Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I have a problem with an ICT tag with printed ID Gt 081 15810. I found the answer on a forum, but it seems to lack the info for decoding and writing blocks to a T5577 tag. Since I am still a newbie, can someone show me how to decode and clone an ICT tag step by step? I will show what I did below for 2 different ICT tags.
pm3 lf se u
pm3 data raw demod
Checking for known tags:
No Known Tags Found!
#db# LF Sampling config:
#db# q divisor: 95
#db# b bps: 8
#db# d decimation: 1
#db# a averaging: 1
#db# t trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 58 2f 0b 17 9c e3 bd 89 ...
Usage: lf snoop
Options:
h This help
This function takes no arguments.
Use 'lf config' to set parameters.
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 11200 repeating samples
Using Clock:50, invert:0, fchigh:10, fclow:8
FSK2 decoded bitstream:
Last edited by seanedu (2017-04-14 18:15:57)
Offline
would be easier if you could drop the trace
Offline
Hi ntk, I am glad that you are here to help me out. Remember that you helped me a lot to resolve updating my win32 GUI interface; still no luck though. I did not get the trace of the ICT. I also reviewed the previous forum thread on the same issue as mine, but I could not understand the procedure. I am hoping there is an upgraded version of the software available for unknown tags to get the UID, or an easier way than decoding and writing blocks. Also, can you tell me what block 0 is for an ICT tag?
Last edited by seanedu (2017-04-12 17:17:24)
Offline
ICT on this forum? The ICT configuration block 0 would depend on the modulation scheme, frequency and data blocks. Have you got the T55x7.pdf documentation already? It should be in the files section of Promark3.org.
Offline
found from discussion between Lenox and Marshmellow
"As far as cloning, it should be possible with the repeating bits you have. As is you would configure all 7 blocks of a ata55x7 to output the repeating binary value with fsk2 modulation and RF/50."
Edit:
There was Gt 081 17xxx
yours is Gt 081 15xxx
Last edited by ntk (2017-04-14 11:28:26)
Offline
Hi ntk, to me it seemed there was a lack of information in the forum on getting block 0 to block 7 to write to a T5577 tag to clone. I would like to know how to figure them out from the raw binary data; I don't even know the starting block to write from the binary.
Last edited by seanedu (2017-04-12 20:26:00)
Offline
Your T55x7 configuration for block 0 would be
00000000000100000101000011100000 (just lay it on the bits map and you can see where what option is checked)
or in HEX 001050E0
You should remember the menu command "Investigate" in LF sector.
Edit:
@Seanedu, sorry, I made a mistake in the previous configuration block data, 0001070E. I have edited the post now.
DO NOT USE HEX 0001070E (that is RF/8; Bi-phase; PSK-CF is chosen as RF/4; max = 2; no password; no ST; the rest are default)
According to Marshmellow: "As is you would configure all 7 blocks of a ata55x7 to output the repeating binary value with fsk2 modulation and RF/50". Then with RF/50; FSK2; PSK-CF chosen as RF/2 default; max block = 7; the rest default, the block 0 configuration block should be 001050E0.
I have re-checked the bit maps: definitely 001050E0 if using FSK2.
If FSK2 causes a problem, try also 001070E0, that is demodulation FSK2a.
If you are able to test on reader, then seal which demodulation type is correct for ICT card type.
Last edited by ntk (2017-04-15 10:27:59)
Offline
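The block 0 words discussed in the post above can be checked against the bit map mechanically. The following is an added example, not code from the thread or from the Proxmark3 project; the field positions are an assumption taken from the T55x7 basic-mode configuration map (datasheet bit 1 is the most significant bit), and the function names are hypothetical.

```python
# Added example: decode a T55x7 block 0 word into its configuration options.
# Assumption: basic-mode field layout of the T55x7 configuration block,
# numbered as in the datasheet (bit 1 = MSB, bit 32 = LSB).

BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40",
             "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {0x00: "direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
               0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
               0x08: "Manchester", 0x10: "Biphase"}
PSK_CF = ["RF/2", "RF/4", "RF/8", "reserved"]


def field(word, first_bit, width):
    """Extract `width` bits starting at datasheet bit `first_bit` (1 = MSB)."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)


def decode_block0(hex_word):
    """Return the configuration options encoded in an 8-digit hex word."""
    word = int(hex_word, 16)
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 is a 32-bit word")
    mod = field(word, 16, 5)
    return {
        "master_key": field(word, 1, 4),
        "bit_rate": BIT_RATES[field(word, 12, 3)],
        "modulation": MODULATIONS.get(mod, f"reserved ({mod:05b})"),
        "psk_cf": PSK_CF[field(word, 21, 2)],
        "aor": bool(field(word, 23, 1)),
        "max_block": field(word, 25, 3),
        "password": bool(field(word, 28, 1)),
        "seq_terminator": bool(field(word, 29, 1)),
    }


def changed_fields(hex_a, hex_b):
    """Show which options differ between two candidate block 0 words."""
    a, b = decode_block0(hex_a), decode_block0(hex_b)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for candidate in ("001050E0", "001070E0"):
        print(candidate, decode_block0(candidate))
    print("difference:", changed_fields("001050E0", "001070E0"))
```

Decoding a word before it is written makes a mistyped configuration visible as a wrong bit rate or modulation rather than as a tag that silently fails to read.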
"Hi,ntk,to me it seemed lack of information there in forum to get block 0 to block 7 to write to t5577 tag to clone,I like to know how to figure out from raw of binary data,don't even know starting block to write from binary..."
That is not a fully correct statement.
Marshmellow did advise you to look at the data sheet of the 55x7. The instruction to build the configuration block 0 is in Tab 5.x. It is like the alphabet: we all use it, and nobody can explain it differently than what is already there.
It is in the document section (oops, I've just checked, I don't see it there anymore. Only the Q5b.pdf is left; Q5 fulfils a similar purpose, but the data mapping is slightly different from the T55x7 chip).
Never mind, just google for the data sheet and chip type pdf and you will get this document too.
AT55x7 data sheet. -s the instruction to build the configuration block 0 is in Tab 5.x-
Maybe one admin can put this document back in the document section for all new users to examine.
and also helpful is
the converter.
data block 0 is AT55x7 configuration data
data to be written in block 1 to data block 7 is what you have got from demodulating your raw data.
Last edited by ntk (2017-04-12 21:39:14)
Offline
Hi ntk, thanks for your help. I will try to look for the datasheet of the T5577 and will study more.
I just want to ask though, how did you figure out block 0 for the ICT tag above, 0001070E?
How can I find out the rest of the blocks to write onto the T5577 tag to clone?
Thanks for your time.
Offline
"just to want ask though,how did you figure it out of block 0 for ict tag above 0001070E.." I said already: in the T55x7 document, part table 5.x, our alphabet. Without getting past that one you cannot work confidently with the T55x7.
"how can I find out rest of block to write on to t5577 tag to clone..." That is the part where something needs to be said:
Firstly, you should always save a good trace and put up a download link to your trace, so anyone can help you.
Secondly, never open up a window and paste loads of numbers in it. A lot of numbers on a blank wall is not only bland and boring; worse, many of us lurking around have no MAC, nor the latest laptop technology, and when we step over your bland windows of numbers, our PCs crash. Do that, and you can work out yourself how long it will be until someone is prepared to help you.
Some of us still work with pencil and paper, so please don't expect magic and wonder here; have pity on our older generation and our techno and gadgets.
Last edited by ntk (2017-04-13 02:11:14)
Offline
To your question "how can I find out rest of block to write on to t5577 tag to clone...": because there is no trace, I answer theoretically.
Search the forum for ICT; among some threads you will find the most details in
Decoding & ICT Key Fob
Mark the words in post #2, where Marshmellow said:
"the binary you received is the correct demod - 224 total bits (11200/50 [clock])
the bits appear inverted, probably meaning FSK2a, so an invert would likely be more accurate. looks like 4 0's (or 1's once inverted) is the start pattern. then possibly manchester encoded bits after that for 152 bits (76 decoded bits)"
Following that, you should do the demodulation, inverted:
data rawdemod fsk2a -1 to get the 0 and 1 bit
Convert the 0 and 1 bits into HEX manually using the conversion web page or in PM3 with "data print x"; then you have a long string of HEX. Here you can see if the pattern repeats.
When Marshmellow said there is a repeating pattern, then you can believe there is one.
Remember that
1111 ----converted to -------->F
so the long interesting wand of 0 and 1s turned into
D4D34D2B54AFFFFFFFFFFFFFFFFF8554D4CD5355554D3554CD553554D4D34D2B54AFFFFFFFFFFFFF
Now you look at it; it takes some time until you see where the pattern begins to repeat
D4D34D2B54AFFFFFFFFFFFFFFFFF8554D4CD5355554D3554CD553554 (.... here it repeats....) D4D34D2B54AFFFFFFFFFFFFF etc...
(How could we see it? You just have to train your eyes: look at it twice in one hour, 7 times a day, each day of the week, and after 3 months, someone can say "You could see the repeating pattern with closed eyes." Don't believe it, there is no magic and no wonder here. Believe me, you still have to open your eyes and look hard at the string to see the pattern; even Marshmellow cannot see the pattern with closed eyes.)
D4D34D2B54AFFFFFFFFFFFFFFFFF8554D4CD5355554D3554CD553554
into niples of 8 HEXs
D4D34D2B
54AFFFFF
FFFFFFFF
FFFF8554
D4CD5355
554D3554
CD553554
now numbering them line by line... according to the pattern "block x data ...." What can you see:
b 1 d D4D34D2B
b 2 d 54AFFFFF
b 3 d FFFFFFFF
b 4 d FFFF8554
b 5 d D4CD5355
b 6 d 554D3554
b 7 d CD553554
Tara... Those are your "quasi" seven blocks of data.
But do remember that the data blocks come from Lenox's trace.
Work by this method with your own trace. You should come upon the repeating pattern in your trace too.
Last word:
Please,
do remember to remove your windows with loads of numbers; putting up a link to your trace only is enough. I ran over your bland and boring window and my PC seized & crashed. Have pity, not everyone has a MAC
Last edited by ntk (2017-04-14 11:23:20)
Offline
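The manual procedure in the post above (find where the stream repeats, then cut one frame into 8-hex-digit words) can also be done programmatically. This is an added example, not code from the thread or from the Proxmark3 client; the capture is constructed from the seven words quoted in the post, and all function names are hypothetical.

```python
# Added example: recover the repeating frame from a looping demod and cut it
# into 32-bit words, as done by hand in the post above.

# The seven words quoted in the post (taken there from Lenox's trace).
PAGE_BLOCKS = ["D4D34D2B", "54AFFFFF", "FFFFFFFF", "FFFF8554",
               "D4CD5355", "554D3554", "CD553554"]


def hex_to_bits(hex_str):
    return "".join(f"{int(c, 16):04b}" for c in hex_str)


def bits_to_hex(bits):
    if len(bits) % 4:
        raise ValueError("bit count must be a multiple of 4")
    return "".join(f"{int(bits[i:i + 4], 2):X}" for i in range(0, len(bits), 4))


def find_period(bits):
    """Smallest shift p at which the capture matches itself, or None when no
    full repeat was captured (p is limited to half the capture length)."""
    for p in range(1, len(bits) // 2 + 1):
        if bits[p:] == bits[:-p]:
            return p
    return None


def split_blocks(bits, period):
    """Cut one frame into 32-bit words, written as 8 hex digits each."""
    if period % 32:
        raise ValueError(f"{period}-bit frame does not fill whole 32-bit blocks")
    frame = bits_to_hex(bits[:period])
    return [frame[i:i + 8] for i in range(0, len(frame), 8)]


def invert_blocks(blocks):
    """Flip every bit, i.e. what an inverted demodulation would have given."""
    return [f"{int(b, 16) ^ 0xFFFFFFFF:08X}" for b in blocks]


# Constructed capture: two full frames plus a partial third, the shape a read
# of a continuously looping tag would have.
FRAME = "".join(PAGE_BLOCKS)
CAPTURE = hex_to_bits(FRAME * 2 + FRAME[:24])

if __name__ == "__main__":
    period = find_period(CAPTURE)
    print("period:", period, "bits")
    for n, word in enumerate(split_blocks(CAPTURE, period), start=1):
        print(f"block {n}: {word}")
```

A result of `None` from `find_period`, or a period that is not a multiple of 32, is a sign that the demodulation settings (clock, modulation, inversion) should be revisited before the words are trusted.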
looks like the signal is inverted.
Offline
There you have confirmation. Pls let us know the test result.
Last edited by ntk (2017-04-14 11:27:21)
Offline
Thanks for that, ntk, and for all the detailed info on how I can figure out all 7 blocks. I will try to see if I can decode mine.
Thanks again
Offline
Hi ntk, I finally got the 7 blocks for the ICT tags. Please correct me if I made any mistake.
First, here is the hex that I converted from binary:
ECFFFEFEFEFEFEFEFEFEFEFEB56164F4ECBFFFBFBFBFBFBFBFAFEFEFEB56164F4ECFFFEFEBFBFBFBFBFBFBFBFAD56164F4ECFFFEBFBFBFBFBFBFBFBFBFAD5859
I think that the repeating pattern is:
56164F4ECFFFEFBFBFBFBFBFBFBFBFAD
BLOCK 1X56164F4E
BLOCK 2XCFFFEFEB
BLOCK 3XFBFBFBFB
BLOCK 4XFBFBFBFA
Is this right?
Offline
try to invert that demod. It looks wrong.
Offline
Hi iceman, thanks for pointing that out, but I don't know how to invert the demod. Do you mind showing me how to do that? I noticed that I made a mistake cuz I could not find the repeating patterns to get all 7 blocks; I just ended up getting 4 blocks instead.
Thanks
Offline
I can't tell the command you need to run from no tag info on this thread, but look into the data rawdemod commands.
Use the h options to learn how to use them (each sub command / modulation type has its own h help)
Offline
Hi marshmellow, thanks for pointing that out. I will give it another try and see what I can get for correct raw data.
Thanks again
Last edited by seanedu (2017-04-15 20:00:52)
Offline
Not sure whether you have tried the version of the command structure I released in Sep 2016 on Dropbox; if you use
data
rawdemod
it is very intuitive for use in there
Last edited by ntk (2017-04-16 00:13:21)
Offline
Feel free to update the wiki with any additional documentation of the pm3 commands and uses.
Offline