Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
I've bricked two tags (see this post explaining how: http://www.proxmark.org/forum/viewtopic.php?id=7924) when trying to clone a T55x7 tag into another T55x7 tag with different offset.
The original tag is like this:
[usb] pm3 --> lf t55xx detect
[=] Chip Type : T55x7
[=] Modulation : ASK
[=] Bit Rate : 2 - RF/32
[=] Inverted : No
[=] Offset : 31
[=] Seq. Term. : Yes
[=] Block0 : 0x00088048
[=] Downlink Mode : default/fixed bit length
[=] Password Set : No
Whereas the "blank" o "target" tag is equal but with offset 32 instead of 31.
However, I've tried using
lf t55xx dump
and then
lf t55xx restore
And I bricked two tags.
In one of them I ran
lf t55xx detect
before the restore command. In both cases bricked but with different data when I run
lf t55xx dump
in the bricked tags (all commands shown in here: http://www.proxmark.org/forum/viewtopic.php?id=7924).
So...
- How should I clone a T55x7 into another T55x7 tag with different offset?
- Any idea of how could I debrick the tags?
Offline
The offset is not really linked to the card. It is where the demod believes it can reliably find good bits from to decode. So that is not really linked to you issue.
First up, most of the time, tags can be wiped and reused. They may look unresponsive and may be bricked (it can happen), but maybe not.
With cloning from 1 T55x7 to another, its having confidence that the data read from the first is correct (some encoding are easier the others) That said ASK is normally fairly good.
I wrote all that data to a blank T55x7 and it did not brick the card, so not sure if you had a typo or did something else or not.
It looks like the card has been password protected (i.e. why all the data is the same from your other post : the "bricked" dump).
Note: if the card is responding, I dont call it bricked as it is working, just not the way you want. - So chance of recovery is better.
The config block of 00088048 would not set the password. ( 00088058 would set the password bit)
IF the card password bit has been set, the password is stored in block 7 page 0
So from your posts : lf t55 write b 7 d 69919EA9
Note: trying to read form the card using a password where a password has NOT been set, is where the chance of bricking the card increases.... so warning made.
Lets see if we can recover the cards first.
If its a real T55x7 this could work. Place a "bricked" card on the proxmark and run this command
lf t55 write b 0 d 00088048 t
then retry the detect / read / dump commands to see it it looks better.
lf t55 det
lf t55 read b 0
lf t55 read b 1
etc
Offline
Actually I bricked the card using that command (and a few following) as described in this post:
http://www.proxmark.org/forum/viewtopic.php?id=7924
I manually tried to copy all of the blocks with this:
[usb] pm3 --> lf t55 write b 0 d 00088048
[=] Writing page 0 block: 00 data: 0x00088048
[usb] pm3 --> lf t55 write b 1 d 2203206E
[=] Writing page 0 block: 01 data: 0x2203206E
[usb] pm3 --> lf t55 write b 2 d 4AD019CE
[=] Writing page 0 block: 02 data: 0x4AD019CE
[usb] pm3 --> lf t55 write b 3 d 4D243AF1
[=] Writing page 0 block: 03 data: 0x4D243AF1
[usb] pm3 --> lf t55 write b 4 d 521B67C8
[=] Writing page 0 block: 04 data: 0x521B67C8
[usb] pm3 --> lf t55 write b 5 d 12345678
[=] Writing page 0 block: 05 data: 0x12345678
[usb] pm3 --> lf t55 write b 6 d 386FAACF
[=] Writing page 0 block: 06 data: 0x386FAACF
[usb] pm3 --> lf t55 write b 7 d 69919EA9
[=] Writing page 0 block: 07 data: 0x69919EA9
[usb] pm3 --> lf t55 write b 0 d 00088048 1
[=] Writing page 1 block: 00 data: 0x00088048
[usb] pm3 --> lf t55 write b 1 d F00A80AB 1
[=] Writing page 1 block: 01 data: 0xF00A80AB
[usb] pm3 --> lf t55 write b 2 d 285C8E23 1
[=] Writing page 1 block: 02 data: 0x285C8E23
[usb] pm3 --> lf t55 write b 3 d FFFFFFFF 1
[=] Writing page 1 block: 03 data: 0xFFFFFFFF
I also tried automatically with dump and restore.
In both cases I got a unusable tag (maybe not bricked).
The info from the original tags told me that there is no password. And the only difference was the offset, that's why I though it may be related to that.
Offline
Lets have a very quick 101 of the T55x7 card (I highly recommend reading the data sheet).
When it is energized it will send block 1 page 0 to block x page 0, where X is the max block as per set in the config in block 0 page 0.
Note: Given the block 0 in your posts it will only send back data blocks 1 and 2 (and repeat until a valid command or de-energized).
If you sent a command to the card and it does not accept it, then it will do the above.
There are 3 main reasons why a card would not accept a command.
- Invalid command format (given you are using the built in proxmark commands, I think we can rule this out.
- The wrong downlink mode. given your block data, this "might" be an issue, but I used the same data and had no issues.
- The card wants a password and no password supplied.
If you get hold of the T55x7 data sheet and have a look at the config in block 3 page 1, you will find that FFFFFFFF is invalid.
that said "...Notes 1. If Option Key is 6 or 9, the front end options are activated..." since the option key is 0xF it is neither 6 nor 9 so the page 1 config should not be in use, thus the downlink mode should be the default.
If a card sends out the same data for every block (e.g. via a dump command) its a good indication that it does not accept the command sent to the card.
Given the way the card appears to behave, it appears if something sent to the card is not what is in you example... i.e. something went wrong.
Also I am happy the dump with all the same data is sending back and presenting the data in block 2 (1 bit out) so the card is mostly working as I would expect, just not doing what you want.
As such, try to focus on one thing at a time. I think if we try to work on more then one thing we will just go around in circles.
As such.... as per my previous post, please try the commands a suggest and report back on the findings.
Once we have either recovered the cards or confirmed that cant be recovered, then we can move to to cloning side.
Note: there are real T5577 cards that support page 1 block 3 config and the test write command) and clones that dont.
So we just need to try a few things and check the results.
Offline
Sorry about waiting so much for replying, I didn't have the Proxmark with me.
Here is the output of the commands:
[usb] pm3 --> lf t55 write b 0 d 00088048 t
[=] Writing page 0 block: 00 data: 0x00088048
#db# Using Test Mode
[usb] pm3 --> lf search u
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] ⛔ No known 125/134 kHz tags found![=] Checking for unknown tags:
^[[A[-] ⛔ no repeating pattern found, try increasing window size
[=] Possible auto correlation of 7168 repeating samples
[=] Possible 896 bytes
01111011010011001000110011110101
01001001000100000001100100000011
01110010010101101000000011001110
01110010011010010010000111010111
10001010100100001101101100111110
01000000100100011010001010110011
11000001110000110111110101010110
01111011010011001000110011110101
01001001000100000001100100000011
01110010010101101000000011001110
01110010011010010010000111010111
10001010100100001101101100111110
01000000100100011010001010110011
11000001110000110111110101010110
01111011010011001000110011110101
01001001000100000001100100000011Unknown ASK Modulated and Manchester encoded Tag found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'
[usb] pm3 --> lf t55 write b 0 d 00088048 t
[=] Writing page 0 block: 00 data: 0x00088048
#db# Using Test Mode
[usb] pm3 --> lf search u
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] ⛔ No known 125/134 kHz tags found![=] Checking for unknown tags:
[-] ⛔ no repeating pattern found, try increasing window size
[=] Possible auto correlation of 7168 repeating samples
[=] Possible 896 bytes
01111011010011001000110011110101
01001001000100000001100100000011
01110010010101101000000011001110
01110010011010010010000111010111
10001010100100001101101100111110
01000000100100011010001010110011
11000001110000110111110101010110
01111011010011001000110011110101
01001001000100000001100100000011
01110010010101101000000011001110
01110010011010010010000111010111
10001010100100001101101100111110
01000000100100011010001010110011
11000001110000110111110101010110
01111011010011001000110011110101
01001001000100000001100100000011Unknown ASK Modulated and Manchester encoded Tag found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'
[usb] pm3 --> lf t55 detect
[!] ⚠️ Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t55 read b 0
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[usb] pm3 --> lf t55 read b 1
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[usb] pm3 -->
The only difference between the two tags is the binary output.
All the other things same output.
However, if I send the
lf t55 detect
of a valid blank tag, and after that I send the same commands, things are different.
This from the blank (working) tag:
[usb] pm3 --> lf t55 detect
[=] Chip Type : T55x7
[=] Modulation : ASK
[=] Bit Rate : 5 - RF/64
[=] Inverted : No
[=] Offset : 32
[=] Seq. Term. : Yes
[=] Block0 : 0x00148040
[=] Downlink Mode : default/fixed bit length
[=] Password Set : No
And now the broken tags:
[usb] pm3 --> lf t55 write b 0 d 00088048 t
[=] Writing page 0 block: 00 data: 0x00088048
#db# Using Test Mode
[usb] pm3 --> lf t55 detect
[!] ⚠️ Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t55 read b 0
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | FFFFFFFF | 11111111111111111111111111111111 | ....
[usb] pm3 --> lf t55 read b 1
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 01 | FFFFFFFF | 11111111111111111111111111111111 | ....
Still, same result for both.
Last edited by underlive (2020-07-10 18:46:26)
Offline