Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2016-07-29 09:52:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

[finished] Jablotron functionality demod/clone/sim

From the following discussions, where @hexa3e8 had a Jablotron system.

REF: www.proxmark.org/forum/viewtopic.php?id=3332&p=1
REF: http://www.proxmark.org/forum/viewtopic.php?id=3387

I've implemented a command set for it:  "LF JABLOTRON"

pm3 --> lf jablotron
help             This help
read             Attempt to read and extract tag data
clone            clone jablotron tag
sim              simulate jablotron tag
pm3 --> lf jablotron clone h
clone a Jablotron tag to a T55x7 tag.
Usage: lf jablotron clone [h] <card ID> <Q5>
Options:
      h          : This help
      <card ID>  : jablotron card ID
      <Q5>       : specify write to Q5 (t5555 instead of t55x7)

Sample: lf jablotron clone 112233
pm3 --> lf jablotron sim h
Enables simulation of jablotron card with specified card number.
Simulation runs until the button is pressed or another USB command is issued.

Usage:  lf jablotron sim [h] <card ID>
Options:
      h          : This help
      <card ID>  : jablotron card ID

Sample: lf jablotron sim 112233
pm3 --> lf jablotron clone 101630
Preparing to clone Jablotron to T55x7 with FullCode: 101630
Blk | Data
----+------------
 00 | 0x00158040
 01 | 0xffff0000
 02 | 0x1016306c
pm3 -->
pm3 --> lf search
Reading 30000 bytes from device memory

Data fetched
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

Jablotron Tag Found: Card ID 101630
Raw: FFFF00001016306C
Checksum: 6C [OK]
Printed:  1410-00-0010-1630

Valid Jablotron ID Found!

[edit]  changed the output and corrected it here also.

Offline

#2 2016-07-29 11:20:12

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: [finished] Jablotron functionality demod/clone/sim

... Although I had followed, mid-way I have not understood well your sorts of revenge's number experiments then I lost it ...

Tag is reported as Nedap or Non-Nedap, have symmetry in the hex ID ... Now uses Reserved Modulation and not bi-phase and tag still function well...

Very interesting... Will play with it this weekend.

Thanks for the great work iceman, Marshmellow and hexa3e8 for an interesting study on a new tag/card type

Last edited by ntk (2016-08-01 17:21:32)

Offline

#3 2016-07-29 11:30:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: [finished] Jablotron functionality demod/clone/sim

The confusing part is that NEDAP has Biphase modulation,  and a preamble of  1111110
where JABLOTRON has Diphase (inverted biphase)  and a preamble of 1111 1111 1111 1111 0

The nedap parity checks should (when imp correct) have detected a failure.  It also did.

Nedap has 128bit
Jablotron has 64bit.

That's why it was so confusing.

Credit goes to @hexa3e8 as well.

Offline

#4 2016-07-29 19:12:43

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [finished] Jablotron functionality demod/clone/sim

I have to say again, A big thumbs up for marshmellow and iceman!  Great to have a new fork. I have tested the new version.
I post my comments below here. I hope my remarks are understandable.

-lf search  [works great, card recognised]

-Is it possible to make the command shorter?  lf jab instead of jablotron (especially after testing smile )

-lf read   I see printed: 1410-00-0010-1630  [is correct]
the card ID = 101630 [that is right, but the system thinks card id=14100000101630  maybe print:systemnumber:14100000101630 , so print also without the -] or something similar.

-lf jablotron sim

pm3 --> lf jablotron read
Reading 30000 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
Jablotron Tag Found: Card ID 101630          
Raw: FFFF00001016306C          
Checksum: 6C [OK]          
Printed:  1410-00-0010-1630    

Usage:  lf jablotron sim h <card ID>         
Options:         
      h          : This help         
      <card ID>  : jablotron card ID         
         
Sample: lf jablotron sim d 112233 

lf jablotron sim d 101630   [does not work when Card ID found is used like this]   number becomes: 14100000000013 
should the card iD be like 0000101630?
test:  same result --> 14100000000013
I think card ID can be up to 10 digits? (that test is on another post)

In the text in post above here it says: Sample  : lf jablotron sim d 123456789
but when I perform:

lf jablotron sim help

I see: Sample: lf jablotron sim d 112233     
Does this mean we have to use hex instead of the found card ID? Not really sure, but it looks different to me. The Card-ID doesn't work.
so far some results. I will test later the clone function.

Offline

#5 2016-07-29 19:29:13

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [finished] Jablotron functionality demod/clone/sim

the sim function has a bug in the implementation
try `lf jab sim 18CFE`

i assume iceman will find and fix it soon wink

Last edited by marshmellow (2016-07-29 19:29:36)

Offline

#6 2016-07-29 19:32:05

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [finished] Jablotron functionality demod/clone/sim

The reader responds with:   14100000019364

I have no doubts iceman will solve it.

Last edited by hexa3e8 (2016-07-29 19:33:24)

Offline

#7 2016-07-29 19:32:11

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [finished] Jablotron functionality demod/clone/sim

clone has the same bug

Offline

#8 2016-07-29 19:33:30

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [finished] Jablotron functionality demod/clone/sim

hexa3e8 wrote:

The reader responds with:   14100000019364

Thanks!

Last edited by marshmellow (2016-07-29 19:47:11)

Offline

#9 2016-07-29 19:34:52

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [finished] Jablotron functionality demod/clone/sim

I noticed it, so I wait with testing clone function.

Offline

#10 2016-07-29 19:36:54

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [finished] Jablotron functionality demod/clone/sim

@marshmellow, it is early in the afternoon in your location? here the evening starts and the weekend begins... so some more time for the forum.

Offline

#11 2016-07-29 19:37:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: [finished] Jablotron functionality demod/clone/sim

The cardID is a hex,  but you can only use 0-9  instead of normal 0-F..

so the clone or sim will happily take the HEX,  but the valid reader will not recognise it.

lf jab clone  292829  should be fine
lf jab clone  2f2829   should fail

Offline

#12 2016-07-29 19:42:55

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [finished] Jablotron functionality demod/clone/sim

the bug is that the help shows a d in front of the data in the example/sample and there should not be one.
try `lf jab sim 101630`

Last edited by marshmellow (2016-07-29 19:50:00)

Offline

#13 2016-07-29 19:48:11

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [finished] Jablotron functionality demod/clone/sim

lf jab clone  292829  works on t55xx card.   reader output -->  14100000292829  smile

lf jab sim 101630 works, reader output --> 14100000101630 smile

Offline

#14 2016-07-29 19:50:37

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [finished] Jablotron functionality demod/clone/sim

hexa3e8 wrote:

@marshmellow, it is early in the afternoon in your location? here the evening starts and the weekend begins... so some more time for the forum.

looks like we will have to find a new tag type to discover as this one is pretty well put to bed.

Offline

#15 2016-07-29 19:53:31

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: [finished] Jablotron functionality demod/clone/sim

Ok, fixed. The help text has been changed.  Pull the changes and try smile



And thanks for pointing it out!

Offline

#16 2016-07-29 20:03:42

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [finished] Jablotron functionality demod/clone/sim

Totally smashed. I have some more tags which I can donate to the forum but it could be that it is my knowledge (or the lack of it) or the tag isn't completely uncovered.(sort of) I have posted some about HT2 tag. a paxton.  After finishing the jablotron I will focus again on that one.
I will update it right away.

Offline

#17 2016-07-29 20:14:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: [finished] Jablotron functionality demod/clone/sim

@hexa3e8, once you're hitting that big wave just ride it bro.  Like a champ.
Jablotron is quite done, just the minor hex over wrapping of values @marshmellow42 mentioned in the other thread.

Go wild with the HT2 tag or Paxton.

I've updated the first post, to reflect the changes done.
And your idea of the printing id,  was it in another way you wanted it?   Do you have a picture of the tag?

Offline

#18 2016-07-29 20:19:08

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [finished] Jablotron functionality demod/clone/sim

lf jab sim 101630

smile  reader output: 14100000101630

lf jab sim 12101630

wink  so a longer number works: 14100012101630

lf jab sim 1212101630

wink  also works: 14101212101630

 lf jab clone 1212101630

The reader responds the same as the previous one.
works extremely easy now!

Offline

#19 2016-07-29 20:32:35

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [finished] Jablotron functionality demod/clone/sim

I guess it is perfect!   Especially the clone function, too easy now.  big_smile
You guys Rock!

@iceman , Thinking of it, I like it the way you created it. just leave it as it is. the printed number on the card is exactly the way you present it.
Jablotron Tag Found: Card ID 294467         
Raw: FFFF0000294467EE         
Checksum: EE [OK]         
Printed:  1410-00-0029-4467 

All the info a person would need is in here.
Wonderful!

Offline

#20 2016-07-29 22:26:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: [finished] Jablotron functionality demod/clone/sim

I changed the demod printing to deal with the hex number.
It shows the card id right, the raw bytes are right, and the checksum is still calc over raw bytes (has to be verified)


Jablotron Tag Found: Card ID 294485
Raw: FFFF000029447FD6    <<--- difference here 
Checksum: D6 [OK]
Printed: 1410-00-0029-4485

Meaning that we can call clone/sim with a raw hexbytes (from a sniff?)  or cardid from a printed badge.

Offline
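
Added example (not part of any post in this thread, and not the Proxmark3 source): a C decoder for the 64-bit raw frames quoted above, with the preamble check from post #3, the checksum check, and the strict 0-9 nibble validation that posts #11 and #20 revolve around. The checksum rule (8-bit sum of the five ID bytes, XOR 0x3A) and all function names are assumptions of this example; the rule reproduces the three Raw values posted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes; names are this example's own, not Proxmark3's. */
enum { JAB_OK, JAB_BAD_PREAMBLE, JAB_BAD_CHECKSUM, JAB_NOT_DECIMAL };

/* Assumed rule: 8-bit sum of the five ID bytes, XOR 0x3A. */
static uint8_t jab_checksum(uint64_t raw) {
    uint8_t sum = 0;
    for (int shift = 40; shift >= 8; shift -= 8)
        sum = (uint8_t)(sum + (uint8_t)(raw >> shift));
    return (uint8_t)(sum ^ 0x3A);
}

/* Decode a 64-bit raw frame. *card_id is set whenever preamble and checksum
 * pass; JAB_NOT_DECIMAL flags a nibble above 9, which a strict reader rejects. */
int jablotron_decode(uint64_t raw, uint64_t *card_id) {
    if ((raw >> 47) != 0x1FFFE)            /* sixteen 1 bits, then a 0 */
        return JAB_BAD_PREAMBLE;
    if (jab_checksum(raw) != (uint8_t)raw) /* low byte carries the checksum */
        return JAB_BAD_CHECKSUM;
    uint64_t id = 0;
    int rc = JAB_OK;
    for (int shift = 44; shift >= 8; shift -= 4) {
        unsigned nib = (unsigned)(raw >> shift) & 0xF;
        if (nib > 9)
            rc = JAB_NOT_DECIMAL;
        id = id * 10 + nib;                /* each nibble is one decimal digit */
    }
    *card_id = id;
    return rc;
}

/* Format the ID the way the thread's "Printed:" line shows it. */
void jab_printed(uint64_t id, char *out, size_t len) {
    snprintf(out, len, "1410-%02u-%04u-%04u", (unsigned)(id / 100000000),
             (unsigned)(id / 10000 % 10000), (unsigned)(id % 10000));
}

int main(void) {
    uint64_t id = 0, raw = 0xFFFF000029447FD6ULL; /* Raw value from post #20 */
    char printed[32];
    int rc = jablotron_decode(raw, &id);
    jab_printed(id, printed, sizeof printed);
    printf("rc=%d id=%llu %s\n", rc, (unsigned long long)id, printed);
    return 0;
}
```

A reader that errors on `JAB_NOT_DECIMAL`, as post #26 later describes for Clock & Data, would refuse the `29447F` frame even though its checksum is valid.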

#21 2016-07-29 23:42:15

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [finished] Jablotron functionality demod/clone/sim

pulled and tested, now also with the new raw data.
(search,read,sim and clone work perfect)
A fun thing I noticed is that the reader takes a longer time to respond, like an extra sec and I have to be much closer to the reader before it finally beeps when I use the "lf sim FFFF00001016306C" command (with the raw data) compared to the "lf jab sim 101630" command. The reader reacts but the lf jab sim command seems a lot stronger signal. (Does that sound plausible by the way both commands work?)

the "lf simask c 64 i b d FFFF00001016306c" works as fast as the "lf jab sim 101630" command.

Offline

#22 2016-07-29 23:58:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: [finished] Jablotron functionality demod/clone/sim

In the code behind, "lf jab sim" uses the "lf simask" function. They should execute in the same time.
But the "lf sim", I don't know why it seems to send a bad signal. Maybe @marshmellow knows?  He re-wrote a lot of it.

Offline

#23 2016-07-30 03:11:33

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [finished] Jablotron functionality demod/clone/sim

I believe you misunderstand what `lf sim` does.

lf sim doesn't take a raw data parameter.  it only attempts to simulate a read tag from the buffer so you must read a tag first then attempt to simulate it.   (it tries to mimic the read waveform without understanding it)

it works pretty well with strong ask tag reads, but not so well with fsk or psk (sometimes works with fsk).  if you have the raw data you must use the specific modulation and encoding sim cmd.

Last edited by marshmellow (2016-07-30 03:15:32)

Offline

#24 2016-07-30 18:56:03

hexa3e8
Contributor
From: EARTH
Registered: 2016-06-27
Posts: 81

Re: [finished] Jablotron functionality demod/clone/sim

That makes sense. I tried to use the RAW data to test, since it was changed, but because lf jab sim and clone work fine (you don't need the RAW for that) I thought let's use the lf sim function. My mistake. If I am right we don't need the RAW data anymore to (re)produce cards (since the sim and clone function is perfect). It is there for the total picture, right?
The title of the post is finished. I totally agree. If I encounter some problems or have some new findings about jablotron I will let you guys know. Now I am waiting for my batteries from china so I can use the proxmark3 without a pc,to put it in the sim mode and experience some adventures. cool

Offline

#25 2016-07-31 21:21:36

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: [finished] Jablotron functionality demod/clone/sim

Didn't HID have this same number format for its HID Clock & Data / H10320 format?   Where hex only can contain 0-9 ?

Offline

#26 2016-08-01 15:41:53

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [finished] Jablotron functionality demod/clone/sim

yes clock & data format uses a hex number as a decimal, but it errors if the value doesn't conform (0-9) and it has multiple parities.  (Clock & Data is a common transmission protocol used often instead of Wiegand)

Last edited by marshmellow (2016-08-01 15:42:25)

Offline
