Hello,
I just received my Proxmark RDV4 from Hackerwarehouse with 2 cards, one a t5577 card and the other a GEN1A card from ProxGrind.
I cloned my em410 tag to the t5577 card, which worked perfectly, but when I try the t5577 card from ProxGrind on the door reader of the building it doesn't work. The only thing that is different is the buffer samples.
Any help, please? How can I also copy the buffer samples to be the same as the original fob?
Thank you
Steps:
1. EM410 fob:
pm3 --> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found
EM TAG ID : 12B003B841
Possible de-scramble patterns
Unique TAG ID : 480DC01D82
HoneyWell IdentKey {
DEZ 8 : 00243777
DEZ 10 : 2953033793
DEZ 5.5 : 45059.47169
DEZ 3.5A : 018.47169
DEZ 3.5B : 176.47169
DEZ 3.5C : 003.47169
DEZ 14/IK2 : 00080262445121
DEZ 15/IK3 : 000309468339586
DEZ 20/ZK : 04080013120001130802
}
Other : 47169_003_00243777
Pattern Paxton : 303560257 [0x1217F641]
Pattern 1 : 684864 [0xA7340]
Pattern Sebury : 47169 3 243777 [0xB841 0x3 0x3B841]
[+] Valid EM410x ID Found!
pm3 --> lf read
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 2a 2f 35 3a 3e 43 67 85 ...
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
2. t5577 after cloning (proxgrind cards):
lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found
EM TAG ID : 12B003B841
Possible de-scramble patterns
Unique TAG ID : 480DC01D82
HoneyWell IdentKey {
DEZ 8 : 00243777
DEZ 10 : 2953033793
DEZ 5.5 : 45059.47169
DEZ 3.5A : 018.47169
DEZ 3.5B : 176.47169
DEZ 3.5C : 003.47169
DEZ 14/IK2 : 00080262445121
DEZ 15/IK3 : 000309468339586
DEZ 20/ZK : 04080013120001130802
}
Other : 47169_003_00243777
Pattern Paxton : 303560257 [0x1217F641]
Pattern 1 : 684864 [0xA7340]
Pattern Sebury : 47169 3 243777 [0xB841 0x3 0x3B841]
[+] Valid EM410x ID Found!
pm3 --> lf read
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff ff ff ff ff ff ...
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
3. I configured the device for the t55xx card:
pm3 --> lf t55xx deviceconfig a 29 b 17 c 15 d 47 e 15 p
#db# LF T55XX config
#db# [a] startgap............29*8 (232)
#db# [b] writegap............17*8 (136)
#db# [c] write_0.............15*8 (120)
#db# [d] write_1.............47*8 (376)
#db# [e] readgap.............15*8 (120)
P.S: I tried to wipe out the card and write it again but it didn't work after configuring the device.
4. Wiping t5577 card:
pm3 --> lf t55xx wipe
Beginning Wipe of a T55xx tag (assuming the tag is not password protected)
Writing page 0 block: 00 data: 0x000880E0 pwd: 0x00000000
Writing page 0 block: 01 data: 0x00000000
Writing page 0 block: 02 data: 0x00000000
Writing page 0 block: 03 data: 0x00000000
Writing page 0 block: 04 data: 0x00000000
Writing page 0 block: 05 data: 0x00000000
Writing page 0 block: 06 data: 0x00000000
Writing page 0 block: 07 data: 0x00000000
pm3 --> lf t55xx wipe i
Beginning Wipe of a T55xx tag (assuming the tag is not password protected)
Writing page 0 block: 00 data: 0x000880E0 pwd: 0x00000000
Writing page 0 block: 01 data: 0x00000000
Writing page 0 block: 02 data: 0x00000000
Writing page 0 block: 03 data: 0x00000000
Writing page 0 block: 04 data: 0x00000000
Writing page 0 block: 05 data: 0x00000000
Writing page 0 block: 06 data: 0x00000000
Writing page 0 block: 07 data: 0x00000000
pm3 --> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found
EM TAG ID : 12B003B841
Possible de-scramble patterns
Unique TAG ID : 480DC01D82
HoneyWell IdentKey {
DEZ 8 : 00243777
DEZ 10 : 2953033793
DEZ 5.5 : 45059.47169
DEZ 3.5A : 018.47169
DEZ 3.5B : 176.47169
DEZ 3.5C : 003.47169
DEZ 14/IK2 : 00080262445121
DEZ 15/IK3 : 000309468339586
DEZ 20/ZK : 04080013120001130802
}
Other : 47169_003_00243777
Pattern Paxton : 303560257 [0x1217F641]
Pattern 1 : 684864 [0xA7340]
Pattern Sebury : 47169 3 243777 [0xB841 0x3 0x3B841]
[+] Valid EM410x ID Found!
5. Dumping the t5577 card:
pm3 --> lf t55xx config
Chip Type : T55x7
Modulation : DIRECT/NRZ
Bit Rate : 0 - RF/8
Inverted : No
Offset : 0
Seq. Term. : No
Block0 : 0x00000000
pm3 --> lf t55xx dump
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | FF0F0F0F | 11111111000011110000111100001111 | ....
01 | FF0F0F0F | 11111111000011110000111100001111 | ....
02 | 00F0F0F0 | 00000000111100001111000011110000 | ....
03 | 0F0F0F0F | 00001111000011110000111100001111 | ....
04 | 00F0F0F0 | 00000000111100001111000011110000 | ....
05 | 07878787 | 00000111100001111000011110000111 | ....
06 | 00F0F0F0 | 00000000111100001111000011110000 | ....
07 | FF0F0F0F | 11111111000011110000111100001111 | ....
Reading Page 1:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 00F0F00F | 00000000111100001111000000001111 | ....
01 | 0F0F0F0F | 00001111000011110000111100001111 | ....
02 | 00F0F0F0 | 00000000111100001111000011110000 | ....
03 | 0F0F0F0F | 00001111000011110000111100001111 | ....
6. Device version:
pm3 --> hw ver
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/13ed4f4 2019-01-14 12:53:36
os: iceman/master/13ed4f4 2019-01-14 12:53:38
[ FPGA ]
LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 248101 bytes (47%) Free: 276187 bytes (53%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
7. Device status
pm3 --> hw stat
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............0
#db# Currently loaded FPGA image
#db# mode.................... LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
#db# Flash memory
#db# Baudrate................24MHz
#db# Init....................OK
#db# Memory size.............2 mbits / 256kb
#db# Unique ID...............0xd567a882a7a0c825
#db# Smart card module (ISO 7816)
#db# version.................v3.10
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# LF T55XX config
#db# [a] startgap............29*8 (232)
#db# [b] writegap............17*8 (136)
#db# [c] write_0.............15*8 (120)
#db# [d] write_1.............47*8 (376)
#db# [e] readgap.............15*8 (120)
#db# USB Speed
#db# Sending USB packets to client...
Status command failed. USB Speed Test timed out
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!
[-] WARNING: Command buffer about to overwrite command! This needs to be fixed!
#db# Time elapsed............1500ms
#db# Bytes transferred.......1367552
#db# USB Transfer Speed PM3 -> Client = 911701 Bytes/s
#db# Various
#db# MF_DBGLEVEL.............1
#db# ToSendMax...............-1
#db# ToSendBit...............0
#db# ToSend BUFFERSIZE.......2308
#db# Installed StandAlone Mode
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
Last edited by patrick (2019-01-23 17:25:26)
Can anyone explain the buffer sample, please?
I can't see a lf t55 detect before wiping or dumping ...
Hey Iceman, when I do lf t55 detect it gives me:
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
But right now it's not working anymore:
pm3 --> lf t55xx deviceconfig a 29 b 17 c 15 d 47 e 15 p
#db# LF T55XX config
#db# [a] startgap............29*8 (232)
#db# [b] writegap............17*8 (136)
#db# [c] write_0.............15*8 (120)
#db# [d] write_1.............47*8 (376)
#db# [e] readgap.............15*8 (120)
Trying the t55xx ProxGrind card:
pm3 --> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
[-] No known 125/134 KHz tags Found!
[=] Checking for Unknown tags:
[-] no repeating pattern found
[=] Possible Auto Correlation of 20480 repeating samples
[=] Possible 2560 bytes
FSK1a decoded bitstream:
1100101010101011
0011001011010101
0011000000000000
0000000000000000
0000000011101010
1010101011001010
1010101010101011
0100101010101010
1100101010101011
0011001011010101
0011000000000000
0000000000000000
0000000011101010
1010101011001010
1010101010101011
0100101010101010
1100101010101011
0011001011010101
0011000000000000
0000000000000000
0000000011101010
1010101011001010
1010101010101011
0100101010101010
1100101010101011
0011001011010101
0011000000000000
0000000000000000
0000000011101010
1010101011001010
10
Unknown FSK Modulated Tag Found!
Changing the configuration:
pm3 --> lf t55xx config d FSK
Chip Type : T55x7
Modulation : FSK
Bit Rate : 0 - RF/8
Inverted : Yes
Offset : 0
Seq. Term. : No
Block0 : 0x00000000
Try to copy the fob tag
lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found
EM TAG ID : 12B003B841
Possible de-scramble patterns
Unique TAG ID : 480DC01D82
HoneyWell IdentKey {
DEZ 8 : 00243777
DEZ 10 : 2953033793
DEZ 5.5 : 45059.47169
DEZ 3.5A : 018.47169
DEZ 3.5B : 176.47169
DEZ 3.5C : 003.47169
DEZ 14/IK2 : 00080262445121
DEZ 15/IK3 : 000309468339586
DEZ 20/ZK : 04080013120001130802
}
Other : 47169_003_00243777
Pattern Paxton : 303560257 [0x1217F641]
Pattern 1 : 684864 [0xA7340]
Pattern Sebury : 47169 3 243777 [0xB841 0x3 0x3B841]
[+] Valid EM410x ID Found!
pm3 --> lf read
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 00 00 03 0a 4f 82 ab c9 ...
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
pm3 --> lf em 410x_write 12B003B841 1
Writing T55x7 tag with UID 0x12b003b841 (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xff8cb7000d78a47a
But the issue persists:
pm3 --> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
[-] No known 125/134 KHz tags Found!
Do you think that the card is damaged and needs to be replaced, or do I need to use the official repo from GitHub instead of the RRG repo?
Thank you in advance for your help.
Last edited by patrick (2019-02-20 22:33:57)
There are a lot of wrongs here.
First, you seem to be confused about t55xx config and t55xx deviceconfig.
Second, when reading a t55xx tag, setting FSK and a wrong bitrate in order to read an em410x will be problematic.
So before I would even think about saying "damaged card" or swapping repo I would consider trying to understand what I am trying to do and maybe even read a datasheet or two...
I still couldn't find any explanation about the buffer samples. Can you please guide me through or enlighten me with your knowledge?
Thank you
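Added example, not part of the original thread or of the Proxmark3 code: it rebuilds the 64-bit EM410x frame for the ID shown in the posts, which can be compared with the `Tag T55x7 written with 0xff8cb7000d78a47a` line, and then demodulates two raw sample buffers whose leading bytes differ. The `#db# buffer samples` line prints the first bytes of the raw capture, so it changes from read to read; the Manchester polarity, the sample levels and the `capture`/`demod` helpers are assumptions made for illustration.

```python
# Added example, not from the thread. The Manchester polarity and the two
# sample buffers are constructed assumptions; the ID and frame are the page's.
HEADER = [1] * 9

def em410x_encode(tag_hex):
    # 9 header ones, 10 rows of (4 data bits + even parity), 4 column parities, stop 0
    rows = [[(int(c, 16) >> s) & 1 for s in (3, 2, 1, 0)] for c in tag_hex]
    if len(rows) != 10:
        raise ValueError("EM410x ID is 10 hex digits (40 bits)")
    bits = list(HEADER)
    for r in rows:
        bits += r + [sum(r) & 1]
    return bits + [sum(c) & 1 for c in zip(*rows)] + [0]

def em410x_decode(bits):
    """Return the ID as hex, or None if header, parity or stop bit fails."""
    rows = [bits[9 + 5 * i:14 + 5 * i] for i in range(10)]
    ok = (len(bits) == 64 and bits[:9] == HEADER and not bits[63]
          and not any(sum(r) & 1 for r in rows)
          and [sum(c) & 1 for c in zip(*rows)][:4] == bits[59:63])
    return "".join("%X" % int("".join(map(str, r[:4])), 2) for r in rows) if ok else None

def frame_hex(bits):
    return "%016x" % int("".join(map(str, bits)), 2)

def capture(bits, low, high, skip, spb=64):
    """Constructed stand-in for an `lf read` buffer: the frame repeats at RF/64
    (spb samples per bit) and sampling starts `skip` samples into it."""
    halves = [lv for b in bits * 3 for lv in ((high, low) if b else (low, high))]
    return [lv for lv in halves for _ in range(spb // 2)][skip:]

def demod(samples, spb=64):
    """Threshold at mid-level, try each alignment, Manchester-decode, then
    slide a 64-bit window until a frame passes every check."""
    mid, half = (max(samples) + min(samples)) / 2, spb // 2
    for start in range(spb):
        lv = [s > mid for s in samples[start + half // 2::half]]
        bits = []
        for a, b in zip(lv[0::2], lv[1::2]):
            if a == b:  # no mid-bit transition: wrong alignment or no tag
                break
            bits.append(int(a))
        for off in range(len(bits) - 63):
            if (tag := em410x_decode(bits[off:off + 64])):
                return tag
    return None
```

`frame_hex(em410x_encode("12B003B841"))` returns `ff8cb7000d78a47a`, and `demod(capture(frame, 0x2A, 0x85, 0))` and `demod(capture(frame, 0x00, 0xFF, 1000))` both return `12B003B841` although the two buffers start with different bytes.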