Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#1 2021-03-03 00:36:23

re4per24
Contributor
Registered: 2021-02-04
Posts: 3

writing a 37 bit fob from only data

Hi, I'm somewhat new to this, I have a proxmark3 RDV2 and also the RDV4... obviously I use the RDV4 more.
I have an ESP-Key, from redteamtools.com, and have extracted this data from a read, but do not know how to write the fob from only raw data... I get one 37 bit card info and all the other cards are 36 bit... the reader is a KeyScan reader.. Can anybody help me write one of the two fobs properly so it will work ??

the raw data goes as follows:

Raw: f08a52316
Length: 36 bit
Binary: 111100001000101001010010001100010110


and this is the 37 bit card:

Raw: 1708a2623d
Facility: 14405
UserID: 78110
Length: 37 bit
Binary: 1 011100001000101 00010011000100011110 1

I am assuming this is a low frequency card as it is from an HID KeyScan system

Offline

#2 2021-03-04 03:17:52

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: writing a 37 bit fob from only data

It has been a while since I generated a Keyscan card so I hope this is correct ...

Every Keyscan card that I have seen is 36-bit. I have never encountered a 37-bit Keyscan credential.
The 36-bit Keyscan format breaks down like this:

Bit 1 = Even Parity
Bits 2-11 : Fixed Field=900 (0x384) - This field defines it as a Keyscan credential.
Bits 12-19 : 8-bit Facility Code
Bits 20-35 : 16-bit Card Number/UserID
Bit 36 : Odd Parity

So your card = 1  1110000100  01010001  1001000110001011  0
This equates to a facility code of 82 (0x51) and a card number of 37259 (0x918b)

The above binary stream must then be Manchester encoded before being written to a T55x7 fob or card. The proper encoding information and HID start sentinel must also precede the Manchester encoded data.
All of this information would require a T55x7 credential to be programmed as follows:

Block 0 = 0x00107060 (This block has the proper encoding settings for a HID/Keyscan card)
Block 1 = 0x1D5555AA (0x1D55 is the HID start sentinel and 0xAA is the start of your raw manchester encoded data stream)
Block 2 = 0x55959966
Block 3 = 0x595A5669
Block 4 = 0x00000000
Block 5 = 0x00000000
Block 6 = 0x00000000
Block 7 = 0x00000000

Offline

#3 2021-03-04 09:43:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: writing a 37 bit fob from only data

... edit...  if I use the right values, it matches.

[usb] pm3 --> lf hid clone -w C15001 --fc 82 --cn 37259 --oem 900
...

[usb] pm3 --> lf hid reader
[+] [C15001] - HID KeyScan 36-bit;  FC: 82  CN: 37259  OEM: 900    parity: valid  
[=] raw: 000000000000003f08a52316
[usb] pm3 --> lf t55 detect                                           
...
[usb] pm3 --> lf t55 du                                                           
[+] Reading Page 0:                                                               
[+] blk | hex data | binary                           | ascii                     
[+] ----+----------+----------------------------------+-------                    
[+]  00 | 00107060 | 00000000000100000111000001100000 | ..p`                      
[+]  01 | 1D555AAA | 00011101010101010101101010101010 | .UZ.    
[+]  02 | 55959966 | 01010101100101011001100101100110 | U..f    
[+]  03 | 595A5669 | 01011001010110100101011001101001 | YZVi          
[+]  04 | 00000000 | 00000000000000000000000000000000 | ....                      
....

Offline

#4 2021-03-04 22:53:59

re4per24
Contributor
Registered: 2021-02-04
Posts: 3

Re: writing a 37 bit fob from only data

Thank you for your help. I will try this info and let you know if it works or not. It is very confusing to see my ESP-key put out a 37 bit and then 36 bit from the same system..
Here's a few more cards from the same ESP-Key:

Raw  = 709c5cefd
Length = 36 bit
Binary = 011100001001110001011100111011111101


Raw = f09443c67
Length = 36 bit
Binary = 111100001001010001000011110001100111

Raw = 709c5cdd0

Raw = 7089da4fb

etc..

So do they all equal the same facility code of 82 ?? or does the facility code even matter in this case??

Offline

#5 2021-03-05 16:32:53

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: writing a 37 bit fob from only data

Here is the breakdown for the four credentials you listed above.
The raw data is really the important part. The facility code is only important if whatever software tool you are using is able to take advantage of it.

Raw  = 709c5cefd
Length = 36 bit
Binary = 0 1110000100 11100010 1110 0111 0111 1110 1  F=226 CN=59262


Raw = f09443c67
Length = 36 bit
Binary = 1 1110000100 10100010 0001 1110 0011 0011 1  F=162 CN=7731

Raw = 709c5cdd0
Length = 36 bit
Binary = 1 1110000100 11100010 1110 0110 1110 1000 0  F=226 CN=59112


Raw = 7089da4fb
Length = 36 bit
Binary = 1 1110000100 01001110 1101 0010 0111 1101 1  F=78 CN=53885

Offline

#6 2021-03-05 20:47:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: writing a 37 bit fob from only data

Sounds like someone is walking around with a weaponized reader....

Offline

#7 2021-03-17 20:57:52

blogfish
Contributor
Registered: 2013-06-05
Posts: 17

Re: writing a 37 bit fob from only data

Hey Carl. Over which bits are the parity bits calculated?

Offline

#8 2021-03-18 15:51:04

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: writing a 37 bit fob from only data

If you label the Wiegand code bits from 1 to 36, with bit 1 being the rightmost (lsb) bit and bit 36 being the leftmost (msb) bit, then:
Bit 36 = Even Parity for bits 19-35.
Bit 1 = Odd Parity for bits 2-18.

Offline
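The 36-bit field layout from post #2 and the parity coverage from post #8, combined into a decoder for the 9-hex-digit raw values quoted in this thread. This is an added example, not part of any poster's message or of the Proxmark3 code base; the names `Keyscan36` and `decode_keyscan36` are hypothetical.

```python
from dataclasses import dataclass

KEYSCAN_OEM = 900  # fixed field value (0x384) given in post #2


@dataclass
class Keyscan36:
    oem: int
    facility: int
    card_number: int
    even_parity_ok: bool  # leftmost bit, covers the 17 bits after it
    odd_parity_ok: bool   # rightmost bit, covers the 17 bits before it

    @property
    def valid(self) -> bool:
        return (self.oem == KEYSCAN_OEM
                and self.even_parity_ok and self.odd_parity_ok)


def decode_keyscan36(raw_hex: str) -> Keyscan36:
    """Decode a 36-bit raw value such as 'f08a52316'."""
    value = int(raw_hex, 16)
    if value >> 36:
        raise ValueError("more than 36 bits; not this format")
    # bits[0] is the leftmost bit (bit 1 in post #2, bit 36 in post #8).
    bits = [(value >> (35 - i)) & 1 for i in range(36)]

    def field(first: int, last: int) -> int:
        # first/last are 1-based, left-to-right, inclusive (post #2 numbering)
        out = 0
        for b in bits[first - 1:last]:
            out = (out << 1) | b
        return out

    return Keyscan36(
        oem=field(2, 11),
        facility=field(12, 19),
        card_number=field(20, 35),
        even_parity_ok=sum(bits[0:18]) % 2 == 0,   # parity bit + 17 data bits
        odd_parity_ok=sum(bits[18:36]) % 2 == 1,   # 17 data bits + parity bit
    )


if __name__ == "__main__":
    # Raw values quoted in the thread; the last has its final bit flipped
    # (constructed) to show a parity failure.
    for raw in ("f08a52316", "709c5cefd", "f08a52317"):
        print(raw, decode_keyscan36(raw))
```

A reader log entry that decodes with the wrong fixed field or a failed parity bit is most likely a different format or a corrupted capture, which is what the `valid` property flags.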
