Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-08-19 15:23:59

wh201906
Contributor
Registered: 2020-04-29
Posts: 39

Extract the write command from the blue cloner

I'm trying to demodulate the write command from the blue cloner but I got stuck at some steps.
Here are the trace files I collected from "lf snoop":
lf config d 1
lf config d 2
lf config d 3
(I found that if I set the decimation to a larger number, I can get the whole command sequence more easily at the cost of some data, so I tried 1~3.)
I chose a part of the data in cloner_d1_1.trc (decimation set to 1, the default value) and tried "data detectclock" and "data rawdemod am 50", but I got many errors.
(attached images: part.png, clockdetect.png, rawdemod.png)

I'm still a rookie and I haven't learnt a lot about the RFID. Would anyone like to help me?
Thx!


#2 2020-08-20 00:01:56

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Extract the write command from the blue cloner

A little background to my approach.
- I like to learn how it works, as such I don't always use the tools supplied to the extent they can help; if I do things by hand (at least first) then it helps me learn about how it really works.
- The actual commands may vary a little between original proxmark firmware and rrg (I am using RRG) but the ability to do what I do should be in both.
- Only once I think I understand, do I then look for tools to help automate things.

I have two blue cloners and 1 white (LCD) cloner; they all will clone an EM4100 tag ID to a T55xx, EM4305 and a 3rd chip not yet known (to me).

The following work is based on existing threads in this forum (so thank you to those that come before).

Please note: I am doing this on the fly, so feel free to query and correct anything.

OK, now on to the find the password.
One thing to remember is that writing to different cards CAN use different modulation.  Also, the modulation used to write to the card can be different from that used to read from the card.
So, to help keep this a little cleaner, I will focus on the T55x7 card.

The T55x7 will use a form of OOK (On Off Keying).  This is a basis for a few things.  In short, it will encode something by either modulating or not modulating.  ASK (for me) is like the next level of OOK, in that it will change the level of the amplitude of the wave (say from min volt swing to max volt swing).  ASK - Amplitude Shift Keying.  (Side note: ASK could have more than one level, BUT in 125 kHz RFID it seems to be a binary swing.)

Now when we look at the waveforms from your post, we can see that sometimes we have long/wide pulses and sometimes we have short/narrow pulses.  (If you were to look at Manchester encoding it would not have that as such; it would be more a 01 and 10, or: at the sample point does it transition from low to high OR high to low, to work out the bits.)   So using ASK/Manchester would not correctly decode the write to the T5577.  With some more analysis you can learn how each of those work (e.g. write data to a T55x7 and set it to modulate using ASK, then read and look at the waveforms).

Down to the actual doing - by hand.
Given that the cloner MAY send out the write command for different card/chip types, and each of these may be different, lets just start to collect some data from the samples we have.
When looking at the sample files, you will notice that it comes in "groups"; I will call these groups packets.

Key Point: For best results when collecting a sample from a cloner, perform the snoop/sniff WITHOUT a card.  this way the card does not interfere with the data we want.

For a  single packet, look at the "zero" line and focus on the width of the trace at the zero line when the trace data is positive (above the line/0 point).
Where its a narrow pulse write down a 0, when its a wider pulse write down a 1 (EM4305 is a little different, but atm we are looking for T55x7 commands)

So, from your first image (and I may have errors):
1001010001001001000011011001001000001010001001001000011011001001000111
Assuming this is a T55x7 packet (check the data sheets for formats) **** I cant stress this enough... Read the Datasheets ****
we should be able to break up into its components.
Lets try a normal password write (seems long enough)

OC      Password Used to write      L            Data                  Adr
10 01010001001001000011011001001000 0 01010001001001000011011001001000 111

Seems to fit....
OC is the opcode 10 - Write
32 bit Password
L Lock bit not set
32 bit Data
Addr Block 7
Note: the T55x7 distinguishes a password write from a non-password write via the length of the command.

We also know (from the datasheet), that the password (if used) is stored in block 7. 
So its now looking good, correct length, correct format, correct address.
This does look like a password write to block 7 (set the password)
01010001001001000011011001001000 - 51243648 Hex
01010001001001000011011001001000 - 51243648 Hex
It seems that its setting the new password to be the same as the old one.

I will let that bit sink in... Keep in mind that there will be more writes some may have the password, some may not, some may use different downlink packet formats.

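As an added worked example (this is not code from the thread or from the Proxmark3 project), here are the two by-hand steps from the post above in Python: classify each positive pulse as narrow (0) or wide (1), then split the resulting bit string into the T55x7 write-command fields by length. The 70-bit string is the one transcribed in the post; the second packet's pulse widths are constructed sample data rather than a real capture, and the config word 0x00148040, the midpoint threshold rule and the jitter values are assumptions made for the example.

```python
"""Added example, not from the original thread: turn the pulse widths seen
on an 'lf snoop' trace into bits (narrow = 0, wide = 1) and split a T55x7
default-downlink write packet into its fields."""

from dataclasses import dataclass
from typing import Optional

# Bit string transcribed from the first trace image in post #2 (70 bits).
POST_BITS = ("10" "01010001001001000011011001001000" "0"
             "01010001001001000011011001001000" "111")


@dataclass
class T55xxWrite:
    page: int
    password: Optional[int]   # None for a 38-bit non-password write
    lock: int
    data: int
    block: int


def auto_threshold(widths):
    """Midpoint between the narrowest and widest pulse (assumption for the
    example). It needs both symbol widths to be present in the packet; a
    packet of all 0s or all 1s cannot be classified this way."""
    return (min(widths) + max(widths)) / 2


def widths_to_bits(widths, threshold=None):
    """Pulse-width symbols: a narrow positive pulse is a 0, a wide one a 1."""
    if threshold is None:
        threshold = auto_threshold(widths)
    return "".join("1" if w > threshold else "0" for w in widths)


def parse_t55xx_write(bits):
    """Field layout of a T55x7 write in the default downlink mode:
         2 opcode | 1 lock | 32 data | 3 addr                 = 38 bits
         2 opcode | 32 password | 1 lock | 32 data | 3 addr   = 70 bits
    The tag tells the two apart by total length; any other length is not
    a standard write and is rejected rather than guessed at."""
    if len(bits) == 70:
        password, rest = int(bits[2:34], 2), bits[34:]
    elif len(bits) == 38:
        password, rest = None, bits[2:]
    else:
        raise ValueError(f"unexpected packet length {len(bits)}")
    opcode = bits[:2]
    if opcode[0] != "1":
        raise ValueError(f"opcode {opcode} is not a standard read/write")
    return T55xxWrite(page=int(opcode[1]),      # 10 = page 0, 11 = page 1
                      password=password,
                      lock=int(rest[0]),
                      data=int(rest[1:33], 2),
                      block=int(rest[33:36], 2))


def describe(cmd):
    pw = (f"password {cmd.password:08X}" if cmd.password is not None
          else "no password")
    return (f"page {cmd.page} block {cmd.block} <= {cmd.data:08X} "
            f"(lock={cmd.lock}, {pw})")


def make_widths(bits, narrow=3, wide=8, jitter=(0, 1)):
    """Constructed pulse widths (in samples) for a bit string, with a little
    jitter so the threshold step has something to do. Not a real capture."""
    return [(wide if b == "1" else narrow) + jitter[i % len(jitter)]
            for i, b in enumerate(bits)]


# Second, constructed packet: a 38-bit non-password write of the config
# word 0x00148040 to block 0 (value chosen for the example).
CONFIG_BITS = "10" + "0" + f"{0x00148040:032b}" + "000"
SAMPLE_WIDTHS = make_widths(CONFIG_BITS)

if __name__ == "__main__":
    print(describe(parse_t55xx_write(POST_BITS)))
    print(describe(parse_t55xx_write(widths_to_bits(SAMPLE_WIDTHS))))
```

Run against the transcribed string it reports a password write to block 7 with password and data both 0x51243648, which is the conclusion reached by hand above. Packets of any other length are rejected on purpose: a cloner may also send reads, wake-ups or writes in another downlink mode, and those need their own layout rather than being forced into this one.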

#3 2020-08-20 04:08:08

wh201906
Contributor
Registered: 2020-04-29
Posts: 39

Re: Extract the write command from the blue cloner

Great thanks for your guidance! I know how to get the password from the reader now.
But I cannot read the T5577 card with the extracted password. I tried "lf t55 config d ASK b 64 o 0" and "lf t55 config d ASK b 64 o 32" and attempted to read the card (which has been written by the cloner) with a password but failed. Every block gives me the same output.
I'm a little bit confused now.


#4 2020-08-20 04:14:17

wh201906
Contributor
Registered: 2020-04-29
Posts: 39

Re: Extract the write command from the blue cloner

And I tried "lf search" and "lf t55 read b 0 p 51243648 o", but the graphs from "data plot" are exactly the same.

Last edited by wh201906 (2020-08-22 16:19:58)


#5 2020-08-20 04:39:43

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Extract the write command from the blue cloner

Yep, onto part two...

This is all about the T55x7 cards and the way they work:
1. When powered up they will simply look at that config and spit out blocks 1 to x in the modulation format as configured.
2. To "read/write" to the card you need to send a valid command.  If for any reason it thinks the command is not valid, back to step 1.
When sending commands to the card, there are 4 downlink modes (default, leading 0, 1 of 4 and long leading reference).
Some blue cloners will re-configure the card to leading 0
(If you repeat the above process on each packet sent you should be able to extract all the commands sent, which will give a good idea of how the card was configured by the cloner.)

When using the proxmark to work with t5577 you should always start with the lf t55 detect and keep working with that until you get a valid detect.
Since using a password when the card does not require a password CAN brick the card, we always start with commands that don't use the password; then, if we have good reason to believe the card is using a password (from the logged data in this instance), we can move on to using that.

I use RRG, in that code base, it will auto try all downlink modes with the detect; from memory the original repo, you need to tell it which mode (look at the help for the command)
so, if on RRG
lf t55 det
lf t55 det p <password>

from memory (original codebase)
lf t55 det
lf t55 det p <password>
lf t55 det p <password> r 1
lf t55 det p <password> r 2
lf t55 det p <password> r 3
where without r is the default, and r 1-3 is the other 3 down link modes to try.

Again, check the help as things may have changed.
You may be required to supply the o option to force using a password (for the brick reasons).
Once you have a valid detect, rrg will save that downlink mode for the auto use in the other commands.
On the original, you may still need to supply the found mode to the read/write commands.


#6 2020-08-22 16:15:51

wh201906
Contributor
Registered: 2020-04-29
Posts: 39

Re: Extract the write command from the blue cloner

I can operate the cloned t5577 card now. Thanks.
But I still have a question, what's the name of the modulation with long/wide pulses and short/narrow pulses? Is this called fsk?
BTW, I'm writing a small app to cut up/put together .trc files. Hope it will help you.


#7 2020-08-23 00:46:28

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Extract the write command from the blue cloner

pulse interval encoding

