Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

#1 2019-07-07 20:20:49

lockakey
Contributor
Registered: 2015-10-10
Posts: 22

T55xx Issue when writing data

Working on a Keri fob, I've read and written many of these in the past.... Recently having some issues with a few
When I write the data using the t55 commands, the data that's written isn't the same as the data read

Keri Gray Fob - Marked as N1455-3009859*

using Iceman or Standard, both have same results

 [ CLIENT ]
 client: iceman build for RDV40 with flashmem; smartcard;

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-1083-g05f43ba6 2019-05-01 13:40:37
      os: iceman/master/ice_v3.1.0-1083-g05f43ba6 2019-05-01 13:40:41

 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23

 [ Hardware ]
  --= uC: AT91SAM7S256 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 256K bytes, Used: 237349 bytes (91%) Free: 24795 bytes ( 9%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

When I run a detect I'm able to read the data as a t55 chip

proxmark3> lf t55 det
Chip Type  : T55x7
Modulation : FSK2a
Bit Rate   : 4 - RF/50
Inverted   : Yes
Offset     : 32
Seq. Term. : No
Block0     : 0x90107080

I can read blocks 1-4

  0 | 90107080 | 1001000000010000011100001000000
  1 | 00010101 | 0000000000000001000000010000000
  2 | 04927748 | 0000010010010010011101110100100
  3 | 2557D6AD | 0010010101010111110101101010110
  4 | 7594D288 | 0111010110010100110100101000100

When I try to write these blocks to a t55 chip, blocks 1 and 4 read correctly, but 2 and 3 do not, seems like one 0 off at block 2
Block 2 reads as 

 02 | 0924EE90 | 00001001001001001110111010010000 | .$..

Block 3 reads as 

 03 | 4AAFAD5A | 01001010101011111010110101011010 | J..Z

Attached a trace for good reference below.
Any ideas on why it's reading back wrong?

Offline

#2 2019-07-07 20:29:36

lockakey
Contributor
Registered: 2015-10-10
Posts: 22

Re: T55xx Issue when writing data

Trace of Keri - N1455 - 3009859*


keriN14553009859star.pm3
https://ufile.io/9zy7cv21

Offline

#3 2019-07-08 02:18:41

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: T55xx Issue when writing data

I have a few questions.

1. What happens if you offset the t55 config by 1 bit less
lf t55xx config o 31
Does it work for any/all/none ?

2. Whats the output of hw tune ?

3. Whats the data (if any) in b 3 page 1
lf t55 read b 3 1

4. Even if you read it back wrong, does it work ?  i.e. is it a read "error" or a write "error"

Offline

#4 2019-07-08 05:57:43

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: T55xx Issue when writing data

Found some time to have a play
When set to FSK2a (as per your config) with your same data, I got the exact some results.
I beleive the data is written correctly, but decoding for some modulations may not be 100%
I set the card to FSK2 (not 2a :  lf t55 write b 0 d 90105080)  it seemed to read ok
I then tried FSK2a but with a of RF/64 (not the 50 : 90147080) it seemed to read ok as well.

Offline

Pages: 1

Board footer

Powered by FluxBB