What can I do with RAW RFID data?

I am a new user, just got my Flipper Zero today.

I have two RFID tags/cards but neither of them work for any of the scanning modes except for 125khz RAW. I would like to be able to emulate them as a backup in case I lose my tag or card. Is there any way to do this with the RAW scan files?

Thanks.

1 Like

The plot thickens.

The raw reads of both the fob and the card produced two files each, one ASK and one PSK for each one.
3 of the 4 files have the same 20B of data which I believe represents a blank read.

The only file with any data was the PSK for the fob. I was later able to scan the fob as NFC as well but the scan took a long time. It was identified as a Mifare but even with a scan of the reader and using mfkey32v2 I wasn’t able to emulate it successfully. Weird that it would get a reading for 125kHz PSK and also for NFC though.

The card, which is a thick white card marked as INDALA doesn’t seem to show up on any type of scan. The raw read for it produced only the 20B blank files. I thought that Indala cards were 125kHz PSK but this one must be something different.

1 Like

I don’t know much about this function. I hope you continue to share what you learn. I haven’t run across any tags that required raw read just yet. I’ll be following this topic and see if I can find any docs. I have heard of cards that support NFC and 125kHz for cross compatibility. I’ve also seen manufactures recommend adding a 125kHz sticker to other badges. I think it’s pretty unusual though. It’s sounds like it’s the kind of thing a company does when they don’t want to upgrade everything and they are doing installs in house.

EDIT: I’ll let you in on a little mistake I made one time. I scanned a 125kHz card too close to my Yubikey and picked up NFC. Any chance you did something like that? As I said before a token with both is rare. As far as I can tell all Indala cards are 125kHz.

1 Like

I think you are right about the interference from another card. When I tried to scan the fob again raw it got blank files. There must have been a 125kHz card nearby that got read though the only other card I had nearby was the Indala which hasn’t read any other time.

I found some more information about the Indala based on the appearance of the reader. The reader looks like this one HID Indala Proximity Classic Readers 603 | HID Global which the specs say uses Flexsecur which apparently uses a password when it validates cards. https://www.hidglobal.de/sites/default/files/indala-flexsecur-wp-en.pdf. Maybe the card won’t answer unless it is hit with a request using the right password.

1 Like

I have no idea how or why but the Indala card suddenly worked when I scanned it. I must have tried 30 times before with no luck even on raw scan, moving the card around, keeping the card still, leaving it scanning for an hour, nothing worked, but it just worked with a standard scan and can emulate successfully. It shows up as an Indala26.

1 Like

I have just gotten quite a bit more information on our Indala system.

Our system has two levels, a campus level and a department level. The campus issues the cards and controls access to common facilities. The departments can add those cards to their system for access to department specific facilities. The department does not need to write to the cards, just add them in their card management software. I have managed to have a bit of a look at the department level management software and to scan a few other cards.

At the department level a common Facility Code needs to be entered for all the cards for that department along with a specific card number that is printed on the card.
When I scan the cards it comes up with a hex string of 4 two character hex values, FC: which I assume stands for Facility Code but which doesn’t correspond to the facility code of the department and which is different between scanned cards, Card: which doesn’t correspond to the card number printed on the card, Checksum: and W26 Parity: which can be + or - but different cards have different combinations of plus and minus.

I feel like this information should be useful but I am not quite sure what to make of the facility codes and card numbers not matching between scans and the management software.

1 Like

I have a few thoughts and these are purely speculation. Read my ramblings at your own risk because I don’t have much information to work with! It’s possible the facility code is used to segment groups instead of a facility. That would be very useful if you wanted to revoke the cards of a single group. Class of 2023 graduated, second shift laid off, only maintenance coming in.

Alternatively(or in addition) maybe their facility code numbers work like Linux permissions. For the sake of argument let’s say there are 3 buildings.

  1. Is no access
  2. Execute building
  3. Write Building
  4. Read Building

If you only have access to the Execute building you get FC1.
If you only have access to the Write building you have FC2.
If you have access to Execute and Wright buildings FC3. 1+2=3
If you have access to all buildings FC7. 1+2+4=7
Any combination creates a unique number that represents all of the buildings. Networking uses a similar system for calculating subnets.

If I were to apply this to Hex I believe the pattern would look like this
0, 1, 2, 4, 8, F
Then you could have up to 12 facility codes for 00-FF that represents any combination of access to 10 unique facilities or groups.