Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-05-28 11:07:10

Erictsk
Contributor
Registered: 2015-05-22
Posts: 39

Re-formating of T55x7 Card.

I have successfully clone a HID card to a T55x7. Is it possible to "re-format" the cloned T55x7 card because I want to make use of that T55x7 card to clone a EM410x card. Since the 2 cards are using different kind of modulation techniques, is this possible?

Is there a command or script being written that can perform the above mentioned?

Offline

#2 2015-05-28 12:25:23

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Re-formating of T55x7 Card.

Just send new write commands to it.  No need to wipe it.

Offline

#3 2015-05-31 19:15:00

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Re-formating of T55x7 Card.

indeed,  the t55x7 is very easy,..  just write to it, even if the config block is screwed up.

Offline

#4 2015-12-30 13:01:39

broken_bad
Contributor
From: EU
Registered: 2015-04-07
Posts: 25

Re: Re-formating of T55x7 Card.

I have three cards that are somewhat broken - they don't react to any read or write command, the only thing I can do is to read Traceability block (64 bits in page 1) - data are correct and all parities are good. Any ideas how to make those cards working again? Even if I try to write factory-defaults to block 0 it doesn't wake up. Every command ends up with no data:

lf t55xx read b 0

1451476822_dead-card.jpg

These are Q5Bs, maybe not 100% compatible to T55xx, but I still don't get the fact it can be broken like this by writing (any) specific configuration.

Offline

#5 2015-12-30 17:06:04

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Re-formating of T55x7 Card.

if you wrote an invalid block 0 then it is possible you permanently locked it, and no fix is possible.  (lock bit set) (or sent a read command with password when the tag wasn't configured with a password....)

that seems to be the case if you cannot overwrite it.

Offline

#6 2015-12-31 08:50:45

broken_bad
Contributor
From: EU
Registered: 2015-04-07
Posts: 25

Re: Re-formating of T55x7 Card.

Actually I am pretty sure what has done that. I have activated only Page select bit. Everything else corresponds to card's factory defaults. I am using Q5S, so the config word that destroyed the card was definitely 60 09 F0 04 (at least this is what was meant to be sent, I didn't scan the RF communication which could differ).

Writing factory defaults (60 01 F0 04) didn't have any effect.

Last edited by broken_bad (2015-12-31 19:43:24)

Offline

#7 2015-12-31 16:41:47

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: Re-formating of T55x7 Card.

write this,

lf t55 wr 0 00148040 00000000

then rewrite  big_smile

most welcome but am pretty sure the credit for Iceman for this ..

Offline

#8 2016-01-02 18:33:53

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Re-formating of T55x7 Card.

Not sure what the page select mode is, but we only use blockread in the source code.

try rewrite a default block with a direct write.

Last edited by iceman (2016-01-03 14:06:53)

Offline

#9 2016-01-03 14:08:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Re-formating of T55x7 Card.

If you use the fork from @marshmellow or mine,  the latest fixes for Q5 is there.  I don't think @marshmellow pushed a PR for his changes yet to PM3 master. Maybe time for a new release afterwards.

Offline

#10 2016-01-06 21:17:04

broken_bad
Contributor
From: EU
Registered: 2015-04-07
Posts: 25

Re: Re-formating of T55x7 Card.

Yes, it did the trick! My Q5Bs are back!

lf t55xx wr b 0 d 00148040 p 00000000

Offline

#11 2016-01-06 21:22:24

broken_bad
Contributor
From: EU
Registered: 2015-04-07
Posts: 25

Re: Re-formating of T55x7 Card.

iceman wrote:

Not sure what the page select mode is, but we only use blockread in the source code.

Q5B specification:

The data rate is binary programmable to operate
at any bit rate between RF/2 and RF/128. If
the “page select” bit is set, the data encoding
and bit rate is fixed to Manchester RF/64

Offline

#12 2016-01-06 23:39:26

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Re-formating of T55x7 Card.

aha,  I see,  thanks for the info,  it was not what I thought it meant.

Offline

#13 2016-01-06 23:47:32

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: Re-formating of T55x7 Card.

broken_bad wrote:

Yes, it did the trick! My Q5Bs are back!

lf t55xx wr b 0 d 00148040 p 00000000


Glad it worked, t55 = t55xx , which version you are using ? (win 2.5?) smile

Offline

#14 2016-01-07 03:34:10

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Re-formating of T55x7 Card.

if writing your block 0 to 00148040 worked then your tag is not a Q5, but a T55x7.

Offline

#15 2016-01-07 09:19:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Re-formating of T55x7 Card.

I wonder if 00148040 is a working configblock for Q5 and if the detection code would detect it as Q5.  The default ones I've seen starts with 60..

Offline

Board footer

Powered by FluxBB