Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-01-08 18:54:13

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Hacking on Farpointe/Pyramid 26 bit, need encoding help

Hi,

Please check out what I found for encoding.  There is one byte of data that does not make sense to me.  If anyone knows what this is it's appreciated.  Thanks!

Offline

#2 2015-01-08 18:55:48

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Sorry having problem uploading image...

Offline

#3 2015-01-08 19:00:36

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Here we go...

1420740012_fp26.jpg

Offline

#4 2015-01-08 19:02:48

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Forgot to mention this is using Atmel 5577...

Offline

#5 2015-01-08 19:09:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

the algorithm for this checksum is currently not known outside of farpointe.  if you do make progress do share.  wink

Offline

#6 2015-01-08 19:15:26

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

a few samples were shown here as well: http://www.proxmark.org/forum/viewtopic.php?id=1655

Offline

#7 2015-01-08 19:22:49

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

This has to be a CRC, I just don't know how CRCs really work at this point...how to generate them.

Offline

#8 2015-01-09 02:35:48

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

I guess brute force could also work...there are only 7 bits and 128 possibilities.  You could make a setup to try each possibility against a reader, and when the checksum is found...program a card with the result?!  Not pretty but possible...

Offline

#9 2015-01-09 06:38:04

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

I have 10 cards. Same FAC and with UIDs that follow each other.
If it can help, I will post them here.

Last edited by app_o1 (2015-01-09 11:53:35)

Offline

#10 2015-01-09 08:02:13

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

It might help.  More samples the better.

Offline

#11 2015-01-09 12:07:52

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

.

Last edited by app_o1 (2015-01-09 12:11:57)

Offline

#12 2015-01-09 16:47:11

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

One thing that I did find out is that all of the data in banks 0 to 4 have an effect on this checksum.

Offline

#13 2015-01-09 16:48:21

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Does the Proxmark have a command in it's command set to emulate a card?

Offline

#14 2015-01-09 16:49:03

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

If you print all block data in bytes, it would be easier smile  I'm too lazy to type in binary from a photo.

Offline

#15 2015-01-09 16:51:44

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

How do you know the config block affects the checksum?

Offline

#16 2015-01-09 17:06:23

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Sorry my typo, all blocks 1-4 have an effect on the checksum.  Block 0 has nothing to do with it.

Offline

#17 2015-01-10 16:23:00

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

app_o1 wrote:

I have 10 cards. Same FAC and with UIDs that follow each other.
If it can help, I will post them here.

Change your mind?

Offline

#18 2015-01-10 17:00:47

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

I have some sequential cards also...i can post the scans early next week...

Offline

#19 2015-01-11 15:33:00

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

marshmellow wrote:
app_o1 wrote:

I have 10 cards. Same FAC and with UIDs that follow each other.
If it can help, I will post them here.

Change your mind?

Yes. It belongs to an office building and it is still being used today.
I can share in private. To whoever wants it (raw traces*10) please let me know your email address.

Offline

#20 2015-01-11 15:41:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Can you send it via ICQ, you have mine.  If not I can put my email here.

Offline

#21 2015-01-12 15:34:04

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

-

Last edited by app_o1 (2015-01-17 02:51:10)

Offline

#22 2015-01-16 18:21:59

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

hkplus wrote:

I have some sequential cards also...i can post the scans early next week...

can you post traces with printed card numbers?

Offline

#23 2015-01-17 07:41:47

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Sorry something came up this week but I can do the traces on Monday..

Offline

#24 2015-01-17 07:43:38

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Been working on a card emulator for brute force attack. Can't seem to find something appropriate

Offline

#25 2015-01-17 15:13:15

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Hmmm. Need a sim command that works first, then we could use lua to script the input attempts.

Offline

#26 2015-01-24 05:08:00

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

OK so I promised you some card checksums.  I set up a hacky mechanical setup using an air cylinder with an AT5577 tag attached to the end of its arm, a programmer, a reader and wrote some software.  This Rube Goldberg contraption just started cycling through all of the checksums for site code zero, starting at tag ID 0.  Here are some results for about 300 cards discovered for the first couple of hours of run time:

First number is Facility Code (decimal), Second number is Card ID (decimal) and third number is discovered checksum (hexadecimal).  If you follow the Farpointe format guidelines outlined above and then replace the "UNKNOWN" byte with the HEX byte listed below for a particular card number the tag works on the reader everytime...now im either going to find an electronic way to discover these checksums or work on the actual algorithm that computes these checksums.  In the mean time I am going to let the air cylinder chug away until I get to ID 65535 for all of FC 0.  This is expected to take around 24 days.  Who cares about the FC anyway? lol

(FC  ID CS)
0 0 C7
0 1 1A
0 2 B9
0 3 64
0 4 E6
0 5 3B
0 6 98
0 7 45
0 8 58
0 9 85
0 10 26
0 11 FB
0 12 79
0 13 A4
0 14 07
0 15 DA
0 16 3D
0 17 E0
0 18 43
0 19 9E
0 20 1C
0 21 C1
0 22 62
0 23 BF
0 24 A2
0 25 7F
0 26 DC
0 27 01
0 28 83
0 29 5E
0 30 FD
0 31 20
0 32 F7
0 33 2A
0 34 89
0 35 54
0 36 D6
0 37 0B
0 38 A8
0 39 75
0 40 68
0 41 B5
0 42 16
0 43 CB
0 44 49
0 45 94
0 46 37
0 47 EA
0 48 0D
0 49 D0
0 50 73
0 51 AE
0 52 2C
0 53 F1
0 54 52
0 55 8F
0 56 92
0 57 4F
0 58 EC
0 59 31
0 60 B3
0 61 6E
0 62 CD
0 63 10
0 64 70
0 65 AD
0 66 0E
0 67 D3
0 68 51
0 69 8C
0 70 2F
0 71 F2
0 72 EF
0 73 32
0 75 4C
0 76 CE
0 77 13
0 78 B0
0 79 6D
0 80 8A
0 81 57
0 82 F4
0 83 29
0 84 AB
0 85 76
0 86 D5
0 87 08
0 88 15
0 89 C8
0 90 6B
0 91 B6
0 92 34
0 93 E9
0 94 4A
0 95 97
0 96 40
0 97 43
0 98 3E
0 99 E3
0 100 61
0 101 BC
0 102 1F
0 103 C2
0 104 DF
0 105 02
0 106 A1
0 107 7C
0 109 FE
0 110 80
0 111 5D
0 112 BA
0 113 67
0 114 C4
0 115 19
0 116 9B
0 117 46
0 118 E5
0 119 38
0 120 25
0 121 F8
0 122 5B
0 123 5D
0 124 04
0 125 D9
0 126 7A
0 127 A7
0 128 DA
0 130 A4
0 131 79
0 132 FB
0 133 26
0 134 85
0 135 86
0 136 45
0 137 98
0 138 3B
0 139 E6
0 140 64
0 141 B9
0 142 1A
0 143 C7
0 144 20
0 147 83
0 148 01
0 149 DC
0 150 7F
0 151 A2
0 152 BF
0 153 62
0 154 C1
0 155 1C
0 156 9E
0 157 43
0 158 E0
0 159 3D
0 160 3E
0 161 37
0 162 94
0 163 49
0 164 CB
0 165 16
0 166 B5
0 167 68
0 168 75
0 169 A8
0 170 0B
0 171 D6
0 172 54
0 173 89
0 174 2A
0 175 F7
0 176 F8
0 177 CD
0 178 6E
0 180 31
0 181 EC
0 182 4F
0 183 92
0 184 8F
0 185 52
0 186 F1
0 187 2C
0 188 AE
0 189 73
0 190 D0
0 191 0D
0 192 6D
0 193 B0
0 194 13
0 195 CE
0 196 4C
0 197 91
0 198 32
0 199 EF
0 200 F2
0 201 2F
0 202 8C
0 203 51
0 204 D3
0 205 0E
0 206 AD
0 207 70
0 208 97
0 209 4A
0 210 E9
0 211 34
0 212 B6
0 213 6B
0 214 C8
0 216 08
0 217 D5
0 218 76
0 219 AB
0 220 29
0 221 F4
0 222 57
0 223 8A
0 224 5D
0 225 80
0 226 23
0 228 FE
0 229 A1
0 230 02
0 231 DF
0 232 C2
0 233 1F
0 234 20
0 235 61
0 236 E3
0 237 3E
0 238 9D
0 239 40
0 240 A7
0 241 7A
0 242 D9
0 243 04
0 244 86
0 245 5B
0 246 F8
0 247 25
0 248 38
0 249 E5
0 250 46
0 251 9B
0 252 19
0 253 C4
0 254 67
0 255 BA
0 256 97
0 257 4A
0 258 E9
0 259 34
0 260 B6
0 261 6B
0 262 C8
0 263 15
0 264 08
0 265 D5
0 266 76
0 267 AB
0 268 29
0 269 F4
0 270 58
0 271 8A
0 272 6D
0 273 B0
0 274 13
0 275 CE
0 276 4C
0 277 91
0 278 32
0 279 EF
0 280 F2
0 282 8C
0 283 51
0 284 D5
0 285 0E
0 286 AD
0 287 70
0 288 A7
0 289 7A
0 291 04
0 292 86
0 293 5B
0 294 F8
0 295 25
0 296 38
0 297 E5
0 298 46
0 299 9B
0 300 19
0 301 C4
0 302 67
0 303 BA
0 304 5E
0 305 80
0 306 23
0 308 FE
0 309 A1
0 310 02
0 311 DF
0 312 C2
0 313 1F

Offline

#27 2015-01-24 05:13:27

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

The contraption...

Last edited by hkplus (2015-11-26 08:09:46)

Offline

#28 2015-01-24 05:15:47

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Forgot to mention, that the "unknown" bytes provided include the proper odd parity bit.  That poor 5577 eeprom is going to have a brain hemorrhage considering all of the continuous write cycles it's experiencing.  Arm moves back and forth about every 500 mS.

Last edited by hkplus (2015-01-24 05:22:25)

Offline

#29 2015-01-24 05:22:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Sweet!   I'll take a look at the samples soon.   It would be great to do the same thing just incrementing the fc (nothing else). 

And we could shorten the list of numbers significantly by just running 1 binary bit (or 2^x where x starts at 0 and increments). That would tell us how the checksum calc is affected by each bit.

Offline

#30 2015-01-24 05:24:06

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Is the arm to remove the tag from the reader field?

Offline

#31 2015-01-24 05:34:31

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

I can run other site codes and IDs...whatever you want because I wrote the control software.  Yes the arm is to move the card out of the field of the Farpointe reader and over the programmer.  I started with a 4" long air cylinder, but it was not enough distance, the reader kept messing up the programmer, so I moved to an 6" air cylinder and put the thing in a steel surplus electrical box that seems to work as a shield.  The programmer is an Atmel (GIS brand) programmer.  I used the GIS .DLL and wrote a control program in VB.NET to control the programmer.  The device that drives the valve is actually an access control.  It has an open command set and you send commands to it via TCPIP.  I am using it's relay, that is normally used to open doors, to drive the valve that runs the air cylinder under software control.  I am also using it's 26 bit Wiegand port...if the access control sees anything come off of the reader, it converts the reader's Wiegand data to decimal and sends it back to my control software over the same TCPIP connection that is used to control the relay.  Everytime the arm moves into the reader, I wait for up to 500 mS to see if data is coming off of the reader via the access control.  If it sees data, that means that the correct checksum was found and I record the results in a .TXT file.  If nothing comes back, then I increment the checksum and try the process again. It's hacky but it works and reliably.  I had to add a verification to the write cycle on the card to retry the write if the program cycle fails, so I retry the write up to 5 times...this keeps the setup running unattended.  I can start on Facility Code 1 on Monday or some other range of ID if you wish. I understand your request for incrementing one bit...I will get this for you also.  I tried to make an electronic card emulator, but I could not get the thing to work right.  I used an Atmel AVR processor hooked up to a coil that I pulled out of a clamshell card, but I could not get the firmware correct to work...yet.  I will try to work on finding IDs 0-300 on FC 1 next week...I have a feeling that there is some type of XOR circuit/algorithm going on with the checksum.

Last edited by hkplus (2015-03-20 02:22:24)

Offline

#32 2015-01-24 05:54:19

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

I'd be very interested in a complete list of 1 bit values with checksums.  Example:

0000000000000000
0000000000000001
0000000000000010
0000000000000100
0000000000001000
0000000000010000
...

For both card number and fc, with checksums

Offline

#33 2015-01-24 05:56:13

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Let me work on that for you next week...:)  It seems that you have a few of these now...card numbers 1,2,4,8,16 and others?

Last edited by hkplus (2015-01-24 06:06:58)

Offline

#34 2015-01-24 06:08:50

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Card numbers 1 and 2 are like what you are asking...one bit position change generates a huge change in the checksum...which is why I think it's an XOR train of some type...

0 1 1A
0 2 B9

Offline

#35 2015-01-24 06:22:39

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Yep, we have 0 through 256.
So we all we need for the card number is 512, 1024, 2048, 4096, 8192, 16384, 32786

Then 1,2,4,8,16,32,64,128 for the fc

Offline

#36 2015-01-24 06:29:23

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Except without the wp it is
0 1 1A
0 2 39
0 3 64
0 4 66

Right?

Last edited by marshmellow (2015-01-24 06:31:21)

Offline

#37 2015-01-24 06:37:09

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

The other thing is with all those parities one bit change could change 2 or 3 other parity bits.  If those parity bits are part of the calc it will make it a little more difficult.

Offline

#38 2015-01-24 06:42:41

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

marshmellow wrote:

The other thing is with all those parities one bit change could change 2 or 3 other parity bits.  If those parity bits are part of the calc it will make it a little more difficult.

The Wiegand parity is not in the "unknown" byte.  ID 1 and ID 2 should have the same lower wiegand odd parity.  My software calculates the odd parity over the first seven bits of the checksum byte then adds this parity to the LSB of the unknown byte.  Did I answer your question?  I am pretty sure that the parity bits in the Farpointe Manchester encoding do change the checksum value.

Last edited by hkplus (2015-01-24 06:44:27)

Offline

#39 2015-01-24 06:45:30

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

marshmellow wrote:

Except without the wp it is
0 1 1A
0 2 39
0 3 64
0 4 66

Right?

I am not sure where you are getting these numbers from?

Offline

#40 2015-01-24 22:00:57

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

sorry i misunderstood your "includes parity" comment.  i understand now.

Offline

#41 2015-01-24 23:09:44

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Just browsed a bit with my mobile... Hava you seen that if you start at 27:01. Follow the crcs upwards. Then look at 148:01, follow the crcs downwards. Its the same sequence. Haven:t got a computer right now, so I can't reallly explore it further atm. But may be a clue?

Offline

#42 2015-01-24 23:42:30

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

More checksums...the contraption broke down for a bit when the actual prox tag physically broke off of the arm somehow...

0 0 C7
0 1 1A
0 2 B9
0 3 64
0 4 E6
0 5 3B
0 6 98
0 7 45
0 8 58
0 9 85
0 10 26
0 11 FB
0 12 79
0 13 A4
0 14 07
0 15 DA
0 16 3D
0 17 E0
0 18 43
0 19 9E
0 20 1C
0 21 C1
0 22 62
0 23 BF
0 24 A2
0 25 7F
0 26 DC
0 27 01
0 28 83
0 29 5E
0 30 FD
0 31 20
0 32 F7
0 33 2A
0 34 89
0 35 54
0 36 D6
0 37 0B
0 38 A8
0 39 75
0 40 68
0 41 B5
0 42 16
0 43 CB
0 44 49
0 45 94
0 46 37
0 47 EA
0 48 0D
0 49 D0
0 50 73
0 51 AE
0 52 2C
0 53 F1
0 54 52
0 55 8F
0 56 92
0 57 4F
0 58 EC
0 59 31
0 60 B3
0 61 6E
0 62 CD
0 63 10
0 64 70
0 65 AD
0 66 0E
0 67 D3
0 68 51
0 69 8C
0 70 2F
0 71 F2
0 72 EF
0 73 32
0 75 4C
0 76 CE
0 77 13
0 78 B0
0 79 6D
0 80 8A
0 81 57
0 82 F4
0 83 29
0 84 AB
0 85 76
0 86 D5
0 87 08
0 88 15
0 89 C8
0 90 6B
0 91 B6
0 92 34
0 93 E9
0 94 4A
0 95 97
0 96 40
0 97 43
0 98 3E
0 99 E3
0 100 61
0 101 BC
0 102 1F
0 103 C2
0 104 DF
0 105 02
0 106 A1
0 107 7C
0 109 FE
0 110 80
0 111 5D
0 112 BA
0 113 67
0 114 C4
0 115 19
0 116 9B
0 117 46
0 118 E5
0 119 38
0 120 25
0 121 F8
0 122 5B
0 123 5D
0 124 04
0 125 D9
0 126 7A
0 127 A7
0 128 DA
0 130 A4
0 131 79
0 132 FB
0 133 26
0 134 85
0 135 86
0 136 45
0 137 98
0 138 3B
0 139 E6
0 140 64
0 141 B9
0 142 1A
0 143 C7
0 144 20
0 147 83
0 148 01
0 149 DC
0 150 7F
0 151 A2
0 152 BF
0 153 62
0 154 C1
0 155 1C
0 156 9E
0 157 43
0 158 E0
0 159 3D
0 160 3E
0 161 37
0 162 94
0 163 49
0 164 CB
0 165 16
0 166 B5
0 167 68
0 168 75
0 169 A8
0 170 0B
0 171 D6
0 172 54
0 173 89
0 174 2A
0 175 F7
0 176 F8
0 177 CD
0 178 6E
0 180 31
0 181 EC
0 182 4F
0 183 92
0 184 8F
0 185 52
0 186 F1
0 187 2C
0 188 AE
0 189 73
0 190 D0
0 191 0D
0 192 6D
0 193 B0
0 194 13
0 195 CE
0 196 4C
0 197 91
0 198 32
0 199 EF
0 200 F2
0 201 2F
0 202 8C
0 203 51
0 204 D3
0 205 0E
0 206 AD
0 207 70
0 208 97
0 209 4A
0 210 E9
0 211 34
0 212 B6
0 213 6B
0 214 C8
0 216 08
0 217 D5
0 218 76
0 219 AB
0 220 29
0 221 F4
0 222 57
0 223 8A
0 224 5D
0 225 80
0 226 23
0 228 FE
0 229 A1
0 230 02
0 231 DF
0 232 C2
0 233 1F
0 234 20
0 235 61
0 236 E3
0 237 3E
0 238 9D
0 239 40
0 240 A7
0 241 7A
0 242 D9
0 243 04
0 244 86
0 245 5B
0 246 F8
0 247 25
0 248 38
0 249 E5
0 250 46
0 251 9B
0 252 19
0 253 C4
0 254 67
0 255 BA
0 256 97
0 257 4A
0 258 E9
0 259 34
0 260 B6
0 261 6B
0 262 C8
0 263 15
0 264 08
0 265 D5
0 266 76
0 267 AB
0 268 29
0 269 F4
0 270 58
0 271 8A
0 272 6D
0 273 B0
0 274 13
0 275 CE
0 276 4C
0 277 91
0 278 32
0 279 EF
0 280 F2
0 282 8C
0 283 51
0 284 D5
0 285 0E
0 286 AD
0 287 70
0 288 A7
0 289 7A
0 291 04
0 292 86
0 293 5B
0 294 F8
0 295 25
0 296 38
0 297 E5
0 298 46
0 299 9B
0 300 19
0 301 C4
0 302 67
0 303 BA
0 304 5E
0 305 80
0 306 23
0 308 FE
0 309 A1
0 310 02
0 311 DF
0 312 C2
0 313 1F
0 314 BC
0 315 61
0 316 E3
0 317 3E
0 318 9D
0 319 9E
0 320 20
0 321 FD
0 322 5E
0 323 83
0 324 01
0 325 DC
0 326 7F
0 327 A2
0 328 BF
0 329 62
0 330 C1
0 331 1C
0 332 9E
0 333 43
0 334 E0
0 335 3D
0 336 DA
0 337 07
0 338 A4
0 339 79
0 340 FB
0 341 26
0 343 58
0 344 45
0 345 98
0 346 3D
0 347 E6
0 348 64
0 349 B9
0 350 1A
0 351 C7
0 352 10
0 353 CD
0 354 6E
0 355 B3
0 356 31
0 357 EC
0 358 4F
0 359 92
0 360 8F
0 362 F1
0 363 2C
0 364 2F
0 365 73
0 366 D0
0 367 0D
0 368 EA
0 369 37
0 370 94
0 371 49
0 372 CB
0 373 16
0 374 B5
0 375 68
0 376 75
0 377 A8
0 378 0B
0 379 D6
0 380 54
0 381 89
0 382 2A
0 383 F7
0 384 8A
0 385 57
0 386 F4
0 387 29
0 388 AB
0 389 76
0 390 D5
0 391 08
0 392 15
0 393 C8
0 394 6B
0 395 B6
0 396 34
0 397 E9
0 398 4A
0 399 97
0 400 70
0 401 AD
0 402 0E
0 403 D3
0 404 51
0 405 8C
0 406 2F
0 407 F2
0 408 EF
0 409 32
0 410 91
0 411 4C
0 412 CE
0 413 13
0 414 B0
0 415 B3
0 416 BA
0 417 67
0 418 C4
0 419 19
0 420 9B
0 421 46
0 422 E5
0 423 38
0 424 25
0 425 F8
0 426 5B
0 427 86
0 428 89
0 429 D9
0 430 7A
0 431 A7
0 432 40
0 433 9D
0 434 3E
0 435 E3
0 436 61
0 437 BC
0 438 1F
0 439 C2
0 440 DF
0 441 02
0 442 A1
0 443 7C
0 444 7F
0 445 23
0 447 5D
0 448 3D
0 449 E0
0 450 43
0 451 9E
0 452 1C
0 453 C1
0 454 62
0 455 BF
0 456 C1
0 457 7F
0 458 DC
0 459 01
0 460 02
0 461 5E
0 462 FD
0 463 20
0 464 C7
0 465 1A
0 466 B9
0 467 64
0 468 E6
0 469 3B
0 470 98
0 471 45
0 472 58
0 473 85
0 474 26
0 475 FB
0 476 79
0 477 A4
0 478 07
0 479 DA
0 480 0D
0 481 D0
0 482 73
0 483 AE
0 484 2C
0 485 F1
0 486 52
0 487 54
0 488 92
0 489 94
0 490 EC
0 491 31
0 492 B3
0 493 6E
0 494 CD
0 495 10
0 496 F7
0 497 2A
0 499 54
0 500 57
0 501 0B
0 502 A8
0 503 75
0 504 68
0 505 B5
0 506 B6
0 507 CB
0 508 49
0 509 94
0 511 EA
0 512 0D
0 513 D0
0 514 73
0 515 AE
0 516 2C
0 517 F1
0 518 52
0 519 8F
0 521 4F
0 522 EC
0 523 31
0 524 B3
0 525 6E
0 526 CD
0 527 10
0 528 F7
0 529 2A
0 530 89
0 531 54
0 532 D6
0 533 0B
0 534 A8
0 535 75
0 536 68
0 537 B5
0 538 16
0 539 CB
0 540 49
0 541 94
0 542 37
0 543 EA
0 544 3D
0 545 E0
0 546 43
0 547 9E
0 548 1C
0 549 C1
0 550 62
0 551 BF
0 552 A2
0 553 7F
0 554 DC
0 555 01
0 556 83
0 557 5E
0 558 FD
0 559 20
0 560 C8
0 561 1A
0 562 B9
0 563 64
0 564 E6
0 565 3B
0 566 98
0 567 45
0 568 58
0 569 85
0 570 26
0 571 FB
0 572 79
0 573 A4
0 574 07
0 575 DA
0 576 BA
0 577 67
0 578 C4
0 579 19
0 580 9B
0 581 46
0 582 E5
0 583 38
0 584 25
0 585 F8
0 586 5B
0 587 86
0 588 04
0 589 D9
0 590 7A
0 591 A7
0 592 40
0 593 9D
0 594 3E
0 595 E3
0 596 61
0 597 BC
0 598 1F
0 599 C2
0 600 DF
0 601 02
0 602 A1
0 603 7C
0 605 FE
0 606 80
0 607 5D
0 608 8A
0 609 57
0 611 29
0 612 AB
0 613 76
0 614 D5
0 615 08
0 616 15
0 617 C8
0 618 6B
0 619 B6
0 620 34
0 621 EA
0 622 4A
0 623 97
0 624 70
0 625 AD
0 626 0E
0 627 D3
0 628 51
0 629 8C
0 630 2F
0 631 F2
0 632 EF
0 633 32
0 634 91
0 635 4C
0 636 CE
0 637 13
0 638 B0
0 639 6D
0 640 10
0 641 CD
0 642 6E
0 643 B3
0 644 31
0 645 EC
0 646 4F
0 647 92
0 648 8F
0 649 52
0 650 F1
0 651 2C
0 652 AE
0 653 75
0 654 D0
0 655 0D
0 656 EA
0 657 37
0 658 94
0 659 49
0 660 CB
0 661 16
0 662 B5
0 663 68
0 664 75
0 665 A8
0 666 0B
0 667 D6
0 668 54
0 669 89
0 670 2A
0 671 F8
0 672 20
0 673 FD
0 674 5E
0 675 83
0 676 01
0 677 DC
0 678 7F
0 679 A2
0 680 BF
0 681 62
0 682 C1
0 683 1C
0 684 9E
0 685 43
0 686 E0
0 687 3D
0 688 DA
0 689 07
0 690 A4
0 691 79
0 692 FB
0 693 26
0 694 85
0 695 58
0 696 45
0 697 98
0 698 3B
0 699 E9
0 700 64
0 701 B9
0 702 1A
0 703 C7
0 704 A7
0 705 7A
0 706 D9
0 707 04
0 708 86
0 709 5B
0 710 F8
0 711 25
0 712 38
0 713 E5
0 714 46
0 715 9B
0 716 19
0 717 C4
0 718 67
0 719 BA
0 720 5D
0 721 80
0 722 23
0 724 FE
0 725 A1
0 726 02
0 727 DF
0 728 C2
0 729 1F
0 730 BC
0 731 61
0 732 E3
0 733 3E
0 734 9D
0 735 40
0 736 97
0 737 4A
0 738 E9
0 739 34
0 740 B6
0 741 6B
0 742 C8
0 743 15
0 744 08
0 745 D5
0 746 76
0 747 AB
0 748 29
0 749 F4
0 750 57
0 751 8A
0 752 6D
0 753 B0
0 754 13
0 755 CE
0 756 4C
0 757 91
0 758 32
0 759 EF
0 760 F2
0 761 2F
0 762 8C
0 763 51
0 764 D3
0 765 0E
0 766 AD
0 767 70
0 768 5D
0 769 80
0 770 25
0 772 FE
0 773 A1
0 774 02

Offline

#43 2015-02-13 15:06:15

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Ok, so at this point I'm pretty sure that the checksum is an 8 bit crc... The problem now is finding both the correct polynomial and determining the source message data... Which has been difficult at this point... But running software simulations...

Offline

#44 2015-02-14 00:08:04

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

I noticed that values 00, 03, 06, 09 and 0C are missing... this can be only a coincidence... but this can also be a starting point.

Offline

#45 2015-02-14 22:58:56

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

when you are testing CRC's are you removing the odd parity per byte first?
something like this (most leading zeros omitted):

Hex		CRC
04000001	63
04000002	0D
04000004	5C
04000007	32
04000008	73
0400000B	1D
0400000D	4C
0400000E	22
04000010	2C
04000013	42
04000015	13
04000016	7D
04000019	3C
0400001A	52
0400001C	03
0400001F	6D
04000020	1E
04000023	70
04000025	21
04000026	4F
04000029	0E
0400002A	60
0400002C	31
0400002F	5F
04000031	51
04000032	3F
04000034	6E
04000037	00
04000038	41
0400003B	2F
0400003D	7E
0400003E	10
04000040	7B
04000043	15
04000045	44
04000046	2A
04000049	6B
0400004A	05
0400004C	54
0400004F	3A
04000051	34
04000052	5A
04000054	0B
04000057	65
04000058	24
0400005B	4A
0400005D	1B
0400005E	75
04000061	06
04000062	68
04000064	39
04000067	57
04000068	16
0400006B	78
0400006D	29
0400006E	47
04000070	49
04000073	27
04000075	76
04000076	18
04000079	59
0400007A	37
0400007C	66
0400007F	08
04000080	38
04000083	56
04000085	07
04000086	69
04000089	28
0400008A	46
0400008C	17
0400008F	79
04000091	77
04000092	19
04000097	26
04000098	67
0400009B	09
0400009D	58
0400009E	36
040000A1	45
040000A2	2B
040000A4	7A
040000A7	14
040000A8	55
040000AB	3B
040000AD	6A
040000AE	04
040000B0	0A
040000B3	64
040000B5	35
040000B6	5B
040000B9	1A
040000BA	74
040000BC	25
040000BF	4B
040000C1	20
040000C2	21
040000C4	1F
040000C7	71
040000C8	30
040000CB	5E
040000CD	0F
040000CE	61
040000D0	6F
040000D3	01
040000D5	50
040000D6	3E
040000DA	7F
040000DC	40
040000DF	2E
040000E0	5D
040000E3	33
040000E5	62
040000E6	0C
040000E9	4D
040000EA	23
040000EC	72
040000EF	1C
040000F1	12
040000F2	7C
040000F4	2D
040000F7	2E
040000F8	02
040000FB	6C
040000FD	3D
040000FE	53
04000100	6D
04000105	52
04000106	3C
04000109	7D
0400010A	13
0400010C	42
0400010F	43
04000111	22
04000112	4C
04000114	1D
04000117	73
04000118	32
0400011B	5C
0400011D	0D
0400011E	63
04000121	10
04000127	41
04000128	00
0400012B	6E
0400012D	3F
0400012E	51
04000130	5F
04000133	31
04000135	60
04000136	0E
04000139	4F
0400013A	21
0400013C	70
0400013F	1E
04000141	1F
04000142	1B
04000144	4A
04000147	24
04000148	65
0400014B	0B
0400014D	5A
0400014E	34
04000150	3A
04000153	54
04000155	05
04000156	6B
04000159	2A
0400015A	44
0400015C	15
0400015F	7B
04000160	7C
04000163	66
04000165	37
04000169	18
0400016A	76
0400016C	27
0400016F	49
04000171	47
04000172	29
04000174	78
04000177	16
04000178	57
0400017B	39
0400017D	68
0400017E	06
04000181	36
04000182	58
04000184	09
04000187	67
04000188	26
0400018B	48
0400018D	19
0400018E	77
04000190	79
04000193	17
04000195	46
04000196	28
04000199	69
0400019A	07
0400019C	56
0400019F	38
040001A0	4B
040001A3	25
040001A5	74
040001A6	1A
040001A9	5B
040001AA	35
040001AC	64
040001B1	04
040001B2	6A
040001B4	3B
040001B7	55
040001B8	14
040001BB	7A
040001BD	2B
040001BE	45
040001C0	2E
040001C3	40
040001C5	11
040001C9	7F
040001CA	50
040001CC	01
040001CF	6F
040001D1	61
040001D2	0F
040001D4	10
040001D7	30
040001D8	71
040001DB	1F
040001DD	4E
040001DE	20
040001E1	53
040001E2	3D
040001E4	6C
040001E7	02
040001E8	43
040001EB	2D
040001ED	7C
040001EE	12
040001F0	1C
040001F3	72
040001F5	23
040001F6	4D
040001F9	0C
040001FA	62
040001FC	33
040001FF	5D
04000200	4B
04000203	25
04000205	74
04000206	1A
04000209	5B
0400020A	35
0400020C	64
0400020F	0A
04000211	04
04000212	6A
04000214	3B
04000217	55
04000218	14
0400021B	7A
0400021D	2C
0400021E	45
04000221	36
04000222	58
04000224	09
04000227	67
04000228	26
0400022B	48
0400022D	19
0400022E	77
04000230	79
04000235	46
04000236	28
04000239	6A
0400023A	07
0400023C	56
0400023F	38
04000241	53
04000242	3D
04000247	02
04000248	43
0400024B	2D
0400024D	7C
0400024E	12
04000250	1C
04000253	72
04000255	23
04000256	4D
04000259	0C
0400025A	62
0400025C	33
0400025F	5D
04000260	2F
04000263	40
04000265	11
04000269	7F
0400026A	50
0400026C	01
0400026F	6F
04000271	61
04000272	0F
04000274	5E
04000277	30
04000278	71
0400027B	1F
0400027D	4E
0400027E	4F
04000281	10
04000282	7E
04000284	2F
04000287	41
04000288	00
0400028B	6E
0400028D	3F
0400028E	51
04000290	5F
04000293	31
04000295	60
04000296	0E
04000299	4F
0400029A	21
0400029C	70
0400029F	1E
040002A0	6D
040002A3	03
040002A5	52
040002A6	3C
040002A9	7D
040002AA	13
040002AF	2C
040002B1	22
040002B2	4C
040002B4	1E
040002B7	73
040002B8	32
040002BB	5C
040002BD	0D
040002BE	63
040002C0	08
040002C3	66
040002C5	37
040002C6	59
040002C9	18
040002CA	76
040002CC	27
040002CF	49
040002D1	47
040002D4	78
040002D7	16
040002D8	17
040002DB	39
040002DD	68
040002DE	06
040002E1	75
040002E2	1B
040002E4	4A
040002E7	24
040002E8	65
040002EB	0B
040002ED	5A
040002EE	34
040002F0	3A
040002F3	54
040002F5	05
040002F6	6B
040002F9	2A
040002FA	44
040002FC	15
040002FF	7B
04000301	45
04000302	2B
04000304	7A
04000307	14
04000308	55
0400030B	3B
0400030D	6A
0400030E	04
04000310	0A
04000313	64
04000315	35
04000316	5B
04000319	1A
0400031A	74
0400031C	25
0400031F	4B
04000320	38
04000323	56
04000325	07
04000326	69
04000329	28
0400032A	46
0400032C	17
0400032F	79
04000331	77
04000332	19
04000334	48
04000337	26
04000338	67
0400033B	09
0400033D	58
0400033E	59
04000340	5D
04000343	33
04000345	62
04000346	0C
04000349	4D
0400034A	23
0400034C	72
0400034F	1C
04000351	12
04000352	7C
04000354	2D
04000357	43
04000358	44
0400035B	6C
0400035D	3D
0400035E	53
04000361	20
04000362	4E
04000364	1F
04000367	71
04000368	30
0400036B	5E
0400036D	0F
0400036E	61
04000370	6F
04000373	01
04000375	50
04000376	3E
04000379	3F
0400037A	11
0400037F	2E
04000380	1E
04000383	70
04000385	21
04000386	4F
04000389	0E
0400038A	60
0400038C	31
0400038F	5F
04000391	60
04000392	3F
04000394	6E
04000397	00
04000398	01
0400039B	2F
0400039D	7E
0400039E	10
040003A1	63
040003A2	0D
040003A4	5C
040003A7	32
040003A8	73
040003AB	1D
040003AD	4C
040003AE	22
040003B0	2C
040003B3	42
040003B5	13
040003B6	7D
040003B9	3C
040003BA	52
040003BC	03
040003BF	6D
040003C1	06
040003C2	68
040003C4	39
040003C7	57
040003C8	16
040003CB	78
040003CD	29
040003CE	2A
040003D0	49
040003D3	4A
040003D5	76
040003D6	18
040003D9	59
040003DA	37
040003DC	66
040003DF	08
040003E0	7B
040003E3	15
040003E6	2A
040003E9	2B
040003EA	05
040003EC	54
040003EF	3A
040003F1	34
040003F2	5A
040003F4	5B
040003F7	65
040003F8	24
040003FB	4A
040003FE	75
04000400	06
04000403	68
04000405	39
04000406	57
04000409	16
0400040A	78
0400040C	29
0400040F	47
04000412	27
04000414	76
04000417	18
04000418	59
0400041B	37
0400041D	66
0400041E	08
04000421	7B
04000422	15
04000424	44
04000427	2A
04000428	6B
0400042B	05
0400042D	54
0400042E	3A
04000430	34
04000433	5A
04000435	0B
04000436	65
04000439	24
0400043A	4A
0400043C	1B
0400043F	75
04000441	1E
04000442	70
04000444	21
04000447	4F
04000448	0E
0400044B	60
0400044D	31
0400044E	5F
04000450	51
04000453	3F
04000455	6E
04000456	00
04000459	41
0400045A	2F
0400045C	7E
0400045F	10
04000460	64
04000463	0D
04000465	5C
04000466	32
04000469	73
0400046A	1D
0400046C	4C
0400046F	22
04000471	2C
04000472	42
04000474	13
04000477	7D
04000478	3C
0400047B	52
0400047D	03
0400047E	6D
04000481	5D
04000482	33
04000484	62
04000487	0C
04000488	4D
0400048B	23
0400048D	72
0400048E	1C
04000490	12
04000493	7C
04000495	2D
04000496	43
04000499	02
0400049A	6C
0400049C	3D
0400049F	53
040004A0	20
040004A3	4E
040004A5	1F
040004A6	71
040004A9	30
040004AA	5E
040004AC	0F
040004AF	61
040004B1	6F
040004B2	01
040004B4	50
040004B7	3E
040004BB	7F
040004BD	40
040004BE	2E
040004C0	45
040004C3	2B
040004C6	14
040004C9	55
040004CA	3B
040004CC	6A
040004CF	04
040004D1	0A
040004D2	64
040004D4	35
040004D7	5B
040004D8	1A
040004DB	75
040004DD	25
040004DE	4B
040004E1	38
040004E2	56
040004E4	07
040004E7	69
040004E8	28
040004EB	46
040004ED	17
040004EE	79
040004F0	77
040004F3	19
040004F5	48
040004F6	26
040004F9	67
040004FA	09
040004FC	58
040004FF	36
04000501	08
04000502	66
04000504	37
04000507	59
04000508	18
0400050B	76
0400050D	27
0400050E	49
04000510	47
04000513	29
04000515	78
04000516	16
04000519	57
0400051A	3A
0400051C	68
0400051F	06
04000520	75
04000523	1B
04000525	4A
04000526	24
04000529	65
0400052A	0B
0400052C	5A
0400052F	34
04000531	3A
04000532	54
04000534	05
04000537	6B
04000538	2A
0400053B	44
0400053D	15
0400053E	7C
04000540	10
04000543	7E
04000545	2F
04000546	41
04000549	00
0400054A	6E
0400054C	3F
0400054F	51
04000551	5F
04000552	31
04000554	60
04000557	0E
04000558	4F
0400055B	21
0400055D	70
0400055E	1E
04000561	6D
04000562	03
04000564	52
04000567	3C
04000568	7D
0400056B	13
0400056D	42
0400056E	2C
04000570	22
04000573	4C
04000575	1D
04000576	74
04000579	32
0400057A	5C
0400057C	0D
0400057F	63
04000580	53
04000583	3D
04000585	6C
04000586	02
04000589	43
0400058A	2D
0400058C	7C
0400058F	12
04000591	1C
04000592	72
04000594	23
04000597	4D
04000598	0C
0400059B	62
0400059D	33
0400059E	5D
040005A1	2E
040005A2	40
040005A4	11
040005A8	7F
040005AB	50
040005AD	01
040005AE	6F
040005B0	61
040005B3	0F
040005B5	5E
040005B6	30
040005B9	71
040005BA	1F
040005BC	4E
040005BF	20
040005C1	4B
040005C2	25
040005C4	74
040005C7	1A
040005C8	5B
040005CB	35
040005CD	64
040005CE	0A
040005D0	04
040005D3	6A
040005D5	3B
040005D6	55
040005D9	14
040005DA	7A
040005DC	2B
040005DF	45
040005E0	36
040005E3	58
040005E5	09
040005E6	67
040005E9	26
040005EA	48
040005EC	19
040005EF	77
040005F1	79
040005F2	17
040005F4	46
040005F7	28
040005F8	69
040005FB	07
040005FD	56
040005FE	38
04000601	2E
04000602	40
04000604	12
04000608	7F
0400060B	50
0400060D	01

Offline

#46 2015-02-18 18:15:33

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

marshmellow wrote:

when you are testing CRC's are you removing the odd parity per byte first?
something like this (most leading zeros omitted):

Sir, I am not clear on your question.  The checksum byte that I provided includes the odd parity bit that is present at the LSB position.  The found checksum is the upper 7 bits of the byte provided.  I am sure that this is CRC8, but don't know what the original message is or the binomial that it's calculated with.

Offline

#47 2015-02-22 20:42:56

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

I'm pretty sure that the general method for computing the checksum in the Farpointe format is given in this patent number US 6411199 B1

Offline

#48 2015-03-01 19:06:59

Upgrade
Contributor
Registered: 2014-12-14
Posts: 36

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

hkplus,  thanks for your contributions.

Do you have ICQ where you can be contacted at?

Thanks!

Offline

#49 2015-03-01 20:52:49

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

14011746

Offline

#50 2015-03-02 22:30:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,536
Website

Re: Hacking on Farpointe/Pyramid 26 bit, need encoding help

Well, I tried it against these known 8bit crc,  none fits.

name="CRC-8/DVB-S2"
name="CRC-8/CDMA2000"
name="CRC-8/I-CODE"
name="CRC-8/ITU"
name="CRC-8"
name="CRC-8/WCDMA"
name="CRC-8/DARC"
name="CRC-8/MAXIM"
name="CRC-8/EBU"
name="CRC-8/ROHC"

Offline

Board footer

Powered by FluxBB