./client/proxmark3 /dev/ttyACM0
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: master/v3.0.1-75-g1dae981-suspect 2017-08-31 15:46:50
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 198426 bytes (38%). Free: 325862 bytes (62%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
I confirm it is PCF7931 inside Tag.
proxmark3> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 1 repeating samples
Using Clock:16, invert:0, Bits Found:259
PSK1 demoded bitstream:
0000000000000000
0000101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
1010101010101010
101
Possible unknown PSK1 Modulated Tag Found above!
Could also be PSK2 - try 'data rawdemod p2'
Could also be PSK3 - [currently not supported]
Could also be NRZ - try 'data rawdemod nr'
I happen to see mistakes. I think it's angry with the magnetic field. It's hard to find a good place on the antenna even if the tag is perpendicular to the antenna. I always see different lines, but numbers are always the same.
First try:
proxmark3> lf pcf7931 read
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
command execution time out
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) Max blocks: 1
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01
#db# Error reading the tag
#db# Here is the partial content
#db# -----------------------------------------
#db# Memory content:
#db# -----------------------------------------
#db# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# ----------------------------------------- ]
Second try:
proxmark3> lf pcf7931 read
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
command execution time out
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# Error reading the tag
#db# Here is the partial content
#db# -----------------------------------------
#db# Memory content:
#db# -----------------------------------------
#db# <missing block 0>
#db# <missing block 1>
#db# <missing block 2>
#db# <missing block 3>
#db# <missing block 4>
#db# <missing block 5>
#db# <missing block 6>
#db# <missing block 7>
#db# -----------------------------------------
The numbers inside are correct. I just do not know why they're repeating and why so much zero.
Here is a link to the pm3 file. Perhaps it will help. I do not know much about it yet. https://1drv.ms/u/s!AhQ8z_7i-A6egYtb-oxEYAROk1ycgw
The tag has about one block. How do I know there is a write-protected block? I'm getting no error while trying to write, but it did not do it. I did not find anything like that in the code. Is not it a shame?
proxmark3> lf pcf7931 write 1 1 dd
Writing block: 1
pos: 1
data: 0xDD
#db# Initialization delay : 0 us
#db# Offsets : -128 us on the low pulses width, -128 us on the low pulses positions
#db# Password (LSB first on each byte) : ff ff ff ff ff ff ff
#db# Block address : 01
#db# Byte address : 01
#db# Data : dd
#db# SENDING DATA FRAME...
#db# FINISH !
#db# (Could be usefull to send the same trame many times)
proxmark3> lf pcf7931 read
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Waiting for a response from the proxmark...
Don't forget to cancel its operation first by pressing on the button
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
command execution time out
#db# (dbg) 00 dc 00 00 d8 02 00 00 00 00 00 00 19 16 57 01
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# (dbg) Max blocks: 1
#db# Error reading the tag
#db# Here is the partial content
#db# -----------------------------------------
#db# Memory content:
#db# -----------------------------------------
#db# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
#db# -----------------------------------------
proxmark3>
Now just read and write data to Tag. I'll examine how to do it. Tonight I will be flashing the official firmware for my Proxmark3.
]]>lf t55xx detect
lf t55xx info
And yeah, LF 4x05/4x50 detection is irractic on iceman fork at the moment not to mention PSK..., try offical pm3
]]>as far as identifying the chip, your lf search output is a bit erratic. i suggest you try the latest code from the main repo and not icemans build, and we can go from there.
]]>Photo
So far I have tried:
pm3 --> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
Valid EM4x05/EM4x69 Chip Found
Try lf em 4x05... commands
Maybe it's t55x7. When I hit a lot of Enter, I sometimes saw it:
pm3 --> lf t55xx info
pm3 --> lf t55xx info
pm3 --> lf t55xx info
pm3 --> lf t55xx info
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 0 - RF/8
eXtended mode : No
Modulation : 0 - DIRECT (ASK/NRZ)
PSK clock frequency : 0
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 0
Password mode : No
Sequence Start Terminator : No
Fast Write : No
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x00000000 00000000000000000000000000000000
-------------------------------------------------------------
pm3 --> lf t55xx info
pm3 --> lf t55xx info
or
pm3 --> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
Valid Indala ID Found!
pm3 --> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
Valid Indala ID Found!
pm3 --> lf em 4x05_read 0
Reading address 00
Read Address 00 | failed
pm3 --> lf em 4x05_info
no tag found
no tag found
Chip Type: 0 Unknown
Cap Type: 0 | no resonant capacitor
Cust Code: 000 | Unknown
no tag found
What can I do to find out which chip is and could read it?
Proxmark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: iceman/master/v1.1.0-2207-gbd71e152 2017-08-28 10:21:02
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 216234 bytes (41%). Free: 308054 bytes (59%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hw tune
Measuring antenna characteristics, please wait......
# LF antenna: 36.30 V @ 125.00 kHz
# LF antenna: 23.93 V @ 134.00 kHz
# LF optimal: 37.54 V @ 126.32 kHz
# HF antenna: 18.54 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
pm3 --> lf read
#db# LF Sampling config:
#db# [q] divisor..............95 (125 KHz)
#db# [b] bps..................8
#db# [d] decimation...........1
#db# [a] averaging............Yes
#db# [t] trigger threshold....0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: 08 0d 14 1a 1f 25 2b 2e ...
Reading 39999 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1