Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-03-04 23:02:15

egon2
Contributor
Registered: 2017-03-01
Posts: 9

Pigeon

sorry for my angielski.have proxmark3 5 days I am looking for possibilities of change em tag id.Not clone.I know that doing.I do not know whether it PM3.this possible?

I am green.so much from one chip.




-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key                 : 3
reserved                  : 97
Data bit rate             : 7 - RF/128
eXtended mode             : No
Modulation                : 3 - PSK 3 phase change on rising edge of input
PSK clock frequency       : 3
AOR - Answer on Request   : Yes
OTP - One Time Pad        : Yes - Warning
Max block                 : 6
Password mode             : No
Sequence Start Terminator : No
Fast Write                : No
Inverse data              : No
POR-Delay                 : No
-------------------------------------------------------------
Raw Data - Page 0
     Block 0  : 0x3C3C3FC0  0011110000111100001111111100000
-------------------------------------------------------------
proxmark3>



----------------------------------------------------------
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | 78787F80 | 0111100001111000011111111000000
  1 | 3C3C3FC0 | 0011110000111100001111111100000
  2 | 3C3C3FC0 | 0011110000111100001111111100000
  3 | 87F807F8 | 1000011111111000000001111111100
  4 | 3C3C3FC0 | 0011110000111100001111111100000
  5 | C3FC03FC | 1100001111111100000000111111110
  6 | C3FC03FC | 1100001111111100000000111111110
  7 | 87F807F8 | 1000011111111000000001111111100
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
  0 | 3C3C3FC0 | 0011110000111100001111111100000
  1 | C3FC03FC | 1100001111111100000000111111110
  2 | 87F807F8 | 1000011111111000000001111111100
  3 | 87F807F8 | 1000011111111000000001111111100
proxmark3>

one chip


proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | 3C3C3FC0 | 0011110000111100001111111100000
  1 | E1FE01FE | 1110000111111110000000011111111
  2 | 1E1E1FE0 | 0001111000011110000111111110000
  3 | E1FE01FE | 1110000111111110000000011111111
  4 | E00001FE | 1110000000000000000000011111111
  5 | E00001FE | 1110000000000000000000011111111
  6 | E00001FE | 1110000000000000000000011111111
  7 | E1FE01FE | 1110000111111110000000011111111
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
  0 | E1FE01FE | 1110000111111110000000011111111
  1 | E1FE01FE | 1110000111111110000000011111111
  2 | E1FE01FE | 1110000111111110000000011111111
  3 | C00003FC | 1100000000000000000000111111110

also this chip



proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | 01FE01FE | 0000000111111110000000011111111
  1 | E00001FE | 1110000000000000000000011111111
  2 | E00001FE | 1110000000000000000000011111111
  3 | E00001FE | 1110000000000000000000011111111
  4 | E1FC03FC | 1110000111111100000000111111110
  5 | 000001FE | 0000000000000000000000011111111
  6 | 00FF00FF | 0000000011111111000000001111111
  7 | FE1E1E1E | 1111111000011110000111100001111
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
  0 | E1FE01FE | 1110000111111110000000011111111
  1 | 000001FE | 0000000000000000000000011111111
  2 | 000001FC | 0000000000000000000000011111110
  3 | E0000000 | 1110000000000000000000000000000
proxmark3>

Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
proxmark3> lf t55 det
Chip Type  : T55x7
Modulation : DIRECT/NRZ
Bit Rate   : 0 - RF/8
Inverted   : No
Offset     : 51
Seq. Term. : No
Block0     : 0xF00001FE

proxmark3>



proxmark3> lf se
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

EM410x pattern found:

EM TAG ID      : C77B38773C

Possible de-scramble patterns
Unique TAG ID  : E3DE1CEE3C
HoneyWell IdentKey {
DEZ 8          : 03700540
DEZ 10         : 2067298108
DEZ 5.5        : 31544.30524
DEZ 3.5A       : 199.30524
DEZ 3.5B       : 123.30524
DEZ 3.5C       : 056.30524
DEZ 14/IK2     : 00856765790012
DEZ 15/IK3     : 000978684014140
DEZ 20/ZK      : 14031314011214140312
}
Other          : 30524_056_03700540
Pattern Paxton : 3343693116 [0xC74CB53C]
Pattern 1      : 5561502 [0x54DC9E]
Pattern Sebury : 30524 56 3700540  [0x773C 0x38 0x38773C]

Valid EM410x ID Found!
proxmark3>

proxmark3> lf em 4x05dump
Read Address 00 | failed
Read Address 01 | failed
PWD Address 02 | cannot read
Read Address 03 | failed
Read Address 04 | failed
Read Address 05 | failed
Read Address 06 | failed
Read Address 07 | failed
Read Address 08 | failed
Read Address 09 | failed
Read Address 10 | failed
Read Address 11 | failed
Read Address 12 | failed
Read Address 13 | failed
Read Address 14 | failed
Read Address 15 | failed
proxmark3>


please suggestions

Offline

#2 2017-03-04 23:31:52

egon2
Contributor
Registered: 2017-03-01
Posts: 9

Re: Pigeon

This chip is pigeon racing.sorry for my englisch. hitag?100%?

Offline

#3 2017-03-05 09:40:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Pigeon

Either you have the wrong config for t55x7, or your tag is not t55x7.  All that data is wrong.

Your tag could be em4x05,  try those commands instead. They are under lf em

Offline

#4 2017-03-05 16:21:20

egon2
Contributor
Registered: 2017-03-01
Posts: 9

Re: Pigeon

Thanks for your fast answer. I tried many times and nothing worked so far. May it be HITAG? I tried commands for hitag - no results. Are there any scripts you can recommend for hitag?

Offline

#5 2017-03-05 19:11:46

egon2
Contributor
Registered: 2017-03-01
Posts: 9

Re: Pigeon

I also tried to do this using your fork.

Producer says it's hitag2.
No hitag2 function is working (any fork).
I've got proxmark v3, maybe antenna is too weak.
Spits some shit on tt55.

Offline

#6 2017-03-05 19:17:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Pigeon

the hitag2 code is PoC,  but should work both in PM3 Master and in my fork.   You always need a good antenna.

Offline

#7 2017-03-06 15:43:31

Onisan
Contributor
From: London
Registered: 2016-07-18
Posts: 88

Re: Pigeon

I don't think this is Hitag2 Tag as Page 1 would be the Password and you need to log into the tag before you can read it.
Also page three would need to start With one of the following:
06 - Password Mode
0E - Crypto Mode
02 - Public Mode A
00 - Public Mode B
04 - Public Mode C

Last edited by Onisan (2017-03-06 15:57:57)

Offline

#8 2017-03-08 13:50:01

egon2
Contributor
Registered: 2017-03-01
Posts: 9

Re: Pigeon

proxmark3> hw tune
pm3 ~$ ./client/proxmark3.exe com8
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2017-03-01 13:17:16
os: /-suspect 2017-03-01 13:17:17
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 192467 bytes (73%). Free: 69677 byt
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune

Measuring antenna characteristics, please wait........#db# DownloadFPGA(len: 42096)
.
# LF antenna: 30.52 V @   125.00 kHz
# LF antenna: 31.35 V @   134.00 kHz
# LF optimal: 36.85 V @   129.03 kHz
# HF antenna: 29.21 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

/\
Is it correct?

Something is wrong: i cant make a dump of card t5577 original without password . It reads her similiar to data in post #1 - no results. With hitag command it doesnt work at all. What should i change and check? Using HF everything works.

Last edited by egon2 (2017-03-08 13:53:53)

Offline

#9 2017-03-08 23:50:47

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Pigeon

your lf antenna is fine voltage wise, though small tags require small antennas.  so if you are working with a tag that is keyfob or smaller in size you may need a smaller antenna than is shipped with any pm3.

also t55xx commands require a t55xx detect or config that is successful and accurate before any other t55xx commands will output anything useful.  they also can be finicky and depend on precise distance from the antenna. (and they only work on t55xx compatible chips)

if it is a hitag2 then it must be configured to public-mode A to output an em410x ID.  read up on the datasheets and command help docs.

Offline

Board footer

Powered by FluxBB