lf t55 chk -h
lf t55 sniff
Could there be an unknown password required?

Regarding your tag remember, you always need to run detect first before trying any other t55xx command.
lf t55xx detect
Here's HW ver, status, and tune:
[usb] pm3 --> hw version
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.9237-2904-g4d2d65a0c 2021-01-23 15:34:18
compiled with GCC 8.3.0 OS:Linux ARCH:arm
[ PROXMARK3 ]
firmware.................. PM3RDV4
external flash............ present
smartcard reader.......... present
FPC USART for BT add-on... absent
[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-2904-g4d2d65a0c 2021-01-23 15:35:39
os: RRG/Iceman/master/v4.9237-2904-g4d2d65a0c 2021-01-23 15:36:29
compiled with GCC 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]
[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 309986 bytes (59%) Free: 214302 bytes (41%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> hw status
[#] Memory
[#] BigBuf_size.............42352
[#] Available memory........42296
[#] Tracing
[#] tracing ................1
[#] traceLen ...............0
[#] dma8 memory.............-2111816
[#] dma16 memory............-2111816
[#] toSend memory...........-2111816
[#] Current FPGA image
[#] mode.................... HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
[#] Flash memory
[#] Baudrate................24 MHz
[#] Init....................OK
[#] Memory size.............2 mbits / 256 kb
[#] Unique ID...............0xD5697C309773D825
[#] Smart card module (ISO 7816)
[#] version.................v3.11
[#] LF Sampling config
[#] [q] divisor.............95 ( 125.00 kHz )
[#] [b] bits per sample.....8
[#] [d] decimation..........1
[#] [a] averaging...........Yes
[#] [t] trigger threshold...0
[#] [s] samples to skip.....0
[#] LF Sampling Stack
[#] Max stack usage.........3960 / 8480 bytes
[#] LF T55XX config
[#]            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]
[#]            mode            |start|write|write|write| read|write|write
[#]                            | gap | gap |  0  |  1  | gap |  2  |  3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) |  29 |  17 |  15 |  47 |  15 | N/A | N/A |
[#] long leading reference     |  29 |  17 |  18 |  50 |  15 | N/A | N/A |
[#] leading zero               |  29 |  17 |  18 |  40 |  15 | N/A | N/A |
[#] 1 of 4 coding reference    |  29 |  17 |  15 |  31 |  15 |  47 |  63 |
[#]
[#] HF 14a config
[#] [a] Anticol override....std : follow standard
[#] [b] BCC override........std : follow standard
[#] [2] CL2 override........std : follow standard
[#] [3] CL3 override........std : follow standard
[#] [r] RATS override.......std : follow standard
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed............500ms
[#] Bytes transferred.......297984
[#] Transfer Speed PM3 -> Client = 595968 bytes/s
[#] Various
[#] Max stack usage.........4104 / 8480 bytes
[#] DBGLEVEL................1 ( ERROR )
[#] ToSendMax...............-1
[#] ToSend BUFFERSIZE.......2308
[#] Slow clock..............33764 Hz
[#] Installed StandAlone Mode
[#] HF - Reading Visa cards & Emulating a Visa MSD Transaction(ISO14443) - (Salvador Mendoza)
[#] Flash memory dictionary loaded
[#] Mifare..................1013 keys
[#] T55x7...................112 keys
[#] iClass..................9 keys
[usb] pm3 --> hw tune
[=] REMINDER: 'hw tune' doesn't actively tune your antennas, it's only informative
[=] Measuring antenna characteristics, please wait...
[=] ---------- LF Antenna ----------
[+] LF antenna: 36.29 V - 125.00 kHz
[+] LF antenna: 26.85 V - 134.83 kHz
[+] LF optimal: 36.02 V - 123.71 kHz
[+] Approx. Q factor (*): 5.4 by frequency bandwidth measurement
[+] Approx. Q factor (*): 6.3 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 48.18 V - 13.56 MHz
[+] Approx. Q factor (*): 8.4 by peak voltage measurement
[+] HF antenna is OK
I can interact with the T5200:
[usb] pm3 --> lf t5 info
--- T55x7 Configuration & Information ---------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 0 - RF/8
eXtended mode : No
Modulation : 0 - DIRECT (ASK/NRZ)
PSK clock frequency : 0 - RF/2
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 0
Password mode : No
Sequence Terminator : No
Fast Write : Yes - Warning
Inverse data : Yes - Warning
POR-Delay : Yes
-------------------------------------------------------------
Raw Data - Page 0, block 0
0x00000007 00000000000000000000000000000111
-------------------------------------------------------------
But writing to it has no effect:
[usb] pm3 --> lf t5 write b 0 d 00088040 t
[=] Writing page 0 block: 00 data: 0x00088040
[#] Using Test Mode
[usb] pm3 --> lf t5 dump
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00000007 | 00000000000000000000000000000111 | ....
[+] 01 | 00000007 | 00000000000000000000000000000111 | ....
[+] 02 | 00000007 | 00000000000000000000000000000111 | ....
[+] 03 | 0000000F | 00000000000000000000000000001111 | ....
[+] 04 | 00000007 | 00000000000000000000000000000111 | ....
[+] 05 | 0000000F | 00000000000000000000000000001111 | ....
[+] 06 | 0000000F | 00000000000000000000000000001111 | ....
[+] 07 | 0000000F | 00000000000000000000000000001111 | ....
[+] Reading Page 1:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00000007 | 00000000000000000000000000000111 | ....
[+] 01 | 0000000F | 00000000000000000000000000001111 | ....
[+] 02 | 0000000F | 00000000000000000000000000001111 | ....
[+] 03 | 0000000F | 00000000000000000000000000001111 | ....
By the way, this is on a "cleared" tag (do a write with the blue cloner without a valid read).
Am I missing something?

I recently picked up a PM3 RDV4, and am just learning. I also picked up a blue cloner and white cloner to play with. I now have what I believe are 20 of these unknown tags (5 white badge style all tagged "EM 410x ID 3D00D51E2C" and 15 blue fob style all tagged "EM 410x ID 0000002049"). I have one real T5577 that came with the pm3, but am trying to see whether I can do anything with these cloner tags other than use them with the cloner. Just learning and trying to figure things out. I've read a bunch of existing posts, and saw a recent update that we haven't been able to locate the data sheet on these yet.
What I've done so far:
* I have sent the reset code "lf t55xx write b 0 d 00148040", and "lf t55xx write b 0 d 00088040", and both with and without the default password (51243648), and it's had no effect on the card. Does this mean they are the "T5200" card?
* I confirmed that both my blue cloner and white cloner can write to these cards. The blue cloner can also "erase" the cards when writing without reading anything first. The white cloner will not write without a valid read first.
* I've tried the "lf t5 chk" and "lf em xxxx chk" commands and nothing found consistently. It sometimes throws a "password found" result - but I think it's garbage output as it's not repeatable.
Has anyone found a way to unlock these cards and write to them with pm3?

The first group is clearly 5577 commands (not shown here). The second group is clearly 4x05 (4305) commands (not shown here).
The third group is the interesting one.
The encoding/modulation seems to be similar to the 5577, where a narrow width pulse is a 0 and a wide pulse is a 1.
The initial 01 has a wider "1" pulse, so it may be a sync pulse.
Lines 2 and 3 are clearly the EM4100 data as it decoded 100% to the tag ID I cloned.
The trailing "1" could just be an end of packet decay.
(It may have a few bit errors; I had 1 error in the EM data, but corrected it.)
The 4 packet streams are very clearly sent as the group shown below, spaces added where I believe needed for sync, command/addr, data and tail.
01 0000100010100000100 000000000000100000000000000000000000000001000000000000000000000000000000 1 <- ? clear ?
01 0000000101000000000 11111111100000110110000000000010 1 <- EM4100 Data
01 0000000101010000000 01001100011011000010010011001100 1 <- EM4100 Data
01 0000000101011111111 00010101000000000001000000000000 1 <- ? Config ?
Has anyone seen anything that looks like the above i.e. 19(?) bits then data with a modulation like the 5577 ?
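The two "EM4100 Data" words quoted above, decoded with the standard EM4100 64-bit frame layout (9 header ones, 10 rows of 4 data bits plus even row parity, 4 column parity bits, a 0 stop bit). This is an added example written for this page, not the poster's code; the bit strings are the ones in the post, and the decoder reports which row or column parity fails so a single bit error like the one the poster mentions can be localised.

```python
# Added example: EM4100 frame decoder with parity diagnostics.
# Frame layout: bits[0:9] = header (all 1), bits[9:59] = 10 rows of
# (4 data bits + even row parity), bits[59:63] = 4 column parity bits
# (even parity over each data column), bits[63] = stop bit (0).

def decode_em4100(bits: str) -> dict:
    """Decode a 64-character '0'/'1' string into the tag ID plus parity faults."""
    if len(bits) != 64:
        raise ValueError("EM4100 frame must be 64 bits")
    if bits[:9] != "1" * 9:
        raise ValueError("missing 9-bit all-ones header")

    nibbles, bad_rows = [], []
    for i in range(10):
        row = bits[9 + 5 * i: 14 + 5 * i]
        data, parity = row[:4], row[4]
        # Even parity: number of ones in the data nibble must match the parity bit.
        if data.count("1") % 2 != int(parity):
            bad_rows.append(i)
        nibbles.append(data)

    col_parity = bits[59:63]
    bad_cols = []
    for c in range(4):
        ones = sum(int(n[c]) for n in nibbles)
        if ones % 2 != int(col_parity[c]):
            bad_cols.append(c)

    tag_id = "".join(f"{int(n, 2):X}" for n in nibbles)  # 10 hex digits
    return {
        "id": tag_id,
        "bad_rows": bad_rows,      # row indices whose parity bit mismatches
        "bad_cols": bad_cols,      # column indices whose parity bit mismatches
        "stop_ok": bits[63] == "0",
    }

# The two data words exactly as listed in the post (capture lines 2 and 3).
SNIFFED_WORDS = (
    "11111111100000110110000000000010",
    "01001100011011000010010011001100",
)

def decode_sniffed() -> dict:
    """Decode the post's two words as one 64-bit EM4100 frame."""
    return decode_em4100("".join(SNIFFED_WORDS))

if __name__ == "__main__":
    print(decode_sniffed())
```

All ten row parities check, but column 1's parity bit does not match the received data, which is the kind of single-bit discrepancy a decoder should flag rather than silently accept.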

So time to step up and learn some more.
What I want to do next is learn to use the playback "lf sim" correctly and work out its challenges and how to best use it, i.e. lf sim with known things first (send commands to a T5577) and make sure they work, then test again against the 4305.
Next I am going to slice up the lf snoop data and play back the unknown part(s). E.g. I know the T5577 packets, so remove those. If that changes the EM4100 ID on my unknown fob, then I know the command is in that remaining group. If it does not, then either it's not in the group or there is a challenge with the data to send with the sim.
So, split that into groups that look like the same modulation/encoding, and play back each (re-setting the EM ID on the fob each time).
So all going well, what I expect to end up with is a group of wave forms that actually write to the fob.
Then I can focus on that to see what it is.
Challenges I expect along the way:
1. Me not doing something correctly. New skills to learn - that's why I'm here.
2. Fob and antenna coupling challenges (so I will work out the best way to hold the fob in the best place).
3. The snooped data not at the correct levels, so back to item 1 and learn about that.
This is where marshmellow's new snoop option will kick in: get a good 1:1 of the data.

If you reset a T5577 or 4305 and try to clone it to the unknown chip blue fob, does anything interesting happen? I would suspect the cloner wouldn't read anything from the reset T5577 or 4305, but just a bit of curiosity from my end...
Thanks!

My 4305 units arrived. I have had a very quick play to see how they behave compared to the unknown chips.
Using the same blue cloner,
- I can read a real 4100 and write to the t5577 and read/recover (already covered)
- I can then clone the same 4100 to the 4305 and read the 4305 blocks (write protect bit set)
- I can reset both the 5577 and 4305 with the blue cloner (turn on and NOT read, just write) and both cards have the passwords cleared and config lock cleared.
- I can clone a real 4100 to the unknown fob and change the ID with the same blue cloner, yet the power on write does not put it into a state that can be used (read or write outside of the emulated 4100 tag)
So, at this point I still don't believe they are 5577 or a 4305, as I would expect the same procedure used on the known chips would have worked on the unknown chip.

I confirmed the lf em 4x05protect command works in my fork, but you cannot change the protection for block 1
pre protect command through protect cmd:
Lock Address 14 | 00008002
Lock Address 15 | 00000000
proxmark3> lf em 4x05protect d 0
Writing Protect data 00000000
Protect Verified
proxmark3> lf em 4x05dump
Got Address 00 | 00040072
Got Address 01 | 3F8DAD59
PWD Address 02 | cannot read
Got Address 03 | 0000D5C3
...
Got Address 13 | 00000000
Lock Address 14 | 00000000
Lock Address 15 | 00008002
@marshmellow, can the protection bit be set to 1 and to 0, or only to 1?

Thx, untested code is fun... sorry about that.
I believe we should set the if compare to > -1
and change the default to -1 so 0 skipped samples could be set
I'll adjust my fork in a bit
And sorry we have drifted from topic
Happy to have my posts removed/moved as needed to keep things clean (as we are off topic a little)

No issues, all good work. You did make it clear "untested" and I did offer to test, so no issue at all. I was impressed with the rapid turn-around.
I did some more detailed testing... so 2 changes needed (then more testing), but looking good
Both are in the file: lfsampling.c
The first one is to bring the data type in line: int to uint32_t.
Change:
Old: uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, int samples_to_skip)
New: uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, uint32_t samples_to_skip)
And the compare needs the switching
old
if (samples_to_skip < samples_skipped) {
samples_skipped++;
continue;
}
new
if (samples_to_skip > samples_skipped) {
samples_skipped++;
continue;
}
After that it seems to be done.