Proxmark3 community


#1 2017-07-07 18:48:29

M&S
Contributor
Registered: 2015-12-15
Posts: 44

Please help clone a t5577 fob

I came across this blue T55x7 fob of my friend's. It looks easy but I cannot understand it. It shows different information in lf search and in lf t55 dump, and then the clone does not work at the reader at all. It recognizes it, but then blinks and does nothing else.


My current SW is

Prox/RFID mark3 RFID instrument          
bootrom: master/v3.0.1-28-g1cbb352-suspect 2017-07-01 13:28:51
os: master/v3.0.1-28-g1cbb352-suspect 2017-07-01 13:29:04
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
uC: AT91SAM7S256 Rev D          
Embedded Processor: ARM7TDMI          

When I ran search it said no tag found:

proxmark3> lf search  u
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 1 repeating samples          
Too many errors found, clk: 16, invert: 0, numbits: 2155, errCnt: 280          
Valid T55xx Chip Found
Try lf t55xx ... commands
No Data Found!
proxmark3> 

I suspected it did read something, so I ran:

proxmark3> data pri x
DemodBuffer: E41336F5E41336F5E41336F5E41336F5E41336F5E41336F5E41336F5E4FFFFFFFFFFFFFFFFFFFF  

It looks like it is sending a repeating pattern of 1 data block with value E41336F5.

After restarting the system it shows the same repeating pattern.

But cloning would be easy peasy because it is a T55x7 blue fob, so I checked
lf t55 dec
lf t55 dump

proxmark3> lf t55xx detect
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 15 - RF/32          
Inverted   : No          
Offset     : 31          
Seq. Term. : No          
Block0     : 0x603E0000          
proxmark3> 
proxmark3> lf t55xx dump 
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 603E0080 | 01100000001111100000000010000000          
  1 | 03F00FC0 | 00000011111100000000111111000000          
  2 | 6F9324D9 | 01101111100100110010010011011001          
  3 | 806C9378 | 10000000011011001001001101111000          
  4 | 813C689B | 10000001001111000110100010011011          
Reading Page 1:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | C07C0100 | 11000000011111000000000100000000          
  1 | E0150A5C | 11100000000101010000101001011100          
  2 | E0728D4B | 11100000011100101000110101001011          
proxmark3> 

Seeing that we have got some data,

I copied the configuration block and 4 data blocks, and ran my check on the clone:

proxmark3> lf t55xx detect
Chip Type  : T55x7          
Modulation : DIRECT/NRZ          
Bit Rate   : 15 - RF/32          
Inverted   : No          
Offset     : 30          
Seq. Term. : No          
Block0     : 0x603E0080          
proxmark3> 
proxmark3> lf t55xx dump 
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 603E0080 | 01100000001111100000000010000000          
  1 | 0E1C0E1C | 00001110000111000000111000011100          
  2 | 6F9324D9 | 01101111100100110010010011011001          
  3 | 806C9378 | 10000000011011001001001101111000          
  4 | 813C689B | 10000001001111000110100010011011          
Reading Page 1:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 603E0080 | 01100000001111100000000010000000          
  1 | E0150A61 | 11100000000101010000101001100001          
  2 | 0C431158 | 00001100010000110001000101011000          
proxmark3> 

Oh dear, why does it look very different? And the worse news is: the clone does not work on the real reader.

Please help.
What did I do wrong?
Why, when I write to the T5577 and read back without moving the fob, is the result different? Is it normal? I have an Elechouse and I have tried different distances. I did repeat the writing several times, but each time the clone's reading is different.

Last edited by M&S (2017-07-07 18:51:14)

Offline

#2 2017-07-08 03:45:01

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Please help clone a t5577 fob

You'll want to verify the t55xx dump with a demod of the repeating output by running
lf read
data rawdemod nr
data printd x
(Try other offsets too ... data printd x o 1)

You should see something similar to the t55xx dump of blocks 1 to 4.

But the block read of t55xx has trouble knowing exactly what bit to start at and can be off for many configurations.

Offline

#3 2017-07-08 14:25:30

M&S
Contributor
Registered: 2015-12-15
Posts: 44

Re: Please help clone a t5577 fob

Thank you marshmellow. I had forgotten to check with offsets. I do see the piece of the data now at offset = 1 or 5.

proxmark3> data printd x o 1
DemodBuffer: 1806C9378813C689B 
03F00FC06F9324D9806C9378813C689B
03F00FC06F9324D9806C9378813C689B
03F00FC06F9324D9806C9378813C689B
03F00FC06F9324D

proxmark3> data printd x o 5
DemodBuffer: 806C9378813C689B
03F00FC06F9324D9806C9378813C689B
03F00FC06F9324D9806C9378813C689B
03F00FC
06F9324D9806C9378813C689B03F00FC06F9324D9

Which means the dump of the clone did show the data that the original fob should have. So why is the fob not working at the reader?


Sorry, I haven't kept the trace file of the original fob; it appeared to be too easy a job.

I just discovered something odd: Block0 in "lf t55 det" showed the value 0x603E0000, but in "lf t55 dum" Block0 was 603E0080. I think I did copy the block0 data and the data of blocks 1 to 4.

Offline

#4 2017-07-08 14:40:43

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Please help clone a t5577 fob

Looks like the block 1 didn't take on your clone.  Sometimes you have to try to write twice.

Offline

#5 2017-07-09 10:40:36

M&S
Contributor
Registered: 2015-12-15
Posts: 44

Re: Please help clone a t5577 fob

I see the mistake now: in the original, block1 is 03F00FC0, but in the clone it is 0E1C0E1C.

Thank you. It was odd because I always write twice, in the order block 0 to block 4. This time, after writing block 0 to block 4, I then wrote block1 twice more, and now when I check I do get 03F00FC0... So it should work on the real reader, right?

It is still weird...

Anyway, thank you for pointing out that fault.

Offline
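
Added example (not part of the thread and not Proxmark3 project code): the two checks discussed in posts #2 and #4, done offline on the text quoted above. It parses the page 0 rows of both `lf t55xx dump` listings, reports which blocks differ, and searches the demod hex from post #3 at every bit offset for blocks 1 to 4; the function names are illustrative.

```python
import re

# Constructed sample input: page 0 rows of the first `lf t55xx dump` listing in
# post #1. The second listing is identical except for block 1, so it is derived.
DUMP_FIRST = """
  0 | 603E0080 | 01100000001111100000000010000000
  1 | 03F00FC0 | 00000011111100000000111111000000
  2 | 6F9324D9 | 01101111100100110010010011011001
  3 | 806C9378 | 10000000011011001001001101111000
  4 | 813C689B | 10000001001111000110100010011011
"""
DUMP_SECOND = DUMP_FIRST.replace(
    "03F00FC0 | 00000011111100000000111111000000",
    "0E1C0E1C | 00001110000111000000111000011100")
# `data printd x o 1` output from post #3 with the line breaks removed.
DEMOD_HEX = ("1806C9378813C689B" + "03F00FC06F9324D9806C9378813C689B" * 3
             + "03F00FC06F9324D")

ROW = re.compile(r"^\s*(\d+)\s*\|\s*([0-9A-Fa-f]{8})\s*\|\s*([01]{32})\s*$")

def parse_dump(text):
    """Return {block: value}; reject rows whose hex and binary columns disagree."""
    blocks = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, prompts
        num, value = int(m.group(1)), int(m.group(2), 16)
        if format(value, "032b") != m.group(3):
            raise ValueError(f"block {num}: hex and binary columns disagree")
        blocks[num] = value
    return blocks

def differing_blocks(a, b):
    """Block numbers whose value differs (or is missing) between two dumps."""
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def frame_bit_offset(blocks, demod_hex, first=1, last=4):
    """Bit offset of blocks first..last, concatenated, in the stream; -1 if absent."""
    frame = "".join(format(blocks[n], "032b") for n in range(first, last + 1))
    stream = "".join(format(int(c, 16), "04b") for c in demod_hex)
    return stream.find(frame)  # bit-level search, so any start offset is covered

if __name__ == "__main__":
    first, second = parse_dump(DUMP_FIRST), parse_dump(DUMP_SECOND)
    print("blocks that differ:", differing_blocks(first, second))
    print("first listing found at bit", frame_bit_offset(first, DEMOD_HEX))
    print("second listing found at bit", frame_bit_offset(second, DEMOD_HEX))
```

Searching the bit string rather than the hex text means the frame is found even when the demod buffer starts mid-nibble, which is what trying several `data printd x o N` offsets does by hand.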
