Proxmark3 community


#1 2015-08-12 21:16:25

rbubba1911
Contributor
Registered: 2014-08-14
Posts: 86

lf t55 command serious bug

Hi,

I've started playing with my new T55 chip, and I found two strange bugs.

1) Despite the fact that this modulation is in the supported list, this gives:

proxmark3> lf t55 config d NZ
Unknown modulation 'NZ' 

2) Very annoying (it stresses me a lot):

If by accident you put:
lf t55 read 0 51243648

(which IMHO should not modify the configuration)

that changes something (the block0?) and makes the card unreadable!!

No way to revert back; you can no longer access the chip. :( :(

In the data plot window, the signal is very different.

A read command, even with a wrong passwd, should not change the card configuration.

PS: I tried two times with two cards and got the same result (two cards unreadable).

PM3 Version:
bootrom: master/v2.2.0-44-g987dfb6-suspect 2015-07-24 09:54:15
os: master/v2.2.0-44-g987dfb6-suspect 2015-07-24 09:54:16
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54

Last edited by rbubba1911 (2015-08-12 21:17:27)


#2 2015-08-12 21:21:22

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: lf t55 command serious bug

The config d nz is a known textual bug (as it should be nrz) and will be pushed in a later larger push.

The other item: a read command could only create issues if your antenna or the tag's antenna is poor and the chip misinterpreted the command. Blame Atmel for making read and write commands so similar.


#3 2015-08-12 21:23:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495

Re: lf t55 command serious bug

Bug no. 1 is a help text error. The correct parameter is:

lf t55xx config d NRZ

Bug number two is exceptionally strange. The reading command doesn't write to the tag.
Can you give the output for

lf t55 detect


#4 2015-08-12 21:26:41

rbubba1911
Contributor
Registered: 2014-08-14
Posts: 86

Re: lf t55 command serious bug

Hi,

I think you are right, but it is strange: the T55 has a very good signal (versus the original Noralsy),
and with the other card, I don't have any trouble when I read or write a block (even with passwd).

I mean I only have this behaviour when I issue the 'wrong' read cmd.

It's so reproducible that it leads me to think of a bug...

Do you have a clue to retrieve my card?

Thanks

I should think to use NRZ, I'm stressed :)

Last edited by rbubba1911 (2015-08-12 21:31:22)


#5 2015-08-12 21:29:42

rbubba1911
Contributor
Registered: 2014-08-14
Posts: 86

Re: lf t55 command serious bug

proxmark3> lf t55 write 0 000c8040
Writing to block: 0  data  : 0x000C8040         
proxmark3> lf t55 detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

Note: these commands work fine with other cards.

Look at the scenario:
from a never-used card

proxmark3> lf t55 detect
clk 255         
Modulation : ASK         
Bit Rate   : 3 - RF/40         
Inverted   : No         
Offset     : 1         
Block0     : 0x000C8040         
         
proxmark3> lf t55 dump
[0] 0x000C8040  00000000000011001000000001000000         
[1] 0x12345678  00010010001101000101011001111000         
[2] 0x00000000  00000000000000000000000000000000         
...
proxmark3> lf t55 read 0 51243648
proxmark3> lf t55 detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

[image: 1439412556_read0.png]

Last edited by rbubba1911 (2015-08-12 21:49:27)


#6 2015-08-12 21:35:41

rbubba1911
Contributor
Registered: 2014-08-14
Posts: 86

Re: lf t55 command serious bug

If you have a blank/no-password T55 card, can you please try (and maybe lose one card :D :D)
the following command:

lf t55 read 0 51243648

WARNING : MAY BREAK YOUR CARD


#7 2015-08-12 22:20:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495

Re: lf t55 command serious bug

Hm, nasty, I had to try it myself.....

What gets written to block 0?

51243648
5 - nothing (safer key)
1 - resv
2 - resv
4 - RF/16
3 - modulation = PSK3
6 - AOR, PSKCGF RF/4
4 - maxblock = 2
8 - SST


#8 2015-08-12 22:24:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495

Re: lf t55 command serious bug

If your tag was blank, I could make my tag reappear with an all-zeros pwd.

lf t55 wr 0 00148040 00000000


#9 2015-08-12 22:29:01

rbubba1911
Contributor
Registered: 2014-08-14
Posts: 86

Re: lf t55 command serious bug

sounds good,

On my side, after a long try, I had success with:

lf t55 write 0 000c8040 0

and that reset the chip to the correct state.

:D

Do you agree this behaviour is not expected?
I mean, a read command, even with a wrong passwd, should not change the card configuration.

Last edited by rbubba1911 (2015-08-12 22:31:09)


#10 2015-08-12 22:32:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495

Re: lf t55 command serious bug

Your configuration block 0x000c8040 is not working too well on my tag. I can't get the "lf t55 detect" to find it.
Does yours?


#11 2015-08-12 22:34:02

rbubba1911
Contributor
Registered: 2014-08-14
Posts: 86

Re: lf t55 command serious bug

yep,

proxmark3> lf t55 write 0 000c8040 0
Writing to block: 0  data  : 0x000C8040         
pwd   : 0x00000000         
proxmark3> lf t55 detect
clk 255         
Modulation : ASK         
Bit Rate   : 3 - RF/40         
Inverted   : No         
Offset     : 1         
Block0     : 0x000C8040         
         
proxmark3> lf t55 info
         
-- T55xx Configuration & Tag Information --------------------         
-------------------------------------------------------------         
Safer key                 : 0         
reserved                  : 0         
Data bit rate             : 3 - RF/40         
eXtended mode             : No         
Modulation                : 8 - Manchester         
PSK clock frequency       : 0         
AOR - Answer on Request   : No         
OTP - One Time Pad        : No         
Max block                 : 2         
Password mode             : No         
Sequence Start Terminator : No         
Fast Write                : No         
Inverse data              : No         
POR-Delay                 : No         
-------------------------------------------------------------         
Raw Data - Page 0         
     Block 0  : 0x000C8040  00000000000011001000000001000000         
-------------------------------------------------------------

Note: I found this value for block0 in a post/trace on the forum. What is the default (from the pm3 POV) configuration for a T55?

Last edited by rbubba1911 (2015-08-12 22:38:05)
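
Added example (not part of any post above, and not Proxmark3 code): a small C decoder for the T55x7 block 0 configuration word, using the field order shown in the `lf t55 info` output above, applied to the three values that appear in this thread. The function names and the field widths (4, 7, 3, 1, 5, 2, 1, 1, 3, 1, 1, 1, 1, 1 bits, MSB first) are this example's own; the widths are checked against the thread's decoded output for 0x000C8040.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Block 0 fields in the order `lf t55 info` prints them in the thread. */
typedef struct {
    uint8_t safer, resv, bitrate, extended, modulation, pskcf, aor, otp;
    uint8_t maxblock, pwd, sst, fastwrite, inverse, por;
} t55_cfg;

/* Take n bits from word, most significant bit first, advancing *pos. */
static uint8_t take(uint32_t word, int *pos, int n) {
    uint8_t v = (uint8_t)((word >> (32 - *pos - n)) & ((1u << n) - 1u));
    *pos += n;
    return v;
}

t55_cfg t55_decode_block0(uint32_t b0) {
    t55_cfg c;
    int p = 0;
    c.safer      = take(b0, &p, 4);  c.resv      = take(b0, &p, 7);
    c.bitrate    = take(b0, &p, 3);  c.extended  = take(b0, &p, 1);
    c.modulation = take(b0, &p, 5);  c.pskcf     = take(b0, &p, 2);
    c.aor        = take(b0, &p, 1);  c.otp       = take(b0, &p, 1);
    c.maxblock   = take(b0, &p, 3);  c.pwd       = take(b0, &p, 1);
    c.sst        = take(b0, &p, 1);  c.fastwrite = take(b0, &p, 1);
    c.inverse    = take(b0, &p, 1);  c.por       = take(b0, &p, 1);
    return c;
}

/* Basic-mode names; values 3 and 8 are confirmed by the thread's output. */
const char *t55_modulation_name(uint8_t m) {
    static const char *names[] = {"Direct/NRZ", "PSK1", "PSK2", "PSK3", "FSK1",
                                  "FSK2", "FSK1a", "FSK2a", "Manchester"};
    if (m <= 8) return names[m];
    return m == 16 ? "Biphase" : "unknown";
}

const char *t55_bitrate_name(uint8_t r) {
    static const char *names[] = {"RF/8", "RF/16", "RF/32", "RF/40",
                                  "RF/50", "RF/64", "RF/100", "RF/128"};
    return r < 8 ? names[r] : "unknown";
}

int main(void) {
    const uint32_t words[] = {0x000C8040u, 0x51243648u, 0x00148040u}; /* from the thread */
    for (size_t i = 0; i < sizeof words / sizeof words[0]; i++) {
        t55_cfg c = t55_decode_block0(words[i]);
        printf("0x%08X: %s %s maxblock=%u pwd=%u aor=%u sst=%u\n", (unsigned)words[i],
               t55_modulation_name(c.modulation), t55_bitrate_name(c.bitrate),
               (unsigned)c.maxblock, (unsigned)c.pwd, (unsigned)c.aor, (unsigned)c.sst);
    }
    return 0;
}
```

Decoding a value before writing it to block 0 shows which modulation and bit rate the tag will answer with afterwards, which is what a reader has to be set to in order to see it again.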


#12 2015-08-12 22:55:12

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495

Re: lf t55 command serious bug

Hm, I think there is a spindelayus("start_gap") inside the T55xxReadBlock() (lfops.c) which makes it behave like a write...


#13 2015-08-12 23:07:14

rbubba1911
Contributor
Registered: 2014-08-14
Posts: 86

Re: lf t55 command serious bug

It's too deep inside the code for me.

Sadly, I haven't taken the time to read it correctly (shame on me!)

Who is able to fix this? Do I need to report it to somebody?

Last edited by rbubba1911 (2015-08-12 23:09:19)


#14 2015-08-13 07:24:06

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495

Re: lf t55 command serious bug

If you start an issue on GitHub, that would be a good starting point


#15 2015-08-13 13:20:14

rbubba1911
Contributor
Registered: 2014-08-14
Posts: 86

Re: lf t55 command serious bug

I posted an issue ticket on GitHub, let's see ;)
