Proxmark3 community

DrFalken

Contributor

Registered: 2020-02-28

Posts: 4

Unknown encoding of a 125kHz LF signal (Remote Key-less Entry)

Looking for another set of eyes on this waveform/capture it has me puzzled at the moment. I have experience recovering data from ASK/FSK signals recorded with a HackRF that have various encodings such as Manchester but this one has me a bit confused. I currently suspect it might be Pulse Width Modulation…

Setup: The capture was taken with the Proxmark3 RDV4 configured with the following basic settings.

[usb] pm3 --> lf config L t 120
lf sniff

The Proxmark was then placed by the LF emitter on a Nissan meant to stimulate the Key fob watch responds at a UH frequency (315MHz), the passive entry button was pressed on the vehicle with the Key fob in range resulting in a successful capture with the proxmark3. I saved the capture in both the .pm3 and wav format links below to the files. 

Links:
https://drive.google.com/file/d/1Lvkj6F … sp=sharing
https://drive.google.com/file/d/1YSj2sB … sp=sharing

The Problem: I am not confident in any method I have used thus far to get valid bits out of this capture,  I believe it to be ASK with a clock of 32 but from there I struggle to use the proxmarks tool chain in the client to get the data to bits. I have also attempted to analyze the capture in Universal Radio Hacker with little to no success.

Image:
https://drive.google.com/file/d/1fDAVYa … sp=sharing

Hardware/Software Info:

[ CLIENT ]           
 client: RRG/Iceman          
 compiled with GCC 7.4.0 OS:Linux ARCH:x86_64   

 [ PROXMARK3 RDV4 ]           
external flash:                present           
smartcard reader:           present           

 [ PROXMARK3 RDV4 Extras ]           
 FPC USART for BT add-on support: absent           
          
 [ ARM ]
 bootrom: RRG/Iceman/master/release (git) 
 os: RRG/Iceman/master/release (git) 
 ompiled with GCC 6.3.1 20170620

 [ FPGA ]
 LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
 HF image built for 2s30vq100 on 2020-01-12 at 15:31:16

Any help would be appreciated!

Last edited by DrFalken (2020-03-04 18:16:18)

mwalker

Moderator

Registered: 2019-05-11

Posts: 318

Re: Unknown encoding of a 125kHz LF signal (Remote Key-less Entry)

I had a very quick look at one of the dumps and did an ask demod, and had a quick look at the plot.

00000000.1....11100011111111111111111111111111111111111111111111..0101000.11.000000000000000.1....11100011100110111000011101.
11111111..0101000.11.00000000000000000000000000000000000000000000.1....111000111111111111111..0101000.11.00.1.0..00.111.00..0.
00000000.1....11100011111111111111111111111111111111111111111111..0101000.11.000000000000000.1....11100011100110111000011101..0000000000000

There did seem to be a section that was repeated. 
the "." was not decoded.  looking at the plot the spacing/timing at those spots seemed a little off, so maybe a pause in the transmit ?

The middle line kinda looks to be the invert of the other two

iceman

Administrator

Registered: 2013-04-25

Posts: 9,506

Website

Re: Unknown encoding of a 125kHz LF signal (Remote Key-less Entry)

looks like a PWM..   Since we are talking about a car,  it could be  pcf793x,  hitag-x  type of tag.

DrFalken

Contributor

Registered: 2020-02-28

Posts: 4

Re: Unknown encoding of a 125kHz LF signal (Remote Key-less Entry)

Thank you for the feedback and suggestions, I have taken a few more samples and plan to keep plugging away at it. My goal is to analyze the seed and key relationship between the car and key fob, but this obviously requires a good decode of the LF data.

DrFalken

Contributor

Registered: 2020-02-28

Posts: 4

Re: Unknown encoding of a 125kHz LF signal (Remote Key-less Entry)

So a bit more information, I have included three more samples below along with some details from the IC on the key fob.

NXP
F7952A15
CD5076  03
TnD14171

Haven't had much luck finding a datasheet that will help with determining the data encoding…

Links to captures:
https://drive.google.com/file/d/1Nf1r9m … sp=sharing
https://drive.google.com/file/d/1YrunxF … sp=sharing
https://drive.google.com/file/d/1h3dqzN … sp=sharing