Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2012-11-26 11:45:31

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Guardall G-Prox II, 125 kHz

Hi All!
Maybe someone knows format Guardall G-Prox II ?

Card number 1365205

Read from card:(96bit)
1101 0
0110 0
1100 0
0000 0
0101 0
0110 0
1101 0
0110 0
1000 0
1011 0
0001 0
0010 0
0011 0
0011 0
1101 0
0101 0
1101 0
0110 0
1111 1 0 - may be start marker ?

Offline

#2 2012-11-27 00:06:38

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Guardall G-Prox II, 125 kHz

There is very little information to work with here.

The start is typical of a number of readers indicating the number of bits used in the card format (26 in this case). Assuming this is correct, that would mean that your card data is possibly '10011110101011101011011111' meaning that:
SC/FC is 61
and CN/IN is 23919

There are a lot of guesses here and I'd surprised if I'm right.

Where do you get 96 from?
When you say the card number is 1365205, do you mean this is printed on the card?

Offline

#3 2012-11-27 10:35:19

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

Hi, 0xFFFF !
I have 8 cards with printed numbers. COOLEDIT programs I recorded and decoded bit sequence. MODULATION was not Manchester, biphase.
Analogs for conventional cards began to look long sequence 1. The longest was 5 bits. So they had to do so on 5 bits never ranked in the data sequence. To do this, every 5 bit is ZERO

printed numbers:
1365205   
1365208   
1365209   
1365210   
1367510   
1367511   
1367512   
1367513   


0 1101 0 0110 0 1100 0 0000 0 0101 0 0110 0 1101 0 0110 0 1000 0 1011 0 0001 0 0010 0 0011 0 0011 0 1101 0 0101 0 1101 0 0110 0 11111
0 1011 0 0000 0 0110 0 0110 0 0011 0 0000 0 1011 0 0000 0 1110 0 1101 0 0111 0 0100 0 0010 0 0101 0 1011 0 0010 0 1011 0 0000 0 11111
0 0111 0 0000 0 1010 0 0110 0 1111 0 0000 0 0111 0 0000 0 0010 0 1101 0 1011 0 0100 0 1110 0 0101 0 0111 0 0001 0 0111 0 0000 0 11111
0 0011 0 0011 0 1010 0 0101 0 1011 0 0011 0 0011 0 0011 0 0110 0 1110 0 1111 0 0111 0 0110 0 0110 0 0011 0 0001 0 0011 0 0011 0 11111
0 0010 0 0000 0 1011 0 0110 0 1010 0 0000 0 0010 0 0000 0 0111 0 1101 0 0000 0 0100 0 0100 0 1011 0 0010 0 0010 0 0010 0 0000 0 11111
0 1110 0 0000 0 0111 0 0110 0 0110 0 0000 0 1110 0 0000 0 1011 0 1101 0 1100 0 0100 0 1000 0 1011 0 1110 0 0001 0 1110 0 0000 0 11111
0 0010 0 0010 0 1111 0 0100 0 1010 0 0010 0 0010 0 0010 0 0111 0 1111 0 0000 0 0110 0 1100 0 1001 0 0010 0 0010 0 0010 0 0010 0 11111
0 1110 0 0010 0 0011 0 0100 0 0110 0 0010 0 1110 0 0010 0 1011 0 1111 0 1100 0 0110 0 0000 0 1001 0 1110 0 0001 0 1110 0 0010 0 11111

Offline

#4 2012-12-03 10:53:23

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

If you apply an operation to XOR standing next byte:
686901BA998467C01D 
6B6A01BA998AE9407B
6B6A01BA998A298078
696801BA9989EA40BA
696801BA9EF2964072
696801BA9EF2568071
6B6A01BA9EF3D70032
6B6A01BA9EF317C031 

XOR  apply to all code cards - get the difference

6B6A01BA998AE9407B     000000000000C0C003 
6B6A01BA998A298078

696801BA9EF2964072     000000000000C0C003
696801BA9EF2568071

6B6A01BA9EF3D70032    000000000000C0C003
6B6A01BA9EF317C031

Offline

#5 2012-12-29 22:13:52

scotchtape
Member
Registered: 2012-12-29
Posts: 5

Re: Guardall G-Prox II, 125 kHz

I have the same questions... except I am a total noob.
I have a g-prox ii fob and don't know how to work with it!

Does the proxmark3 even work with it?

Offline

#6 2013-01-20 11:09:52

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

Hi Scotchtape!
Unfortunately, I was unable to decipher the information on the proxcard ((( Proxmark3 not worked with GPROX card.
If you have a sufficient number of cards and a desire to cooperate, I can send you the reader, print complete information about card

Offline

#7 2013-01-21 23:13:24

scotchtape
Member
Registered: 2012-12-29
Posts: 5

Re: Guardall G-Prox II, 125 kHz

I would but I'm a total noob smile
I also don't have a g-prox "card" - I have a 4 button fob that I think uses the G-prox RFID format.
I'm not sure if it has a printed number, it has an FCC number on it though.

It works with a verex reader.  I'm not sure what the "card number" is.
Wish I could help more too!

Offline

#8 2013-01-21 23:16:39

scotchtape
Member
Registered: 2012-12-29
Posts: 5

Re: Guardall G-Prox II, 125 kHz

I did notice the that their website says it's a 36-bit format though?
Says it comes it 26, 36, and 40 bit formats:

http://verextech.interlogix.com/downloads/G-Prox_II_Cards_DS.pdf

Offline

#9 2014-04-08 14:15:48

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

QONO6A.bmp

Offline

#10 2014-04-08 15:48:22

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Guardall G-Prox II, 125 kHz

Question @ Sentinel:   how does the 1-74474F-1 relate at all to the card number?  what part of the 1-74474F-1 increments for card number 1365206?  Thanks!  great information!

EDIT:
I think I figured it out.  the next card would be 1-744750-1  incrementing in hex.  it appears to have no direct relationship to the external printed number.  (maybe just add 6255226 to the external number and convert to hex to get the internal number?)

Last edited by marshmellow (2014-04-08 18:54:06)

Offline

#11 2014-04-09 07:49:15

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

to Marshmellow
Printed     Wiegand26
1365205  1-74474F-1     add  6255226
1365208  1-744752-1
1365209  1-744753-0
1365210  1-744754-1

1367510  1-7449AC-1    add 6253526
1367511  1-7449AD-0
1367512  1-7449AE-0
1367513  1-7449AF-1

possible shall be calculated in the software access control for a range of cards?

Offline

#12 2014-04-09 08:08:45

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

7vyimUD.jpg
Experimenting with the encryption key and the first byte sequence, I managed to get 27 bit Weigand. Carefully looking at the first byte of a piece, I realized that he is 26 smile

Last edited by Sentinel (2014-10-13 08:56:18)

Offline

#13 2014-04-15 16:18:34

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

f4FOz5.bmp
my generator cards worked night and here is the result. Weigand generate sequence then was selected key (8bit) and two strange bits - 1024 options. If the reader read this card - its code recorded in the log file. Rather, these are a 10 bit of this - CRC10. calculate it would be quite difficult: (

PS fixed a bug,  that was noticed Marshmellow

Last edited by Sentinel (2014-04-16 10:03:48)

Offline

#14 2014-04-15 17:47:27

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Guardall G-Prox II, 125 kHz

@Sentinel:  are you attempting to identify the Parity? (or P?).
With your data I've worked out this parity structure that works with the cards I've tested:

Wiegand data:
   XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXX
L   EE E   E  E  E     E  E   E   E E  E    
R   OO OOOOO OO OO OOOOO OOOO O  OO O OO OOO

where LR = P = 10 or 00 or 01 or 11
and E = even parity digit, O = odd parity digit

I'm doing further testing to see it if works for all card data I have

thoughts?

Edit: ...

Last edited by marshmellow (2014-04-15 22:02:34)

Offline

#15 2014-04-15 18:55:19

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

@marshmellow: Now I will check your theory)
Guardal reader responds to only one combination of 1024 states. Assume that P - is not parity, as part of the CRC10 .. I think we should look for math forum and ask there, as the output of the restore poltnom CRC:)
Still have a few features. Weygand value lies in the range  20 ... 40 bits. for values less than 19bit, and I could not find CRC. just nothing works, if you change the 0x0100 (16bit)

Offline

#16 2014-04-15 19:29:43

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Guardall G-Prox II, 125 kHz

I fixed my issue, my application wasn't following my map correctly(and I flip flopped odd and even on the R).  I've adjusted the parity map I used above a little and it appears to work with the samples I have. (which admittedly is limited) 

That said, I have no clue how the Key is generated.  but it is possible that if the Parity is incorrect then the reader wouldn't respond.  in that case you would need to have the correct key and the correct calculated parity bits as you suggest.  once we know the parity calculation for sure then the key is likely a crc8 of sorts.
but really the math you are doing is out of my current reach so i'll yield to you and any math forum you find smile

btw: we also do not know the calculation for the last wiegand bit the -1 or -0.

Last edited by marshmellow (2014-04-15 19:46:05)

Offline

#17 2014-04-15 20:09:08

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

@marshmellow:
"btw: we also do not know the calculation for the last wiegand bit the -1 or -0."
As far as I understood, at guardal, like HIDD parity bits stored on the card.. all sequences have been read and transferred to Weigand interface. Although not all of them are correct from the point of view of the last bit parity. for example:
10010010 011010 11 0000000100000000 00000000000000000000000000 00000000000000 (all zero)

Offline

#18 2014-04-15 20:18:55

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

my device enumerates codes with rate 4 per second smile  goes through all the options (1024) about 4 minutes..

Offline

#19 2014-04-15 20:21:37

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Guardall G-Prox II, 125 kHz

is the card with all zero's a valid number?  what is the card number output by the reader?  it doesn't follow the format 1-XXXXXX-P.  that may change the parity calculation.  I may not have the calculations perfect (missing a bit or using a bit I shouldn't) but from what I see it looks very much like a parity calculation.

With HID readers, if the binary prefix or header is incorrect it will not output any wiegand.  is it possible the guardal reader checks the parity as part of the decrypt function and ignores invalid data?

Offline

#20 2014-04-15 20:22:37

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Guardall G-Prox II, 125 kHz

Sentinel wrote:

my device enumerates codes with rate 4 per second smile  goes through all the options (1024) about 4 minutes..

Nice smile

Offline

#21 2014-04-15 20:45:34

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

@marshmellow:
>With HID readers, if the binary prefix or header is incorrect it will not output any wiegand. 

If you do not put the first 1 (defining the beginning of Weygand) in Hidd sequence, you can get a zero-Weigand. Reader beeps, but nothing gives to Weigand. with my HIDD reader passed this trick)

Offline

#22 2014-04-15 22:01:41

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Guardall G-Prox II, 125 kHz

you are correct that HID readers will do that as long as the header bits are correct (the header is not part of the wiegand data).

Offline

#23 2014-04-15 22:16:08

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Guardall G-Prox II, 125 kHz

can you check this line in your image file above:

10010010 011010 10 0000000100000000 00000000000000000000010000 00000000000000   92-1

the 10 and 92-1 appear to be mismatched.

Offline

#24 2014-04-16 09:55:33

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

@marshmellow:
ups...I wrote HEX data manually - so wrong)
10010010 011010 10 0000000100000000 00000000000000000000010000 00000000000000  92-2

Offline

#25 2014-04-16 09:59:19

Sentinel
Contributor
Registered: 2012-11-26
Posts: 191

Re: Guardall G-Prox II, 125 kHz

Here tried consistently generate Weigand 26 ..

10010010 011010 11 0000000100000000 00000000000000000000000000 00000000000000
10010011 011010 11 0000000100000000 00000000000000000000000001 00000000000000
10010000 011010 11 0000000100000000 00000000000000000000000010 00000000000000
10010001 011010 11 0000000100000000 00000000000000000000000011 00000000000000

11010001 011010 01 0000000100000000 00000000000000000000000100 00000000000000
11010000 011010 01 0000000100000000 00000000000000000000000101 00000000000000
11010011 011010 01 0000000100000000 00000000000000000000000110 00000000000000
11010010 011010 01 0000000100000000 00000000000000000000000111 00000000000000

00010010 011010 10 0000000100000000 00000000000000000000001000 00000000000000
00010011 011010 10 0000000100000000 00000000000000000000001001 00000000000000
00010000 011010 10 0000000100000000 00000000000000000000001010 00000000000000
00010001 011010 10 0000000100000000 00000000000000000000001011 00000000000000

01010011 011010 00 0000000100000000 00000000000000000000001100 00000000000000
01010010 011010 00 0000000100000000 00000000000000000000001101 00000000000000
01010001 011010 00 0000000100000000 00000000000000000000001110 00000000000000
01010000 011010 00 0000000100000000 00000000000000000000001111 00000000000000

10010010 011010 10 0000000100000000 00000000000000000000010000 00000000000000

10110110 011010 01 0000000100000000 00000000000000000000100000 00000000000000
10110111 011010 01 0000000100000000 00000000000000000000100001 00000000000000
10110100 011010 01 0000000100000000 00000000000000000000100010 00000000000000
10110101 011010 01 0000000100000000 00000000000000000000100011 00000000000000

It is strange that no one else met such cards: (

Last edited by Sentinel (2014-04-16 10:06:19)

Offline

#26 2015-02-23 03:33:33

Lenox
Contributor
Registered: 2015-01-29
Posts: 42

Re: Guardall G-Prox II, 125 kHz

I see Chubb system using Verex fob.
Is there any way to decode this fob yet?

Offline

#27 2015-02-23 09:53:40

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Guardall G-Prox II, 125 kHz

More info here.

Offline

#28 2015-02-23 14:06:36

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Guardall G-Prox II, 125 kHz

The new data rawdemod ar  and data biphaserawdecode  should get you the binary programmed on the chip. 
You would need to find the start of the bitstream and
then follow sentinel's procedure to decrypt to get the card ID and fc.

Last edited by marshmellow (2015-02-25 23:28:45)

Offline

#29 2015-03-12 01:56:06

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Guardall G-Prox II, 125 kHz

there is a new auto demod for this tag now included in <lf search> , or <data askgproxiidemod>

Offline

Board footer

Powered by FluxBB