Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2014-03-17 23:31:15

jeroen
Contributor
Registered: 2009-06-08
Posts: 10

T5577 issue

Hi,

I own a number of T5577 cards. They seem to work fine:

//--------------------------------------------------------------------------

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 844 2014-02-06 22:03:08                 
#db# os: svn 848 2014-03-17 23:06:49                 
#db# FPGA image built on 2014/02/25 at 07:43:59                 
uC: AT91SAM7S256 Rev B         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory   
<EM410x tag placed on antenna>
proxmark3> lf em4x em410xread
Auto-detected clock rate: 64         
EM410x Tag ID: 04120d6ed4     
<T5577 card placed on antenna>
proxmark3> lf em4x em410xwrite 04120d6ed4 1
Writing T55x7 tag with UID 0x04120d6ed4 (clock rate: 64)         
#db# Started writing T55x7 tag ...                 
#db# Clock rate: 64                 
#db# Tag T55x7 written with 0xff81232836ceed36
<T5577 card still placed on antenna>
proxmark3> lf em4x em410xread
Auto-detected clock rate: 64         
EM410x Tag ID: 04120d6ed4

//--------------------------------------------------------------------------

However using the T5577 as a HID prox is not working:

//--------------------------------------------------------------------------

proxmark3> lf hid clone 0123456789
Cloning tag with ID 123456789         
proxmark3> lf hid fskdemod
proxmark3>

//--------------------------------------------------------------------------

Do you have a clue about what's going on? Reading a (real) HID prox with 'lf hid fskdemod' works just fine. Do I need to initialize the T5577 first? Something else? Thanks for your help!

Cheers,

Jeroen

#2 2014-03-18 03:43:54

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: T5577 issue

You should first learn about HID site and facility codes. Read the proxcard2 datasheet.

#3 2014-03-18 10:31:38

jeroen
Contributor
Registered: 2009-06-08
Posts: 10

Re: T5577 issue

vivat wrote:

You should first learn about HID site and facility codes. Read the proxcard2 datasheet.

The ID 0123456789 is just an example. If I read an actual valid ID from a real card (which I don't want to post here ;-)) and try to clone it, the outcome is the same.

Cheers,

Jeroen

#4 2014-03-18 14:56:23

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: T5577 issue

Are you sure that the code that you are using is a valid 44-bit code?
If the format information contained in the front part of the code is wrong then the HID reader will not recognize it as a valid card.
Here are a few examples. Can you get any of these to work?

44-bit Code    FC    Card#
02006F764DD    123   45678
02006020002    001   00001
0200603FFFF    001   65535
02005FFFFFF    255   65535

Offline
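
Added example (not part of carl55's post and not Proxmark3 code): a checker for the 26-bit layout that the four sample rows above follow. The header value and field positions are inferred from those rows, the parity rule is the standard 26-bit Wiegand one, and `parse_hid26` and `describe` are hypothetical names.

```python
# Added example: validate and decode the 26-bit layout implied by the sample rows.
# Bit positions are inferred from those rows (an assumption), not from Proxmark3 source.

HEADER_26 = 0x801       # bits 43..26 shared by all four sample codes (inferred)
FRAME_MASK = 0x3FFFFFF  # low 26 bits: parity, 8-bit FC, 16-bit card number, parity


def parse_hid26(code_hex):
    """Return (facility_code, card_number) for a 44-bit code, else raise ValueError."""
    value = int(code_hex, 16)
    if value >> 44:
        raise ValueError("longer than 44 bits")
    if value >> 26 != HEADER_26:
        raise ValueError("header bits do not match the 26-bit layout")
    frame = value & FRAME_MASK
    upper = frame >> 13      # leading parity bit plus the 12 data bits below it
    lower = frame & 0x1FFF   # lowest 12 data bits plus the trailing parity bit
    if bin(upper).count("1") % 2 != 0:
        raise ValueError("even parity over the upper half fails")
    if bin(lower).count("1") % 2 != 1:
        raise ValueError("odd parity over the lower half fails")
    return (frame >> 17) & 0xFF, (frame >> 1) & 0xFFFF


def describe(code_hex):
    """Human-readable verdict for one code."""
    try:
        fc, card = parse_hid26(code_hex)
        return f"{code_hex}: FC {fc:03d}, card {card:05d}"
    except ValueError as err:
        return f"{code_hex}: rejected ({err})"


# The four codes from the post, the placeholder ID from post #1, and one
# constructed code (the first sample with its last bit flipped).
SAMPLES = ["02006F764DD", "02006020002", "0200603FFFF", "02005FFFFFF",
           "0123456789", "02006F764DC"]

if __name__ == "__main__":
    for code in SAMPLES:
        print(describe(code))
```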

#5 2014-03-18 22:15:02

jeroen
Contributor
Registered: 2009-06-08
Posts: 10

Re: T5577 issue

carl55 wrote:

Are you sure that the code that you are using is a valid 44-bit code?
If the format information contained in the front part of the code is wrong then the HID reader will not recognize it as a valid card.
Here are a few examples. Can you get any of these to work?

44-bit Code    FC    Card#
02006F764DD    123   45678
02006020002    001   00001
0200603FFFF    001   65535
02005FFFFFF    255   65535

proxmark3> lf hid clone 02006F764DD
Cloning tag with ID 2006f764dd         
#db# DONE!                 
proxmark3> lf hid fskdemod
<nothing happens>
<reset>
lf hid clone 02006020002
#db# DONE!                 
proxmark3> lf hid fskdemod
<nothing happens>

#6 2014-03-21 17:51:58

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: T5577 issue

Are you doing an lf read before the lf hid fskdemod?

#7 2014-03-21 17:57:00

jeroen
Contributor
Registered: 2009-06-08
Posts: 10

Re: T5577 issue

marshmellow wrote:

Are you doing an lf read before the lf hid fskdemod?

Doesn't matter: the result is the same :(

#8 2014-03-21 18:01:53

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: T5577 issue

3 commands to read a prox should look like:
lf read
data samples 16000
lf hid demod

Last edited by marshmellow (2014-03-21 18:04:46)

#9 2014-03-21 18:04:35

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: T5577 issue

Make that: lf hid demod

#10 2014-10-15 20:30:58

jeroen
Contributor
Registered: 2009-06-08
Posts: 10

Re: T5577 issue

Ok new try:

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: master/v1.1.0-24-g92d255d-suspect 2014-10-14 21:38:36             
#db# os: master/v1.1.0-24-g92d255d-suspect 2014-10-14 21:38:38
#db# LF FPGA image built on 2014/ 6/23 at  9:25:13
<real HID Prox placed on antenna, data obfuscated>
proxmark3> lf hid fskdemod
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
<pm3 button pressed>
#db# Stopped
<T5577 placed on antenna>
proxmark3> lf hid clone 2e********
Cloning tag with ID 2e********
#db# DONE!
proxmark3> lf hid fskdemod
<T5577 removed and placed on antenna>
<nothing>
<T5577 removed, original HID Prox placed on antenna>
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
..

So it seems that the T5577 is not detected / recognized? Any clues?

Tags are for sure writable, checked with simple LF cloner device. I've tried two types of T5577's.

Last edited by jeroen (2014-10-15 20:36:36)

#11 2014-10-16 04:23:18

gbhuk
Contributor
Registered: 2012-09-20
Posts: 33

Re: T5577 issue

I think the clue is that you've used a 'simple cloner device' on the cards.

These tend to password-protect them making them writeable only by the same cloner from that point in time onwards.

However it is possible to reset passwords with the PM3 - take a look at this thread:  http://proxmark.org/forum/viewtopic.php?pid=11778#p11778

If the cloner is a little blue handheld one then try writing to the card with the command: lf t55xx writeblockPWD 00148041 0 51243648 - it just may get your cards up and running again for HID cloning.

If it's a little white multi-frequency cloner then user diaconom decoded the password for it and the command would be: lf t55xx writeblockPWD 00148041 0 000D8787

Last edited by gbhuk (2014-10-16 04:28:06)
