Research, development and trades concerning the powerful Proxmark3 device.
You should run "lf t55 detect" first, it should configure the card with the right offsets. Setting offsets manually is for when you are having difficulties.
I usually save the blocks in reverse, like block 2, then 1, and block 0 at the end.
And if you doubt your card, I recommend the following procedure:
lf t55 wipe
lf t55 detect
lf t55 write b 2
lf t55 write b 1
lf t55 write b 0
lf t55 detect
lf t55 dump
You should run "lf t55 detect" first, it should configure the card with the right offsets. Setting offsets manually is for when you are having difficulties.
Yeah, I'm setting it manually because detect fails:
proxmark3> lf t55 detect
Found [3] possible matches for modulation.
--[1]---------------
Chip Type : T55x7
Modulation : DIRECT/NRZ
Bit Rate : 0 - RF/8
Inverted : No
Offset : 55
Seq. Term. : No
Block0 : 0xF0000000
--[2]---------------
Chip Type : T55x7
Modulation : DIRECT/NRZ
Bit Rate : 0 - RF/8
Inverted : Yes
Offset : 32
Seq. Term. : No
Block0 : 0x0000001F
--[3]---------------
Chip Type : T55x7
Modulation : PSK1
Bit Rate : 2 - RF/32
Inverted : No
Offset : 29
Seq. Term. : No
Block0 : 0x00081040
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
Once I figured out it was simply inverting block 2 on the read, it wasn't a problem. The official IDTK reader reads the tag just fine, which is the important part.
'lf t55 detect' has a tendency to identify NRZ when the tag is configured for PSK. I also get three possible config blocks.
In your block0, you have "I 1" (inverted=true)
When I try it without, I get the expected outcome.
pm3 --> lf t55 con b 32 d PSK1 o 28
Chip Type : T55x7
Modulation : PSK1
Bit Rate : 2 - RF/32
Inverted : No
Offset : 28
Seq. Term. : Yes
Block0 : 0x00000000
pm3 --> lf t55 write b 2 d 5CF30BF5
Writing page 0 block: 02 data: 0x5CF30BF5
pm3 --> lf t55 write b 1 d 4944544B
Writing page 0 block: 01 data: 0x4944544B
pm3 --> lf se
Checking for known tags:
IDTECK Tag Found: Card ID 0 , Raw: 4944544B5CF30BF5
Valid Idteck ID Found!
pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
00 | 00081040 | 0000000000001000000100000100000
01 | 4944544B | 0100100101000100010101000100101
02 | 5CF30BF5 | 0101110011110011000010111111010
03 | 00000000 | 0000000000000000000000000000000
...cut...
Not sure if it's my card or my PM3, but that's not what I'm seeing:
proxmark3> lf t55 det
Found [3] possible matches for modulation.
--[1]---------------
Chip Type : T55x7
Modulation : DIRECT/NRZ
Bit Rate : 0 - RF/8
Inverted : No
Offset : 55
Seq. Term. : No
Block0 : 0xF0000000
--[2]---------------
Chip Type : T55x7
Modulation : DIRECT/NRZ
Bit Rate : 0 - RF/8
Inverted : Yes
Offset : 32
Seq. Term. : No
Block0 : 0x0000001F
--[3]---------------
Chip Type : T55x7
Modulation : PSK1
Bit Rate : 2 - RF/32
Inverted : Yes
Offset : 28
Seq. Term. : No
Block0 : 0x00081040
The above says I need "i 1." Trying without gives:
proxmark3> lf t55 config b 32 d PSK1 o 28
Chip Type : T55x7
Modulation : PSK1
Bit Rate : 2 - RF/32
Inverted : No
Offset : 28
Seq. Term. : Yes
Block0 : 0x00000000
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | FFF7EFBF | 11111111111101111110111110111111
1 | B6BBABB4 | 10110110101110111010101110110100
2 | 5CF30BF5 | 01011100111100110000101111110101
3 | 00000000 | 00000000000000000000000000000000
4 | 00000000 | 00000000000000000000000000000000
...
Blocks 2+ are correct, but 0/1 are not. Setting i 1 results in blocks 2+ getting inverted but 0/1 are fine:
proxmark3> lf t55 config b 32 d PSK1 o 28 i 1
Chip Type : T55x7
Modulation : PSK1
Bit Rate : 2 - RF/32
Inverted : Yes
Offset : 28
Seq. Term. : Yes
Block0 : 0x00000000
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00081040 | 00000000000010000001000001000000
1 | 4944544B | 01001001010001000101010001001011
2 | A30CF40A | 10100011000011001111010000001010
3 | FFFFFFFF | 11111111111111111111111111111111
4 | FFFFFFFF | 11111111111111111111111111111111
...
I tried a "t55 wipe" and wrote block 2 then 1 then 0, but nothing changed.
Last edited by lonewolf (2017-01-13 07:17:54)
Strange, which firmware are you running?
Try the iceman fork, and see if you still have the same issue?
One idea to test:
take your t55x7 and flip one bit at a time in block 2, and test it against your valid reader and see what it outputs.
Already tried that, the reader doesn't register a tag. My guess is there is either a checksum or parity in those extra 8 bits.
dang,
did you analyse the reader firmware?
Still working on that, it's going to be a day or 2 before I can get it all wired up. Not sure if I'm going to be able to dump it, the PIC chip used has all-or-nothing code protect bits and does not allow partial erase/rewrite.
you could also look into the firmware update files.
I would love to, do you know where to find them?
use your google-fu
My Google-fu seems to be weak on this one :'( If you could send a link to modhex(ichthriifchjhbhehnhgiddthuhkhuduhehvht) it would be much appreciated.
iceman wrote:@lonewolf,
A manual review of the graphs ("data plot") agrees with the above ones/zeros as the first bit. Unless the format is 31+33 it's not p2.
I believe I just ran into a white idteck that uses the 31+33 bit format instead of the 32+32 bit.
Does this mean I use rawdem p2 instead of p1?
When I use p1 I get a match on the first 31 bits of block 1, then the 32nd bit is always a 7 or an error.
Any info helps
sounds like a read error. can you post a trace or plot?
or its that "half" stt bit you mentioned before @marshmellow?
sounds like a read error. can you post a trace or plot?
Uploaded two data samples 16000
http://www.filedropper.com/lkkdump
Thanks
hmmm. when was the last time you updated your client? it appears whatever your problem is has been fixed in the current github version as i can demod your traces without any errors.
or its that "half" stt bit you mentioned before @marshmellow?
i don't believe STT works with psk. at the very least the traces show no STT. so it is unrelated
hmmm. when was the last time you updated your client? it appears whatever your problem is has been fixed in the current github version as i can demod your traces without any errors.
Running binaries from the 2.5.0 proxmark sticky post @
http://www.proxmark.org/forum/viewtopic.php?id=1562
I don't yet know how to compile properly. I've gone through about 15 tutorials... still iffy about the process.
Every time I try I miss another dependency...
I was able to connect and upload the full image through the terminal. Was kinda proud right there..
Not giving up, just gonna have to dedicate some time.
Any advice on a quick compile? I can run Ubuntu, OS X, or Windows XP to 10.
Last edited by lockakey (2017-03-27 05:34:37)
Those v2.5.0 binaries from Asper are out of date. You could use some of the latest binaries from the other sticky thread http://www.proxmark.org/forum/viewtopic.php?id=3975 Those have builds based on the latest source, if I understand correctly.
About installation texts:
The wiki, the INSTALL.txt, the README.md and countless threads on this forum all have detailed explanations on how / what to do. Do please read and try it.
hmmm. when was the last time you updated your client? it appears whatever your problem is has been fixed in the current github version as i can demod your traces without any errors.
Ok, I updated to the latest client. I loaded the trace, and I ran a raw dem p1.
The output gave me
Using Clock:32, invert:0, Bits Found:500
PSK1 demoded bitstream:
0101000100101101
0010100001001110
0000101010000101
0010010100010001
0101000100101101
0010100001001110
0000101010000101
0010010100010001
0101000100101101
0010100001001110
0000101010000101
0010010100010001
0101000100101101
0010100001001110
0000101010000101
0010010100010001
0101000100101101
0010100001001110
0000101010000101
0010010100010001
0101000100101101
0010100001001110
0000101010000101
0010010100010001
0101000100101101
0010100001001110
0000101010000101
0010010100010001
0101000100101101
0010100001001110
0000101010000101
001
I do see a repeating pattern, I don't however see the matching correlation to the 0100100101000010001 from the 4944544B line in lonewolf's post.
Am I doing this process correctly?
It is in that binary string.
If you're not good at binary you could use
data printd x o 1
And change 1 to other offsets... (2, 3...)
You shoulda seen my jaw just drop when I ran x o 2....
I will test my binary set tomorrow. would you like me to post the markings on the side?
If you're not good at binary you could use
data printd x o 1
And change 1 to other offsets... (2, 3...)
So I got 2 sets of data: 4944544B as expected, and 4A1382A1.
Is it reasonable for me to believe that writing
b 0 00081040
b 1 4944544B
b 2 4A1382A1
should be a valid exercise for a clone?
Is there any reason that when I try to write this my b0 keeps changing to 55555555?
Maybe something is bit flipping?
Once you write a block 0, you need to run lf t55 detect again afterwards or set the configuration manually with the lf t55 config command.
is there any reason when I try to write this that by b0 keeps changing to 55555555?
Maybe something is bit flipping?
I always write b1+b2 first and then go back and write b0. Keeps from needing to re-detect (which fails more often than not).
Last edited by lonewolf (2017-04-01 21:09:53)
... needing to re-detect (which fails more often than not).
Failure rate is directly related to your antenna strength and how tuned it is to the tag size. I typically have a 90% detection rate with my home made antennas, but a lot less with bought antennas.
Even with "lf t55 detect" and tags programmed for PSK? Iceman seemed to imply it's normal for "lf t55 detect" to think PSK is NRZ.
Especially with PSK you need the right antenna for the right tag. For low PSK clocks (rf/16) it can be difficult to auto detect, but beyond that it can work pretty well.
Unfortunately, due to the way the chip communicates and the effect different antennas on the pm3 seem to have on its timing, it is difficult to get it perfect for all setups.
Is there an easy way to make a clone for these without a physical tag in hand? Picture of a Doorking tag that was sent to me has 409 186 19458 on it.
Last edited by atyppo (2017-09-14 20:42:15)
Not at this time. I've been meaning to brute force a bunch to try and determine a pattern / the algo, but haven't gotten around to trying.
Not at this time. I've been meaning to brute force a bunch to try and determine a pattern / the algo, but haven't gotten around to trying.
I'm not sure that I understand how it works even with a physical tag in hand. I can pull that off, it would just be easier to do it at home so I can troubleshoot more effectively. I already have a PM3. What commands do I need to run to clone it to a T5577 tag?
lf read
data hpf
data raw p1
and then 1 of: "data printd x" or "data printd x o 1" or "data printd x o 2" or "data printd x o 3" . One of those should produce an output like "...4944544Bxxxxxxxx4944544Bxxxxxxxx4944544Bxxxxxxxx4944544B..." . Those "xxxxxxxx" are your T5577 block 2.
Write the T5577:
lf t55xx write b 1 d 4944544B
lf t55xx write b 2 d xxxxxxxx
lf t55xx write b 0 d 00081040
lf read
data hpf
data raw p1
and then 1 of: "data printd x" or "data printd x o 1" or "data printd x o 2" or "data printd x o 3" . One of those should produce an output like "...4944544Bxxxxxxxx4944544Bxxxxxxxx4944544Bxxxxxxxx4944544B..." . Those "xxxxxxxx" are your T5577 block 2.
Write the T5577:
lf t55xx write b 1 d 4944544B
lf t55xx write b 2 d xxxxxxxx
lf t55xx write b 0 d 00081040
Ok, thanks. What data should I post for this tag when I read it? Any specific command syntaxes I should run?
Hi Iceman,
I am a bit confused about how you made a demod of it and hooked it up in "lf search".
Can you please explain how I can do that, or do I need to update my PM3, and if so where can I find the update?
Thank you
I've made a demod for it and hooked it up in 'lf search'.
Even if it has to invert, it still gets the same raw block 1.
pm3 --> da load traces/idtec/card-410-192-18710-shifted.pm3
loaded 29272 samples
pm3 --> lf se 1
Checking for known tags:
IDTECK Tag Found: Card ID 0 , Raw: 4944544BC58D8250
Valid Idteck ID Found!
pm3 --> da load traces/idtec/card-410-192-18711-shifted.pm3
loaded 28720 samples
pm3 --> lf se 1
Checking for known tags:
IDTECK Tag Found: Card ID 0 , Raw: 4944544B7DCEDE61
Valid Idteck ID Found!
pm3 --> da load traces/idtec/card-I1407-005-31920-shifted.pm3
loaded 28890 samples
pm3 --> lf se 1
Checking for known tags:
IDTECK Tag Found: Card ID 0 , Raw: 4944544B519AA55F
Valid Idteck ID Found!
pm3 -->
@atyppo I'm not sure why you need to post anything, I gave you all the commands you need to clone it.
@fidel It just searches for "4944544B" in the p1 demod data, it has no relation to the numbers written on the card. The same thing can be done manually with the commands in my last post.
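The search that lonewolf's command list does by hand (lf read, data hpf, data raw p1, then data printd x at offsets 0 to 3 until 4944544Bxxxxxxxx lines up) and that lf search automates (it just looks for 4944544B in the p1 demod data), written out as an added Python example; this is not code from the thread or from the Proxmark3 client, and the function names are my own. It embeds the 64-bit period from lockakey's raw dem p1 output earlier in the thread as its sample stream, and goes slightly beyond the manual method by scanning every bit alignment and the inverted stream as well.

```python
from typing import List, Optional, Tuple

# 64-bit period of lockakey's "raw dem p1" output quoted earlier (the four
# 16-bit lines that repeat); repeated here to stand in for the full buffer.
DEMOD = ("0101000100101101" "0010100001001110"
         "0000101010000101" "0010010100010001") * 3

IDTECK_MARKER = "4944544B"   # ASCII "IDTK": block 1 on every tag in the thread
MARKER_BITS = format(int(IDTECK_MARKER, 16), "032b")


def invert(bits: str) -> str:
    """Flip every bit, i.e. what a wrong 'i 0' / 'i 1' config does to a read
    (the B6BBABB4 seen for block 1 in the dumps above is 4944544B inverted)."""
    return bits.translate(str.maketrans("01", "10"))


def hex_at_offset(bits: str, offset: int) -> str:
    """Emulate 'data printd x o <offset>': drop <offset> leading bits and
    print the remaining whole nibbles as hex."""
    chunk = bits[offset:]
    chunk = chunk[: len(chunk) - len(chunk) % 4]
    return "".join(f"{int(chunk[i:i + 4], 2):X}" for i in range(0, len(chunk), 4))


def find_idteck_blocks(bits: str) -> List[Tuple[int, bool, str]]:
    """Search every bit alignment (what trying 'o 1', 'o 2', 'o 3' does by
    hand) for the 32-bit marker, in the stream as-is and inverted.  Returns
    (bit_offset, inverted, block2_hex) for each hit that has a full 32-bit
    word after the marker; that word is T5577 block 2."""
    hits = []
    for inverted in (False, True):
        stream = invert(bits) if inverted else bits
        pos = stream.find(MARKER_BITS)
        while pos != -1:
            word = stream[pos + 32: pos + 64]
            if len(word) == 32:
                hits.append((pos, inverted, f"{int(word, 2):08X}"))
            pos = stream.find(MARKER_BITS, pos + 1)
    return hits


def block2_if_consistent(bits: str) -> Optional[str]:
    """Return block 2 only if every repetition in the buffer agrees; a
    disagreement (or no hit) means a demod/read error like the '32nd bit is
    always wrong' symptom above, not a usable ID."""
    words = {word for _, _, word in find_idteck_blocks(bits)}
    return words.pop() if len(words) == 1 else None


if __name__ == "__main__":
    print("o 2 view:", hex_at_offset(DEMOD, 2))   # ...4944544B4A1382A1...
    for off, inv, word in find_idteck_blocks(DEMOD):
        print(f"marker at bit {off:3d} inverted={inv} block2={word}")
    print("block 2:", block2_if_consistent(DEMOD))
```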
@atyppo I'm not sure why you need to post anything, I gave you all the commands you need to clone it.
@fidel It just searches for "4944544B" in the p1 demod data, it has no relation to the numbers written on the card. The same thing can be done manually with the commands in my last post.
What I meant was if I should run any specific commands to help out you, @marshmellow or @iceman in finding a pattern in the tags.
More data points are always nice. Just need the number printed on the card and the 4944544Bxxxxxxxx ID read from it. You can email me if you don't want to post it.
Hi, Thank you for all your help,
the number is 11601-129-03854
Hi, Thank you for all your help,
the number is 11601-129-03854
Your number isn't 11601-129-03854, it's I1601... It starts with the letter I, not the number 1.
I1601 = Manufacture date = January of 2016
129 = Facility Code / Site Code
03854 = Card number / Serial Number.
Hope this helps.
I now have six tags encoded from 11601 - 11606 with FC 151. When I'm trying to run that specific syntax to post the data on the forum, I always get this output: 64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB. What am I doing wrong?
your data is the data you need just repeating over and over... select out starting with 4944544B.... then post.
What am I doing wrong?
Nothing. Like marshmellow said, your answer is in the data you posted.
"...4944544Bxxxxxxxx4944544Bxxxxxxxx4944544Bxxxxxxxx4944544B..." . Those "xxxxxxxx" are your T5577 block 2.
64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB
atyppo wrote:What am I doing wrong?
Nothing. Like marshmellow said, your answer is in the data you posted.
lonewolf wrote:"...4944544Bxxxxxxxx4944544Bxxxxxxxx4944544Bxxxxxxxx4944544B..." . Those "xxxxxxxx" are your T5577 block 2.
atyppo wrote:64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB0E435E64944544BB
Here's T1608 151 11603:
proxmark3> data printd x
DemodBuffer: 00000544B55E9AE984944544B55E9AE984944544B55E9AE984944544B55E9AE984944544B55E9AE984944544B55E9AE984944544B55E9AE984944544B55E9AE9
Here's I1608 151 11602:
proxmark3> data printd x o 3
DemodBuffer: CBD08E24484944544BD08E24484944544BD08E24484944544BD08E24484944544BD08E24484944544BD08E24484944544BD08E24484944544BD08E2448494454
Here's I1608 151 11601:
proxmark3> data printd x o 3
DemodBuffer: FFE474944544BD65476474944544BD65476474944544BD65476474944544BD65476474944544BD65476474944544BD65476474944544BD65476474944544BD65
Unfortunately, I don't have access to the other three anymore. Are these enough? Thanks for the hard work everyone!
Last edited by atyppo (2018-05-02 20:51:01)
Some new IDTECK samples
Temic Data Wiegand26
4944544B A0CB9C27 0-707CF4-0
4944544B A0CB9C64 0-2709F5-1
4944544B A0CB9C77 1-89F18A-1
4944544B A0CB9CBA 1-CDCA94-0
4944544B 0000006E 1-692BAA-0
4944544B 62000000 1-AEC2EA-1
4944544B AC000000 1-A92F0B-0
4944544B 00B40000 1-2509BB-1
4944544B 00001A00 0-1195C3-1
Some strange IDTECK samples
Temic Data Wiegand26
4944544B CAFE009A 1-85042B-0
4944544B CAFE009B 0-E10305-1
The data differs by only 1 bit, but the card codes at the Wiegand output differ very much.
Looks like a hash or encryption is taking place and only some bytes are used from the hash/encryption.