Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-12-06 15:52:06

Galahad8
Contributor
Registered: 2018-12-04
Posts: 6

How can I use Proxmark to simulate a full function T5577 card?

Hi everyone.
I have a Chinese cloner that has a problem.
It encrypts the card data after cloning a card.
I want to know the cloner's password.
So I need to crack it.
My idea is to simulate a card and let the Chinese cloner write to it.
Then I can read the data from the simulated card.
I mean not only tag number simulation.
I need it to simulate all functions.
This includes Page0 and Page1, and 8 blocks to store data.
It should be possible to read the stored data and bypass the encryption.
Block 7 should be directly readable.
The simulation should be readable and writable by the Chinese cloner.
Does anyone have an idea to help me out?
Thank you.


#2 2018-12-06 18:04:51

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: How can I use Proxmark to simulate a full function T5577 card?

The password is probably in this file: https://github.com/Proxmark/proxmark3/blob/master/client/default_pwd.dic


#3 2018-12-06 18:17:09

Galahad8
Contributor
Registered: 2018-12-04
Posts: 6

Re: How can I use Proxmark to simulate a full function T5577 card?

Spyder wrote:

The password is probably in this file: https://github.com/Proxmark/proxmark3/blob/master/client/default_pwd.dic

I checked everything in that default dic. Didn't find anything.


#4 2018-12-08 17:24:45

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 26

Re: How can I use Proxmark to simulate a full function T5577 card?

Programming the PM3 to do complete low-level simulation of the card may be possible, but it's a major undertaking. If all you're looking for is the password being provided by the cloner, please look into the documentation on the LF snoop function. I have used this and the T55xx datasheet to "decode" the data being sent to a card. In one of the initial transactions, the password will be present in the snooped data.

For reference, I have placed the PM3 directly behind a T55xx tag, set the threshold to 64, and run the snoop command. The data in the first few exchanges was present in the buffer and could be read directly on the view from the client software.

Thankfully, the T55xx write transaction is relatively easy to read. You need to figure out the different pulse widths to identify 1 from 0, and since it's roughly a 100% width difference between bit values, it's fairly easy to see. Ignore the oddities in amplitude overall; a lot of the Chinese cloners don't hold the full amplitude across the entire bit, so the trailing half will often appear as a slope.


#5 2018-12-08 19:01:52

Galahad8
Contributor
Registered: 2018-12-04
Posts: 6

Re: How can I use Proxmark to simulate a full function T5577 card?

grauerfuchs wrote:

Programming the PM3 to do complete low-level simulation of the card may be possible, but it's a major undertaking. If all you're looking for is the password being provided by the cloner, please look into the documentation on the LF snoop function. I have used this and the T55xx datasheet to "decode" the data being sent to a card. In one of the initial transactions, the password will be present in the snooped data.

For reference, I have placed the PM3 directly behind a T55xx tag, set the threshold to 64, and run the snoop command. The data in the first few exchanges was present in the buffer and could be read directly on the view from the client software.

Thankfully, the T55xx write transaction is relatively easy to read. You need to figure out the different pulse widths to identify 1 from 0, and since it's roughly a 100% width difference between bit values, it's fairly easy to see. Ignore the oddities in amplitude overall; a lot of the Chinese cloners don't hold the full amplitude across the entire bit, so the trailing half will often appear as a slope.

Thanks for your help.

As you said, I tried this way on my PM3 device. My device firmware and software version is 20180118.
It looks like it doesn't work well.

The data plot and buffer get the signal well. I am using "data undec" and "data rawdemod am" to translate it to bit format.
When I read the result according to the T5577 datasheet definition, the data is the tag number. It does not include the data my cloner sent.

Is there something I missed?
My steps:
1. Put the tag on the PM3 LF antenna.
2. Enter the lf snoop command in the software screen.
3. Set a tag number on my cloner.
4. Press Enter to start the PM3 snoop.
5. Press the Write button on my cloner.
6. Use the data series of commands to decode the snoop samples.

BTW, I didn't see any command for reviewing the lf snoop samples in the LF command list, but the HF command list has "list" to review the transaction details. In fact, I am not sure my decode method is right, even though I read the tag number from my work result. LOL.


#6 2018-12-09 17:27:29

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 26

Re: How can I use Proxmark to simulate a full function T5577 card?

6: You wouldn't have a transaction on the PM3 because it's only snooping. You'll be using the "data plot" command, and you would manually read the data from the way it looks on the scope. The PM3 does not yet have the code to translate this data into bits.
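
Added example, not part of any post in this thread and not Proxmark code: a width-only decoder for the manual reading described in posts #4 and #6, run on a constructed trace with sagging bit amplitudes. The frame layout (opcode, optional 32-bit password, lock bit, 32 data bits, 3 block bits), the nominal 24/56 carrier-cycle widths, and all sample values are assumptions to check against the T55xx datasheet.

```python
HIGH, LOW = 100, 5   # constructed envelope levels: field on / field gap

def build_trace(bits, w0=24, w1=56, gap=15, idle=300):
    """Constructed test signal: idle field, start gap, then one field-on run
    per bit (short = 0, long = 1), each followed by a write gap. The second
    half of every bit run sags, like the sloped cloner output described above."""
    sag = lambda w: [HIGH] * (w // 2) + [HIGH - i for i in range(w - w // 2)]
    trace = [HIGH] * idle + [LOW] * gap
    for b in bits:
        trace += sag(w1 if b else w0) + [LOW] * gap
    return trace + [HIGH] * idle

def field_on_runs(samples, threshold):
    """Lengths of consecutive above-threshold runs (field on between gaps)."""
    runs, n = [], 0
    for s in list(samples) + [threshold]:   # sentinel flushes the final run
        if s > threshold:
            n += 1
        elif n:
            runs.append(n)
            n = 0
    return runs

def runs_to_bits(runs):
    """Classify by width only: shortest run = '0', about twice that = '1',
    anything much longer is idle carrier outside the frame."""
    w0 = min(runs)                          # assumes the frame has at least one 0
    return [int(r >= 1.5 * w0) for r in runs if r < 3 * w0]

def parse_write(bits):
    """Assumed layout: opcode(2) [password(32)] lock(1) data(32) block(3)."""
    if len(bits) not in (38, 70) or bits[0] != 1:
        raise ValueError(f"not a write frame ({len(bits)} bits)")
    num = lambda bs: int("".join(map(str, bs)), 2)
    body = bits[2:]
    pwd = num(body[:32]) if len(bits) == 70 else None
    body = body[32:] if len(bits) == 70 else body
    return {"page": bits[1], "password": pwd, "lock": body[0],
            "data": num(body[1:33]), "block": num(body[33:36])}

def demo():
    # Constructed frame: password write of 0xDEADBEEF to page 0, block 1.
    word = lambda v, n: [int(c) for c in format(v, f"0{n}b")]
    sent = [1, 0] + word(0x1A2B3C4D, 32) + [0] + word(0xDEADBEEF, 32) + word(1, 3)
    return parse_write(runs_to_bits(field_on_runs(build_trace(sent), 30)))

if __name__ == "__main__":
    print(demo())
```

The threshold only has to sit between the gap level and the lowest point of the sagging bit; the classification itself never looks at amplitude.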


#7 Yesterday 16:44:08

Galahad8
Contributor
Registered: 2018-12-04
Posts: 6

Re: How can I use Proxmark to simulate a full function T5577 card?

grauerfuchs wrote:

6: You wouldn't have a transaction on the PM3 because it's only snooping. You'll be using the "data plot" command, and you would manually read the data from the way it looks on the scope. The PM3 does not yet have the code to translate this data into bits.

Hi grauerfuchs.
I got a T5557 datasheet file and read it. I understand there is a 32-bit password in the snoop track.
But the datasheet file didn't tell me how to read the wave shape in the plot window.

The file only has the data formats and the write data protocol.

Do you have any picture showing how to read it from the plot window?
Please show me some sample pictures.
I really need it.

If you need my track file, please let me know. I will send it to you.


Best Regards.

Galahad

