Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2020-02-25 00:49:36

TelxonHacker
Contributor
From: Central US
Registered: 2020-02-19
Posts: 34

Cloner won't read T55X7 work badge [solved]

My badge for work could not be detected by a blue Chinese cloner (the HID/EM version), so I figured it was a more exotic type. On examination with my PM3, it is a T55X7 configured as an EM401X.
I tried cloning the card, but accidentally wrote to it instead. I had saved a copy of the dump, so I just rewrote that back to my badge. Problem was, it no longer works at work!

Reading the T5577 data sheet, it looks like the password is only for writing, not reading, so why wouldn't a cloner be able to read it? (The cloner is for EM, HID and AWID, and works on my other EM410X cards.)

After writing the badge, it's now detected by the cloner, even though the original data is the same, but still won't open the gate at work.
What did I break?

I can read the password protected T55X that the cloner makes, as well as remove the password, or change it. Did my work badge have some special authentication?


Here's the info from t55x search

Chip Type      : T55x7
Modulation     : ASK
Bit Rate       : 5 - RF/64
Inverted       : No
Offset         : 32
Seq. Term.     : Yes
Block0         : 0x00148040
Downlink Mode  : default/fixed bit length
Password Set   : No

Edited for clarity and with updated info

Last edited by TelxonHacker (2020-02-29 14:09:09)


#2 2020-02-25 10:52:49

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Cloner won't read T55X7 work badge [solved]

After you wrote the dump back to the card, did the pm3 show it as the same card?
Not sure if it's a typo, but you said it was detected as EM401X, then as an EM410X (I would expect it was an EM4100 ID card).
If they were in fact different, then that may be the issue.

The blue cloners tend to read the emulated card data (e.g. 4100) and not the T55xx card data, so any password should not stop it reading the emulated data.

Any chance we can see page 0 block 0 (that will be the card config)?
Also, if you have it, page 1 block 3 (that will be the AFE config).


#3 2020-02-25 19:08:19

TelxonHacker
Contributor
From: Central US
Registered: 2020-02-19
Posts: 34

Re: Cloner won't read T55X7 work badge [solved]

Yes, exactly the same, and I did mean EM410X.

That's what I was reading on the T55XX datasheets: the password is only to write-protect. I still don't know why the cloner failed to initially read it.

The ID doesn't reflect my employee ID, and I'm getting a new badge anyway, so I have no issue sharing.

Data from block 0 :

[usb] pm3 --> lf t55X read b 0 
[+] Reading Page 0:          
[+] blk | hex data | binary                           | ascii          
[+] ----+----------+----------------------------------+-------          
[+]  00 | 00148040 | 00000000000101001000000001000000 | ...@     


Here are the b3 p1 results:

[usb] pm3 --> lf t55X read b 3 1
[+] Reading Page 1:          
[+] blk | hex data | binary                           | ascii          
[+] ----+----------+----------------------------------+-------          
[+]  03 | 6DD00000 | 01101101110100000000000000000000 | m...    

And here's the Em410X data

[usb] pm3 --> lf em 410x_read
[+] EM410x pattern found          

EM TAG ID      : 12FF003492           

Possible de-scramble patterns
          
Unique TAG ID  : 48FF002C49          
HoneyWell IdentKey {          
DEZ 8          : 00013458          
DEZ 10         : 4278203538          
DEZ 5.5        : 65280.13458          
DEZ 3.5A       : 018.13458          
DEZ 3.5B       : 255.13458          
DEZ 3.5C       : 000.13458          
DEZ 14/IK2     : 00081587614866          
DEZ 15/IK3     : 000313515846729          
DEZ 20/ZK      : 04081515000002120409          
}
Other          : 13458_000_00013458          
Pattern Paxton : 303329938 [0x12147292]          
Pattern 1      : 20525 [0x502D]          
Pattern Sebury : 13458 0 13458  [0x3492 0x0 0x3492]  


#4 2020-02-26 01:01:56

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Cloner won't read T55X7 work badge [solved]

Given that the default for p1 b3 config is 0x00000000, did the new card get the same p1 b3 data when cloned?

Decoded from the data sheet:

0110   Option             : 6 - Front End settings active and Test mode deactivated.
110    Soft Modulation    : Two pulses (default off)
11     Clamp Voltage      : 8Vp (default 6Vp)
10     Modulation Voltage : 1Vp (default 2Vp)
10     Clock detection    : RFU (default 550mVp)

The remainder are all 0, so defaults.

From the tech sheet:
If Option Key is 6 or 9, the front end options are activated; for all other values they take on the default state (all 0). If Option
Key is 6 then the complete page 1 (i.e., option register and traceability data) cannot be overwritten by any Test Write Command.
This means, if the Lock bits of the three blocks of page 1 are set and the Option Key is 6, then all of page 1’s blocks
are locked against change.

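As an added example (my own Python, not from the thread or the Proxmark3 client), here is a decoder for the page 1 block 3 word using exactly the field order listed above (4-bit option key, 3-bit soft modulation, 2-bit clamp voltage, 2-bit modulation voltage, 2-bit clock detection, the remaining 19 bits treated as an opaque remainder), together with the lock/test-write rule from the quoted datasheet text. The field names, the `page1_state` helper and its `lock_bits_set` argument are my own; the example does not claim to know where the lock bits live, so the caller supplies that flag from a separate read of the tag.

```python
# Added example, not from the thread or the Proxmark3 client: decode the
# T5577 page 1 block 3 (analog front-end option) word with the field layout
# given in the thread. Meanings follow the datasheet lines quoted there;
# the remainder field is left undecoded.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AfeOptions:
    option_key: int          # 4 bits: 6 or 9 activates the front-end settings
    soft_modulation: int     # 3 bits
    clamp_voltage: int       # 2 bits
    modulation_voltage: int  # 2 bits
    clock_detection: int     # 2 bits
    remainder: int           # remaining 19 bits, all 0 on a default tag

    @property
    def front_end_active(self) -> bool:
        """Datasheet rule quoted in the thread: options apply only for key 6 or 9."""
        return self.option_key in (6, 9)

    @property
    def test_write_blocked(self) -> bool:
        """Key 6 additionally stops the Test Write command from touching page 1."""
        return self.option_key == 6


def decode_afe(block3: int) -> AfeOptions:
    """Split a 32-bit page 1 block 3 word into its fields, MSB first."""
    if not 0 <= block3 <= 0xFFFFFFFF:
        raise ValueError("block 3 must be a 32-bit unsigned value")
    bits = f"{block3:032b}"
    fields = []
    pos = 0
    for width in (4, 3, 2, 2, 2, 19):
        fields.append(int(bits[pos:pos + width], 2))
        pos += width
    return AfeOptions(*fields)


def page1_state(block3: int, lock_bits_set: bool) -> str:
    """Combine the option key with the page 1 lock bits, per the quoted datasheet text.

    lock_bits_set is read from the tag by the caller (assumption: this example
    does not parse the lock bit position itself).
    """
    opts = decode_afe(block3)
    if lock_bits_set and opts.test_write_blocked:
        return "locked"           # lock bits + key 6: nothing can change page 1 any more
    if lock_bits_set:
        return "test-write-only"  # normal writes blocked, Test Write still possible
    return "writable"             # no lock bits: change the key and page 1 is open


def describe(block3: int) -> List[str]:
    """Human-readable summary in the style of the thread's decode."""
    o = decode_afe(block3)
    state = "active" if o.front_end_active else "default, options ignored"
    return [
        f"Option key         : {o.option_key} ({state})",
        f"Soft modulation    : {o.soft_modulation:03b}",
        f"Clamp voltage      : {o.clamp_voltage:02b}",
        f"Modulation voltage : {o.modulation_voltage:02b}",
        f"Clock detection    : {o.clock_detection:02b}",
        f"Remainder          : {o.remainder:019b}",
    ]


if __name__ == "__main__":
    # 0x6DD00000 is the page 1 block 3 value read from the badge in the thread.
    for line in describe(0x6DD00000):
        print(line)
    print("page 1 with lock bits set:", page1_state(0x6DD00000, True))
```

Running it on the thread's value reproduces the decode above (key 6, soft modulation 110, clamp 11, modulation voltage 10, clock detection 10, remainder zero); a default tag (0x00000000) decodes with the front end reported as inactive, which is the difference the question about the cloned card is getting at.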

#5 2020-02-26 02:15:38

TelxonHacker
Contributor
From: Central US
Registered: 2020-02-19
Posts: 34

Re: Cloner won't read T55X7 work badge [solved]

It likely didn't. So once these options are set, even the PM3 can't change it? If that's the case, why did my original badge stop working, and why wouldn't the Chinese cloner detect it until after I rewrote it?

I'm wondering if there's a way for the reader at work to detect a cloned card and blacklist the id completely, if all the blocks match the original? Since they are both t55X chips, what would the reader look for?

I'm down the rabbit hole now, I'm going to solve this mystery!


#6 2020-02-26 02:43:18

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Cloner won't read T55X7 work badge [solved]

My view is any security system can be set up to do whatever they like within the constraints of the tech used.
I have heard some systems try to detect clone cards in a few ways.

Side note, I just set up a t5577 with that page 1 block 3 config and an em4100 tag id. My blue cloners (2 of them) and my white cloner could still read it (but I know not all blue cloners are equal).

For the card not working, one thing you could try would be to ensure page 0 block 1 and 2 data is copied to page 1 block 1 and 2.
I have seen that stop some readers using the card.
You can also change the downlink mode, so if they try the t55xx command but don't use the d/l mode it will fail and just spit out the card ID.

Side note: Using those settings does not mean you CAN'T change the data or even reset it. It means that IF you set the lock bit (and the pm3 code does its best to not let you, but it still could happen) then you can't undo that. If the lock bit has not been set, you can simply change the config to remove it, then the test write command will be re-activated.
If the lock bit has been set AND test mode disabled, then the card should now be locked from change.
If the lock bit has been set and test mode is still enabled, then you can recover a T5577 via the use of the test mode write.
Note: The T5200 (sometimes sold as T5577 by the cheap sellers) doesn't support test mode or the config on page 1.


#7 2020-02-26 16:20:39

TelxonHacker
Contributor
From: Central US
Registered: 2020-02-19
Posts: 34

Re: Cloner won't read T55X7 work badge [solved]

When I get my new badge, I'll look at the t55X settings and make a copy using what it has and put it in the fob.

I have a RFIDeas pcprox usb reader coming, which I've read on here is better at narrowing down some card formats, I'll see what it says with the new badge.

I also tried to copy my badge at one of those key copying kiosks that also copy fobs (this was before I messed with my badge with the PM3), and their reader wouldn't even detect it. I wonder if this badge is based on a standard that's built off of EM410X, but doesn't adhere to the same standards. How could I narrow it down?

Do the blue cloners clone all of the block/page settings to the new card/fob?

FWIW, the readers at work are made by Lenel, and apparently support most common prox formats, plus 2 of their own, Lenelprox and openprox.


#8 2020-02-27 03:45:31

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Cloner won't read T55X7 work badge [solved]

Do the blue cloners clone all of the block/page settings to the new card/fob?

No, the cloners create a clone of the card format as needed to suit the target card.

An em4100 is a read-only card that will send out 64 bits of raw data in a loop when energized. It will do that using the speed, modulation etc. that has been hard-coded into it.

Cards like the T55xx can emulate many cards, so you have the page 0 block 1 for the main config (set the speed, modulation, use password etc).  Then you have blocks 1-7 inclusive to store data.  If you need to use a password then the T55xx will store that in block 7, leaving blocks 1-6 for the card data.
Since the EM4100 needs 64bits of raw data to send out and the T55xx has 32bit blocks, we need two blocks.  The blocks we use always start at block 1, so we store that data in blocks 1 and 2.  We then tell the T55xx config that max block is 2 so it will send block 1, then 2, then 1, then 2 and repeat.

When we send the T55xx commands to read/write to the T55xx blocks, we interrupt that transmit loop with the command.  If the command is valid then the T55xx will execute the command. 

When you have a password on the T55xx and its emulating an EM4100 then the card will still send out blocks 1 and 2, but not let you use the T55xx commands UNLESS you supply the correct password.  So the card works like the EM4100 and the password does not come into play.

When you clone with a cloner, it will read the raw 64 bits (or how many is needed for the card it is cloning), decode that, then send the commands to program the target card.  Depending on the cloner it may support different types of cards... The T55xx is common, the EM4305 could be supported, need to check your cloner.

Can you use the PM3 to sniff the comms and see what it's sending?
My blue cloners, when writing, send the commands to clear the older "blue" password, then write the data to blocks 1 and 2 to both page 1 and 2, then send the new password. ONE of them also sets the downlink mode to leading 0 (set in page 1 block 3).

Key Point.  You need to think of the ID Card and its normal use differently from how a generic card (e.g. T55xx) works.
They both can emulate the ID Card, but the generic card can do so much more.

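To make the "64 bits of raw data in two 32-bit blocks" point concrete, here is an added example (my own Python, not from the thread or the Proxmark3 client) that builds the EM4100 stream for the EM TAG ID posted earlier, checks it the way a reader does (header, row parity, column parity, stop bit) and splits it into the two block words. The frame layout (9 header ones, ten 4-bit nibbles each followed by an even row-parity bit, four even column-parity bits, a 0 stop bit) is the standard EM4100 format; note that nothing in the stream is secret, which is why a T55xx password, which only guards the T55xx commands, never enters into a cloner's read of the emulated data. The function names are my own.

```python
# Added example, not from the thread or the Proxmark3 client: encode, validate
# and split the 64-bit EM4100 stream that a reader (or a blue cloner) sees.
# The sample ID 0x12FF003492 is the EM TAG ID posted in the thread.
from typing import Optional, Tuple

HEADER_BITS = 9   # nine leading 1s that a reader syncs on
STOP_BIT = 0


def em4100_encode(tag_id: int) -> int:
    """Return the 64-bit stream for a 40-bit EM4100 ID."""
    if not 0 <= tag_id < (1 << 40):
        raise ValueError("EM4100 IDs are 40 bits")
    bits = [1] * HEADER_BITS
    column_parity = [0, 0, 0, 0]
    for i in range(10):                          # ten nibbles, MSB first
        nibble = (tag_id >> (36 - 4 * i)) & 0xF
        row = [(nibble >> (3 - j)) & 1 for j in range(4)]
        bits.extend(row)
        bits.append(sum(row) & 1)                # even row parity
        for j in range(4):
            column_parity[j] ^= row[j]
    bits.extend(column_parity)                   # even column parity
    bits.append(STOP_BIT)
    assert len(bits) == 64
    return int("".join(map(str, bits)), 2)


def em4100_decode(frame: int) -> Optional[int]:
    """Recover the ID from a 64-bit stream; None if header, parity or stop bit fail."""
    bits = [(frame >> (63 - i)) & 1 for i in range(64)]
    if bits[:HEADER_BITS] != [1] * HEADER_BITS:
        return None                              # no sync header
    column_parity = [0, 0, 0, 0]
    tag_id = 0
    for i in range(10):
        start = HEADER_BITS + 5 * i
        row, parity = bits[start:start + 4], bits[start + 4]
        if sum(row) & 1 != parity:
            return None                          # row parity mismatch
        for j in range(4):
            column_parity[j] ^= row[j]
        tag_id = (tag_id << 4) | int("".join(map(str, row)), 2)
    if bits[59:63] != column_parity or bits[63] != STOP_BIT:
        return None                              # column parity or stop bit wrong
    return tag_id


def to_t55xx_blocks(frame: int) -> Tuple[int, int]:
    """Split the stream into the two 32-bit words a T55xx sends as blocks 1 and 2."""
    return (frame >> 32) & 0xFFFFFFFF, frame & 0xFFFFFFFF


if __name__ == "__main__":
    tag = 0x12FF003492                           # EM TAG ID from the thread
    frame = em4100_encode(tag)
    high, low = to_t55xx_blocks(frame)
    print(f"stream : {frame:064b}")
    print(f"blocks : {high:08X} {low:08X}")
    print(f"decoded: {em4100_decode(frame):010X}")
```

The decoder rejects any single flipped bit in the stream (row or column parity, or the stop bit catches it), which is all the integrity an EM4100 reader ever checks; the later posts in this thread, where the badge turns out to be a 40-bit Casi-Rusco card at a different clock rate, are outside what this example covers.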

#9 2020-02-29 04:53:16

TelxonHacker
Contributor
From: Central US
Registered: 2020-02-19
Posts: 34

Re: Cloner won't read T55X7 work badge [solved]

Looks like the site is having major issues, so I haven't been able to get on lately. Your explanation makes total sense, I've been reading more on the T55x docs, and it seems pretty straightforward.

Now for the interesting bit! I now have an RFIDeas PCProx usb reader; its software has a card analyzer that can ID about 30-40 common prox cards. It identifies my new unmodified badge as Casi-Rusco, NOT EM410x. The ID it spits out also matches what's on the back of my card. This also explains why the blue cloner couldn't read it.

Being that it's a T55X emulating a Casi Rusco, I should be able to read the t55x info on the unmodified badge and use that to make an exact copy, right?

Last edited by TelxonHacker (2020-02-29 04:55:03)


#10 2020-02-29 07:00:17

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Cloner won't read T55X7 work badge [solved]

With most of the lf cards, they simply spit out a stream of data in a loop while energized.
So even if it was not on a T55xx card you could "read" the card and work out the modulation.  Once you know the modulation and speed you could build the config block (from the tech sheet), then write the "data stream" to blocks 1 to x as needed (you may find someone already knows the t55xx config block for them).

If it is on a t55xx and it's not password protected (or you know the password), you should be able to dump the card and clone that way.

There can be times when this may not be 100%, but if you hit that, then with a bit more work you should be able to work it out.
e.g. lf read ... then manual decode, then extract the repeating bit stream (that will be the data needed for the card)

But try the easy way first :)

Note: A very quick internet search seems to say it could be 40 bits with 38 bits of data for the ID.


#11 2020-02-29 14:08:45

TelxonHacker
Contributor
From: Central US
Registered: 2020-02-19
Posts: 34

Re: Cloner won't read T55X7 work badge [solved]

I got it!
I was reading a bit more after my last post, and I found this post: http://www.proxmark.org/forum/viewtopic.php?id=5969
If you just clone the ID, the default clock rate is set at 64, but it seems Casi Rusco needs it set at 32, so I wrote the ID with a clock of 32, and the PCProx sees the clone now as a Casi Rusco with the same ID as the original.  It is indeed a 40 bit ID.

I do understand what you are saying too, and that's one of the cool things about the PM3: the raw power it has at showing you the intricate workings of a card, allowing you to reverse engineer it pretty easily, with a little patience.

What helped me is I'm not new to RFID, but I mainly used standard readers hooked to a PC or even smartphone apps; getting the PM3 has opened up so much more potential than just reading an ID.

Thank you for your help with this, I'm going to mark it as solved!

Update: the clone works as it should!

Last edited by TelxonHacker (2020-03-02 16:54:30)
