Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-01-10 08:53:41

Zeushn
Contributor
Registered: 2019-01-10
Posts: 8

LF T55xx Chinese unknown card

I am trying to decode/clone my Chinese office access card.
I have used "lf search" and no results and "lf search u" gives the following result:

proxmark3> lf search u
NOTE: some demods output possible binary
  if it finds something that looks like a tag         
False Positives ARE possible
         

Checking for known tags:
         

No Known Tags Found!
         

Checking for Unknown tags:
         
Possible Auto Correlation of 5248 repeating samples         

Found Sequence Terminator - First one is shown by orange and blue graph markers         

Using Clock:32, Invert:0, Bits Found:513         
ASK/Manchester - Clock: 32 - Decoded bitstream:         
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
         

Unknown ASK Modulated and Manchester encoded Tag Found!         

if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'         

Valid T55xx Chip Found
Try lf t55xx ... commands




Then I tried "data rawdemod am" but the results don't seem correct:

data rawdemod am

Using Clock:32, Invert:0, Bits Found:513         
ASK/Manchester - Clock: 32 - Decoded bitstream:         
0110110110001111
0001110000100100
0001100000001000
0011101100011100
1001011010010010
0100010100001100
1001100000000011
0011001100110110
1001001111000177
1001001011001100
0101101101100011
1100011100001001
0000011000000010
0000111011000111
0010010110100100
1001000101000011
0010011000000000
1100110011001101
1010010011110001
7710010010110011
0001011011011000
1111000111000010
0100000110000000
1000001110110001
1100100101101001
0010010001010000
1100100110000000
0011001100110011
0110100100111100
0177100100101100
1100010110110110
0011110001110000

hw version and hw tune output:

hw version
\Prox/RFID mark3 RFID instrument         
bootrom: master/v3.1.0-41-g786ad91-dirty-suspect 2019-01-09 05:07:17
os: master/v3.1.0-41-g786ad91-dirty-suspect 2019-01-09 05:07:38
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/09/12 at 15:18:46
SmartCard Slot: not available
         
uC: AT91SAM7S256 Rev B         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes. Used: 198864 bytes (76%). Free: 63280 bytes (24%).         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory

hw tune

Measuring antenna characteristics, please wait.........         
# LF antenna: 24.06 V @   125.00 kHz         
# LF antenna: 19.80 V @   134.00 kHz         
# LF optimal: 23.65 V @   123.71 kHz         
# HF antenna: 24.78 V @    13.56 MHz         
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.


I'm not an expert on pm3 and am trying to learn to get this to work; I will appreciate the help.

Thank you.

Offline

#2 2019-01-11 02:55:43

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: LF T55xx Chinese unknown card

The good news is you found a T55xx chip. Have you tried 'lf t55 detect' followed by 'lf t55 dump'? If it can read the raw blocks, you'll still be able to clone it even if you can't decode it yet. Additionally, the dumped result will provide a simpler starting point for decoding.

Next, does the card have any number written on it? Many access cards have the card number and/or batch number printed on them (not including the image added by your company if any).

Offline

#3 2019-01-11 03:59:38

Zeushn
Contributor
Registered: 2019-01-10
Posts: 8

Re: LF T55xx Chinese unknown card

I have tried before and there is no data coming up with those commands.

proxmark3> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'         
proxmark3> lf t55xx dump
Reading Page 0:         
blk | hex data | binary         
----+----------+---------------------------------         
Reading Page 1:         
blk | hex data | binary         
----+----------+---------------------------------         
proxmark3>

Offline

#4 2019-01-11 21:08:31

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: LF T55xx Chinese unknown card

All that means is that the configuration couldn't automatically be detected. Since your above 'lf search u' results reported something, let's start there. You can configure the t55 decoding modes, and with it set, try the 'lf t55 dump' again. For instance, your search results suggest issuing the following command:

lf t55 config d ASK b 32 i 0

That command translates to:
   * Use ASK demodulation
   * Use Clock / 32 bit rate
   * Data is not inverted

Once that command is issued, try the 'lf t55 dump' command again.

Offline

#5 2019-01-14 03:14:02

Zeushn
Contributor
Registered: 2019-01-10
Posts: 8

Re: LF T55xx Chinese unknown card

Thanks, seems that worked, but as far as I know binaries should not return "7's"; maybe I got something wrong:

Reading Page 0:         
blk | hex data | binary         
----+----------+---------------------------------         
  0 | E4B316D8 | 77100100101100110001011011011000         
  1 | E4B316D8 | 77100100101100110001011011011000         
  2 | E4B316D8 | 77100100101100110001011011011000         
  3 | E4B316D8 | 77100100101100110001011011011000         
  4 | E4B316D8 | 77100100101100110001011011011000         
  5 | E4B316D8 | 77100100101100110001011011011000         
  6 | E4B316D8 | 77100100101100110001011011011000         
  7 | E4B316D8 | 77100100101100110001011011011000         
Reading Page 1:         
blk | hex data | binary         
----+----------+---------------------------------         
  0 | F00A852C | 77110000000010101000010100101100         
  1 | F00A852C | 77110000000010101000010100101100         
  2 | F00A852C | 77110000000010101000010100101100         
  3 | F00A852C | 77110000000010101000010100101100

Last edited by Zeushn (2019-01-14 03:14:50)

Offline

#6 2019-01-14 07:56:20

Zeushn
Contributor
Registered: 2019-01-10
Posts: 8

Re: LF T55xx Chinese unknown card

I have followed the steps in here http://proxmark.org/forum/viewtopic.php?id=2795
with these results:

11100011100001001000001100000001      E3848301
00000111011000111001001011010010      76392D2
01001000101000011001001100000000     48A19300
01100110011001101101001001111000       6666D278

adding

as block 0     00088088

still no good results...

Offline

#7 2019-01-17 06:30:45

Zeushn
Contributor
Registered: 2019-01-10
Posts: 8

Re: LF T55xx Chinese unknown card

I have been reading the ATA5577C_Datasheet and now I understand block 0 much better, so having the below data from lf T55xx info, I'm trying to get block 0 right, but I don't understand the data bit rate part. Help will be very appreciated, guys.


-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key                     : 62
reserved                      : 37
Data bit rate                 : 4 - RF/10
eXtended mode             : Yes - Warning
Modulation                    : 17 - Reserved
PSK clock frequency        : 1
AOR - Answer on Request : Yes
OTP - One Time Pad        : No
Max block                      : 6
Password mode               : Yes
Sequence Start Terminator : Yes
Fast Write                      : No
Inverse data                   : No
POR-Delay                      : No
-------------------------------------------------------------
Raw Data - Page 0
     Block 0  : 0xE4B316D8  77100100101100110001011011011000
-------------------------------------------------------------

My guess is that block 0 is 00000000001010101000011011011000
but it is still not working.

Offline

#8 2019-01-17 18:29:09

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: LF T55xx Chinese unknown card

The data bit rate is how fast the card transmits the data in normal read mode. For instance, RF/10 means that one bit is transmitted over ten cycles of the carrier. RF/32 means that one bit is transmitted over 32 cycles of the carrier.

Since the carrier is roughly 125kHz, this means that the encoded data would be sent at (125kHz / 10 == 12.5kHz) speed.

Offline

#9 2019-01-18 02:41:33

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: LF T55xx Chinese unknown card

@Zeushn, notice the 77 in your binary read.  That indicates a read error.  Try a different distance to your tag, or just try another time.

Offline
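Added example (not from the thread or the Proxmark3 code base): splitting the block 0 string posted in #7 into the fields that `lf t55xx info` printed there shows how the `77` read-error markers end up as "Safer key: 62", a value that cannot fit in a 4-bit field. The field widths are an assumption inferred from that output, and the function names are hypothetical.

```python
# Field names follow the `lf t55xx info` output quoted in the thread; the widths
# (MSB first) are an assumption inferred so that the thread's block 0 reproduces it.
FIELDS = [
    ("Safer key", 4), ("reserved", 7), ("Data bit rate", 3),
    ("eXtended mode", 1), ("Modulation", 5), ("PSK clock frequency", 2),
    ("AOR", 1), ("OTP", 1), ("Max block", 3), ("Password mode", 1),
    ("Sequence Start Terminator", 1), ("Fast Write", 1),
    ("Inverse data", 1), ("POR-Delay", 1),
]
ERROR_MARK = 7  # symbol shown in the binary column where a bit failed to demodulate

# Binary column of block 0 exactly as posted in the thread (note the leading "77").
POSTED_BLOCK0 = "77100100101100110001011011011000"


def hex_to_bits(word):
    """Render a 32-bit block value as a string of '0'/'1', MSB first."""
    return format(word & 0xFFFFFFFF, "032b")


def pack(symbols):
    """Fold symbols MSB first with no validation, so a 7 leaks into the value."""
    value = 0
    for s in symbols:
        value = (value << 1) | s
    return value


def parse_block0(bits):
    """Split 32 demod symbols into config fields.

    Returns (fields, suspect): field name -> packed value, and the names of
    fields that contain an error marker and therefore cannot be trusted.
    """
    if len(bits) != 32 or not set(bits) <= set("017"):
        raise ValueError("expected 32 symbols drawn from 0, 1 and 7")
    symbols = [int(c) for c in bits]
    fields, suspect, pos = {}, [], 0
    for name, width in FIELDS:
        chunk = symbols[pos:pos + width]
        fields[name] = pack(chunk)
        if ERROR_MARK in chunk:
            suspect.append(name)
        pos += width
    return fields, suspect


if __name__ == "__main__":
    fields, suspect = parse_block0(POSTED_BLOCK0)
    for name, value in fields.items():
        print(f"{name:26}: {value}{'  <- read error' if name in suspect else ''}")
```

Feeding the hex column instead, `parse_block0(hex_to_bits(0xE4B316D8))`, gives a first field of 14 with nothing flagged, because the hex rendering hides the error markers that the binary column exposes.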

#10 2019-01-18 02:55:05

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: LF T55xx Chinese unknown card

Working with a t55xx chip with the sequence terminator requires a very good antenna currently. 

It looks like yours is borderline for this operation.

That said, in the case of your tag I don't think the t55xx cmds are going to help a lot as your dump (while partially not demodded correctly) indicates that your tag is password protected.

Unless you can snoop the reader reading the card to get the pwd, you won't be able to read it completely.

You do seem to have the full 4 blocks it outputs in your first post though, so you could attempt a clone (and see if the reader just gets the streamed data or accesses more pwd protected data.)

Offline

#11 2019-01-20 06:36:49

Zeushn
Contributor
Registered: 2019-01-10
Posts: 8

Re: LF T55xx Chinese unknown card

Thanks marshmellow, seems that my antenna is somehow not working well; I can't write to other t55xx cards or fobs. I'll try to snoop the reader tomorrow at the office and bring the output.

Offline

#12 2019-01-31 03:13:34

Zeushn
Contributor
Registered: 2019-01-10
Posts: 8

Re: LF T55xx Chinese unknown card

Found the first problem: my empty T55 cards were damaged, that's why they didn't write anything. I have been trying to snoop the reader and the card (like a sandwich) but there is no output from the command. Is the data stored somewhere?

Offline

#13 2019-02-01 13:32:57

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: LF T55xx Chinese unknown card

Go back to the first thing you did before using random commands:

Zeushn wrote:

         
Possible Auto Correlation of 5248 repeating samples         

Found Sequence Terminator - First one is shown by orange and blue graph markers         

Using Clock:32, Invert:0, Bits Found:513         
ASK/Manchester - Clock: 32 - Decoded bitstream:         
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001

1111001.png
There is a pattern here, do you see it?

It does not matter if your "T55 empty cards" are damaged as long as you keep trying to write wrong data on them...

Offline
