Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-10-21 10:20:44

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Perhaps password protect 5577

I get a new card as follow:

proxmark3> hw ver
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-103-gaa757f7-suspect 2017-10-20 15:13:00
os: master/v3.0.1-103-gaa757f7-suspect 2017-10-20 15:13:04
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 199154 bytes (38%). Free: 325134 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hw tune

Measuring antenna characteristics, please wait.........
# LF antenna: 46.75 V @   125.00 kHz
# LF antenna: 23.24 V @   134.00 kHz
# LF optimal: 46.75 V @   125.00 kHz
# HF antenna: 31.87 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

proxmark3> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!

proxmark3> lf search u
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!


Checking for Unknown tags:

Possible Auto Correlation of 1 repeating samples

Found Sequence Terminator - First one is shown by orange and blue graph markers

Using Clock:32, Invert:0, Bits Found:513
ASK/Manchester - Clock: 32 - Decoded bitstream:
1100100100000001
0000010111011111
0110001110000011
1000000100000001
0000010001100001
1000100111110010
0101000010001010
0000101100011110
0000110000001100
0100111101011101
1100100100000001
0000010111011111
0110001110000011
1000000100000001
0000010001100001
1000100111110010
0101000010001010
0000101100011110
0000110000001100
0100111101011101
1100100100000001
0000010111011111
0110001110000011
1000000100000001
0000010001100001
1000100111110010
0101000010001010
0000101100011110
0000110000001100
0100111101011101
1100100100000001
0000010111011111

Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'

proxmark3> data rawdemod am

Using Clock:32, Invert:0, Bits Found:513
ASK/Manchester - Clock: 32 - Decoded bitstream:
0001011101111101
1000111000001110
0000010000000100
0001000110000110
0010011111001001
0100001000101000
0010110001111000
0011000000110001
0011110101110117
7100100100000001
0000010111011111
0110001110000011
1000000100000001
0000010001100001
1000100111110010
0101000010001010
0000101100011110
0000110000001100
0100111101011101
1771001001000000
0100000101110111
1101100011100000
1110000001000000
0100000100011000
0110001001111100
1001010000100010
1000001011000111
1000001100000011
0001001111010111
0117710010010000
0001000001011101
1111011000111000

proxmark3> lf t55 con b 32
Chip Type  : T55x7
Modulation : ASK
Bit Rate   : 2 - RF/32
Inverted   : No
Offset     : 0
Seq. Term. : No
Block0     : 0x00000000

proxmark3> lf t55 detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

proxmark3> lf t55 info

-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key                 : 15
reserved                  : 73
Data bit rate             : 0 - RF/8
eXtended mode             : No
Modulation                : 2 - PSK 2 phase change on bitclk if input high
PSK clock frequency       : 0
AOR - Answer on Request   : No
OTP - One Time Pad        : No
Max block                 : 5
Password mode             : Yes
Sequence Start Terminator : Yes
Fast Write                : No
Inverse data              : Yes
POR-Delay                 : Yes
-------------------------------------------------------------
Raw Data - Page 0
     Block 0  : 0xF92020BB  01771001001000000010000010111011
-------------------------------------------------------------

proxmark3> lf t55 brute i default_pwd.dic
Password NOT found.

Who knows? thanks!

Last edited by zhuminggang (2017-10-21 10:41:10)

Offline

#2 2017-10-21 10:25:33

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: Perhaps password protect 5577

I read this, http://www.proxmark.org/forum/viewtopic.php?id=2795, Are they like each other?

Offline

#3 2017-10-21 16:42:07

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Perhaps password protect 5577

How is the card looks like, pic pls,  and do you have reader to test?

Last edited by ntk (2017-10-21 16:43:05)

Offline

#4 2017-10-22 01:24:14

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: Perhaps password protect 5577

It is a hotel door card with logo,no other info,no reader to test so can not snoop.
I just discover lf card,is it possible to clone a password protect t5577 card without snoop?
if I find the reader,snoop the communication,is it possible to find the password?

Last edited by zhuminggang (2017-10-22 08:58:46)

Offline

#5 2017-10-22 01:51:59

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: Perhaps password protect 5577

So you or the owner of the card would know which hotel which room to test a copy to see it works or not. if yes, you can test this


lf t55xx wr b 0 d 000880A8
lf t55xx wr b 1 d 248082EF
lf t55xx wr b 2 d B1C1C080
lf t55xx wr b 3 d 8230C4F9
lf t55xx wr b 4 d 2845058F
lf t55xx wr b 5 d 060627AE
lf t55xx wr b 0 d 000880A8

A password protected T5577 hinders nobody to see to hear its data.

Last edited by ntk (2017-10-22 02:38:00)

Offline

#6 2017-10-22 03:20:57

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: Perhaps password protect 5577

ntk wrote:

So you or the owner of the card would know which hotel which room to test a copy to see it works or not. if yes, you can test this


lf t55xx wr b 0 d 000880A8
lf t55xx wr b 1 d 248082EF
lf t55xx wr b 2 d B1C1C080
lf t55xx wr b 3 d 8230C4F9
lf t55xx wr b 4 d 2845058F
lf t55xx wr b 5 d 060627AE
lf t55xx wr b 0 d 000880A8

A password protected T5577 hinders nobody to see to hear its data.

so it is like http://www.proxmark.org/forum/viewtopic.php?id=2795 describe

I will test it next time I go to the hotel,thanks!

Last edited by zhuminggang (2017-10-22 03:32:24)

Offline

#7 2017-10-22 03:23:29

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Perhaps password protect 5577

some lf hotel readers check password, so a snoop might be needed to get complete working clone.

hint to work lf snoop set threshold in lf config...

Offline

#8 2017-10-22 03:29:01

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: Perhaps password protect 5577

marshmellow wrote:

some lf hotel readers check password, so a snoop might be needed to get complete working clone.

hint to work lf snoop set threshold in lf config...

thanks!

Last edited by zhuminggang (2017-10-22 08:57:03)

Offline

#9 2017-10-22 11:35:48

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: Perhaps password protect 5577

marshmellow: Would you please send me a thread it clear illustrate how to do from snoop data to get password,thanks!

Last edited by zhuminggang (2017-10-22 11:37:21)

Offline

#10 2017-10-22 13:29:51

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Perhaps password protect 5577

Set the threshold to 100 using lf config

Run lf snoop
Present card and antenna to the reader (antenna between reader and card.

Save the plot and post it.

The only docs on how to read are the chip datasheets.

Offline

#11 2017-10-23 14:41:41

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: Perhaps password protect 5577

ntk wrote:

So you or the owner of the card would know which hotel which room to test a copy to see it works or not. if yes, you can test this


lf t55xx wr b 0 d 000880A8
lf t55xx wr b 1 d 248082EF
lf t55xx wr b 2 d B1C1C080
lf t55xx wr b 3 d 8230C4F9
lf t55xx wr b 4 d 2845058F
lf t55xx wr b 5 d 060627AE
lf t55xx wr b 0 d 000880A8

A password protected T5577 hinders nobody to see to hear its data.

From http://www.proxmark.org/forum/viewtopic.php?id=2795 there are block 1-4 data and one leftover 1 ,if write above,there are block1-5 data and two leftovers 11 , how to choose, sorry, I did not read the Atmel t5577chip datasheet carefully!
form 5.11.3 http://www.atmel.com/images/atmel-9187-rfid-ata5577c_datasheet.pdf,the Sequence Terminator that is placed before block 0 on every sequence, why convert block 1 data to 248082ef not 92020bbe?

Last edited by zhuminggang (2017-10-24 13:00:03)

Offline

#12 2017-10-25 09:18:27

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: Perhaps password protect 5577

After read t5577 data sheet,I make a test use a blank t5577 card:
lf t5 wr b 1 d AAAAAAAA
lf t5 wr b 2 d 00000000
lf t5 wr b 3 d AAAAAAAA
lf t5 wr b 4 d 00000000
lf t5 wr b 5 d AAAAAAAA
lf t5 wr b 0 d 000880a8

lf read
data rawd am 32

                           7
7010101010101010
1010101010101010
0000000000000000
0000000000000000
1010101010101010
1010101010101010
0000000000000000
0000000000000000
1010101010101010
1010101010101010
177

between 77 have 160 bits(32*5) .

lf t5 wr b 1 d 7AAAAAAA

lf read
data rawd am 32

                           7
7011110101010101
0101010101010101
0000000000000000
0000000000000000
0101010101010101
0101010101010101
0000000000000000
0000000000000000
0101010101010101
0101010101010101
0177
between 77 have 161 bits(32*5+1)

the different is block 1 first byte, if it greater than 7(111 bin),it EAT first bit 1. also test 8aaa,9aaa and others!

so I think first step is judge bits between 77, if bits equal 32*blocks, the first byte great than 7,plus one binary 1 before first three binary bits,the last binary 1 is leftover.if bits equal 32*blocks+1,the first four binary bits is as it is,the last binary 1 is leftover.

http://www.proxmark.org/forum/viewtopic.php?id=2795 is also like this!

My card above ought to be:

lf t5 wr b 1 d C90105DF
lf t5 wr b 2 d 63838101
lf t5 wr b 3 d 046189F2
lf t5 wr b 4 d 508A0B1E
lf t5 wr b 5 d 0C0C4F5D
lf t5 wr b 0 d 000880A8

If somebody interesting in it, Please test!

Last edited by zhuminggang (2017-10-25 11:16:17)

Offline

#13 2017-10-25 09:34:59

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: Perhaps password protect 5577

Perhaps this post should move to 125kHz Low Frequency

Last edited by zhuminggang (2017-10-25 09:35:34)

Offline

#14 2017-10-25 11:13:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Perhaps password protect 5577

lf t55xx commands has both read and write. 

You don't need to do a signal read only and try to decode it.  Finding a starting point in those signals is hard.
Thats why @marshmellow42 and I put so much time into making t55xx command good.   

If you want to be hardcore,  you need to read that atmel datasheet so  many times,  look at all code and understand all the possibilities that card has and its pitfalls. 


Its also why I recomment ppl to start learning LF, is the basics concepts is so easy to see there.

Offline

#15 2017-10-25 12:33:59

zhuminggang
Contributor
Registered: 2017-09-06
Posts: 46

Re: Perhaps password protect 5577

iceman wrote:

lf t55xx commands has both read and write. 

You don't need to do a signal read only and try to decode it.  Finding a starting point in those signals is hard.
Thats why @marshmellow42 and I put so much time into making t55xx command good.   

If you want to be hardcore,  you need to read that atmel datasheet so  many times,  look at all code and understand all the possibilities that card has and its pitfalls. 


Its also why I recomment ppl to start learning LF, is the basics concepts is so easy to see there.

You're absolutely right. Although I have read the manual several times, there are still many things that I don't understand.

Last edited by zhuminggang (2017-10-25 12:34:21)

Offline

Board footer

Powered by FluxBB