Proxmark3 community

M&S

Contributor

Registered: 2015-12-15

Posts: 44

the T55xx commands release are not toys....

Today I, by my own stupidity, have nearly shot all my AT5577 cards and fobs by secretly playing with the new t55xx commands Marshmellow and iceman have updated and released recently.

(see Post 130
http://www.proxmark.org/forum/viewtopic.php?pid=20197#p20197)

The reason was because I had played the T55XX menu in Proxmark Client, where I did not realise that although I had not filled the text box with any password, when clicked on "READ" button,  I still sent out the read-with-password command "lf t55xx read b 0 p", and not just the harmless "lf t55xx read b 0" as I intended.

Thanks for a safety check for the password bit, which Marshmellow and iceman had built-in the SW, no harm came to my precious, very few chips and cards, what I have got with the purchase of the Proxmark3 system.

This danger is not a scaremongering trick, it is confirmed separately by Marshmellow, iceman and rbubba1911, so I consider I, very lucky, have a near escape a big loss this time.

Consider that, when a newb buys the proxmark, he/she/heshe would run much experiment firstly with any available material: the AT55xx the classic Mifare and HID card and definitely all the commands available in the Proxmark client. The danger what has happened to me today could happen to any newb, and that next time there may be not a lucky escape.

So, I think I repent/doing my detention by working on "improve" the menu part T55XX
1/ Make the "t55xx detect" function stay at top of the menu
2/ Separating read/write without and with password command; and also put clear warning sign to the command where harm can happen to chips.
3/ Restructure configuration command so that "get configuration", "set configuration" for at55xx and for at5555 (Q5) chip are clearly separated
4/ add new sector of t55xx "Extra Tools"  but with warning sign, rather than let them "laying" so yummily around

For that I modified the file "setting.xml" of the latest release pm3-bin-2.5.0 from Asper's sticky post
Compiled Windows Client - Download
http://www.proxmark.org/forum/viewtopic.php?id=1562 

(setting.xml for download here/ and replace the setting.xml in the Client directory, or where you call "Proxmark tool.exe" from. PS pls remember to keep a copy of your own version of setting.xml, in case you don't like this change)

Regard modification point 1/ and 2/

Regard modification point 3/

Regard modification point 4/

if you think
- you can use it, do take it
- you have comments, do critise
- think this is useless, just tell or ...

This is only for my lesson/detention/after-class-sitting....

Last edited by M&S (2016-02-23 14:22:07)

Apt-Get

Contributor

Registered: 2015-12-23

Posts: 111

Re: the T55xx commands release are not toys....

Just out of curiosity, and because im new to this.. I always run first.  lf t55 det.. then wipe if i want to work with them.
Is that a good best practice?

Also why would we not always just "lf search" a t5577 tag? they are pretty much guaranteed to be a clone of something we already know anyways. no? 
If im ever in doubt on the thin plastic cards i just shine a flashlight through them. lots of them will say t5577 inside. or if its an HF card the antenna inside is square instead of round.
Also I have noticed that em chips are smaller than 5577's
Am I doing ok with that? this is just what i have seen with a dozen or so cards so far.

-when you write blocks to the card it seems pretty hard to F this up and put in a pw without noticing. Or am i missing something?
-when would you need to set t55 config? example?

Sorry if these are stupid questions. Like i said. Im one of the newbs as referred in post 1.

MS if you dont want to order t5577's from china, Phidgets sells real France Atmel fobs for about $1 ea. Check them out.

Last edited by Apt-Get (2016-02-23 08:48:40)

iceman

Administrator

Registered: 2013-04-25

Posts: 9,501

Website

Re: the T55xx commands release are not toys....

lf search on a t55xx tag will only get what it is configured to output and if it fits any of the known demods.
however as a valid point, you will get modulation, bitrate,  from it.    Which is a good starting point if it is a known tag.

For unknown t55xx tags, its a guessing game.  The detect method tries all modulations, bitrates, inverted, st, etc and keep track of it.  It tries to load block0, and verify with these variables.   From all that is still positiv it can find multiple valid configurations of block 0...   

When it come to read block with pwd,  when pwd is not set in the config block,  it is actually exact same command as write block..  which gives you this nasty sideeffect if you use "read block0 with pwd", and tag is actually not configured for pwd.
It then overwrites block0,   ...  and if you write a invalid configblock to t55xx you can perma F it..     that is the real danger,  where me myself and others has perma F a couple of t55xx tags.

Hence Marshmellows warning and extra security protections.   Which has saved some tags by now.

I like the way you find out what kind of tag it is.  I never done it that way.   Good knowledge to have.

Apt-Get

Contributor

Registered: 2015-12-23

Posts: 111

Re: the T55xx commands release are not toys....

my first attempt to clone a tag on t5577 i wrote the bad block 0 if you remember lol.  -1$
haha

Apt-Get

Contributor

Registered: 2015-12-23

Posts: 111

Re: the T55xx commands release are not toys....

removed

Last edited by Apt-Get (2016-02-23 09:31:34)

iceman

Administrator

Registered: 2013-04-25

Posts: 9,501

Website

Re: the T55xx commands release are not toys....

Maybe if you start a new thread,  with pictures and your exeriences,  it would be better.  We could make it sticky.
as it is now, this thread is about block0 and pwd settings.

M&S

Contributor

Registered: 2015-12-15

Posts: 44

Re: the T55xx commands release are not toys....

In general when seeing a new fob/card I would start with "lf search u"

But reading the forum a lot of chip types can be simulated by a t55x7 so it is good to have a strong section of t55x7 commands (to read the config block 0, data block for example)
 
I use "lf t55xx info" or "lf t55xx config" to check after I play writing to t55x7 whether it has written correctly or not. Once I met a bad  t55x7, wrote with no difficulty, no complaint, but what ever I changed it still behaves a ASK RF/32

I like your method of fob/card identify by light shine-through and antenna form, size.

Regarding the set/get configuration, actually I should put a warning sign in there too... I am not sure if it is that far to config read the Q5?

If leave all fields empty, so "lf t55xx config b  d  i  o  q5"  would it harm the Q5 fob?

if "lf t55xx config q5" would get the configuration of my Q5

M&S

Contributor

Registered: 2015-12-15

Posts: 44

Re: the T55xx commands release are not toys....

and the brute force password part, when is it implemented? Does it work?

16^8 is a very large amount of PW keys to check

iceman

Administrator

Registered: 2013-04-25

Posts: 9,501

Website

Re: the T55xx commands release are not toys....

the BF against a t55xx works,  but is very slow.   its in the PM3 master,  under  "lf t55xx brute"

Realistic to run? no, not against the whole search space.

M&S

Contributor

Registered: 2015-12-15

Posts: 44

Re: the T55xx commands release are not toys....

the BF against a t55xx works,  but is very slow.   its in the PM3 master,  under  "lf t55xx brute"

Realistic to run? no, not against the whole search space.

I know  did give it a menu item, under T55xx/Extra Tools/Brute force wit start and end password and dictionary.file loading option.

I know it is not realistic to run at the moment, but I still like to read somewhere OFFSIDE about the principle you two have worked out, if you could share it is interesting subject.

ntk

Contributor

Registered: 2015-05-24

Posts: 701

Re: the T55xx commands release are not toys....

You remember years ago, when WEP has been still considered a good network protection measure, and people still can use 5,6 char long word as safe PW, we had started to tackle wifi with aircrack running at first with 300 keys/s, then WITH SSE, AMD came, we could check 1700 keys/s, John the ripper came along, Cain & Able, then Pyrit,  hashcat, OCL, EWSA, REAVER nowadays multiple processor core CPU then GPU, BOT, Cloud networking, password crack running at over millions key/s is possible

yes a million keys per second

the ironie is nowadays it seems to be unwise or crazy to arm your network with an uncrackable password. It is safe & required by law to have a network PW but to protect yourself from higher power, from GOV's sniffing from NSA don't make it impossible hard.

I like to read about your BF password method too, even when "Realistic to run? no, not against the whole search space". pls share

Last edited by ntk (2016-02-23 17:07:42)

iceman

Administrator

Registered: 2013-04-25

Posts: 9,501

Website

Re: the T55xx commands release are not toys....

You can read about it in the actual thread where it all started.

Ref:   http://www.proxmark.org/forum/viewtopic … 227#p20227

And no,  there is no "offline" mode where a GPU can take over.

ntk

Contributor

Registered: 2015-05-24

Posts: 701

Re: the T55xx commands release are not toys....

Many thanks iceman

marshmellow

Contributor

From: US

Registered: 2013-06-10

Posts: 2,302

Re: the T55xx commands release are not toys....

this whole subject fits better in the windows client section as the issue appears to have been driven by the windows GUI interface which is a separate project and not used or supported by most of the PM3 developers.

Asper works at keeping it up to date but cannot always keep up with changing commands or knowing what the commands do or are for to add warnings.  i'm sure Asper would welcome support in fixing the ever changing xml file.

and as is often stated for any software relating to the PM3, use at your own risk .  read twice do once.

M&S

Contributor

Registered: 2015-12-15

Posts: 44

Re: the T55xx commands release are not toys....

Happy that my "detention" can make a small contribution to the project. I am very glad to help.

Last edited by M&S (2016-02-24 03:52:10)