Proxmark3 community


#1 2017-07-08 20:19:41

Geka
Contributor
Registered: 2017-07-03
Posts: 6

[solved] Clone ICT, Unknown FSK Modulated Tag

Hello,

Can you please help me to clone ICT, Unknown FSK Modulated Tag?

I've reviewed the topics below but still have some trouble cloning it.
I am not sure how to do a repeating binary value with FSK2 modulation and RF/50. Is it possible to provide a guide or links for reference?
- Decoding & Cloning ICT Key Fob
- ICT Key Fob - Bad signal?
- Help with decoding and cloning ict tag


Fob looks like this one:
ICT fob

blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 101070E0 | 00010000000100000111000011100000 | ..p.
 01 | F6A55995 | 11110110101001010101100110010101 | ..Y.
 02 | 2D3352B5 | 00101101001100110101001010110101 | -3R.
 03 | CCB2D532 | 11001100101100101101010100110010 | ...2
 04 | 2AD4B2AD | 00101010110101001011001010101101 | *...
 05 | B2D552D4 | 10110010110101010101001011010100 | ..R.
 06 | D334CB2A | 11010011001101001100101100101010 | .4.*
 07 | 00000000 | 00000000000000000000000000000000 | ....
Reading Page 1:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 101070E0 | 00010000000100000111000011100000 | ..p.
 01 | E0150A64 | 11100000000101010000101001100100 | ...d
 02 | 2B9425BA | 00101011100101000010010110111010 | +.%.
 03 | 00000000 | 00000000000000000000000000000000 | ....
 
Using Clock:50, invert:0, fchigh:10, fclow:8
FSK2 decoded bitstream:
1101111111011111
0001111000111111
1101111111011111
0001111000111111
1101111111011111
0001111000111111
1101111111011111
0001111000111111
1101111111011111
00011110

Unknown FSK Modulated Tag Found!
0101001011001101
0010101010101101
0010101100101100
1100101100110100
1101010101111111
1111111111111111
1111111110000100
1010110101010011
0011010101010010
1100110010101101
0100101010110011
0100110100101010
1100110101010101
0010101101001101
0101001011001101
0010101010101101
0010101100101100
1100101100110100
1101010101111111
1111111111111111
1111111110000100
1010110101010011
0011010101010010
1100110010101101
0100101010110011
0100110100101010
1100110101010101
0010101101001101
0101001011001101
0010101010101101
0010101100101100
1100101100110100
1

Sample dataset:
https://pastebin.com/rUVCtN3s

Thank you!

Last edited by Geka (2017-07-17 16:49:05)


#2 2017-07-10 18:11:22

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Re: [solved] Clone ICT, Unknown FSK Modulated Tag

The answer is there?

You need a lf t55 blank chip to do so.

I could clone one for you and send it to you. Just buy it off my shop if you need to.

lf t55 wrbl b 0 d 101070E0 (for page 0)
lf t55 wrbl b 1 d F6A55995
follows

lf t55 wrbl b 0 d 101070E0 1 (page 1 onwards)
lf t55 wrbl b 0 d E0150A64 1
follows ?

Last edited by Dot.Com (2017-07-10 18:13:08)


#3 2017-07-10 21:20:46

Geka
Contributor
Registered: 2017-07-03
Posts: 6

Re: [solved] Clone ICT, Unknown FSK Modulated Tag

Thanks Dot.Com for your reply.

The problem is when I try to copy the first 8 blocks I get the below output. It will not change blk 5.
Can you also confirm how should I copy the "Reading Page 1" information? Looks like I can't get correct blk 1 and 2 in Page 1.

Last edited by Geka (2017-07-20 00:46:44)


#4 2017-07-10 21:46:31

Geka
Contributor
Registered: 2017-07-03
Posts: 6

Re: [solved] Clone ICT, Unknown FSK Modulated Tag

Below are results with different t55 fob, let me know if you see something incorrect?

Thanks!

blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 101070E0 | 00010000000100000111000011100000 | ..p.
 01 | ED4AB32B | 11101101010010101011001100101011 | .J.+
 02 | 2D3352B5 | 00101101001100110101001010110101 | -3R.
 03 | CCB2D532 | 11001100101100101101010100110010 | ...2
 04 | 2AD4B2AD | 00101010110101001011001010101101 | *...
 05 | B2D552D4 | 10110010110101010101001011010100 | ..R.
 06 | D334CB2A | 11010011001101001100101100101010 | .4.*
 07 | 00000000 | 00000000000000000000000000000000 | ....
Reading Page 1:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 101070E0 | 00010000000100000111000011100000 | ..p.
 01 | E0150A59 | 11100000000101010000101001011001 | ...Y
 02 | 31E1A2F1 | 00110001111000011010001011110001 | 1...
 03 | 00000000 | 00000000000000000000000000000000 | ....
pm3 -->

Last edited by Geka (2017-07-20 00:47:29)


#5 2017-07-11 04:54:17

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [solved] Clone ICT, Unknown FSK Modulated Tag

Writing small fobs with a pm3 often requires a small focused antenna or multiple write attempts per block.


#6 2017-07-16 22:52:21

Geka
Contributor
Registered: 2017-07-03
Posts: 6

Re: [solved] Clone ICT, Unknown FSK Modulated Tag

Thank you marshmellow!

I noticed that when I write all the blocks first except 0 it will look OK, but then once I try to change block 0, block 4, 6 or sometimes just 5 will change to different values.
Even if I try writing multiple times to block 4 and 6, or just block 5, after setting block 0 they will not change.

Could there be any other problem? I don't think it's the antenna or multiple write attempts issue.

Thanks!

Last edited by Geka (2017-07-16 23:14:20)


#7 2017-07-17 06:14:17

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [solved] Clone ICT, Unknown FSK Modulated Tag

After changing block 0 you have to re-detect the t55xx tag before attempting to read again (lf t55 detect).

And even then, if the tag moves or for some other reason the tag powers up a little differently, it could mess up the offset of the bits on a block read.

(t55xx tags don't have any sync pattern to verify where the block payload begins or ends, so we just guess based on timing.)
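
An added illustration of the two points in the post above (not code from the thread or from the Proxmark3 project): it decodes the block 0 word 101070E0 using the T55x7 basic-mode configuration layout, which shows why the reader settings depend on block 0, and it compares the page 0 dumps from posts #1 and #4 for a bit-offset read. It assumes a mis-timed block read shows up as the block rotated by some number of bits; the function names are hypothetical.

```python
# Added example: T55x7 block 0 decoding and read-offset check.
BITRATES = [8, 16, 32, 40, 50, 64, 100, 128]  # RF/n, selected by a 3-bit field
MODULATIONS = {0: "direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
               5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase"}

def decode_config(word):
    """Split a basic-mode T55x7 block 0 word into its fields."""
    mod = (word >> 12) & 0x1F
    return {
        "master_key": (word >> 28) & 0xF,
        "bitrate": "RF/%d" % BITRATES[(word >> 18) & 0x7],
        "modulation": MODULATIONS.get(mod, "reserved(%d)" % mod),
        "max_block": (word >> 5) & 0x7,   # last block sent in normal read mode
        "password": bool((word >> 4) & 0x1),
    }

def rotation_offset(expected, observed, width=32):
    """Return k if observed equals expected rotated left by k bits, else None.
    Assumption: the tag repeats the addressed block, so a read that starts
    k bits late looks like a rotation of the stored word."""
    mask = (1 << width) - 1
    for k in range(width):
        if ((expected << k) | (expected >> (width - k))) & mask == observed:
            return k
    return None

def compare_dumps(expected, observed):
    """Classify each block as 'match', 'shifted by k' or 'differs'."""
    report = {}
    for blk, (e, o) in enumerate(zip(expected, observed)):
        k = rotation_offset(e, o)
        report[blk] = "match" if k == 0 else ("shifted by %d" % k if k else "differs")
    return report

# Page 0 values copied from the dumps in posts #1 and #4 of this thread.
POST1 = [0x101070E0, 0xF6A55995, 0x2D3352B5, 0xCCB2D532,
         0x2AD4B2AD, 0xB2D552D4, 0xD334CB2A, 0x00000000]
POST4 = [0x101070E0, 0xED4AB32B, 0x2D3352B5, 0xCCB2D532,
         0x2AD4B2AD, 0xB2D552D4, 0xD334CB2A, 0x00000000]

if __name__ == "__main__":
    print(decode_config(POST1[0]))
    for blk, status in compare_dumps(POST1, POST4).items():
        print("blk %02d: %s" % (blk, status))
```

Block 1 is the only block that differs between the two dumps, and it differs by exactly one bit position, which is the kind of read offset the post describes rather than a failed write.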


#8 2017-07-17 16:48:18

Geka
Contributor
Registered: 2017-07-03
Posts: 6

Re: [solved] Clone ICT, Unknown FSK Modulated Tag

Thanks marshmellow, got it resolved now.
I think it was the bootrom/fullimage version problem. Once I got the latest version I was able to write the blocks correctly with blk 0.


#9 2017-09-20 17:56:18

fidel
Contributor
Registered: 2016-10-17
Posts: 28

Re: [solved] Clone ICT, Unknown FSK Modulated Tag

Hi,
Where can I get the latest bootrom version?
I am trying to clone an ICT fob.
The lf read, lf t55 detect, and lf dump outputs on the two tags are identical, but the clone does not work. What could cause that?
Also, block 3 of page 1 on the cloned fob is 00a00003.
I have changed it to match the original with 00000000, but still no luck.
Thank you for any help.


#10 2017-09-27 09:13:14

Dan from OZ
Contributor
Registered: 2017-09-27
Posts: 17

Re: [solved] Clone ICT, Unknown FSK Modulated Tag

Hey Geka

Can you show us what you did and how you solved it, please?

Sorry, I thought my card was an ICT but it was not.

Last edited by Dan from OZ (2017-10-04 14:36:06)
