Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I have a programmed EM410x tag and want to clone it to T5577 tag.
The firmware on my PM3 and antenna tuning are as follows:
Prox/RFID mark3 RFID instrument
bootrom: master/v2.3 2016-09-19 20:28:38
os: master/v2.3 2016-09-19 20:28:38
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 183707 bytes
581 bytes (65%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
Measuring antenna characteristics, please wait........#db# Down
96)
.
# LF antenna: 13.89 V @ 125.00 kHz
# LF antenna: 28.60 V @ 134.00 kHz
# LF optimal: 28.60 V @ 131.87 kHz
# HF antenna: 0.74 V @ 13.56 MHz
# Your HF antenna is unusable.
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Then I placed the EM410x tag I want to clone on the antenna and ran the following command:
1. lf em4x em410xwatch
proxmark3> lf em4x em410xwatch
#db# DownloadFPGA(len: 42096)
Reading 8201 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
EM410x pattern found:
EM TAG ID : 3100E2B749
Unique TAG ID : 8C0047ED92
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 14858057
DEZ 10 : 0014858057
DEZ 5.5 : 00226.46921
DEZ 3.5A : 049.46921
DEZ 3.5B : 000.46921
DEZ 3.5C : 226.46921
DEZ 14/IK2 : 00210468255561
DEZ 15/IK3 : 000601300135314
DEZ 20/ZK : 08120000040714130902
}
Other : 46921_226_14858057
Pattern Paxton : 838268233 [0x31F6F549]
Pattern 1 : 12089222 [0xB87786]
Pattern Sebury : 46921 98 6469449 [0xB749 0x62 0x62B749]
Then I placed the T5577 tag I want to write to on the antenna and ran:
2. lf t55xx config
proxmark3> lf t55xx config
Chip Type : T55x7
Modulation : ASK
Bit Rate : 0 - RF/8
Inverted : No
Offset : 0
Seq. Term. : No
Block0 : 0x00000000
3. lf t55xx bruteforce 00000000 ffffffff
proxmark3> lf t55xx bruteforce 00000000 ffffffff
Search password range [00000000 -> FFFFFFFF]
...Chip Type : T55x7
Modulation : DIRECT/NRZ
Bit Rate : 0 - RF/8
Inverted : Yes
Offset : 32
Seq. Term. : No
Block0 : 0xF0000000
Found valid password: [00000002]
From this I gather that the password of the T5577 tag is: 00000002
-------------------------------------------------------------------------------------------
NOW I WANT TO CLONE THE EM410x TAG TO THE T5577 TAG:
---I placed the EM410x tag on the antenna again and ran:
1. proxmark3> lf em4x em410xsim 8c0047ed92
Starting simulating UID 8C0047ED92 clock: 64
Press pm3-button to about simulation
Sending [4096 bytes]........
Starting to simulate
#db# Stopped
2. proxmark3> lf t55xx write
Nothing happens. What am I doing wrong?
Last edited by CoolLink (2017-01-18 10:12:57)
Now when I run
1. proxmark3> lf t55xx read b 0 p 00000002
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 33
Seq. Term. : Yes
Block0 : 0x00088040
Safety Check: PWD bit is NOT set in config block. Reading without password...
0 | 00088040 | 00000000000010001000000001000000
-------
Is the password changed???
and then:
proxmark3> lf t55xx detect
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 33
Seq. Term. : Yes
Block0 : 0x00088040
Why is block0 different now?
It is rare that your t55xx card has the password bit set. Chinese cloner tools do it, but otherwise no.
If you want to clone an em410x, just use those commands https://github.com/Proxmark/proxmark3/w … ds#lf-em4x
There is no need to manually program the t55xx blocks for em410x. It's a practice if you want to learn more.
@iceman, here is what I did but still no luck:
1. EM410x tag
proxmark3> lf em4x em410xwatch
Reading 8201 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
EM410x pattern found:
EM TAG ID : 3100E2B749
Unique TAG ID : 8C0047ED92
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 14858057
DEZ 10 : 0014858057
DEZ 5.5 : 00226.46921
DEZ 3.5A : 049.46921
DEZ 3.5B : 000.46921
DEZ 3.5C : 226.46921
DEZ 14/IK2 : 00210468255561
DEZ 15/IK3 : 000601300135314
DEZ 20/ZK : 08120000040714130902
}
Other : 46921_226_14858057
Pattern Paxton : 838268233 [0x31F6F549]
Pattern 1 : 12089222 [0xB87786]
Pattern Sebury : 46921 98 6469449 [0xB749 0x62 0x62B749]
2. proxmark3> data rawdemod am
Using Clock:64, Invert:0, Bits Found:128
ASK/Manchester - Clock: 64 - Decoded bitstream:
0100101101110111
1010011001011110
1111111110011000
0110000000000111
0100101101110111
1010011001011110
1111111110011000
0110000000000111
EM410x pattern found:
EM TAG ID : 3100E2B749
Unique TAG ID : 8C0047ED92
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 14858057
DEZ 10 : 0014858057
DEZ 5.5 : 00226.46921
DEZ 3.5A : 049.46921
DEZ 3.5B : 000.46921
DEZ 3.5C : 226.46921
DEZ 14/IK2 : 00210468255561
DEZ 15/IK3 : 000601300135314
DEZ 20/ZK : 08120000040714130902
}
Other : 46921_226_14858057
Pattern Paxton : 838268233 [0x31F6F549]
Pattern 1 : 12089222 [0xB87786]
Pattern Sebury : 46921 98 6469449 [0xB749 0x62 0x62B749]
3. proxmark3> lf em4x em410xwrite 8c0047ed92 1
Writing T55x7 tag with UID 0x8c0047ed92 (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xffc700025fddc8be
4. proxmark3> lf t55xx read
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
5. proxmark3> lf t55xx special
OFFSET | DATA | BINARY
----------------------------------------------------
00 | 0xFF986007 | 11111111100110000110000000000111
01 | 0xFF30C00E | 11111111001100001100000000001110
02 | 0xFE61801D | 11111110011000011000000000011101
03 | 0xFCC3003A | 11111100110000110000000000111010
04 | 0xF9860074 | 11111001100001100000000001110100
05 | 0xF30C00E9 | 11110011000011000000000011101001
06 | 0xE61801D2 | 11100110000110000000000111010010
07 | 0xCC3003A5 | 11001100001100000000001110100101
08 | 0x9860074B | 10011000011000000000011101001011
09 | 0x30C00E96 | 00110000110000000000111010010110
10 | 0x61801D2D | 01100001100000000001110100101101
11 | 0xC3003A5B | 11000011000000000011101001011011
12 | 0x860074B7 | 10000110000000000111010010110111
13 | 0x0C00E96E | 00001100000000001110100101101110
14 | 0x1801D2DD | 00011000000000011101001011011101
15 | 0x3003A5BB | 00110000000000111010010110111011
16 | 0x60074B77 | 01100000000001110100101101110111
17 | 0xC00E96EF | 11000000000011101001011011101111
18 | 0x801D2DDE | 10000000000111010010110111011110
19 | 0x003A5BBD | 00000000001110100101101110111101
20 | 0x0074B77A | 00000000011101001011011101111010
21 | 0x00E96EF4 | 00000000111010010110111011110100
22 | 0x01D2DDE9 | 00000001110100101101110111101001
23 | 0x03A5BBD3 | 00000011101001011011101111010011
24 | 0x074B77A6 | 00000111010010110111011110100110
25 | 0x0E96EF4C | 00001110100101101110111101001100
26 | 0x1D2DDE99 | 00011101001011011101111010011001
27 | 0x3A5BBD32 | 00111010010110111011110100110010
28 | 0x74B77A65 | 01110100101101110111101001100101
29 | 0xE96EF4CB | 11101001011011101111010011001011
30 | 0xD2DDE997 | 11010010110111011110100110010111
31 | 0xA5BBD32F | 10100101101110111101001100101111
32 | 0x4B77A65E | 01001011011101111010011001011110
33 | 0x96EF4CBC | 10010110111011110100110010111100
34 | 0x2DDE9979 | 00101101110111101001100101111001
35 | 0x5BBD32F2 | 01011011101111010011001011110010
36 | 0xB77A65E4 | 10110111011110100110010111100100
37 | 0x6EF4CBC9 | 01101110111101001100101111001001
38 | 0xDDE99792 | 11011101111010011001011110010010
39 | 0xBBD32F25 | 10111011110100110010111100100101
40 | 0x77A65E4B | 01110111101001100101111001001011
41 | 0xEF4CBC96 | 11101111010011001011110010010110
42 | 0xDE99792D | 11011110100110010111100100101101
43 | 0xBD32F25B | 10111101001100101111001001011011
44 | 0x7A65E4B7 | 01111010011001011110010010110111
45 | 0xF4CBC96E | 11110100110010111100100101101110
46 | 0xE99792DD | 11101001100101111001001011011101
47 | 0xD32F25BB | 11010011001011110010010110111011
48 | 0xA65E4B77 | 10100110010111100100101101110111
49 | 0x4CBC96EF | 01001100101111001001011011101111
50 | 0x99792DDE | 10011001011110010010110111011110
51 | 0x32F25BBD | 00110010111100100101101110111101
52 | 0x65E4B77A | 01100101111001001011011101111010
53 | 0xCBC96EF4 | 11001011110010010110111011110100
54 | 0x9792DDE9 | 10010111100100101101110111101001
55 | 0x2F25BBD3 | 00101111001001011011101111010011
56 | 0x5E4B77A6 | 01011110010010110111011110100110
57 | 0xBC96EF4C | 10111100100101101110111101001100
58 | 0x792DDE99 | 01111001001011011101111010011001
59 | 0xF25BBD32 | 11110010010110111011110100110010
60 | 0xE4B77A65 | 11100100101101110111101001100101
61 | 0xC96EF4CB | 11001001011011101111010011001011
62 | 0x92DDE997 | 10010010110111011110100110010111
63 | 0x25BBD32F | 00100101101110111101001100101111
The data from the em410x tag is not written to the t5577 tag? What is wrong?
How do you know? You didn't attempt to read an em410x.
I'm guessing @OP is confused with how a t55x7 card works.
T55x7 can emulate a lot of different tags.
The question is to read the actual t55x7 blocks or to read the emulated bytes. It's here people get confused.
LF T55XX commands read/write actual blocks on t55x7.
LF SEARCH, LF EM410x*, LF READ all read the emulated data on a T55x7.
@marshmellow, the read from the em410x gives:
proxmark3> lf em4x em410xread
EM410x pattern found:
EM TAG ID : 3100E2B749
Unique TAG ID : 8C0047ED92
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 14858057
DEZ 10 : 0014858057
DEZ 5.5 : 00226.46921
DEZ 3.5A : 049.46921
DEZ 3.5B : 000.46921
DEZ 3.5C : 226.46921
DEZ 14/IK2 : 00210468255561
DEZ 15/IK3 : 000601300135314
DEZ 20/ZK : 08120000040714130902
}
Other : 46921_226_14858057
Pattern Paxton : 838268233 [0x31F6F549]
Pattern 1 : 12089222 [0xB87786]
Pattern Sebury : 46921 98 6469449 [0xB749 0x62 0x62B749]
@iceman, my mistake was to use the unique Tag ID instead of the EM Tag ID
then:
proxmark3> lf em4x em410xwrite 3100e2b749 1
Writing T55x7 tag with UID 0x3100e2b749 (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xff9860074b77a65e
and:
proxmark3> lf search
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found:
EM TAG ID : 3100E2B749
Unique TAG ID : 8C0047ED92
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 14858057
DEZ 10 : 0014858057
DEZ 5.5 : 00226.46921
DEZ 3.5A : 049.46921
DEZ 3.5B : 000.46921
DEZ 3.5C : 226.46921
DEZ 14/IK2 : 00210468255561
DEZ 15/IK3 : 000601300135314
DEZ 20/ZK : 08120000040714130902
}
Other : 46921_226_14858057
Pattern Paxton : 838268233 [0x31F6F549]
Pattern 1 : 12089222 [0xB87786]
Pattern Sebury : 46921 98 6469449 [0xB749 0x62 0x62B749]
Valid EM410x ID Found!
--------
Which is similar to the original em410x tag.
Thanks guys for the help. Much appreciated.
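Why the first write produced a different tag, as an added example (not part of the thread and not Proxmark3 firmware code): it builds the 64-bit EM410x frame (9 header bits, 10 rows of 4 data bits plus even parity, 4 column-parity bits, stop bit) and reproduces both "written with" values from the logs above. Function names are hypothetical, and the byte-wise bit reversal for "Unique TAG ID" is inferred from the values shown in the thread.

```python
# Added illustration (not Proxmark3 firmware code): EM410x 64-bit frame layout.
# All function names here are hypothetical.

def em410x_frame(id_hex: str) -> int:
    """Encode a 40-bit EM410x ID (10 hex digits) into the 64-bit frame."""
    nibbles = [int(c, 16) for c in id_hex]
    if len(nibbles) != 10:
        raise ValueError("EM410x ID must be exactly 10 hex digits")
    bits = [1] * 9                                  # header: nine 1 bits
    cols = [0, 0, 0, 0]
    for n in nibbles:
        row = [(n >> s) & 1 for s in (3, 2, 1, 0)]  # 4 data bits, MSB first
        bits += row + [sum(row) & 1]                # even row parity
        cols = [c ^ b for c, b in zip(cols, row)]
    bits += cols + [0]                              # column parity + stop bit
    return int("".join(map(str, bits)), 2)


def em410x_decode(frame: int) -> str:
    """Recover the ID from a 64-bit frame, rejecting any parity error."""
    bits = [(frame >> (63 - i)) & 1 for i in range(64)]
    if bits[:9] != [1] * 9 or bits[63] != 0:
        raise ValueError("bad header or stop bit")
    cols, digits = [0, 0, 0, 0], []
    for r in range(10):
        row = bits[9 + 5 * r: 14 + 5 * r]
        if sum(row) & 1:
            raise ValueError(f"row {r} parity error")
        cols = [c ^ b for c, b in zip(cols, row[:4])]
        digits.append("%X" % int("".join(map(str, row[:4])), 2))
    if cols != bits[59:63]:
        raise ValueError("column parity error")
    return "".join(digits)


def unique_tag_id(id_hex: str) -> str:
    """'Unique TAG ID' as printed by the client: each byte bit-reversed."""
    raw = bytes.fromhex(id_hex)
    return "".join("%02X" % int(f"{b:08b}"[::-1], 2) for b in raw)


if __name__ == "__main__":
    for tag_id in ("3100E2B749", "8C0047ED92"):     # both IDs from the thread
        print(tag_id, hex(em410x_frame(tag_id)), unique_tag_id(tag_id))
```

The two IDs encode to different frames, so a reader that validates the ID sees a different credential when the bit-reversed "Unique TAG ID" is written instead of the "EM TAG ID".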
Great that you solved it.
I do suggest you edit your first post and add "[solved]" to your subject.
Also, I recommend that in the future you use pastebin.com for sharing logs and tracelogs and output and stuff that is long.
@iceman, thanks, will do so.
Last edited by CoolLink (2017-01-18 10:10:45)
Can the EM410X be cloned as a T5577 tag?