mirror of https://github.com/Proxmark/proxmark3.git synced 2025-03-12 04:35:36 -07:00

Updated LF Tag Operations (markdown)

scott4290 2021-08-01 18:05:35 -04:00
parent e3fb4f1f1f
commit b4ad7d6500

@ -7,12 +7,11 @@
***
### Low frequency tag operations
This page presents how the Proxmark3 can be used for working with simple low frequency tags. The commands are valid for the current GitHub version of the Proxmark (the askdemod command argument format was recently modified).
This page presents how the Proxmark3 can be used for working with simple low frequency tags. The commands are valid for the current GitHub version of the Proxmark.
### Reading an unknown tag
```
- Update -
Try the new 'lf search' command.
Try the 'lf search' command.
```
Below is a scan of an unknown physical access tag which I wanted to identify : a "thick" clamshell kind of tag, meaning with 99% certainty a LF tag.
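Review bot: The rewritten intro line still says the commands are valid for "the current GitHub version of the Proxmark", which gives the reader no way to tell which client the syntax on this page was checked against. Since this commit changes argument formats further down (for example `data samples -n 20000` and `data autocorr -w 2000 -g`), name the client release or the date the commands were verified. The "Try the 'lf search' command." line would also read better as ordinary text with the command in inline code rather than as a fenced block that contains only prose.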
@ -26,7 +25,7 @@ Note : use lf config to configure the read command to read the tag with addition
Then you can download the trace using data samples. By default, data samples only downloads the beginning of the trace. Use data samples 20000 (or any other value below 40000) to download a longer trace.
`proxmark3> data samples 20000 `
`proxmark3> data samples -n 20000 `
`proxmark3> data plot `
From the waveform, the tag does a simple ASK bitstream modulation : the tag modulates the signal amplitude to transmit its bitstream to the reader.
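Review bot: The context sentence above the changed command still tells the reader to "Use data samples 20000 (or any other value below 40000)", which is the old positional form and now contradicts the updated `data samples -n 20000` line right below it. Update that sentence to the `-n` form in the same commit, and drop the trailing space inside the backticks of the command lines while touching them.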
@ -40,7 +39,12 @@ In order to get a meaningful reading when setting the purple and yellow markers,
### Finding the tags bitstream period
Once you are satisfied with the acquired trace, the next step is to determine whether the tags signal is send in a periodic way (i.e. repeated) : the proper and simple way to do this is to autocorrelate the signal and find the peak period : the proxmark client offers a simple autocorrelation feature to this end :
`proxmark3> data autocorr 2000 g`
`proxmark3> data autocorr -w 2000 -g`
<b>[Edit needed:]<br>
[usb] pm3 --> data autocorr -w 2000 -g<br>
[=] Using window size 2000<br>
[!] ⚠️ window must be smaller than trace (1223 samples)<br>Update graph below.</b>
The plot will be updated :
![](http://i.imgur.com/uKbha5n.png)
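Review bot: The added "[Edit needed:]" block after the `data autocorr -w 2000 -g` line publishes an unresolved TODO together with a failing run of the very command the section recommends: the pasted output shows the client rejecting a window of 2000 because the trace holds only 1223 samples. Resolve this before merging rather than leaving it in the page: state in the prose that the `-w` value must be smaller than the number of samples in the trace, show a run that succeeds, and replace the graph the note says is outdated. If the screenshot cannot be refreshed now, track that in an issue instead of bold HTML in the article body.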
@ -59,21 +63,15 @@ The next step is to understand how each symbol is transmitted. Zooming in (keybo
Now, lets try to extract a meaningful bitstream from the tag. By using the askdemod command which is available in firmware 20090328 and later, we can turn the analog capture into a nicer looking bitstream which will be ready for further analysis : we will try with a positive bit encoding convention. What does this mean ? Depending on the tag manufacturers design, field modulation will either mean a logical "0" or a logical "1". The askdemod command therefore gives a choice to decode the bitstream one way or another.
`proxmark3> data askdemod 1`
```
- Update -
now use the 'data dirthreshold <thres up> <thres down>' or 'data askedgedetect'
Use the command: 'data dirthreshold -u <thres up> -d <thres down>' or 'data askedgedetect'
```
On the trace, the bitstream now looks like this :
![](http://i.imgur.com/GvTcfy8.png)
You can see on the trace that there are "long" and "short" zero and one modulations : typically, this indicates some sort of manchester encoding. We can use the Proxmarks mandemod command to attempt a manchester demodulation of the bitstream. This command takes the clock period as its argument.
Since the July 2009 SVN versions, you do not need to give the clock rate as argument anymore, since the mandemod function can now autodetect the clock rate.
`proxmark3> data mandemod 64 `
```
- Update -
now use the 'data rawdemod am'
Use the command: 'data rawdemod --am'
```
and this is the Manchester demodulated answer:
> Unsynchronized, resync...
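Review bot: The paragraphs around the updated commands still describe the old ones, so the text and the command lines no longer match. The first paragraph of the hunk explains "the askdemod command which is available in firmware 20090328 and later" and its choice of bit convention, while the command now given is `data dirthreshold -u <thres up> -d <thres down>` or `data askedgedetect`; the Manchester paragraph says the mandemod command "takes the clock period as its argument", while the command now given is `data rawdemod --am`. Reword both paragraphs to name the commands the reader is actually told to run and to say what their arguments mean. The replacement commands are also still wrapped in fenced blocks as prose ("Use the command: ..."), unlike the inline-code style used for `data plot` earlier on the page; use one style for all commands.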