Proxmark3 community

#1 2015-04-10 22:32:33

bandguy
Member
Registered: 2015-04-10
Posts: 7

clone hid corp 1000 on t55x7 tags

Hi All,

I've been attempting this the last few days to no avail. I do understand the parity scheme of corp 1000 (verified a few random cards on the brivo card calculator). On a side note, I have cloned 26/37 bit cards without a problem (and I understand the underlying formats).

When I scan a corp 1000 card (lf read, data samples 16000, data fskdemod) I get the 44 bit binary output (and hex). Everything seems ok.

I use the hid clone option to write the hex output from above into the t55x7 tag. When I read the tag again it seems to match 100% to the original card. When I scan it on an access control system it doesn't work. Upon checking logs, two different systems both show "card misread" or "unsupported number of bits". One identified the format as a 37 bit card instead of 35.

As far as I understand, the card should look like: 0000 0010 1PPS SSSS SSSS SSSC CCCC CCCC CCCC CCCC CCCP

P = Parity, S = Site/Facility, C = Card

Is there something I'm missing? Is it supposed to be written differently to the T55x7 tags?

#2 2015-04-11 02:32:07

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: clone hid corp 1000 on t55x7 tags

From what you have posted, it appears that your understanding of the 35-bit Corp 1000 format is correct.

I assume that both backend controllers that you were testing it with actually do support 35-bit card formats. If they don't, a similar error message would be manifested.

It would be beneficial if you posted an example of the card data that is not being read correctly. That way someone could possibly take the data and run it through an independent calculator to compare the 44-bit codes and T55x7 register settings that are being generated.

If the backend controller is reporting an error then you could also try reading your card using a separate standalone Prox reader while monitoring the corresponding Wiegand code output on a DSO or logic analyzer. That would tell you how each card's data (original and clone) is being read and interpreted.

#3 2015-04-11 02:48:23

bandguy
Member
Registered: 2015-04-10
Posts: 7

Re: clone hid corp 1000 on t55x7 tags

I couldn't find any logs on either system other than 'card misread' and 'unsupported number of bits'. I looked at each and the corporate 1000 format is supported for setting up new users. I'm not sure how I'd find the data that's being read incorrectly.

For example, when I read an actual card, and the clone, I get:

proxmark3> lf read
#db# buffer samples: blah blah xx xx xx xx ...                 
proxmark3>
proxmark3> data samples 16000
Reading 16000 samples
Done!
proxmark3>
proxmark3> data fskdemod
actual data bits start at sample 4353         
length 50/50         
bits: '000000010111100001001000000111000011001001010'         
hex: 0000002f 0903864a

2120 / 115493

Both clone and original have identical bits and hex output.

Is there something else I should check? I don't have any other kind of prox reader laying around except the proxmark3.

Thanks!!

#4 2015-04-11 03:23:30

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: clone hid corp 1000 on t55x7 tags

I took your data and ran it through my own 35-bit calculator. The output results appear to be the same as yours.

Fac Code = 2120
Card Number = 0115493
44-bit Hex Code = 0x02F0903864A

T55x7 Registers:
Block 0 = 0x00107060
Block 1 = 0x1D5559AA
Block 2 = 0x5596555A
Block 3 = 0x95696599

Unfortunately I am not sure why your card is not being read correctly.
Unless you can monitor the wiegand output of the reader directly I see no other way to zero in on the problem. Anyone else have any ideas?
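
A decoder for the 44-bit code discussed in the posts above, as an added example that is not part of the original thread: it splits the code into facility code and card number using the bit layout from the first post and checks the three parity bits. The parity coverage used here is an assumption (the thread does not spell it out), and the function name is hypothetical.

```python
# Added example: decode a 44-bit HID Prox code as 35-bit Corporate 1000.
# Field layout is the one quoted in the first post; the parity coverage is an
# assumption, checked here against the sample value posted in the thread.

HEADER = 0b000000101   # "0000 0010 1" that precedes the 35 data bits
PAYLOAD_BITS = 35


def decode_corp1000(hex44: str) -> dict:
    raw = int(hex44, 16)
    if raw >> 44:
        raise ValueError("value is wider than 44 bits")
    if raw >> PAYLOAD_BITS != HEADER:
        raise ValueError("header does not match the 35-bit layout")

    # w[1]..w[35] are the Wiegand bits, numbered 1-based from the first bit.
    w = [0] + [(raw >> (PAYLOAD_BITS - i)) & 1
               for i in range(1, PAYLOAD_BITS + 1)]

    facility = int("".join(map(str, w[3:15])), 2)   # bits 3-14, 12 bits
    card = int("".join(map(str, w[15:35])), 2)      # bits 15-34, 20 bits

    # Bit 2: even parity with bits 3..34, skipping bits 5, 8, 11, ...
    even_ok = (w[2] + sum(w[i] for i in range(3, 35) if i % 3 != 2)) % 2 == 0
    # Bit 35: odd parity with bits 2..33, skipping bits 4, 7, 10, ...
    odd_ok = (w[35] + sum(w[i] for i in range(2, 34) if i % 3 != 1)) % 2 == 1
    # Bit 1: odd parity over the whole 35-bit word.
    overall_ok = sum(w[1:]) % 2 == 1

    return {"facility": facility, "card": card,
            "parity_ok": even_ok and odd_ok and overall_ok}


if __name__ == "__main__":
    # 44-bit hex code posted in the thread.
    print(decode_corp1000("02F0903864A"))
```

A code whose header does not match raises `ValueError`, which separates a framing or bit-count problem from a parity problem when comparing two reads.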

#5 2015-04-11 03:43:00

bandguy
Member
Registered: 2015-04-10
Posts: 7

Re: clone hid corp 1000 on t55x7 tags

The one thing that confuses me is that per this link:

http://www.proxmark.org/forum/viewtopic.php?id=1767

it almost looks like the blocks on the t55xx are backwards. Or am I misreading it? i.e. block 1 carries the final 16 bits of the card instead of the first 16 bits.

#6 2015-04-11 03:46:22

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: clone hid corp 1000 on t55x7 tags

It appears you may be using an older firmware version. Could there be a bug? Try updating and see if it fixes it.

#7 2015-04-11 03:47:39

bandguy
Member
Registered: 2015-04-10
Posts: 7

Re: clone hid corp 1000 on t55x7 tags

The one and only other thing that just dawned on me is that we currently use 26 bit and 37 bit cards in both facilities. I was just playing with 35 bit to see if they would work. I wonder if the access control systems don't know what to do since we defined 37 bit cards already. Perhaps it's seeing the 35 bit cards as 37 bit and 'freaking out' since the data is probably wrong (parity, etc...)?

#8 2015-04-11 03:49:17

bandguy
Member
Registered: 2015-04-10
Posts: 7

Re: clone hid corp 1000 on t55x7 tags

marshmellow wrote:

It appears you may be using an older firmware version. Could there be a bug? Try updating and see if it fixes it.

What's the latest version? Apparently I'm running:

proxmark3> #db# Prox/RFID mark3 RFID instrument                 
proxmark3> #db# bootrom: svn 0 2014-04-01 12:12:24                 
proxmark3> #db# os: svn 0 2014-04-01 12:12:24                 
proxmark3> #db# FPGA image built on 2014/03/24 at 21:54:44

#9 2015-04-11 03:54:50

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: clone hid corp 1000 on t55x7 tags

A lot has changed in LF since that build. (Though admittedly not a lot related to cloning hid cards.) If you compile yourself, look at the current github code, otherwise have a look at asper's precompiled code under the windows client forum.
But to be honest I am not aware of any specific changes I think will help...   If your system is not programmed to accept a specific bit format it likely will give you an invalid tag response of some sort.

#10 2015-04-11 03:57:41

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: clone hid corp 1000 on t55x7 tags

bandguy wrote:

The one thing that confuses me is that per this link:

http://www.proxmark.org/forum/viewtopic.php?id=1767

it almost looks like the blocks on the t55xx are backwards. Or am I misreading it? i.e. block 1 carries the final 16 bits of the card instead of the first 16 bits.

That page needs a fix as it read the blocks in big endian and the block numbers got labeled incorrectly.  Thanks for pointing it out as I thought I had fixed all those...

Last edited by marshmellow (2015-04-11 03:59:03)

#11 2015-04-11 03:58:12

bandguy
Member
Registered: 2015-04-10
Posts: 7

Re: clone hid corp 1000 on t55x7 tags

Sounds good. Perhaps I'll take a clone over to a facility I know uses corp 1000 ;)

If it works on there, perhaps our config is preventing the card from being read properly.

Thanks for your help!!

#12 2015-04-11 03:59:16

bandguy
Member
Registered: 2015-04-10
Posts: 7

Re: clone hid corp 1000 on t55x7 tags

marshmellow wrote:
bandguy wrote:

The one thing that confuses me is that per this link:

http://www.proxmark.org/forum/viewtopic.php?id=1767

it almost looks like the blocks on the t55xx are backwards. Or am I misreading it? i.e. block 1 carries the final 16 bits of the card instead of the first 16 bits.

That page needs a fix as it read the blocks in big endian and the block numbers got labeled incorrectly.  Thanks for pointing it out.


Ha, ok. I thought I was going crazy for a second ;)

#13 2015-04-11 04:06:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: clone hid corp 1000 on t55x7 tags

BTW, with the newer firmware you get new raw tools to use so you could get the full raw binary of the tags to compare including the preamble.  Also a good t55x7 block read to verify the data on your t55x7 chip.  (And an lf search command that outputs all you need to know about a lot of different tags...)

#14 2015-11-26 08:17:20

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: clone hid corp 1000 on t55x7 tags

limayi wrote:

Hi

I'm trying to configure a HID 37-bits card, format A10202. Can anyone please help me?

Can you describe the Wiegand format structure?  If so I can give you the Manchester.
