The config/data looks OK, nothing that should prevent it from working.
Let's run a quick test to see if the card is a real T5577 or a clone.
The clones I have seen don't support the other downlink modes, so by trying to set one and checking it applies should help confirm it.
(in the rrg repo, the command would be)
lf t55 write -b 3 --pg1 -d 90000800
then, re-detect (lf t55 det)
and check the downlink status
If it's a real T5577 it should be: [=] Downlink mode..... leading zero reference
To clear it, just set it back to 00's
lf t55 write -b 3 --pg1 -d 00000000
[usb] pm3 --> lf t55x det
[=] Chip type......... T55x7
[=] Modulation........ ASK
[=] Bit rate.......... 2 - RF/32
[=] Inverted.......... No
[=] Offset............ 32
[=] Seq. terminator... Yes
[=] Block0............ 000880E8 (auto detect)
[=] Downlink mode..... default/fixed bit length
[=] Password set...... No
[usb] pm3 --> lf t55 write -b 3 --pg1 -d 90000800
[=] Writing page 1 block: 03 data: 0x90000800
[usb] pm3 --> lf t55x det
[=] Chip type......... T55x7
[=] Modulation........ ASK
[=] Bit rate.......... 2 - RF/32
[=] Inverted.......... No
[=] Offset............ 32
[=] Seq. terminator... Yes
[=] Block0............ 000880E8 (auto detect)
[=] Downlink mode..... default/fixed bit length
[=] Password set...... No
So according to this I think this is a clone, not an original one. What are your thoughts?
It is possible that the card is not a real T5577 and thus does not support test mode. The vendor could have set and locked the traceability data (blocks 1 and 2 page 1).
The other thing that could block it is the actual config, i.e. test mode can be turned off.
Keep in mind a way to test if the card is a real T5577 is to change its downlink mode. The clones (also) don't support the page 1 block 3 config (see the T5577 datasheet).
Can you supply a dump of the card for review?
Sure
[usb] pm3 --> lf t55x detect
[=] Chip type......... T55x7
[=] Modulation........ ASK
[=] Bit rate.......... 2 - RF/32
[=] Inverted.......... No
[=] Offset............ 32
[=] Seq. terminator... Yes
[=] Block0............ 000880E8 (auto detect)
[=] Downlink mode..... default/fixed bit length
[=] Password set...... No
[usb] pm3 --> lf t55x dump
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 000880E8 | 00000000000010001000000011101000 | ....
[+] 01 | 01DEE272 | 00000001110111101110001001110010 | ...r
[+] 02 | 6263F224 | 01100010011000111111001000100100 | bc.$
[+] 03 | 26D4CC20 | 00100110110101001100110000100000 | &..
[+] 04 | 99625FF5 | 10011001011000100101111111110101 | .b_.
[+] 05 | 50BE706A | 01010000101111100111000001101010 | P.pj
[+] 06 | 7681A1A1 | 01110110100000011010000110100001 | v...
[+] 07 | 03B446B7 | 00000011101101000100011010110111 | ..F.
[+] Reading Page 1:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 000880E8 | 00000000000010001000000011101000 | ....
[+] 01 | E01500D0 | 11100000000101010000000011010000 | ....
[+] 02 | C8013966 | 11001000000000010011100101100110 | ..9f
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] saved to json file lf-t55xx-01DEE272-6263F224-26D4CC20-99625FF5-50BE706A-7681A1A1-03B446B7-dump.json
[+] saved 12 blocks to text file lf-t55xx-01DEE272-6263F224-26D4CC20-99625FF5-50BE706A-7681A1A1-03B446B7-dump.eml
[+] saved 48 bytes to binary file lf-t55xx-01DEE272-6263F224-26D4CC20-99625FF5-50BE706A-7681A1A1-03B446B7-dump.bin
5200 can modify the anti-counterfeiting traceability code of the t55x7 series. My supplier has this chip.
Thanks for the feedback.
I have same "original" T5577 and the traceability blocks are locked by Atmel. BUT if you write using the test mode, it will clear the lock bits and can then set/use as any other block.
I have some, so called "T5200" or that is what the seller told me.
These cards look like the T5577 but the traceability blocks were not locked, as you stated.
BUT these chips DON'T support the test mode, they also don't support the AFE Config block 3 page 1.
I was hoping the T5200 was a different chip, as I have some fobs/cards that come with the cloner that I can't ID.
The cloner writes the EM4100 id, which you can search, but I can't read the data blocks at all. I can work with the cloner made 5200, 5577, EM4305, but not these.
I thought they MAY have been the T5200 as that was a chip ID on the cloner's website.
So the search continues for what they are.
Hello, today I got T5577 and I restored them using lf t55x restore commands but as you said traceability blocks are locked. I tried to write to these blocks using test mode and still no success, or maybe I couldn't use test mode correctly? Any suggestions? Thanks,
Lots of unknowns.
But, logic says the decode is correct and a high chance it's what's needed for the "unknown" tag.
- The blue cloner ONLY sends 3 types of packets. The T55x7, the EM4305 and the unknown.
- If I use a known EM4305, I can fully access and control the card (after a clone)
- If I use a known T5577, I can fully access and control the card (after a clone)
- If I use the unknown tag, the EM4305 and T5577 commands do nothing.
The only other option I can see is that it is getting programmed by the T5577 and EM4305 commands, BUT must be done before it times out and starts transmitting its ID.
So, given the lack of actual knowns.... I am trying to see if I can shorten the gap between the power up and sending the command to match the sampled data.
The great unknown Tag.
To recap:
I have 2 blue cloners and 1 white one with the LCD screen. When you write an EM4100 tag, you can see there are three different types of output, T55x7, EM4305 and the unknown. Since I know the fobs are not T55x7 nor EM4305, whatever they are must respond to the last set of packets.
For those interested in doing their own traces, you may need to make a few captures at different skip offsets to get all of the packets.
(thanks again to marshmallow for adding that)
A little bit more information.
This time I looked at the packets from the white cloner (side note: the white cloner set different passwords on the T55x7 that changed as the EM4100 id changed). In the trace files from the white cloner I can see that they are 16 bits longer, and also sent more packets than the blue cloners.
The following is the decoded data with some comments.
Note: the blue cloner did have a different EM4100 ID (but very happy the EM4100 Data is 100% correct).
blue
0100(0) 01000101 00000000 - 00000000 00000000 00000000 00000000 - 00000000 00000000 00000000 00000000 - 00000000
0100(0) 00001010 00000000 - 11111111 10000011 01100000 00000010 <- EM4100 Data
0100(0) 00001010 10000000 - 01001100 01101100 00100100 11000100 <- EM4100 Data
0100(0) 00001010 11111111 - 00000101 00000000 00000000 00000000
white (blank password)
0100(1) 01000101 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 11001110 10101110
0100(1) 00001010 00000000 11111111 10000000 00000000 00000000 <- EM4100 Data 01001110 10011010
0100(1) 00001010 10000000 00000000 01100000 00011010 01010010 <- EM4100 Data 00010001 11010111
0100(1) 00001010 11111111 00000101 00000000 00000000 00000000 <- Config ?? 11011000 10001001
0100(1) 00001010 01111111 11100010 00010101 10101100 10000100 (set password) 00001110 00010010
(white with password : E215AC84) Password
0100(1) 01000101 00000000 00000000 00000000 00000000 00000000 00000000 [11100010 00010101 10101100 10000100] 10000110 10100000
0100(1) 00001010 00000000 11111111 10000000 00000000 00000000 01001110 10011010
0100(1) 00001010 10000000 00000000 01100000 00011010 01010010 00010001 11010111
... more data would follow if I skipped some more samples...
The blue was included as a reference to the original tests.
The two white ones come from the same write, so the first group is a write to a "blank" card / default 00000000 password (similar to the blue).
But note how the 5th bit was 0 on the blue and no trailing bits, but a 1 on the white, where it seems to have an extra 16 bits.
So at a guess I assume the 5th bit is a flag for using a check or signature of some sort.
Next, we can see that the data set in the 5th write in group 1 was then supplied in the 1st packet of group 2. As such, I think this is the password, and that the 1st packet is a logon command (still guess work).
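The comparison made in the post above, as an added example (not the poster's code): split a decoded line into the 4-bit prefix, the flag bit, the first byte, the remaining bytes and, when the flag is 1, the 16 trailing bits, then compare the last 32 payload bits of two packets. The field names `command`, `payload` and `trailer` are hypothetical labels, and the layout follows the poster's guess rather than any datasheet.

```python
import re

# Decoded lines copied from the post above, annotations included.
SET_PASSWORD = ("0100(1) 00001010 01111111 11100010 00010101 10101100 "
                "10000100 (set password) 00001110 00010010")
LOGON = ("0100(1) 01000101 00000000 00000000 00000000 00000000 00000000 "
         "00000000 [11100010 00010101 10101100 10000100] 10000110 10100000")
BLUE_WRITE = ("0100(0) 00001010 00000000 - 11111111 10000011 01100000 "
              "00000010 <- EM4100 Data")


def parse_packet(line):
    """Split one decoded line into fields (names are hypothetical labels)."""
    head = re.match(r"\s*([01]{4})\(([01])\)", line)
    if not head:
        raise ValueError("expected a 4-bit prefix followed by a flag bit")
    # Keep only exact 8-bit groups; comments, dashes and brackets are skipped.
    octets = [int(bits, 2) for bits in
              re.findall(r"(?<![01])[01]{8}(?![01])", line[head.end():])]
    flag = int(head.group(2))
    trailer = b""
    if flag:
        # Poster's guess: flag 1 means 16 extra bits (check/signature) follow.
        if len(octets) < 3:
            raise ValueError("flagged packet is too short for a trailer")
        octets, trailer = octets[:-2], bytes(octets[-2:])
    if not octets:
        raise ValueError("no command byte found")
    return {"prefix": head.group(1), "flag": flag, "command": octets[0],
            "payload": bytes(octets[1:]), "trailer": trailer}


def last_word(packet):
    """Final 32 bits of the payload as upper-case hex."""
    return packet["payload"][-4:].hex().upper()


if __name__ == "__main__":
    for name, line in (("set password", SET_PASSWORD), ("logon", LOGON),
                       ("blue write", BLUE_WRITE)):
        p = parse_packet(line)
        print(f"{name}: cmd=0x{p['command']:02X} word={last_word(p)} "
              f"trailer={p['trailer'].hex().upper() or '-'}")
```
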
Note, the "T5200" that I have, I can clone an EM4100 id to them with a Blue or White cloner and then fully recover them with the proxmark.
I can re-clone a different EM4100 id and all works.
I can also protect with a password and the cloners can't use them (as they don't know the password that I set).
So if there is a LF card used by the cloners that encrypts, I would like to know more.
I found that the T5200 named cards I got sent ended up looking like a T5577 but not 100% the same.
The fob is still resisting, so different chip again (???) and I still really want to know what that command set is.
The T5200 named cards I got sent:
The first 2 I used/tested were not the same as the rest (used maybe??), they had a password that I missed (normal blue password), and once cleared did show up as a T5577 and commands seem to work. The remainder of the pack was pre-programmed as EM4100 tags, but no password.
The interesting bit:
The Block 3 Page 1 config was 00A00003 on all of them (note, for that to be active first nibble should be 6 or 9, and the last 2 bits are set to 3 where the T5577 doc states 00, reserved).
I then set that to a valid page 1 config to set up leading 0 and it did NOT apply.
I tried 1 of 4 and again it did not apply.
It did write the data and I could read the data, just not applied as the analog front end config.
So these cards while looking like a T5577 are a clone(?) and not fully featured, so I tend to believe these are the named T5200 chips.
The original fob I got still is not responding to anything I do yet, so will keep looking into that and see what I can find.
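The two checks used in this thread, as an added example (not code from the posters or from the Proxmark3 project): parse the `lf t55x detect` output taken after the test write to see whether the downlink mode changed, and check a page 1 block 3 value against the rules quoted above (first nibble 6 or 9, last 2 bits 00). The detect text is trimmed from output quoted earlier in the thread; the function names are hypothetical.

```python
import re

# Trimmed from the detect output a poster captured after the test write.
DETECT_AFTER_WRITE = """\
[=] Chip type......... T55x7
[=] Seq. terminator... Yes
[=] Block0............ 000880E8 (auto detect)
[=] Downlink mode..... default/fixed bit length
"""
# Constructed sample: the line the thread says a real T5577 shows instead.
DETECT_REAL = DETECT_AFTER_WRITE.replace(
    "default/fixed bit length", "leading zero reference")


def detect_fields(text):
    """Parse '[=] Name..... value' lines into a {name: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\[=\]\s+(.+?)\.{2,}\s*(.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields


def downlink_applied(detect_text, expected="leading zero reference"):
    """True if detect reports the downlink mode the test write requested."""
    return detect_fields(detect_text).get("downlink mode") == expected


def afe_block_issues(hex_word):
    """Check a page 1 block 3 word against the two rules quoted in the thread."""
    value = int(hex_word, 16)
    issues = []
    if value >> 28 not in (0x6, 0x9):
        issues.append("first nibble is not 6 or 9, so the config is not active")
    if value & 0x3:
        issues.append("last 2 bits are not 00 (reserved)")
    return issues


if __name__ == "__main__":
    for name, text in (("tested card", DETECT_AFTER_WRITE),
                       ("real T5577", DETECT_REAL)):
        print(name, "-> downlink change applied:", downlink_applied(text))
    for word in ("90000800", "00A00003", "00000000"):
        print(word, afe_block_issues(word) or "passes both checks")
```
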