Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2019-04-09 22:39:50

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Sniffing password being set by Chinese cloner

Hi all,

I just got my RDV4 last week and started my learning curve. I got it running on my ubuntu VM and have been playing around with different tags, commands etc.

As part of my learning I thought it'd be a good idea to try and sniff the password being set by one of the Chinese cloners to the t5577 tags, it seems to be a new version, at least of the software running on it, iCopy5, as none of the know passwords seem to be correct.

I've been reading a lot in the last few days but I can't seem to figure out how to correctly run the sniff command.

I guess the idea is to have a the PM3 in between the cloner and the tag, make the cloner write an ID while the PM3 is sniffing it, and then plot it and demodulate it manually. With the data sheet, understanding the protocol, I guess eventually I'd be able to figure out the password.

My first issue is trying to figure out how to configure LF SNIFF first, whenever I issue an LF SNIFF command, it returns with Data fetched so quickly that I do not have time to write from the cloner. In fact, even without anything near the PM3 it returns with data fetched pretty quick.

I'm sure I' doing something fundamentally wrong... I apologise in advance...

Can you point me in the right direction?

pm3 --> hw version

 [ Proxmark3 RFID instrument ]
          

 [ CLIENT ]          
  client: iceman build for RDV40 with flashmem; smartcard;  
          
 [ ARM ]
 bootrom: iceman/master/9c74a96c 2019-04-09 13:10:35
      os: iceman/master/9c74a96c 2019-04-09 13:10:44

 [ FPGA ]
 LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 252013 bytes (48%) Free: 272275 bytes (52%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory 

Offline

#2 2019-04-10 02:01:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Sniffing password being set by Chinese cloner

As mentioned in the lf sniff helptext,  it works together with lf config.  Look at threshold param

lf sniff h
lf config h

Offline

#3 2019-04-10 08:27:29

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Re: Sniffing password being set by Chinese cloner

Thanks Iceman. I set it to 64 and now I'm able to capture and plot it.

Can you advise if my other settings are good? Sampling 8 bits at 125KHz

lf config b 8 L t 64

I plotted the data but not sure I got the right sample....

This is what I captured from a iClone5 WRITE command UID 66666 https://pastebin.com/dl/9wWGFDux

Appreciate any guidance... Can anyone see the password there?

Offline

#4 2019-04-10 19:18:34

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: Sniffing password being set by Chinese cloner

19 92 04 27

Offline

#5 2019-04-10 20:20:54

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Re: Sniffing password being set by Chinese cloner

anybody wrote:

19 92 04 27

Thanks Anybody.

I'd love to learn how you demodulated it. Any guide/post where that I can read to learn how to do it?

I have tried it though and it doesn't seem to work. I can't read any block or dump it.

This is the TAG after it's been written by the iCopy5 cloner.

 lf search
[=] NOTE: some demods output possible binary          
[=] if it finds something that looks like a tag          
[=] False Positives ARE possible          
[=]           
[=] Checking for known tags...
          
[+] HID Prox TAG ID: 20041e1d94 (3786) - Format Len: 26bit - FC: 15 - Card: 3786          
          
[+] Valid HID Prox ID  found!
pm3 --> lf t5 info
          
-- T55x7 Configuration & Tag Information --------------------          
-------------------------------------------------------------          
 Safer key                 : 15          
 reserved                  : 15          
 Data bit rate             : 63 - RF/128          
 eXtended mode             : Yes - Warning           
 Modulation                : 0x1F (Unknown)           
 PSK clock frequency       : 3 - (Unknown)           
 AOR - Answer on Request   : Yes           
 OTP - One Time Pad        : Yes - Warning           
 Max block                 : 7          
 Password mode             : Yes           
 Sequence Start Marker     : Yes           
 Fast Write                : Yes           
 Inverse data              : Yes           
 POR-Delay                 : Yes           
-------------------------------------------------------------          
 Raw Data - Page 0          
     Block 0  : 0xFFFFFFFF  11111111111111111111111111111111          
------------------------------------------------------------- 
pm3 --> lf t5 dump 19920427 o
Reading Page 0:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
Safety Check Overriden - proceeding despite risk          
 00 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Safety Check Overriden - proceeding despite risk          
 01 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Safety Check Overriden - proceeding despite risk          
 02 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Safety Check Overriden - proceeding despite risk          
 03 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Safety Check Overriden - proceeding despite risk          
 04 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Safety Check Overriden - proceeding despite risk          
 05 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Safety Check Overriden - proceeding despite risk          
 06 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Safety Check Overriden - proceeding despite risk          
 07 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Reading Page 1:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
Safety Check Overriden - proceeding despite risk          
 00 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Safety Check Overriden - proceeding despite risk          
 01 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Safety Check Overriden - proceeding despite risk          
 02 | FFFFFFFF | 11111111111111111111111111111111 | ....          
Safety Check Overriden - proceeding despite risk          
 03 | FFFFFFFF | 11111111111111111111111111111111 | ....  

Could it be that my trace was wrong?

Offline

#6 2019-04-11 23:36:34

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: Sniffing password being set by Chinese cloner

Your trace is most likely correct, it's the read of t55 that's in error. Unlike the HID read in search, reading the t55 chip directly requires knowing the modulation, data rate, and other parameters first. HID-encoded cards are usually FSK2, RF/50. Easiest option is to first try a 'lf t55 detect' when you identify a card you think is using the chip. If it detects, it will preset the parameters for reading from the chip.

Offline

#7 2019-04-12 01:13:56

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Re: Sniffing password being set by Chinese cloner

grauerfuchs wrote:

Your trace is most likely correct, it's the read of t55 that's in error. Unlike the HID read in search, reading the t55 chip directly requires knowing the modulation, data rate, and other parameters first. HID-encoded cards are usually FSK2, RF/50. Easiest option is to first try a 'lf t55 detect' when you identify a card you think is using the chip. If it detects, it will preset the parameters for reading from the chip.

Thanks grauerfuchs

lf t55 detect cannot automatically detect the modulation, not even if I provide the password that anybody got from the trace.

If I set it manually....

pm3 --> lf t5 config b 50 d FSK2
Chip Type  : T55x7          
Modulation : FSK2          
Bit Rate   : 4 - RF/50          
Inverted   : No          
Offset     : 0          
Seq. Term. : No          
Block0     : 0x00000000

Then the info command responds with this...

-- T55x7 Configuration & Tag Information --------------------          
-------------------------------------------------------------          
 Safer key                 : 8          
 reserved                  : 10          
 Data bit rate             : 42 - RF/86          
 eXtended mode             : Yes - Warning           
 Modulation                : 0x09 (Unknown)           
 PSK clock frequency       : 2 - RF/8          
 AOR - Answer on Request   : Yes           
 OTP - One Time Pad        : No          
 Max block                 : 5          
 Password mode             : No          
 Sequence Start Marker     : Yes           
 Fast Write                : No          
 Inverse data              : Yes           
 POR-Delay                 : No          
-------------------------------------------------------------          
 Raw Data - Page 0          
     Block 0  : 0x8AAA9AAA  10001010101010101001101010101010          
-------------------------------------------------------------

I guess it's still not the right one as it now says Password mode = NO, and I can dump it without a password, but the block 0 info doesn't seem to make sense...

pm3 --> lf t55 dump
Reading Page 0:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 01 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 02 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 03 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 04 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 05 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 06 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 07 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
Reading Page 1:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | 8FE37F97 | 10001111111000110111111110010111 | ....          
 01 | 8FE37F97 | 10001111111000110111111110010111 | ....          
 02 | 8FE37F97 | 10001111111000110111111110010111 | ....          
 03 | 8FE37F97 | 10001111111000110111111110010111 | ....


pm3 --> lf t55 wipe
          
[=] Beginning Wipe of a T55xx tag (assuming the tag is not password protected)
          
[=] Writing page 0  block: 00  data: 0x000880E0 pwd: 0x00000000          
[=] Writing page 0  block: 01  data: 0x00000000           
[=] Writing page 0  block: 02  data: 0x00000000           
[=] Writing page 0  block: 03  data: 0x00000000           
[=] Writing page 0  block: 04  data: 0x00000000           
[=] Writing page 0  block: 05  data: 0x00000000           
[=] Writing page 0  block: 06  data: 0x00000000           
[=] Writing page 0  block: 07  data: 0x00000000


pm3 --> lf t5 dump
Reading Page 0:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 01 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 02 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 03 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 04 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 05 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 06 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
 07 | 8AAA9AAA | 10001010101010101001101010101010 | ....          
Reading Page 1:          
blk | hex data | binary                           | ascii          
----+----------+----------------------------------+-------          
 00 | 8FE37F97 | 10001111111000110111111110010111 | ....          
 01 | 8FE37F97 | 10001111111000110111111110010111 | ....          
 02 | 8FE37F97 | 10001111111000110111111110010111 | ....          
 03 | 8FE37F97 | 10001111111000110111111110010111 | .... 

The iCopy5 cloner can still write to the tag and change the value...

I'm going crazy with this freaking cloner...

Offline

#8 2019-04-12 04:43:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Sniffing password being set by Chinese cloner

whats the output from

lf t55 detect p 19920427

Offline

#9 2019-04-12 07:07:43

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Re: Sniffing password being set by Chinese cloner

iceman wrote:

whats the output from

lf t55 detect p 19920427

No luck, just run it with and without running the manual config first (lf t5 config b 50 d FSK2).

pm3 --> lf t55 detect p 19920427
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

Offline

#10 2019-04-12 08:17:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Sniffing password being set by Chinese cloner

What does the data plot window look like when you run that detect with pwd?

Offline

#11 2019-04-12 22:07:33

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Re: Sniffing password being set by Chinese cloner

iceman wrote:

What does the data plot window look like when you run that detect with pwd?

Here are the screenshots...

t55detect01.png
t55detect02.png
t55detect03.png
t55detect04.png
t55detect05.png
t55detect06.png
t55detect07.png
t55detect08.png
t55detect09.png
t55detect10.png

And the trace ... t55detectp19920427

Offline

#12 2019-05-17 04:49:30

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Sniffing password being set by Chinese cloner

How did you go cpoole.  I am on the same learning trip, so dont give up.
A few things to think about.

I am using some cheap clonners just to create something to learn with.  With the one I am looking at at the moment it does things like you have seen... so your on the right track smile
In my case i think I am very close (and want to work out as much as I can by myself).

What I have done is as follow.
1. Create a clean LM41xx card onto the T5577.  make sure this can be read as needed. (I have a cheap 125Khz rfid reader/writer with its software, so I used that and test on the PM3 and then change on the PM3 and read on the reader, so its a way to check what I am doing is valid and correct.
2. I then cloned that card to a new card with the cloner (blue cloner atm, have the white one to play with soon).
3. Now lets see whats different.
- The original will show me the em and t55 results for the lf search.  and the lf t55 commands work as well as the lf t55 detect.
- The cloned card, no matter what i do just works like the em, no t55 commands return what I think I should see, and the detect cant find it.

So, why is it different, this is the fun part.

a) The cloner put a password on it, so we need to know that - so your on the right track a sniff with the PM will help.
With my tests to date, the cloner does not care if a card is there or note, it just spits out the commands, after everything is written it will check if it gets the valid ID back, then beep (no card no beep).  So you could try sniffing the write from the cloner direct to the pm in snoop mode (and not have the card in the way or drawing power).
When you get the data back and plot (and zoom out) you should see a series of bursts, there will be one for each command it sent.
If you see that, its a good start.

b) Now we have a good data capture you need to convert that (I am working on my own decoder software, as that helps me understand), but I am sure pm will do it.
On this bit I decoded the bulk of the commands.  The good bit here is if the cloner put a password on it, it has to send it to update, so you will see the same password bit pattern again and again (same 32 bits) so when looking at the bit patterns hunt for that, if you find it, you will be getting close.  Note: It would really help you if you put a password on a card yourself (and write it down), then see if the cloner can update it.  If it can it will be the same password wink
i.e. If you know the password, you can convert to bits and see if you can find that bit pattern.  If you see it again and again, you decode of the snoop will be very close if not perfect.

If you know that password, why do the t55 commands not seem to work as expected (this is where I am at now).
In my decode, I have discovered that what I thought was a string of 00 was miss decoded (happy to blame my software), and (yet to be confirmed) but very much looks like a write of all 00s to block 3 of page 1, so back to the tech sheet for the t5577... this is where it changes the mode of the card coms and some other bits.  I believe the default is meant to be all 00's.  Given that in my decode, all the commands look like normal downlink commands, setting the t55 back to default downlink mode makes some sense.

So keep working on your snooped data, and see if you can get that decoded.  With any luck, when you get that working, I hope I will have worked out the next bit (i have a fairly good idea here, so a busy weekend comming up)

Note: I tried not to spell it out as I am sure you are trying to learn, so some pointers and things to think about.

Offline

#13 2019-05-20 00:58:55

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Sniffing password being set by Chinese cloner

From what I learnt over the weekend and looking back over your findings, what i think may be happening.

You have a cloned HID card.  That card ID will be stored on the T55 in the user data blocks 1..x each data block is 32 bits.

I think you may find the card is in a different comms mode (as set via the config in block 3 page 1)
The default mode is fixed length, but it may be leading 0, long leading or 1-of-4
What this will mean is when you send the commands (e.g. read block x) the command will be incorrect when decoded on the card.  The card detects this error then resets and sends out the Tag Data (as you would expect in normal use).
If you have a look at your offest on the t55 config command (lf t55 config) it may be 0 or 32 or something .

Try this
Set your modulation and bit rates as before when you got some "good" looking data.
lf t55 config o 0
lf t55 read b 1
lf t55 config o 32
lf t55 read b 1
lf t55 config o 64
lf t55 read b 1

My guess will be you will get the data block output
Note the read b 1 could be any read command.
What the offset will do is take the data sent from the card and skip over x bits and dump 32 bits on the output, so 0 = first 32 bits, 1 = second 32 bits and so on.   

You are looking for PART of the card id data as stored on the t55 it may not be on the perfect 0,32,64 boundary), so you will need to know what the ID is and how it should be encoded on the card (have a look at http://www.proxmark.org/forum/viewtopic.php?id=1767 ).

To move forwards the best bet would be a full snoop and decode of the cloner write ( I would try this without the card present, just put the proxmark into snoop mode, place the cloner to the proxmark as if the proxmax was the card and send),
i expect one of the commands (maybe the first) should be something like
   ?? 11 ?? <password> 0/1 <config data> 011   
where ?? may or may not be there.

if the very first command looks like 0 11 00 <password> 0 00000000 011 then that will be putting the t55 back into normal mode from leading zero (it could be different, so look for the patterns)
If that is the case then one of the last commands will be putting it back into the other mode (this is the one we want)

To get all the capture it may take a few goes to get the settings right as the data sent trigger level may need to be tuned (try 64 to start) and view the plot. You may need to set sample d value.  e.g. d 1 will mean log every sample. d 2 will be ever 2nd sample (this will let you capture more time )

Let us know how you go.

Offline

Board footer

Powered by FluxBB