Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

#51 2015-06-21 09:07:28

kristian1991
Member
Registered: 2015-06-21
Posts: 8

Re: T55x7 and Tags Emulation

I need some help with the data that i need to program T5557 with.

I have the below, can anyone assist

proxmark3> data fskawiddemod
AWID Found - BitLength: 50 -unknown BitLength- (24432) - Wiegand: 1f400016bee1, Raw: 0128817e4111114dbebd1811

Best regards,

Offline

#52 2015-06-21 13:41:44

meccan
Contributor
Registered: 2014-02-10
Posts: 23

Re: T55x7 and Tags Emulation

Hi,

Trying to program a t5577 key fob to a HID prox with lf hid clone 2006bxxxxx. I previously successfully done indalaclone  on the same t5577 key fob.Now after doing a lf hid clone, the  lf hid fskdemod is not working on the t5577. When doing a lf search I get Indala UID=0000000000000000000000000000000000000000000000000000000010001001 (000000089). I also do not seem to be able to do lf indalaclone again on the same key fob. What is going on here?


#db# bootrom: master/v2.0.0-133-g9f9b6b7-suspect 2015-06-19 05:14:06                 
#db# os: master/v2.0.0-133-g9f9b6b7-suspect 2015-06-19 05:14:07                 
#db# LF FPGA image built on 2015/03/06 at 07:38:04


proxmark3> lf t55xx dump
[0] 0xF0000000  11110000000000000000000000000000         
[1] 0xF0000000  11110000000000000000000000000000         
[2] 0xF0000000  11110000000000000000000000000000         
[3] 0xF0000000  11110000000000000000000000000000         
[4] 0xFFFFFFFF  11111111111111111111111111111111         
[5] 0xF0000000  11110000000000000000000000000000         
[6] 0xF0000000  11110000000000000000000000000000         
[7] 0xF0000000  11110000000000000000000000000000

Last edited by meccan (2015-06-22 02:11:18)

Offline

#53 2015-06-21 16:07:37

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,234

Re: T55x7 and Tags Emulation

try the code changes that are pending:
https://github.com/marshmellow42/proxma … 7b9e5e25c4

Offline

#54 2015-06-22 01:29:30

meccan
Contributor
Registered: 2014-02-10
Posts: 23

Re: T55x7 and Tags Emulation

marshmellow, wow that worked perfectly! Thanks a lot!

Offline

#55 2015-06-22 01:38:12

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,234

Re: T55x7 and Tags Emulation

Thx for the feedback, I'll see if we can get that code in the next release.

Offline

#56 2015-10-02 08:52:03

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: T55x7 and Tags Emulation

Hi, I am wonder, if is there a way to program T55x7 to 13.56Mhz only UID (hardcode) ?

Offline

#57 2015-10-02 09:01:46

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

No.  Hardware limitations. ie antenna built for 125khz. processor doesn't speak "iso14443a" protocol etc etc..


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#58 2015-10-02 09:19:44

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: T55x7 and Tags Emulation

@iceman, thank you I agree with u, some how penturalabs.wordpress.com website said it could be done.

Offline

#59 2015-10-02 11:07:32

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

Do you have a link to that blog/article?


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#60 2015-10-02 17:03:51

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: T55x7 and Tags Emulation

https://penturalabs.wordpress.com/2013/07/15/access-control-part-2-mifare-attacks/

Offline

#61 2015-10-02 19:55:43

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,234

Re: T55x7 and Tags Emulation

looks to me like a copy paste of their HID write up and forgot to edit that section.  while cloning a mifare uid is possible with uid changeable cards it IS NOT with a t5557 chip.

Offline

#62 2015-10-02 19:58:14

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

That article deals with Mifare tags, not t55x7,   the only reference to t55x7 is this line: 

pentura wrote:

T5557 cards can potentially clone hardcoded UID

So no,  Pentura didn't say it could be done,  that is a mixup.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#63 2015-12-02 21:35:36

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 96

Re: T55x7 and Tags Emulation

need excel sheet for all of this ... please sad


ModHex(hfdudthbfchtiehuduhehvht)

Offline

#64 2015-12-02 22:22:15

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

Have you looked at the files section on the proxmark site?!?  Start there.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#65 2016-01-05 13:11:34

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: T55x7 and Tags Emulation

Hi, I am trying a way to add this feature on PM3. This converts SC and CN into Hex number for HID 26(tested), 34 (tested) and 37 standard (not test). Can someone help to test it please. smile
All credits to the original author(s)

Last edited by Go_tus (2016-01-07 12:57:13)

Offline

#66 2016-01-08 15:24:24

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

@go_tus  , I added your wiegand generation code (with changes)  its not done, but you can test it in my fork


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#67 2016-01-09 10:31:27

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: T55x7 and Tags Emulation

Impressive smile

Offline

#68 2016-01-09 10:32:30

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

you did the most,  but the next step is more interesting wink


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#69 2016-02-08 19:49:39

kwx
Contributor
Registered: 2013-11-26
Posts: 44

Re: T55x7 and Tags Emulation

So it's in a logical thread.

Viking Badges (26-bit Weigand Format)
Typically a white / grey badge with their ID code stamped on them.

Block 0 Format is: 00088040

Offline

#70 2016-02-08 20:43:31

kwx
Contributor
Registered: 2013-11-26
Posts: 44

Re: T55x7 and Tags Emulation

NOP

Last edited by kwx (2016-02-09 08:53:58)

Offline

#71 2016-02-09 08:03:36

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

if you need to compile my fork on linux, use the extra parameter:

make clean && make all UBUNTU_1404_QT4=1

And as @marshmellow says here:  http://www.proxmark.org/forum/viewtopic … 824#p18824

Last edited by iceman (2016-02-09 08:16:20)


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#72 2016-02-09 08:55:52

kwx
Contributor
Registered: 2013-11-26
Posts: 44

Re: T55x7 and Tags Emulation

iceman wrote:

if you need to compile my fork on linux, use the extra parameter:

make clean && make all UBUNTU_1404_QT4=1

And as @marshmellow says here:  http://www.proxmark.org/forum/viewtopic … 824#p18824

Thank you.
I got the 'calculator' from the hex ID to raw ID working too.
What is strange is that when using the viking clone command, the tag does not work ( the proxmark won't recognise it)
When I write it manually, it works..

I'll have to dig around in marshmellow's code to see why..

Offline

#73 2016-02-09 11:19:51

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

"lf viking clone"  takes your printed id,
adds a  0xF2 in the beginning,
adds a checksum in the end,
and sends it to device side,  where it write to a t55x7 (or q5)  configblock and block1, 2...

quite simple.

Question is if you were using a raw id from another lf read or you used the printed id...


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#74 2016-02-09 11:28:42

kwx
Contributor
Registered: 2013-11-26
Posts: 44

Re: T55x7 and Tags Emulation

iceman wrote:

"lf viking clone"  takes your printed id,
adds a  0xF2 in the beginning,
adds a checksum in the end,
and sends it to device side,  where it write to a t55x7 (or q5)  configblock and block1, 2...

quite simple.

Question is if you were using a raw id from another lf read or you used the printed id...

I was using the printed ID - which is why I found it weird that it wouldn't work.

Offline

#75 2016-02-09 12:09:30

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

now that is odd..

Can you dump the t55x7 tag when its written by the clone command,  and when you did it manually and share it here?


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#76 2016-02-09 15:42:14

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,234

Re: T55x7 and Tags Emulation

might be better in a new thread or in the viking thread.

i'm not aware of any bugs there, but i didn't make the original clone routine.

Offline

#77 2016-02-09 15:56:15

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

Yes,  I agree with  @marshmellow,   start a new thread so we keep it clean and easy to find.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#78 2016-02-09 19:35:25

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,234

Re: T55x7 and Tags Emulation

not sure where it came from but the bug is the mask of line 77 applied to rawID.  should be 0xFFFFFFFF not 0xFFFF.

Offline

#79 2016-02-13 13:21:16

kwx
Contributor
Registered: 2013-11-26
Posts: 44

Re: T55x7 and Tags Emulation

marshmellow wrote:

not sure where it came from but the bug is the mask of line 77 applied to rawID.  should be 0xFFFFFFFF not 0xFFFF.

I see you made a PR for this - thanks kindly!

Offline

#80 2016-05-12 19:55:24

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

C15001 Keyscan HID 36bits

thanks @mnelson for the sample.  Without it we wouldn't know.

RAW 3708b43459

preamble 0x3  =  bin 11
a) OEM 900   10bits
f) FC 90     8bits
c) CN 6700   16bits

e) even parity bits
o) odd parity bits


   E                                         O 
   P aaaaaaaaaa ffffffff cccc cccc cccc cccc P
11 0 1110000100 01011010 0001 1010 0010 1100 1
     eeeeeeeeee eeeeeeeo oooo oooo oooo oooo

冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#81 2016-07-03 17:09:17

blogfish
Contributor
Registered: 2013-06-05
Posts: 16

Re: T55x7 and Tags Emulation

I know how to write em ids to t55xx tags with the 'lf em4x em410xwrite xxxxxxx 1'. But how would I do this 1 block at a time with the 'lf t55xx writeblock' commands? I want to understand this format at a lower level.

Does anyone have an example of writing a em format to t55xx tag with block commands?

Offline

#82 2016-07-03 17:25:05

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

You need to understand T55XX datasheet and you will need to understand the EM410xx datasheet, if you want to learn the protocol and how to program a t55xx tag.

Another source of information is to read the code,  but that is a longer way of to understanding.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#83 2016-07-03 20:43:44

blogfish
Contributor
Registered: 2013-06-05
Posts: 16

Re: T55x7 and Tags Emulation

Thanks Iceman. So I understand the em format parities and I end up with a 64 bit binary string. I convert that to a manchester string now its 128 bits long. That is 4 blocks on a t55xx.

The 'EM4102 1.pm3 Walkthrough' on the wiki says em format is ASK encoded underneath the manchester encoding. Does the t55xx config string for manchester take care of the ASK encoding?

Here is what I have so far for the config block:
0x00148080
64 bit
manchester
4 blocks

Offline

#84 2016-07-03 20:59:31

iceman
Administrator
Registered: 2013-04-25
Posts: 4,880
Website

Re: T55x7 and Tags Emulation

there is a excel sheet for t55xx configuration,  so you can easily see which configuration you're entered.
the tag will take care of ask,fsk,psk  modulation,  the rest is up to you in the data blocks.


冰人

modhex(hkhehghthbhudcfcdchkigiehgduiehg)

Offline

#85 2016-07-04 02:24:00

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,234

Re: T55x7 and Tags Emulation

With the t55xx Manchester stands for ask/Manchester so the Manchester encoding is done by the chip config, no need to have it part of the binary.

Last edited by marshmellow (2016-07-04 02:24:24)

Offline

#86 2016-07-04 02:55:18

blogfish
Contributor
Registered: 2013-06-05
Posts: 16

Re: T55x7 and Tags Emulation

Thanks marshmellow. I saw your earlier post with the correct config hex.

Offline

#87 2016-07-04 03:45:31

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,234

Re: T55x7 and Tags Emulation

You can also write one tag using the em command then read back with the t55xx commands (after t55xx detect) to see what it programmed on blocks 1 and 2 for the em Id.

Offline

#88 2018-10-09 11:18:32

MrOler
Contributor
Registered: 2018-10-09
Posts: 4

Re: T55x7 and Tags Emulation

iceman wrote:

Have you looked at the files section on the proxmark site?!?  Start there.

iceman wrote:

there is a excel sheet for t55xx configuration,  so you can easily see which configuration you're entered.
the tag will take care of ask,fsk,psk  modulation,  the rest is up to you in the data blocks.

Is this file still up at http://www.proxmark.org/files?
I can't find it for the life of me

Offline

Board footer

Powered by FluxBB