Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-12-06 15:52:06

Galahad8
Contributor
Registered: 2018-12-04
Posts: 8

How can I use Proxmark to simulate a full function T5577 card?

Hi everyone.
I have a Chinese cloner that has a problem.
It encrypts the card data after cloning a card.
I want to know the cloner's pwd.
So I need to crack it.
My idea is to simulate a card and let the Chinese cloner write to it.
Then I can read the data from the simulated card.
I mean not only simulating the tag number.
I need it to simulate all functions.
This includes Page0 and Page1, with 8 blocks to store data.
The stored data should be readable and bypass the encryption.
Block 7 should be directly readable.
The simulation should be readable and writable by the Chinese cloner.
Does anyone have an idea to help me out?
Thank you.

Offline

#2 2018-12-06 18:04:51

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: How can I use Proxmark to simulate a full function T5577 card?

The password is probably in this file: https://github.com/Proxmark/proxmark3/blob/master/client/default_pwd.dic

Offline

#3 2018-12-06 18:17:09

Galahad8
Contributor
Registered: 2018-12-04
Posts: 8

Re: How can I use Proxmark to simulate a full function T5577 card?

Spyder wrote:

The password is probably in this file: https://github.com/Proxmark/proxmark3/blob/master/client/default_pwd.dic

I checked everything in that default dic... Did not find anything...

Offline

#4 2018-12-08 17:24:45

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: How can I use Proxmark to simulate a full function T5577 card?

Programming the PM3 to do complete low-level simulation of the card may be possible, but it's a major undertaking. If all you're looking for is the password being provided by the cloner, please look into the documentation on the LF snoop function. I have used this and the T55xx datasheet to "decode" the data being sent to a card. In one of the initial transactions, the password will be present in the snooped data.

For reference, I have placed the PM3 directly behind a T55xx tag, set the threshold to 64, and run the snoop command. The data in the first few exchanges was present in the buffer and could be read directly on the view from the client software.

Thankfully, the T55xx write transaction is relatively easy to read. You need to figure out the different pulse widths to identify 1 from 0, and since it's roughly a 100% width difference between bit values, it's fairly easy to see. Ignore the oddities in amplitude overall; a lot of the Chinese cloners don't hold the full amplitude across the entire bit, so the trailing half will often appear as a slope.

Offline

#5 2018-12-08 19:01:52

Galahad8
Contributor
Registered: 2018-12-04
Posts: 8

Re: How can I use Proxmark to simulate a full function T5577 card?

grauerfuchs wrote:

Programming the PM3 to do complete low-level simulation of the card may be possible, but it's a major undertaking. If all you're looking for is the password being provided by the cloner, please look into the documentation on the LF snoop function. I have used this and the T55xx datasheet to "decode" the data being sent to a card. In one of the initial transactions, the password will be present in the snooped data.

For reference, I have placed the PM3 directly behind a T55xx tag, set the threshold to 64, and run the snoop command. The data in the first few exchanges was present in the buffer and could be read directly on the view from the client software.

Thankfully, the T55xx write transaction is relatively easy to read. You need to figure out the different pulse widths to identify 1 from 0, and since it's roughly a 100% width difference between bit values, it's fairly easy to see. Ignore the oddities in amplitude overall; a lot of the Chinese cloners don't hold the full amplitude across the entire bit, so the trailing half will often appear as a slope.

Thanks for your help.

As you said, I tried this way on my PM3 device. My device firmware & software version is 20180118.
It looks like it doesn't work well.

The data plot and buffer get the signal well. I am using "data undec" and "data rawdemod am" to translate it to bit format.
When I read the result according to the T5577 datasheet definition, the data is the tag number. It does not include the data my cloner sent.

Is there something I missed?
My steps:
1. Put the tag on the PM3 LF antenna.
2. Enter the lf snoop command in the software screen.
3. Set a tag number on my cloner.
4. Press Enter to put the PM3 snoop into effect.
5. Press the Write button on my cloner.
6. Use the data series commands to decode the snoop samples.

BTW, I didn't see any command for reviewing the lf snoop samples in the LF command list. But the HF command list has "list" to review the transaction details. In fact I am not sure my decode method is right, even though I read the tag number from my result. LOL.

Offline

#6 2018-12-09 17:27:29

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: How can I use Proxmark to simulate a full function T5577 card?

6: You wouldn't have a transaction on the PM3 because it's only snooping. You'll be using the "data plot" command, and you would manually read the data from the way it looks on the scope. The PM3 does not yet have the code to translate this data into bits.

Offline

#7 2018-12-10 16:44:08

Galahad8
Contributor
Registered: 2018-12-04
Posts: 8

Re: How can I use Proxmark to simulate a full function T5577 card?

grauerfuchs wrote:

6: You wouldn't have a transaction on the PM3 because it's only snooping. You'll be using the "data plot" command, and you would manually read the data from the way it looks on the scope. The PM3 does not yet have the code to translate this data into bits.

Hi grauerfuchs.
I got a t5557 datasheet file and I read it. I understand there is a 32-bit pwd in the snoop track.
But the datasheet file didn't tell me how to read the wave shape in the plot window.

The file just has the data formats and the write data protocol.

Do you have any pic about how to read it from the plot window?
Please show me some sample pics.
I really need it.

If you need my track file, let me know pls. I will send it to you.


Best Regards.

Galahad

Offline

#8 2018-12-13 20:12:12

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: How can I use Proxmark to simulate a full function T5577 card?

Galahad8, can you attach track file from your Chinese reader?

Offline

#9 2018-12-14 10:27:37

Galahad8
Contributor
Registered: 2018-12-04
Posts: 8

Re: How can I use Proxmark to simulate a full function T5577 card?

anybody wrote:

Galahad8, can you attach track file from your Chinese reader?

Yes.. I sent it to a netdisk website..
Here are the links:

https://www9.zippyshare.com/v/FBqwi9bv/file.html
https://www9.zippyshare.com/v/ZGyaEGEe/file.html

You can download it from the website.
I dumped the track twice to make sure nothing was missed.

I tried using fsk mode to decode the track.
Here is the software decode result.

However, the result does not fit the datasheet file's digital format & protocol.
If you could help me, thanks.

Offline

#10 2018-12-18 10:12:46

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: How can I use Proxmark to simulate a full function T5577 card?

Galahad8,
Try pwd 19 92 04 27

Offline

#11 2018-12-19 17:04:13

Galahad8
Contributor
Registered: 2018-12-04
Posts: 8

Re: How can I use Proxmark to simulate a full function T5577 card?

proxmark3> lf t55xx read b 0 p 19920427
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Safety Check: Could not detect if PWD bit is set in config block. Exits.
proxmark3>

No offense, but it did not work. In fact I tried all the passwords that I found in this forum.
I appreciate everything you did for me.

Offline

#12 2018-12-19 18:22:22

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: How can I use Proxmark to simulate a full function T5577 card?

Galahad8, your track files consist of
write commands for:
blk7 - pwd: 19 92 04 27
blk0 - cfg: 00 14 80 50
blk1, blk2 - em4100: 00 00 00 00 FF (track0)
blk1, blk2 - em4100: 00 00 00 01 90 (track1)

Last edited by anybody (2018-12-25 08:25:20)

Offline

#13 2018-12-20 02:05:16

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: How can I use Proxmark to simulate a full function T5577 card?

Unfortunately, I can't post a picture of an annotated trace at the moment. What you're looking for is a spot where the signal starts and stops frequently. In a write operation, the 1s and 0s are encoded in the length of time the oscillator outputs a signal as counted from the points where the output drops to very low values. The datasheet does have a very basic diagram of this, but it doesn't show the waveform itself, only the fact that the signal is dropped between bits. When I read the scope for this signal, I tend to read it in the raw. The demod functions may or may not work reliably.

Some of these devices will have long "off" periods between groups. The plot window will often show a long slope when it tries to autoselect the amplitude range it is displaying. Just compress the display until you get a section where the overall amplitude is fairly consistent and start looking for the signal there.

Offline
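
Added example, not part of any post in this thread and not Proxmark3 code: a Python sketch of the manual reading described above, turning field-on lengths measured between gaps into bits and splitting each group into T55xx write-command fields (opcode, optional 32-bit password, lock bit, data, block address). The durations are constructed: the block 7 and block 0 values come from post #12, the third frame's data is made up, and all function names and timing constants are assumptions.

```python
from statistics import median

SHORT, LONG, IDLE = 24, 54, 600   # constructed field-on lengths, in samples

def encode(bits):
    """Build constructed field-on durations for a bit string, with small jitter."""
    return [(LONG if b == "1" else SHORT) + (i % 5) - 2 for i, b in enumerate(bits)]

def write_frame(block, data, page=0, lock=0, password=None):
    """T55xx write: opcode '1p', optional 32-bit password, lock, data, block address."""
    pwd = "" if password is None else f"{password:032b}"
    return f"1{page}{pwd}{lock}{data:032b}{block:03b}"

def decode(durations, idle_factor=4):
    """Split on idle periods, then classify each period as 0 (short) or 1 (long)."""
    limit = idle_factor * median(durations)
    active = [d for d in durations if d <= limit]
    threshold = (min(active) + max(active)) / 2   # midpoint between the two widths
    frames, current = [], ""
    for d in durations + [limit + 1]:             # sentinel flushes the last frame
        if d > limit:
            if current:
                frames.append(current)
            current = ""
        else:
            current += "1" if d > threshold else "0"
    return frames

def parse_write(bits):
    """Return the fields of a 38-bit (plain) or 70-bit (password) write, else None."""
    if len(bits) not in (38, 70) or bits[0] != "1":
        return None
    body, password = bits[2:], None
    if len(bits) == 70:
        password, body = int(body[:32], 2), body[32:]
    return {"page": int(bits[1]), "password": password, "lock": body[0] == "1",
            "data": int(body[1:33], 2), "block": int(body[33:36], 2)}

# Constructed capture: block 7 and block 0 values as reported in post #12,
# followed by a password-mode write with made-up data.
SAMPLE = (encode(write_frame(7, 0x19920427)) + [IDLE] +
          encode(write_frame(0, 0x00148050)) + [IDLE] +
          encode(write_frame(1, 0x12345678, password=0x19920427)))

def demo():
    return [parse_write(f) for f in decode(SAMPLE)]

if __name__ == "__main__":
    for w in demo():
        print(w)
```

A plain write of block 7 carries the password as its data field, while a password-mode write carries it right after the opcode; the frame length (38 or 70 bits) tells the two apart.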
