Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Hi Guys,
//hw tune without the tag
# LF antenna: 28.32 V @ 125.00 kHz
# LF antenna: 34.24 V @ 134.00 kHz
# LF optimal: 38.77 V @ 129.03 kHz
# HF antenna: 12.94 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
//hw tune with the tag
# LF antenna: 23.65 V @ 125.00 kHz
# LF antenna: 33.83 V @ 134.00 kHz
# LF optimal: 35.48 V @ 130.43 kHz
# HF antenna: 12.69 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Last edited by JasZ (2015-11-21 04:01:16)
Hmmm. The crc failed. Is it an animal tag or a card/key fob?
Then I expect your tag is not a fdx-b, but you see a false positive. Are you running a recent firmware build?
Then I expect your tag is not a fdx-b, but you see a false positive. Are you running a recent firmware build?
not the latest one , it's 2.1.0 at the moment
do i need to update the firmware?
I think 2.1 had a bug in the fdx-b that caused many false positives. So that explains it. You should be able to 'data rawdemod ab' it and get a raw data stream. Are there any indications of what system or type of tag it is? Numbers on the tag?
Last edited by marshmellow (2015-11-05 04:56:56)
btw - lf search first then data rawdemod ab
Hmmm. Try data rawdemod ab 1
Last edited by marshmellow (2015-11-06 14:12:51)
actually i believe your tag to be the same as the one found here http://www.proxmark.org/forum/viewtopic.php?id=2541
so:
lf search
data rawdemod am
should get the raw binary of the tag
then
data printdemod x o 1 (can play with the offset - 0 1 or o 2 or o 3 etc. until you see your printed ID in the string somewhere.)
should get you the hex values of the blocks
Last edited by marshmellow (2015-11-06 23:47:26)
Is it this kind of Viking tag?
so the viking demod should be a 26bit Wiegand according to pdfs from site.
Using calc: http://www.brivo.com/support/card-calculator/
The post #10 looks ok, the #12 doesn't.
JazS post #12 Printed: 0000F46D
Internal Card # 31286
Facility Code # 0
JazS post #10 Printed: 0708640B
Internal Card # 12805
Facility Code # 132
Doesn't make sense to have the raw printed tho. Plus there is a checksum?
as marshmellow mentioned, it's a false positives caused by v2.1
now i'm using a different windows compiled version and it doesn't say FDX-B anymore.
0746e0d3
[== Undefined ==]
#db# Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 9a a5 ad b8 b5 b0 b3 aa ...
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
#db# Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 7d 8a 8a 80 78 77 81 7d ...
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
Using Clock: 32 - Invert: 0 - Bits Found: 500
No Known Tags Found!
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
Using Clock: 32 - Invert: 0 - Bits Found: 500
ASK/Manchester decoded bitstream:
1000111100100000
0000000000000000
0111010001101110
0000110100110010
1000111100100000
0000000000000000
0111010001101110
0000110100110010
1000111100100000
0000000000000000
0111010001101110
0000110100110010
1000111100100000
0000000000000000
0111010001101110
0000110100110010
1000111100100000
0000000000000000
0111010001101110
0000110100110010
1000111100100000
0000000000000000
0111010001101110
0000110100110010
1000111100100000
0000000000000000
0111010001101110
0000110100110010
1000111100100000
0000000000000000
0111010001101110
Last edited by JasZ (2015-11-08 23:33:02)
but 0746e0d3 is at minimum 27 bits. so the thought of it being a 26 bit format is out.
Last edited by marshmellow (2015-11-09 17:57:14)
I've just pushed a viking demod to my fork. lf search should now identify this tag. I would like to identify the checksum at the end to be thorough and to reduce the false positives. To do that we need samples of valid tags and their checksum. (Or just saved traces)
Edit... the checksum is a simple xor. xor all bytes and A8 and you get the 1byte checksum.
Last edited by marshmellow (2015-11-10 06:24:46)
@Go_tus, out of curiosity, does lf search correctly identify and demodulate it?
lf search work well, but for this viking tag, 8 bytes uid must be known before tag can be demod. I don't think it has to be included in lf search. For animal tag, I will run the test and post it, will test on 3 animal tags on lf search command.
i just fixed a small bug in my code for the viking demod, it now functions as it should.