Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-09-10 11:09:48

lonewolf
Contributor
Registered: 2016-09-03
Posts: 37

T5577 set to em4x mode has password issue

So, I set a password on my T5577 and it promptly stopped letting me access the configuration.  After several hours of digging I think it's a bug in the client.

Using latest git:

proxmark3> hw ver
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: master/v2.2.0-227-g51b4267-suspect 2016-09-04 23:48:18
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 185644 bytes (35%). Free: 338644 bytes (65%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

New card, 'detect' works fine:

proxmark3> lf t55xx detect
Chip Type  : T55x7
Modulation : ASK
Bit Rate   : 2 - RF/32
Inverted   : No
Offset     : 32
Seq. Term. : Yes
Block0     : 0x000880E8

Writing EM4x data works:

proxmark3> lf em4x em410xwrite 181507BA4D 1 64
Writing T55x7 tag with UID 0x181507ba4d (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xff8e23501f7a2764

Locking it down:

proxmark3> lf t55xx write b 7 d DEADBEEF
Writing page 0  block: 07  data: 0xDEADBEEF
proxmark3> lf t55xx write b 0 d 00148050
Writing page 0  block: 00  data: 0x00148050

However, now 'detect' fails and 'info' returns garbage:

proxmark3> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'          
proxmark3> lf t55xx info
          
-- T55x7 Configuration & Tag Information --------------------          
-------------------------------------------------------------          
 Safer key                 : 1          
 reserved                  : 123          
 Data bit rate             : 6 - RF/100          
 eXtended mode             : Yes - Warning          
 Modulation                : 2 - PSK 2 phase change on bitclk if input high          
 PSK clock frequency       : 1          
 AOR - Answer on Request   : Yes          
 OTP - One Time Pad        : Yes - Warning          
 Max block                 : 3          
 Password mode             : No          
 Sequence Start Terminator : No          
 Fast Write                : Yes          
 Inverse data              : No
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0
     Block 0  : 0x1F7A2764  00011111011110100010011101100100
-------------------------------------------------------------

However, since I set the password, I know it.  Providing it to 'detect' works:

proxmark3> lf t55 detect p deadbeef
Chip Type  : T55x7
Modulation : ASK
Bit Rate   : 5 - RF/64
Inverted   : No
Offset     : 33
Seq. Term. : Yes
Block0     : 0x00148050

But 'read' or 'write' fails:

proxmark3> lf t55xx read b 1 p deadbeef
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Safety Check: Could not detect if PWD bit is set in config block. Exits.

After some "Use the source, Luke!" I discovered the "override" flag.  Using it allows read/write to work:

proxmark3> lf t55xx read b 1 p deadbeef o
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Safety Check Overriden - proceeding despite risk
  1 | FF8E2350 | 11111111100011100010001101010000

So, why do I need to force an override when reading/writing?

Offline

#2 2016-09-11 05:41:03

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: T5577 set to em4x mode has password issue

If you provide a password on a read to a chip not configured for a password it can write and lock the tag permanently.

Offline

#3 2016-09-11 15:24:22

lonewolf
Contributor
Registered: 2016-09-03
Posts: 37

Re: T5577 set to em4x mode has password issue

Ok, but always requiring the "override" flag when reading/writing chips which are password protected doesn't help at all as it gets put right next to the password (there's no point in providing a password without it).

Last edited by lonewolf (2016-09-11 15:25:00)

Offline

#4 2016-09-11 15:44:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: T5577 set to em4x mode has password issue

The logic is like this:

A) "p deadbeef"   --  Try detect in config block if pwdmode bit is set.  if set,  allow to read.

B) "p deadbeef o"  -- never mind trying to detect in configblock,  just read it, I know what I am doing..   


For us,  A) means that users who thinks the pwd bit is set and tries it because they actually don't know what they are doing,  does have the chance of perma locking,  like @marshmellow said.

The option B) is go a head,  you are on your own now.

We felt this gives safety and flexibility to everyone,  but if you don't like it just change it for your own taste.  It will however not come into the PM3 Master.  For that you will need to convince @marshmellow and me.

Offline

#5 2016-09-11 16:14:16

lonewolf
Contributor
Registered: 2016-09-03
Posts: 37

Re: T5577 set to em4x mode has password issue

My original point was your "A" case fails and it is not detecting the config block when a password is set.  This means I must always provide the "o" when providing a password.

If using a password is so dangerous, why does "detect" not need the override flag?

Offline

#6 2016-09-11 17:31:18

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: T5577 set to em4x mode has password issue

Because I'vent gotten around to implement it.  @marshmellow thinks more of users than I do.  If you use the password option, you should know what you are doing. Thats my philosophy.  If you want to brick your tag, thats fine with me.

However the question you should be asking is why does the detection fail in case A if the "lf t55 detect" finds the pwd bit set...

Offline

#7 2016-09-11 18:05:41

lonewolf
Contributor
Registered: 2016-09-03
Posts: 37

Re: T5577 set to em4x mode has password issue

That's what I was trying to imply in my original question, sorry if that wasn't clear.

Offline

#8 2016-09-11 18:43:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: T5577 set to em4x mode has password issue

Funny thing when looking at the code,  it can't detect the pwd-bit because it can't read configurationblock without password.

"The chicken or the egg"

Offline

Board footer

Powered by FluxBB