Problems reading 125Khz T5557 card

DingYao · 2015-06-01 06:09:09

Hi, I have problems reading a T5557 card I recently bought on the the proxmark3.
None of the commands work, however a lf search u does detect the card.

Would appreciate any help I can get. Below is a quote of the output. Thanks in advance!

proxmark3> lf search u
#db# Sampling config:
#db# [q] divisor: 95
#db# bps: 8
#db# [d] decimation: 1
#db# [a] averaging: 1
#db# [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff ff ff e5 9f 5d ...
Reading 20000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

No Known Tags Found!

Checking for Unknown tags:
Possible Auto Correlation of 32 repeating samples
Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod a
b'
010101770101010771
010101770101010771
010101770101010771
01010177010101111
010101770101010771
010101770101010771
010101770101010771
010101770101010771
010101770101010771
010101770101010771
010101770101010771
010101770101010771
010101770101010770
110101770101010771
010101770101010771
010101770101010771
010101770101010771
010101770101010771
010101770101010771
010101770101010771
010101770101010771

DingYao · 2015-06-01 08:40:45

If you have written corrupted block 0 data to a t5557 card, is it possible to recover the card?

i.e

lf t55xx write 0 11111111

It does not respond to any read/write commands now.

iceman · 2015-06-01 09:50:01

Did you do a "lf t55xx detect" before trying to read/dump/info?

DingYao · 2015-06-01 09:57:49

Yes I did, but I could not find the modulation.

I realise this occurs after I run the

em410xwrite <UID> 1

command. This command seems to corrupts the card.
After running this command I can no long read or write to the card.

DingYao · 2015-06-01 09:59:03

The thing is I cannot write to the card at all.

Running

lf tm55xx write 0 <8 hex characters>

seems to do nothing to the card. Is the card damaged?

iceman · 2015-06-01 10:00:18

bummer, if it is a t55xx tag you can always write a new config block to the tag. That usually make the tag alive again.

iceman · 2015-06-01 10:01:48

lf t55xx write 0 00008040
lf t55xx detect
lf t55xx info

DingYao · 2015-06-01 10:02:05

Yea I suspected so. That's weird.

Are there any sample config blocks I can try? The operation of the write command is independent of the modulation right?

DingYao · 2015-06-01 10:18:02

I tried that but it still does not work. I cannot write to block 0. If I write a corrupted block 0 value to the card, etc.

11110001

, will the card still accept write commands?

DingYao · 2015-06-01 10:19:15

Also, does OTP affect the writing of block0?

iceman · 2015-06-01 10:31:16

t55xx is very nice, it listens to the write command regardless what you wrote to the config block 0.
However, if its in password mode, you kind of need to add a password
how does the graph look like after you try a "lf read/data samples 2000"?
and after a "lf t55xx read 0"?

DingYao · 2015-06-02 11:15:44

This is the graph. Could you help me identify if its in password mode? Thanks in advance!

DingYao · 2015-06-02 11:20:23

Also, what is the default data and config in blocks 0 - 7 in a new blank t5557 card?

iceman · 2015-06-02 12:02:40

A ask default config block 0, would be as I wrote earlier: "00008040"
the rest of the blocks is only interesting if you want the tag to emulate another tagtype.. (ie config yr t55x7 to be a em410x)

However, there is two different reads I want you to show and you didn't say which one you are showing.

DingYao · 2015-06-02 17:33:26

The tag does not allow me to write to block 0. I tried to write "00008040" to the tag, but nothing seems to happen to the tag.

Here are the data from the different reads! Thanks so much from your help!

lf t55xx read 0

lf read samples 2000

marshmellow · 2015-06-02 17:37:26

hmmm that isn't possible. it looks like you must not have sent the lf read - data samples 2000 correctly. (the plot still has 11996 samples in it)...
(they are separate commands - lf read - then - data samples 2000)

DingYao · 2015-06-02 18:02:44

Oh I see! Here is the updated data samples data. Thanks marshmellow for pointing out the error! I was wondering why both graphs look the same.

marshmellow · 2015-06-02 18:24:17

it looks like the sequence terminator is turned on. the t5xx commands do not yet work with this config. (write commands should though.)

DingYao · 2015-06-02 18:29:52

What is the sequence terminator?

The write commands don't work as well

marshmellow · 2015-06-02 18:37:11

are you sending the write command correctly? from the output above it looks like you likely have a valid t55xx tag (as it seems to respond to the read command if you notice the unmodulated starting point in your first plot image and the fact that the data shown isn't the same as the data in just a lf read.). meaning there is no reason the write command shouldn't work.

unless you have a t5555 or a Q5. there is a bug in the write of that tag in recent code (or at least i hear)

DingYao · 2015-06-02 18:45:04

I'm quite sure I am. Below is the screenshot of the commands.

marshmellow · 2015-06-02 19:32:04

Try holding the tag a little off the antenna?

DingYao · 2015-06-02 19:34:22

Tried that. It still does not work Are there any possible causes of such a scenario? Is there a one-time pad on T55xx cards?

iceman · 2015-06-02 19:49:52

the signal is strong, should be able to get a "lf t55xx info" out of it.. but it can't detect a clock..
how about you do it manually. use the "lf t55xx config" to set the ask, maybe a clock of 64 or 32...
and use the offset.. to skip until after the sequence marker... that should give you a good read...

marshmellow · 2015-06-02 20:02:58

it shouldn't affect the write command, as that always works. (as long as password isn't set, and yours isn't)
try the write command a few times in a row, sometimes the tag misses the start of command from the reader.

iceman · 2015-06-02 20:16:21

*edited*

or change the timings in lfops.c ... (and flash )

Last edited by iceman (2015-06-02 20:44:21)

marshmellow · 2015-06-02 20:22:22

iso14443a.c ??? you mean lfops.c

iceman · 2015-06-02 20:43:41

yes, yes, yes.. that was excatly what I meant.. ..

DingYao · 2015-06-03 02:22:15

Hmm, what offset value should I use in this case?

I asked the supplier of the card. He informed me that it is not preconfigured with a password. The default configuration of block0 is "00 08 80 E8".

Does "lf em4x em410xwrite" write a password to the card?

iceman · 2015-06-03 08:55:11

Please understand the difference when you are dealing with a t55x7 tag.

A t55x7 tag can be configured to emulate different LF tags via modulation, bitrates, etc
When you want to read / write / configure the t55x7 you need to use the specific t55xx commands.

when you want to test if your t55x7 tag has been programmed correct, ie to emulate for instance a em410x tag, you can use the "LF SEARCH" or in this case "LF EM4X" commands to see if it behavies correct. It behaves correct when you can get a good read and value out of it.

CONFUSION: the "lf em4x write" command doesnt write to a em4x tag (since they are readonly) , it tries to configure a t55x7 tag to emulate a em4x tag. However this command doesn't use a password. SO if your t55x7 tag is in password mode, you need to use the t55xx commands to re-configure it to not use password. Then you can use the "lf em4x write" command..

ok?

DingYao · 2015-06-03 16:12:49

I see.

But is there a way to tell if the t55xx is in password mode (e.g. analyzing the graph) besides trying to tag write failure?
What is the best offset value to use and how to calculate it?

Thanks so much for your help iceman!

Last edited by DingYao (2015-06-03 16:13:08)

iceman · 2015-06-03 17:23:38

yes, look at the config block there is a nice "lf t55xx info" command too

marshmellow · 2015-06-03 17:25:25

... The config block is not readable when it is in password mode unless you use the password with the read command

iceman · 2015-06-03 17:30:47

To see if a tag is in password mode (without having the password), on my t55x7 tags the data plot looks like "static noise"

If you can't sniff the tag / reader and figuring out the password, you might have to test default pwds like

0x00000000
0xFFFFFFFFF

There is these two known passwords.

Known cloner passwords:
	0x51243648
	0x000D8787

Last edited by iceman (2015-06-03 17:32:11)

DingYao · 2015-06-03 19:12:43

I have experimented with the tag. From the looks of the data plot it isn't static noise, nor did I write it with a password hence it is unlikely to be password protected. However, the tag still does not respond to write commands.

I've tried setting the config to ASK modulation and played around with the bit rates but to no avail. I get erronous data from the tag (all 7 blocks are the same).

Is it possible that the tag has been permenantly locked? If not, perhaps this is a Q5 tag and not a t5557 tag..

marshmellow · 2015-06-03 19:37:22

Make sure there is little around the pm3 and antenna/tag while sending the write. I've noticed the t5xxx is very sensitive to electromagnetic interference.

marshmellow · 2015-06-03 19:39:57

The t5557 is very old and wasn't tested with the new t55xx commands. It is possible it suffers from the same issues the q5 is right now. I am working to fix the q5 issue.

iceman · 2015-06-03 19:59:57

actually, I just call my tags for t55x7, but I don't know exactly which model they are.

I usually need some space between my tag and lf antenna. 1cm?

but when I have the right config settings for the tag, it works perfect. (with my timings, )

Proxmark3 community

Announcement

#1 2015-06-01 06:09:09

Problems reading 125Khz T5557 card

#2 2015-06-01 08:40:45

Re: Problems reading 125Khz T5557 card

#3 2015-06-01 09:50:01

Re: Problems reading 125Khz T5557 card

#4 2015-06-01 09:57:49

Re: Problems reading 125Khz T5557 card

#5 2015-06-01 09:59:03

Re: Problems reading 125Khz T5557 card

#6 2015-06-01 10:00:18

Re: Problems reading 125Khz T5557 card

#7 2015-06-01 10:01:48

Re: Problems reading 125Khz T5557 card

#8 2015-06-01 10:02:05

Re: Problems reading 125Khz T5557 card

#9 2015-06-01 10:18:02

Re: Problems reading 125Khz T5557 card

#10 2015-06-01 10:19:15

Re: Problems reading 125Khz T5557 card

#11 2015-06-01 10:31:16

Re: Problems reading 125Khz T5557 card

#12 2015-06-02 11:15:44

Re: Problems reading 125Khz T5557 card

#13 2015-06-02 11:20:23

Re: Problems reading 125Khz T5557 card

#14 2015-06-02 12:02:40

Re: Problems reading 125Khz T5557 card

#15 2015-06-02 17:33:26

Re: Problems reading 125Khz T5557 card

#16 2015-06-02 17:37:26

Re: Problems reading 125Khz T5557 card

#17 2015-06-02 18:02:44

Re: Problems reading 125Khz T5557 card

#18 2015-06-02 18:24:17

Re: Problems reading 125Khz T5557 card

#19 2015-06-02 18:29:52

Re: Problems reading 125Khz T5557 card

#20 2015-06-02 18:37:11

Re: Problems reading 125Khz T5557 card

#21 2015-06-02 18:45:04

Re: Problems reading 125Khz T5557 card

#22 2015-06-02 19:32:04

Re: Problems reading 125Khz T5557 card

#23 2015-06-02 19:34:22

Re: Problems reading 125Khz T5557 card

#24 2015-06-02 19:49:52

Re: Problems reading 125Khz T5557 card

#25 2015-06-02 20:02:58

Re: Problems reading 125Khz T5557 card

#26 2015-06-02 20:16:21

Re: Problems reading 125Khz T5557 card

#27 2015-06-02 20:22:22

Re: Problems reading 125Khz T5557 card

#28 2015-06-02 20:43:41

Re: Problems reading 125Khz T5557 card

#29 2015-06-03 02:22:15

Re: Problems reading 125Khz T5557 card

#30 2015-06-03 08:55:11

Re: Problems reading 125Khz T5557 card

#31 2015-06-03 16:12:49

Re: Problems reading 125Khz T5557 card

#32 2015-06-03 17:23:38

Re: Problems reading 125Khz T5557 card

#33 2015-06-03 17:25:25

Re: Problems reading 125Khz T5557 card

#34 2015-06-03 17:30:47

Re: Problems reading 125Khz T5557 card

#35 2015-06-03 19:12:43

Re: Problems reading 125Khz T5557 card

#36 2015-06-03 19:37:22

Re: Problems reading 125Khz T5557 card

#37 2015-06-03 19:39:57

Re: Problems reading 125Khz T5557 card

#38 2015-06-03 19:59:57

Re: Problems reading 125Khz T5557 card

Board footer