Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-05-20 12:06:28

mwalker
Moderator
Registered: 2019-05-11
Posts: 279

T5577 Cloner Passwords

Not sure if there is a list thread, feel free to update and delete this thread as needed.

I got a white cloner to play with today.

It does not seem to do anything special, but it did have 3 passwords in its writes, none of which were in the password file I have.

I have confirmed the following.

It sets the password to:
00434343

It also tried a password write with two other passwords, so I assume they have been used at some point:

    44B44CAE and 88661858

I tested this by creating a tag with each password and getting the cloner to write to it; it updated the card and changed the password to the one it set.

Edit / Update:
It seems that the white (English) cloner puts different passwords on the card on write. The 44B44CAE and 88661858 passwords are always in the first write commands, so I believe them to be common old ones.
I have started to play with how it knows the old password (if not the above 2). Early testing shows it's based on the data/ID.
The unit does not allow you to enter full ID number ranges (it works in decimal), but I can set the customer ID to 0/1/2 and nothing seems to change in the password (more testing needed). But early bit testing does show things changing with the customer data bits.

Last edited by mwalker (2019-05-23 03:37:18)


#2 2019-06-11 06:52:49

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: T5577 Cloner Passwords

These things are so frustrating! How is this for a laugh.

I ended up with one back in 2014 that shows correct IDs for HID and EM tags. You could even enter the ID like 103345 and get a HID chip programmed with SC: 10 ID: 3345.

Then in 2016 I got 4 more passed on to me that were totally different PCB revisions - they obfuscated the ID shown on the display so it was totally meaningless and similarly the ID entered to program would be scrambled. Go figure.

The only one I see worth playing with now is:


https://www.amazon.com/English-Version-Duplicator-Function-Machine/dp/B077HTDMK6

Apparently it has tag password management etc. built in and storage for tag IDs.

Also, if you look inside one of these colour-screen ones that you are talking about, they are basically a Proxmark3 with a screen and buttons. Same ARM chip, same FPGA and a similar RF front end... Crazy, just crazy.

Last edited by Tom5ive (2019-06-11 06:53:52)


#3 2019-06-11 07:09:56

mwalker
Moderator
Registered: 2019-05-11
Posts: 279

Re: T5577 Cloner Passwords

LOL yeah, I got them for a play and to help me learn. Always good to have a goal when learning.
The white one I have is different but has the same button layout and speaks to you.
I spent some time and got it to spit out the "snoop" data for 0, 1, 2, 4 ... up to the max bit, so all the passwords for a single bit set.
Then, based on that, I put together my initial "password generator".
It almost worked with my test data, i.e. it was the 2 middle digits in the password that were a little out (but it could get worse).
My code worked for 00's and FF's and some others, but not all.
Some bits seem to change nothing (as single bits) while others can change 2 bits.
If what you say is right (have not pulled the cover off yet), I might be better off turning it into a proxmark :)

So that said, if the goal is to "reuse" a card, then, with mine, all that I need to do is send a card ID of 0 (or any other known password) and then I know that password.


#4 2019-06-11 07:24:32

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,301

Re: T5577 Cloner Passwords

The algo probably uses some simple bit math. If you share your dataset the community could comment. :)


#5 2019-06-11 08:01:29

mwalker
Moderator
Registered: 2019-05-11
Posts: 279

Re: T5577 Cloner Passwords

The raw data set.
My initial (random) tests seem to show that the "customer ID" did not change the password, just the 32-bit user data.
The decimal ID was logged as that's what the programmer/cloner wants it keyed in as.

for Reference, bit order/index 32 31 .... 2 1

Dec. ID      Binary ID                                   Binary Password
0            0000 0000 0000 0000 0000 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
1            0000 0000 0000 0000 0000 0000 0000 0001     0000 0000 0000 0001 0000 0011 0000 0011
2            0000 0000 0000 0000 0000 0000 0000 0010     0000 0000 0000 0001 0000 0011 0000 0011
4            0000 0000 0000 0000 0000 0000 0000 0100     0000 0000 0000 0001 0000 0111 0000 0111
8            0000 0000 0000 0000 0000 0000 0000 1000     0000 0000 0000 0001 0000 1011 0000 1011
16           0000 0000 0000 0000 0000 0000 0001 0000     0000 0000 0000 0001 0000 0011 0000 0011
32           0000 0000 0000 0000 0000 0000 0010 0000     0000 0000 0000 0001 0010 0011 0010 0011
64           0000 0000 0000 0000 0000 0000 0100 0000     0000 0000 0000 0001 0100 0011 0100 0011
128          0000 0000 0000 0000 0000 0000 1000 0000     0000 0000 0000 0001 1000 0011 1000 0011
256          0000 0000 0000 0000 0000 0001 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
512          0000 0000 0000 0000 0000 0010 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
1024         0000 0000 0000 0000 0000 0100 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
2048         0000 0000 0000 0000 0000 1000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
4096         0000 0000 0000 0000 0001 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
8192         0000 0000 0000 0000 0010 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
16384        0000 0000 0000 0000 0100 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
32768        0000 0000 0000 0000 1000 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
65536        0000 0000 0000 0001 0000 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
131072       0000 0000 0000 0010 0000 0000 0000 0000     0000 0000 0000 0011 0000 0011 0000 0011
262144       0000 0000 0000 0100 0000 0000 0000 0000     0000 0000 0000 0101 0000 0011 0000 0011
524288       0000 0000 0000 1000 0000 0000 0000 0000     0000 0000 0000 1001 0000 0011 0000 0011
1048576      0000 0000 0001 0000 0000 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
2097152      0000 0000 0010 0000 0000 0000 0000 0000     0000 0000 0010 0001 0000 0011 0000 0011
4194304      0000 0000 0100 0000 0000 0000 0000 0000     0000 0000 0100 0001 0000 0011 0000 0011
8388608      0000 0000 1000 0000 0000 0000 0000 0000     0000 0000 1000 0001 0000 0011 0000 0011
16777216     0000 0001 0000 0000 0000 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
33554432     0000 0010 0000 0000 0000 0000 0000 0000     0000 0010 0000 0001 0000 0101 0000 0011
67108864     0000 0100 0000 0000 0000 0000 0000 0000     0000 0100 0000 0001 0000 0111 0000 0011
134217728    0000 1000 0000 0000 0000 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
268435456    0001 0000 0000 0000 0000 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
536870912    0010 0000 0000 0000 0000 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
1073741824   0100 0000 0000 0000 0000 0000 0000 0000     0000 0000 0000 0001 0000 0011 0000 0011
2147483648   1000 0000 0000 0000 0000 0000 0000 0000     1000 0000 0000 0001 1000 0011 0000 0011

Where I started was I seeded the "password" with the result of all 0 (0000 0000 0000 0001 0000 0011 0000 0011).
Then I looked at what changes were made with each data bit set (based on an XOR), e.g. LSB bit 3 (right-most bit is 1) XOR with password bits 3 and 11.

e.g. (may not be 100% as I was playing)

Dec. ID      Binary ID                                   Action
1            0000 0000 0000 0000 0000 0000 0000 0001     -
2            0000 0000 0000 0000 0000 0000 0000 0010     -
4            0000 0000 0000 0000 0000 0000 0000 0100     xor b3, xor b11
8            0000 0000 0000 0000 0000 0000 0000 1000     xor b4, xor b12
16           0000 0000 0000 0000 0000 0000 0001 0000     -
32           0000 0000 0000 0000 0000 0000 0010 0000     xor b6, xor b14
64           0000 0000 0000 0000 0000 0000 0100 0000     xor b7, xor b15
128          0000 0000 0000 0000 0000 0000 1000 0000     xor b8, xor b16
256          0000 0000 0000 0000 0000 0001 0000 0000     -
512          0000 0000 0000 0000 0000 0010 0000 0000     -
1024         0000 0000 0000 0000 0000 0100 0000 0000     -
2048         0000 0000 0000 0000 0000 1000 0000 0000     -
4096         0000 0000 0000 0000 0001 0000 0000 0000     -
8192         0000 0000 0000 0000 0010 0000 0000 0000     -
16384        0000 0000 0000 0000 0100 0000 0000 0000     -
32768        0000 0000 0000 0000 1000 0000 0000 0000     -
65536        0000 0000 0000 0001 0000 0000 0000 0000     -
131072       0000 0000 0000 0010 0000 0000 0000 0000     xor b18
262144       0000 0000 0000 0100 0000 0000 0000 0000     xor b19
524288       0000 0000 0000 1000 0000 0000 0000 0000     xor b20
1048576      0000 0000 0001 0000 0000 0000 0000 0000     -
2097152      0000 0000 0010 0000 0000 0000 0000 0000     xor b22
4194304      0000 0000 0100 0000 0000 0000 0000 0000     xor b23
8388608      0000 0000 1000 0000 0000 0000 0000 0000     xor b24
16777216     0000 0001 0000 0000 0000 0000 0000 0000     -
33554432     0000 0010 0000 0000 0000 0000 0000 0000     xor b26, b11
67108864     0000 0100 0000 0000 0000 0000 0000 0000     xor b27, b10, b11
134217728    0000 1000 0000 0000 0000 0000 0000 0000     -
268435456    0001 0000 0000 0000 0000 0000 0000 0000     -
536870912    0010 0000 0000 0000 0000 0000 0000 0000     -
1073741824   0100 0000 0000 0000 0000 0000 0000 0000     -
2147483648   1000 0000 0000 0000 0000 0000 0000 0000     xor b32, xor b16

Happy to create the password for any "id values" needed.

Last edited by mwalker (2019-06-11 08:02:24)


#6 2019-06-11 17:33:15

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,301

Re: T5577 Cloner Passwords

Could you double-test the

33554432     0000 0010 0000 0000 0000 0000 0000 0000     0000 0010 0000 0001 0000 0101 0000 0011

line?


#7 2019-06-12 10:39:42

mwalker
Moderator
Registered: 2019-05-11
Posts: 279

Re: T5577 Cloner Passwords

33554432 Password: 0000 0010 0000 0001 0000 0101 0000 0011
So as posted. Note I did find this was more than just a simple XOR, and some bits change if more than one bit is set.
So I think we need some more sample data, and I'm happy for some ideas. I was thinking things like 010101... and 101010 and/or all 1s for each nibble.


#8 2019-06-12 11:50:45

iceman
Administrator
Registered: 2013-04-25
Posts: 6,560
Website

Re: T5577 Cloner Passwords

uid AND 0x00010303

Curious about this one:

32           0000 0000 0000 0000 0000 0000 0010 0000     0000 0000 0000 0001 0010 0011 0010 0011
64           0000 0000 0000 0000 0000 0000 0100 0000     0000 0000 0000 0001 0100 0011 0100 0011
128          0000 0000 0000 0000 0000 0000 1000 0000     0000 0000 0000 0001 1000 0011 1000 0011

What pwd will be generated with a uid of 224?



#9 2019-06-12 13:03:18

mwalker
Moderator
Registered: 2019-05-11
Posts: 279

Re: T5577 Cloner Passwords

UID of 224: 0000 0000 0000 0001 1110 0011 1110 0011

uid 0xFFFFFFFF: 1000 0110 1110 1111 0111 0101 1110 1111

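The single-bit table in #5 and the two check values in #9 are enough to test the "seed XOR per-bit deltas" idea mechanically. The script below is an example added by the editor, not code posted by mwalker or anyone else in the thread: the password column and the 224 / 0xFFFFFFFF results are copied from the posts, and everything else (function names, the linear model) is the editor's. It re-derives which password bits each uid bit flips, then checks the purely linear model against both check values.

```python
"""Re-derive the per-bit XOR table from the single-bit dataset posted above and
test the "base XOR deltas" model against the check values posted later (224
and 0xFFFFFFFF). Editor-added example, not code from the thread."""

# Password column copied from the post; the binary UID column is omitted
# because it is only the decimal UID written out in binary.
RAW_TABLE = """
0           0000 0000 0000 0001 0000 0011 0000 0011
1           0000 0000 0000 0001 0000 0011 0000 0011
2           0000 0000 0000 0001 0000 0011 0000 0011
4           0000 0000 0000 0001 0000 0111 0000 0111
8           0000 0000 0000 0001 0000 1011 0000 1011
16          0000 0000 0000 0001 0000 0011 0000 0011
32          0000 0000 0000 0001 0010 0011 0010 0011
64          0000 0000 0000 0001 0100 0011 0100 0011
128         0000 0000 0000 0001 1000 0011 1000 0011
256         0000 0000 0000 0001 0000 0011 0000 0011
512         0000 0000 0000 0001 0000 0011 0000 0011
1024        0000 0000 0000 0001 0000 0011 0000 0011
2048        0000 0000 0000 0001 0000 0011 0000 0011
4096        0000 0000 0000 0001 0000 0011 0000 0011
8192        0000 0000 0000 0001 0000 0011 0000 0011
16384       0000 0000 0000 0001 0000 0011 0000 0011
32768       0000 0000 0000 0001 0000 0011 0000 0011
65536       0000 0000 0000 0001 0000 0011 0000 0011
131072      0000 0000 0000 0011 0000 0011 0000 0011
262144      0000 0000 0000 0101 0000 0011 0000 0011
524288      0000 0000 0000 1001 0000 0011 0000 0011
1048576     0000 0000 0000 0001 0000 0011 0000 0011
2097152     0000 0000 0010 0001 0000 0011 0000 0011
4194304     0000 0000 0100 0001 0000 0011 0000 0011
8388608     0000 0000 1000 0001 0000 0011 0000 0011
16777216    0000 0000 0000 0001 0000 0011 0000 0011
33554432    0000 0010 0000 0001 0000 0101 0000 0011
67108864    0000 0100 0000 0001 0000 0111 0000 0011
134217728   0000 0000 0000 0001 0000 0011 0000 0011
268435456   0000 0000 0000 0001 0000 0011 0000 0011
536870912   0000 0000 0000 0001 0000 0011 0000 0011
1073741824  0000 0000 0000 0001 0000 0011 0000 0011
2147483648  1000 0000 0000 0001 1000 0011 0000 0011
"""

# Check values mwalker posted in reply to iceman: uid -> observed password.
CHECKS = {224: 0x0001E3E3, 0xFFFFFFFF: 0x86EF75EF}


def parse_table(raw):
    """Return {uid: password} from the whitespace-separated rows above."""
    samples = {}
    for line in raw.strip().splitlines():
        tok = line.split()
        uid, pwd = int(tok[0]), int("".join(tok[1:]), 2)
        if uid & (uid - 1):
            raise ValueError(f"expected a single-bit uid: {line}")
        samples[uid] = pwd
    return samples


def bit_deltas(samples):
    """For every single-bit uid, the password bits it flips relative to uid 0."""
    base = samples[0]
    return {uid: pwd ^ base for uid, pwd in samples.items() if uid}


def flipped_positions(mask):
    """1-indexed bit positions (bit 1 = LSB), the numbering used in the post."""
    return [i + 1 for i in range(32) if (mask >> i) & 1]


def predict_linear(uid, samples):
    """Model assumed by the hand-built 'Action' table:
    password = base XOR (XOR of the deltas of every set uid bit)."""
    deltas = bit_deltas(samples)
    pwd = samples[0]
    for i in range(32):
        if (uid >> i) & 1:
            pwd ^= deltas[1 << i]
    return pwd


def compare(uid, observed, samples):
    """(predicted, 1-indexed password bits where prediction and observation differ)."""
    predicted = predict_linear(uid, samples)
    return predicted, flipped_positions(predicted ^ observed)


if __name__ == "__main__":
    samples = parse_table(RAW_TABLE)
    for uid, delta in bit_deltas(samples).items():
        if delta:
            print(f"uid bit {flipped_positions(uid)[0]:2d} flips password bits {flipped_positions(delta)}")
    for uid, observed in CHECKS.items():
        predicted, wrong = compare(uid, observed, samples)
        print(f"uid {uid:08X}: predicted {predicted:08X}, observed {observed:08X}, "
              f"bits the linear model gets wrong: {wrong}")
```

Run stand-alone it prints the same flips the Action table lists (uid bit 3 flips password bits 3 and 11, uid bit 26 flips 10, 11 and 26, and so on), predicts 224 exactly as 0x0001E3E3, and for 0xFFFFFFFF predicts 0x86EF6DEF against the observed 0x86EF75EF: only password bits 12 and 13 differ, which is the "2 middle digits" effect and the part a purely per-bit XOR cannot capture. Rows with several uid bits set in the same byte are what the extra samples would need to cover.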

#10 2019-06-18 17:02:00

swampcat
Contributor
Registered: 2019-06-18
Posts: 2

Re: T5577 Cloner Passwords

Just a quick memory dump on blue/black and white cloners.
A bit rusty, but it should still be correct:

Intro
The Chinese sell the same-looking stuff in 4 quality grades, grade A to D.

Grade A is perfectly working, without any problems, the most expensive.
Grade D is barely working or breaks down quickly, the cheapest.

Hey, they sell you what you want to pay for, and a little soldering skill can improve a grade D to a grade A...


Chinese (125 kHz) cloners

Blue and black cloners
3 variants: 1) EM cloner; 2) HID cloner; 3) EM/HID cloner
Quality varies by manufacturer (quality A (good) to D (bad))
They set a password on block 7 of the chip and set the password enable bit in block 0
Standard password is normally: 51243648
Be sure to purchase the EM/HID version

White cloner (pre 2015)
Multifrequency
Buttons light up BLUE
Reads data correctly
Standard password is normally (for T55xx): AA55BBBB
Standard password 13.56 MHz: individual per white cloner
Coil performance acceptable

White cloner (2016-)
Multifrequency
Buttons light up WHITE
Data scrambled (variable per individual cloner, possibly to prevent legal issues)
Standard password is normally (for T55xx): AA55BBBB
Standard password 13.56 MHz: individual per white cloner
Coil performance good

White cloner (2016-, D quality)
Multifrequency (well, it says so... but it doesn't...)
Only works for EM/HID cards (125 kHz)
High frequency not working
Standard password is normally (for T55xx): AA55BBBB
Note: sets the HID card in TEST MODE

Unless you want to do some lazy cloning, stick to the Proxmark 3 or other projects.

Fixing your broken-by-cheap-Chinese-cloners T55xx cards:
Restore the page 1 data:

    lf t55xx write b 1 d E0150A48 1
    lf t55xx write b 2 d 2D782308 1

P.S. Always double-check that the cloner doesn't set your card to test mode...
Be aware of this if you want to use the card with your Proxmark.


#11 2019-06-19 08:35:38

mwalker
Moderator
Registered: 2019-05-11
Posts: 279

Re: T5577 Cloner Passwords

What do you mean by
"always doublecheck that cloner doesn't set your card to test mode."?

I thought test mode was used to make some changes and undo some protection, but had no long-term effect.

Update:

I went over the data sheet for the T5577 again and the way I read it is:
If the config in block 0 page 0 has its "master" key set to 6, then the page 0 test function is disabled.
If the config in block 3 page 1 has its "master" key set to 6, then the page 1 test function is disabled.
So, by setting either of those to 6 you can still make changes as long as you don't need the test option; you can also re-write the config and remove the master key to re-enable it.

The real challenge kicks in if you start setting the lock bits. As the way I read it, if you set the lock bit on any block, it can't be undone via the RFID commands, so if you set the master key to 6 then set the lock bit, that's it, locked.
i.e. for page 1
Quote from the data sheet:
"...If Option Key is 6 then the complete page 1 (i.e., option register and traceability data) cannot be overwritten by any Test Write Command.
This means, if the Lock bits of the three blocks of page 1 are set and the Option Key is 6, then all of page 1's blocks
are locked against change...."

It hints that you need to disable the test write commands AND set the lock bit to "lock against change".

What I have not tested yet (for example) is what happens if you set the lock bits on (say) page 1 blocks 1 and 2, but NOT 3 (page 1 config).
Can you then change block 3 to remove the master key as it's not locked, then use the test mode to clear the lock bits on the other blocks?

I would need to set up the software to allow the lock bit to be set (it's hard-coded to NOT lock atm).

Of course, happy to hear from those that have tried it.

Last edited by mwalker (2019-06-19 12:03:44)

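Both of the last two posts come back to the page 0 block 0 configuration word: the cloners set its password-enable bit (and then a password in block 7), and the "master key" nibble that disables the test commands sits in its first four bits. The decoder/encoder below is an example added by the editor, not code from the thread or from the Proxmark3 project. The field positions are the editor's reading of the ATA5577 datasheet, in its MSB-first numbering (bit 1 = MSB, bit 32 = LSB); the master key value 6 is the one the post above quotes. The sample word 0x00148040 is a constructed EM410x-style configuration (RF/64, Manchester, max block 2, password off).

```python
"""Decode and edit the T5577 page 0 block 0 configuration word.
Editor-added example, not code from the thread. Bit numbering follows the
datasheet convention used in the discussion: bit 1 is the MSB of the 32-bit
word and bit 32 the LSB."""

BIT_RATE = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
            4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATION = {0: "Direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1", 5: "FSK2",
              6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase", 24: "Diphase"}
TEST_MODE_DISABLED_KEY = 6   # master key value that disables the test commands

# Constructed sample: EM410x-style config, RF/64, Manchester, max block 2, no password.
EM410X_CONFIG = 0x00148040


def field(word, first, last):
    """Bits first..last of word in datasheet numbering (1 = MSB, 32 = LSB)."""
    width = last - first + 1
    return (word >> (32 - last)) & ((1 << width) - 1)


def with_field(word, first, last, value):
    """Return word with datasheet bits first..last replaced by value."""
    width = last - first + 1
    mask = ((1 << width) - 1) << (32 - last)
    return (word & ~mask & 0xFFFFFFFF) | ((value << (32 - last)) & mask)


def decode_block0(word):
    """Pull out the fields the thread cares about (plus the ones needed to
    recognise what kind of tag the config describes)."""
    return {
        "master_key": field(word, 1, 4),
        "test_mode_disabled": field(word, 1, 4) == TEST_MODE_DISABLED_KEY,
        "bit_rate": BIT_RATE[field(word, 12, 14)],
        "modulation": MODULATION.get(field(word, 16, 20), "reserved"),
        "max_block": field(word, 25, 27),
        "pwd": bool(field(word, 28, 28)),      # password-enable bit
        "st": bool(field(word, 29, 29)),       # sequence terminator
    }


def enable_password(word):
    """What the cloners do to block 0: set the PWD bit so block 7 is required."""
    return with_field(word, 28, 28, 1)


def set_master_key(word, key):
    """Write the master key nibble; 6 disables the page 0 test commands."""
    return with_field(word, 1, 4, key)


if __name__ == "__main__":
    for label, word in [("fresh tag", EM410X_CONFIG),
                        ("after cloner", enable_password(EM410X_CONFIG)),
                        ("test mode off", set_master_key(enable_password(EM410X_CONFIG), 6))]:
        print(f"{label:14s} {word:08X} {decode_block0(word)}")
```

The numbering trap is the point of field(): bit 28 in the datasheet is value 0x10 in the word, so a cloned tag's block 0 reads 0x00148050 rather than 0x00148040, and a tag with the master key set to 6 starts with a 6 nibble (0x60148050). Checking those two fields after a dump tells you whether a cloner has password-protected the tag and whether the test write commands are still available to you.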
