Help,can't write to block3 to block6 on T5577 fobs

seanedu · 2022-07-19 20:19:05

hi,I need a help to figure this out,I ordered t5577 fobs from china,and tested to clone,a few of fobs which are indala,em 4100 and io prox are succeed to clone no issue,but other fobs like hid,awid,and pyramid etc. which I tried to clone did'nt work,so i tried to write block by block,and noticed that t5577 not allowed me to write block 3 to block 6,hope someone can point out what's wrong with these t5577 fobs,thanks in advance.

uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 207305 bytes (40%). Free: 316983 bytes (60%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

I tried to detect as follow
pm3)lf t55 detect
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 32
Seq. Term. : Yes
Block0 : 0x000880E8

pm3)lf t55 dump

Downlink Mode used : default/fixed bit length
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 000880E8 | 00000000000010001000000011101000
1 | FF800006 | 11111111100000000000000000000110
2 | C18C3F6E | 11000001100011000011111101101110
3 | 00000000 | 00000000000000000000000000000000
4 | 00000000 | 00000000000000000000000000000000
5 | 00000000 | 00000000000000000000000000000000
6 | 00000000 | 00000000000000000000000000000000
7 | FFFFFFFF | 11111111111111111111111111111111
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 000880E8 | 00000000000010001000000011101000
1 | E03902D0 | 11100000001110010000001011010000
2 | 007F2865 | 00000000011111110010100001100101
3 | 00A00003 | 00000000101000000000000000000011
pm3)lf t55 info

-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 2 - RF/32
eXtended mode : No
Modulation : 8 - Manchester
PSK clock frequency : 0
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 7
Password mode : No
Sequence Start Terminator : Yes
Fast Write : No
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x000880E8 00000000000010001000000011101000
pm3)lf t55 wr b 3 d AABBCCDD
-------------------------------------------------------------
Writing page 0 block: 03 data: 0xAABBCCDD

pm3)lf t55 read b 3

Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
3 | 00000000 | 00000000000000000000000000000000

pm3)lf t55 wr b 4 d AABBCCDD

Writing page 0 block: 04 data: 0xAABBCCDD

pm3)lf t55 read b 4

Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
4 | 00000000 | 00000000000000000000000000000000

pm3)lf t55 wr b 5 d AABBCCDD

Writing page 0 block: 05 data: 0xAABBCCDD

pm3)lf t55 read b 5

Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
5 | 00000000 | 00000000000000000000000000000000

pm3)lf t55 wr b 6 d AABBCCDD

Writing page 0 block: 06 data: 0xAABBCCDD

pm3)lf t55 read b 6

as you can see from block 3 to block 6,data are not changing at all,I don't think these fobs are password protected,I can write block 0 to block 2 and block 7 without any passwords,can anyone have an idea what made these fob not writing from block 3 to block 6,any help will be appreciated.

Last edited by seanedu (2022-07-20 04:12:20)

xugmu · 2022-08-28 23:35:10

In my opinion the problem is the keyfob. Instead of a t5577 it has a EM4305

iceman · 2022-08-30 21:17:10

... em4305 wouldn't react to t5577 write commands.

There is discussions on the discord server that several members has gotten tags from China which has been locked or is just bad for block 3-6 ...

Buy from another source and get real working ones

seanedu · 2022-09-02 13:10:23

Thanks to @xugmu and @iceman,I actually contacted supplier in china,they claimed that fobs are T5577 chips in it,to cut long story,I returned fobs and got partially refunded,so confused never happened before,@iceman,for discord,can you re invite me?I can't login saying invalid or ask for reinvitation from administrator,can you send me invitation please.

iceman · 2022-09-02 16:00:06

the vanity link got cancelled, but its back again...

https://discord.gg/iceman

seanedu · 2022-09-03 16:54:35

Hi,@iceman,I tried the link,still said that the invite may have expired,ask for new invite from administrator,can you resend me a new invite for me,thanks in advance.

iceman · 2022-09-04 17:10:28

odd, that invite works for me

seanedu · 2022-09-04 19:19:30

Hi,@iceman,it finally worked,thanks for that.

Proxmark3 community

Announcement

#1 2022-07-19 20:19:05

Help,can't write to block3 to block6 on T5577 fobs

#2 2022-08-28 23:35:10

Re: Help,can't write to block3 to block6 on T5577 fobs

#3 2022-08-30 21:17:10

Re: Help,can't write to block3 to block6 on T5577 fobs

#4 2022-09-02 13:10:23

Re: Help,can't write to block3 to block6 on T5577 fobs

#5 2022-09-02 16:00:06

Re: Help,can't write to block3 to block6 on T5577 fobs

#6 2022-09-03 16:54:35

Re: Help,can't write to block3 to block6 on T5577 fobs

#7 2022-09-04 17:10:28

Re: Help,can't write to block3 to block6 on T5577 fobs

#8 2022-09-04 19:19:30

Re: Help,can't write to block3 to block6 on T5577 fobs

Board footer