Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
But if it needed the login it should have rejected the cmd
I'd suggest the login requirement is mentioned only in the context of
"When the Write Login bit is set to logic 1"
Last edited by marshmellow (2019-06-12 02:54:56)
Thanks. I won't have a chance to play until my cards arrive, so I was just doing some high-level recon.
marshmellow wrote: I confirmed the lf em 4x05protect command works in my fork, but you cannot change the protection for block 1
...
@marshmellow, I think you meant this post http://www.proxmark.org/forum/viewtopic.php?id=6542
You are correct! I get in trouble sometimes with my phone (sorry). I'd move these posts around but I don't have access currently.
More about this topic however: also in my latest fork repo is a Samples_To_Skip parameter for the lf config that allows you to skip x samples after the threshold is satisfied on an lf snoop.
This should allow the capturing of every command a cloner sends (with a couple of trace captures).
To test this you'd need to compile my github fork of the proxmark3 repo, flash, and then set lf config.
Example:
lf config d 2 t 80 s 40000
lf snoop
Disclaimer, I have not fully tested this functionality yet.
Last edited by marshmellow (2019-06-12 03:39:26)
Sorry if this is posted somewhere. Do you have a link to the git for your fork?
At the moment I have rrg on the RDv4 and the stock (with some of my mods) on the easy.
Once I have it, I will give the snoop skip a good work out and testing.
Thanks
https://github.com/marshmellow42/proxmark3
Once I've been able to test the commands out I will submit them to the official master repo.
Last edited by marshmellow (2019-06-12 04:04:55)
Side topic.
First up and most important, thanks for all the work. looking good.
Hope this saves you a little time.
I downloaded the git files and compiled. In my download one little line was missing:
The last line in the code snippet below. i.e. the client had the option and the ARM code had the data structures, but the copy of the samples to skip into the config data structure was missing, so the client always reported 0 and no offset. As soon as I added that line, bingo, the command showed the value and a very quick test showed it did offset. I will do some more detailed testing.
src file: lfsampling.c

void setSamplingConfig(sample_config *sc)
{
    if (sc->divisor != 0) config.divisor = sc->divisor;
    if (sc->bits_per_sample != 0) config.bits_per_sample = sc->bits_per_sample;
    if (sc->decimation != 0) config.decimation = sc->decimation;
    if (sc->trigger_threshold != -1) config.trigger_threshold = sc->trigger_threshold;
    if (sc->samples_to_skip != 0) config.samples_to_skip = sc->samples_to_skip; /* the line that was missing */
    ......
Thx, untested code is fun... sorry about that.
I believe we should set the if compare to > -1
and change the default to -1 so 0 skipped samples could be set
I'll adjust my fork in a bit
And sorry we have drifted from topic
Last edited by marshmellow (2019-06-12 12:36:51)
@marshmellow, great stuff! Further poking the Chinese cloners will be possible!
Happy to have my posts removed/moved as needed to keep things clean (as we are off topic a little)
No issues, all good work. You did make it clear "untested" and I did offer to test so no issue at all. I was impressed with the rapid turn-around.
I did some more detailed testing... so 2 changes needed (then more testing), but looking good
Both in the file: lfsampling.c
First one is to bring the data type in line: int to uint32.
Change:
Old: uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, int samples_to_skip)
New: uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, uint32_t samples_to_skip)
And the compare needs switching.
Old:
    if (samples_to_skip < samples_skipped) {
        samples_skipped++;
        continue;
    }
New:
    if (samples_to_skip > samples_skipped) {
        samples_skipped++;
        continue;
    }
After that it seems to be done.
I confirmed the lf em 4x05protect command works in my fork, but you cannot change the protection for block 1.
pre protect command through protect cmd:
Lock Address 14 | 00008002
Lock Address 15 | 00000000
proxmark3> lf em 4x05protect d 0
Writing Protect data 00000000
Protect Verified
proxmark3> lf em 4x05dump
Got Address 00 | 00040072
Got Address 01 | 3F8DAD59
PWD Address 02 | cannot read
Got Address 03 | 0000D5C3
...
Got Address 13 | 00000000
Lock Address 14 | 00000000
Lock Address 15 | 00008002
@marshmellow, can the protection bit be set to 1 and to 0? Or only to 1?
Pull request created for master; any further discussion should be there for that command, so we don't confuse this topic further.
https://github.com/Proxmark/proxmark3/pull/833
Last edited by marshmellow (2019-06-12 15:27:47)
Quick Update.
My 4305 units arrived. I have had a very quick play to see how they behave compared to the unknown chips.
Using the same blue cloner,
- I can read a real 4100 and write to the t5577 and read/recover (already covered)
- I can then clone the same 4100 to the 4305 and read the 4305 blocks (write protect bit set)
- I can reset both the 5577 and 4305 with the blue cloner (turn on and NOT read, just write) and both cards have the passwords cleared and config lock cleared.
- I can clone a real 4100 to the unknown fob and change the ID with the same blue cloner, yet the power on write does not put it into a state that can be used (read or write outside of the emulated 4100 tag)
So, at this point I still don't believe they are 5577 or a 4305, as I would expect the same procedure used on the known chips would have worked on the unknown chip.
Thanks for the update @mwalker! Good stuff. I didn't know about the "reset feature" of the cloner. I will try it with my blue fob and see what happens around mid this week, since I'm traveling.
If you reset a T5577 or 4305 and try to clone it to the unknown chip blue fob, does anything interesting happen? I would suspect the cloner wouldn't read anything from the reset T5577 or 4305, but just a bit of curiosity from my end...
Thanks!
I have a few things on the go as well (like most of us). All good.
What I was trying to do is work out (the easy stuff first) what works and does not work, to try to prove (or at least support) what it could or could not be.
I would need to check as I only did quick tests and did not take too much note. But I am fairly sure if I take a new (blank) 5577 or 4305, the cloner read fails. i.e. they are expecting an RFID tag so they know what they are trying to clone.
What I thought was also interesting: I read a HID ProxCard II with the cloner that can clone them. I could write that to the 5577, but not the unknown fob. (I have not tried to write to the EM4305 yet, but suspect it will work.) The way I was looking at this was, a T5577 and EM4305 are generic cards that can be told to store X amount of data and modulate at needed rates and encoding, then on power-up they send out the data from block x to y, then repeat. So IF a chip can be told to store the data (enough storage) and can support the correct config, and the cloner can write an EM4100 tag but not a HID tag to the unknown chip, then the chip is not one I know and use (rule those out) and (at some level) can't support the HID format (in this example) for some reason (cloner or chip limitation).
So time to step up and learn some more.
What I want to do next is learn to use the playback "lf sim" correctly and work out its challenges and how to best use it. i.e. lf sim with known things first (send commands to a t5577) and make sure they work, then test again to the 4305.
Next I am going to slice up the lf snoop data and play back the unknown part(s). e.g. I know the T5577 packets, so remove those. If that changes the EM4100 id on my unknown fob, then I know the command is in that remaining group. If it does not, then either it's not in the group or there is a challenge with the data to send with the sim.
So, split that into groups that look like the same modulation/encoding. and play back each (re-setting the EM ID on the fob each time).
So all going well, what I expect to end up with is a group of wave forms that actually write to the fob.
Then I can focus on that to see what it is.
Challenges I expect along the way.
1. Me not doing something correctly. New skills to learn - that's why I'm here.
2. Fob and antenna coupling challenges (so will work out the best way to hold the fob in the best place)
3. the snooped data not at the correct levels, so back to item 1 and learn about that.
This is where marshmellow's new snoop option will kick in, get a good 1:1 of the data.
I have dumped all downlink/write packets from the blue cloner for an EM4100 ID write/clone (thanks to marshmellow's skip option).
The first group are clearly 5577 commands (not shown here). The second group is clearly 4x05 (4305) commands (not shown here).
The third group is the interesting one.
The encoding/modulation seems to be similar to the 5577, where a narrow pulse is a 0 and a wide pulse is a 1.
The initial 01 has a wider "1" pulse, so may be a sync pulse.
Lines 2 and 3 are clearly the EM4100 data as it decoded 100% to the tag ID I cloned.
The trailing "1" could just be an end of packet decay.
(It may have a few bit errors; I had 1 error in the em data, but corrected.)
The 4 packet streams are very clearly sent as the group shown below, spaces added where I believe needed for sync, command/addr, data and tail.
01 0000100010100000100 000000000000100000000000000000000000000001000000000000000000000000000000 1 <- ? clear ?
01 0000000101000000000 11111111100000110110000000000010 1 <- EM4100 Data
01 0000000101010000000 01001100011011000010010011001100 1 <- EM4100 Data
01 0000000101011111111 00010101000000000001000000000000 1 <- ? Config ?
Has anyone seen anything that looks like the above, i.e. 19(?) bits then data with a modulation like the 5577?
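As an added example that is not part of the original post or the Proxmark3 code base, here is a Python decoder for the EM4100 frame carried in lines 2 and 3 above; it applies the standard EM4100 layout (9 header ones, 10 rows of 4 data bits plus even row parity, 4 even column parity bits, stop bit 0) and reports which parity bits fail instead of just rejecting the frame. The only input it assumes is those two 32-bit words.

```python
# Added example (not code from the thread or the Proxmark3 project): decode the
# 64-bit EM4100 frame carried in the two snooped 32-bit words above, using the
# standard layout: 9 header ones, 10 rows of 4 data bits + even row parity,
# 4 even column parity bits, stop bit 0.

HEADER = "1" * 9

# Constructed sample: the poster's 2nd and 3rd lines, without the 01 / 1 framing.
WORD_HI = "11111111100000110110000000000010"
WORD_LO = "01001100011011000010010011001100"


def decode_em4100(bits: str) -> dict:
    """Return the 40-bit ID plus every row/column whose even parity failed."""
    if len(bits) != 64 or set(bits) - {"0", "1"}:
        raise ValueError("frame must be exactly 64 bits of '0'/'1'")
    if not bits.startswith(HEADER):
        raise ValueError("missing 9-bit header of ones")

    body = bits[9:]                       # 55 bits after the header
    rows = [body[i * 5:i * 5 + 5] for i in range(10)]
    col_parity, stop_bit = body[50:54], body[54]

    nibbles, bad_rows = [], []
    for idx, row in enumerate(rows):
        data, parity = row[:4], row[4]
        if data.count("1") % 2 != int(parity):
            bad_rows.append(idx)
        nibbles.append(int(data, 2))

    bad_cols = []
    for col in range(4):                  # col 0 is the MSB of each nibble
        ones = sum((n >> (3 - col)) & 1 for n in nibbles)
        if ones % 2 != int(col_parity[col]):
            bad_cols.append(col)

    return {
        "id_hex": "".join(f"{n:X}" for n in nibbles),
        "bad_rows": bad_rows,
        "bad_cols": bad_cols,
        "stop_ok": stop_bit == "0",
    }


def encode_em4100(id_hex: str) -> str:
    """Build a clean 64-bit frame for a 10-hex-digit ID (for round-trip checks)."""
    nibbles = [int(c, 16) for c in id_hex]
    if len(nibbles) != 10:
        raise ValueError("EM4100 ID is 10 hex digits (40 bits)")
    rows = "".join(f"{n:04b}{bin(n).count('1') % 2}" for n in nibbles)
    cols = "".join(str(sum((n >> (3 - c)) & 1 for n in nibbles) % 2) for c in range(4))
    return HEADER + rows + cols + "0"


if __name__ == "__main__":
    print(decode_em4100(WORD_HI + WORD_LO))
```

Run on the two posted words it recovers the ID 0D00433C43 with all row parities intact and one column parity bit not matching, which fits the poster's remark about a single corrected bit error.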
Any new info on this unknown "T5200" tag?
I recently picked up a PM3 RDV4, and am just learning. I also picked up a blue cloner and white cloner to play with. I now have what I believe are 20 of these unknown tags (5 white badge style all tagged "EM 410x ID 3D00D51E2C" and 15 blue fob style all tagged "EM 410x ID 0000002049"). I have one real T5577 that came with the pm3, but am trying to see whether I can do anything with these cloner tags other than use them with the cloner. Just learning and trying to figure things out. I've read a bunch of existing posts, and saw a recent update that we haven't been able to locate the data sheet on these yet.
What I've done so far:
* I have sent the reset code "lf t55xx write b 0 d 00148040", and "lf t55xx write b 0 d 00088040", and both with and without the default password (51243648), and it's had no effect on the card. Does this mean they are the "T5200" card?
* I confirmed that both my blue cloner and white cloner can write to these cards. The blue cloner can also "erase" the cards when writing without reading anything first. The white cloner will not write without a valid read first.
* I've tried the "lf t5 chk" and "lf em xxxx chk" commands and nothing found consistently. It sometimes throws a "password found" result - but I think it's garbage output as it's not repeatable.
Has anyone found a way to unlock these cards and write to them with pm3?
If you are running latest fw/client and done the correct setup according to the documents, there shouldn't be any issue.
If you open your pm3 case, on the backside you can see two sliding switches on the antenna. They should be in 125 and 7(8) Q mode for your device to work best with t55x7 / t5200 tags.
Thanks, Iceman. I did verify the hardware setting - the antenna is in 125 and Q7, and I'm running a new compile of YOUR (thanks!) fork.
Here's HW ver, status, and tune:
[usb] pm3 --> hw version
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.9237-2904-g4d2d65a0c 2021-01-23 15:34:18
compiled with GCC 8.3.0 OS:Linux ARCH:arm
[ PROXMARK3 ]
firmware.................. PM3RDV4
external flash............ present
smartcard reader.......... present
FPC USART for BT add-on... absent
[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-2904-g4d2d65a0c 2021-01-23 15:35:39
os: RRG/Iceman/master/v4.9237-2904-g4d2d65a0c 2021-01-23 15:36:29
compiled with GCC 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]
[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 309986 bytes (59%) Free: 214302 bytes (41%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> hw status
[#] Memory
[#] BigBuf_size.............42352
[#] Available memory........42296
[#] Tracing
[#] tracing ................1
[#] traceLen ...............0
[#] dma8 memory.............-2111816
[#] dma16 memory............-2111816
[#] toSend memory...........-2111816
[#] Current FPGA image
[#] mode.................... HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
[#] Flash memory
[#] Baudrate................24 MHz
[#] Init....................OK
[#] Memory size.............2 mbits / 256 kb
[#] Unique ID...............0xD5697C309773D825
[#] Smart card module (ISO 7816)
[#] version.................v3.11
[#] LF Sampling config
[#] [q] divisor.............95 ( 125.00 kHz )
[#] [b] bits per sample.....8
[#] [d] decimation..........1
[#] [a] averaging...........Yes
[#] [t] trigger threshold...0
[#] [s] samples to skip.....0
[#] LF Sampling Stack
[#] Max stack usage.........3960 / 8480 bytes
[#] LF T55XX config
[#] [r]                          [a]   [b]   [c]   [d]   [e]   [f]   [g]
[#] mode                       |start|write|write|write| read|write|write
[#]                            | gap | gap |  0  |  1  | gap |  2  |  3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) |  29 |  17 |  15 |  47 |  15 | N/A | N/A |
[#] long leading reference     |  29 |  17 |  18 |  50 |  15 | N/A | N/A |
[#] leading zero               |  29 |  17 |  18 |  40 |  15 | N/A | N/A |
[#] 1 of 4 coding reference    |  29 |  17 |  15 |  31 |  15 |  47 |  63 |
[#]
[#] HF 14a config
[#] [a] Anticol override....std : follow standard
[#] [b] BCC override........std : follow standard
[#] [2] CL2 override........std : follow standard
[#] [3] CL3 override........std : follow standard
[#] [r] RATS override.......std : follow standard
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed............500ms
[#] Bytes transferred.......297984
[#] Transfer Speed PM3 -> Client = 595968 bytes/s
[#] Various
[#] Max stack usage.........4104 / 8480 bytes
[#] DBGLEVEL................1 ( ERROR )
[#] ToSendMax...............-1
[#] ToSend BUFFERSIZE.......2308
[#] Slow clock..............33764 Hz
[#] Installed StandAlone Mode
[#] HF - Reading Visa cards & Emulating a Visa MSD Transaction(ISO14443) - (Salvador Mendoza)
[#] Flash memory dictionary loaded
[#] Mifare..................1013 keys
[#] T55x7...................112 keys
[#] iClass..................9 keys
[usb] pm3 --> hw tune
[=] REMINDER: 'hw tune' doesn't actively tune your antennas, it's only informative
[=] Measuring antenna characteristics, please wait...
? 9
[=] ---------- LF Antenna ----------
[+] LF antenna: 36.29 V - 125.00 kHz
[+] LF antenna: 26.85 V - 134.83 kHz
[+] LF optimal: 36.02 V - 123.71 kHz
[+] Approx. Q factor (*): 5.4 by frequency bandwidth measurement
[+] Approx. Q factor (*): 6.3 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 48.18 V - 13.56 MHz
[+] Approx. Q factor (*): 8.4 by peak voltage measurement
[+] HF antenna is OK
I can interact with the T5200:
[usb] pm3 --> lf t5 info
--- T55x7 Configuration & Information ---------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 0 - RF/8
eXtended mode : No
Modulation : 0 - DIRECT (ASK/NRZ)
PSK clock frequency : 0 - RF/2
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 0
Password mode : No
Sequence Terminator : No
Fast Write : Yes - Warning
Inverse data : Yes - Warning
POR-Delay : Yes
-------------------------------------------------------------
Raw Data - Page 0, block 0
0x00000007 00000000000000000000000000000111
-------------------------------------------------------------
But writing to it has no effect:
[usb] pm3 --> lf t5 write b 0 d 00088040 t
[=] Writing page 0 block: 00 data: 0x00088040
[#] Using Test Mode
[usb] pm3 --> lf t5 dump
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00000007 | 00000000000000000000000000000111 | ....
[+] 01 | 00000007 | 00000000000000000000000000000111 | ....
[+] 02 | 00000007 | 00000000000000000000000000000111 | ....
[+] 03 | 0000000F | 00000000000000000000000000001111 | ....
[+] 04 | 00000007 | 00000000000000000000000000000111 | ....
[+] 05 | 0000000F | 00000000000000000000000000001111 | ....
[+] 06 | 0000000F | 00000000000000000000000000001111 | ....
[+] 07 | 0000000F | 00000000000000000000000000001111 | ....
[+] Reading Page 1:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00000007 | 00000000000000000000000000000111 | ....
[+] 01 | 0000000F | 00000000000000000000000000001111 | ....
[+] 02 | 0000000F | 00000000000000000000000000001111 | ....
[+] 03 | 0000000F | 00000000000000000000000000001111 | ....
By the way, this is on a "cleared" tag (do a write with the blue cloner without a valid read).
Am I missing something?
It looks like you got your RDV4 set up just nice.
Regarding your tag remember, you always need to run detect first before trying any other t55xx command.
lf t55xx detect
Yep, I did that. I did a hw reset, reconnect, and then the "lf t55 detect". I also tried to change the config bitrates as it was only getting a response at 64.
Could there be an unknown password required?
If you used it with a gun cloner, then it's passworded.
You can either run the check command with some options, or you can sniff the gun cloner direct and see which pwd it writes.
lf t55 chk -h
lf t55 sniff