Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
HW: PM3 Easy
Own key: T5577 identified as a Pyramid ID
Objective: Clone to another T5577
proxmark3> lf search
#db# Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 30000 out of 30000 seen samples at 8 bits/sample
#db# buffer samples: 72 39 07 37 94 d2 fc b5 ...
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
Pyramid ID Found - BitLength: 26, FC: 35, Card: 2034 - Wiegand: 2460fe5, Raw: 000101010101010101010164313ecb04
Checksum 04 passed
Valid Pyramid ID Found!
----------------
proxmark3> lf t55xx detect
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 0
Block0 : 0x00107080
-----------------
proxmark3> lf t55xx dump
0x00107080 00000000000100000111000010000000 [0]
0x00010101 00000000000000010000000100000001 [1]
0x01010101 00000001000000010000000100000001 [2]
0x01010164 00000001000000010000000101100100 [3]
0x310E5DE5 00110001000011100101110111100101 [4]
0x00000000 00000000000000000000000000000000 [5]
0x00000000 00000000000000000000000000000000 [6]
0x00000000 00000000000000000000000000000000 [7]I tried the following:
1) write to a new t5577 tag manually using the WriteBlock command in PM windows client block by block (i.e. from 0 - 7) with the same HEX code from own key. Verified result on the new t5577 tag and all the data seem identical.
2) write to an old t5577 tag (used) using the WriteBlock command as 1), however the data on the 2nd t5577 tag never change, across all blocks.
Would love to check (a) if what i did in (1) was the best way to clone a t5577. if not, how can i improve efficiencies. (b) Is the reason I couldnt re-write the t5577 tag because it's brick? Can I reset the fob data so i can re-use the tag again? (c) In general, are t5577 fobs re-programmable?
PS: Below is what I see for the old t5577 tag.
proxmark3> lf search
#db# Sampling config:
#db# [q] divisor: 95
#db# [b] bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 30000 out of 30000 seen samples at 8 bits/sample
#db# buffer samples: 00 4b b0 f1 ff d1 91 58 ...
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
Pyramid ID Found - BitLength: 26, FC: 35, Card: 471 - Wiegand: 24603ae, Raw: 000101010101010101010164310e5de5
Checksum e5 passed
Valid Pyramid ID Found!
proxmark3> lf t55xx detect
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 33
Block0 : 0x80107080
proxmark3> lf t55xx dump
0x40083840 01000000000010000011100001000000 [0]
0x50010808 01010000000000010000100000001000 [1]
0x01010101 00000001000000010000000100000001 [2]
0x01010164 00000001000000010000000101100100 [3]
0x8627D968 10000110001001111101100101101000 [4]
0x00000000 00000000000000000000000000000000 [5]
0x00000000 00000000000000000000000000000000 [6]
0x00000000 00000000000000000000000000000000 [7] Thank you all heaps!
Last edited by ccdfun (2017-11-28 06:04:18)
Offline
In your data output the last block differs from the first card, so that is why it's not reading on the reader. Yes all AT5577 can be re-written. You can prevent this by using a password on the chip though...
Last edited by hkplus (2018-05-07 18:11:25)
Offline
Pages: 1