Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2008-11-28 05:43:01

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

HID tag decoder and simulator

I implemented a couple of new commands hidfskdemod and hidsimtag.

hidfskdemod loops continuously (or until the button is pressed) and if a HID tag enters the field it will capture and do the FSK demodulation and Manchester decoding of the waveform to return the tag ID as a hex number. I know very little about HID tags but it seems the tag ID is a 44-bit number and the number printed on the tag is bits 16 through 1 (bit 0 is always 0).

hidsimtag will take a hex number (tag ID) as a parameter and create the proper FSK Manchester-encoded waveform and continuously broadcast it. This could in principle be modified to run a loop and broadcast several IDs in sequence if one wanted to search for a hit in a certain range.

Anyone interested in test driving this code?


#2 2008-11-30 11:40:16

Dennyxiao
Contributor
Registered: 2008-11-01
Posts: 43

Re: HID tag decoder and simulator

Hi, I'm interested in the test.

PS, do you know any details about INDALA PSK (26 bits and 37 bits) cards?


#3 2008-12-16 02:29:05

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: HID tag decoder and simulator

New code 20081211_prox uploaded. It has the HID prox cards demodulator (hidfskdemod) and the simulate by ID (hidsimtag) commands as well as the LCD driver code I've posted about earlier.


#4 2009-01-05 10:11:02

brokentesting
Member
Registered: 2008-11-22
Posts: 13

Re: HID tag decoder and simulator

d18c7db,


Thanks for your excellent contributions to the Proxmark and the Proxmark community.

:)

Keep up the excellent work!


#5 2009-01-15 11:06:11

Dennyxiao
Contributor
Registered: 2008-11-01
Posts: 43

Re: HID tag decoder and simulator

Proxmark is a nice tool to do analysis.


#6 2009-01-30 22:25:49

n0t
Contributor
Registered: 2008-11-24
Posts: 26

Re: HID tag decoder and simulator

d18c7db,

Trying to read an HID tag; I'm assuming they're both 125 kHz but when I run hidfskdemod nothing happens.
The yellow light stays on (until I press the button) but I cannot read the tag???
I've got two cards I'm testing with; one average slim and the other slim like a credit card.

My tune results:
# LF antenna @   6 mA /  8056 mV [1273 ohms] 125Khz
# LF antenna @   8 mA / 10070 mV [1187 ohms] 134Khz
# HF antenna @   0 mA /    96 mV [235 ohms] 13.56Mhz

Any advice?
Thanks.


#7 2009-01-31 02:36:39

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: HID tag decoder and simulator

Check that you're receiving a proper signal: start with loread and plot. Does your waveform look like the one in this thread?


#8 2009-02-04 15:33:29

n0t
Contributor
Registered: 2008-11-24
Posts: 26

Re: HID tag decoder and simulator

I wish....  Not receiving anything.
I'm going to try an older version.  Strange stuff happening with 20081211_prox.
Ever since I flashed bootrom-merged.s19, fpgaimage.s19 and osimage.s19 to my prox I can never reflash without jtagging.
I've got two to test with and the same thing is happening...  I think one is screwed up though, damn thing keeps rebooting.


#9 2009-02-04 16:11:04

n0t
Contributor
Registered: 2008-11-24
Posts: 26

Re: HID tag decoder and simulator

Finally.... After all the software changes I decided to re-check hardware...
It was a h/w issue probably somewhere in the fpga; now I'm getting a nice waveform.
I'm a happy camper.... going to test now.....


#10 2009-02-05 01:13:21

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: HID tag decoder and simulator

Glad it's sorted. Re not being able to reflash without jtagging, the newer version of the code needs you to hold the button down to reflash. Read the change.txt in the doc directory.
Your issue might have been an out-of-sync FPGA image and osimage; the newer osimage talks to the FPGA with a slightly different serial method (not bitbanging anymore), so the FPGA code had to change a little.
It's all explained in the changes.txt


#11 2009-03-07 21:51:04

wrc
Member
Registered: 2009-02-08
Posts: 4

Re: HID tag decoder and simulator

I hate to resurrect an old thread, but this code works great.  It saved me countless hours of work...if my work would even reach this level.


#12 2009-04-07 03:07:11

hugo
Member
Registered: 2009-04-02
Posts: 3

Re: HID tag decoder and simulator

I am testing hidfskdemod and hidsimtag against a USB RF Ideas Model RDR-6082AKU, and the two don't give me the same result.

Here is the result of hidfskdemod:
#db# TAG ID
#db# 00000020, 05879390, 0000c9c8 (What are the first 2 numbers for?)

Using my pcProx reader the same card returns a slightly different value: 00.00.00.00.00.C3.C9.C8 (C3 represents the Facility Code, and C9C8 is the ID Code)

If I say to emulate c9c8
> hidsimtag c9c8
Emulating tag with ID 0            c9c8

My pcProx reader reads: 00.00.00.00.00.00.64.E4.

And if I emulate c3c9c8

> hidsimtag c3c9c8
Emulating tag with ID 0          c3c9c8
My pcProx reader reads: 00.00.00.00.00.61.E4.E4.

Am I doing something wrong or is this a bug? Let me know how I can help.


#13 2009-04-07 06:59:12

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: HID tag decoder and simulator

There's no bug. If you want to simulate your tag you should use the first two hex numbers concatenated,
for example hidsimtag 2005879390

The last hex number is derived from the previous two like so ( (2005879390 / 2) AND 0x1FFFF)
When converted to decimal should be the number printed on your tag, eg 0xc9c8 = 51656

What confused you is that your PC reader doesn't show you the full tag ID, just the facility code and serial number.

Hope this helps :)

Last edited by d18c7db (2009-04-07 07:09:14)


#14 2009-04-07 09:07:40

hugo
Member
Registered: 2009-04-02
Posts: 3

Re: HID tag decoder and simulator

Thanks, it works a lot better :)


#15 2009-04-08 23:44:45

rule
Moderator
Registered: 2008-05-21
Posts: 416

Re: HID tag decoder and simulator

Any of you know what this document is all about?
http://rfid-reader.googlecode.com/files … Format.pdf

Is it useful for decoding HID tag numbers? Shall I put it in the files section?


#16 2009-04-09 07:35:43

touf
Contributor
Registered: 2008-12-11
Posts: 27

Re: HID tag decoder and simulator

HID readers, like most readers, send data to the system they are connected to through two formats: Wiegand or Data/clock.

That's what your file is about.

That transmission takes place once the reader has read the tag. It is the non-RF part of its job.

It is interesting, but probably not for the Proxmark users.


#17 2009-05-30 14:38:38

cptnslick
Member
Registered: 2009-05-27
Posts: 7

Re: HID tag decoder and simulator

I want the proxmark to run the hidsimtag command when it starts up without having to hook it to a pc and issue the command.

Let's say my card scanned out at 00000020, 05879390, 0000c9c8

I thought this would be as simple as putting the following command in just before the final for loop in the AppMain() function.

----code snip----

//start by sending HID key
CmdHIDsimTAG(20, 5879390);

//wait for commands
for(;;) {
    UsbPoll(FALSE);
    WDT_HIT();
}

----code snip----

When I use the proxmark, with the code above, the reader beeps but doesn't open the door, so I know it's at least transmitting something. If I use the laptop to send the command with the GUI it opens the door.

Can anyone explain what I am doing wrong? Thanks


#18 2009-05-31 01:32:05

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: HID tag decoder and simulator

What if you tried? Any difference?

SpinDelay(1000);
CmdHIDsimTAG(20, 5879390);
CmdHIDsimTAG(20, 5879390);
CmdHIDsimTAG(20, 5879390);


#19 2009-06-01 12:11:40

cptnslick
Member
Registered: 2009-05-27
Posts: 7

Re: HID tag decoder and simulator

Thanks for your quick reply.

The code you suggested didn't fix it. This is very strange to me. I have been staring at the code for days now and I can't figure out why this won't work.

Any other ideas?

Would anyone else like to give it a try on their proxmark and let me know what happens?

thanks!


#20 2009-06-01 12:57:27

proxcat
Contributor
Registered: 2008-11-28
Posts: 62
Website

Re: HID tag decoder and simulator

Cptn,

You might have a representation problem. Try

CmdHIDsimTAG(0x20, 0x5879390);

Instead.

cptnslick wrote:

I want the proxmark to run the hidsimtag command when it starts up without having to hook it to a pc and issue the command.

Let's say my card scanned out at 00000020, 05879390, 0000c9c8

I thought this would be as simple as putting the following command in just before the final for loop in the AppMain() function.

----code snip----

//start by sending HID key
CmdHIDsimTAG(20, 5879390);

//wait for commands
for(;;) {
    UsbPoll(FALSE);
    WDT_HIT();
}

----code snip----

When I use the proxmark, with the code above, the reader beeps but doesn't open the door, so I know it's at least transmitting something. If I use the laptop to send the command with the GUI it opens the door.

Can anyone explain what I am doing wrong? Thanks


#21 2009-06-03 04:02:34

cptnslick
Member
Registered: 2009-05-27
Posts: 7

Re: HID tag decoder and simulator

Proxcat, that was a great idea. It works now.

Thank you for the help.

BTW, I am very happy with the proxmark3 I purchased from you recently. It is much nicer than I could have built it.

Cptnslick


#22 2009-06-17 03:53:42

hugo
Member
Registered: 2009-04-02
Posts: 3

Re: HID tag decoder and simulator

I did my own similar hack for running proxmark without a computer. When it boots the card is in listen mode until it sees a HID card, then it switches to emulate mode. Each time the button is pressed the ID of the card increments by one, allowing brute forcing...

Ideally I would like to find a way to store the card number in the flash memory. I'll post my code when it's clean if anyone is interested...


#23 2009-06-17 08:18:18

shinechou
Contributor
Registered: 2008-10-20
Posts: 35

Re: HID tag decoder and simulator

hugo wrote:

I did my own similar hack for running proxmark without a computer. When it boots the card is in listen mode until it sees a HID card, then it switches to emulate mode. Each time the button is pressed the ID of the card increments by one, allowing brute forcing...

Ideally I would like to find a way to store the card number in the flash memory. I'll post my code when it's clean if anyone is interested...

Very nice work! Would you like to share your code?


#24 2009-06-18 01:00:00

cptnslick
Member
Registered: 2009-05-27
Posts: 7

Re: HID tag decoder and simulator

I like where your idea is going.

If you added the LCD mod to the system, you could have your scanned cards displayed there so you could write them down and program them in later. With the LCD you could probably get 20 or so codes on the screen.

Now that I think about it, would it be possible to use that same serial interface the LCD is using to write codes to a USB drive? I will post that question in the Board Mods section too.

Anyway, back to code ideas......

I am adding a third argument to the function that takes A B C or D

A B C & D = colors of LEDs

    SpinDelay(1000);
    CmdHIDsimTAG(0x0, 0x0, A);
   
    SpinDelay(1000);
    CmdHIDsimTAG(0x0, 0x0, B);
   
    SpinDelay(1000);
    CmdHIDsimTAG(0x0, 0x0, C);
   
    SpinDelay(1000);
    CmdHIDsimTAG(0x0, 0x0, D);

Now I can store multiple codes; each time I push the button it should jump to the next step, change the LED color and transmit a new code. I haven't tried it yet, but it should work.

You could use your code that reads and then transmits for the last step instead of just hard coding it in there.

Keep the ideas coming!


#25 2009-07-07 04:10:21

rleroy
Contributor
From: Between a REQB and a ATQB
Registered: 2009-03-04
Posts: 61

Re: HID tag decoder and simulator

d18c7db wrote:

Anyone interested in test driving this code?

It might be a little bit late (7 months later), but I've tried hidfskdemod and hidsimtag functions in front of a real HID security system and it worked flawlessly!

Wonderful!


#26 2009-07-07 09:51:19

duran97
Contributor
Registered: 2009-06-16
Posts: 63

Re: HID tag decoder and simulator

The HID functions are definitely useful for my line of business.  Something similar for Indala cards would be fantastic - the indalademod is there, but having something similar to the HID functions would be useful indeed.


#27 2009-07-07 11:09:29

szymonunion
Contributor
Registered: 2009-07-05
Posts: 46

Re: HID tag decoder and simulator

Rleroy,

what firmware version did you use - 20081211_prox or 2009xxxx ?


Regards,

--
SzYmOn



#28 2009-07-07 13:31:15

rleroy
Contributor
From: Between a REQB and a ATQB
Registered: 2009-03-04
Posts: 61

Re: HID tag decoder and simulator

Duran97: Probably... But I never came across Indala cards yet :)

szymonunion: The one right here: http://proxmark3.googlecode.com/files/p … 03-r29.zip . It works very well!


#29 2009-07-07 18:55:17

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: HID tag decoder and simulator

I would write HID-like functions for Indala but I don't have cards/reader...any specifics that are recommended?


#30 2009-07-07 19:59:46

duran97
Contributor
Registered: 2009-06-16
Posts: 63

Re: HID tag decoder and simulator

I can send you a card samy.

The readers aren't cheap, and I've not seen a desktop model yet, just ones that integrate into an access control system.  I can however trial anything you write on the system at work.

In saying that, a proxmark will already read the cards, so if you had two.

Might be slightly trickier than the HID functions, as keys come in two lengths. The ones I have are 224 bit keys.

Hopefully the existing Indala function gives you sufficient insight.

I'd actually be happy if there was a generic function that ran a loread until a card was detected and then saved that sample.  That could be used whatever the low frequency card was, with the demodulation and simulation done later.


#31 2009-07-07 20:02:51

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: HID tag decoder and simulator

duran97, cool.

I'd be happy to build that function in then have you test at your work. I'll PM you.


#32 2009-07-08 16:06:12

apmsylvain
Member
From: Paris (FRANCE)
Registered: 2009-01-06
Posts: 8

Re: HID tag decoder and simulator

Hi,

Do you have any information on the HID ProxCard II card (http://www.hidglobal.com/documents/proxcard_ds_en.pdf)?

On mine, a number is printed: "05429 11432784-1".
Do you know if it is the UID, or a part of it?
Could the proxmark help me to emulate the card?

> hidfskdemod
#db# TAG ID
#db# 00000020, 06e22a6b, 00001535

In a previous post I see that 2006e22a6b is the UID and we could emulate with

> hidsim 2006e22a6b

Is it the right command for this kind of card?

Thanks.

Last edited by apmsylvain (2009-07-08 16:06:40)


#33 2009-07-08 19:38:10

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: HID tag decoder and simulator

apmsylvain, correct, your hidsim command above will simulate the tag you were able to read.


#34 2009-07-09 17:21:18

apmsylvain
Member
From: Paris (FRANCE)
Registered: 2009-01-06
Posts: 8

Re: HID tag decoder and simulator

Hi samy,

Thanks for your confirmation. Do you know the link between the number printed on the card and its UID?


#35 2009-07-09 18:12:19

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: HID tag decoder and simulator

There are usually two numbers printed on the card, e.g. 05429 11432784-1.

The first number, 05429, is the serial number of the card -- but it's not enough to simulate a card, you still need the facility code. I believe the 11432784-1 is a sales order number that is linked to the card. The facility code isn't printed on the card (unless embedded in the sales order number that I don't know about).

#db# 00000020, 06e22a6b, 00001535

In hidfskdemod, the first two hex blocks (20 06e22a6b) contain the entire serial and all the info to reproduce the card (hence why you only need those for hidsimtag).

The last hex block printed (1535) is information that's already contained in the serial, but convenient as when converted to decimal, is the first number on your tag.

donttasemebro:~ samy$ 3 hd 1535
5429

You can also extract this number from the last 2 bytes of the entire serial (2a6b):

donttasemebro:~ samy$ perl -le 'print 0x2a6b >> 1'
5429

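The decoding described in posts #13 and #35, together with the decimal-versus-hex slip from posts #17 to #21, as an added example that is not part of any post and is not the Proxmark firmware's code. It assumes the 26-bit format mentioned in post #38, with bit positions read off the thread's own sample IDs plus the standard 26-bit Wiegand even/odd parity bits; `hid26_decode` and `hid_full_id` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a 26-bit HID credential, taken from the second hex word that
 * hidfskdemod prints: bit 0 trailing (odd) parity, bits 1-16 card number,
 * bits 17-24 facility code, bit 25 leading (even) parity.
 * Assumption: other HID formats are laid out differently. */
struct hid26 {
    unsigned facility;  /* 8-bit facility code */
    unsigned card;      /* 16-bit card number, as printed on the tag */
    int parity_ok;      /* 1 if both parity halves check out */
};

/* Count the set bits in the low 13 bits of v. */
static int ones13(uint32_t v)
{
    int n = 0;
    for (v &= 0x1FFF; v; v >>= 1)
        n += (int)(v & 1);
    return n;
}

/* Hypothetical helper: decode the low word of a hidfskdemod result. */
struct hid26 hid26_decode(uint32_t lo)
{
    struct hid26 t;
    t.card = (lo >> 1) & 0xFFFF;
    t.facility = (lo >> 17) & 0xFF;
    /* Bits 25..13 must hold an even number of ones, bits 12..0 an odd number. */
    t.parity_ok = (ones13(lo >> 13) % 2 == 0) && (ones13(lo) % 2 == 1);
    return t;
}

/* Hypothetical helper: join the first two printed words into the full ID,
 * i.e. the value post #13 passes to hidsimtag. */
uint64_t hid_full_id(uint32_t hi, uint32_t lo)
{
    return ((uint64_t)hi << 32) | lo;
}

static void show(const char *label, uint32_t hi, uint32_t lo)
{
    struct hid26 t = hid26_decode(lo);
    printf("%-22s id=%llx facility=0x%02x card=%u parity=%s\n", label,
           (unsigned long long)hid_full_id(hi, lo), t.facility, t.card,
           t.parity_ok ? "ok" : "BAD");
}

int main(void)
{
    /* Sample IDs quoted in the thread (posts #12 and #32). */
    show("post #12 tag", 0x20, 0x05879390);
    show("post #32 tag", 0x20, 0x06e22a6b);
    /* Post #17 wrote the same digits as decimal literals: a different ID. */
    show("post #17 decimal slip", 20, 5879390);
    return 0;
}
```

The third line of output shows why the literals matter: the decimal values encode a different ID whose facility code, card number and parity no longer match the card that was read.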

#36 2009-07-11 03:01:51

duran97
Contributor
Registered: 2009-06-16
Posts: 63

Re: HID tag decoder and simulator

Hugo, by the way your PCProx can read the full ID from a HID card - just a matter of configuring it.  If you can't get it going, let me know and I'll work out how I've set my one up.


#37 2013-02-04 01:37:46

scotchtape
Member
Registered: 2012-12-29
Posts: 5

Re: HID tag decoder and simulator

It might be kinda late but...
If I have the Facility ID and the Card Number, how do I figure out the hex value for the proxmark to simulate?
I've been banging my head on a wall all day trying to figure this out...

Any help appreciated...


#38 2013-02-04 15:55:25

carl55
Contributor
From: Colorado USA
Registered: 2010-07-04
Posts: 166

Re: HID tag decoder and simulator

If your HID card uses a 26-bit format then you can try this:
http://www.proxmark.org/files/Documents … xample.pdf


#39 2013-02-08 03:05:27

scotchtape
Member
Registered: 2012-12-29
Posts: 5

Re: HID tag decoder and simulator

Interesting, thank you.
I know in my code, the preamble part looks something like
100.. 0001 then the facility and card number...
Just wondering if all HIDs are the same, or what the preamble does.
I did try writing other values there and the card starts reading different values even though the facility and card code remain the same.


#40 2013-06-20 17:57:38

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,301

Re: HID tag decoder and simulator

Is anyone interested in the HID bit structure for > 37 bit LF Prox cards?  I don't know where to post it - and I'm not allowed to post links to it anyway...  Just thought I'd try to share anyway...


#41 2013-06-20 23:00:18

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 630

Re: HID tag decoder and simulator

marshmellow, put it here.


Want to contact me? Here's my email address...
modhex(ecijhhhhhhhhfchdhbidhniihghdduhehvhtduhbig)


#42 2014-02-20 04:03:15

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,301

Re: HID tag decoder and simulator

Looks like http://www.proxmark.org/forum/viewtopic.php?id=1767 is another thread for these formats.
