card generates. Having inspected the graph of the wave perviously I knew it was using amplitude shift keying modulation, with a clock rate of 32
proxmark3> lf read 10000
#db# LF Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff ff ff ff ff ff ...
proxmark3>
proxmark3> data detectclock a
Auto-detected clock rate: 32, Best Starting Position: 0
proxmark3>
proxmark3> data rawdemod am 32
Using Clock:32, Invert:0, Bits Found:494
# Errors during Demoding (shown as 7 in bit stream): 4
ASK/Manchester - Clock: 32 - Decoded bitstream:
0000000000000000
0001110000000001
0101110101011010
1770001000011010
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000001110000000
0010101110101011
0101770001000011
0100000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000001110000
0000010101110101
0110101770001000
0110100000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000001110
0000000010101110
1010110101770001
0000110100000000
0000000000000000
00000000000000
proxmark3>
The datastream was then as follows when split up by the delimiter 77
0000000000000000000000000000000000000000000000000000000000011100000000010101110101011010177
00010000110100000000000000000000000000000000000000000000000000000000000000000000000000000000000000011100000000010101110101011010177
00010000110100000000000000000000000000000000000000000000000000000000000000000000000000000000000000011100000000010101110101011010177
00010000110100000000000000000000000000000000000000000000000000000000000000000000000000000000000000011100000000010101110101011010177000100001101
0000000000000000
Obviously this is a repeating pattern above. So I split out a single line of it :
00010000110100000000000000000000000000000000000000000000000000000000000000000000000000000000000000011100000000010101110101011010177
This was then broken up into 32 bit chucks so I can write those to the tag in pages. There was a leftover 1 before the 77, so I figured this extra bit was a false bit caused by the sequence terminators being read (the 77 is the sequence terminator). I converted the binary to hexadecimal at http://www.binaryhexconverter.com/binary-to-hex-converter
00010000110100000000000000000000 = block 1 = 10D00000
00000000000000000000000000000000 = block 2 = 00000000
00000000000000000000000000000000 = block 3 = 00000000
00011100000000010101110101011010 = block 4 = 1C015D5A
I updated the config lines for block 0 to run basic mode, Manchester encoding, output pages 1-4 and include the sequence terminator (See page 9 in PDF above)
00000000000010001000000010001000 = block 0 = 00088088
The codes were then written to the T5577 Card, written twice just incase.
lf t55xx write b 0 d 00088088
lf t55xx write b 1 d 10D00000
lf t55xx write b 2 d 00000000
lf t55xx write b 3 d 00000000
lf t55xx write b 4 d 1C015D5A
I then did a 'lf investigate' on the new cloned T5577 card and investigated the plot in the waveform viewer (Opened using 'data plot'). Comparing the cloned waveform with the original in photoshop we have an exact match. Testing the cloned card on the reader and we have a successful read. Boom!
Well done. You have used the tools well.
Out of curiosity, does the tag have a printed number on it and do you know what reader/system it belongs to?
Thanks for the info / follow up.
On the company website, there is a downloadable excel sheet, how to convert between Company printed number and Wiegand.
SiteCode http://pastebin.com/DSX9YsYk
UserCode http://pastebin.com/1MrEbMdm
Someone who likes excel formulas can give it a go..
I can now calc Presco printed number into wiegand,
Almost done with a presco clone command too..
pm3 --> lf pres re
Number: 123456789 --> Sitecode 30 | usercode 8665 <-- looking for.
Calc: SiteCode 30 | UserCode 8665
Now I'm missing wiegand to raw data... Like adding the parity bits.
Been thinking if there is a presco demod needed too, looking at your blocks that you used to clone, the 0x10D in block 1, looks like a start pattern.
Last edited by iceman (2016-02-13 21:00:06)
unfortunately without a printed number and/or the readout directly from the reader/access control system, it will be difficult to know for sure how the raw data translates to the sitecode/usercode information.
however, I have a theory.
the spreadsheet formulas appear to just convert a number to base 10 from base 12.
do that to base 16 and you possibly have the raw data (excluding the preamble and leading zeros)
123456789 --> 1E8021D9 which is remarkably similar to 1C015D5A...
coincidence? cannot be sure without more data.
Says what?
Who says the raw data should have parities.
1E = sc:30
21D9 = uc:8665
80 = ?
The 1E8021D9 is what you get converting the number from their calc to hex. (Without the division or modulation operations which breaks down their calc to the different parts)
Not always. Readers can spit out wiegand from a mifare uid... And some wiegand formats don't have parities.
Now the 80 might be a checksum, but we don't have enough info. And I kinda doubt it...
He said earlier that there were no printed numbers on his tag. And his demod is accurate, not sure what more a trace will tell.
if maybe we get lucky with the printed number, so we can see the raw data vs the outcome from the presco-num -> sc and uc.
if not, well, a trace from more the one tag is always nice to have. Just to see some bytes is repeating.
agreed, a Printed ID or additional tags would be helpful in figuring out the data format.
I have tags/cards somewhere but I couldn't find them among all of the other tag types I have in storage.
I also have NIDAC / Presco readers that I have disassembled...
Plastics (front / back)
Plastics (inside front / back)
PCB top layer
PCB bottom layer
Any hints on what physical form factor the cards are? I think they were a clam shell type from memory.
looks like mainly clamshells and keyfobs: http://www.presco.com.au/#!presco-access-cards/c1q3
I have a LF ASK Sequence terminator detection routine i'm now testing in my fork. so far it seems to work in my limited testing.
the routine attempts to auto detect the clock by measuring the shortest low to low wave, then attempts to detect the ST for that clock. if it finds two ST's it will drop all samples prior to and including the first ST - and then loop through and remove the rest of the ST's in the trace. it then can be demodulated with the standard ASK routine, with the benefit that the demoded data should start with the first bit after the ST.
this detection will likely only work on good strong reads with a strong antenna.
in my fork - `lf search u` will take advantage of the new routine. or you can run `data rawdemod am s`
also I started adding it to the lf t5xx detect - so it might work there as well...
it will need a bit more testing before it goes into the main GitHub repo however.
Last edited by marshmellow (2016-02-16 20:12:00)
the datasheet suggests that only ask and fsk. (my detection routine is only good for ASK currently...)
actually detecting it on FSK should be very easy no field for a full clock cycle would be hard to miss on fsk.... but I've never seen one, so i'm not sure if it is worth the code.