Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-11-25 14:32:28

ccdfun
Contributor
Registered: 2017-11-23
Posts: 5

T5577 clone from Pyramid

HW: PM3 Easy
Own key: T5577 identified as a Pyramid ID
Objective: Clone to another T5577

 proxmark3> lf search
#db# Sampling config:                  
#db#   [q] divisor:           95                  
#db#   [b] bps:               8                  
#db#   [d] decimation:        1                  
#db#   [a] averaging:         1                  
#db#   [t] trigger threshold: 0                  
#db# Done, saved 30000 out of 30000 seen samples at 8 bits/sample                 
#db# buffer samples: 72 39 07 37 94 d2 fc b5 ...                 
Reading 20000 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
Pyramid ID Found - BitLength: 26, FC: 35, Card: 2034 - Wiegand: 2460fe5, Raw: 000101010101010101010164313ecb04          
Checksum 04 passed          

Valid Pyramid ID Found!          

----------------
proxmark3> lf t55xx detect
Modulation : FSK2a          
Bit Rate   : 4 - RF/50          
Inverted   : Yes          
Offset     : 0          
Block0     : 0x00107080          

-----------------
          
proxmark3> lf t55xx dump
0x00107080  00000000000100000111000010000000 [0]          
0x00010101  00000000000000010000000100000001 [1]          
0x01010101  00000001000000010000000100000001 [2]          
0x01010164  00000001000000010000000101100100 [3]          
0x310E5DE5  00110001000011100101110111100101 [4]          
0x00000000  00000000000000000000000000000000 [5]          
0x00000000  00000000000000000000000000000000 [6]          
0x00000000  00000000000000000000000000000000 [7]

I tried the following:
1) write to a new t5577 tag manually using the WriteBlock command in PM windows client block by block (i.e. from 0 - 7) with the same HEX code from own key. Verified result on the new t5577 tag and all the data seem identical.
2) write to an old t5577 tag (used) using the WriteBlock command as 1), however the data on the 2nd t5577 tag never change, across all blocks.

Would love to check (a) if what i did in (1) was the best way to clone a t5577. if not, how can i improve efficiencies. (b) Is the reason I couldnt re-write the t5577 tag because it's brick? Can I reset the fob data so i can re-use the tag again? (c) In general, are t5577 fobs re-programmable?

PS: Below is what I see for the old t5577 tag.

proxmark3> lf search
#db# Sampling config:                  
#db#   [q] divisor:           95                  
#db#   [b] bps:               8                  
#db#   [d] decimation:        1                  
#db#   [a] averaging:         1                  
#db#   [t] trigger threshold: 0                  
#db# Done, saved 30000 out of 30000 seen samples at 8 bits/sample                 
#db# buffer samples: 00 4b b0 f1 ff d1 91 58 ...                 
Reading 20000 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
NOTE: some demods output possible binary
  if it finds something that looks like a tag          
False Positives ARE possible
          

Checking for known tags:
          
Pyramid ID Found - BitLength: 26, FC: 35, Card: 471 - Wiegand: 24603ae, Raw: 000101010101010101010164310e5de5          
Checksum e5 passed          

Valid Pyramid ID Found!          

proxmark3> lf t55xx detect
Modulation : FSK2a          
Bit Rate   : 4 - RF/50          
Inverted   : Yes          
Offset     : 33          
Block0     : 0x80107080          
          
proxmark3> lf t55xx dump
0x40083840  01000000000010000011100001000000 [0]          
0x50010808  01010000000000010000100000001000 [1]          
0x01010101  00000001000000010000000100000001 [2]          
0x01010164  00000001000000010000000101100100 [3]          
0x8627D968  10000110001001111101100101101000 [4]          
0x00000000  00000000000000000000000000000000 [5]          
0x00000000  00000000000000000000000000000000 [6]          
0x00000000  00000000000000000000000000000000 [7]    

Thank you all heaps!

Last edited by ccdfun (2017-11-28 06:04:18)

Offline

#2 2018-05-07 18:11:07

hkplus
Contributor
Registered: 2015-01-07
Posts: 127

Re: T5577 clone from Pyramid

In your data output the last block differs from the first card, so that is why it's not reading on the reader.  Yes all AT5577 can be re-written.  You can prevent this by using a password on the chip though...

Last edited by hkplus (2018-05-07 18:11:25)

Offline

Board footer

Powered by FluxBB