Research, development and trades concerning the powerful Proxmark3 device.
Hi
I've recently purchased a Jakcom R3 'Smart Ring', it's the version that contains ID and M1 chips as well as an NFC component.
NFC works well with NFC Tools on Android; the ring performs as you would expect a standard NFC tag to.
When scanning the ID part of the ring with a Proxmark3, a valid EM410x ID and a valid T55xx chip are found.
I want to copy a Noralsy tag to this ring.
I can copy the Noralsy tag to a T5577 tag and a T5577 card with no issues.
When I try to copy the Noralsy tag to the ring nothing appears to happen.
Any ideas why?
Thanks
Spyder
Last edited by Spyder (2017-12-30 18:59:05)
is the ring's t5577 locked or password protected?
lf t55 detect
lf t55 info
lf t55 dump
I'm assuming the ring chip's antenna is small. A small antenna may require a specially sized antenna on the pm3 to allow the chip to "hear" the write commands.
is the ring's t5577 locked or password protected?
lf t55 detect
lf t55 info
lf t55 dump
proxmark3> lf t55 detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
proxmark3> lf t55 info
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
proxmark3> lf t55 config
Chip Type : T55x7
Modulation : ASK
Bit Rate : 0 - RF/8
Inverted : No
Offset : 0
Seq. Term. : No
Block0 : 0x00000000
I'm assuming the ring chip's antenna is small. A small antenna may require a specially sized antenna on the pm3 to allow the chip to "hear" the write commands.
I have a horrible feeling you have hit the nail on the head.
lf t55xx p1detect
does however produce:
T55xx chip found!
Last edited by Spyder (2017-12-20 20:26:32)
I believe that may be a false positive. What firmware version are you running?
The latest version, flashed via the Homebrew build on a Mac.
OK now have some more info.
The ring appears to have been written to using a cheap Chinese cloner:
lf search produces this:
EM410x pattern found:
EM TAG ID : 22007B0942
Possible de-scramble patterns
Unique TAG ID : 4400DE9042
HoneyWell IdentKey {
DEZ 8 : 08063298
DEZ 10 : 0008063298
DEZ 5.5 : 00123.02370
DEZ 3.5A : 034.02370
DEZ 3.5B : 000.02370
DEZ 3.5C : 123.02370
DEZ 14/IK2 : 00146036951362
DEZ 15/IK3 : 000292072362050
DEZ 20/ZK : 04040000131409000402
}
Other : 02370_123_08063298
Pattern Paxton : 579815234 [0x228F4742]
Pattern 1 : 14549346 [0xDE0162]
Pattern Sebury : 2370 123 8063298 [0x942 0x7B 0x7B0942]
Valid EM410x ID Found!
Valid T55xx Chip Found
Try lf t55xx ... commands
lf read
lf data rawdemod am produces:
Using Clock:64, Invert:0, Bits Found:625
ASK/Manchester - Clock: 64 - Decoded bitstream:
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
I am assuming that the Chinese cloner has written the EM410x tag info to the ring using a password.
Is there any way to reset the ring?
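Added worked example (not part of the thread, and not Proxmark3 code): a small EM410x frame decoder run over the bitstream pasted in the post above. It shows that the repeating 64-bit pattern from `lf data rawdemod am` is a well-formed EM410x frame (nine header ones, ten rows of four data bits plus even parity, four column-parity bits, a zero stop bit) carrying exactly the ID that `lf search` reported, i.e. the ring reads fine; only writing fails. The RAW_DEMOD constant is copied from the post; the encoder/decoder functions and their names are this example's own.

```python
from typing import List, Optional, Tuple

# Bitstream copied from the `lf data rawdemod am` output in the post above:
# the same four 16-bit words, repeated eight times.
RAW_DEMOD = (
    "0011111011100000"
    "1001001001001010"
    "0110111111111001"
    "0100101000000000"
) * 8

HEADER = "1" * 9          # every EM410x frame starts with nine 1 bits
FRAME_LEN = 64            # 9 header + 10 * 5 row bits + 4 column parity + 1 stop


def em410x_encode(id_hex: str) -> str:
    """Build the 64-bit EM410x frame for a 40-bit (10 hex digit) ID."""
    if len(id_hex) != 10:
        raise ValueError("EM410x IDs are 10 hex digits")
    nibbles = [f"{int(h, 16):04b}" for h in id_hex]
    rows = "".join(n + str(n.count("1") % 2) for n in nibbles)  # even row parity
    cols = "".join(str(sum(n[c] == "1" for n in nibbles) % 2) for c in range(4))
    return HEADER + rows + cols + "0"


def em410x_decode_frame(frame: str) -> Optional[str]:
    """Validate one 64-bit frame; return the ID as hex, or None if any check fails."""
    if len(frame) != FRAME_LEN or not frame.startswith(HEADER) or frame[63] != "0":
        return None
    rows = [frame[9 + 5 * i: 14 + 5 * i] for i in range(10)]
    if any(row.count("1") % 2 for row in rows):      # even row parity
        return None
    nibbles = [row[:4] for row in rows]
    for c in range(4):                                # even column parity
        if sum(n[c] == "1" for n in nibbles) % 2 != int(frame[59 + c]):
            return None
    return "".join(f"{int(n, 2):X}" for n in nibbles)


def em410x_decode_all(bits: str) -> List[Tuple[int, str]]:
    """Scan a demodulated capture and return (offset, ID) for every valid frame.

    The capture is treated as circular, so a frame that wraps around the end
    of the buffer is still recovered.
    """
    bits = "".join(c for c in bits if c in "01")
    if len(bits) < FRAME_LEN:
        return []
    stream = bits + bits[:FRAME_LEN - 1]
    found = []
    for start in range(len(bits)):
        tag_id = em410x_decode_frame(stream[start:start + FRAME_LEN])
        if tag_id is not None:
            found.append((start, tag_id))
    return found


def em410x_decode(bits: str) -> Optional[str]:
    """Return the ID only if every decodable frame in the capture agrees."""
    ids = {tag_id for _, tag_id in em410x_decode_all(bits)}
    return ids.pop() if len(ids) == 1 else None


if __name__ == "__main__":
    print(em410x_decode(RAW_DEMOD))                       # 22007B0942, as in `lf search`
    print(len(em410x_decode_all(RAW_DEMOD)), "valid frames in the capture")
```

The round trip (encode the ID from `lf search`, compare it with the captured frame at its first header) is the quick check that the ring's ID block is intact; a single flipped bit in a frame fails row or column parity and that frame is dropped.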
Look into lf t55xx; the known cloner passwords found so far are also inside the default_pwd.dic file.
Do you have access to the cheap cloner?
Yes I have got hold of the cheap cloner.
Last edited by Spyder (2017-12-26 17:11:23)
If you could do a snoop and share the signal trace here (via a fileshare service), that would be nice, so we can figure out that specific cloner password.
data plot
lf snoop
data samples
data save cloner.pm3
https://expirebox.com/download/b22b2d98c4be0596531b292cdea56afb.html
Thanks, very interested to see what has happened.
Last edited by Spyder (2017-12-26 19:56:07)
Nice, so this trace shows the cloner writing to the ring? (Just to make certain.)
Yes I can repeat it again to make sure if it would be helpful.
https://expirebox.com/download/bdc76b9e3012e843a4592fe000882020.html
OK Progress made.
Got hold of a second Jakcom R3 'Smart Ring'.
A little tricky to write to, but it was correctly identified as a T55xx chip straight away, and after a few clone commands it accepted the programming to act as a Noralsy tag.
Oddly it doesn't show up on lf search consistently after programming, but it does work with the entry system.
If anyone is interested in playing with the original ring and the programmer (pictured above), which it seems managed to lock down the ring with a password, I am more than happy to wrap them up and post them.
Nice!
After figuring out several of the issues with these cloner devices over the past months - see:
https://forum.dangerousthings.com/t/xem … oners/1547
I am pretty eager to try and see if I can figure out what is happening here.
Last edited by Tom5ive (2017-12-31 03:36:07)
Send your address to my gmail spyderpalace, will sort it out next week.
Done!
Password found!
AA55BBBB - which is actually in the default_pwd.dic file included with the latest pm3 source.
You need to issue the unlock command in test mode with these rings when the chip has been put in EM / ID mode.
See below command:
lf t55xx write b 0 d 00148041 p AA55BBBB t
The stock proxmark coils probably won't cut it either! For a coil that is very close to perfectly tuned for the pm3 (needs a few wraps unwound, 2-3 should do it - test using hw tune etc.) get yourself one of the coils linked below - it's what I used to unlock this ring.
http://www.ebay.com.au/itm/10pcs-125KHZ-reader-RFID-antenna-access-control-ID-self-adhesive-coil-22-35/131981806414?hash=item1ebaba8b4e:g:OnwAAOSwA3dYDxYX
Spyder, would you like me to ship the ring back to you? It's way too large for me! I cloned a random HID ID to it.
Last edited by Tom5ive (2018-01-20 10:12:42)
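Added worked example (not part of the thread, and not Proxmark3 code): a decoder for the T5577 page-0 block-0 configuration word, using the bit layout from the Atmel/Microchip T5577 datasheet (bit 1 is the most significant bit and is transmitted first). Run on the value 00148041 from the unlock command above, it shows what that write actually does to the ring: Manchester at RF/64 with max block 2 (the standard EM410x configuration), the PWD bit cleared, and the POR delay bit set. The field names, the dataclass and set_password_mode are this example's own; the only values taken from the thread are 0x00148041 and the AA55BBBB password context.

```python
from dataclasses import dataclass

# Datasheet encodings for the non-extended (X-mode off) layout.
BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "Direct (ASK/NRZ)", 1: "PSK1", 2: "PSK2", 3: "PSK3",
               4: "FSK1", 5: "FSK2", 6: "FSK1a", 7: "FSK2a",
               8: "Manchester", 16: "Biphase"}


def _field(word: int, first_bit: int, width: int) -> int:
    """Extract `width` bits starting at datasheet bit number `first_bit` (1..32, MSB first)."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)


@dataclass
class T55x7Config:
    master_key: int     # bits 1-4
    bit_rate: str       # bits 12-14 (bits 9-14 in X-mode)
    x_mode: bool        # bit 15
    modulation: str     # bits 16-20
    psk_cf: int         # bits 21-22
    aor: bool           # bit 23, answer on request
    otp: bool           # bit 24, one-time programmable lock
    max_block: int      # bits 25-27
    pwd: bool           # bit 28, password mode
    st: bool            # bit 29, sequence terminator
    por_delay: bool     # bit 32


def decode_block0(word: int) -> T55x7Config:
    """Split a 32-bit block-0 word into its configuration fields."""
    x_mode = bool(_field(word, 15, 1))
    if x_mode:
        # Extended mode: six-bit field, rate = RF/(2n + 2)
        bit_rate = f"RF/{2 * _field(word, 9, 6) + 2}"
    else:
        bit_rate = BIT_RATES[_field(word, 12, 3)]
    mod = _field(word, 16, 5)
    return T55x7Config(
        master_key=_field(word, 1, 4),
        bit_rate=bit_rate,
        x_mode=x_mode,
        modulation=MODULATIONS.get(mod, f"reserved ({mod:#07b})"),
        psk_cf=_field(word, 21, 2),
        aor=bool(_field(word, 23, 1)),
        otp=bool(_field(word, 24, 1)),
        max_block=_field(word, 25, 3),
        pwd=bool(_field(word, 28, 1)),
        st=bool(_field(word, 29, 1)),
        por_delay=bool(_field(word, 32, 1)),
    )


PWD_BIT = 1 << (32 - 28)   # datasheet bit 28 == mask 0x10


def set_password_mode(word: int, enabled: bool) -> int:
    """Return the block-0 word with the PWD bit set or cleared, nothing else touched."""
    return (word | PWD_BIT) if enabled else (word & ~PWD_BIT & 0xFFFFFFFF)


if __name__ == "__main__":
    unlock_word = 0x00148041            # value written in the unlock command above
    cfg = decode_block0(unlock_word)
    for name, value in vars(cfg).items():
        print(f"{name:>11}: {value}")
    print(f"password-protected twin: {set_password_mode(unlock_word, True):#010x}")
```

Reading block 0 this way is the sanity check before any `lf t55xx write ... p <pwd>`: if the word you are about to write still has bit 28 set, the tag stays password protected, and if max_block or the modulation do not match the credential type you cloned, the reader will ignore the tag even though the write succeeded.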
I have had one of those rings before; it works perfectly but needs a sweet spot to write and read as the antenna is pretty micro. Mine didn't come with a locked T55.
This specific ring was locked by the Jakcom cloner pictured above - it did not come locked (as far as I know).
Would you say the coil is the same as one found in a T5557 card or any other NFC card? Could I remove the coil from a card and use it as an antenna to program a smart ring?
Thoughts?
Unfortunately this will not work. You either design coils to be on the reader or on the tag. They are not cross compatible.
I also have the same issue. What is the solution?
I am trying to clone an Indala tag to my smart ring (Jakcom R3). It does write to it, but it doesn't work when I try to open the door.