Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#51 2019-06-12 02:48:20

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,296

Re: Possible T55xx Tag & Chinese Cloner

But if it needed the login it should have rejected the cmd

I'd suggest the login requirement is mentioned only in the context of
"When the Write Login bit is set to logic 1"

Last edited by marshmellow (2019-06-12 02:54:56)


#52 2019-06-12 03:12:22

mwalker
Contributor
Registered: 2019-05-11
Posts: 144

Re: Possible T55xx Tag & Chinese Cloner

Thanks.  I won't have a chance to play until my cards arrive.  So I was just doing some high level recon :)


#53 2019-06-12 03:19:32

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,296

Re: Possible T55xx Tag & Chinese Cloner

gjuny wrote:
marshmellow wrote:

i confirmed the lf em 4x05protect command works in my fork, but you cannot change the protection for block 1

...

@marshmellow, I think you meant this post http://www.proxmark.org/forum/viewtopic.php?id=6542 ;)

You are correct!  I get in trouble sometimes with my phone (sorry).  I'd move these posts around but I don't have access currently.


#54 2019-06-12 03:28:40

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,296

Re: Possible T55xx Tag & Chinese Cloner

More about this topic, however: also in my latest fork repo is a Samples_To_Skip parameter for the lf config that allows you to skip x samples after the threshold is satisfied on an lf snoop.

this should allow the capturing of every command a cloner sends (with a couple trace captures)

to test this you'd need to compile my github fork of the proxmark3 repo, flash and then set lf config

example:

lf config d 2 t 80 s 40000
lf snoop

disclaimer, i have not fully tested this functionality yet..

Last edited by marshmellow (2019-06-12 03:39:26)


#55 2019-06-12 03:45:31

mwalker
Contributor
Registered: 2019-05-11
Posts: 144

Re: Possible T55xx Tag & Chinese Cloner

Sorry if this is posted somewhere.  Do you have a link to the git for your fork?
At the moment I have rrg on the RDv4 and the stock (with some of my mods) on the Easy.
Once I have it, I will give the snoop skip a good workout and testing.
Thanks


#56 2019-06-12 03:59:04

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,296

Re: Possible T55xx Tag & Chinese Cloner

https://github.com/marshmellow42/proxmark3

Once I've been able to test the commands out I will submit them to the official master repo.

Last edited by marshmellow (2019-06-12 04:04:55)


#57 2019-06-12 11:35:03

mwalker
Contributor
Registered: 2019-05-11
Posts: 144

Re: Possible T55xx Tag & Chinese Cloner

marshmellow wrote:

More about this topic, however: also in my latest fork repo is a Samples_To_Skip parameter for the lf config that allows you to skip x samples after the threshold is satisfied on an lf snoop.

this should allow the capturing of every command a cloner sends (with a couple trace captures)

to test this you'd need to compile my github fork of the proxmark3 repo, flash and then set lf config

example:

lf config d 2 t 80 s 40000
lf snoop

disclaimer, i have not fully tested this functionality yet..


Side topic.
First up and most important, thanks for all the work.  looking good.

Hope this saves you a little time.

I downloaded the git files and compiled.  In my download one little line was missing :)

The last line in the code snippet below, i.e. the client had the option and the ARM code had the data structures, but the copy of the samples to skip into the config data structure was missing, so the client always reported 0 and no offset.  As soon as I added that line, bingo, the command showed the value and a very quick test showed it did offset.  I will do some more detailed testing.

src file: lfsampling.c

void setSamplingConfig(sample_config *sc)
{
    if (sc->divisor != 0) config.divisor = sc->divisor;
    if (sc->bits_per_sample != 0) config.bits_per_sample = sc->bits_per_sample;
    if (sc->decimation != 0) config.decimation = sc->decimation;
    if (sc->trigger_threshold != -1) config.trigger_threshold = sc->trigger_threshold;

    if (sc->samples_to_skip != 0) config.samples_to_skip = sc->samples_to_skip;   // the missing line

......


#58 2019-06-12 12:30:52

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,296

Re: Possible T55xx Tag & Chinese Cloner

Thx, untested code is fun...  sorry about that.

I believe we should set the if compare to > -1
and change the default to -1 so 0 skipped samples could be set

I'll adjust my fork in a bit

And sorry we have drifted from topic

Last edited by marshmellow (2019-06-12 12:36:51)


#59 2019-06-12 12:35:36

gjuny
Contributor
From: Brazil
Registered: 2019-06-04
Posts: 18

Re: Possible T55xx Tag & Chinese Cloner

@marshmellow, great stuff! Further poking the Chinese cloners will be possible!


He who controls the past, commands the future.
He who commands the future, conquers the past.
-- Kane (Command & Conquer Series)


#60 2019-06-12 12:45:10

mwalker
Contributor
Registered: 2019-05-11
Posts: 144

Re: Possible T55xx Tag & Chinese Cloner

marshmellow wrote:

Thx, untested code is fun...  sorry about that.

I believe we should set the if compare to > -1
and change the default to -1 so 0 skipped samples could be set

I'll adjust my fork in a bit

And sorry we have drifted from topic

Happy to have my posts removed/moved as needed to keep things clean (as we are off topic a little)

No issues, all good work.  You did make it clear "untested" and I did offer to test :)  so no issue at all.  I was impressed with the rapid turn-around.

I did some more detailed testing... so 2 changes needed (then more testing), but looking good :)

Both in the file: lfsampling.c

First one is to bring the data type in line: int to uint32.
change:

Old: uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, int samples_to_skip)
New: uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, uint32_t samples_to_skip)

And the compare needs the switching

old
    if (samples_to_skip < samples_skipped) {
        samples_skipped++;
        continue;
    }

new
    if (samples_to_skip > samples_skipped) {
        samples_skipped++;
        continue;
    }

After that it seems to be done.
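To make the two fixes above concrete, here is an added example (not the fork's own code, and not lfsampling.c itself): a simplified model of the acquisition loop that waits for the trigger threshold, then discards samples_to_skip samples, with a flag that reproduces the inverted comparison so the two behaviours can be compared side by side. It also carries the "> -1" check proposed for setSamplingConfig, so a skip count of 0 can actually be set. The struct, field names and the sample trace are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Subset of the sampling config. -1 means "leave the current value alone", the convention
   proposed above so that a skip count of 0 can still be set. Field names follow the snippet
   in the thread; everything else here is a simplified model, not the fork's code. */
typedef struct {
    int trigger_threshold;
    int samples_to_skip;
} sample_config_t;

static sample_config_t config = { .trigger_threshold = -1, .samples_to_skip = 0 };

/* Merge a client-supplied config into the device config. */
void set_sampling_config(const sample_config_t *sc) {
    if (sc->trigger_threshold != -1) config.trigger_threshold = sc->trigger_threshold;
    /* "> -1" rather than "!= 0": 0 is a valid request, -1 means "unchanged" */
    if (sc->samples_to_skip > -1) config.samples_to_skip = sc->samples_to_skip;
}

int current_samples_to_skip(void) { return config.samples_to_skip; }

/* Model of the acquisition loop: wait for the first sample at or above the trigger
   threshold, discard samples_to_skip samples after that, then copy the rest into dest.
   old_compare=true reproduces the inverted comparison the post corrects.
   Returns the number of samples stored. */
uint32_t acquire(const uint8_t *samples, uint32_t n, int trigger_threshold,
                 uint32_t samples_to_skip, uint8_t *dest, uint32_t bufsize, bool old_compare) {
    bool triggered = (trigger_threshold <= 0);      /* no threshold: capture from the start */
    uint32_t samples_skipped = 0, stored = 0;
    for (uint32_t i = 0; i < n && stored < bufsize; i++) {
        uint8_t s = samples[i];
        if (!triggered) {
            if (s < (uint8_t)trigger_threshold) continue;
            triggered = true;
        }
        /* old compare: samples_skipped starts at 0, so "skip < skipped" is never true
           and nothing is ever skipped; the corrected compare counts down the skip budget */
        bool skip = old_compare ? (samples_to_skip < samples_skipped)
                                : (samples_to_skip > samples_skipped);
        if (skip) { samples_skipped++; continue; }
        dest[stored++] = s;
    }
    return stored;
}

/* Constructed trace: three quiet samples, then a burst above the threshold. */
static const uint8_t TRACE[] = { 10, 20, 30, 200, 210, 220, 230, 240, 250 };
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

/* Threshold 100, skip 3: first stored sample (-1 if nothing was stored). */
int first_kept_sample(bool old_compare) {
    uint8_t buf[TRACE_LEN];
    uint32_t n = acquire(TRACE, TRACE_LEN, 100, 3, buf, TRACE_LEN, old_compare);
    return n ? buf[0] : -1;
}

/* Threshold 100, skip 3: how many samples end up in the buffer. */
uint32_t kept_count(bool old_compare) {
    uint8_t buf[TRACE_LEN];
    return acquire(TRACE, TRACE_LEN, 100, 3, buf, TRACE_LEN, old_compare);
}

/* Apply "skip 40000" and then "skip 0"; with the "> -1" check the 0 is honoured. */
int zero_skip_after_large(void) {
    sample_config_t big  = { .trigger_threshold = -1, .samples_to_skip = 40000 };
    sample_config_t zero = { .trigger_threshold = -1, .samples_to_skip = 0 };
    set_sampling_config(&big);
    set_sampling_config(&zero);
    return current_samples_to_skip();
}

int main(void) {
    printf("corrected compare: first kept %d, count %u\n",
           first_kept_sample(false), (unsigned)kept_count(false));
    printf("old compare:       first kept %d, count %u\n",
           first_kept_sample(true), (unsigned)kept_count(true));
    printf("skip after 40000 then 0: %d\n", zero_skip_after_large());
    return 0;
}
```

With the corrected comparison the burst's first three samples (200, 210, 220) are discarded and capture starts at 230; with the old comparison nothing is skipped, which is exactly the "no offset" symptom reported earlier in the thread.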


#61 2019-06-12 15:24:13

anybody
Contributor
Registered: 2016-12-20
Posts: 30

Re: Possible T55xx Tag & Chinese Cloner

marshmellow wrote:

i confirmed the lf em 4x05protect command works in my fork, but you cannot change the protection for block 1

pre protect command through protect cmd:

Lock Address 14 | 00008002
Lock Address 15 | 00000000
proxmark3> lf em 4x05protect d 0
Writing Protect data 00000000
Protect Verified
proxmark3> lf em 4x05dump
 Got Address 00 | 00040072
 Got Address 01 | 3F8DAD59
 PWD Address 02 | cannot read
 Got Address 03 | 0000D5C3
...
 Got Address 13 | 00000000
Lock Address 14 | 00000000
Lock Address 15 | 00008002

@marshmellow, can the protection bit be set to 1 and to 0? Or only to 1?


#62 2019-06-12 15:26:37

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,296

Re: Possible T55xx Tag & Chinese Cloner

pull request created for master, any further discussion should be there for that command, so we don't confuse this topic further
https://github.com/Proxmark/proxmark3/pull/833

Last edited by marshmellow (2019-06-12 15:27:47)


#63 2019-06-23 08:55:23

mwalker
Contributor
Registered: 2019-05-11
Posts: 144

Re: Possible T55xx Tag & Chinese Cloner

Quick Update.

My 4305 units arrived.  I have had a very quick play to see how they behave compared to the unknown chips.
Using the same blue cloner,
- I can read a real 4100 and write to the t5577 and read/recover (already covered)
- I can then clone the same 4100 to the 4305 and read the 4305 blocks (write protect bit set)
- I can reset both the 5577 and 4305 with the blue cloner (turn on and NOT read, just write) and both cards have the passwords cleared and config lock cleared.
- I can clone a real 4100 to the unknown fob and change the ID with the same blue cloner, yet the power-on write does not put it into a state that can be used (read or write outside of the emulated 4100 tag)

So, at this point I still don't believe they are 5577 or 4305, as I would expect the same procedure used on the known chips to have worked on the unknown chip.


#64 2019-06-23 21:34:45

gjuny
Contributor
From: Brazil
Registered: 2019-06-04
Posts: 18

Re: Possible T55xx Tag & Chinese Cloner

Thanks for the update @mwalker! Good stuff. I didn't know about the "reset feature" of the cloner. I will try it with my blue fob and see what happens around mid this week, since I'm traveling.

If you reset a T5577 or 4305 and try to clone it to the unknown chip blue fob, does anything interesting happen? I would suspect the cloner wouldn't read anything from the reset T5577 or 4305, but just a bit of curiosity from my end...

Thanks!




#65 2019-06-24 02:50:49

mwalker
Contributor
Registered: 2019-05-11
Posts: 144

Re: Possible T55xx Tag & Chinese Cloner

I have a few things on the go as well (like most of us).  All good.
What I was trying to do is work out (the easy stuff first) what works and does not work, to try to prove (or at least support) what it could or could not be.
I would need to check as I only did quick tests and did not take too much note.  But I am fairly sure if I take a new (blank) 5577 or 4305, the cloner read fails, i.e. they are expecting an RFID tag so they know what they are trying to clone.
What I thought was also interesting: I read a HID ProxCard II with the cloner that can clone them.  I could write that to the 5577, but not the unknown fob (I have not tried to write to the EM4305 yet, but suspect it will work).  The way I was looking at this was: a T5577 and EM4305 are generic cards that can be told to store X amount of data and modulate at the needed rates and encoding, then on power-up they send out the data from block x to y, then repeat.  So IF a chip can be told to store the data (enough storage) and can support the correct config, and the cloner can write an EM4100 tag but not a HID tag to the unknown chip, then the chip is not one I know and use (rule those out) and (at some level) can't support the HID format (in this example) for some reason (cloner or chip limitation).

So time to step up and learn some more.
What I want to do next is learn to use the playback "lf sim" correctly and work out its challenges and how to best use it, i.e. lf sim with known things first (send commands to a t5577) and make sure they work, then test again on the 4305.
Next I am going to slice up the lf snoop data and play back the unknown part(s), e.g. I know the T5577 packets, so remove those.  If that changes the EM4100 ID on my unknown fob, then I know the command is in that remaining group.  If it does not, then either it's not in the group or there is a challenge with the data to send with the sim.
So, split that into groups that look like the same modulation/encoding and play back each (resetting the EM ID on the fob each time).
So all going well, what I expect to end up with is a group of wave forms that actually write to the fob.
Then I can focus on that to see what it is.

Challenges I expect along the way.
1. Me not doing something correctly :) New skills to learn - that's why I'm here.
2. Fob and antenna coupling challenges (so will work out the best way to hold the fob in the best place)
3. The snooped data not at the correct levels, so back to item 1 and learn about that.

This is where marshmellow's new snoop option will kick in: get a good 1:1 of the data.


#66 2019-07-03 13:35:55

mwalker
Contributor
Registered: 2019-05-11
Posts: 144

Re: Possible T55xx Tag & Chinese Cloner

I have dumped all downlink/write packets from the blue cloner for an EM4100 ID write/clone (thanks to marshmellow's skip option).

The first group are clearly 5577 commands (not shown here).  The second group is clearly 4x05 (4305) commands (not shown here).

The third group is the interesting one.
The encoding/modulation seems to be similar to the 5577, where a narrow pulse is a 0 and a wide pulse is a 1.
The initial 01 has a wider "1" pulse, so may be a sync pulse.
Lines 2 and 3 are clearly the EM4100 data as it decoded 100% to the tag ID I cloned.
The trailing "1" could just be an end-of-packet decay.
(It may have a few bit errors; I had 1 error in the EM data, but corrected it.)
The 4 packet streams are very clearly sent as the group shown below, spaces added where I believe needed for sync, command/addr, data and tail.

01 0000100010100000100 000000000000100000000000000000000000000001000000000000000000000000000000 1   <- ? clear ?
01 0000000101000000000 11111111100000110110000000000010 1 <- EM4100 Data
01 0000000101010000000 01001100011011000010010011001100 1 <- EM4100 Data
01 0000000101011111111 00010101000000000001000000000000 1 <- ? Config ?

Has anyone seen anything that looks like the above, i.e. 19(?) bits then data with a modulation like the 5577?
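As an added example (not part of the post, and not Proxmark3 client code), the following splits the four packets exactly as posted into sync, 19-bit command/address, payload and tail, then runs the payloads of lines 2 and 3 through a standard EM4100 decoder: nine header ones, ten rows of four data bits with an even row-parity bit, four even column-parity bits and a 0 stop bit. The decoder reports which parity checks fail instead of silently correcting, so a single flipped bit in a capture shows up as a specific failing row or column; the capture strings are a constructed copy of the lines above, and the field names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The four third-group packets as posted above (constructed copy for this example). */
static const char *CAPTURE[4] = {
    "01 0000100010100000100 000000000000100000000000000000000000000001000000000000000000000000000000 1",
    "01 0000000101000000000 11111111100000110110000000000010 1",
    "01 0000000101010000000 01001100011011000010010011001100 1",
    "01 0000000101011111111 00010101000000000001000000000000 1",
};

typedef struct {
    char sync[3];     /* leading "01" */
    char cmd[20];     /* 19 command/address bits */
    char data[128];   /* payload bits, 32 for the EM4100/config packets */
    char tail[2];     /* trailing "1" */
} frame_t;

static bool all_binary(const char *s) {
    for (; *s; s++) if (*s != '0' && *s != '1') return false;
    return true;
}

/* Split "01 <19 bits> <payload> 1" into fields; false if the line is not that shape. */
bool parse_frame(const char *line, frame_t *f) {
    char s[8], c[32], d[128], t[8];
    if (sscanf(line, "%7s %31s %127s %7s", s, c, d, t) != 4) return false;
    if (strcmp(s, "01") != 0 || strlen(c) != 19 || strcmp(t, "1") != 0) return false;
    if (!all_binary(c) || !all_binary(d) || strlen(d) == 0) return false;
    strcpy(f->sync, s); strcpy(f->cmd, c); strcpy(f->data, d); strcpy(f->tail, t);
    return true;
}

typedef struct {
    bool header_ok;          /* nine leading 1s present */
    int row_parity_errors;   /* rows whose even parity bit does not match */
    int col_parity_errors;   /* columns whose even parity bit does not match */
    bool stop_ok;            /* final bit is 0 */
    char id_hex[11];         /* the 40 data bits as 10 hex digits */
} em4100_t;

/* Decode a 64-bit EM4100 stream. Parity problems are reported, not corrected. */
em4100_t decode_em4100(const char *bits) {
    em4100_t r = { 0 };
    if (strlen(bits) < 64) return r;
    r.header_ok = (strncmp(bits, "111111111", 9) == 0);
    const char *p = bits + 9;            /* 10 rows x 5 bits, 4 column bits, stop bit */
    int col[4] = { 0 };
    for (int row = 0; row < 10; row++) {
        int ones = 0, nibble = 0;
        for (int b = 0; b < 4; b++) {
            int bit = p[row * 5 + b] - '0';
            nibble = (nibble << 1) | bit;
            ones += bit;
            col[b] += bit;
        }
        if ((ones & 1) != (p[row * 5 + 4] - '0')) r.row_parity_errors++;
        r.id_hex[row] = "0123456789ABCDEF"[nibble];
    }
    r.id_hex[10] = '\0';
    for (int b = 0; b < 4; b++)
        if ((col[b] & 1) != (p[50 + b] - '0')) r.col_parity_errors++;
    r.stop_ok = (p[54] == '0');
    return r;
}

/* Payload length of posted packet n (0-based), or -1 if it does not parse. */
int posted_payload_len(int n) {
    frame_t f;
    return parse_frame(CAPTURE[n], &f) ? (int)strlen(f.data) : -1;
}

/* Decode packets 2 and 3 (payloads concatenated) as one EM4100 stream. */
em4100_t decode_posted_id(void) {
    frame_t a, b;
    char bits[65];
    em4100_t empty = { 0 };
    if (!parse_frame(CAPTURE[1], &a) || !parse_frame(CAPTURE[2], &b)) return empty;
    snprintf(bits, sizeof bits, "%s%s", a.data, b.data);
    return decode_em4100(bits);
}

const char *posted_id_hex(void) {
    static em4100_t r;
    r = decode_posted_id();
    return r.id_hex;
}

int main(void) {
    for (int i = 0; i < 4; i++) {
        frame_t f;
        if (parse_frame(CAPTURE[i], &f))
            printf("packet %d: cmd/addr %s, %zu payload bits\n", i + 1, f.cmd, strlen(f.data));
    }
    em4100_t r = decode_posted_id();
    printf("EM4100 id %s, header %s, bad rows %d, bad columns %d, stop %s\n", r.id_hex,
           r.header_ok ? "ok" : "bad", r.row_parity_errors, r.col_parity_errors,
           r.stop_ok ? "ok" : "bad");
    return 0;
}
```

Run on the posted lines, the header, all ten row parities and the stop bit check out, and one column parity bit disagrees with the data, which matches the single bit error mentioned above; keeping the check explicit is what lets you tell a real decode from a lucky one when comparing captures.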


Powered by FluxBB