Pigeon

egon2 · 2017-03-04 23:02:15

sorry for my angielski.have proxmark3 5 days I am looking for possibilities of change em tag id.Not clone.I know that doing.I do not know whether it PM3.this possible?

I am green.so much from one chip.

-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 3
reserved : 97
Data bit rate : 7 - RF/128
eXtended mode : No
Modulation : 3 - PSK 3 phase change on rising edge of input
PSK clock frequency : 3
AOR - Answer on Request : Yes
OTP - One Time Pad : Yes - Warning
Max block : 6
Password mode : No
Sequence Start Terminator : No
Fast Write : No
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x3C3C3FC0 0011110000111100001111111100000
-------------------------------------------------------------
proxmark3>

----------------------------------------------------------
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 78787F80 | 0111100001111000011111111000000
1 | 3C3C3FC0 | 0011110000111100001111111100000
2 | 3C3C3FC0 | 0011110000111100001111111100000
3 | 87F807F8 | 1000011111111000000001111111100
4 | 3C3C3FC0 | 0011110000111100001111111100000
5 | C3FC03FC | 1100001111111100000000111111110
6 | C3FC03FC | 1100001111111100000000111111110
7 | 87F807F8 | 1000011111111000000001111111100
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 3C3C3FC0 | 0011110000111100001111111100000
1 | C3FC03FC | 1100001111111100000000111111110
2 | 87F807F8 | 1000011111111000000001111111100
3 | 87F807F8 | 1000011111111000000001111111100
proxmark3>

one chip

proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 3C3C3FC0 | 0011110000111100001111111100000
1 | E1FE01FE | 1110000111111110000000011111111
2 | 1E1E1FE0 | 0001111000011110000111111110000
3 | E1FE01FE | 1110000111111110000000011111111
4 | E00001FE | 1110000000000000000000011111111
5 | E00001FE | 1110000000000000000000011111111
6 | E00001FE | 1110000000000000000000011111111
7 | E1FE01FE | 1110000111111110000000011111111
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | E1FE01FE | 1110000111111110000000011111111
1 | E1FE01FE | 1110000111111110000000011111111
2 | E1FE01FE | 1110000111111110000000011111111
3 | C00003FC | 1100000000000000000000111111110

also this chip

proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 01FE01FE | 0000000111111110000000011111111
1 | E00001FE | 1110000000000000000000011111111
2 | E00001FE | 1110000000000000000000011111111
3 | E00001FE | 1110000000000000000000011111111
4 | E1FC03FC | 1110000111111100000000111111110
5 | 000001FE | 0000000000000000000000011111111
6 | 00FF00FF | 0000000011111111000000001111111
7 | FE1E1E1E | 1111111000011110000111100001111
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | E1FE01FE | 1110000111111110000000011111111
1 | 000001FE | 0000000000000000000000011111111
2 | 000001FC | 0000000000000000000000011111110
3 | E0000000 | 1110000000000000000000000000000
proxmark3>

Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
proxmark3> lf t55 det
Chip Type : T55x7
Modulation : DIRECT/NRZ
Bit Rate : 0 - RF/8
Inverted : No
Offset : 51
Seq. Term. : No
Block0 : 0xF00001FE

proxmark3>

proxmark3> lf se
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

EM410x pattern found:

EM TAG ID : C77B38773C

Possible de-scramble patterns
Unique TAG ID : E3DE1CEE3C
HoneyWell IdentKey {
DEZ 8 : 03700540
DEZ 10 : 2067298108
DEZ 5.5 : 31544.30524
DEZ 3.5A : 199.30524
DEZ 3.5B : 123.30524
DEZ 3.5C : 056.30524
DEZ 14/IK2 : 00856765790012
DEZ 15/IK3 : 000978684014140
DEZ 20/ZK : 14031314011214140312
}
Other : 30524_056_03700540
Pattern Paxton : 3343693116 [0xC74CB53C]
Pattern 1 : 5561502 [0x54DC9E]
Pattern Sebury : 30524 56 3700540 [0x773C 0x38 0x38773C]

Valid EM410x ID Found!
proxmark3>

please suggestions

egon2 · 2017-03-04 23:31:52

This chip is pigeon racing.sorry for my englisch. hitag?100%?

iceman · 2017-03-05 09:40:34

Either you have the wrong config for t55x7, or your tag is not t55x7. All that data is wrong.

Your tag could be em4x05, try those commands instead. They are under lf em

egon2 · 2017-03-05 16:21:20

Thanks for your fast answer. I tried many times and nothing worked so far. May it be HITAG? I tried commands for hitag - no results. Are there any scripts you can recommend for hitag?

egon2 · 2017-03-05 19:11:46

I also tried to do this using your fork.

Producer says it's hitag2.
No hitag2 function is working (any fork).
I've got proxmark v3, maybe antenna is too weak.
Spits some shit on tt55.

iceman · 2017-03-05 19:17:49

the hitag2 code is PoC, but should work both in PM3 Master and in my fork. You always need a good antenna.

Onisan · 2017-03-06 15:43:31

I don't think this is Hitag2 Tag as Page 1 would be the Password and you need to log into the tag before you can read it.
Also page three would need to start With one of the following:
06 - Password Mode
0E - Crypto Mode
02 - Public Mode A
00 - Public Mode B
04 - Public Mode C

Last edited by Onisan (2017-03-06 15:57:57)

egon2 · 2017-03-08 13:50:01

proxmark3> hw tune
pm3 ~$ ./client/proxmark3.exe com8
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2017-03-01 13:17:16
os: /-suspect 2017-03-01 13:17:17
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 192467 bytes (73%). Free: 69677 byt
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune

Measuring antenna characteristics, please wait........#db# DownloadFPGA(len: 42096)
.
# LF antenna: 30.52 V @ 125.00 kHz
# LF antenna: 31.35 V @ 134.00 kHz
# LF optimal: 36.85 V @ 129.03 kHz
# HF antenna: 29.21 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

/\
Is it correct?

Something is wrong: i cant make a dump of card t5577 original without password . It reads her similiar to data in post #1 - no results. With hitag command it doesnt work at all. What should i change and check? Using HF everything works.

Last edited by egon2 (2017-03-08 13:53:53)

marshmellow · 2017-03-08 23:50:47

your lf antenna is fine voltage wise, though small tags require small antennas. so if you are working with a tag that is keyfob or smaller in size you may need a smaller antenna than is shipped with any pm3.

also t55xx commands require a t55xx detect or config that is successful and accurate before any other t55xx commands will output anything useful. they also can be finicky and depend on precise distance from the antenna. (and they only work on t55xx compatible chips)

if it is a hitag2 then it must be configured to public-mode A to output an em410x ID. read up on the datasheets and command help docs.

Proxmark3 community

Announcement

#1 2017-03-04 23:02:15

Pigeon

#2 2017-03-04 23:31:52

Re: Pigeon

#3 2017-03-05 09:40:34

Re: Pigeon

#4 2017-03-05 16:21:20

Re: Pigeon

#5 2017-03-05 19:11:46

Re: Pigeon

#6 2017-03-05 19:17:49

Re: Pigeon

#7 2017-03-06 15:43:31

Re: Pigeon

#8 2017-03-08 13:50:01

Re: Pigeon

#9 2017-03-08 23:50:47

Re: Pigeon

Board footer