Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hey all
Has anyone ever experienced this? I cloned a basic clamshell indala card to a t5577 card with the following commands on the proxmark3:
lf read
data sample 4000
lf indalademod
lf indalaclone <tag_id>
The T5577 card is read on my company printer reader successfully however when I put it to the HID multiclass SE Reader it does not read at all. No beeps, No nothing. The original indala card will atleast get a beep from the multiclass SE reader but the cloned t5577 will not.
Strangely I simulated the indala card and placed the proxmark3 antenna to both the printer and multiclass SE Readers and they both recognized successfully.
Anyone have an ideas?
Last edited by Dmanufacturer (2017-08-23 02:50:07)
Offline
on your t5577 try:
lf t55xx write b 1 A0000000
lf t55xx write b 2 800130a1
lf t55xx write b 0 903E1042
test on readers
then try
lf t55xx write b 0 00081040
let me know if the reader beeps after either (or both) the write b 0 cmds.
Offline
on your t5577 try:
lf t55xx write b 1 A0000000
lf t55xx write b 2 800130a1
lf t55xx write b 0 903E1042test on readers
then try
lf t55xx write b 0 00081040let me know if the reader beeps after either (or both) the write b 0 cmds.
Thanks marshmellow, writing blocks 1,2,0 worked. It is now being recognised by all readers.
I had done a lf t55 wipe and obviously cleared all the blocks, Where did you get those values from?
I ran these and found it interesting
proxmark3> lf t55 config
Modulation : ASK
Bit Rate : 0 - RF/8
Inverted : No
Offset : 0
Block0 : 0x00000000
proxmark3> lf t55 detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
Offline
Did you try the same blocks 1 and 2 with the second block 0?
I'm not sure you understand the use of lf t55xx config, and the detect failed indicating either your antenna is not quite strong enough for psk t55xx detection or you are running an older firmware.
I believe this reader problem has been discussed before. I'll see if I can find it.
Edit... Found it http://www.proxmark.org/forum/viewtopic.php?id=2907
Offline
Did you try the same blocks 1 and 2 with the second block 0?
I'm not sure you understand the use of lf t55xx config, and the detect failed indicating either your antenna is not quite strong enough for psk t55xx detection or you are running an older firmware.
I believe this reader problem has been discussed before. I'll see if I can find it.
Edit... Found it http://www.proxmark.org/forum/viewtopic.php?id=2907
I'm not sure what you mean by did you try the same blocks 1 and 2 with the second block 0?
I literrally ran the 3 commands as you descrbied (tweaked for newer version syntax)..then tested on readers and it was recognised.
You're right for the lf t55 detect failure, I guess I didn't hold the tag close enough.. I just re-ran it and it gave the following
proxmark3> lf t55 detect
Chip Type : T55x7
Modulation : PSK1
Bit Rate : 15 - RF/32
Inverted : No
Offset : 57
Seq. Term. : No
Block0 : 0x903E1042
Unrelated, do you know if it's possible to dump indala cards for offline cloning/simulating later?
Appreciate the help
Offline
The part where I said "then try...."
For indala, all you need is the id number. But if you'd like you can save a trace with
data save filename
after reading the tag of course.
Offline
The part where I said "then try...."
For indala, all you need is the id number. But if you'd like you can save a trace with
data save filename
after reading the tag of course.
Oh I undertand now.
Test1
----------------------------------------------------------------------
lf t55xx wr b 1 d A0000000
lf t55xx wr b 2 d 800130a1
lf t55xx wr b 0 d 903E1042
----------------------------------------------------------------------
Test2
----------------------------------------------------------------------
lf t55xx wr b 1 d A0000000
lf t55xx wr b 2 d 800130a1
lf t55xx wr b 0 d 00081040
----------------------------------------------------------------------
They were both read successfully by the printer reader and multiclass reader.
Interesting you say you only need the card number for indala as I've tried just running the indala clone command with the demodulated id and doesn't work. The proxmark will recognize the card with the id I just set but the printer reader and multiclass reader will not even beep.
After running the commands above, I ran the following:
lf indalaclone 61a313172
No luck.. what am I doing wrong?
Offline
That id doesn't look like a valid indala id
Save a trace, it gives you more options.
Until someone adjusts the indala cmds to get the correct starting point you can read your tag (or load your trace) and then do
data rawdemod p1 32
data printdemod x o 1
data printdemod x o 2
data printdemod x o 3
data printdemod x o 4
Note that sometimes you will need a " 1" after the 32 to invert the bits to get the correct look. (Should have a long string of 0s in the binary not 1s)
One of the printouts with different offsets should have in the data an A0000000 in it - that is the correct block 1. Block 2 will follow.
Offline
Here is the command dump I ran:
If I understand correctly, block 1 and 2 are in this line?
proxmark3> data printdemod x o 1
DemodBuffer: C1A0000000C2C436C1A0000000C2C436C1A0000000C2C436C1A0000000C2C436C1A0000000C2C436C1A0000000C2C436C1A0000000C2C436C1A0000000C2C436
Offline
Correct.
Offline
Is the point to get these numbers and write to the t5577? I guess I'm not fully grasping what's going on here.
lf t55xx wr b 1 d A0000000
lf t55xx wr b 2 d C2C436C1
Am I on the right track there?
I also found that loading the card dump will only work on the printer reader and not the multiclass reader for whatever reason. I ran the following commands
Test
----------------------------------------------------------------------
lf read
data samples 16000
data save filename
data load filename
-> loaded 16000 samples
lf indala demod
-> Bitlen: 64
-> Indala UID=000000000000000
-> XXXXXXXXXXXXXX
-> XXXXXXXXXXXXXX
-> XXXXXXXXXXXXXX
-> (67d64f905)
lf indala clone 67d64f905
-> Cloning 64bit tag with UID 67d64f905
-> #db# DONE!
----------------------------------------------------------------------
After running those commands the printer reader is able to read the card but the multiclass reader is NOT able to read it at all (no beeps).
Suggestions?
Offline
Is the point to get these numbers and write to the t5577? I guess I'm not fully grasping what's going on here.
lf t55xx wr b 1 d A0000000
lf t55xx wr b 2 d C2C436C1Am I on the right track there?
Yes. As the current indala implementation doesn't use this bit order but your multicast reader needs it. So use those blocks instead of the indala clone cmd.
Offline
Dmanufacturer wrote:Is the point to get these numbers and write to the t5577? I guess I'm not fully grasping what's going on here.
lf t55xx wr b 1 d A0000000
lf t55xx wr b 2 d C2C436C1Am I on the right track there?
Yes. As the current indala implementation doesn't use this bit order but your multicast reader needs it. So use those blocks instead of the indala clone cmd.
Great, how many blocks are needed to write to? Just blocks 1 and 2? what would block 0 be?
Offline
Block 0 would be either of the earlier block zero (sets config of the tag)
Other blocks don't matter (aren't used)
Offline
I'll try it out tomorrow and report. Thanks mate
Offline
just saw this thread:
"the printer reader is able to read the card" is that a mistake?
Offline
Block 0 would be either of the earlier block zero (sets config of the tag)
Other blocks don't matter (aren't used)
Ok so I tested this method and it worked but noticed something odd.
Test1
----------------------------------------------------------------------
load a dumped indala card -> run rawdemod inverse -> run printdemod -> write block 1,2,0 to t5577.
----------------------------------------------------------------------
I tried the card on the elevator and multiple multiclass SE readers, It managed to open the door for everything except a single multiclass SE reader. Have you ever heard of this before? There are 2 doors on opposite sides when you step out of the elevator to get into the office, 1 worked and 1 didn't. Found that interesting.
Test2
----------------------------------------------------------------------
load a dumped indala card from another building -> run rawdemod inverse -> run printdemod -> write block 1,2,0 to t5577.
----------------------------------------------------------------------
I ran the same commands on another indala card that belongs to a different building. The multiclass readers didn't even beep.. Strange?
just saw this thread:
"the printer reader is able to read the card" is that a mistake?
Nope. There is a lf/hf reader on my company printer where employees can scan their pass to print.
Offline
What size tags are you programming? Keyfobs have been known to be too weak for some readers sometimes.
Offline
Or that building only accepts iclass credentials and your original tag is a duel technology tag.
Offline
Indala Clamshell cloning to a T5577.
The building has a few tenants so it uses both the LF Indala clamshell and the HF Iclass.. hence the multiclass readers. which is why I was able to use the T5577 clone of the indala card to open the door.. It was just odd that only a single reader didn't accept the card (beeped but didn't open).
I placed the indala card belonging to another building onto my building reader and it beeped so there shouldn't be a reason why the cloned t5577 of the other building card couldn't be read.
Might make a lua script and upload, going to read the indala clone command and see how that works and why it doesn't work.
Last edited by Dmanufacturer (2017-08-25 13:52:44)
Offline
there is a pull request open on github to fix the indala commands and their incorrect binary offset. pull that or pull my fork to test the commands.
also t5577's come in many many shapes and sizes, so what size is it?
the multiclass readers can each be configured differently and can have technologies turned off. normally upon deployment they are always configured the same, but depending on who did it... ...
Offline
there is a pull request open on github to fix the indala commands and their incorrect binary offset. pull that or pull my fork to test the commands.
also t5577's come in many many shapes and sizes, so what size is it?
the multiclass readers can each be configured differently and can have technologies turned off. normally upon deployment they are always configured the same, but depending on who did it... ...
Cool, I'll check it out.
The t5577 came from the ELECHOUSE Proxmark3 V2 kit.
You're probably right about the configuration, that's interesting.
Offline
marshmellow, your latest commit is confirmed working, it displays block 1 and 2 when doing the lf search.
Just a simple lf indala clone will now work as expected.
Great work, Cheers.
Offline
Dear marshmellow,
In this thread, you indicated block zero is 0x903E1042. But I'm missing 'how to ' build B1/B2/B3 from the FC and UC of Indala.
I have developed my own prog bench for 26 bits/35/37 bits for HID emualtion, and need to add Indala for a new - but old - facility my company has bought.
Could you please help ?
Thanks a lot.
John.
Offline
Dear marshmellow,
In this thread, you indicated block zero is 0x903E1042. But I'm missing 'how to ' build B1/B2/B3 from the FC and UC of Indala.
I have developed my own prog bench for 26 bits/35/37 bits for HID emualtion, and need to add Indala for a new - but old - facility my company has bought.
Could you please help ?
Thanks a lot.
John.
Hi John,
did you manage to find an encoding order for the bits ? I need to do the same, given a FC and UC, program a card to give those out. We are looking to do batches of 100 at a time to issue to new users, with T5577 as this is much cheaper for our door access system than getting the 'proper' Indala cards/fobs issued.
On other posts you mentioned having an excel spreadsheet, is this available ?
Many thanks for any help
Nigel
Offline