Sorry to gravedig an old post but could I possibly grab that firmware image? Also, has anybody sniffed the reader-card crypto exchange? Not to get too optimistic, but it would be funny if I could just replay the signal on my SDR ^_^
Here's a snapshot of all the firmware files in Doors.NET circa 2018: https://gofile.io/?c=jATxO9
The relevant files are NXT_v020568.bin and possibly RIM_v030321.bin, depending on whether it turns out to be the card reader itself or the RIM interface module that decrypts the sequence emitted by the card.
There is no reader-card crypto exchange, the tag just transmits a repeating and fixed 16-byte sequence when activated. However, the data in the sequence itself is encrypted. So it's easy to clone a tag using a standard T55xx by copying the byte sequence, but you can't map from the card number to the byte sequence or vice versa without understanding how it is encrypted.
Some useful links:
http://www.microchip.com/wwwproducts/en/PIC16F88
http://ww1.microchip.com/downloads/en/D … 30487c.pdf
http://ww1.microchip.com/downloads/en/D … 01291H.pdf
https://www.nxp.com/docs/en/reference-m … 554_RM.pdf
Good luck!
HackAgenda,
What were the commands you used to read the NXT Keri fob that was not detected by the standard LF SEARCH?
thanks.
The tags can be read by a "lf search u", followed by "data rawdemod fsk2" then "data print x".
Hey guys,
Some additional information from http://license.kerisys.com/docs/Serial_ … _Rev-A.pdf: the 4 digits of the tag serial number (after the 'N', or the 'K', etc.) are a manufacturing date code. The first 3 digits are the day of the year (e.g. 358), the last digit is the last digit of the year (e.g. 5 for 2015). This confirms that it isn't related to the internal code.
Thanks for this.
One thing I've learned is the Keri NXT cards have an "internal card number" which is a bit scramble of the "external card number". The algorithm to convert between the two is quite simple. However, the internal card number bears no relation with the 11 bytes of data stored in the card's memory. I'm pretty sure the 11 bytes include a checksum because modifying a single bit at a time and writing the number to a T55xx produces a card that the reader doesn't respond to in any way at all, whereas with a valid card the reader will immediately beep before talking to the controller.
Would love to figure out whether the reader actually decodes the 11 bytes into the "internal card number" before sending it over the RS-485 link, or whether it sends the 11 bytes raw and just computes a checksum. If it's the latter then I'll need to decompile the NXT controller firmware to figure out the decode algorithm, which will be more difficult since the firmware is much larger, MPC555X, and in a different format.
NXXXZ AABBBB
where
XXXZ = manufacture date code
- Z is the last digit of the year (e.g. 5 for 2015) (decimal)
- X, the day of the year (e.g. 358) (decimal)
AABBBB= sitecode << 32 | cardnumber
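Added example, not posted by anyone in this thread: a small parser for the printed serial format described in this post and in the Serial_..._Rev-A note above. The date-code reading (three-digit day of year, then the last digit of the year) comes from that note; the card number decomposition follows the original post's YYYYYY = 65536*site + user (8-bit site code, 16-bit user code). The 26-bit Wiegand framing (leading even-parity bit, 8-bit site, 16-bit user, trailing odd-parity bit) is the standard layout and is my assumption, since the thread only says "26-bit Wiegand" without spelling it out; the serial "N3585 0123456" is a constructed sample, not a real tag.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Printed serial: a letter prefix, a 4-digit date code, whitespace, then the decimal card number.
SERIAL_RE = re.compile(r"^([A-Z])(\d{3})(\d)\s+(\d{1,8})$")


@dataclass(frozen=True)
class KeriSerial:
    prefix: str        # 'N' on the keychain tags discussed in the thread
    day_of_year: int   # first three digits of the date code (e.g. 358)
    year_digit: int    # last digit of the date code (e.g. 5 for 2015)
    site: int          # 8-bit site code
    user: int          # 16-bit user code

    @property
    def printed_number(self) -> int:
        # The number printed after the space: 65536 * site + user, per the original post.
        return self.site * 65536 + self.user


def parse_keri_serial(serial: str) -> KeriSerial:
    """Split a printed serial such as 'N3585 0123456' (constructed sample) into its fields."""
    m = SERIAL_RE.match(serial.strip().upper())
    if not m:
        raise ValueError(f"not a Keri-style serial: {serial!r}")
    prefix, day, year, number = m.groups()
    day_of_year = int(day)
    if not 1 <= day_of_year <= 366:
        raise ValueError(f"day-of-year out of range: {day_of_year}")
    site, user = divmod(int(number), 65536)
    if site > 0xFF:
        raise ValueError(f"site code {site} does not fit in 8 bits")
    return KeriSerial(prefix, day_of_year, int(year), site, user)


def _parity(value: int) -> int:
    return bin(value).count("1") & 1


def wiegand26_encode(site: int, user: int) -> int:
    """Standard 26-bit Wiegand frame (assumed layout, not stated in the thread):
    bit 25 = even parity over the 12 bits after it, bits 24..17 = site,
    bits 16..1 = user, bit 0 = odd parity over the 12 bits before it."""
    if not (0 <= site <= 0xFF and 0 <= user <= 0xFFFF):
        raise ValueError("site must fit in 8 bits and user in 16 bits")
    data = (site << 16) | user
    even_p = _parity(data >> 12)        # chosen so the left 13 bits have even parity
    odd_p = 1 - _parity(data & 0xFFF)   # chosen so the right 13 bits have odd parity
    return (even_p << 25) | (data << 1) | odd_p


def wiegand26_decode(frame: int) -> tuple[int, int]:
    """Inverse of wiegand26_encode; raises on a parity failure (e.g. a single flipped bit)."""
    if frame >> 26:
        raise ValueError("frame is longer than 26 bits")
    if _parity(frame >> 13) != 0:          # left 13 bits must be even
        raise ValueError("even-parity check failed")
    if _parity(frame & 0x1FFF) != 1:       # right 13 bits must be odd
        raise ValueError("odd-parity check failed")
    data = (frame >> 1) & 0xFFFFFF
    return data >> 16, data & 0xFFFF


if __name__ == "__main__":
    s = parse_keri_serial("N3585 0123456")  # constructed sample, not a real tag
    print(s)
    frame = wiegand26_encode(s.site, s.user)
    print(f"26-bit Wiegand frame: {frame:026b}")
    print("round trip:", wiegand26_decode(frame) == (s.site, s.user))
```

The parity checks in `wiegand26_decode` are what a controller relies on to reject a corrupted frame, which is why a single-bit error in the decoded 26-bit value is caught even though the tag's own 128-bit payload and its suspected checksum remain opaque.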
I have a couple of Keri NXT keychain-style tags, with serial numbers that begin with N. The format is not Pyramid or anything detected by the standard lf search, but I have made some progress and have successfully cloned one of the tags to a standard T5557 card.
What I have so far: it's a 125kHz carrier, FSK2 modulation, RF/50 bitrate, inverted. Cloning is as easy as lf search u, data rawdemod fsk2, data print x. Then configure the T5557 like below, and write the 16 bytes of data to blocks 1-4 like any other tag. The card serial number is Wiegand format with an 8-bit site code and 16-bit user code, printed as something like NXXXX YYYYYY where YYYYYY=65536*site+user. The XXXX seems to be irrelevant (probably just for Keri's record keeping).
What I don't have yet: the card 26-bit Wiegand code is encrypted into the 128 bit data, and the encryption seems very difficult to break. I have two tags with adjacent serial numbers, and the bit patterns look completely different apart from a standard 4-byte start sequence. The other 96 bits are encrypted (Keri does advertise NXT as using 96-bit encryption, so this makes sense). It can't be that difficult because the reader has to undo the encryption, so it's likely something simple, but I haven't figured it out yet.
Ask: I need a copy of the firmware .bin file for any Keri NXT-compatible reader. Can't get this from Keri without a dealer login. Then I can perform disassembly and static analysis to figure out the encryption (I'm pretty sure the 26-bit Wiegand data is sent unencrypted over the RS-485 link). PM me if you can help!
I would share the card serial numbers here but it may reveal my identity so I'm going to not do that on the public forum at least.
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 4 - RF/50
eXtended mode : No
Modulation : 5 - FSK 2 RF/8 RF/10
PSK clock frequency : 0
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 4
Password mode : No
Sequence Start Terminator : No
Fast Write : No
Inverse data : Yes
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x00105082 00000000000100000101000010000010
-------------------------------------------------------------
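Added example, not from the thread or from the Proxmark3 project: a decoder and encoder for the T55x7 block 0 configuration word in the dump above. The field positions follow the T5577 datasheet (the same bit masks the Proxmark3 client uses); the post prints only the decoded dump and never states the layout, so the layout is my assumption, checked here against the dump's own value 0x00105082.

```python
# T55x7 block 0 layout (assumed from the T5577 datasheet, not stated in the thread):
#   bits 31..28 master/"safer" key, bits 20..18 data bit rate, bit 17 X-mode,
#   bits 16..12 modulation, bits 11..10 PSK clock, bit 9 AOR, bit 8 OTP,
#   bits 7..5 max block, bit 4 password, bit 3 sequence terminator,
#   bit 2 fast write, bit 1 inverse data, bit 0 POR delay.
BITRATES = ("RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128")
MODULATIONS = {0: "DIRECT", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1", 5: "FSK2",
               6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase", 24: "Biphase a"}
PSK_CF = {0: "RF/2", 1: "RF/4", 2: "RF/8"}
FLAGS = {
    "aor": 1 << 9, "otp": 1 << 8, "password": 1 << 4, "sequence_terminator": 1 << 3,
    "fast_write": 1 << 2, "inverse_data": 1 << 1, "por_delay": 1 << 0,
}


def decode_block0(block0: int) -> dict:
    """Break a 32-bit block 0 word into the fields the Proxmark dump prints."""
    if block0 >> 32:
        raise ValueError("block 0 is a 32-bit word")
    fields = {
        "safer_key": (block0 >> 28) & 0xF,
        "bitrate_index": (block0 >> 18) & 0x7,
        "x_mode": bool((block0 >> 17) & 1),
        "modulation_index": (block0 >> 12) & 0x1F,
        "psk_cf_index": (block0 >> 10) & 0x3,
        "max_block": (block0 >> 5) & 0x7,
    }
    fields["bitrate"] = BITRATES[fields["bitrate_index"]]
    fields["modulation"] = MODULATIONS.get(fields["modulation_index"], "reserved")
    fields["psk_cf"] = PSK_CF.get(fields["psk_cf_index"], "reserved")
    for name, mask in FLAGS.items():
        fields[name] = bool(block0 & mask)
    return fields


def encode_block0(bitrate_index: int, modulation_index: int, max_block: int, *,
                  safer_key: int = 0, x_mode: bool = False, psk_cf_index: int = 0,
                  **flags: bool) -> int:
    """Inverse of decode_block0; keyword flags use the FLAGS names, e.g. inverse_data=True."""
    unknown = set(flags) - set(FLAGS)
    if unknown:
        raise ValueError(f"unknown flag(s): {sorted(unknown)}")
    if not (0 <= bitrate_index <= 7 and modulation_index in MODULATIONS
            and 0 <= max_block <= 7 and 0 <= safer_key <= 0xF and 0 <= psk_cf_index <= 3):
        raise ValueError("field value out of range")
    word = safer_key << 28
    word |= bitrate_index << 18
    word |= int(x_mode) << 17
    word |= modulation_index << 12
    word |= psk_cf_index << 10
    word |= max_block << 5
    for name, on in flags.items():
        if on:
            word |= FLAGS[name]
    return word


def as_bitstring(block0: int) -> str:
    """The 32-character binary rendering shown next to the hex value in the dump."""
    return f"{block0:032b}"


if __name__ == "__main__":
    word = 0x00105082                       # block 0 value from the dump in the thread
    for k, v in decode_block0(word).items():
        print(f"{k:>18}: {v}")
    rebuilt = encode_block0(4, 5, 4, inverse_data=True)
    print(f"rebuilt 0x{rebuilt:08X} == 0x{word:08X}: {rebuilt == word}")
    print(as_bitstring(word))
```

Reading the flags this way also makes the tag's protection state explicit: in the dump above `password` and `otp` are both clear, so nothing stops the configuration or the data blocks of that T5557 from being rewritten, which is the expected state for a freshly programmed clone and a useful thing to check when auditing a credential population.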