Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2016-08-14 08:53:49

lockakey
Contributor
Registered: 2015-10-10
Posts: 22

lockakey - Hello forum!

Hello there, my name is lockakey I've been learning from these forums for quite some time.
I am now the proud owner of both an original pm3 and now an "elechouse RDV" version.

It is an invaluable tool. Many thanks to all the developers and this community
I'm asking for forum access because I'd like to post a topic in the LF/125khz section.

I recently purchased a Chinese reader-writer online.
Fortunately, the reader-writer works great.
Unfortunately, the Chinese writer locked my tags (20 of them) after writing to them.
If I use the Chinese writer to write a different ID it works fine. (It's not that bad, I just can't write to them with the pm3.)
Which leads me to believe that the Chinese reader sets a password during write.

Is there a way to snoop the Chinese reader-writer's transmission with my pm3 antennae to try to figure out the password?
I guess I would:
Take my Chinese reader-writer on one laptop and put the PM3 on another laptop. 
Then I would try to synchronize my timing so I could write the tag AND take a "data samples 20000" at the same time.
Does that sound possible? I'm afraid to ruin my hardware... Oh, wait... This is an intro.

Hello everyone :-)
-lockakey


#2 2016-08-14 09:03:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: lockakey - Hello forum!

Welcome to the forums!

It's known that Chinese cloner tools set the password on your t55x7 tag when used.
Two of them are found, so you can try using those and rewrite your tags.

It's also known that the cloner tools can make a bad "write", and flip a bit during writing pwd or data.

For this, there is the bruteforce command and the recoverpwd in my fork to use. Also a default pwd list with the cloner pwds.


#3 2016-08-14 22:56:26

lockakey
Contributor
Registered: 2015-10-10
Posts: 22

Re: lockakey - Hello forum!

I read through about 20 pages of posts just now..
I just downloaded your iceman fork. I'll try to load it tomorrow night and test the bruteforce and recoverpwd functions.

I tried searching to find more information on the Chinese writer password until I can use the new functions.
The cards are common/standard 26 bit

I found a few posts, most notably http://www.proxmark.org/forum/viewtopic.php?id=3465
They mention 2 passwords 51243648 and 000D8787

Unfortunately trying to write blocks using those passwords does not change the value of the tag, leading me to believe the password is still set. Or the password is different. Or a lockbit flipped.

I saw mention of reading the writer, but I could not find the post about it.
Could this work?

(Place a 26 bit tag on the pm3)
lf read
data samples 16000
data fskhiddemod
(that would give me the tag sequence)

(Place the Chinese writer on the reader.)
While writing a tag on the Chinese writer, read at the same time:
data samples 16000
data rawdemod fs
data manrawdecode

compare the results with the previous demod.
Although because of the demod. I believe I would need the raw transmission for the password.
Im guessing that would be:
data rawdemod ps ?

The password should be somewhere in the write transmission, correct?
I'm afraid of killing my PM3. Is it dangerous to read a writer with the pm3 during a write?

-lockakey

Last edited by lockakey (2016-08-15 07:00:21)


#4 2016-08-15 07:02:42

lockakey
Contributor
Registered: 2015-10-10
Posts: 22

Re: lockakey - Hello forum!

I tried a few minutes ago, for some reason I couldn't get it to work.
I'm getting really weird samples reading the writer...

Kinda stuck, gonna start experimenting
If anyone gets any bright ideas I'll be around for the next little while trying to pull that code.


#5 2016-08-15 07:24:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: lockakey - Hello forum!

try the "lf t55" commands on your tag

lf t55 detect
lf t55 info

if the output from 'info' tells you that the password bit is set,  try using those pwds while reading or dump tag


#6 2016-08-15 07:54:55

lockakey
Contributor
Registered: 2015-10-10
Posts: 22

Re: lockakey - Hello forum!

Woah. Thanks for that "t55xx info" command. Discovering new things daily.
So about 12 of my tags had a bad Block 0.
I fixed that quickly, now those are usable.

The other 8 say "Password mode: Yes"

That was great advice. Got anything next?

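The following is an added example and is not code from this thread or from the proxmark3 project. It decodes a T55x7 block 0 configuration word into the same fields that "lf t55xx info" reports (bit positions follow the T5577 datasheet layout for basic, non-X mode), lists which bit numbers differ from a known-good configuration so that a single bit flipped by a bad cloner write stands out, and computes the block 0 value that clears the PWD bit once the password has been recovered. The reference words 0x00107060 (HID 26-bit: FSK2a, RF/50, 3 data blocks) and 0x00148040 (EM410x: Manchester, RF/64, 2 data blocks) are the configurations the proxmark3 clone commands write; the locked sample word 0x00107070 is constructed for the demonstration.

```python
# Added example (not from the thread or the proxmark3 code base): decode a
# T55x7 block 0 word, diff it against a known-good config, and derive the
# value that turns password mode off again.

# Data bit rate field (bits 12-14, basic mode) -> RF clock divisor
BITRATE = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
           4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}

# Modulation field (bits 16-20); codes not listed are reserved
MODULATION = {0: "DIRECT", 1: "PSK1", 2: "PSK2", 3: "PSK3",
              4: "FSK1", 5: "FSK2", 6: "FSK1a", 7: "FSK2a",
              8: "MANCHESTER", 16: "BIPHASE", 24: "BIPHASE (diphase)"}

# Bit numbers count from the MSB (1) to the LSB (32), as in the datasheet.
PWD_BIT = 1 << (32 - 28)          # bit 28: password mode enabled

# Reference configurations written by the proxmark3 clone commands
T55X7_HID_CONFIG = 0x00107060     # FSK2a, RF/50, max block 3
T55X7_EM410X_CONFIG = 0x00148040  # Manchester, RF/64, max block 2


def decode_block0(block0):
    """Return the configuration fields encoded in a 32-bit block 0 word."""
    if not 0 <= block0 <= 0xFFFFFFFF:
        raise ValueError("block 0 must be a 32-bit word")
    extend = (block0 >> (32 - 15)) & 0x01             # bit 15: X-mode
    dbr = (block0 >> (32 - 14)) & (0x3F if extend else 0x07)
    mod = (block0 >> (32 - 20)) & 0x1F
    return {
        "master_key": (block0 >> (32 - 4)) & 0x0F,     # bits 1-4
        "x_mode": bool(extend),
        # X-mode widens the bit rate field; report the raw value there
        "bitrate": BITRATE[dbr] if not extend else "raw %d (X-mode)" % dbr,
        "modulation": MODULATION.get(mod, "reserved (%d)" % mod),
        "psk_cf": (block0 >> (32 - 22)) & 0x03,        # bits 21-22
        "aor": bool((block0 >> (32 - 23)) & 0x01),     # answer on request
        "otp": bool((block0 >> (32 - 24)) & 0x01),     # one-time programmable
        "max_block": (block0 >> (32 - 27)) & 0x07,     # bits 25-27
        "password_mode": bool(block0 & PWD_BIT),       # bit 28
        "seq_terminator": bool((block0 >> (32 - 29)) & 0x01),
        "inverse_data": bool((block0 >> (32 - 31)) & 0x01),
        "por_delay": bool(block0 & 0x01),              # bit 32
    }


def diff_bits(actual, expected):
    """Bit numbers (1 = MSB .. 32 = LSB) where two block 0 words differ.

    One entry means a single flipped bit; a set of entries that maps to one
    field (e.g. bits 16-20) means the whole field was written wrongly.
    """
    x = (actual ^ expected) & 0xFFFFFFFF
    return [n for n in range(1, 33) if x & (1 << (32 - n))]


def clear_password_mode(block0):
    """Block 0 value with only the PWD bit cleared; every other field is kept."""
    return (block0 & ~PWD_BIT) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample: an HID-style config as a cloner might leave it,
    # identical to the HID reference except that the PWD bit is set.
    locked = 0x00107070
    for name, value in decode_block0(locked).items():
        print("%-15s %s" % (name, value))
    print("differs from HID reference at bits:", diff_bits(locked, T55X7_HID_CONFIG))
    print("block 0 to write once the password is known: %08X"
          % clear_password_mode(locked))
```

The decoder only tells you what block 0 should contain; while the PWD bit is set, writing the corrected word back still requires supplying the recovered password to the write command, so the candidate passwords from the thread (or the fork's default list) are the first thing to try on a tag that reports "Password mode: Yes".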
