Hi,
I've read over all the other topics on Guardall G-Prox II fobs and am still a little confused on how to edit this type of fob in 36-bit. I want to see if I can change an FC or Card#, but under the clone commands I'm having a few issues. I notice that there is a note that it currently works only on 26-bit formats. When I try to enter values for the FC and Card # it doesn't match the original. I know I can write the 4 blocks from the Raw data, but I'm trying to do it with the clone functions.
Anyone able to point me in the correct direction?
Original
pm3 --> lf sea u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
G-Prox-II Found: Format Len: 36bit - FC: 30 - Card: 3949, Raw: f896612962589613a969609c
Valid Guardall G-Prox II ID Found!
Copy
pm3 --> lf gpr cl 36 30 3949
Preparing to clone Guardall to T55x7 with Facility Code: 30, Card Number: 3949
Blk | Data
----+------------
00 | 0x00150060
01 | 0xF98C67B8
02 | 0xC6324C63
03 | 0x38CD0800
pm3 --> lf sea u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
G-Prox-II Found: Format Len: 36bit - FC: 1920 - Card: 3947, Raw: f98c67b8c6324c6338cd0800
Valid Guardall G-Prox II ID Found!
pm3 --> lf gpr cl
clone a Guardall tag to a T55x7 tag.
The facility-code is 8-bit and the card number is 16-bit. Larger values are truncated.
Currently work only on 26bit
That would be because of a 36b format vs 26b.
clone a Guardall tag to a T55x7 tag.
The facility-code is 8-bit and the card number is 16-bit. Larger values are truncated.
Currently work only on 26bit
You have access to more credentials from this system? So we might be able to add 36b format support?
If you wouldn't mind, enable debug statements during a read and paste the output from it? And make a trace file and share it here?
data setd 1
lf gprox read
data setd 0
lf read
data save f lf_gprox_36_30_3949.pm3
FC: 30 - Card: 3949
[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#] high..........255
[#] low...........7
[#] mean..........126
[#] amplitude.....129
[#] is Noise......No
[#] THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 19, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index 19
[#] data
10011111000100101100110000100101
00101100010010110001001011000010
01110101001011010010110000010011
10011111000100101100110000100101
0010110001001011000100101100001
[#] DEBUG: (preambleSearchEx) preamble found at 3
[#] DEBUG: (preambleSearchEx) preamble 2 found at 99
[#] DEBUG: gProxII byte 0 after xor: 92
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 00
[#] DEBUG: gProxII byte 4 after xor: 3c
[#] DEBUG: gProxII byte 5 after xor: 01
[#] DEBUG: gProxII byte 6 after xor: ed
[#] DEBUG: gProxII byte 7 after xor: a0
[#] DEBUG: (setClockGrid) demodoffset 211, clk 64
[+] G-Prox-II Found: Format Len: 36bit - FC: 30 - Card: 3949, Raw: f896612962589613a969609c
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db# [q] divisor.............95 ( 125.00 kHz)
#db# [b] bits per sample.....8
#db# [d] decimation..........1
#db# [a] averaging...........No
#db# [t] trigger threshold...0
#db# [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1
FC: 30 - Card: 14489
[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#] high..........255
[#] low...........6
[#] mean..........126
[#] amplitude.....129
[#] is Noise......No
[#] THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 12, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index 12
[#] data
11011111000100111100110001100101
00111100010011110001001111000010
00110110001111011100011100010010
11011111000100111100110001100101
00111100010011110001001111000010
[#] DEBUG: (preambleSearchEx) preamble found at 3
[#] DEBUG: (preambleSearchEx) preamble 2 found at 99
[#] DEBUG: gProxII byte 0 after xor: 92
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 00
[#] DEBUG: gProxII byte 4 after xor: 3c
[#] DEBUG: gProxII byte 5 after xor: 07
[#] DEBUG: gProxII byte 6 after xor: 13
[#] DEBUG: gProxII byte 7 after xor: 20
[#] DEBUG: (setClockGrid) demodoffset 204, clk 64
[+] G-Prox-II Found: Format Len: 36bit - FC: 30 - Card: 14489, Raw: f89e6329e2789e11b1ee3896
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db# [q] divisor.............95 ( 125.00 kHz)
#db# [b] bits per sample.....8
#db# [d] decimation..........1
#db# [a] averaging...........No
#db# [t] trigger threshold...0
#db# [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1
FC: 30 - Card: 3949
http://www.filedropper.com/lfgprox36303949
FC: 30 - Card: 14489
http://www.filedropper.com/lfgprox363014489
Last edited by Charlie (2020-09-10 21:39:58)
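Added example, not part of the original posts or the Proxmark3 source: a Python decoder for the `Raw` values printed above, so an original fob and a read-back clone can be compared byte by byte. The preamble, spacer-bit, XOR and field positions are assumptions reconstructed from the debug lines in this thread, and the function names are hypothetical.

```python
# Added example: decode a G-Prox II "Raw" value as printed in this thread.
# The bit layout is an assumption reconstructed from the thread's debug output.

def gprox_plain(raw_hex):
    """Return the 8 'after xor' bytes for a 96-bit Raw hex string."""
    bits = bin(int(raw_hex, 16))[2:].zfill(96)
    if len(bits) != 96 or bits[:6] != "111110":
        raise ValueError("expected 96 bits starting with preamble 111110")
    groups = [bits[i:i + 5] for i in range(6, 96, 5)]   # 18 x (4 data + 1 spacer)
    if any(g[4] != "0" for g in groups):
        raise ValueError("spacer bit set; not a clean G-Prox II frame")
    data = "".join(g[:4] for g in groups)               # 72 bits
    # Each byte is sent least-significant bit first; the first byte is the XOR key.
    octets = [int(data[i:i + 8][::-1], 2) for i in range(0, 72, 8)]
    key = octets[0]
    return bytes(b ^ key for b in octets[1:])

def gprox_fields(raw_hex):
    """Return (format_len, facility_code, card_number)."""
    p = gprox_plain(raw_hex)
    fmt = p[0] >> 2
    if fmt == 36:
        fc = ((p[3] & 0x7F) << 7) | (p[4] >> 1)
        card = ((p[4] & 1) << 19) | (p[5] << 11) | (p[6] << 3) | (p[7] >> 5)
    elif fmt == 26:
        fc = ((p[3] & 0x7F) << 1) | (p[4] >> 7)
        card = ((p[4] & 0x7F) << 9) | (p[5] << 1) | (p[6] >> 7)
    else:
        raise ValueError(f"unhandled format length {fmt}")
    return fmt, fc, card

def diff_plain(raw_a, raw_b):
    """Indexes of decoded bytes that differ between two Raw values."""
    a, b = gprox_plain(raw_a), gprox_plain(raw_b)
    return [i for i in range(8) if a[i] != b[i]]

if __name__ == "__main__":
    original = "f896612962589613a969609c"   # Raw of the original fob (from the thread)
    clone = "f98c67b8c6324c6338cd0800"      # Raw read back after the first clone attempt
    for name, raw in (("original", original), ("clone", clone)):
        print(name, gprox_plain(raw).hex(" "), gprox_fields(raw))
    print("differing plain bytes:", diff_plain(original, clone))
```

The differing byte indexes show where the read-back clone departs from the original: the format byte and the bytes carrying the facility code and the low card bits.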
Using proxmark3 easy 512M - Thought it used to say "PM3OTHER" for Client. Did I mess up the compiling?
[ CLIENT ]
client: RRG/Iceman/master/release (git)
compiled with MinGW-w64 10.2.0 OS:Windows (64b) ARCH:x86_64
[ PROXMARK3 ]
[ ARM ]
bootrom: RRG/Iceman/master/release (git)
os: RRG/Iceman/master/release (git)
compiled with GCC 9.3.1 20200408 (release)
[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 259616 bytes (50%) Free: 264672 bytes (50%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
Is that the latest?
Original
[usb] pm3 --> lf sea u
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] G-Prox-II - len: 36 FC: 30 Card: 3949, Raw: f896612962589613a969609c
[+] Valid Guardall G-Prox II ID found!
[+] Chipset detection: T55xx
Copy
[+] Chipset detection: T55xx
[usb] pm3 --> lf gp cl 36 30 3949
[=] Preparing to clone Guardall to T55x7 with Facility Code: 30, Card Number: 3949
[+] Blk | Data
[+] ----+------------
[+] 00 | 00150060
[+] 01 | F98C67B8
[+] 02 | C6318C55
[+] 03 | 38CD0986
[+] Success writing to tag
[+] Done
[usb] pm3 --> lf sea u
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] G-Prox-II - len: 36 FC: 30 Card: 3949, Raw: f98c67b8c6318c5538cd0986
[+] Valid Guardall G-Prox II ID found!
[+] Chipset detection: T55xx
[usb] pm3 -->
Last edited by Charlie (2020-09-13 16:36:04)
I pulled the latest from https://github.com/RfidResearchGroup/proxmark3.git and am still having issues when trying to write a 36bit by FC and ID.
I should be able to get a few more cards to test. Would that help for testing?
I was able to get a few more samples today. These were 26bit format but didn't follow the same raw data format as the clone commands.
Format Len: 26bit - FC: 10 - Card: 39176
[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#] high..........255
[#] low...........12
[#] mean..........125
[#] amplitude.....130
[#] is Noise......No
[#] THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 56, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index 56
[#] data
10111110001001101001110101101010
01101000100110101000011010000101
11100000011000001001101000100110
10111110001001101001110101101010
0110100010011010100001101001010
[#] DEBUG: (preambleSearchEx) preamble found at 2
[#] DEBUG: (preambleSearchEx) preamble 2 found at 98
[#] DEBUG: gProxII byte 0 after xor: 6a
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 05
[#] DEBUG: gProxII byte 4 after xor: 4c
[#] DEBUG: gProxII byte 5 after xor: 84
[#] DEBUG: gProxII byte 6 after xor: 00
[#] DEBUG: gProxII byte 7 after xor: 00
[#] DEBUG: (setClockGrid) demodoffset 184, clk 64
[+] G-Prox-II Found: Format Len: 26bit - FC: 10 - Card: 39176, Raw: f89a75a9a26a1a178182689a
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db# [q] divisor.............95 ( 125.00 kHz)
#db# [b] bits per sample.....8
#db# [d] decimation..........1
#db# [a] averaging...........No
#db# [t] trigger threshold...0
#db# [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1
Format Len: 26bit - FC: 10 - Card: 39171
[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#] high..........255
[#] low...........12
[#] mean..........125
[#] amplitude.....130
[#] is Noise......No
[#] THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 59, clk 64
[#] Biphase Decoded using offset 1 | clock 64 | #errors 0 | start index 59
[#] data
10111110001001111010110100101010
01111000100111101000011110000101
10101010011100001001100000100111
10111110001001111010110100101010
0111100010011110100001111001010
[#] DEBUG: (preambleSearchEx) preamble found at 2
[#] DEBUG: (preambleSearchEx) preamble 2 found at 98
[#] DEBUG: gProxII byte 0 after xor: 69
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 05
[#] DEBUG: gProxII byte 4 after xor: 4c
[#] DEBUG: gProxII byte 5 after xor: 81
[#] DEBUG: gProxII byte 6 after xor: c0
[#] DEBUG: gProxII byte 7 after xor: 00
[#] DEBUG: (setClockGrid) demodoffset 187, clk 64
[+] G-Prox-II Found: Format Len: 26bit - FC: 10 - Card: 39171, Raw: f89eb4a9e27a1e16a9c2609e
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db# [q] divisor.............95 ( 125.00 kHz)
#db# [b] bits per sample.....8
#db# [d] decimation..........1
#db# [a] averaging...........No
#db# [t] trigger threshold...0
#db# [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1
Format Len: 26bit - FC: 10 - Card: 39172
[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#] high..........255
[#] low...........13
[#] mean..........125
[#] amplitude.....130
[#] is Noise......No
[#] THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 54, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index 54
[#] data
00111110001001100001110101001010
01100000100110001000011000000101
11000110011010001001100000100110
00111110001001100001110101001010
0110000010011000100001100001010
[#] DEBUG: (preambleSearchEx) preamble found at 2
[#] DEBUG: (preambleSearchEx) preamble 2 found at 98
[#] DEBUG: gProxII byte 0 after xor: 6a
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 05
[#] DEBUG: gProxII byte 4 after xor: 4c
[#] DEBUG: gProxII byte 5 after xor: 82
[#] DEBUG: gProxII byte 6 after xor: 00
[#] DEBUG: gProxII byte 7 after xor: 00
[#] DEBUG: (setClockGrid) demodoffset 182, clk 64
[+] G-Prox-II Found: Format Len: 26bit - FC: 10 - Card: 39172, Raw: f89875298262181719a26098
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db# [q] divisor.............95 ( 125.00 kHz)
#db# [b] bits per sample.....8
#db# [d] decimation..........1
#db# [a] averaging...........No
#db# [t] trigger threshold...0
#db# [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1
Format Len: 26bit - FC: 10 - Card: 39180
[usb] pm3 --> data setd 1
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#] high..........255
[#] low...........13
[#] mean..........125
[#] amplitude.....130
[#] is Noise......No
[#] THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset 54, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index 54
[#] data
00111110101001100001110101000010
01100010100110000000011000100101
11001100011010101001110010100110
00111110101001100001110101000010
0110001010011000000001100011010
[#] DEBUG: (preambleSearchEx) preamble found at 2
[#] DEBUG: (preambleSearchEx) preamble 2 found at 98
[#] DEBUG: gProxII byte 0 after xor: 6b
[#] DEBUG: gProxII byte 1 after xor: 01
[#] DEBUG: gProxII byte 2 after xor: 00
[#] DEBUG: gProxII byte 3 after xor: 05
[#] DEBUG: gProxII byte 4 after xor: 4c
[#] DEBUG: gProxII byte 5 after xor: 86
[#] DEBUG: gProxII byte 6 after xor: 40
[#] DEBUG: gProxII byte 7 after xor: 00
[#] DEBUG: (setClockGrid) demodoffset 182, clk 64
[+] G-Prox-II Found: Format Len: 26bit - FC: 10 - Card: 39180, Raw: fa9875098a60189731aa7298
[usb] pm3 --> data setd 0
[usb] pm3 --> lf read
#db# LF Sampling config
#db# [q] divisor.............95 ( 125.00 kHz)
#db# [b] bits per sample.....8
#db# [d] decimation..........1
#db# [a] averaging...........No
#db# [t] trigger threshold...0
#db# [s] samples to skip.....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
[=] Reading 39999 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1
FC: 10 - Card: 39171
http://www.filedropper.com/lfgprox261039171_2
FC: 10 - Card: 39172
http://www.filedropper.com/lfgprox261039172
FC: 10 - Card: 39176
http://www.filedropper.com/lfgprox261039176
FC: 10 - Card: 39180
http://www.filedropper.com/lfgprox261039180
Did anyone ever figure out why the raw data is different after writing to a T55x7 ?
Write each block starting with the zero block - using the T55xx7 commands for writing blocks. This should fix it.
Last edited by diamondrail (2021-11-30 22:59:21)
Were you able to produce a clone by using the lf gproxii clone --fmt xx --fc xxx --cn xxxx command?
I have a few more to test
pm3 --> data setd -1
[=] client debug level... 1 ( debug messages )
[usb] pm3 --> lf gprox read
[#] LF signal properties:
[#] high..........255
[#] low...........9
[#] mean..........126
[#] amplitude.....129
[#] is Noise......No
[#] THRESHOLD noise amplitude......8
[#] DEBUG: (setClockGrid) clear settings
[#] DEBUG: (setClockGrid) demodoffset -17, clk 64
[#] Biphase Decoded using offset 0 | clock 64 | #errors 0 | start index -17
[#] data
[+] DemodBuffer:
[+] 10011111010000011100000011100111
[+] 00100001000000010100000111010010
[+] 00110000001111000000101101000011
[+] 10011111010000011100000011100111
[+] 0010000100000001010000011101
[#] DEBUG: (preambleSearchEx) preamble found at 3
[#] DEBUG: (preambleSearchEx) preamble 2 found at 99
[#] DEBUG: gProxII byte 0 after xor: 91
[#] DEBUG: gProxII byte 1 after xor: f6
[#] DEBUG: gProxII byte 2 after xor: 60
[#] DEBUG: gProxII byte 3 after xor: 00
[#] DEBUG: gProxII byte 4 after xor: 28
[#] DEBUG: gProxII byte 5 after xor: 11
[#] DEBUG: gProxII byte 6 after xor: 31
[#] DEBUG: gProxII byte 7 after xor: 90
[#] DEBUG: (setClockGrid) demodoffset 175, clk 64
[+] G-Prox-II - len: 36 FC: 20 Card: 35212, Raw: fa0e0739080a0e9181e05a1c