Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2014-04-06 06:09:17

daemon
Contributor
Registered: 2014-04-03
Posts: 11

T5557 issues (multitags)

I've been experimenting with some tags. I have successfully cloned an HID card to a tag (although I'm not sure what type of tag it is...I think T5xx7 but it shouldn't matter). Anyhow, I have about 20 T5557 tags and have been trying to do anything with them...read/write, etc. I'm having some really strange issues. I did a EM410xwatch and my antenna wouldn't pick anything up but once in a while it would pick up random items (depending on how I moved the tag(s)):

Auto-detected clock rate: 65535         
#db# buffer samples: 00 00 00 00 00 00 0e 30 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 118         
#db# buffer samples: 00 00 00 00 00 00 00 06 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 30         
#db# buffer samples: fc c0 80 e7 bc d0 c0 4e ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 3         
#db# buffer samples: 00 00 00 00 00 00 00 00 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 2         
#db# buffer samples: 8c 90 50 84 58 5c 78 b8 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 94         
#db# buffer samples: 40 48 50 70 30 32 d8 40 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 15         
#db# buffer samples: f0 7a 7d 7d 00 6c 78 77 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 20         
#db# buffer samples: c8 72 90 e0 c0 c8 80 c0 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 2         
#db# buffer samples: 80 70 60 40 c8 f0 73 76 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 221         
#db# buffer samples: 38 30 98 98 60 34 7e dc ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 1562         
#db# buffer samples: 90 38 a7 58 a0 b4 b5 40 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 192         
#db# buffer samples: fc 6d c0 40 40 48 80 70 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 64         
#db# buffer samples: 70 08 08 00 bd 8a a0 a0 ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 2355         
#db# buffer samples: 78 68 64 42 61 60 60 7e ...                 
Reading 16000 samples
Done!
Auto-detected clock rate: 28         
#db# buffer samples: e2 68 62 c0 e0 71 62 c0 ...                 
Reading 16000 samples
Done!

I started the cut and paste with the clock rate of 65535  because that's usually what I get when I try to figure out the clock rate. I have done hw tune and my voltage seems really low to me. Is this normal:

proxmark3> # LF antenna: 17.59 V @   125.00 kHz         
proxmark3> # LF antenna: 13.96 V @   134.00 kHz         
proxmark3> # LF optimal: 22.02 V @   127.66 kHz         

I'm wondering if that could be the reason why this isn't working well. I can read and write some other types of tags with no problem though so I don't know.

I can get a pretty consistent data plot also:

ocg7.png

Does anyone have any ideas? I'm pulling my hair out on this and starting to think I have something wrong on my end.

Offline

#2 2014-04-06 07:13:43

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: T5557 issues (multitags)

Yes, your antenna voltage is not very good, this can be the reason why as you suggested.

Offline

#3 2014-04-06 07:31:38

daemon
Contributor
Registered: 2014-04-03
Posts: 11

Re: T5557 issues (multitags)

Hi asper, thanks for the reply. I'm using a manufactured PCB antenna - do you think there's anything I can do to increase voltage or do I have to try to make my own/purchase another one? :S

Offline

#4 2014-04-06 08:01:23

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: T5557 issues (multitags)

Probably with an hand-made one you will find a much better performance. Build it with a 0.1mm enamelled copper wire. Have a look at this for more details.

Offline

#5 2014-04-06 08:43:02

daemon
Contributor
Registered: 2014-04-03
Posts: 11

Re: T5557 issues (multitags)

Great resource, thanks for the link! I will try something out and see if I get better (or any) performance out of the T5557 tags.

Offline

#6 2014-04-09 06:29:22

daemon
Contributor
Registered: 2014-04-03
Posts: 11

Re: T5557 issues (multitags)

Well I made my own antenna and it seems to be working pretty well so far. I got results like this:

proxmark3> # LF antenna: 25.65 V @   125.00 kHz         
proxmark3> # LF antenna: 42.16 V @   134.00 kHz         
proxmark3> # LF optimal: 42.03 V @   129.03 kHz         
proxmark3> # HF antenna:  0.16 V @    13.56 MHz         
proxmark3> # Your HF antenna is unusable.   

Only problem is, that I still can't seem to do anything with my T5557 tags...well nothing that I can see with my PM3 anyway. Other tags seem to work so it's either something that I'm doing or it's something with these particular tags (although what are the chances that 20 tags are bad?).

I try to write words and read them back using the T55x7 commands in PM3...they don't seem to do anything (that I can see anyway)...I get feedback like this:

proxmark3> lf t55xx readblock 1
Reading block 1         
proxmark3>
proxmark3> #db# DONE!                 
proxmark3> lf t55xx readblock 5
Reading block 5         
proxmark3>
proxmark3> #db# DONE!

Something interesting that I get when I plot two different T5557 tags is the difference. One of these tags I haven't used, the other I was messing around with the PM3...so maybe it's working but I'm not getting any feedback. What are some basic things that I should be able to do with T5557s? I would think read/write words would be simple...

Tag 1 (default tag, untouched):
icidex.jpg


Tag 2 (the one I messed around with PM3)
35jfjv7.jpg



Any ideas?

Offline

#7 2014-04-09 07:03:55

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: T5557 issues (multitags)

Due to the different encoding schemes posible the readblock command do not try to decode the data read. It simply puts it into de buffer, so you can plot it and use decoding commands after that.
If you want to tests your T55x7 cards try out the 'lf hid clone' and lf hid fskdemod' commands.

Offline

#8 2014-04-09 07:16:28

daemon
Contributor
Registered: 2014-04-03
Posts: 11

Re: T5557 issues (multitags)

ok great, thanks a lot Cex, I will give this a shot.

Offline

#9 2014-04-10 02:06:37

daemon
Contributor
Registered: 2014-04-03
Posts: 11

Re: T5557 issues (multitags)

Ok, so to update you guys; the "tag 1" from above appears to be a damaged tag that I can not program or read. One of my default T5557 tags look similar to "tag 2" (depending on it's programming history of course). That should alleviate some of the confusion.

One question that I have for anyone who knows their T5557 (which I haven't seen answered in the other T55x7 threads) is; once you program a T55x7 to emulate/sim a different tag, how do you determine that it's a T55x7?

Offline

#10 2014-04-10 07:00:43

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: T5557 issues (multitags)

For what i know you can't except trying to put it back in its programmable configuration: if it revert back it is a t55x7.

Offline

#11 2014-04-10 17:04:01

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: T5557 issues (multitags)

a T55x7 chip will still respond to a block read command with the contents of that block as long as security isn't enabled.  the trick is it will respond in whatever output modulation it is currently configured in.  so it can be difficult for a reader to correctly perform this read without knowing first what mode the chip is in.  currently I do not know how to accomplish this on the proxmark but I use another reader to test a block read and read the serial number blocks of the chip to identify it.

I'm sure it is possible to write a module for the proxmark to accomplish this, but it doesn't exist today.  (you might be able to try a block read and then ?graph the output? to manually decode - anyone else?)

Last edited by marshmellow (2014-04-10 17:07:58)

Offline

#12 2014-04-10 20:10:33

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: T5557 issues (multitags)

For what i know the method to put a t55x7 in its own mode is to send a very quick command before it starts the simulating routine (written on the datasheet) but this way it will remain in its own mode until you specify to turn it back into one of the possible emulation mode.

Offline

#13 2014-04-10 21:10:12

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: T5557 issues (multitags)

I wasn't going to go "That" far. wink

Offline

#14 2014-09-05 13:42:06

diaconom
Contributor
Registered: 2014-08-31
Posts: 16

Re: T5557 issues (multitags)

->For what i know the method to put a t55x7 in its own mode is to send a very quick command before it starts the simulating routine

Has anyone tried this? I would love to get this to work as I have a number of t5557 tags which have been set to EM4100 emulation with one of the readily available HID hand cloners but I need get them back to default emulation.

Any help appreciated.


Owner: ProxMark3, P1D urfid, Handheld RFID Writer

Offline

#15 2014-09-05 21:08:06

diaconom
Contributor
Registered: 2014-08-31
Posts: 16

Re: T5557 issues (multitags)

I answered my own question in another post on this board http://www.proxmark.org/forum/viewtopic.php?pid=12158#p12158

Offline

#16 2014-10-08 20:59:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: T5557 issues (multitags)

Late reply:

but,  daemon,  your tag #1 looks like a FSK modulated config and tag #2 a manchester modulated.

You should be able to see the contents of your t55x7 tag with the recent changes I made.

Offline

Board footer

Powered by FluxBB