Research, development and trades concerning the powerful Proxmark3 device.
Hi,
I own a number of T5577 cards. They seem to work fine:
//--------------------------------------------------------------------------
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 844 2014-02-06 22:03:08
#db# os: svn 848 2014-03-17 23:06:49
#db# FPGA image built on 2014/02/25 at 07:43:59
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
<EM410x tag placed on antenna>
proxmark3> lf em4x em410xread
Auto-detected clock rate: 64
EM410x Tag ID: 04120d6ed4
<T5577 card placed on antenna>
proxmark3> lf em4x em410xwrite 04120d6ed4 1
Writing T55x7 tag with UID 0x04120d6ed4 (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xff81232836ceed36
<T5577 card still placed on antenna>
proxmark3> lf em4x em410xread
Auto-detected clock rate: 64
EM410x Tag ID: 04120d6ed4
//--------------------------------------------------------------------------
However using the T5577 as a HID prox is not working:
//--------------------------------------------------------------------------
proxmark3> lf hid clone 0123456789
Cloning tag with ID 123456789
proxmark3> lf hid fskdemod
proxmark3>
//--------------------------------------------------------------------------
Do you have a clue about what's going on? Reading a (real) HID prox with 'lf hid fskdemod' works just fine. Do I need to initialize the T5577 first? Something else? Thanks for your help!
Cheers,
Jeroen
Offline
You should first learn about HID site and facility codes. Read the proxcard2 datasheet.
Offline
You should first learn about HID site and facility codes. Read the proxcard2 datasheet.
The ID 0123456789 is just an example. If I read an actual valid ID from a real card (which I don't want to post here) and try to clone it, the outcome is the same.
Cheers,
Jeroen
Offline
Are you sure that the code that you are using is a valid 44-bit code?
If the format information contained in the front part of the code is wrong then the HID reader will not recognize it as a valid card.
Here are a few examples. Can you get any of these to work?
44-bit Code   FC    Card#
02006F764DD   123   45678
02006020002   001   00001
0200603FFFF   001   65535
02005FFFFFF   255   65535
Offline
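As an added example (not part of the original posts and not Proxmark3 code), this sketch checks the "front part" and the parity bits of the codes in the table above. The header constant 0x801 and the bit positions are assumptions inferred from the four example codes together with the standard 26-bit layout (even parity, 8-bit facility code, 16-bit card number, odd parity); `decode_hid26` and `check` are hypothetical names.

```python
# Added example: decode the 26-bit payload carried in a Proxmark3 HID tag ID.
# Assumed layout, inferred from the example codes in the post above:
#   bits 37..26 = 0x801 (format header), bit 25 = even parity,
#   bits 24..17 = facility code, bits 16..1 = card number, bit 0 = odd parity.

HEADER_26BIT = 0x801  # assumption: constant seen in all four example codes


def decode_hid26(code_hex):
    """Return (facility_code, card_number) or raise ValueError with the reason."""
    code = int(code_hex, 16)
    if code >> 44:
        raise ValueError("more than 44 bits")
    if code >> 26 != HEADER_26BIT:
        raise ValueError("format header is not the 26-bit pattern")
    wiegand = code & 0x3FFFFFF            # the 26 data and parity bits
    upper13 = wiegand >> 13               # even parity bit + first 12 data bits
    lower13 = wiegand & 0x1FFF            # last 12 data bits + odd parity bit
    if bin(upper13).count("1") % 2 != 0:
        raise ValueError("even parity check failed")
    if bin(lower13).count("1") % 2 != 1:
        raise ValueError("odd parity check failed")
    return (wiegand >> 17) & 0xFF, (wiegand >> 1) & 0xFFFF


def check(code_hex):
    """Return a one-line verdict for a code, never raising."""
    try:
        fc, card = decode_hid26(code_hex)
        return f"{code_hex}: FC {fc}, card {card}"
    except ValueError as err:
        return f"{code_hex}: rejected ({err})"


if __name__ == "__main__":
    # The four codes from the table above, plus the ID from the first post.
    for sample in ["02006F764DD", "02006020002", "0200603FFFF",
                   "02005FFFFFF", "0123456789"]:
        print(check(sample))
```

The ID from the first post is rejected at the header check, while the four table entries decode to the FC and Card# values listed.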
Are you sure that the code that you are using is a valid 44-bit code?
If the format information contained in the front part of the code is wrong then the HID reader will not recognize it as a valid card.
Here are a few examples. Can you get any of these to work?
44-bit Code   FC    Card#
02006F764DD   123   45678
02006020002   001   00001
0200603FFFF   001   65535
02005FFFFFF   255   65535
proxmark3> lf hid clone 02006F764DD
Cloning tag with ID 2006f764dd
#db# DONE!
proxmark3> lf hid fskdemod
<nothing happens>
<reset>
lf hid clone 02006020002
#db# DONE!
proxmark3> lf hid fskdemod
<nothing happens>
Offline
Are you doing an lf read before the lf hid fskdemod?
Offline
Are you doing an lf read before the lf hid fskdemod?
Doesn't matter: the result is the same.
Offline
3 commands to read a prox should look like:
lf read
data samples 16000
lf hid demod
Last edited by marshmellow (2014-03-21 18:04:46)
Offline
Make that: lf hid demod
Offline
Ok new try:
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: master/v1.1.0-24-g92d255d-suspect 2014-10-14 21:38:36
#db# os: master/v1.1.0-24-g92d255d-suspect 2014-10-14 21:38:38
#db# LF FPGA image built on 2014/ 6/23 at 9:25:13
<real HID Prox placed on antenna, data obfuscated>
proxmark3> lf hid fskdemod
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
<pm3 button pressed>
#db# Stopped
<T5577 placed on antenna>
proxmark3> lf hid clone 2e********
Cloning tag with ID 2e********
#db# DONE!
proxmark3> lf hid fskdemod
<T5577 removed and placed on antenna>
<nothing>
<T5577 removed, original HID Prox placed on antenna>
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
#db# TAG ID: 2e******** (****)
..
So it seems that the T5577 is not detected / recognized? Any clues?
Tags are for sure writable, checked with a simple LF cloner device. I've tried two types of T5577s.
Last edited by jeroen (2014-10-15 20:36:36)
Offline
I think the clue is that you've used a 'simple cloner device' on the cards.
These tend to password-protect them making them writeable only by the same cloner from that point in time onwards.
However it is possible to reset passwords with the PM3 - take a look at this thread: http://proxmark.org/forum/viewtopic.php?pid=11778#p11778
If the cloner is a little blue handheld one then try writing to the card with the command: lf t55xx writeblockPWD 00148041 0 51243648 - it just may get your cards up and running again for HID cloning.
If it's a little white multi-frequency cloner then user diaconom decoded the password for it and the command would be: lf t55xx writeblockPWD 00148041 0 000D8787
Last edited by gbhuk (2014-10-16 04:28:06)
Offline