I am trying to clone my 40 bit AWID card.
I used the "lf t55 dump" command and got:
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00107060 | 00000000000100000111000001100000
1 | 01242422 | 00000001001001000010010000100010
2 | BA3A3B1B | 10111010001110100011101100011011
3 | 48111111 | 01001000000100010001000100010001
4 | 00000000 | 00000000000000000000000000000000
5 | 00000000 | 00000000000000000000000000000000
6 | 00000000 | 00000000000000000000000000000000
7 | 00000000 | 00000000000000000000000000000000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 00107060 | 00000000000100000111000001100000
1 | C02A02AD | 11000000001010100000001010101101
2 | 138330A5 | 00010011100000110011000010100101
3 | 00000000 | 00000000000000000000000000000000
Which series of blocks from above are the correct ones: the ones on Page 0 or ones on Page 1?
After I determine what are the correct blocks, how do I use the LF T55XX WRITE command? Do I use this 4 times for each block 0-3?
For example, using the Page 0 data, do I:
proxmark3> lf t55xx write 0 00107060 <enter>
proxmark3> lf t55xx write 1 01242422 <enter>
proxmark3> lf t55xx write 2 BA3A3B1B <enter>
proxmark3> lf t55xx write 3 48111111 <enter>
As I said in my other post, I am a newbie with very little experience programming and code. I apologize if I have offended anyone with my dumb questions but am just trying to learn and complete this AWID card clone as quick as possible so the wife stops nagging me!
Thanks,
B.
Last edited by Blackhawks (2017-10-19 03:44:42)
Offline
STRIKE 1!!! Here is what I did:
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
AWID Found - BitLength: 40 -unknown BitLength- (13514) - Wiegand: a276186994, Raw: 01242422dd1d1d8d48111111
Valid AWID ID Found!
proxmark3> lf t55 det
Chip Type : T55x7
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 32
Seq. Term. : No
Block0 : 0x00107060
proxmark3> lf t55 inf
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 4 - RF/50
eXtended mode : No
Modulation : 7 - FSK 2a RF/10 RF/8
PSK clock frequency : 0
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 3
Password mode : No
Sequence Start Terminator : No
Fast Write : No
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x00107060 00000000000100000111000001100000
-------------------------------------------------------------
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00107060 | 00000000000100000111000001100000
1 | 01242422 | 00000001001001000010010000100010
2 | BA3A3B1B | 10111010001110100011101100011011
3 | 48111111 | 01001000000100010001000100010001
4 | 00000000 | 00000000000000000000000000000000
5 | 00000000 | 00000000000000000000000000000000
6 | 00000000 | 00000000000000000000000000000000
7 | 00000000 | 00000000000000000000000000000000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 00107060 | 00000000000100000111000001100000
1 | C02A02AD | 11000000001010100000001010101101
2 | 138330A5 | 00010011100000110011000010100101
3 | 00000000 | 00000000000000000000000000000000
Everything looked similar to App-Get's post (http://www.proxmark.org/forum/viewtopic.php?id=4679) so I tried to write my blocks:
proxmark3> lf t55x wr b 0 d 00107060
Writing page 0 block: 00 data: 0x00107060
proxmark3> lf t55x wr b 1 d 01242422
Writing page 0 block: 01 data: 0x01242422
proxmark3> lf t55x wr b 2 d BA3A3B1B
Writing page 0 block: 02 data: 0xBA3A3B1B
proxmark3> lf t55x wr b 3 d 48111111
Writing page 0 block: 03 data: 0x48111111
My LF SEARCH did not show positive results:
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
So I redid the LF T55 commands and got this:
proxmark3> lf t55 det
Chip Type : T55x7
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 31
Seq. Term. : No
Block0 : 0x00107060
proxmark3> lf t55 inf
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 4 - RF/50
eXtended mode : No
Modulation : 7 - FSK 2a RF/10 RF/8
PSK clock frequency : 0
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 3
Password mode : No
Sequence Start Terminator : No
Fast Write : No
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x00107060 00000000000100000111000001100000
-------------------------------------------------------------
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00107060 | 00000000000100000111000001100000
1 | 01242422 | 00000001001001000010010000100010
2 | DD1D1D8D | 11011101000111010001110110001101
3 | A4088888 | 10100100000010001000100010001000
4 | 00000000 | 00000000000000000000000000000000
5 | 00000000 | 00000000000000000000000000000000
6 | 00000000 | 00000000000000000000000000000000
7 | 00000000 | 00000000000000000000000000000000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 00107060 | 00000000000100000111000001100000
1 | E03900D0 | 11100000001110010000000011010000
2 | 17309C4E | 00010111001100001001110001001110
3 | 80500001 | 10000000010100000000000000000001
proxmark3>
QUESTIONS:
1) Did I use the WRITE command properly?
2) What happened to Blocks 1, 2, 3 ... are they inverted or something?
3) Is my T55 card toast? Or can I erase the data on it, and if so, how?
I have had enough for this weekend. My wife is nagging me again ...
Any help would be much appreciated.
Thanks,
B.
Offline
After a closer look, it appears Block 1 was written correctly. Blocks 2-3 appear not.
Questions:
1) What's going on with Blocks 2 and 3?
2) Why does the LF T55XX DET command on my original AWID show Inverse=YES but the LF T55XX INFO command shows Inverse = No?
3) Why does my original AWID have OFFSET = 32 but my T5577 card shows OFFSET = 31 after writing the 0-3 blocks?
B.
Offline
It appears your firmware may not be the latest. That said, the t55 read/dump cmd is not perfect and is often off by one or two bits (especially with older firmware).
I'd trust your output from lf search more.
Offline
My experience with t5577 is that you need to run the commands a few times when writing.
Using a good antenna, and the tags/fobs also are different how they react. Good behaving tags/fobs just need one write.
Not to mention, if you use the tags/fobs with a lf cloner tool, like the blue gun, it sets the password mode on your tag/fob.
Just update to the official pm3 latest source, compile/flash fullimage. If not, very few ppl will try to help you, since there are so many bugfixes between versions. Latest version is all ppl here managed to answer questions about in order to sort out new potential bugs or not.
Offline
Thanks for your help Iceman but I think I may have found my problem! Now that I am starting to have dreams (or is that nightmares) in hexadecimal, I re-looked at what I did. From above, I noticed the LF T55 DUMP command did not give me the same as the LF SEARCH raw as you guys were saying all along (I just didn't know what you were talking about before).
That is, the LF T55 DUMP gave me a Block 2 of BA3A3B1B while the LF SEARCH showed Block 2 dd1d1d8d. Stupid me wrote block 2 as BA3A3B1B which probably contributed to why my Block 3 was a little off too. I'll give this a try tonight and see what happens.
But I do have a few more dumb questions (sorry):
When I did a LF SEARCH on the original AWID, I got this:
AWID Found - BitLength: 40 -unknown BitLength- (13514) - Wiegand: a276186994, Raw: 01242422dd1d1d8d48111111
1) What/where does the 13514 number come from? What does this number tell me? What tests can I do with it?
2) Similarly, what does the Wiegand a276186994 number tell me? What can I do with this number? What tests can I do with it?
Thanks again for your help and patience guys ... I'll update you tonight on my next try.
B.
Last edited by Blackhawks (2017-10-16 18:05:44)
Offline
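Added example (not part of any post in this thread, and not Proxmark3 project code): the comparison described in the post above, checking each data block from "lf t55 dump" against the Raw value from "lf search" and reporting how many bits the read is offset and how many bits differ. The function names are made up for this illustration; the hex values are the ones posted in the thread.

```python
# Raw value printed by `lf search` for the original card (from this thread).
RAW = "01242422dd1d1d8d48111111"


def to_bits(hex_str):
    """Hex string -> string of '0'/'1', keeping leading zeros."""
    return bin(int(hex_str, 16))[2:].zfill(len(hex_str) * 4)


def split_raw(raw_hex):
    """Split the raw demod into 32-bit data blocks (block 1, 2, 3, ...)."""
    return [raw_hex[i:i + 8].upper() for i in range(0, len(raw_hex), 8)]


def best_alignment(block_hex, index, stream, max_shift=2):
    """Find the bit shift (within +/- max_shift) at which a dumped block
    best matches the repeating raw stream. Returns (shift, bit_errors)."""
    want = to_bits(block_hex)
    n = len(stream)
    candidates = []
    for shift in range(-max_shift, max_shift + 1):
        start = (index * 32 + shift) % n          # the tag repeats its data
        window = (stream * 2)[start:start + 32]
        errors = sum(a != b for a, b in zip(want, window))
        candidates.append((errors, abs(shift), shift))
    errors, _, shift = min(candidates)            # fewest errors, then smallest shift
    return shift, errors


def diagnose(dump_blocks, raw_hex=RAW):
    """dump_blocks: data blocks 1..n from `lf t55 dump` (block 0 excluded).
    Returns {block_number: (shift, bit_errors)}; (0, 0) means the dump
    agrees with the raw demod for that block."""
    stream = to_bits(raw_hex)
    return {i + 1: best_alignment(b, i, stream) for i, b in enumerate(dump_blocks)}


if __name__ == "__main__":
    print("blocks per lf search raw:", split_raw(RAW))
    # First dump of the original card, as posted.
    print("original dump :", diagnose(["01242422", "BA3A3B1B", "48111111"]))
    # Dump of the T5577 after the first write attempt, as posted.
    print("after write   :", diagnose(["01242422", "DD1D1D8D", "A4088888"]))
```

Any block whose result is not (0, 0) is one where the dump reading should not be trusted over the raw demod.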
SOLVED!
See also post http://www.proxmark.org/forum/viewtopic.php?id=5189 for more info.
Thanks Marshmellow, Iceman and Dot.Com!
B.
Offline