Research, development and trades concerning the powerful Proxmark3 device.
How many fobs do you have there? Do they all behave similarly? Could it be a dead, password-blocked 5577? Marshmellow has got some new SW tricks on 55x7, which could unlock things like this.
I think a password-protected fob should only prevent access for modification, not prevent reading it.
I ran a bruteforce; it didn't work out very well.
I will test them again later, in 2 hours' time. I will repatch the firmware to make sure it is not a firmware fault on it.
Marshmellow, if you are there, please drop some hints.
You might try the "resetread",
you might try the "recoverpwd" (icemanfork),
you might try the default_pwd.dic (with bruteforce).
The bruteforce method (try a combination and step up the guess) would take too long if you don't know how to reduce the key space.
For example, when starting under the condition that the user will use only the lower alphabet, the upper alphabet, or only digits, or when you guess the user would use usual words like:
adminxxx, deadxxxx, beefxxxx, xxxxbeef, minexxx, myxxxxxx, 0123xxxx, etc., you would have a smaller key space and you could bruteforce in reasonable time.
Apart from that, that is only manageable if you have a large crew doing distributed password cracking (a hundred users at one time), each running limited keyspace testing on a different type of guess: one tests the word dictionary starting with 'a', one tests the word dictionary starting with 'z', then others with 'b', with 'm', etc. Remember you also have the upper alphabet, digits only, then mixed alphabet, mixed numeric alphabet, and mixed numeric alphabet with special signs. (There was a time when a hundred testers, each bringing a hacking speed from 85,000 keys/s to nearly 0.6 million keys/s, joined forces to resolve passwords from the LinkedIn data leak; in less than one month they had solved over 80 million passwords, including even difficult PWs up to 20 characters long.)
Otherwise, even for an 8-character-long password, assuming you use only digits 0..9, that is 10^8 combinations; at a speed of 50 keys/s it still takes 100,000,000/50 = 2,000,000 s or 555 days.
You could use Graphics Processing Unit programming techniques to increase the password cracking speed by 10x or even 100x, to 500k/s or 5000k/s, to cut down the time needed. One example is pyrit; the other is GPU processing, or Atom's technique from the Hash group ... (I have forgotten the name of the technique now.)
Last edited by ntk (2017-05-15 10:42:00)
There seem to be some misunderstandings here. I guess it comes from the name of the command "bruteforce", which makes people here think we are working with a pwd hash, which can be targeted with offline hash-crackers like HashCat.
This is not the case with the password for a T55X7 tag.
The bruteforce command is an online attack (i.e. it has a proxmark3 querying the card). This is a very slow attack since it needs to try to read block 0 (the configuration block) and decode it. If the decoding succeeds, we assume the password is found. A complete exhaustive search of the possible keyspace is never reasonable because of this.
To be able to do bruteforce in parallel, you would need multiple proxmark3 devices and cards configured with the same password.
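As an added worked example (my own, not code from the Proxmark3 project or from anyone in this thread), the keyspace arithmetic behind both ntk's 10^8-at-50-keys/s estimate above and iceman's point that an online search of a T55x7 password can never be a complete exhaust. The 32-bit password width comes from the T55x7 datasheet; the 50 keys/s and 85,000 keys/s rates are the ones quoted in the thread; the 10 block-0 reads per second for a Proxmark3 is an assumption, since the thread gives no measured per-guess rate. The point for anyone relying on a T55x7 password: it only buys time against a dictionary of likely or default values, and the parallelism that makes offline hash cracking fast does not transfer to a card that must be queried once per guess.

```python
"""Keyspace-versus-rate arithmetic for password guessing against a T55x7 tag.

Added illustration for this thread; not code from the Proxmark3 project or
from any poster.  The 32-bit password width is a T55x7 datasheet fact; the
per-second rates are either quoted from the thread or marked as assumptions.
"""

SECONDS_PER_HOUR = 3_600
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# The T55x7 password block is 32 bits wide, so a full online search has 2**32 candidates.
T55X7_KEYSPACE = 2 ** 32

# Rates quoted in the thread by ntk: a slow guesser and a single CPU hash-cracker.
THREAD_SLOW_RATE = 50          # keys/s
THREAD_OFFLINE_RATE = 85_000   # keys/s

# ASSUMPTION (not measured anywhere in the thread): how many "read block 0 and
# try to decode it" attempts one Proxmark3 completes per second.
ASSUMED_PM3_READS_PER_SECOND = 10


def worst_case_seconds(candidates: int, rate_per_second: float, devices: int = 1) -> float:
    """Seconds needed to try every candidate exactly once.

    `devices` models iceman's remark: an online search only parallelises if every
    extra Proxmark3 has its own tag carrying the same password, so throughput
    scales with reader count, not with CPU cores or GPUs.
    """
    if candidates <= 0 or rate_per_second <= 0 or devices <= 0:
        raise ValueError("candidates, rate and devices must all be positive")
    return candidates / (rate_per_second * devices)


def expected_seconds(candidates: int, rate_per_second: float, devices: int = 1) -> float:
    """Average time when the true value is equally likely anywhere in the list."""
    return worst_case_seconds(candidates, rate_per_second, devices) / 2


def to_hours(seconds: float) -> float:
    return seconds / SECONDS_PER_HOUR


def to_days(seconds: float) -> float:
    return seconds / SECONDS_PER_DAY


def to_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def online_vs_offline(candidates: int, online_rate: float, offline_rate: float) -> dict:
    """Same keyspace under the two models iceman separates: querying the card
    per guess versus cracking a hash offline.  The T55x7 only allows the first."""
    online = worst_case_seconds(candidates, online_rate)
    offline = worst_case_seconds(candidates, offline_rate)
    return {
        "online_days": to_days(online),
        "offline_days": to_days(offline),
        "slowdown": online / offline,  # how much slower the online model is
    }


def summarize() -> dict:
    """The thread's numbers worked through; values are returned, not just printed."""
    return {
        # ntk's example: 10**8 digit-only passwords at 50 keys/s
        "ntk_example_seconds": worst_case_seconds(10 ** 8, THREAD_SLOW_RATE),
        # full 32-bit search against one tag at the assumed Proxmark3 read rate
        "t55x7_single_device_years": to_years(
            worst_case_seconds(T55X7_KEYSPACE, ASSUMED_PM3_READS_PER_SECOND)),
        # same search spread over four Proxmark3s, each with its own identical tag
        "t55x7_four_devices_years": to_years(
            worst_case_seconds(T55X7_KEYSPACE, ASSUMED_PM3_READS_PER_SECOND, devices=4)),
        # what the same keyspace would cost IF it were an offline hash (it is not)
        "offline_equivalent_hours": to_hours(
            worst_case_seconds(T55X7_KEYSPACE, THREAD_OFFLINE_RATE)),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value:,.2f}")
```

The single-device figure (on the order of a decade for 2^32 reads at the assumed rate) is why the thread steers toward resetread, recoverpwd and a default-password dictionary rather than exhaustive search; the offline row is there only to show how different the hash-cracking model that the command name suggests actually is.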