Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
I'm trying to write Block 0 of a t55xx card with no success.
I've been able to change the EM TAG ID with this command:
lf em 410x_write 3700333333 1
However, I can't change the Block0 value.
When I detect the target tag, I get this:
[usb] pm3 --> lf t55 detect
[=] Chip Type : T55x7
[=] Modulation : ASK
[=] Bit Rate : 5 - RF/64
[=] Inverted : No
[=] Offset : 32
[=] Seq. Term. : Yes
[=] Block0 : 0x00323240
[=] Downlink Mode : default/fixed bit length
[=] Password Set : No
And the search command:
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM410x pattern foundEM TAG ID : 3700333333
Possible de-scramble patterns
Unique TAG ID : XXXXXXXXXX (not real)
HoneyWell IdentKey {
DEZ 8 : 03904599
DEZ 10 : 0003904599
DEZ 5.5 : 00059.37975
DEZ 3.5A : 055.37975
DEZ 3.5B : 000.37975
DEZ 3.5C : 059.37975
DEZ 14/IK2 : 00236227105879
DEZ 15/IK3 : 001013626710506
DEZ 20/ZK : 14120000131202091410
}
Other : 37975_059_03904599
Pattern Paxton : 927978071 [0x374FD257]
Pattern 1 : 6185788 [0x5E633C]
Pattern Sebury : 37975 59 3904599 [0x9457 0x3B 0x3B9457][+] Valid EM410x ID found!
However, I've tried writing Block 0 with these commands in the target key (after reading with the 'lf t55 read b 0' command):
lf t55 write b 0 d 0014FFFF
lf t55xx wr b 0 d 0014FFFF
After any of the commands, when I use 'lf t55 read b 0' I get an error:
[usb] pm3 --> lf t55 read b 0
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------And not only that, detect and search doesn't work either:
[usb] pm3 --> lf t55 detect
[!] ⚠️ Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] ⛔ No data found!
[=] Signal looks like noise. Maybe not an LF tag?
Only when I set the UID again (with this command --> 'lf em 410x_write 3700333333 1'), it seems to work again, but the Block 0 is not changed. Is still the original from the target key.
And..., worse. One of the keys, after this procedure, is not working any more. I've tried wiping and anything, and still dead.
Any clues why I can't write block 0?
How can I recover the dead key?
Offline
I've managed to unbrick one of the tags.
I guess to write UID I should just use this:
lf em 410x_write 0F0368568B 1
And block 0 shouldn't be touched.
Is that right?
But..., card is EM4305.
And there is no similar to 'lf em 4x05_write'.
It isn't specific to ID.
Then, which command should I use?
Last edited by underlive (2020-06-28 22:32:46)
Offline
You should take some time reading the helptexts properly and maybe even the datasheet for t5577 in order to understand what you are doing wrong.
Offline