Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-05-12 14:39:27

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Temic5577 Italy

1234.png

temic_5577_123.png

Anyone able to help this Italian guy solve this? Em4x password-protected card.

PM on my website if you wish to stay unknown. smile


#2 2017-05-13 12:55:56

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Temic5577 Italy

How many fobs do you have there? Do they all behave similarly? Could it be a dead, password-blocked 5577? Marshmellow has got some new SW tricks on 55x7 which could unlock things like this.

I think a password-protected fob should only prevent access for modification, not prevent reading it.


#3 2017-05-15 06:10:00

Dot.Com
Contributor
From: Hong Kong
Registered: 2016-10-05
Posts: 180

Re: Temic5577 Italy

I ran a bruteforce; it didn't work out very well.

I will test them again later, in 2 hours' time. I will repatch the firmware to make sure it is not a firmware fault.

Marshmellow if you are there, please drop some hints.


#4 2017-05-15 08:52:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Temic5577 Italy

You might try the "resetread",
you might try the "recoverpwd" (icemanfork),
you might try the default_pwd.dic (w bruteforce).


#5 2017-05-15 10:29:21

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Temic5577 Italy

The bruteforce method (try a combination and step up the guess) would take too long if you don't know how to reduce the key space.
For example, when starting under the condition that the user will use only lowercase letters, uppercase letters, or only digits, or if you could guess the user would use usual words like:
adminxxx, deadxxxx, beefxxxx, xxxxbeef, minexxx, myxxxxxx, 0123xxxx, etc., you would have a smaller key space and you could bruteforce in reasonable time.
Apart from that, it is only manageable if you have a large crew doing distributed password cracking (a hundred users at one time), each run limited to keyspace testing on a different type of guess: one tests a word dictionary starting with 'a'; one tests a word dictionary starting with 'z', then others with 'b', with 'm', etc. Remember you also have uppercase letters, digits only, then mixed letters, mixed numeric-alphabetic, and mixed numeric-alphabetic with special signs. (There was a time when a hundred testers, each bringing a hacking speed of 85,000 keys/s, some with nearly 0.6 million keys/s, joined forces to resolve passwords from the LinkedIn data leak; in less than one month they had solved over 80 million passwords, including even difficult passwords up to 20 characters long.)

Otherwise, even for an 8-character-long password, assuming you use only digits 0..9, that is 10^8 combinations; at a speed of 50 keys/s it still takes 100,000,000/50 = 2,000,000 s or 555 days.

You could use Graphics Processing Unit programming techniques to increase the password cracking speed by 10x or even 100x, to 500k/s or 5000k/s, to cut down the time needed. One example is pyrit; the other is GPU processing, or Atom's technique from the Hash group ... (I have forgotten the name of the technique now.)

Last edited by ntk (2017-05-15 10:42:00)


#6 2017-05-15 11:05:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Temic5577 Italy

There seem to be some misunderstandings here. I guess it comes from the name of the command "bruteforce", which makes people here think we are working with a pwd hash, which can be targeted with offline hash-crackers like HashCat.

This is not the case with the password for a T55X7 tag.

The bruteforce command is an online attack (i.e. it has a proxmark3 querying the card). This is a very slow attack since it needs to try to read block 0 (the configuration block) and decode it. If it succeeds in decoding, we assume the password is found. A complete exhaustive search of the possible keyspace is never reasonable because of this.


To be able to do bruteforce in parallel, you would need multiple proxmark3 devices and cards configured with the same password.
