2,5 seconds of google search: datasheet - other infos.
It is a Wiegand 26 or 32 bit format (by default) but factory can use other transponder types by request (see last sentence in the datasheet).
Joe or anyone else on the forum - did you have luck cloning the Radio Secura Key?
I'm trying to clone the Radio Secura Key Tag (it's Wiegand 26 or 32 format but it doesn't say proximity).
I'm fairly new to the scene. Any direction or steps to decode and clone this key would be most helpful!
i don't believe there are specific functions for the PM3 to currently auto demodulate or clone this tag. that doesn't mean it can't be done though. you will need to first identify the modulation of the tag (as we already know the frequency is LF). you can do this by lf read - data samples 12000 - data plot - and identifying the waveform. (look around for examples on the forum there are many) after you know the modulation you can learn to demodulate it to get the binary string. then you need to identify the start and end (or repeating binary) of the chip transmission. then you can take that information and figure out how to clone it to an ATA5577.
I'd like to see a trace before I agree that "nobody can clone this tag". it appears to be a simple format from the datasheets.
Definitely ASK modulation. Can you post a trace file?
lf read
data samples 20000
data save c:\trace1.pm3
Then post the pm3 file to some file share and link to it here.
Hi, marshmellow,
Here, i have the tag now ...
proxmark3> lf search
#db# buffer samples: eb e3 de d8 ca ca c1 b8 ...
Reading 20000 samples
Done!
Checking for known tags:
Using Clock: 40 - Invert: 0 - Bits Found: 400
ASK/Manchester decoded bitstream:
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
1111111110011000
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
1111111110011000
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
1111111110011000
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
1111111110011000
0000000000001000
Recovered 499 raw bits, expected: 625
worst metric (0=best..7=worst): 8 at pos 792
UID=0000000000000000000000000000000000000000000000000000000000000000 (000000000)
Occurrences: 7 (expected 7)
proxmark3>
can you save a trace and post it ( data save [path/filename] )?
also are there any markings on the tag? an id number or anything?
see this thread:
http://www.proxmark.org/forum/viewtopic.php?id=2189
your tag matches its demod.
the repeating binary string you got above will help you understand what you need to do (along with the linked thread)
it was demodulated correctly
let me know if you have further questions after reading that thread.
block 0 is the configuration block for ata55x7 tags. it will be the same for each tag TYPE you are trying to emulate. look at the first post in http://www.proxmark.org/forum/viewtopic.php?id=1767. it will help you understand what the block 0 bits mean.
also the demod you received above identifies all the information needed to build a block 0.
Using Clock: 40 - Invert: 0 - Bits Found: 400
ASK/Manchester decoded bitstream:
(plus the length of repeating pattern)
i would follow what worked for http://www.proxmark.org/forum/viewtopic.php?id=2189...
but i can't determine the start and end bits..
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
1111111110011000
0000000000001000
0100011001010001
0110110010101100
0001011001110000
0000000000000000
I'm trying to decode this key, can I please get a sanity check to see if I am doing this right?
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
0000000001111111
1100101101000000
0000000000000000
0001000010000100
0000000000111101
1010000000000000
Block 0: 000C8060
Block 1: Fxxxxxxx
Block 2: 0xxxxxxx
Block 3: 7xxxxxxx
Any help or feedback appreciated! Thanks in advance.
Last edited by Upgrade (2015-04-09 22:52:48)
looks about right.
Now I have to ask... The x's in the blocks 1-3 are a mask to attempt to not give out your cards ID?
Block 1 is really FF96.......
after you write that to your card did you read it with the pm3 and verify the write took?
I also have a 2nd key here.
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
0001101001100000
1010001010011111
1111000000000000
0000000000000000
Is it possible that I only have the repeating signal for 2 blocks only?
This seems to be the case for this key, the 3rd block is just a repeat of block 1.
Any ideas?
for the first tag you had 3 repeating blocks and looks like the securakey, but you didn't show the detected clock or modulation.
the second tag it looks similar to a EM410x since you only have 64 bits repeating, but it doesn't match the parities of an em410x. so it may be something else. again you don't show the detected clock or modulation.
the clock and modulation are important for getting the correct block 0 settings. joe's tag had a clock of rf/40.
Last edited by marshmellow (2015-04-10 05:00:30)
Here's the info for the 2nd key
lf search
#db# buffer samples: df de d8 cf c5 be b9 b4 ...
Reading 20000 samples from device memory
NOTE: some demods output possible binary
if it finds something that looks like a tag
Checking for known tags:
Using Clock: 40 - Invert: 0 - Bits Found: 400
ASK/Manchester decoded bitstream:
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
0000000001101001
1000001010001010
0111111111000000
0000000000000000
No Known Tags Found!
this was Joe's post #13
From this binary data I have a different result:
A000007F
CB400000
1084003D
Last edited by ntk (2015-07-07 04:41:35)
Sorry to hijack this thread.
I would like to consolidate the knowledge here. How can you be certain without any further measurement that this
ASK
clock 40
no inverse
Is it based on experience, or on post #13 from Joe, where lf search gave the reasonable-looking binary bits, without any 7 equal error, after guessing ASK/Manchester modulation alone?
I wonder if you run "data clockdetect a" what would you receive? 8? 32? 40? 64?
I don't have the card and reader so I cannot test myself, but my hex for the data bits, derived from the binary, is different from what I read here, so I wonder what is going on: where is that shifting of bits happening when we start with the same binary strings?
learn what repeating bits means. LF dumb tags just spit out repeating bits. it is up to you to pick out where the data begins and ends.
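The two hex readings above (A000007F... versus Fxxxxxxx...) come from the same 96 repeating bits read from different start offsets. The following is an added example, not code from any poster or from the Proxmark3 project; the function names are hypothetical, and aligning on the longest run of 1s is an assumption based on the "FF96" remark in the thread.

```python
# Constructed input: one 96-bit repeat of the first ASK/Manchester dump in
# this thread, as six 16-bit rows, followed by the start of the next repeat.
ROWS = ["1010000000000000", "0000000001111111", "1100101101000000",
        "0000000000000000", "0001000010000100", "0000000000111101"]
STREAM = "".join(ROWS) * 4 + ROWS[0]   # 400 bits, same shape as the dump


def find_period(bits):
    """Smallest shift p for which the stream equals itself shifted by p."""
    for p in range(1, len(bits) // 2 + 1):
        if bits[p:] == bits[:-p]:
            return p
    return None


def longest_ones_start(frame):
    """Start index of the longest run of 1s, treating the frame as cyclic.
    Assumption: that run marks where the tag's frame begins."""
    doubled = frame + frame
    best_len, best_start = 0, 0
    for start in range(len(frame)):
        run = 0
        while run < len(frame) and doubled[start + run] == "1":
            run += 1
        if run > best_len:
            best_len, best_start = run, start
    return best_start


def to_words(frame, start):
    """Rotate the frame to begin at `start`, then pack into 32-bit hex words."""
    rot = frame[start:] + frame[:start]
    return [f"{int(rot[i:i + 32], 2):08X}" for i in range(0, len(rot), 32)]


if __name__ == "__main__":
    period = find_period(STREAM)
    frame = STREAM[:period]
    print("period:", period)
    print("as captured:", to_words(frame, 0))
    start = longest_ones_start(frame)
    print("aligned at bit", start, ":", to_words(frame, start))
```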
@Marshmellow
"Learn what repeating bits means. it is up to you to pick out where the data begins and ends."
I always fall in that "repeating bits"
and please answer for me too " How can you be certain without any further measurement that this
ASK
clock 40
no inverse
" Is it from lf search result?
If you are referring to this
Using Clock: 40 - Invert: 0 - Bits Found: 400
ASK/Manchester decoded bitstream:
then yes it is part of the output of lf search u
thank wish I have secure to play to test with
lf search u found this.
I am having trouble identifying the blocks. Any help would be greatly appreciated!
proxmark3> lf search u
#db# Sampling config:
#db# [q] divisor: 95
#db# bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff ff ff ff fe f4 ...
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
DEBUG: error during fskdemod
DEBUG: Error - problem during FSK demod
DEBUG: Error demoding fsk
DEBUG: Error - problem during FSK demod
DEBUG: Error demoding fsk
Error1: 0
DEBUG: Bitlen from grphbuff: 20000
Using Clock: 40 - Invert: 0 - Bits Found: 500
ASK/Manchester decoded bitstream:
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
Using Clock: 40 - invert: 0 - Bits Found: 1000
ASK demoded bitstream:
0101001011001010
1010101010101101
0101010101010101
0101010101010101
0101010101010101
0101010101001011
0010110100110011
0101010101001101
0101001011001010
1010101010101101
0101010101010101
0101010101010101
0101010101010101
0101010101001011
0010110100110011
0101010101001101
0101001011001010
1010101010101101
0101010101010101
0101010101010101
0101010101010101
0101010101001011
0010110100110011
0101010101001101
0101001011001010
1010101010101101
0101010101010101
0101010101010101
0101010101010101
0101010101001011
0010110100110011
0101010101001101
Biphase Decoded using offset: 0 - # errors:0 - data:
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
0101000011111001
1101001111111101
1111111111111111
1111111111111010
Error gProxII_Demod
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 2560 repeating samples
DEBUG: Bitlen from grphbuff: 20000
Using Clock: 40 - Invert: 0 - Bits Found: 500
ASK/Manchester decoded bitstream:
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
0110010100000010
0001101111111110
0000000000000000
0000000000000011
proxmark3>
Last edited by Upgrade (2015-07-17 03:19:17)
You shouldn't need to have 'data setdebug' on (1).
The ask/Manchester data looks similar to previous tags. Is there a number printed on the tag? I'd guess the preamble is the 111111111
if you take these blocks (as a starting point in your repeating output)
0000000000000011
0110010100000010
0001101111111110
0000000000000000
You'll get:
1790019 ( 0x1B5043 ) ( 110110101000001000011 )
- 110110 10100000 1000011
00000000000000110110 0 10100000 0 1000011 0 1111111110 0000000000000000
Last edited by iceman (2015-07-18 21:07:00)
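The split shown in the post above can be checked mechanically. This is an added example, not iceman's code or part of the Proxmark3 client; the field widths are taken from the post's own grouping, and the names `split_fields` and `decode` are hypothetical.

```python
# Constructed input: the four 16-bit rows of one repeat, in the order they
# appear in the `lf search u` output above (not yet aligned).
CAPTURED = ["0001101111111110", "0000000000000000",
            "0000000000000011", "0110010100000010"]

# Field widths as split in the post: 20 data bits, 0, 8 data bits, 0,
# 7 data bits, 0, then the 10-bit run 1111111110 and 16 zero bits.
WIDTHS = (20, 1, 8, 1, 7, 1, 10, 16)
MARKER, TAIL = "1111111110", "0" * 16


def split_fields(frame):
    """Cut a 64-bit frame into the fields above, or return None if it
    does not fit that layout at this alignment."""
    if len(frame) != sum(WIDTHS) or set(frame) - {"0", "1"}:
        return None
    fields, pos = [], 0
    for w in WIDTHS:
        fields.append(frame[pos:pos + w])
        pos += w
    d1, s1, d2, s2, d3, s3, marker, tail = fields
    if (s1, s2, s3) != ("0", "0", "0") or marker != MARKER or tail != TAIL:
        return None
    return d1, d2, d3


def decode(frame):
    """Try every rotation of the repeating frame; return (offset, value)."""
    for off in range(len(frame)):
        data = split_fields(frame[off:] + frame[:off])
        if data:
            return off, int("".join(data), 2)
    return None


if __name__ == "__main__":
    print(decode("".join(CAPTURED)))
```

The rows as captured do not fit the layout at offset 0; only the rotation that starts at the third row does, which is the starting point chosen in the post.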
Wouldn't I still need the other blocks?