Proxmark3 community


#1 2015-06-01 03:40:52

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Q5 tag programming

I've heard a few comments like "I switched back to firmware 0.0.7, for some reason 2.0.0 won't program my Q5 tags".  Is there anyone out there that has some (or 1) Q5 tag that is willing to help me with some testing?  I have a feeling some streamlined timings for the ata55x7s has broken the code's compatibility with the older tag.


#2 2015-06-01 09:51:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,491

Re: Q5 tag programming

Could be timings, there are some changes I did in the lfops.c #defines which were tightened up.  Could be them.
Wouldn't harm to revert those and see if the Q5 became better.


#3 2015-06-01 15:23:15

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Q5 tag programming

That is what I expect, but I need someone with a Q5 to help verify.

Last edited by marshmellow (2015-06-01 15:23:36)


#4 2015-06-01 18:42:58

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Q5 tag programming

I am very new here and will not complete my learning in LF and HF very soon, hence I have more questions than advice or supporting ideas.

But recently, with very warm-welcome collegial support on this forum, I have learnt in a project how to read a tag: to check using lf search; lf autodetect; to use lf read; data samples; data save; data load; data rawdemod nr x; lf t55xx wr. I use commands sent to the serial port, and also the GUI. We have successfully completed that project with the step that, pressing that copy to the reader, the door (not my door but a friend's apartment block) opened.

From that project it is clear my intention is to learn to have profit for myself, because I now have a working copy of the mysterious tag.

But I intend to do more than that.

I offer that I will use what I have learnt on this tag to help the Proxmark group with regression work of every beta SW before release. In this way everyone would be informed if any irregularity comes into any new SW.

I hope in the long run more people would join me, when each newbie chips in a little bit of time, and when you fix the problem with the GitHub SW release revision number, then we can provide for each BETA SW release a very clear test results table, which would be useful for everyone, professional or newbie.

Next I will learn about investigating and copying of EM fob to EM fob; using Q5 to clone key/tag/fob to Q5 (I have a problem here: how to confirm that what I created is also 100% working).

By using send serial port and GUI in the last few days I also have some ideas I would like to see an area to speak out, hopefully some of it may find a way into the SW to improve it.

@Marshmellow, if I had a Q5 and had done work on cloning to Q5 you would see with each beta release and final release the regression result; you can see where it had started or where the question is simply not necessary.

Apropos, at the moment

you seem to have problems with
1/ some GUI command in LF, like lf config is not OK
2/ I still don't understand enough, but LF snoop from the GUI seems not to work, I need to do more to tell what is wrong
3/ tune has a bug, I can reproduce it

If we have a regression table we can know immediately with certainty which release has a problem with a certain command, who has tested, when we started to have a problem with a certain command.


#5 2015-06-01 18:50:51

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Q5 tag programming

LF config works well here.  As does the LF snoop and tune.
...
While I appreciate your enthusiasm and willingness to offer help, this thread is not the place to discuss such items.  Please start your own thread.


#6 2015-06-01 22:44:40

en4rab
Contributor
Registered: 2013-04-22
Posts: 36

Re: Q5 tag programming

I had a play with timings whilst trying to figure out what was wrong. Whilst I didn't reset them to their old values I did change them in that direction; in particular START_GAP seemed excessive at 50 field clocks, which the Q5 data sheet suggests is the maximum allowable value, but I did not have any success.
I'm off work Tue and Wed, I will try to figure out what's going on and try the original values in the new code.


#7 2015-06-02 08:08:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,491

Re: Q5 tag programming

Not hard to change those values.  The old values should be there also commented out.


#8 2015-06-03 13:08:34

en4rab
Contributor
Registered: 2013-04-22
Posts: 36

Re: Q5 tag programming

I have had another poke at the timings and got my Q5 tags working again by reverting the timings to the old values, or for start gap as close as I could get to the old value while expressing it as field clocks of 8us.
The values I used were:
#define START_GAP 31*8 // 10 - 50fc 250
#define WRITE_GAP 20*8 //    - 30fc 160
#define WRITE_0   18*8 // 16 - 63fc 54fc 144
#define WRITE_1   50*8 // 48 - 63fc 54fc 432 for T55x7; 448 for E5550 //400

and this seems to have fixed the issue for me. If you'd like me to try some other timings I'd be happy to, but as these are basically the old values which seemed to have worked before, reverting to these shouldn't cause problems.

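An added example (not Proxmark3 firmware code and not from en4rab's post) that checks the timings quoted above against the datasheet windows given in their comments. It assumes the values are microseconds, that one field clock (fc) of the 125 kHz carrier is 8 us, and, since the page quotes no lower bound for WRITE_GAP, a lower bound of 0 for it.

```c
#include <stdio.h>

/* Added example, not Proxmark3 firmware code: checks the lfops.c T55xx/Q5
 * write timings from the post above against the datasheet windows given
 * in their comments.  Timings are microseconds; one field clock (fc) of
 * the 125 kHz carrier is 8 us (assumption stated in the lead-in). */
#define FC_US 8

#define START_GAP 31*8 /* 10 - 50 fc */
#define WRITE_GAP 20*8 /*    - 30 fc, lower bound not quoted: 0 assumed */
#define WRITE_0   18*8 /* 16 - 63 fc */
#define WRITE_1   50*8 /* 48 - 63 fc */

struct timing { const char *name; int us; int min_fc; int max_fc; };

/* Whole field clocks in a microsecond delay (truncating). */
int us_to_fc(int us) { return us / FC_US; }
/* Leftover microseconds that do not make up a full field clock. */
int us_remainder(int us) { return us % FC_US; }

/* Print each entry and return how many fall outside their window. */
int check_timings(const struct timing *tab, int n) {
    int bad = 0;
    for (int i = 0; i < n; i++) {
        int fc = us_to_fc(tab[i].us);
        int ok = fc >= tab[i].min_fc && fc <= tab[i].max_fc;
        printf("%-9s %3d us = %2d fc +%d us  window %2d..%2d fc  %s\n",
               tab[i].name, tab[i].us, fc, us_remainder(tab[i].us),
               tab[i].min_fc, tab[i].max_fc, ok ? "ok" : "OUT OF WINDOW");
        if (!ok) bad++;
    }
    return bad;
}

/* The values from the post, checked against the quoted windows. */
int bad_current(void) {
    struct timing t[] = { {"START_GAP", START_GAP, 10, 50}, {"WRITE_GAP", WRITE_GAP, 0, 30},
                          {"WRITE_0", WRITE_0, 16, 63},     {"WRITE_1", WRITE_1, 48, 63} };
    return check_timings(t, 4);
}
/* The older microsecond values quoted in the comments (250/160/144/400). */
int bad_old(void) {
    struct timing t[] = { {"START_GAP", 250, 10, 50}, {"WRITE_GAP", 160, 0, 30},
                          {"WRITE_0", 144, 16, 63},   {"WRITE_1", 400, 48, 63} };
    return check_timings(t, 4);
}

int main(void) {
    printf("current:\n"); bad_current();
    printf("old:\n");     bad_old();
    return 0;
}
```

The old START_GAP of 250 us leaves a 2 us remainder, which is why the post settles on 31*8 as the nearest whole-field-clock value.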

#9 2015-06-03 13:16:58

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Q5 tag programming

Thanks!  I'll verify the ata5577 works good with those timings (should) and commit.


#10 2015-06-03 13:30:56

iceman
Administrator
Registered: 2013-04-25
Posts: 9,491

Re: Q5 tag programming

Great,
I changed to the new timings when the lf t55xx commands didn't work so well.
But after the remake and @marshmellow's new demodulation functions it should not be needed.


#11 2015-06-04 10:43:24

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Q5 tag programming

@Marshmellow, could you please look into post #2
http://www.proxmark.org/forum/viewtopic.php?id=2498
I have tried to construct a configuration for block 0 of a Q5 tag. Is 0008078 for direct mod, clock 32, RF/2, 4 blocks of data, no inverse and not using Password?

A few things are not clear, so I leave the setting to 0. I have no Q5 yet, but maybe soon. I'd like to understand correctly before they arrive.

Please let us know also which SW in GitHub is the one for good operation with both Q5 and also T55x7, that you, iceman and Nezrab finished checking and testing now. How to get down this SW with this modification from Git?

Thanks

Last edited by ntk (2015-06-04 15:26:03)


#12 2015-06-09 05:56:40

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Q5 tag programming

I have checked out the SW on 07/06/2015. Using this SW version Q5 writing should have no more problems, but it seems I cannot change the config on Q5:
lf t55xx wr 0 00008078. No error reported.

But when I use lf t55xx config
it still shows the previous value "Block0     : 0x00080080 "

Did I make a mistake here?
00008078 is telling Q5 to emulate for the case nz/32, 4 data blocks.


#13 2015-06-09 12:08:31

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Q5 tag programming

The q5 timings have not been fixed yet.  Go back in time before the t55xx update.


#14 2015-06-09 12:14:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,491

Re: Q5 tag programming

or change the sourcecode...  the old values are there, next to the new ones.


#15 2015-06-09 15:32:08

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Q5 tag programming

Thanks Iceman and Marshmellow.

I saw a new merge from Piwi recently, so I thought that is the part he fixed with you on this thread.

Will do the method "change the sourcecode...  the old values are there, next to the new ones.". Apropos, if you do a "make all flash-all", do you still have to hold the button on the PM3 pressed?

