Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
// T5567WriteBlock(0x603E10E2,0);
I came across this configuration, and I am not sure how it would work on a real reader. Could you please help me understand it better?
To ease the discussion, we had better use the same doc, ATA5577C, found here: ATA5577C
Last edited by ntk (2017-07-06 20:55:39)
According to the author: "//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)"
Check Table 5-3, Block 0 Page 0 X mode (Configuration Mapping in X Mode); we have 32 bits:
b0 lock bit, should be 0
b1..b4 master key, could be 6 or 9 or neither
b9..b14 data bit rate
b15 must be 1 for extended mode
b16..b20 modulation
b21..b22 PSK CF
b23 AOR
b24 OTP
b25..b27 max block
b28 PWD
b29 STT
b30 fast DL
b31 inverse data
b32 init delay
So what we have here:
hex 0x603E10E2 is 0110 0000 0011 1110 0001 0000 1110 0010
with bit 0 as lock bit = 0, the mapping is
0 0110 0000 001111 1 00001 00 0 0 111 0 0 0 1 0
What the author wants is "Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)"....
bit 15 is 1
bit 31 is 1
modulation bits are 00001
bit rate 001111
What does that mean for bit rate 001111? According to the ATA table for extended mode, that is RF/(2n+2):
 n   n in 6-bit binary   RF/(2n+2)
 0   000000              RF/2
 1   000001              RF/4
 3   000011              RF/8
 7   000111              RF/16
15   001111              RF/32
19   010011              RF/40
24   011000              RF/50
31   011111              RF/64
49   110001              RF/100
63   111111              RF/128
Ah, I understand now: the trick is extended mode, and there is a bit 0 added to the hex number converted to binary. According to Table 5.3 there is a bit 0, then bit 1, bit 2 ... bit 32, so there are 33 bits we have to check here, not just mapping down the 32 bits coming from the converted result of the hex 0x603E10E2, which was 0110 0000 0011 1110 0001 0000 1110 0010.
You are correct, Marschmellow. The author of the Indala code can use this config as an alternative configuration data block for an Indala tag with a long UID.
Last edited by ntk (2017-07-02 10:36:38)
Now to confirm: there was this configuration, which in the past I thought was wrong
0x603E0080
What is it for? Is this wrong or right?
0x603E0080, which in binary is 01100000000010000001000001000000
with b0 as lock bit = 0, assuming it is again an extended mode configuration block 0, its mapping is
0 0110 0000 000010 0 00001 00 0 0 010 0 0 0 0 0
In the case of 0x603E0080, our b15 isn't 1, so it can't be an extended configuration.
What is it in basic configuration?
The author would like to emulate a tag with RF/128, PSK-CF RF/2, direct modulation; 4 max data blocks, no PW, no ST... What else can it be? I rarely see an RF/128 bit rate, but the rest seems to make sense. Is it what the author wanted?
I noted this down long ago. Today I know I could use lf t55xx det, trace, dump to see its content... My note was: repeating of two data blocks, hence I thought the configuration for 4 max data blocks was unnecessary, or mistaken.
Last edited by ntk (2017-07-02 10:53:46)
0x603E0080
0 0110 0000 001111 1 00000 00 0 0 100 0 0 0 0 0
bit 15 = 1, so extended mode; RF/32, direct modulation, 4 data blocks, no inverse
Last edited by ntk (2017-07-07 16:05:57)
60081040, extracted from the thread DKS - DOORKING - 125khz - WHITE FOB
Assuming this is an extended configuration:
0 0110 0000 000010 0 00001 00 0 0 010 0 0 0 0 0
bit 15 = 0, so it can't be an X-mode configuration.
If it is a basic configuration, then RF/32; PSK1; 2 blocks; no PW, no invert, no STT
But why use 60081040 instead of just 00081040?
According to ATA5577C doc,
1. If the Master Key is 6 the test mode access is disabled
2. If the Master Key is neither 6 nor 9, the extended function mode and Init Delay are disabled
and if the configuration is in X-mode, then
1. If the Master Key is 6 and bit 15 is set, the test mode access is disabled and the extended mode is active
2. If the Master Key is 9 and bit 15 is set, the extended mode is enabled
further
●Master key = 9: Test mode access and extended mode are both enabled.
● Master key = 6: Any test mode access will be denied but the extended mode is still enabled
Remarkably, if the master key is set to 6, one needs to remember something about the OTP bit (OTP == Off The Pist!?!?):
"If the OTP bit is set to 1, all memory blocks are write protected and behave as if all lock bits are set to 1. If, in addition, the master key is set to 6, the Atmel ATA5577C mode of operation is locked forever (one-time-programming functionality). If the master key is set to 9, test-mode access allows re-configuration of the tag."
Hmmm, "allows re-configuration of the tag". What is the difference?
Don't we re-configure a tag many times with master key code = 0?
Why should one make his life more miserable and set master key = 6 to disable test mode? Or remember to set MK = 9 to reconfigure a tag?
Last edited by ntk (2017-07-06 22:01:49)
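The block 0 mapping worked through by hand in the posts above (0x603E10E2 and 0x603E0080 in X-mode, 60081040 read as a basic configuration), plus the master-key rules quoted from the datasheet in the last post, as one added example. This is not code from the proxmark3 project and not code from ntk; it only follows the bit positions listed in the thread (bit 1 = MSB, bit 32 = LSB, "bit 0" = lock bit outside the word) and treats X-mode as active only when bit 15 is set and the master key is 6 or 9, which is the datasheet statement quoted above. Function names and dict keys are my own.

```python
"""Decode and encode the T5577 (ATA5577C) page 0 block 0 configuration word.

Added example; this is not proxmark3 code and not code from ntk's posts.
Bit positions use the datasheet numbering the thread uses: bit 1 is the MSB
of the 32-bit word, bit 32 the LSB, and "bit 0" is the lock bit, which is not
part of the word (it is shown as a leading 0 when printing).
"""

BASIC_RATES = (8, 16, 32, 40, 50, 64, 100, 128)   # basic mode: 3-bit code in bits 12-14

MODULATIONS = {0x00: "Direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
               0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
               0x08: "Manchester", 0x10: "Biphase", 0x18: "Biphase-a"}

PSK_CF = {0: "RF/2", 1: "RF/4", 2: "RF/8", 3: "reserved"}

# X-mode layout of Table 5-3 as listed in the thread: (name, first bit, last bit)
X_FIELDS = [("lock", 0, 0), ("master_key", 1, 4), ("unused", 5, 8),
            ("bitrate", 9, 14), ("x_mode", 15, 15), ("modulation", 16, 20),
            ("psk_cf", 21, 22), ("aor", 23, 23), ("otp", 24, 24),
            ("maxblock", 25, 27), ("pwd", 28, 28), ("stt", 29, 29),
            ("fast_dl", 30, 30), ("inverse", 31, 31), ("init_delay", 32, 32)]


def field(word, first, last):
    """Datasheet bits first..last of a 32-bit word (bit 1 = MSB, bit 32 = LSB)."""
    return (word >> (32 - last)) & ((1 << (last - first + 1)) - 1)


def grouped_bits(word):
    """Render the word as the thread does: lock bit 0, then one group per X-mode field."""
    groups = ["0"]                                  # lock bit lives outside the word
    for name, first, last in X_FIELDS[1:]:
        groups.append(format(field(word, first, last), "0%db" % (last - first + 1)))
    return " ".join(groups)


def decode_block0(word):
    """Decode block 0 into named settings.  Extended mode is honoured only when
    bit 15 is set AND the master key is 6 or 9 (datasheet rule quoted in the
    thread); otherwise the basic-mode bit-rate field (bits 12-14) is used."""
    mk = field(word, 1, 4)
    x_bit = bool(field(word, 15, 15))
    x_mode = x_bit and mk in (6, 9)
    if x_mode:
        rate = 2 * field(word, 9, 14) + 2           # 6-bit code n -> RF/(2n+2)
    else:
        rate = BASIC_RATES[field(word, 12, 14)]     # 3-bit code -> fixed table
    mod = field(word, 16, 20)
    otp = bool(field(word, 24, 24))
    return {
        "master_key": mk,
        "x_mode": x_mode,
        "x_bit_ignored": x_bit and not x_mode,      # bit 15 set, but master key not 6/9
        "test_mode_access": mk == 9,                # 6 denies test mode, 9 allows it
        "bitrate": "RF/%d" % rate,
        "modulation": MODULATIONS.get(mod, "reserved(0x%02x)" % mod),
        "psk_cf": PSK_CF[field(word, 21, 22)],
        "aor": bool(field(word, 23, 23)),
        "otp": otp,
        "locked_forever": otp and mk == 6,          # OTP + master key 6: locked for good
        "maxblock": field(word, 25, 27),
        "pwd": bool(field(word, 28, 28)),
        "stt": bool(field(word, 29, 29)),
        "fast_dl": bool(field(word, 30, 30)),
        "inverse": bool(field(word, 31, 31)),
        "init_delay": bool(field(word, 32, 32)),
    }


def encode_block0(master_key=0, bitrate=32, modulation="Direct", psk_cf="RF/2",
                  maxblock=1, x_mode=False, aor=False, otp=False, pwd=False,
                  stt=False, fast_dl=False, inverse=False, init_delay=False):
    """Build a block 0 word from named settings (inverse of decode_block0)."""
    if x_mode and (master_key not in (6, 9) or bitrate % 2 or not 2 <= bitrate <= 128):
        raise ValueError("X-mode needs master key 6 or 9 and bit rate RF/(2n+2), n in 0..63")
    values = dict(master_key=master_key, x_mode=int(x_mode), maxblock=maxblock,
                  modulation={v: k for k, v in MODULATIONS.items()}[modulation],
                  psk_cf={v: k for k, v in PSK_CF.items()}[psk_cf],
                  aor=int(aor), otp=int(otp), pwd=int(pwd), stt=int(stt),
                  fast_dl=int(fast_dl), inverse=int(inverse), init_delay=int(init_delay))
    if x_mode:
        values["bitrate"] = (bitrate - 2) // 2       # RF/(2n+2) -> n in bits 9-14
    else:
        values["basic_rate"] = BASIC_RATES.index(bitrate)   # RF/n -> code in bits 12-14
    word = 0
    for name, first, last in X_FIELDS + [("basic_rate", 12, 14)]:
        value = values.get(name, 0)
        if not 0 <= value < (1 << (last - first + 1)):
            raise ValueError("%s=%d does not fit in bits %d..%d" % (name, value, first, last))
        word |= value << (32 - last)
    return word


if __name__ == "__main__":
    for word in (0x603E10E2, 0x603E0080, 0x60081040):     # the three words in the thread
        print("0x%08X  %s" % (word, grouped_bits(word)))
        print("            %s" % decode_block0(word))
```

Running it prints the same grouped bit strings the posts derived by hand, and decode_block0 makes the master-key caveat visible: 0x003E10E2 (same bits as the Indala word but master key 0) reports x_bit_ignored and falls back to the basic-mode bit-rate field, which reads as RF/128. encode_block0 goes the other way, so the "Alternative config for Indala" word can be rebuilt from its named settings instead of by hand.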