Proxmark3 community


#1 2020-06-28 22:23:12

underlive
Contributor
Registered: 2020-06-23
Posts: 7

Bricked tag writing with different offset, how to unbrick it?

I've bricked two tags.

Now, I may know some of the reasons.

Original tag to clone has this offset when detected:

[usb] pm3 --> lf t55 detect
Block0         : 0x00088048
[usb] pm3 --> lf t55 detect
[=]      Chip Type      : T55x7
[=]      Modulation     : ASK
[=]      Bit Rate       : 2 - RF/32
[=]      Inverted       : No
[=]      Offset         : 31
[=]      Seq. Term.     : Yes
[=]      Block0         : 0x00088048
[=]      Downlink Mode  : default/fixed bit length
[=]      Password Set   : No

In the destination tag the only difference is the offset, which is 32.

This is exactly the way I broke it.

1.- I first made a dump from the "original" tag:

[usb] pm3 --> lf t55 dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00088048 | 00000000000010001000000001001000 | ...H
[+]  01 | 2203206E | 00100010000000110010000001101110 | ". n
[+]  02 | 4AD019CE | 01001010110100000001100111001110 | J...
[+]  03 | 4D243AF1 | 01001101001001000011101011110001 | M$:.
[+]  04 | 521B67C8 | 01010010000110110110011111001000 | R.g.
[+]  05 | 12345678 | 00010010001101000101011001111000 | .4Vx
[+]  06 | 386FAACF | 00111000011011111010101011001111 | 8o..
[+]  07 | 69919EA9 | 01101001100100011001111010101001 | i...
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00088048 | 00000000000010001000000001001000 | ...H
[+]  01 | F00A80AB | 11110000000010101000000010101011 | ....
[+]  02 | 285C8E23 | 00101000010111001000111000100011 | (\.#
[+]  03 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+] saved to json file lf-t55xx-2203206E-4AD019CE-4D243AF1-521B67C8-12345678-386FAACF-69919EA9-dump.json
[+] saved 12 blocks to text file lf-t55xx-2203206E-4AD019CE-4D243AF1-521B67C8-12345678-386FAACF-69919EA9-dump.eml
[+] saved 48 bytes to binary file lf-t55xx-2203206E-4AD019CE-4D243AF1-521B67C8-12345678-386FAACF-69919EA9-dump.bin

[=] Default configation block 000880E0

2.- Then, I set the "destination" tag and wiped it.

3.- Finally, I "restored" the info from the original tag into the now "bricked" tag:

[usb] pm3 --> lf t55 restore f lf-t55xx-2203206E-4AD019CE-4D243AF1-521B67C8-12345678-386FAACF-69919EA9-dump.bin
[+] loaded 48 bytes from binary file lf-t55xx-2203206E-4AD019CE-4D243AF1-521B67C8-12345678-386FAACF-69919EA9-dump.bin
[=] Writing page 0  block: 01  data: 0x2203206E
[=] Writing page 0  block: 02  data: 0x4AD019CE
[=] Writing page 0  block: 03  data: 0x4D243AF1
[=] Writing page 0  block: 04  data: 0x521B67C8
[=] Writing page 0  block: 05  data: 0x12345678
[=] Writing page 0  block: 06  data: 0x386FAACF
[=] Writing page 0  block: 07  data: 0x69919EA9
[=] Writing page 1  block: 01  data: 0xF00A80AB
[=] Writing page 1  block: 02  data: 0x285C8E23
[=] Writing page 1  block: 03  data: 0xFFFFFFFF
[=] Writing page 0  block: 00  data: 0x00088048

In one of the "bricked" tags I sent 'lf t55xx detect' before, and wrote the blocks one by one, like this:

[usb] pm3 --> lf t55 write b 0 d 00088048
[=] Writing page 0  block: 00  data: 0x00088048
[usb] pm3 --> lf t55 write b 1 d 2203206E
[=] Writing page 0  block: 01  data: 0x2203206E
[usb] pm3 --> lf t55 write b 2 d 4AD019CE
[=] Writing page 0  block: 02  data: 0x4AD019CE
[usb] pm3 --> lf t55 write b 3 d 4D243AF1
[=] Writing page 0  block: 03  data: 0x4D243AF1
[usb] pm3 --> lf t55 write b 4 d 521B67C8
[=] Writing page 0  block: 04  data: 0x521B67C8
[usb] pm3 --> lf t55 write b 5 d 12345678
[=] Writing page 0  block: 05  data: 0x12345678
[usb] pm3 --> lf t55 write b 6 d 386FAACF
[=] Writing page 0  block: 06  data: 0x386FAACF
[usb] pm3 --> lf t55 write b 7 d 69919EA9
[=] Writing page 0  block: 07  data: 0x69919EA9
[usb] pm3 --> lf t55 write b 0 d 00088048 1
[=] Writing page 1  block: 00  data: 0x00088048
[usb] pm3 --> lf t55 write b 1 d F00A80AB 1
[=] Writing page 1  block: 01  data: 0xF00A80AB
[usb] pm3 --> lf t55 write b 2 d 285C8E23 1
[=] Writing page 1  block: 02  data: 0x285C8E23
[usb] pm3 --> lf t55 write b 3 d FFFFFFFF 1
[=] Writing page 1  block: 03  data: 0xFFFFFFFF

After that, dead:

[usb] pm3 --> lf t55 detect
[!] ⚠️  Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'


I've also found two more things:
1.- I can dump data from the tag. Data information changes depending on offset. If offset is set at 31 ('lf t55xx config o 31'), I get this:
"25680CE7" in brickedtagwhite and '4AD019CE' in brickedtagred.

If set to 32 ('lf t55xx config o 32'), I get this:
"4AD019CE" in brickedtagwhite and '95A0339C' in brickedtagred.

I guess that is because I bricked brickedtagwhite when the offset was set to 31, and brickedtagred after doing a detect, and therefore when the offset was set to 32.

[usb] pm3 --> lf t55 dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+]  01 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+]  02 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+]  03 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+]  04 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+]  05 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+]  06 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+]  07 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+]  01 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+]  02 | 95A0339C | 10010101101000000011001110011100 | ..3.
[+]  03 | 95A0339C | 10010101101000000011001110011100 | ..3.



2.- Using the "u" for unknown tags I get this:

[usb] pm3 --> lf search u
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] ⛔ No known 125/134 kHz tags found!

[=] Checking for unknown tags:

[-] ⛔ no repeating pattern found, try increasing window size
[=] Possible auto correlation of 7168 repeating samples
[=] Possible 896 bytes
01111011010011001000110011110101
01001001000100000001100100000011
01110010010101101000000011001110
01110010011010010010000111010111
10001010100100001101101100111110
01000000100100011010001010110011
11000001110000110111110101010110
01111011010011001000110011110101
01001001000100000001100100000011
01110010010101101000000011001110
01110010011010010010000111010111
10001010100100001101101100111110
01000000100100011010001010110011
11000001110000110111110101010110
01111011010011001000110011110101
01001001000100000001100100000011

Unknown ASK Modulated and Manchester encoded Tag found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'

(and slightly different in the other bricked tag)


However, I find no way to restore it.

I've tried wiping, and these commands among others:

lf t55xx write b 0 d 00088040

lf t55xx write b 0 d 00088040 p 00000000

lf t55xx write b 0 d 00088040 p ffffffff


But nothing... Could anyone help me here?

Last edited by underlive (2020-06-28 23:27:51)
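
Added example, not part of the original post and not Proxmark3 code: a small Python check that decodes the block 0 values quoted above and tests whether two 32-bit reads are the same bitstream seen at different offsets. The field positions are an assumption taken from the T55x7 basic-mode configuration layout; the function names are hypothetical.

```python
# Added illustration. Bit positions follow the T55x7 basic-mode block 0
# layout (bit 1 = MSB); treat the layout as an assumption, not client code.
BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {0x00: "Direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
               0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
               0x08: "ASK/Manchester", 0x10: "Biphase"}


def field(word, first_bit, width):
    """Extract `width` bits starting at datasheet bit `first_bit` (1 = MSB)."""
    return (word >> (32 - first_bit - width + 1)) & ((1 << width) - 1)


def decode_block0(word):
    """Decode the configuration fields that 'lf t55 detect' reports."""
    return {
        "master_key": field(word, 1, 4),
        "bit_rate": BIT_RATES[field(word, 12, 3)],
        "modulation": MODULATIONS.get(field(word, 16, 5), "unknown"),
        "max_block": field(word, 25, 3),
        "password": bool(field(word, 28, 1)),
        "seq_terminator": bool(field(word, 29, 1)),
    }


def bit_shift_between(a, b, max_shift=3):
    """Return s if read `b` matches read `a` taken s bits later in the same
    stream (negative s = earlier), or None if no alignment fits."""
    if a == b:
        return 0
    for s in range(1, max_shift + 1):
        keep = (1 << (32 - s)) - 1          # bits the two windows share
        if (b >> s) == (a & keep):          # b starts s bits after a
            return s
        if (a >> s) == (b & keep):          # b starts s bits before a
            return -s
    return None


if __name__ == "__main__":
    # Values copied from the post: original config, the config used in the
    # recovery attempts, and the default config printed by the dump.
    for cfg in (0x00088048, 0x00088040, 0x000880E0):
        print(f"{cfg:08X}", decode_block0(cfg))
    # Block 2 of the original dump versus the values read from the bricked tags.
    for read in (0x25680CE7, 0x95A0339C):
        print(f"{read:08X} vs 4AD019CE: shift {bit_shift_between(0x4AD019CE, read)}")
```

On the values in the post, 25680CE7 and 95A0339C both align with block 2 of the original dump (4AD019CE) at one bit earlier and one bit later respectively, and 00088040 differs from 00088048 only in the sequence terminator bit.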
