Research, development and trades concerning the powerful Proxmark3 device.
I recently had an xEM tag from Dangerous Things installed in my hand. I was excited to reprogram it and in hindsight I should have moved a little slower. This tag is a T5577 compatible device.
When I first attempted to read it, "lf search" using my Proxmark3 Rdv4 (latest official PM3 fw), I didn't read anything. This is the first point I should have stopped and taken a look at what was going on. I then assumed that the tag was blank, though now I realize it should have had an EM4100 ID already programmed. I attempted a "lf t5 detect" and it seemed to be responding, so then I decided to try to program it to a HID key with "lf clone hid deadbeef", then a "lf search". It did not read at this point and I tried several other things including a "lf t5 wipe".
The end result is the tag doesn't respond at all. After the fact I attempted to read my buddy's newly implanted tag and it read easily with an EM4100 tag. There are known issues in trying to effectively couple the antenna to an RFID tag this small. So I am hoping someone can help me determine if the tag is recoverable or completely toasted. I attempted to capture some data that I thought would be useful:
Here is a screenshot of the data plot from an "lf read":
pm3 ~/proxmark3$ client/proxmark3 com3
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-389-g6a0915e-suspect 2018-08-12 17:40:34
os: master/v3.0.1-389-g6a0915e-suspect 2018-08-12 17:40:47
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2017/10/27 at 08:30:59
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 193749 bytes (37%). Free: 330539 bytes (63%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 70.81 V @ 125.00 kHz
# LF antenna: 39.87 V @ 134.00 kHz
# LF optimal: 71.22 V @ 126.32 kHz
# HF antenna: 36.26 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3> lf t5 detect
lf t5 detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
proxmark3> lf search
lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
proxmark3> lf read
lf read
#db# LF Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 78 81 86 8c 8e 91 92 94 ...
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3> data save slack20180812.dat
data save slack20180812.dat
saved to 'slack20180812.dat'
proxmark3>
Here is the "data save"
Last edited by Slack (2021-02-05 08:47:52)
Offline
I highly doubt your implant is bricked. It looks like your tag took the t55xx wipe command just fine, as the trace you uploaded shows a perfect blank tag in default settings. You now need to write something else to it.
Being a small implant, it may take several tries to get all blocks to write correctly (especially if the antenna isn't ideal for small tags).
Safest bet is to write each block individually and try each block multiple times (doing block 0 last).
Offline
Turns out some rdv4.0 have a problem writing to lf t55xx tags. Every now and then the tag hears it but not very often...
Last edited by marshmellow (2018-08-28 16:01:53)
Offline
Turns out the rdv4.0 has a serious problem writing to lf t55xx tags. Every now and then the tag hears it but not very often...
Who reached the conclusion that the RDV40 has a serious problem writing to lf t55xx tags? Personally I have never had any trouble. Additionally, we have also gone to the effort of testing multiple tags on multiple RDV40's to see if performance varies. The results are great!
Can you provide evidence backing this claim other than your own personal experience?
The only conclusion I have reached is that Proxmarks (not just the RDV40) have below average performance when communicating with implants.
Offline
You are correct that the tiny glass tags are problematic without a specialized antenna, and that likely is the OP's issue.
I apologize for the "sensational" verbiage of my comment. At the time I was frustrated with the rdv4.0 (still am) and all the information I have shows a problem with the hardware, just maybe not all the devices. And there were at least 2 people on the Kickstarter comments noticing similar things.
I will continue the discussion of the issue on GitHub, as this isn't the right place for it.
Offline
No problem marshmellow. Thanks for the clarification.
Been there a few times myself with Proxmark devices over the years.
As for the xEM tag, I would suggest keeping a little spacing ~15mm between the antenna and the xEM. Antenna alignment can be fiddly.
Offline
My problem now is that after I compile and flash the Proxmark RDV in Linux, it is working fine there and in the Windows client with this rdv40-64-20201119-57eef7c5a9e90a4ad1f98c634be7651ed781130b. I don't know all the command syntax in cmd from pm3; I prefer to use the older pm3-bin-2.4.0 with Proxmark Tool in Windows, which is more practical, but it does not communicate with the COM port anymore. I tried it in win7x64 and win10x32. I tried to copy the files Proxmark Tool.xml, Proxmark Tool.exe and settings.xml into C:\proxmark3\rdv40-64-20201119-57eef7c5a9e90a4ad1f98c634be7651ed781130b\win64\ to see if it works; no, the settings and the code are different. Do you know how? Is there any program I can use in a graphical environment? Otherwise I will flash again with pm3-bin-2.4.0, which is more practical for me until I learn all the cmd commands. You are experts with more experience; can you help?
Last edited by zissilia (2020-11-22 21:58:41)
Offline
@zissilia, stop cross-posting all over the board and hijacking others' threads. Consider this your first and only reminder.
Offline
I don't know how to delete posts. You tell me not to spam; I did it because the index has many topics and I had 2-3 problems, and I thought it was better to search and post according to the different posts. How am I hijacking others' posts? I don't understand.
Last edited by zissilia (2020-11-27 01:11:25)
Offline
@zissilia, stop cross-posting all over the board and hijacking others' threads. Consider this your first and only reminder.
I don't know how to delete posts. What do you mean by spam? I posted in 3 places, if this is the problem; I did it because the index has many topics and I had 2-3 problems, and I thought it was better to search and post according to the different posts. How am I hijacking others' posts? I don't understand. Must I open a new post every time? Is it not allowed to go to other posts and write there?
With all respect, I sent you an email. I don't know many things here; I am new, so don't be so strict with me, please. It is better to speak by chat; is that possible?
And I admire your work with RFID and everything you do with Proxmark. I also saw the video from the presentation.
With love, ilias
Offline
Since someone has raised my thread from the dead, let's breathe some life into it.
After having ignored this useless lump in my hand for a couple of years I decided I will take another stab at it. I have picked up the ProxLF antenna from Dangerous Things and was hoping it would magically solve my problems. It sure didn't right off the bat, but hopefully it will help.
I have upgraded my Proxmark3 RD4 to recent Iceman firmware.
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.9237-3004-g7034aa525 2021-02-04 14:38:20
compiled with MinGW-w64 10.2.0 OS:Windows (64b) ARCH:x86_64
[ PROXMARK3 ]
firmware.................. PM3RDV4
external flash............ present
smartcard reader.......... present
FPC USART for BT add-on... absent
[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-3004-g7034aa525 2021-02-04 14:38:08
os: RRG/Iceman/master/v4.9237-3004-g7034aa525 2021-02-04 14:38:15
compiled with GCC 8.4.0
[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 309545 bytes (59%) Free: 214743 bytes (41%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
Here is what happens when I do an "lf search". It thinks it is finding something, and is somewhat consistent. I believe some modulation is happening.
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[!] (em4x50) timeout while waiting for reply.
[+] Indala (len 232) Raw: 80000000000000000000000000000000000000000000000000000000
[+] Valid Indala ID found!
[!] (em4x50) timeout while waiting for reply.
I did an "lf t5 wipe" followed by a "lf search". Rinse, repeat. Results are the same.
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0
[=] Begin wiping...
[=] Writing page 0 block: 00 data: 0x000880E0
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] Indala (len 232) Raw: 80000000000000000000000000000000000000000000000000000000
[+] Valid Indala ID found!
Couldn't identify a chipset
A "lf t5 detect" doesn't help either.
[usb] pm3 --> lf t5 det
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 -->
Here are a couple pics of the "data plot" of the "lf search". If someone can suggest some parameters and command to better capture and save useful data I am open to suggestions. It looks like something is going on here.
Thanks for anyone and everyone who is willing to take a look at this!
- Slack
Offline
Well, it looks like it is solved. I was still having no luck and was reading random related info and decided to try the following:
lf t5 write b 0 d 00088040 t
Now I am back in business. I am pretty sure I tried the test mode "t" previously, but I think that was the trick I needed along with the DT ProxLF antenna to provide good coupling to the implant.
Offline
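Added example, not part of the original posts: a decoder for the two block 0 values quoted in this thread (000880E0 from the wipe output, 00088040 from the write that worked), assuming the basic-mode bit layout from the T5577 datasheet. The function and field names are made up for illustration.

```python
# T5577 block 0 (configuration word), basic-mode layout per the T5577 datasheet.
# Datasheet bit 1 is the MSB of the 32-bit word. Names here are illustrative.
BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {
    0x00: "direct/NRZ", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
    0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
    0x08: "Manchester", 0x10: "Biphase",
}

def field(word, first_bit, width):
    """Extract `width` bits starting at datasheet bit `first_bit` (1 = MSB)."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)

def decode_block0(hex_word):
    """Decode a block 0 value given as hex text, e.g. '000880E0'."""
    word = int(hex_word, 16)
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 is a 32-bit word")
    if field(word, 15, 1):
        # Extended (X-mode) words use a different layout; not handled here.
        raise ValueError("X-mode bit set: extended layout, not decoded here")
    mod = field(word, 16, 5)
    return {
        "master_key": field(word, 1, 4),
        "bit_rate": BIT_RATES[field(word, 12, 3)],
        "modulation": MODULATIONS.get(mod, f"reserved (0x{mod:02x})"),
        "psk_cf": field(word, 21, 2),
        "aor": bool(field(word, 23, 1)),
        "max_block": field(word, 25, 3),
        "password": bool(field(word, 28, 1)),
        "seq_terminator": bool(field(word, 29, 1)),
        "por_delay": bool(field(word, 32, 1)),
    }

def diff_config(old_hex, new_hex):
    """Return {field: (old, new)} for every field that differs."""
    old, new = decode_block0(old_hex), decode_block0(new_hex)
    return {k: (old[k], new[k]) for k in old if old[k] != new[k]}

if __name__ == "__main__":
    for value in ("000880E0", "00088040"):  # the two values quoted in this thread
        print(value, decode_block0(value))
    print("changed:", diff_config("000880E0", "00088040"))
```

Both words decode to RF/32 Manchester with no password bit; the only field that differs is the max block, 7 in the wipe default and 2 in the value written with the test-mode flag.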
I've got a T5577 card from KSEC Labs that is exhibiting this same behavior. I can't seem to write to it at all, and any response I can get out of it is that same solid 'scream' that gets interpreted as that Indala 80000000000000000000000000. Can you think of anything else you might have done to get it responding?
Offline