Hello guys,
I'm trying to get info on this little guy but I'm stuck!
Prox/RFID mark3 RFID instrument
bootrom: master/v2.2.0-566-g8614a5a-suspect 2017-07-18 08:43:28
os: master/v3.0.1-71-g5c814c3-suspect 2017-08-23 12:09:33
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 195644 bytes (37%). Free: 328644 bytes (63%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 44.41 V @ 125.00 kHz
# LF antenna: 19.80 V @ 134.00 kHz
# LF optimal: 45.51 V @ 123.71 kHz
# HF antenna: 30.52 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
With it on LF, some power is drained.
Measuring antenna characteristics, please wait.........
# LF antenna: 42.35 V @ 125.00 kHz
# LF antenna: 19.94 V @ 134.00 kHz
# LF optimal: 43.86 V @ 123.71 kHz
# HF antenna: 30.49 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3> lf read
#db# LF Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 4e 33 1f 13 0b 06 47 76 ...
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
lf search doesn't show anything and I have tried every lf standard without success...
Any ideas?
Last edited by yugnat (2017-08-25 10:35:58)
proxmark3> data raw p1
Using Clock:16, invert:0, Bits Found:2498
PSK1 demoded bitstream:
0000000000000001
0011111111110101
1110001101000000
1111110111110111
0111101000000111
0000000000000000
0111111111111111
1000111111111101
0111100011010000
0011111101111101
1101111010000001
1100000000000000
0001111111111111
1110001111111111
0101111000110100
0000111111011111
0111011110100000
0111000000000000
0000011111111111
1111100011111111
1101011110001101
0000001111110111
1101110111101000
0001110000000000
0000000111111111
1111111000111111
1111010111100011
0100000011111101
1111011101111010
0000011100000000
0000000001111111
1111111110001111
proxmark3> data raw fs
Using Clock:32, invert:0, fchigh:12, fclow:8
FSK?? decoded bitstream:
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
1101111011111111
1111111110111101
0111010111111111
proxmark3> data raw nr
Tried NRZ Demod using Clock: 8 - invert: 0 - Bits Found: 4990
NRZ demoded bitstream:
0000000000000000
0000000000000000
1000001110000000
0000000000111010
0110000010000011
1101100101000000
0001000000000011
1000000000111000
0011100000001100
1000000000000100
0010100000000000
0000000000000000
0000100000000000
0000000000000000
0000100000111000
0000000000000011
1010011000001000
0011110110010100
0000000100000000
0011100000000011
1000001110000000
1100100000000000
0100001010000000
0000000000000000
0000000010000000
0000000000000000
0000000010000011
1000000000000000
0011101001100000
1000001111011001
0100000000010000
0000001110000000
And the pm3 file: https://www.sendspace.com/file/yix88d
Last edited by yugnat (2017-08-25 13:01:24)
that is a nasty one...
proxmark3> data askedge 28
proxmark3> data rawd am s 8
Found Sequence Terminator - First one is shown by orange and blue graph markers
Using Clock:8, Invert:0, Bits Found:513
ASK/Manchester - Clock: 8 - Decoded bitstream:
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0000111000000000
1110000011100000
0011001000000000
0001000010100000
0000000000000000
0000000000100000
0000000000000000
0000000000100000
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0000111000000000
1110000011100000
0011001000000000
0001000010100000
0000000000000000
0000000000100000
0000000000000000
0000000000100000
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0000111000000000
1110000011100000
0011001000000000
0001000010100000
Note: for some reason this combo makes the graph overlay incorrect... a bug I will look into...
Any numbers on the tag, or do you know what system it goes to?
I can't demod it with Manchester clk 8, but the NRZ works well.
pm3 --> da ra nr
DEBUG: (NRZrawDemod) Tried NRZ Demod using Clock: 8 - invert: 0 - Bits Found: 4990
DBEUG: (setClockGrid) demodoffset 0, clk 8
NRZ demoded bitstream:
0000000000000000
0000000000000000
1000001110000000
0000000000111010
0110000010000011
1101100101000000
0001000000000011
1000000000111000
0011100000001100
1000000000000100
0010100000000000
0000000000000000
0000100000000000
0000000000000000
0000100000111000
0000000000000011
1010011000001000
0011110110010100
0000000100000000
0011100000000011
1000001110000000
1100100000000000
0100001010000000
0000000000000000
0000000010000000
0000000000000000
0000000010000011
1000000000000000
0011101001100000
1000001111011001
01
pm3 --> da print x
DemodBuffer: 000000008380003A6083D94010038038380C8004280000000800000008380003A6083D94010038038380C8004280000000800000008380003A608
3D940100380
Just be aware the nr demod wouldn't have pulled out the ST.
proxmark3> data printd x
DemodBuffer: 0000E9820F6500400E00E0E0320010A00000002000000020
0000E9820F6500400E00E0E0320010A00000002000000020
0000E9820F6500400E00E0E0320010A0
are your 6 blocks of data on the tag.
Why don't I have the same output from data print x?
proxmark3> data print x
DemodBuffer: 0000000107000074C107B28020070070701900085000000010000000107000074C107B28020070070701900085000000010000000107000064C107B280200700
@iceman, the sequence terminator determines the proper start position. I haven't gone through and manually demoded the entire string yet, but what I did was correct.
Just left for you to test a t55x7 card to see if this works. The shape of your green tag looks like a card will not work, but hey, you can at least test it.
block 0, 6 blocks, stt, man == 000080C8
lf t55 write b 1 d 0000E982
lf t55 write b 2 d 0F650040
lf t55 write b 3 d 0E00E0E0
lf t55 write b 4 d 320010A0
lf t55 write b 5 d 00000020
lf t55 write b 6 d 00000020
lf t55 write b 0 d 000080C8
Also, I'm curious if the coffee machine changes the data when used.
Ok, I have just written a T55 and the demod values are not the same!
Did you end up with 7's or did it NOT say that the Sequence Terminator was found?
The data askedge value (28) may not apply for every read. The number may need to be adjusted to get the proper read. (Use the slider on the graph overlay to see what the numbers do.)
Hi guys,
First, thank you again for spending time with me on this little guy!
I have tried my t55XX against the reader but no luck!
I have filled my green tag with 0.9€ so I have 1€ on the coffee machine and 1.04€ on the Snickers machine.
The data are now different:
https://www.sendspace.com/file/kvk4mj
proxmark3> data askedge 28
proxmark3> data rawd am s 8
Found Sequence Terminator - First one is shown by orange and blue graph markers
Using Clock:8, Invert:0, Bits Found:513
ASK/Manchester - Clock: 8 - Decoded bitstream:
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0110100000000000
1110000011100000
0101111000000000
1011000010100000
0000000000000000
0000000000100000
0000000000000000
0000000000100000
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0110100000000000
1110000011100000
0101111000000000
1011000010100000
0000000000000000
0000000000100000
0000000000000000
0000000000100000
0000000000000000
1110100110000010
0000111101100101
0000000001000000
0110100000000000
1110000011100000
0101111000000000
1011000010100000
But as I am not a pro in data demod I can't say what happened...
I can't demod it with Manchester clk 8, but the NRZ works well.
I'm liking PSK1 better. Once cleaned up a bit, the 2 dumps the OP posted result in:
1: 00000000000000001111111111111111000111111111101011110001101000000111111011111011101111010000001110
2: 00000000000000001111111111111111000101111111101010001110101011111000010111111011101110110000010110
However, looking at the plot for the 2nd dump the data looks questionable, though it does decode reasonably. As the OP has made multiple purchases and reloads it doesn't make a very good A/B comparison.
(Random ramblings: My questions about the system: Does the card store the balance remaining or total loaded + total purchases and makes the machine subtract them to get the remaining balance? Or perhaps both? That could explain the 0.04 difference between the 2 machines. Big endian or little? Scrambled data or clear? Any CRC or parity? As for the machines, do they write the balance back to the card before vending, and if so do they reject the vend if it's unable to? That may make it tricky to clone if it uses a non-standard command set)
The reader is a hole and I don't think a card will work with it!
A round sticker tag on a wooden or plastic rod would probably work better.
Can you post more dumps?
1) Dump the card as it currently is
2) Make 1 (and only 1!) purchase or refill
3) Dump it again
It is definitely Manchester with a sequence terminator.
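As an added example (not code from the thread or from the Proxmark3 project), here is how the 6-block split marshmellow showed above and the before/after comparison asked for in this last post can be done offline: the first 24 rows of each ASK/Manchester dump the OP posted are packed into 32-bit words, the repeat length of the stream is measured, and the blocks that differ between the two dumps are reported. The bit strings are copied from the dumps above; the function names are my own.

```python
from __future__ import annotations

# Constructed input: the first 24 rows (two full repeats) of the two
# ASK/Manchester dumps posted in this thread, joined into 0/1 strings.
DUMP1 = "".join([
    "0000000000000000", "1110100110000010", "0000111101100101", "0000000001000000",
    "0000111000000000", "1110000011100000", "0011001000000000", "0001000010100000",
    "0000000000000000", "0000000000100000", "0000000000000000", "0000000000100000",
    "0000000000000000", "1110100110000010", "0000111101100101", "0000000001000000",
    "0000111000000000", "1110000011100000", "0011001000000000", "0001000010100000",
    "0000000000000000", "0000000000100000", "0000000000000000", "0000000000100000",
])
# Second dump, taken after the tag was reloaded and used on both machines.
DUMP2 = "".join([
    "0000000000000000", "1110100110000010", "0000111101100101", "0000000001000000",
    "0110100000000000", "1110000011100000", "0101111000000000", "1011000010100000",
    "0000000000000000", "0000000000100000", "0000000000000000", "0000000000100000",
    "0000000000000000", "1110100110000010", "0000111101100101", "0000000001000000",
    "0110100000000000", "1110000011100000", "0101111000000000", "1011000010100000",
    "0000000000000000", "0000000000100000", "0000000000000000", "0000000000100000",
])

def pack_blocks(bits: str, width: int = 32) -> list[str]:
    """Group a 0/1 string into width-bit words and render each as upper-case hex."""
    assert len(bits) % width == 0, "bitstream is not a whole number of blocks"
    return [f"{int(bits[i:i + width], 2):0{width // 4}X}"
            for i in range(0, len(bits), width)]

def repeat_period(bits: str, step: int = 32) -> int | None:
    """Smallest period (a multiple of `step` bits) at which the stream repeats."""
    for p in range(step, len(bits) // 2 + 1, step):
        if all(bits[i] == bits[i + p] for i in range(len(bits) - p)):
            return p
    return None

def diff_blocks(before: str, after: str) -> dict[int, tuple[str, str]]:
    """Map 1-based block number -> (old, new) for every block that changed."""
    pairs = zip(pack_blocks(before), pack_blocks(after))
    return {n: (x, y) for n, (x, y) in enumerate(pairs, 1) if x != y}

if __name__ == "__main__":
    period = repeat_period(DUMP1)          # 192 bits, i.e. 6 blocks of 32
    print("repeat length:", period, "bits =", period // 32, "blocks")
    print("blocks:", pack_blocks(DUMP1[:period]))
    print("changed between dumps:", diff_blocks(DUMP1[:period], DUMP2[:period]))
```

Only blocks 3 and 4 differ between the two reads, which is why the single-purchase dumps requested above are needed to tell which of those changes is the balance and which is something else.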