Proxmark3 developers community


#1 2019-10-27 22:44:36

lnicola
Contributor
Registered: 2019-10-24
Posts: 3

[solved] Cloning an unknown tag

I recently got a Proxmark3 and I managed to clone an EM410x onto a T5577 badge, so I probably have the basics down. I want to clone another tag, though, and I can't make it work:

proxmark3> lf search u      
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          

No Known Tags Found!
          

Checking for Unknown tags:
          
Possible Auto Correlation of 8192 repeating samples          

Using Clock:64, Invert:0, Bits Found:467          
ASK/Manchester - Clock: 64 - Decoded bitstream:          
0101010101010101
0101010101010101
0101010111111111
0000000110111100
0011000000000000
0000001100110011
1110000011111100
0011110101010101
0101010101010101
0101010101010101
0101010111111111
0000000110111100
0011000000000000
0000001100110011
1110000011111100
0011110101010101
0101010101010101
0101010101010101
0101010111111111
0000000110111100
0011000000000000
0000001100110011
1110000011111100
0011110101010101
0101010101010101
0101010101010101
0101010111111111
0000000110111100
0011000000000000
000          

Unknown ASK Modulated and Manchester encoded Tag Found!          

if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'          

That's obviously periodic, so I trimmed it down to:

0101010101010101
0101010101010101
0101010111111111
0000000110111100
0011000000000000
0000001100110011
1110000011111100
0011110101010101

, that is:

55555555
55FF01BC
30000333
E0FC3D55

Looking in this section, I found a similar post, http://www.proxmark.org/forum/viewtopic.php?id=5806, where the tag may or may not be a t5 tag. The solution there was to simply write those bytes onto the new tag. I don't know if it makes sense, but I tried to do the same thing, and I simply couldn't write the data:

proxmark3> lf t5 wipe

Beginning Wipe of a T55xx tag (assuming the tag is not password protected)
          
Writing page 0  block: 00  data: 0x00088040 pwd: 0x00000000          
Writing page 0  block: 01  data: 0x00000000           
Writing page 0  block: 02  data: 0x00000000           
Writing page 0  block: 03  data: 0x00000000           
Writing page 0  block: 04  data: 0x00000000           
Writing page 0  block: 05  data: 0x00000000           
Writing page 0  block: 06  data: 0x00000000           
Writing page 0  block: 07  data: 0x00000000           
proxmark3> lf t5 detect
Chip Type  : T55x7          
Modulation : ASK          
Bit Rate   : 2 - RF/32          
Inverted   : No          
Offset     : 31          
Seq. Term. : No          
Block0     : 0x00088040          
          
Downlink Mode used : default/fixed bit length          
proxmark3> lf t5 config d ASK b 64
Chip Type  : T55x7          
Modulation : ASK          
Bit Rate   : 5 - RF/64          
Inverted   : No          
Offset     : 31          
Seq. Term. : No          
Block0     : 0x00000000          
          
proxmark3> lf t5 write b 0 d 55555555
Writing page 0  block: 00  data: 0x55555555           
proxmark3> lf t5 dump
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | FFFFFFFF | 11111111111111111111111111111111          
  1 | FFFFFFFF | 11111111111111111111111111111111          
  2 | FFFFFFFF | 11111111111111111111111111111111          
  3 | FFFFFFFF | 11111111111111111111111111111111          
  4 | FFFFFFFF | 11111111111111111111111111111111          
  5 | FFFFFFFF | 11111111111111111111111111111111          
  6 | FFFFFFFF | 11111111111111111111111111111111          
  7 | FFFFFFFF | 11111111111111111111111111111111          
Reading Page 1:          
blk | hex data | binary          
----+----------+---------------------------------          
proxmark3> lf t5 write b 1 d 55FF01BC
Writing page 0  block: 01  data: 0x55FF01BC           
proxmark3> lf t5 write b 2 d 30000333
Writing page 0  block: 02  data: 0x30000333           
proxmark3> lf t5 write b 3 d E0FC3D55
Writing page 0  block: 03  data: 0xE0FC3D55           
proxmark3> lf t5 dump                
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | FFFFFFFF | 11111111111111111111111111111111          
  1 | FFFFFFFF | 11111111111111111111111111111111          
  2 | FFFFFFFF | 11111111111111111111111111111111          
  3 | FFFFFFFF | 11111111111111111111111111111111          
  4 | FFFFFFFF | 11111111111111111111111111111111          
  5 | FFFFFFFF | 11111111111111111111111111111111          
  6 | FFFFFFFF | 11111111111111111111111111111111          
  7 | FFFFFFFF | 11111111111111111111111111111111          
Reading Page 1:          
blk | hex data | binary          
----+----------+---------------------------------    

This is the same badge I used before, so I know I can write it with lf em 410xwrite, then read or write the data with lf t5. Yet I can't seem to program it:

proxmark3> lf search u      
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
#: DEBUG: Error - hitag failed          

No Data Found! - maybe not an LF tag?

And the tag stops working until I wipe it. Am I doing something wrong? Should I be able to write to the tag, and is it possible to clone my original one?

Last edited by lnicola (2019-10-28 10:13:16)


#2 2019-10-28 03:14:21

mwalker
Contributor
Registered: 2019-05-11
Posts: 213

Re: [solved] Cloning an unknown tag

A few things to consider.

I have assumed your blank is a T55x7 as per your detect.

Given that block 0 of page 0 is the config block, not a data block, the following command would have resulted in an invalid config block:
lf t5 write b 0 d 55555555

So first up make sure you can get back to a known clean card with the lf t55xx wipe followed by a lf t55xx detect.

Once back to a clean card, then move on.

From your post: ASK/Manchester - Clock: 64 - Decoded bitstream:
So ASK/Manchester with an RF/64 clock, so we need to configure the blank card to that,
and you have 4 blocks of data (so max block is 4):
55555555
55FF01BC
30000333
E0FC3D55

You should be able to work this out from the data sheet, but to get you going.
T55x7 config block 0

0000    - No Master Key 
0000000 - Not used basic mode
101     - RF/64
0       - Basic Mode
01000   - ASK/Manchester
00      - RF/2
0       - No AOR
0       - No OTP
100     - Max Block 4
0       - Don't use password
0       - No ST
00      - not used in Basic Mode
0       - No Initial Delay

Binary : 00000000000101001000000010000000
Hex    : 00148080

So now
Config block 0 could be
00148080

then block 1-4 as per your data
55555555
55FF01BC
30000333
E0FC3D55

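The block 0 breakdown from post #2, as an added example that is not part of the thread or of the Proxmark3 client: it packs and unpacks the config word using the field widths listed there, and shows which fields differ from the target when the wipe default or the data word 55555555 sits in block 0. Function and field names are hypothetical; the bit codes and hex values are the ones quoted in the thread.

```python
# Added example, not from the thread. Field widths follow the basic-mode
# block 0 breakdown in post #2, most significant field first.
FIELDS = [("master_key", 4), ("reserved_a", 7), ("bit_rate", 3),
          ("extended", 1), ("modulation", 5), ("psk_cf", 2), ("aor", 1),
          ("otp", 1), ("max_block", 3), ("pwd", 1), ("st", 1),
          ("reserved_b", 2), ("init_delay", 1)]
assert sum(width for _, width in FIELDS) == 32

def pack_block0(**values):
    """Build the 32-bit config word; fields not given default to 0."""
    unknown = set(values) - {name for name, _ in FIELDS}
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    word = 0
    for name, width in FIELDS:
        value = values.get(name, 0)
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        word = (word << width) | value
    return word

def unpack_block0(word):
    """Split a 32-bit block 0 value into its named fields."""
    fields, shift = {}, 32
    for name, width in FIELDS:
        shift -= width
        fields[name] = (word >> shift) & ((1 << width) - 1)
    return fields

def mismatches(word, **expected):
    """Fields of `word` that differ from `expected`; unlisted fields must be 0."""
    got = unpack_block0(word)
    return {n: v for n, v in got.items() if v != expected.get(n, 0)}

def bits_to_blocks(bitstream):
    """Turn one period of demodulated bits into 32-bit hex data blocks."""
    bits = "".join(bitstream.split())
    if len(bits) % 32 or set(bits) - {"0", "1"}:
        raise ValueError("need a multiple of 32 binary digits")
    return [f"{int(bits[i:i + 32], 2):08X}" for i in range(0, len(bits), 32)]

# Target from the thread: RF/64 (101), ASK/Manchester (01000), max block 4.
TARGET = dict(bit_rate=0b101, modulation=0b01000, max_block=4)
PERIOD = """0101010101010101 0101010101010101 0101010111111111 0000000110111100
            0011000000000000 0000001100110011 1110000011111100 0011110101010101"""

if __name__ == "__main__":
    print(f"config : {pack_block0(**TARGET):08X}")
    print("data   :", bits_to_blocks(PERIOD))
    print("wipe   :", mismatches(0x00088040, **TARGET))
    print("bad b0 :", mismatches(0x55555555, **TARGET))
```

Read as a config word, 55555555 sets the password bit and a modulation code other than 01000, while the wipe default differs from the target only in bit rate and max block.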

#3 2019-10-28 08:35:06

iceman
Administrator
Registered: 2013-04-25
Posts: 6,178

Re: [solved] Cloning an unknown tag

Testing to write the data suggests a Nedap tag. However, it's not correct.
The demodulation here must have been a bit wrong.

Are there any printed numbers?

Save a trace and share it here.

lf read
data save lf_unk_nedap.pm3

If you feel the love,  https://www.patreon.com/iceman1001

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#4 2019-10-28 09:40:13

lnicola
Contributor
Registered: 2019-10-24
Posts: 3

Re: [solved] Cloning an unknown tag

Thank you, mwalker, it worked like a charm -- if only I had tried to read the datasheet. I didn't realize that block 0 was the config block.

@iceman, I uploaded a trace here:
https://send.firefox.com/download/6cc72 … OESm3zPGKg. No printed numbers, unfortunately.

Last edited by lnicola (2019-10-28 09:46:29)


#5 2019-10-28 10:10:49

iceman
Administrator
Registered: 2013-04-25
Posts: 6,178

Re: [solved] Cloning an unknown tag

You can edit your first post and add the prefix [solved]. I will move this thread to the LF 125 section since your tag is a Nedap.

[usb] pm3 --> da load traces/lf_unk_nedap.pm3
[+] loaded 39999 samples
[usb] pm3 --> da pl
[usb] pm3 --> lf nedap demo
[!!] Bad parity (1)
[!!] Checksum : failed  (calc 0x4FAD != 0x800A)
[+] NEDAP Tag Found: Card ID 05197  subtype: 0  customer code: 205
[+] Checksum is OK  (0x4FAD)
[+] Raw: FF 80 40 B1 14 00 01 55 08 41 11 FF FF FF FF FF
[!!] Bad parity (1)
[usb] pm3 -->
