T5 Vehicle tags

adam@algroup.co.uk · 2013-08-29 17:04:44

Hey All,

I'm currently playing with various vehicle tags and the T5 is commonly used as a target for cloning. Although the T5 tags are very easy to acquire, I'm having trouble finding the datasheet so I can implement commands to read/write them. Does anyone know what their full designation is or where the datasheet lives?

thanks,
Adam

carl55 · 2013-08-29 19:46:50

Here you go. (T5555 aka Q5)
Q5 Datasheet

Last edited by carl55 (2013-08-29 19:48:11)

adam@algroup.co.uk · 2013-08-31 11:23:37

Thanks, but a T5 is not a Q5.

Bugman1400 · 2013-09-01 00:47:11

adam@algroup.co.uk wrote:

Thanks, but a T5 is not a Q5.

Are you looking for a specific difference? The T5s and Q5s I have are functional equivalents and write the same.

asper · 2013-09-01 10:55:28

Here and here. Q5 seems really the same as T5555.

adam@algroup.co.uk · 2013-09-03 17:52:40

Yes, Q5 is another name for a T5555

However, a T5 is not a Q5 or a T5555

I think it's actually one of these:

https://www.hidglobal.com/sites/hidglobal.com/files/resource_files/hid-rfid-il-brick-tag-nova-ds-en.pdf

http://www.sokymat-automotive.com/nova.aspx

asper · 2013-09-03 20:05:34

Ok but where do you read the name T5? It seems a pcf7931 (shape) but it has 2 chips inside, an eeprom and a rfid interface chip (look at the sokymat pics). It is stated (1st link) that it also support hf frequencies (penultimate tab line)... maybe a new product... similar to EM H4062... and maybe the plastic "case" contains the antenna...

Last edited by asper (2013-09-03 20:17:08)

adam@algroup.co.uk · 2013-09-03 20:44:59

T5 is a common target in the automotive cloning industry. Sometimes it's referred to as a 'Sokymat T5':

http://www.noimmo.lt/equipment/params/86/

http://www.ecufactory.com/auto-transponder-chip/honda-t5-id20-sokymat_p2213/

http://www.lockandkeyshop.co.uk/cgi-bin/sh000001.pl?REFPAGE=http%3a%2f%2fwww.lockandkeyshop.co.uk%2f&WD=t5&PN=Transponders.html%23a5674#a5674

etc.

Since the sokymat link specifies that it is used for cloning, I'm assuming this is the same device, but I'm not sure. That's why I said "I think it's one of these".

asper · 2013-09-03 21:42:47

T5 "should be" Sokymat SID160 (NOVA) (also JMA TP05) so probably here it is: https://www.spezial.com/doc/hid/SOKYMAT_alt/sok-glasstag-3.2-na.pdf so you are right, it is not Q5 or T5555.

More info (taken from this official page):
NOVA: read/write,160 Bit EEPROM (10 words of 16 Bit), data transmission ASK Manchester or Bifase,
Bit-rate user defined (CF/32, CF/64 or CF/100), memory size (64 Bit or 128 Bit) and memory protected area easily programmable.

Last edited by asper (2013-09-03 22:13:30)

adam@algroup.co.uk · 2013-09-04 08:55:47

OK, so "this official page" is just the German version of the link I posted earlier, so I guess we're agreed!

So now all we need is the programming manual...

asper · 2013-09-04 09:06:56

Yeah but it seems to be some sort of "nda" or something because it's almost impossible to find even if this device is quite common... you can try to log some traces with pm3... but I don't think you will find programming commands, only reading... for what I read there are very few commands for it, just 4, for different writing procedures (info found on some ahrdware programmer pdf manuals) but no description of the command set (here at page 16 and 18).

I think those hex commands are for the programmer not for the real nova tag. Anyway you can find other "maybe" useful info in that pdf (ex. page 28).

Anyway IPC10 (T5) and IPC11 (Q5) seems to use the same command sets (page 24) so probably commands are the same as a Q5 !

IPC10 seems to be a specific Siemens product maybe partially cloned by sokymat to a T5 or mayb Siemens cloned it (only guessing - that pdf is 2009).

other document (german only - look for "ipc10")

another one (from page 64 - specific bit explanation)

good finding (page 52 - IPC10 seems to be EM4069 comaptible ! See the extracted picture below:

probably, after EM acquisition of Sokymat (in 2003), EM4069 becomes Nova (that last document in fact is 2002, others are 2009).

Last edited by asper (2014-11-23 10:56:36)

adam@algroup.co.uk · 2013-09-04 12:23:51

Hmmm... Some nice info!

As far as using the same command set goes, I can't use a Q5 programmer to read any sensible data from the T5, and the config block layout is definitely not the same...

I have a cheap automotive cloning system on order, so I'll try sniffing some write sessions once it arrives... We may have to simply reverse engineer it based on what the final characteristics of the tag are after programming.

Thanks for your help!

asper · 2013-09-04 12:26:56

Well reading datasheets Q5 commands are different from H4069 (EM4069). You can try to sniff the communication inside your car with pm3.

adam@algroup.co.uk · 2013-09-04 14:50:09

I'm curious how you would go about sniffing LF with the PM3? I normally use an oscope.

asper · 2013-09-04 15:07:33

You are absolutely right, there is no snoop function for LF ! You can pledge for an hackrf

o0o0o0o · 2013-09-04 16:13:13

I am also curious.
When sniffing LF, I usually burn what covers the antenna's enamel wire of the reader/tag and put my oscilloscope probe there.
But, when sniffing HF, I just use an "external" sniffer.

Is there anything similar to a sniffer that works at Low Frequency ?
Does anybody tried to make a LF antenna that works with his oscilloscope ?
Mine uses the BNC stuff...

jonor · 2013-09-04 19:44:37

asper wrote:

You are absolutely right, there is no snoop function for LF ! You can pledge for an hackrf

HackRF start from 30MHz I read it's works well with 13.56MHz, but for 125KHz is very hard.

asper · 2013-09-04 19:48:45

There is an additional very low cost module (ham it up) to start at 300kHz so maybe something at 120-130 kHz could be listened.

Last edited by asper (2013-09-04 19:51:16)

en4rab · 2013-09-08 20:34:30

It might not be quite what you want but Henryk Plötz, Karsten Nohl demonstrated a very simple pc soundcard based sniffer for Lf tags at the 2009 HAR conference in their talk breaking hitag2 you can see the talk here:
https://www.youtube.com/watch?v=5wQKtYcJV88&list=PLEB5C4BB74C7CDF7C
the talk begins about 7 mins into the first section.
The papers for the talk are here:
https://har2009.org/program/events/135.en.html sadly they seem to be corrupted somehow as adobe reader is complainig about them, from memory it was just a coil and a diode for the sniffer, and a coil and a transistor to replay recordings.

Edit just to add the paper with the schematic is working here:
http://www2.informatik.hu-berlin.de/~ploetz/analyzing-an-unknown-access-control-system.pdf

Last edited by en4rab (2013-09-08 20:39:44)

asper · 2013-09-09 01:01:15

It works but you have to connect to the antenna coil ends (and you can use an old mp3 player to record tracks connecting the antenna to the mic or recording from a netbook mic).

asper · 2013-10-03 21:57:39

Well it turns out that T5 uses the same protocol as EM4170 (page 6 for commands).

For differencies and adaptation read this really interesting thesis (pag.266).

asper · 2014-01-06 12:31:55

Well, it seems that T5 were replaced by Atmel TK5551M.

asper · 2014-01-25 10:22:55

A blank T5 trace can be found here.

Last edited by asper (2014-01-25 10:23:06)

asper · 2014-11-23 10:58:24

Any news about this adam ?

Proxmark3 community

Announcement

#1 2013-08-29 17:04:44

T5 Vehicle tags

#2 2013-08-29 19:46:50

Re: T5 Vehicle tags

#3 2013-08-31 11:23:37

Re: T5 Vehicle tags

#4 2013-09-01 00:47:11

Re: T5 Vehicle tags

#5 2013-09-01 10:55:28

Re: T5 Vehicle tags

#6 2013-09-03 17:52:40

Re: T5 Vehicle tags

#7 2013-09-03 20:05:34

Re: T5 Vehicle tags

#8 2013-09-03 20:44:59

Re: T5 Vehicle tags

#9 2013-09-03 21:42:47

Re: T5 Vehicle tags

#10 2013-09-04 08:55:47

Re: T5 Vehicle tags

#11 2013-09-04 09:06:56

Re: T5 Vehicle tags

#12 2013-09-04 12:23:51

Re: T5 Vehicle tags

#13 2013-09-04 12:26:56

Re: T5 Vehicle tags

#14 2013-09-04 14:50:09

Re: T5 Vehicle tags

#15 2013-09-04 15:07:33

Re: T5 Vehicle tags

#16 2013-09-04 16:13:13

Re: T5 Vehicle tags

#17 2013-09-04 19:44:37

Re: T5 Vehicle tags

#18 2013-09-04 19:48:45

Re: T5 Vehicle tags

#19 2013-09-08 20:34:30

Re: T5 Vehicle tags

#20 2013-09-09 01:01:15

Re: T5 Vehicle tags

#21 2013-10-03 21:57:39

Re: T5 Vehicle tags

#22 2014-01-06 12:31:55

Re: T5 Vehicle tags

#23 2014-01-25 10:22:55

Re: T5 Vehicle tags

#24 2014-11-23 10:58:24

Re: T5 Vehicle tags

Board footer