Hey All,
I'm currently playing with various vehicle tags and the T5 is commonly used as a target for cloning. Although the T5 tags are very easy to acquire, I'm having trouble finding the datasheet so I can implement commands to read/write them. Does anyone know what their full designation is or where the datasheet lives?
Thanks,
Adam
Here you go. (T5555 aka Q5)
Q5 Datasheet
Last edited by carl55 (2013-08-29 19:48:11)
Thanks, but a T5 is not a Q5.
Thanks, but a T5 is not a Q5.
Are you looking for a specific difference? The T5s and Q5s I have are functional equivalents and write the same.
Yes, Q5 is another name for a T5555.
However, a T5 is not a Q5 or a T5555.
I think it's actually one of these:
https://www.hidglobal.com/sites/hidglobal.com/files/resource_files/hid-rfid-il-brick-tag-nova-ds-en.pdf
http://www.sokymat-automotive.com/nova.aspx
OK, but where do you read the name T5? It seems to be a PCF7931 (shape), but it has 2 chips inside, an EEPROM and an RFID interface chip (look at the Sokymat pics). It is stated (1st link) that it also supports HF frequencies (penultimate tab line)... maybe a new product... similar to EM H4062... and maybe the plastic "case" contains the antenna...
Last edited by asper (2013-09-03 20:17:08)
T5 is a common target in the automotive cloning industry. Sometimes it's referred to as a 'Sokymat T5':
http://www.noimmo.lt/equipment/params/86/
http://www.ecufactory.com/auto-transponder-chip/honda-t5-id20-sokymat_p2213/
http://www.lockandkeyshop.co.uk/cgi-bin/sh000001.pl?REFPAGE=http%3a%2f%2fwww.lockandkeyshop.co.uk%2f&WD=t5&PN=Transponders.html%23a5674#a5674
etc.
Since the Sokymat link specifies that it is used for cloning, I'm assuming this is the same device, but I'm not sure. That's why I said "I think it's one of these".
T5 "should be" Sokymat SID160 (NOVA) (also JMA TP05), so probably here it is: https://www.spezial.com/doc/hid/SOKYMAT_alt/sok-glasstag-3.2-na.pdf so you are right, it is not Q5 or T5555.
More info (taken from this official page):
NOVA: read/write, 160 Bit EEPROM (10 words of 16 Bit), data transmission ASK Manchester or Biphase,
bit rate user defined (CF/32, CF/64 or CF/100), memory size (64 Bit or 128 Bit) and memory protected area easily programmable.
Last edited by asper (2013-09-03 22:13:30)
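An added example, not from the thread or any datasheet: encoders and decoders for the two line codes the NOVA spec above names, ASK Manchester and biphase, at the three user-defined bit rates CF/32, CF/64 and CF/100 (one data bit per 32, 64 or 100 cycles of the 125 kHz carrier). It assumes a trace already reduced to one sample per carrier cycle (0 = carrier damped, 1 = undamped), the Manchester polarity convention given in the docstring, and biphase mark as the "biphase" variant; the sample payload is constructed, not a real T5 capture.

```python
CARRIER_HZ = 125_000          # LF carrier; CF/n means n carrier cycles per data bit
BIT_RATES = (32, 64, 100)     # the three user-selectable rates named in the NOVA spec


def bit_time_us(cf):
    """Duration of one data bit in microseconds, e.g. CF/64 at 125 kHz = 512 us."""
    return cf * 1e6 / CARRIER_HZ


def _halves(samples, cf):
    """Yield (first-half level, second-half level) for each bit period.
    Input is one sample per carrier cycle; each half-bit level is a majority
    vote over its cf//2 samples, so isolated glitches do not flip a bit."""
    if cf not in BIT_RATES:
        raise ValueError(f"unsupported bit rate CF/{cf}")
    if len(samples) % cf:
        raise ValueError("trace is not a whole number of bit periods")
    half = cf // 2
    for i in range(0, len(samples), cf):
        a, b = samples[i:i + half], samples[i + half:i + cf]
        yield int(2 * sum(a) > half), int(2 * sum(b) > half)


def manchester_encode(bits, cf):
    """Manchester, assumed convention: 1 = low then high, 0 = high then low."""
    half = cf // 2
    return [lvl for bit in bits for lvl in [1 - bit] * half + [bit] * half]


def manchester_decode(samples, cf):
    """Every bit must contain a mid-bit transition; polarity decides the value."""
    bits = []
    for a, b in _halves(samples, cf):
        if a == b:
            raise ValueError("missing mid-bit transition: not Manchester at this rate")
        bits.append(b)
    return bits


def biphase_encode(bits, cf, level=0):
    """Biphase mark: level flips at every bit boundary, and again mid-bit for a 1."""
    half, out = cf // 2, []
    for bit in bits:
        level ^= 1                # boundary transition, present for every bit
        out += [level] * half
        level ^= bit              # extra mid-bit transition only for a 1
        out += [level] * half
    return out


def biphase_decode(samples, cf):
    """Polarity-insensitive: a bit is 1 exactly when its two halves differ."""
    return [int(a != b) for a, b in _halves(samples, cf)]
```

Decoding an inverted trace shows the practical difference between the two: Manchester comes out bit-inverted, biphase does not, which is why polarity of the probe matters for one and not the other.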
OK, so "this official page" is just the German version of the link I posted earlier, so I guess we're agreed!
So now all we need is the programming manual...
Yeah, but it seems to be some sort of "NDA" or something, because it's almost impossible to find even if this device is quite common... you can try to log some traces with pm3... but I don't think you will find programming commands, only reading... from what I read there are very few commands for it, just 4, for different writing procedures (info found on some hardware programmer PDF manuals) but no description of the command set (here at pages 16 and 18).
I think those hex commands are for the programmer, not for the real Nova tag. Anyway you can find other "maybe" useful info in that PDF (e.g. page 28).
Anyway IPC10 (T5) and IPC11 (Q5) seem to use the same command sets (page 24), so probably the commands are the same as a Q5!
IPC10 seems to be a specific Siemens product, maybe partially cloned by Sokymat to a T5, or maybe Siemens cloned it (only guessing - that PDF is 2009).
Other document (German only - look for "ipc10")
Another one (from page 64 - specific bit explanation)
Good finding (page 52 - IPC10 seems to be EM4069 compatible!). See the extracted picture below:
Probably, after EM's acquisition of Sokymat (in 2003), EM4069 became Nova (that last document is in fact from 2002, the others are from 2009).
Last edited by asper (2014-11-23 10:56:36)
Hmmm... Some nice info!
As far as using the same command set goes, I can't use a Q5 programmer to read any sensible data from the T5, and the config block layout is definitely not the same...
I have a cheap automotive cloning system on order, so I'll try sniffing some write sessions once it arrives... We may have to simply reverse engineer it based on what the final characteristics of the tag are after programming.
Thanks for your help!
Well, reading the datasheets, Q5 commands are different from H4069 (EM4069). You can try to sniff the communication inside your car with the pm3.
I'm curious how you would go about sniffing LF with the PM3? I normally use an oscope.
You are absolutely right, there is no snoop function for LF! You can pledge for a HackRF.
I am also curious.
When sniffing LF, I usually burn off the coating on the antenna's enamel wire of the reader/tag and put my oscilloscope probe there.
But when sniffing HF, I just use an "external" sniffer.
Is there anything similar to a sniffer that works at low frequency?
Has anybody tried to make an LF antenna that works with their oscilloscope?
Mine uses the BNC stuff...
You are absolutely right, there is no snoop function for LF! You can pledge for a HackRF.
HackRF starts from 30 MHz. I read it works well with 13.56 MHz, but for 125 kHz it is very hard.
There is an additional very low cost module (Ham It Up) to start at 300 kHz, so maybe something at 120-130 kHz could be listened to.
Last edited by asper (2013-09-04 19:51:16)
It might not be quite what you want, but Henryk Plötz and Karsten Nohl demonstrated a very simple PC sound-card based sniffer for LF tags at the 2009 HAR conference in their talk "Breaking Hitag2". You can see the talk here:
https://www.youtube.com/watch?v=5wQKtYcJV88&list=PLEB5C4BB74C7CDF7C
The talk begins about 7 mins into the first section.
The papers for the talk are here:
https://har2009.org/program/events/135.en.html Sadly they seem to be corrupted somehow, as Adobe Reader is complaining about them. From memory it was just a coil and a diode for the sniffer, and a coil and a transistor to replay recordings.
Edit: just to add, the paper with the schematic is working here:
http://www2.informatik.hu-berlin.de/~ploetz/analyzing-an-unknown-access-control-system.pdf
Last edited by en4rab (2013-09-08 20:39:44)
It works, but you have to connect to the antenna coil ends (and you can use an old MP3 player to record tracks, connecting the antenna to the mic input, or record from a netbook mic).
Well, it turns out that T5 uses the same protocol as EM4170 (page 6 for commands).
For differences and adaptation, read this really interesting thesis (page 266).
Well, it seems that T5 was replaced by Atmel TK5551M.
A blank T5 trace can be found here.
Last edited by asper (2014-01-25 10:23:06)
Any news about this, Adam?