
lf demodulation walk through with the new graph

marshmellow42 edited this page Jun 19, 2017 · 9 revisions

LF Modulations: FSK, ASK, ASK/Manchester, ASK/Biphase, ASK/Diphase, NRZ, PSK1, PSK2.
what do they mean? how do they work?

learn for yourself using the proxmark3's new graphing functions.

this walkthrough will take a simple HID tag and examine its FSK2a waveform in the new graph.

first, place your tag on the antenna and issue an lf search command:

proxmark3> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

HID Prox TAG ID: 2006020002 (1) - Format Len: 26bit - FC: 1 - Card: 1

Valid HID Prox ID Found!

Valid T55xx Chip Found
Try lf t55xx ... commands

next, let's see the full raw binary for the tag we just read, so issue a data printdemod command:

proxmark3> data printdemod
DemodBuffer:
0001110101010101
0101100101010101
0101010101101001
0101010101011001
0101010101010101
0101010101011001

then do a data plot to open the graph:

proxmark3> data plot

move around in the graph with the arrow keys until you find the blue-lined section (where the demod got its data within the repeating waveform). results:

(image: hid graph)

now the binary we got from the data printdemod matches the binary in blue on the graph.

looking at the graph and how the waves translate to 1s and 0s, we quickly notice that for this FSK2a modulation the wider-spaced waves (often taller too) translate into a 1 bit, while the narrower-spaced waves (often shorter) translate into a 0 bit. that is the frequency changing, hence FSK = frequency shift keying.

(image: graph zoomed in)

that, along with the note at the bottom of the screen telling you that gridX is 50 (i.e. data rate = RF/50, or 50 samples at 125 kHz equals one binary bit), is all we need to know to manually demodulate this type of tag from the graph in the future. (granted, we have automatic tools for this particular tag type.)
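the same reading done in code, as an added example (not part of this wiki page or of the proxmark3 client): measure how widely spaced the waves are inside each RF/50 bit window and map wide to 1, narrow to 0. the sample data is synthesised here; the wave periods of 10 samples (wide, 1) and 8 samples (narrow, 0) are assumptions chosen to fit the description above, not values taken from the page.

```python
# Added example, not part of the original wiki page: a small FSK2a
# demodulator that does what the walkthrough describes by eye, i.e.
# measure how widely spaced the waves are within each RF/50 bit window
# and map wide -> 1, narrow -> 0. The sample data is synthesised here;
# the wave periods of 10 samples (wide, 1) and 8 samples (narrow, 0)
# are assumptions chosen to fit the description, not values from the page.
SAMPLES_PER_BIT = 50      # gridX = 50: RF/50, 50 samples per bit at 125 kHz
WIDE_PERIOD = 10          # wider-spaced wave -> binary 1 (assumed)
NARROW_PERIOD = 8         # narrower-spaced wave -> binary 0 (assumed)
PHASE_UNITS = WIDE_PERIOD * NARROW_PERIOD   # integer phase so both periods divide exactly

def bit_rate_hz(rf_div=SAMPLES_PER_BIT, field_clock_hz=125_000):
    """Data rate implied by 'RF/50 at 125 kHz' (one bit per rf_div samples)."""
    return field_clock_hz / rf_div

def synth_fsk2a(bits):
    """Constructed continuous-phase square wave: each bit lasts SAMPLES_PER_BIT samples."""
    samples, phase = [], 0
    for b in bits:
        step = PHASE_UNITS // (WIDE_PERIOD if b else NARROW_PERIOD)
        for _ in range(SAMPLES_PER_BIT):
            samples.append(1 if phase % PHASE_UNITS < PHASE_UNITS // 2 else -1)
            phase += step
    return samples

def half_periods(samples):
    """(end_index, length) of every half wave, measured between zero crossings."""
    xs = [i for i in range(1, len(samples)) if (samples[i - 1] < 0) != (samples[i] < 0)]
    return [(b, b - a) for a, b in zip(xs, xs[1:])]

def demod_fsk2a(samples):
    """Average the half-wave length inside each 50-sample bit window and threshold it."""
    hp = half_periods(samples)
    threshold = (WIDE_PERIOD + NARROW_PERIOD) / 4     # midway between the two half-wave lengths
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = [length for end, length in hp if start <= end < start + SAMPLES_PER_BIT]
        if not window:
            break                                     # no waves at all: end of usable signal
        avg = sum(window) / len(window)
        bits.append(1 if avg > threshold else 0)      # wide -> 1, narrow -> 0 (FSK2a)
    return bits

if __name__ == "__main__":
    # first line of the DemodBuffer printed above, re-encoded and decoded
    original = [int(c) for c in "0001110101010101"]
    decoded = demod_fsk2a(synth_fsk2a(original))
    print("".join(map(str, decoded)), decoded == original, bit_rate_hz())
```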

now try other modulations!
