Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-04-09 22:39:50

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Sniffing password being set by Chinese cloner

Hi all,

I just got my RDV4 last week and started my learning curve. I got it running on my Ubuntu VM and have been playing around with different tags, commands etc.

As part of my learning I thought it'd be a good idea to try and sniff the password being set by one of the Chinese cloners to the t5577 tags. It seems to be a new version, at least of the software running on it, iCopy5, as none of the known passwords seem to be correct.

I've been reading a lot in the last few days but I can't seem to figure out how to correctly run the sniff command.

I guess the idea is to have the PM3 in between the cloner and the tag, make the cloner write an ID while the PM3 is sniffing it, and then plot it and demodulate it manually. With the data sheet and an understanding of the protocol, I guess eventually I'd be able to figure out the password.

My first issue is trying to figure out how to configure LF SNIFF. Whenever I issue an LF SNIFF command, it returns with "Data fetched" so quickly that I do not have time to write from the cloner. In fact, even without anything near the PM3 it returns with "Data fetched" pretty quickly.

I'm sure I'm doing something fundamentally wrong... I apologise in advance...

Can you point me in the right direction?

pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: iceman build for RDV40 with flashmem; smartcard;

 [ ARM ]
 bootrom: iceman/master/9c74a96c 2019-04-09 13:10:35
      os: iceman/master/9c74a96c 2019-04-09 13:10:44

 [ FPGA ]
 LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 252013 bytes (48%) Free: 272275 bytes (52%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory


#2 2019-04-10 02:01:59

iceman
Administrator
Registered: 2013-04-25
Posts: 5,298

Re: Sniffing password being set by Chinese cloner

As mentioned in the lf sniff help text, it works together with lf config. Look at the threshold param.

lf sniff h
lf config h

If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#3 2019-04-10 08:27:29

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Re: Sniffing password being set by Chinese cloner

Thanks Iceman. I set it to 64 and now I'm able to capture and plot it.

Can you advise if my other settings are good? Sampling 8 bits at 125 kHz:

lf config b 8 L t 64

I plotted the data but I'm not sure I got the right sample....

This is what I captured from a iClone5 WRITE command UID 66666 https://pastebin.com/dl/9wWGFDux

Appreciate any guidance... Can anyone see the password there?


#4 2019-04-10 19:18:34

anybody
Contributor
Registered: 2016-12-20
Posts: 22

Re: Sniffing password being set by Chinese cloner

19 92 04 27


#5 2019-04-10 20:20:54

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Re: Sniffing password being set by Chinese cloner

anybody wrote:

19 92 04 27

Thanks Anybody.

I'd love to learn how you demodulated it. Any guide/post that I can read to learn how to do it?

I have tried it though and it doesn't seem to work. I can't read any block or dump it.

This is the TAG after it's been written by the iCopy5 cloner.

pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...

[+] HID Prox TAG ID: 20041e1d94 (3786) - Format Len: 26bit - FC: 15 - Card: 3786

[+] Valid HID Prox ID  found!

pm3 --> lf t5 info

-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
 Safer key                 : 15
 reserved                  : 15
 Data bit rate             : 63 - RF/128
 eXtended mode             : Yes - Warning
 Modulation                : 0x1F (Unknown)
 PSK clock frequency       : 3 - (Unknown)
 AOR - Answer on Request   : Yes
 OTP - One Time Pad        : Yes - Warning
 Max block                 : 7
 Password mode             : Yes
 Sequence Start Marker     : Yes
 Fast Write                : Yes
 Inverse data              : Yes
 POR-Delay                 : Yes
-------------------------------------------------------------
 Raw Data - Page 0
     Block 0  : 0xFFFFFFFF  11111111111111111111111111111111
-------------------------------------------------------------

pm3 --> lf t5 dump 19920427 o
Reading Page 0:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
Safety Check Overriden - proceeding despite risk
 00 | FFFFFFFF | 11111111111111111111111111111111 | ....
Safety Check Overriden - proceeding despite risk
 01 | FFFFFFFF | 11111111111111111111111111111111 | ....
Safety Check Overriden - proceeding despite risk
 02 | FFFFFFFF | 11111111111111111111111111111111 | ....
Safety Check Overriden - proceeding despite risk
 03 | FFFFFFFF | 11111111111111111111111111111111 | ....
Safety Check Overriden - proceeding despite risk
 04 | FFFFFFFF | 11111111111111111111111111111111 | ....
Safety Check Overriden - proceeding despite risk
 05 | FFFFFFFF | 11111111111111111111111111111111 | ....
Safety Check Overriden - proceeding despite risk
 06 | FFFFFFFF | 11111111111111111111111111111111 | ....
Safety Check Overriden - proceeding despite risk
 07 | FFFFFFFF | 11111111111111111111111111111111 | ....
Reading Page 1:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
Safety Check Overriden - proceeding despite risk
 00 | FFFFFFFF | 11111111111111111111111111111111 | ....
Safety Check Overriden - proceeding despite risk
 01 | FFFFFFFF | 11111111111111111111111111111111 | ....
Safety Check Overriden - proceeding despite risk
 02 | FFFFFFFF | 11111111111111111111111111111111 | ....
Safety Check Overriden - proceeding despite risk
 03 | FFFFFFFF | 11111111111111111111111111111111 | ....

Could it be that my trace was wrong?

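The HID Prox line from lf search in the post above can be checked by hand, which is useful for deciding whether the tag data or the T55xx read is the problem. The following is an added example, not code from the thread or from the Proxmark project: it decodes the raw value into the 26-bit H10301 fields (even parity, 8-bit facility code, 16-bit card number, odd parity) and verifies both parity bits, and the encoder rebuilds the same payload from FC 15 / card 3786. It assumes the bits above the low 26 in the raw value are HID framing and can be ignored, which holds for the value in the thread.

```python
# Added example, not from the thread or the Proxmark project: check the HID Prox
# result printed by "lf search" by decoding the 26-bit H10301 payload ourselves.
# 26-bit layout, MSB first: E(1) FC(8) CN(16) O(1). E is even parity over the
# first 13 bits, O is odd parity over the last 13 bits.

HID26_MASK = (1 << 26) - 1


def hid26_decode(raw: int) -> dict:
    """Decode the low 26 bits of a Proxmark HID raw value. Bits above them are
    HID framing (an assumption, true for the value in the thread) and ignored."""
    payload = raw & HID26_MASK
    lead = (payload >> 13) & 0x1FFF      # E + FC + top 4 bits of CN
    trail = payload & 0x1FFF             # low 12 bits of CN + O
    return {
        "fc": (payload >> 17) & 0xFF,
        "card": (payload >> 1) & 0xFFFF,
        "even_ok": bin(lead).count("1") % 2 == 0,
        "odd_ok": bin(trail).count("1") % 2 == 1,
    }


def hid26_encode(fc: int, card: int) -> int:
    """Build a 26-bit payload with both parity bits from facility code and card number."""
    body = ((fc & 0xFF) << 16) | (card & 0xFFFF)   # the 24 data bits
    even = bin(body >> 12).count("1") & 1           # even parity over top 12 data bits
    odd = 1 - (bin(body & 0xFFF).count("1") & 1)    # odd parity over low 12 data bits
    return (even << 25) | (body << 1) | odd


if __name__ == "__main__":
    raw = 0x20041E1D94                               # value printed by lf search above
    print(hid26_decode(raw))                         # fc 15, card 3786, both parities ok
    print(hex(hid26_encode(15, 3786)))               # matches the low 26 bits of raw
```

Both parity bits checking out is what makes the HID identification trustworthy even though the T55xx read that follows it is garbage.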

#6 2019-04-11 23:36:34

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 40

Re: Sniffing password being set by Chinese cloner

Your trace is most likely correct, it's the read of t55 that's in error. Unlike the HID read in search, reading the t55 chip directly requires knowing the modulation, data rate, and other parameters first. HID-encoded cards are usually FSK2, RF/50. Easiest option is to first try a 'lf t55 detect' when you identify a card you think is using the chip. If it detects, it will preset the parameters for reading from the chip.


#7 2019-04-12 01:13:56

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Re: Sniffing password being set by Chinese cloner

grauerfuchs wrote:

Your trace is most likely correct, it's the read of t55 that's in error. Unlike the HID read in search, reading the t55 chip directly requires knowing the modulation, data rate, and other parameters first. HID-encoded cards are usually FSK2, RF/50. Easiest option is to first try a 'lf t55 detect' when you identify a card you think is using the chip. If it detects, it will preset the parameters for reading from the chip.

Thanks grauerfuchs

lf t55 detect cannot automatically detect the modulation, not even if I provide the password that anybody got from the trace.

If I set it manually....

pm3 --> lf t5 config b 50 d FSK2
Chip Type  : T55x7
Modulation : FSK2
Bit Rate   : 4 - RF/50
Inverted   : No
Offset     : 0
Seq. Term. : No
Block0     : 0x00000000

Then the info command responds with this...

-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
 Safer key                 : 8
 reserved                  : 10
 Data bit rate             : 42 - RF/86
 eXtended mode             : Yes - Warning
 Modulation                : 0x09 (Unknown)
 PSK clock frequency       : 2 - RF/8
 AOR - Answer on Request   : Yes
 OTP - One Time Pad        : No
 Max block                 : 5
 Password mode             : No
 Sequence Start Marker     : Yes
 Fast Write                : No
 Inverse data              : Yes
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0
     Block 0  : 0x8AAA9AAA  10001010101010101001101010101010
-------------------------------------------------------------

I guess it's still not the right one as it now says Password mode = NO, and I can dump it without a password, but the block 0 info doesn't seem to make sense...

pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 01 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 02 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 03 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 04 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 05 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 06 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 07 | 8AAA9AAA | 10001010101010101001101010101010 | ....
Reading Page 1:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 8FE37F97 | 10001111111000110111111110010111 | ....
 01 | 8FE37F97 | 10001111111000110111111110010111 | ....
 02 | 8FE37F97 | 10001111111000110111111110010111 | ....
 03 | 8FE37F97 | 10001111111000110111111110010111 | ....

pm3 --> lf t55 wipe

[=] Beginning Wipe of a T55xx tag (assuming the tag is not password protected)

[=] Writing page 0  block: 00  data: 0x000880E0 pwd: 0x00000000
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000

pm3 --> lf t5 dump
Reading Page 0:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 01 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 02 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 03 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 04 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 05 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 06 | 8AAA9AAA | 10001010101010101001101010101010 | ....
 07 | 8AAA9AAA | 10001010101010101001101010101010 | ....
Reading Page 1:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 8FE37F97 | 10001111111000110111111110010111 | ....
 01 | 8FE37F97 | 10001111111000110111111110010111 | ....
 02 | 8FE37F97 | 10001111111000110111111110010111 | ....
 03 | 8FE37F97 | 10001111111000110111111110010111 | ....

The iCopy5 cloner can still write to the tag and change the value...

I'm going crazy with this freaking cloner...

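Both lf t5 info outputs in this thread make more sense once block 0 is split into its fields bit by bit. The following is an added example, not code from the thread or from the Proxmark project: it decodes a T55x7 page 0 / block 0 word into the same fields the info command prints (safer key, reserved, data bit rate, X-mode, modulation, PSK clock, AOR, OTP, max block, password, SST, fast write, inverse, POR delay) and flags words that cannot be a real configuration, which is the case for both 0xFFFFFFFF and 0x8AAA9AAA, while the 0x000880E0 written by the wipe decodes cleanly as Manchester RF/32. The fourth value, 0x00107060, is an assumed HID-style word (FSK2a, RF/50, three blocks) included only as a comparison.

```python
# Added example, not from the thread or the Proxmark project: decode a T55x7
# page 0 / block 0 configuration word into the fields "lf t5 info" prints.
# Bit layout (MSB first): safer(4) reserved(4) bitrate(6) X(1) mod(5) pskcf(2)
# AOR(1) OTP(1) maxblk(3) PWD(1) SST(1) FW(1) INV(1) POR(1).

MODULATIONS = {
    0x00: "DIRECT", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
    0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
    0x08: "MANCHESTER", 0x10: "BIPHASE", 0x18: "BIPHASE_a",
}
BASIC_RATES = [8, 16, 32, 40, 50, 64, 100, 128]   # 3-bit table when X-mode is off
PSK_CF = {0: "RF/2", 1: "RF/4", 2: "RF/8", 3: "reserved"}


def decode_block0(block0: int) -> dict:
    """Split a 32-bit block 0 into named fields, mirroring the info command."""
    dbr = (block0 >> 18) & 0x3F
    xmode = bool((block0 >> 17) & 1)
    mod = (block0 >> 12) & 0x1F
    return {
        "safer_key": (block0 >> 28) & 0xF,       # 6 = test mode off, 9 = test mode on
        "reserved": (block0 >> 24) & 0xF,        # a real config always reads 0 here
        # In X-mode the 6-bit value n means RF/(2n+2); otherwise it indexes the table.
        "bitrate": 2 * dbr + 2 if xmode else (BASIC_RATES[dbr] if dbr < 8 else None),
        "xmode": xmode,
        "modulation": MODULATIONS.get(mod, "unknown(0x%02X)" % mod),
        "psk_cf": PSK_CF[(block0 >> 10) & 3],
        "aor": bool((block0 >> 9) & 1),
        "otp": bool((block0 >> 8) & 1),          # locks the tag if set (info warns)
        "max_block": (block0 >> 5) & 7,
        "pwd_mode": bool((block0 >> 4) & 1),
        "sst": bool((block0 >> 3) & 1),
        "fast_write": bool((block0 >> 2) & 1),
        "inverse": bool((block0 >> 1) & 1),
        "por_delay": bool(block0 & 1),
    }


def looks_sane(block0: int) -> bool:
    """Reject words that cannot be a real configuration; reading a tag with the
    wrong demod settings on the Proxmark side produces exactly this kind of word."""
    f = decode_block0(block0)
    return (f["reserved"] == 0 and f["bitrate"] is not None
            and not f["modulation"].startswith("unknown")
            and f["psk_cf"] != "reserved")


if __name__ == "__main__":
    # Three values from the thread plus an assumed HID-style word (FSK2a, RF/50, 3 blocks).
    for word in (0xFFFFFFFF, 0x8AAA9AAA, 0x000880E0, 0x00107060):
        print("0x%08X sane=%s %s" % (word, looks_sane(word), decode_block0(word)))
```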

#8 2019-04-12 04:43:25

iceman
Administrator
Registered: 2013-04-25
Posts: 5,298

Re: Sniffing password being set by Chinese cloner

What's the output from

lf t55 detect p 19920427



#9 2019-04-12 07:07:43

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Re: Sniffing password being set by Chinese cloner

iceman wrote:

whats the output from

lf t55 detect p 19920427

No luck. I just ran it with and without running the manual config first (lf t5 config b 50 d FSK2).

pm3 --> lf t55 detect p 19920427
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'


#10 2019-04-12 08:17:35

iceman
Administrator
Registered: 2013-04-25
Posts: 5,298

Re: Sniffing password being set by Chinese cloner

What does the data plot window look like when you run that detect with pwd?




#11 2019-04-12 22:07:33

cpoole
Contributor
Registered: 2019-04-09
Posts: 7

Re: Sniffing password being set by Chinese cloner

iceman wrote:

What does the data plot window look like when you run that detect with pwd?

Here are the screenshots... (attachments t55detect01.png through t55detect10.png)

And the trace ... t55detectp19920427

