I came across this blue T55x7 fob of my friend's. It looks easy, but I cannot understand it. It shows different information in lf search and in lf t55 dump, and then the clone does not work at the reader at all. It recognizes it, but then blinks and does nothing else.
My current SW is
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-28-g1cbb352-suspect 2017-07-01 13:28:51
os: master/v3.0.1-28-g1cbb352-suspect 2017-07-01 13:29:04
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
When I ran search, it says no tag found
proxmark3> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 1 repeating samples
Too many errors found, clk: 16, invert: 0, numbits: 2155, errCnt: 280
Valid T55xx Chip Found
Try lf t55xx ... commands
No Data Found!
proxmark3>
I suspected it did read something, so I ran
proxmark3> data pri x
DemodBuffer: E41336F5E41336F5E41336F5E41336F5E41336F5E41336F5E41336F5E4FFFFFFFFFFFFFFFFFFFF
It looks like it is sending a repeating pattern of 1 data block of value E41336F5.
After restarting the system, it shows the same repeating pattern.
But cloning would be easy peasy because it is a T55x7 blue fob, so I checked
lf t55 dec
lf t55 dump
proxmark3> lf t55xx detect
Chip Type : T55x7
Modulation : DIRECT/NRZ
Bit Rate : 15 - RF/32
Inverted : No
Offset : 31
Seq. Term. : No
Block0 : 0x603E0000
proxmark3>
proxmark3> lf t55xx dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 603E0080 | 01100000001111100000000010000000
1 | 03F00FC0 | 00000011111100000000111111000000
2 | 6F9324D9 | 01101111100100110010010011011001
3 | 806C9378 | 10000000011011001001001101111000
4 | 813C689B | 10000001001111000110100010011011
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | C07C0100 | 11000000011111000000000100000000
1 | E0150A5C | 11100000000101010000101001011100
2 | E0728D4B | 11100000011100101000110101001011
proxmark3>
Seeing that we have got some data,
I copied the configuration block and 4 data blocks, and ran my check on the clone
proxmark3> lf t55xx detect
Chip Type : T55x7
Modulation : DIRECT/NRZ
Bit Rate : 15 - RF/32
Inverted : No
Offset : 30
Seq. Term. : No
Block0 : 0x603E0080
proxmark3>
proxmark3> lf t55xx dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 603E0080 | 01100000001111100000000010000000
1 | 0E1C0E1C | 00001110000111000000111000011100
2 | 6F9324D9 | 01101111100100110010010011011001
3 | 806C9378 | 10000000011011001001001101111000
4 | 813C689B | 10000001001111000110100010011011
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 603E0080 | 01100000001111100000000010000000
1 | E0150A61 | 11100000000101010000101001100001
2 | 0C431158 | 00001100010000110001000101011000
proxmark3>
Oh dear, why does it look very different? And the worse news is: the clone does not work on the real reader.
Please help.
What did I do wrong?
Why, when I write to the T5577 and read back without moving the fob, is the result different? Is it normal? I have elec house and I have tried different distances. I did repeat the writing several times, but each time the clone's reading is different.
Last edited by M&S (2017-07-07 18:51:14)
You'll want to verify the t55xx dump with a demod of the repeating output by running
lf read
data rawdemod nr
data printd x
(Try other offsets too ... data printd x o 1)
You should see something similar to the t55xx dump of blocks 1 to 4.
But the block read of t55xx has trouble knowing exactly what bit to start at and can be off for many configurations.
Thank you, Mashmellow. I had forgotten to check with offsets. I do see the piece of the data now at offset = 1 or 5.
proxmark3> data printd x o 1
DemodBuffer: 1806C9378813C689B
03F00FC06F9324D9806C9378813C689B
03F00FC06F9324D9806C9378813C689B
03F00FC06F9324D9806C9378813C689B
03F00FC06F9324D
proxmark3> data printd x o 5
DemodBuffer: 806C9378813C689B
03F00FC06F9324D9806C9378813C689B
03F00FC06F9324D9806C9378813C689B
03F00FC
06F9324D9806C9378813C689B03F00FC06F9324D9
Which means the dump of the clone did show the data that the original fob should have. So why is the fob not working at the reader?
Sorry, I haven't kept the trace file of the original fob; it appeared to be too easy a job.
I just discovered something odd: Block0 in "lf t55 det" showed the value 0x603E0000, but in "lf t55 dum" Block0 was 603E0080. I think I did copy the block0 data and the data of blocks 1 to 4.
Looks like the block 1 didn't take on your clone. Sometimes you have to try to write twice.
I see the mistake now: in the original, block1 is 03F00FC0, but in the clone it is 0E1C0E1C.
Thank you. It was odd because I always double-write blocks 0 to 4 in order. This time, after writing block 0 to block 4, I then wrote block1 twice more, and now when I check I do get 03F00FC0... So it should work on the real reader, right?
It is still weird...
Anyway, thank you for pointing out that fault.
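The cross-check suggested earlier in the thread (compare the t55xx dump with the demodulated repeating output, at any bit offset) can be scripted. The Python below is an added example, not part of any post here and not Proxmark3 client code: it decodes the Block0 word and searches the demod stream for each block the configuration says is transmitted. The function names are hypothetical and the field layout is the T5577 datasheet's as recalled here; the block values and the demod stream are the ones quoted in the thread.

```python
# Added example. Block values are copied from the dumps quoted in the thread.
MODS = {0x00: "direct/NRZ", 0x08: "Manchester", 0x10: "biphase"}
BASIC_RATES = (8, 16, 32, 40, 50, 64, 100, 128)

def decode_block0(word):
    """Decode a T55x7 configuration word; datasheet bit 1 is the MSB."""
    def bits(first, count):
        return (word >> (33 - first - count)) & ((1 << count) - 1)
    master = bits(1, 4)
    # Extended mode needs master key 6 or 9 and the X-mode bit (bit 15).
    xmode = master in (0x6, 0x9) and bits(15, 1) == 1
    # Extended mode encodes the rate as RF/(2n+2); basic mode uses a table.
    rf_div = 2 * bits(9, 6) + 2 if xmode else BASIC_RATES[bits(12, 3)]
    mod = bits(16, 5)
    return {"xmode": xmode, "rf_div": rf_div, "maxblock": bits(25, 3),
            "modulation": MODS.get(mod, "other (0x%02X)" % mod)}

def find_blocks(demod_hex, blocks):
    """Map block number -> first bit offset in the demod stream, or None."""
    stream = format(int(demod_hex, 16), "0%db" % (len(demod_hex) * 4))
    hits = {}
    for number, word in blocks.items():
        pos = stream.find(format(word, "032b"))
        hits[number] = pos if pos >= 0 else None
    return hits

def check_dump(block0, blocks, demod_hex):
    """Search the stream for blocks 1..maxblock, the ones the tag transmits."""
    cfg = decode_block0(block0)
    wanted = {n: blocks[n] for n in range(1, cfg["maxblock"] + 1)}
    return cfg, find_blocks(demod_hex, wanted)

ORIGINAL = {1: 0x03F00FC0, 2: 0x6F9324D9, 3: 0x806C9378, 4: 0x813C689B}
CLONE = {**ORIGINAL, 1: 0x0E1C0E1C}   # block 1 as first read back from the clone
# "data printd x o 5" output from the thread, first three lines joined.
DEMOD = "806C9378813C689B" + "03F00FC06F9324D9806C9378813C689B" * 2

if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL), ("clone", CLONE)):
        cfg, hits = check_dump(0x603E0080, dump, DEMOD)
        print(name, cfg)
        for number, pos in hits.items():
            state = "not in stream" if pos is None else "at bit %d" % pos
            print("  block %d: %s" % (number, state))
```

Decoding the 0x603E0000 value printed by detect gives a max block of 0 instead of 4, which is the only field in which the two Block0 readings differ.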