Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
So, I set a password on my T5577 and it promptly stopped letting me access the configuration. After several hours of digging I think it's a bug in the client.
Using latest git:
proxmark3> hw ver
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: master/v2.2.0-227-g51b4267-suspect 2016-09-04 23:48:18
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 185644 bytes (35%). Free: 338644 bytes (65%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
New card, 'detect' works fine:
proxmark3> lf t55xx detect
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 32
Seq. Term. : Yes
Block0 : 0x000880E8
Writing EM4x data works:
proxmark3> lf em4x em410xwrite 181507BA4D 1 64
Writing T55x7 tag with UID 0x181507ba4d (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xff8e23501f7a2764
Locking it down:
proxmark3> lf t55xx write b 7 d DEADBEEF
Writing page 0 block: 07 data: 0xDEADBEEF
proxmark3> lf t55xx write b 0 d 00148050
Writing page 0 block: 00 data: 0x00148050
However, now 'detect' fails and 'info' returns garbage:
proxmark3> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
proxmark3> lf t55xx info
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 1
reserved : 123
Data bit rate : 6 - RF/100
eXtended mode : Yes - Warning
Modulation : 2 - PSK 2 phase change on bitclk if input high
PSK clock frequency : 1
AOR - Answer on Request : Yes
OTP - One Time Pad : Yes - Warning
Max block : 3
Password mode : No
Sequence Start Terminator : No
Fast Write : Yes
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x1F7A2764 00011111011110100010011101100100
-------------------------------------------------------------
However, since I set the password, I know it. Providing it to 'detect' works:
proxmark3> lf t55 detect p deadbeef
Chip Type : T55x7
Modulation : ASK
Bit Rate : 5 - RF/64
Inverted : No
Offset : 33
Seq. Term. : Yes
Block0 : 0x00148050
But 'read' or 'write' fails:
proxmark3> lf t55xx read b 1 p deadbeef
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Safety Check: Could not detect if PWD bit is set in config block. Exits.
After some "Use the source, Luke!" I discovered the "override" flag. Using it allows read/write to work:
proxmark3> lf t55xx read b 1 p deadbeef o
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Safety Check Overriden - proceeding despite risk
1 | FF8E2350 | 11111111100011100010001101010000
So, why do I need to force an override when reading/writing?
Offline
If you provide a password on a read to a chip not configured for a password it can write and lock the tag permanently.
Offline
Ok, but always requiring the "override" flag when reading/writing chips which are password protected doesn't help at all as it gets put right next to the password (there's no point in providing a password without it).
Last edited by lonewolf (2016-09-11 15:25:00)
Offline
The logic is like this:
A) "p deadbeef" -- Try detect in config block if pwdmode bit is set. if set, allow to read.
B) "p deadbeef o" -- never mind trying to detect in configblock, just read it, I know what I am doing..
For us, A) means that users who thinks the pwd bit is set and tries it because they actually don't know what they are doing, does have the chance of perma locking, like @marshmellow said.
The option B) is go a head, you are on your own now.
We felt this gives safety and flexibility to everyone, but if you don't like it just change it for your own taste. It will however not come into the PM3 Master. For that you will need to convince @marshmellow and me.
Offline
My original point was your "A" case fails and it is not detecting the config block when a password is set. This means I must always provide the "o" when providing a password.
If using a password is so dangerous, why does "detect" not need the override flag?
Offline
Because I'vent gotten around to implement it. @marshmellow thinks more of users than I do. If you use the password option, you should know what you are doing. Thats my philosophy. If you want to brick your tag, thats fine with me.
However the question you should be asking is why does the detection fail in case A if the "lf t55 detect" finds the pwd bit set...
Offline
That's what I was trying to imply in my original question, sorry if that wasn't clear.
Offline
Funny thing when looking at the code, it can't detect the pwd-bit because it can't read configurationblock without password.
"The chicken or the egg"
Offline