[Resolved] broken: LF T55xx commands.

iceman · 2014-10-15 12:17:33

Yes, replace the makefile in /client directory.

MilkThief · 2014-10-15 12:26:29

Iceman, if with your code I'll be able to recover my 60 T55xx locked tags, making them RW, you'll find a lot of prepaid beers in a lounge bar in Bergdalsgatan (near you!) where a old friend of mine works. Don't tell me you're non-drinker!

iceman · 2014-10-15 12:33:27

Are you stalking me?
But then, I never say no to free beer

I hope you'll have success with your tags. What was wrong with them? (i forgot, i'll re-read this thread)
Btw, there was another "clone" password found, mentioned in another thread. http://www.proxmark.org/forum/viewtopic.php?id=2022&p=3

MilkThief · 2014-10-15 12:42:47

No stalking, your internet site is in this thread. I never miss a promised beer!
Recompiled, reflashed, retested, the problem is still there. It exits as in the post #96...
I'll take some time to find an idea... :-)

(a chineese sent me 60 RW tags... but they are preprogrammed and I cannot write them with a PM3. He warranties that they are T55x7 compatible, so they are RW for me. I did not posted about this because I'm trying to do what I found on the forum. A second way would be to "lf snoop" the chinese cloner during the write process, but "lf snoop" is a ghost command)
Thank you!

iceman · 2014-10-15 12:51:06

Mail me instead, so we don't have to fudge this thread up.

You still get crash with "lf t55xx dump".. tried individual "lf t55xx rd 0" commands?

MilkThief · 2014-10-15 16:37:05

iceman wrote:

Mail me instead, so we don't have to fudge this thread up.

Absolutely correct. I'm looking for your email address on your forum profile. Nothing.
Is that caused by my forum (low) profile?

iceman wrote:

You still get crash with "lf t55xx dump".. tried individual "lf t55xx rd 0" commands?

I will try tonight and keep you updated.
Thank you!

iceman · 2014-10-15 16:47:04

start here: iceman at iuse se

iceman · 2014-10-15 21:26:36

I got some help on filtering the t55xx fsk signal

data plot
lf t55xx rd 0

lf t55xx fsk

data grid 50  0

marshmellow · 2014-10-15 21:54:19

looks pretty

iceman · 2014-10-16 10:59:16

Marshmellow, there is no ST detection in your config 0x00107060 right?

For FSK-2 and 000111 pattern I get, but it the "000111" exists in the binary I try to find (0x00107060) and it never comes back between the 32bits interval..

pm3 --> lf t55xx fsk
FIELD Length: 50
000111 position: 722
BIN: 
0000001100000
00000000000100001110000001100000
00000000000100001110000001100000
00000000000100001110000001100000
00000000000100001110000001100000
00000000000100001110000001100000
00000000000100001110000001100000
000000000001000

//Compare
hex:  0x00107060
bin:  00000000 00000000 100000111000001100000

I think that the data fsk demod will demod correct if there is an "000111" pattern and FSK-1

data fskdemod

iceman · 2014-10-16 11:20:54

..
nop, I tried:

0x000c40e8 (FSK1, r/40, sst) sst is really showing, failed demod
0x001040e8 (FSK1, r/50, sst) sst is really showing, failed demod

0x000c7060 (FSK2a, r/40) , success demod.
0x00107060 (FSK2a, r/50) , success demod.

marshmellow · 2014-10-16 11:22:21

there is no ST detection in your config 0x00107060 right?

correct.

Last edited by marshmellow (2014-10-16 11:22:43)

iceman · 2014-10-16 12:25:45

So many different options...

fsk1 r/40-r/50 (and inverse aka fsk1a) (4)
fsk2 r/40-r/50 (and inverse aka fsk2a) (4)

on top of that, the Sequence terminator marker...
I'm going nuts here. (well,almost) 4x4x2 = 32 different intpretations..

btw the "data fskdemod" tries fsk & manchester on top of that, thats why it doesn't work directly with t55xx tags...

iceman · 2014-10-16 13:18:10

MilkTheif, I guess your problems comes from a call to "free()"...
The only one that comes to my mind is in ui.c , around row 132 - free(bitStream);
try and remove that line and recompile the client.

ok?

iceman · 2014-10-16 21:23:28

Adde an option to use data from the Graphbuffer in the trace/info commands.
Useful if you have a trace from someone and don't want to decode it.

data load trace.tx

lf t55xx trace 1

lf t55xx info 1

iceman · 2014-10-23 20:23:59

and the "lf t55xx fsk" works now, decoding fsk2. However it only prints binary.. and it is not integrated with the other commads "info/trace/dump"..

Decoding Fsk2/a without starting markers is just guessing. I guess one way would to have n known settings configuration bytes and compare with the decoded bits to see if it matches.

app_o1 · 2015-03-12 15:38:17

I am interested in those sweet commands:
lf t55xx rd 0
lf t55xx dump
lf t55xx info

I am not able to use the last GitHub modification. So I tried the pm3-bin-0.0.7 by asper.
The t55xx commands included in the setting.xml does not seem to have been added to the client.
I only have these commands available:

proxmark3> lf t55xx
help             This help
readblock        <Block> -- Read T55xx block data (page 0)
readblockPWD     <Block> <Password> -- Read T55xx block data in password mode(page 0)

writeblock       <Data> <Block> -- Write T55xx block data (page 0)
writeblockPWD    <Data> <Block> <Password> -- Write T55xx block data in password mode(page 0)

readtrace        Read T55xx traceability data (page 1)

readblock and readtrace do not give any results even after issuing lf read + data samples

proxmark3> lf t55xx readblock 3
Reading block 3
#db# DONE!
proxmark3>

Last edited by app_o1 (2015-03-12 15:40:08)

iceman · 2015-03-12 16:04:56

yeah, those are not in the PM3 main trunc. I was thinking of it but then @Marshmellow started with a total remake of the LF demod commands which I realised was something I've been struggeling when trying to fix the t55x commands.

So right now, there is a minor issue of using the @marshmellows new demod's in the t55xx. If you want to help out, its in my fork.

For the old commands to work, you need

lf read
data samp
data plot
lf t55xx readblock 3

there were some timing issues in the lfops.c for the t55xx commands as well... So, yeah, well... just saying, that I kind of identified the issues but didnt pushed fix.

Last edited by iceman (2015-03-12 16:05:23)

app_o1 · 2015-03-12 16:21:31

I have never checked out your trunk! I will test that tomorrow.

iceman · 2015-03-13 18:36:01

I have pushed alot of changes to my fork regarding the remake of T55XX commands.

It seems to work quite well together with @marshmellows new demods.

However, it needs to be tested a bit.

Can anyone do that?

app_o1 · 2015-03-14 12:25:34

I am trying but I am getting a lot of errors due to QT. it is not linking properly.
Problems appears with proxguiqt.h proxgui.h (It is not finding "QApplication")

You said to use "QT 5.3.1"
mine is located here : C:\Qt\5.3\mingw482_32\include\QtWidgets
what did you use to install QT ? I used to have the Nokia SDK. I couldn't find it. So i am using qt-opensource-windows-x86-1.6.0-8-online

iceman · 2015-03-14 16:19:38

hm, did you add the /platforms folder under the client libarary? Which Qt5 needs.
The same folder where u put qwindows.dll and qwindowsd.dll ??

iceman · 2015-03-17 17:40:07

BIPHASE TEST: T55XX

--BIPHASE RF/8 (FAIL)

pm3 --> lf t55 wr 0 00010040
Writing to T55x7
block : 0
data  : 0x00010040
pm3 --> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

--BIPHASE RF/16 (FAIL)

pm3 --> lf t55 wr 0 00050040
Writing to T55x7
block : 0
data  : 0x00050040
pm3 --> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

--BIPHASE RF/32 (FAIL)

pm3 --> lf t55 wr 0 00090040
Writing to T55x7
block : 0
data  : 0x00090040
pm3 --> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

--BIPHASE RF/40

pm3 --> lf t55 wr 0 000D0040
Writing to T55x7
block : 0
data  : 0x000D0040
pm3 --> lf t55xx detect
Modulation : BIPHASE
Inverted   : No
Offset     : 0
Block0     : 0x000D0040
pm3 --> lf t55xx in

-- T55xx Configuration & Tag Information --------------------
-------------------------------------------------------------
 Safer key                 : 0
 reserved                  : 0
 Data bit rate             : 3 - RF/40
 eXtended mode             : No
 Modulation                : 16 - Biphase
 PSK clock frequency       : 0
 AOR - Answer on Request   : No
 OTP - One Time Pad        : No
 Max block                 : 2
 Password mode             : No
 Sequence Start Terminator : No
 Fast Write                : No
 Inverse data              : No
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0
     Block 0  : 0x000D0040  00000000000011010000000001000000
-------------------------------------------------------------

--BIPHASE RF/50

pm3 --> lf t55 wr 0 00110040
Writing to T55x7
block : 0
data  : 0x00110040
pm3 --> lf t55xx detect
Modulation : BIPHASE
Inverted   : No
Offset     : 0
Block0     : 0x00110040
pm3 --> lf t55xx in

-- T55xx Configuration & Tag Information --------------------
-------------------------------------------------------------
 Safer key                 : 0
 reserved                  : 0
 Data bit rate             : 4 - RF/50
 eXtended mode             : No
 Modulation                : 16 - Biphase
 PSK clock frequency       : 0
 AOR - Answer on Request   : No
 OTP - One Time Pad        : No
 Max block                 : 2
 Password mode             : No
 Sequence Start Terminator : No
 Fast Write                : No
 Inverse data              : No
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0
     Block 0  : 0x00110040  00000000000100010000000001000000
-------------------------------------------------------------

--BIPHASE RF/64

pm3 --> lf t55 wr 0 00150040
Writing to T55x7
block : 0
data  : 0x00150040
pm3 --> lf t55xx detect
Modulation : BIPHASE
Inverted   : No
Offset     : 0
Block0     : 0x00150040
pm3 --> lf t55xx in

-- T55xx Configuration & Tag Information --------------------
-------------------------------------------------------------
 Safer key                 : 0
 reserved                  : 0
 Data bit rate             : 5 - RF/64
 eXtended mode             : No
 Modulation                : 16 - Biphase
 PSK clock frequency       : 0
 AOR - Answer on Request   : No
 OTP - One Time Pad        : No
 Max block                 : 2
 Password mode             : No
 Sequence Start Terminator : No
 Fast Write                : No
 Inverse data              : No
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0
     Block 0  : 0x00150040  00000000000101010000000001000000
-------------------------------------------------------------

--BIPHASE RF/100

pm3 --> lf t55 wr 0 00190040
Writing to T55x7
block : 0
data  : 0x00190040
pm3 --> lf t55xx detect
Modulation : BIPHASE
Inverted   : No
Offset     : 0
Block0     : 0x00190040
pm3 --> lf t55xx in

-- T55xx Configuration & Tag Information --------------------
-------------------------------------------------------------
 Safer key                 : 0
 reserved                  : 0
 Data bit rate             : 6 - RF/100
 eXtended mode             : No
 Modulation                : 16 - Biphase
 PSK clock frequency       : 0
 AOR - Answer on Request   : No
 OTP - One Time Pad        : No
 Max block                 : 2
 Password mode             : No
 Sequence Start Terminator : No
 Fast Write                : No
 Inverse data              : No
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0
     Block 0  : 0x00190040  00000000000110010000000001000000
-------------------------------------------------------------

--BIPHASE RF/128 (FAIL)

pm3 --> lf t55 wr 0 001d0040
Writing to T55x7
block : 0
data  : 0x001D0040
pm3 --> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

iceman · 2015-03-17 17:44:29

Marshmellows new biphase gives a decent result:

Clock rates | outcome
40, 50, 64, 100 | pass
8, 16, 32, 128 | fail

app_o1 · 2015-03-18 11:37:29

iceman wrote:

hm, did you add the /platforms folder under the client libarary? Which Qt5 needs.
The same folder where u put qwindows.dll and qwindowsd.dll ??

Yes I did that. But no change.
Are you not on ICQ anymore?

iceman · 2015-03-18 12:37:46

App_o1,
I had a temp webicq, but I don't use it normally.

iceman · 2015-03-18 12:47:49

I can login on to the official IRC-channel

iceman · 2015-03-18 17:14:25

I enhanced the testsuite, we can now test ASK, FSK also.

The new detection detects all of them, but some error occures with RF/8, RF/16.

-- ASK --
http://pastebin.com/U7j8yvZu

-- FSK --
http://pastebin.com/DS3PFUeu

Last edited by iceman (2015-03-18 18:20:48)

marshmellow · 2015-03-24 12:23:01

In main trunk now

Proxmark3 community

Announcement

#101 2014-10-15 12:17:33

Re: [Resolved] broken: LF T55xx commands.

#102 2014-10-15 12:26:29

Re: [Resolved] broken: LF T55xx commands.

#103 2014-10-15 12:33:27

Re: [Resolved] broken: LF T55xx commands.

#104 2014-10-15 12:42:47

Re: [Resolved] broken: LF T55xx commands.

#105 2014-10-15 12:51:06

Re: [Resolved] broken: LF T55xx commands.

#106 2014-10-15 16:37:05

Re: [Resolved] broken: LF T55xx commands.

#107 2014-10-15 16:47:04

Re: [Resolved] broken: LF T55xx commands.

#108 2014-10-15 21:26:36

Re: [Resolved] broken: LF T55xx commands.

#109 2014-10-15 21:54:19

Re: [Resolved] broken: LF T55xx commands.

#110 2014-10-16 10:59:16

Re: [Resolved] broken: LF T55xx commands.

#111 2014-10-16 11:20:54

Re: [Resolved] broken: LF T55xx commands.

#112 2014-10-16 11:22:21

Re: [Resolved] broken: LF T55xx commands.

#113 2014-10-16 12:25:45

Re: [Resolved] broken: LF T55xx commands.

#114 2014-10-16 13:18:10

Re: [Resolved] broken: LF T55xx commands.

#115 2014-10-16 21:23:28

Re: [Resolved] broken: LF T55xx commands.

#116 2014-10-23 20:23:59

Re: [Resolved] broken: LF T55xx commands.

#117 2015-03-12 15:38:17

Re: [Resolved] broken: LF T55xx commands.

#118 2015-03-12 16:04:56

Re: [Resolved] broken: LF T55xx commands.

#119 2015-03-12 16:21:31

Re: [Resolved] broken: LF T55xx commands.

#120 2015-03-13 18:36:01

Re: [Resolved] broken: LF T55xx commands.

#121 2015-03-14 12:25:34

Re: [Resolved] broken: LF T55xx commands.

#122 2015-03-14 16:19:38

Re: [Resolved] broken: LF T55xx commands.

#123 2015-03-17 17:40:07

Re: [Resolved] broken: LF T55xx commands.

#124 2015-03-17 17:44:29

Re: [Resolved] broken: LF T55xx commands.

#125 2015-03-18 11:37:29

Re: [Resolved] broken: LF T55xx commands.

#126 2015-03-18 12:37:46

Re: [Resolved] broken: LF T55xx commands.

#127 2015-03-18 12:47:49

Re: [Resolved] broken: LF T55xx commands.

#128 2015-03-18 17:14:25

Re: [Resolved] broken: LF T55xx commands.

#129 2015-03-24 12:23:01

Re: [Resolved] broken: LF T55xx commands.

Board footer