Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2019-02-06 13:32:02

danv
Contributor
Registered: 2019-02-05
Posts: 13

Possible T55xx Tag & Chinese Cloner

Hi everyone,

I have a question regarding some possible T55xx tags that came with a Chinese cloner I bought from AliExpress. I initially noted I could not use these tags with the proxmark, because I was unable to write into them as usual using the

 lf em 410xwrite 

command.

chinese-cloner.jpg

Reading through this forum I became aware that this infamous cloner sets a password on cloned tags. Since I tried all the passwords I could find with the

 lf t55xx bruteforce 

command with no success, I thought that maybe this cloner uses a different password. I set out to find this password, and as it turns out it is: 0x51243648

blue-chinese-reader-from-trace-2-Kopie.png

Currently, I have following questions:

1) How can I configure the proxmark to read a T55xx tag when lf t55xx detect is unable to identify the tag's configuration (modulation, offset, rate)?
2) Why does lf t55xx bruteforce fail to identify the password even though it is in default_pwd.dic?
3) Can block 0 (containing the configuration) still be read even though it is password protected?
4) Is it possible that my tag is actually not a T55xx at all?

Any help would be greatly appreciated. Please let me know what other information I should provide. I'm new to this community.

Thanks!




#2 2019-02-07 12:53:55

danv
Contributor
Registered: 2019-02-05
Posts: 13

Re: Possible T55xx Tag & Chinese Cloner

Hi again,

I decoded the payload sent by the blue cloner (data for block #0) and was able to determine (I think; not entirely confident) the tag's configuration. Nevertheless, I'm still unable to correctly read the contents. Could anyone help me out?


Scope capture for configuration block:
Chinese-cloner-trace-5-block-0-decoded.jpg
Data Bit Rate: 64 cycles/bit
Modulation: Manchester
Password: 1
ST: 0
Fast Write: 0
Invert: 0
POR: 0

proxmark3> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'     
proxmark3> lf t55x config
Chip Type  : T55x7          
Modulation : ASK          
Bit Rate   : 5 - RF/64          
Inverted   : No          
Offset     : 0          
Seq. Term. : No          
Block0     : 0x00000000
proxmark3> lf t55x read b 0 p 51243648 o
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
Safety Check Overriden - proceeding despite risk          
  0 | 7FD94000 | 01111111110110010100000000000000     

I would expect to see 0x00148050. I've tried with different offsets, with no success.

proxmark3> hw tune l

Measuring antenna characteristics, please wait........          
# LF antenna: 34.65 V @   125.00 kHz          
# LF antenna: 31.49 V @   134.00 kHz          
# LF optimal: 35.89 V @   127.66 kHz          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
proxmark3> hw version
Prox/RFID mark3 RFID instrument          
bootrom: master/v3.1.0-53-ga9104f7-suspect 2019-01-30 20:13:07
os: master/v3.1.0-53-ga9104f7-suspect 2019-01-30 20:13:08
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/11/28 at 08:33:11
SmartCard Slot: not available
          
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 202493 bytes (39). Free: 321795 bytes (61).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory      

Last edited by danv (2019-02-07 12:56:40)




#3 2019-02-07 18:26:48

anybody
Contributor
Registered: 2016-12-20
Posts: 22

Re: Possible T55xx Tag & Chinese Cloner

It is possible that your Chinese cloner can write EM4305 and your tag is... not T55xx.

Offline

#4 2019-02-07 21:11:09

danv
Contributor
Registered: 2019-02-05
Posts: 13

Re: Possible T55xx Tag & Chinese Cloner

Hi @anybody,

Thank you for your suggestion. I had indeed tried out the em4305 commands with no success. My two main reasons for suspecting it is not an EM4305 tag are: the payload sent by the reader matches surprisingly well the programming protocol of a T55xx tag described in the datasheet. Second, according to the EM4305 datasheet, blocks 0 and 1 are not read protected. When I tried to read them, I just got a failed message.

Have you ever captured the blue cloner's programming sequence? I'm curious to compare.

proxmark3> lf em 4x05dump 51243648
Read Address 00 | failed          
Read Address 01 | failed          
 PWD Address 02 | 51243648          
Read Address 03 | failed          
Read Address 04 | failed          
Read Address 05 | failed          
Read Address 06 | failed          
Read Address 07 | failed          
Read Address 08 | failed          
Read Address 09 | failed          
Read Address 10 | failed          
Read Address 11 | failed          
Read Address 12 | failed          
Read Address 13 | failed          
Read Address 14 | failed          
Read Address 15 | failed   
proxmark3> lf em 4x05dump
Read Address 00 | failed          
Read Address 01 | failed          
 PWD Address 02 | cannot read          
Read Address 03 | failed          
Read Address 04 | failed          
Read Address 05 | failed          
Read Address 06 | failed          
Read Address 07 | failed          
Read Address 08 | failed          
Read Address 09 | failed          
Read Address 10 | failed          
Read Address 11 | failed          
Read Address 12 | failed          
Read Address 13 | failed          
Read Address 14 | failed          
Read Address 15 | failed     



#5 2019-02-11 21:32:41

danv
Contributor
Registered: 2019-02-05
Posts: 13

Re: Possible T55xx Tag & Chinese Cloner

Just wanted to update this thread with some progress I made.

I finally took the time to decode every single pulse train / writing sequence the "blue cloner" transmits. In essence, my cloner transmits a total of 14 pulse trains separated by periods in which the antenna is left "on", oscillating at 125kHz (there is probably a name for this, not really sure what to call it). This period is required by the tag to finish programming after a write sequence is transmitted. Roughly the first half of the sequences assume the tag is protected and can be accessed with the password 0x51243648. The other half attempts to write the tag using normal no-password commands. The ID being written is 0x6A0016E5AB.
Pulse 1 is a bit special, as it uses leading-zero reference protocol.

(Only for sequence 1) [Reference Zero] [Op Code] [00] [Password 1-32] [Lock Bit] [Data 1-32] [Addr 2-0]
Seq #1: [0] [11] [00] [pwd: 0101 0001 0010 0100 0011 0110 0100 1000] [0] [32 0s] [011]


Seq#: [Op Code] [Password 1-32] [Lock Bit] [Data 1-32] [Addr 2-0]
Seq #2: [10] [pwd ...] [0] [pwd ...] [111]
Seq #3: [10] [pwd ...] [0] [pwd ...] [111] (Block #7 is written two times with the password.)
Seq #4: [10] [pwd ...] [0] [0000 0000 0001 0100 1000 0000 0101 0000] [000]
Seq #5: [10] [pwd ...] [0] [1111 1111 1011 0010 1000 0000 0000 0000] [001]
Seq #6: [11] [pwd ...] [0] [1111 1111 1011 0010 1000 0000 0000 0000] [001]
Seq #7: [10] [pwd ...] [0] [1101 1001 1101 0101 0101 0010 1110 0010] [010]
Seq #8: [11] [pwd ...] [0] [1101 1001 1101 0101 0101 0010 1110 0010] [010]
(Writing into block 1 & 2 in page 1 the same payload as in page 0. I'm not certain if this actually overwrites the traceability data.)
Seq #9: [11] [pwd ...] [0] [0110 00000000 0000 0000 1000 0000 0000] [011]
(Enabling analog front-end by setting Option Key=0x6 and setting leading-zero reference protocol).

Seq #10: [000] (A reset command with leading zero reference.)

The next sequences attempt to write the tag without using a password
Seq#: [Op Code] [0] [Data 1-32] [Addr 2-0]
Seq #11: [10] [0] [0000 0000 0001 0100 1000 0000 0100 0000] [000]
Seq #12: [10] [0] [1111 1111 1011 0010 1000 0000 0000 0000] [001]
Seq #13: [10] [0] [1101 1001 1101 0101 0101 0010 1110 0010] [010]

Seq #14: [00] (Simple reset op code.)

It seems that by enabling the leading-zero reference protocol the cloner "soft-bricks" the tag; that is, with the latest public firmware, it is not possible to change the settings of block 3 page 1. I modified the write command on the proxmark to accept a 'z' argument and send the required reference and padding zeros.

Part of the T55xxWriteBlockExt function:

void T55xxWriteBlockExt(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
    LED_A_ON();
    bool PwdMode     = arg & 0x1;        // bit 0: send the 32-bit password
    uint8_t Page     = (arg & 0x2) >> 1; // bit 1: page select (opcode 10 = page 0, 11 = page 1)
    bool testMode    = arg & 0x4;        // bit 2: use the test-mode opcode 01
    bool leadingZero = arg & 0x8;        // bit 3: leading-zero reference protocol (the added 'z' argument)
    uint32_t i = 0;

    // Set up FPGA, 125kHz
    LFSetupFPGAForADC(95, true);
    StartTicks();
    // make sure tag is fully powered up...
    WaitMS(5);
    // Trigger T55x7 in mode.
    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
    WaitUS(START_GAP);
    // Send "zero" reference pulse
    if (leadingZero) {
        T55xxWriteBit(0);
    }
    if (testMode) Dbprintf("TestMODE");
    // Std Opcode 10
    T55xxWriteBit(testMode ? 0 : 1);
    T55xxWriteBit(testMode ? 1 : Page); // Page 0
    // Send padding zeros (only in password mode under leading-zero reference)
    if (PwdMode && leadingZero) {
        T55xxWriteBit(0);
        T55xxWriteBit(0);
    }
    if (PwdMode) {
        // Send Pwd, MSB first
        for (i = 0x80000000; i != 0; i >>= 1)
            T55xxWriteBit(Pwd & i);
    }
    // Send Lock bit
    T55xxWriteBit(0);
    ...

My first attempt to rewrite the analog front-end settings produced no change on the tag. At this point, I thought it was easier to capture the proxmark writing sequence with an oscilloscope rather than debugging the proxmark using JTAG etc...

proxmark-write-capture.jpg

Except for a few differences in gap lengths, the proxmark emulates the cloner's first sequence. Yet, the contents of block 3 page 1 seem to remain unchanged.

I'm stuck again.

Any comments or insights would be greatly appreciated.

Last edited by danv (2019-02-11 21:48:49)



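The frame layouts listed in the post above ([Op Code][Password 1-32][Lock Bit][Data 1-32][Addr 2-0], the leading-zero variant of Seq #1, and the two-bit reset) are enough to write a small offline decoder for captured downlink frames. The following is an added example, not code from the thread or from the proxmark project; it takes the bit strings exactly as the post prints them and recovers page, block, password and data. The sample frames SEQ1, SEQ4, SEQ9 and SEQ11 are constructed from the post's listing; the test-mode opcode 01 is recognised but not decoded, because the thread does not document its field layout.

```python
"""Decoder/encoder for the T55x7 downlink write frames as laid out in the post.

Frame layouts (MSB first), taken from the post:
  reset            : [00]                                         2 bits
                     [000] under leading-zero reference           3 bits
  plain write      : [1p][lock][data 1-32][addr 2-0]             38 bits
  password write   : [1p][pwd 1-32][lock][data 1-32][addr 2-0]   70 bits
  leading-zero pwd : [0][1p][00][pwd 1-32][lock][data 1-32][addr 2-0]  73 bits
p is the page bit (opcode 10 = page 0, 11 = page 1); opcode 01 is test mode,
whose layout the thread does not document, so it is only flagged here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLONER_PWD = 0x51243648  # password recovered from the cloner trace in the post


@dataclass
class Frame:
    kind: str                      # "reset", "write" or "test"
    page: Optional[int] = None
    block: Optional[int] = None
    data: Optional[int] = None
    pwd: Optional[int] = None
    lock: Optional[int] = None
    leading_zero: bool = False
    raw: str = ""


def _bits(value: int, width: int) -> str:
    return format(value, f"0{width}b")


def build_write(page: int, block: int, data: int, pwd: Optional[int] = None,
                lock: int = 0, leading_zero: bool = False) -> str:
    """Assemble a downlink write frame; the inverse of parse_frame."""
    op = "1" + str(page & 1)
    out = "0" + op if leading_zero else op          # reference zero first
    if pwd is not None:
        if leading_zero:
            out += "00"                                # padding zeros after the opcode
        out += _bits(pwd, 32)
    return out + str(lock & 1) + _bits(data, 32) + _bits(block & 7, 3)


def parse_frame(bits: str) -> Frame:
    """Parse one captured downlink frame given as a '0'/'1' string (spaces allowed)."""
    raw = "".join(bits.split())
    if not raw or set(raw) - {"0", "1"}:
        raise ValueError("frame must be a string of 0/1 characters")
    if raw in ("00", "000"):
        return Frame(kind="reset", leading_zero=(len(raw) == 3), raw=raw)

    body, leading_zero = raw, False
    if len(raw) in (39, 73) and raw[0] == "0":       # opcodes 1p never start with 0
        leading_zero = True
        body = raw[1:]                                # drop the reference zero
        if len(raw) == 73:
            if body[2:4] != "00":
                raise ValueError("leading-zero password frame lacks the padding zeros")
            body = body[:2] + body[4:]                # drop the padding zeros

    op, rest = body[:2], body[2:]
    if op == "01":
        return Frame(kind="test", leading_zero=leading_zero, raw=raw)
    if op[0] != "1":
        raise ValueError(f"unknown opcode {op}")
    page = int(op[1])

    pwd = None
    if len(rest) == 68:                               # 32-bit password precedes the lock bit
        pwd, rest = int(rest[:32], 2), rest[32:]
    if len(rest) != 36:
        raise ValueError(f"unexpected frame length {len(raw)}")
    return Frame("write", page=page, block=int(rest[33:], 2), data=int(rest[1:33], 2),
                 pwd=pwd, lock=int(rest[0]), leading_zero=leading_zero, raw=raw)


def replay(frames: List[str]) -> Dict[Tuple[int, int], int]:
    """Apply write frames in order; returns the last value sent per (page, block)."""
    mem: Dict[Tuple[int, int], int] = {}
    for f in map(parse_frame, frames):
        if f.kind == "write":
            mem[(f.page, f.block)] = f.data
    return mem


# Constructed from the post's listing of the cloner's sequences.
PWD_BITS = "0101 0001 0010 0100 0011 0110 0100 1000"
SEQ1 = "0 11 00 " + PWD_BITS + " 0 " + "0000 " * 8 + "011"                   # leading-zero, page 1 block 3
SEQ4 = "10 " + PWD_BITS + " 0 0000 0000 0001 0100 1000 0000 0101 0000 000"   # pwd write 0x00148050 -> blk 0
SEQ9 = "11 " + PWD_BITS + " 0 0110 0000 0000 0000 0000 1000 0000 0000 011"   # pwd write 0x60000800 -> p1 blk 3
SEQ11 = "10 0 0000 0000 0001 0100 1000 0000 0100 0000 000"                   # plain write 0x00148040 -> blk 0

if __name__ == "__main__":
    for name, seq in (("Seq #1", SEQ1), ("Seq #4", SEQ4), ("Seq #9", SEQ9),
                      ("Seq #11", SEQ11), ("Seq #14", "00")):
        f = parse_frame(seq)
        data = "-" if f.data is None else f"{f.data:08X}"
        print(f"{name}: {f.kind} page={f.page} block={f.block} data={data} "
              f"pwd={'yes' if f.pwd is not None else 'no'} leading_zero={f.leading_zero}")
```

replay() only records what the cloner sent; whether a given write is accepted by the tag (password-protected or not) is exactly the question the rest of the thread is chasing, so the decoder does not try to model that.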

#6 2019-02-12 13:17:58

anybody
Contributor
Registered: 2016-12-20
Posts: 22

Re: Possible T55xx Tag & Chinese Cloner


#7 2019-02-12 19:16:38

danv
Contributor
Registered: 2019-02-05
Posts: 13

Re: Possible T55xx Tag & Chinese Cloner

Hi @anybody,

At this point I feel I'm going in circles. I managed to get my hands on a brand new T5577. I used the cloner to copy the same UID (as in my previous entry) and was able to unlock it with a simple lf t55xx write b 0 d 001480E0 p 51243648.

 
proxmark3> lf t55xx write b 0 d 001480E0 p 51243648 
Writing page 0  block: 00  data: 0x001480E0 pwd: 0x51243648           
proxmark3> lf t55xx dump
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 001480E0 | 00000000000101001000000011100000          
  1 | FFB28000 | 11111111101100101000000000000000          
  2 | D9D552E2 | 11011001110101010101001011100010          
  3 | FFFFFFFF | 11111111111111111111111111111111          
  4 | FFFFFFFF | 11111111111111111111111111111111          
  5 | FFFFFFFF | 11111111111111111111111111111111          
  6 | FFFFFFFF | 11111111111111111111111111111111          
  7 | 51243648 | 01010001001001000011011001001000          
Reading Page 1:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 001480E0 | 00000000000101001000000011100000          
  1 | FFB28000 | 11111111101100101000000000000000          
  2 | D9D552E2 | 11011001110101010101001011100010          
  3 | 60000800 | 01100000000000000000100000000000  

This verified the decoded data of my last entry, except for the analog front end; not sure what is going on there. As I understand it, it should be in leading-zero protocol mode. I have no clue. My attempt to write the new block 0 data using leading-zero also failed.

This proves that the first tag I was using for testing (small blue key fob) is indeed not a T55xx tag.
IMG-2645.jpg
With this in mind, I took a longer capture of the cloner's write sequence with the oscilloscope. It turns out it sends more pulse trains after the ones I decoded. Probably to write an EM4305? One of the pulse trains seems to be 96 pulses long!
96-pulses.png

Can an EM4305 also produce an EM410x pattern?

@anybody, you were probably right! Thanks!

Last edited by danv (2019-02-12 19:52:17)



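The dump above (block 0 = 001480E0, block 1 = FFB28000, block 2 = D9D552E2) and the block-0 decode attempted in the second post (expected 0x00148050) can both be checked offline. The following is an added example, not code from the thread or from the proxmark project. Its block-0 field order is an assumption taken from what proxmark3's 'lf t55xx info' prints (safer key, reserved, data bit rate, X-mode, modulation, PSK clock, AOR, OTP, max block, password, sequence terminator, fast write, inverse data, POR delay); the EM410x layout (nine header ones, ten rows of four data bits plus even row parity, four column parity bits, a zero stop bit) is the standard one. Running it on the dump reproduces the ID 6A0016E5AB the cloner was asked to write.

```python
"""Decode a T5577 page-0 block-0 configuration word and the EM410x ID held in
blocks 1 and 2.

Block-0 field order (MSB first, 32 bits), as proxmark3's 'lf t55xx info'
prints it: safer key 4, reserved 7, data bit rate 3, X-mode 1, modulation 5,
PSK clock 2, AOR 1, OTP 1, max block 3, password 1, sequence terminator 1,
fast write 1, inverse data 1, POR delay 1.
EM410x (64 bits): 9 header ones, 10 rows of [4 data bits + even parity],
4 even column parity bits, one stop bit 0.
"""
from typing import Dict, Tuple

BITRATES = ("RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128")
MODULATIONS = {0: "DIRECT", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1", 5: "FSK2",
               6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase", 24: "Biphase a"}


def decode_block0(word: int) -> Dict[str, object]:
    """Split a 32-bit T5577 configuration word into its named fields."""
    bits = format(word & 0xFFFFFFFF, "032b")
    pos = 0

    def take(n: int) -> int:
        nonlocal pos
        val = int(bits[pos:pos + n], 2)
        pos += n
        return val

    cfg: Dict[str, object] = {}
    cfg["safer_key"] = take(4)
    cfg["reserved"] = take(7)
    cfg["bitrate"] = BITRATES[take(3)]
    cfg["xmode"] = bool(take(1))
    mod = take(5)
    cfg["modulation"] = MODULATIONS.get(mod, f"unknown({mod})")
    cfg["psk_cf"] = take(2)
    cfg["aor"] = bool(take(1))
    cfg["otp"] = bool(take(1))
    cfg["max_block"] = take(3)
    cfg["pwd"] = bool(take(1))
    cfg["st"] = bool(take(1))
    cfg["fast_write"] = bool(take(1))
    cfg["inverse"] = bool(take(1))
    cfg["por_delay"] = bool(take(1))
    return cfg


def decode_em410x(block1: int, block2: int) -> int:
    """Recover the 40-bit EM410x ID from blocks 1 and 2, checking every parity bit."""
    bits = format(block1 & 0xFFFFFFFF, "032b") + format(block2 & 0xFFFFFFFF, "032b")
    if bits[:9] != "1" * 9:
        raise ValueError("EM410x header (nine 1s) not found")
    nibbles = []
    for row in range(10):
        chunk = bits[9 + 5 * row: 14 + 5 * row]
        data, parity = chunk[:4], int(chunk[4])
        if data.count("1") % 2 != parity:
            raise ValueError(f"row {row} parity error")
        nibbles.append(int(data, 2))
    for col in range(4):                              # column parity bits 59..62
        ones = sum((n >> (3 - col)) & 1 for n in nibbles)
        if ones % 2 != int(bits[59 + col]):
            raise ValueError(f"column {col} parity error")
    if bits[63] != "0":
        raise ValueError("stop bit is not 0")
    return int("".join(f"{n:X}" for n in nibbles), 16)


def encode_em410x(uid: int) -> Tuple[int, int]:
    """Inverse of decode_em410x: build blocks 1 and 2 for a 40-bit ID."""
    nibbles = [(uid >> (4 * (9 - i))) & 0xF for i in range(10)]
    bits = "1" * 9
    for n in nibbles:
        d = format(n, "04b")
        bits += d + str(d.count("1") % 2)
    for col in range(4):
        bits += str(sum((n >> (3 - col)) & 1 for n in nibbles) % 2)
    bits += "0"
    return int(bits[:32], 2), int(bits[32:], 2)


if __name__ == "__main__":
    # Values from the dump in the post: block 0 = 001480E0, block 1 = FFB28000, block 2 = D9D552E2
    for key, val in decode_block0(0x001480E0).items():
        print(f"{key:>10}: {val}")
    print(f"EM410x ID: {decode_em410x(0xFFB28000, 0xD9D552E2):010X}")
```

Decoding 0x00148050 with the same function gives RF/64, Manchester, max block 2 and the password bit set, which is what the cloner writes in Seq #4; the 001480E0 written here differs only in max block (7) and the cleared password bit.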

#8 2019-02-13 06:40:42

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,260

Re: Possible T55xx Tag & Chinese Cloner

danv wrote:

Can an EM4305 also produce an EM410x pattern?

Yes it can.  You just need to configure it correctly.   

Now em4305 keyfobs can be especially difficult to communicate with on the pm3. A properly tuned and sized antenna is your friend.

I'm interested in why the pm3 write command looks like a fish when all the traces of the cloner are nice and square.  Is that a good capture?


#9 2019-02-13 16:14:50

anybody
Contributor
Registered: 2016-12-20
Posts: 22

Re: Possible T55xx Tag & Chinese Cloner

danv wrote:

With this in mind, I took a longer capture of the cloner's write sequence with the oscilloscope. It turns out it sends more pulse trains after the ones I decoded. Probably to write an EM4305? One of the pulse trains seems to be 96 pulses long!
https://postimg.cc/NKPJSJW8

@danv, it's not EM4305; most likely it's T55xx...
Can you attach another 3 long traces from your Chinese cloner (each must be 69 bits, starting with 01)?

Last edited by anybody (2019-02-13 19:59:02)


#10 2019-02-18 20:58:28

danv
Contributor
Registered: 2019-02-05
Posts: 13

Re: Possible T55xx Tag & Chinese Cloner

Hello @marshmellow & @anybody,

Sorry that it took me this long to reply.

Regarding the strange shape of the proxmark's read command: I think it was due to aliasing. I increased the sample rate to 2 MS/s and the trace now looks normal. See below:

Aliased trace:
Aliasing-500-ks-s.png

Non-aliased trace:
No-aliasing-2-Ms-s.png

@anybody: I surely would appreciate your help with these tags, although I'm not sure how they could be T55xx tags; they do not respond to any command. I just ordered some EM4305 from AliExpress to compare how they behave.

I uploaded traces as pictures. There are 3 folders, each containing a set of sequences; each set of sequences is separated by a 'long' period of the field being ON (not shown), that is, with no write data. Additionally I included the entire trace as a WAV file, viewable with Audacity. Folder A contains captures of T55xx write commands (the ones I showed in my earlier post). I have not managed to decode the sequences contained in folders B & C.

https://mega.nz/#F!QERlkIYa!HKpcNqRe0Ez3L4P82Z1Xlw

Thank you for your help!

Last edited by danv (2019-02-19 19:03:27)




#11 2019-02-19 16:50:49

anybody
Contributor
Registered: 2016-12-20
Posts: 22

Re: Possible T55xx Tag & Chinese Cloner

@danv, if you are ready to "break" one more tag t5577, then try the following:
1. Write some ID to the tag and set a password (not 51243648) using proxmark
2. Try to copy another ID (not from 1.) to this tag using a blue cloner
3. Most likely, nothing more can be written to this tag using proxmark... only chinese cloner


#12 2019-02-19 19:02:18

danv
Contributor
Registered: 2019-02-05
Posts: 13

Re: Possible T55xx Tag & Chinese Cloner

Hi @anybody,

The problem is that all the tags that came with this cloner behave the same way. In other words, none of them are empty; they all contain the same EM TAG ID 3D00D51E2C. I'm only able to write them using the cloner. Quite puzzling. I think the vendor might have tested all of them, some sort of quality control.

Last edited by danv (2019-02-19 19:02:38)




#13 2019-02-19 22:35:20

danv
Contributor
Registered: 2019-02-05
Posts: 13

Re: Possible T55xx Tag & Chinese Cloner

I confirmed the sequences on folder B are valid EM4305 write commands. If the tags were EM4305, the password being set would have been 0x9F3BD705.

Configuration being set:
RF/66
Manchester
No Delay
Last default read = 6
Read login = 0
Write login = 1
Reader talk first =  0
Pigeon mode = 0

My hypothesis is then that the sequences of folder C (the one with 96 pulses) must be an accepted write sequence. Figuring out what chip accepts these sequences is the next task. See below:

Sequence 1:
Sequence-1.png
Sequence 2:
Sequence-2.png
Sequence 3:
Sequence-3.png
Sequence 4:
Sequence-4.png



So, is there any other tag that can emulate an EM410x? Could the traces be a strange configuration of the T55xx/EM4x05?

Last edited by danv (2019-02-20 00:09:06)




#14 2019-02-20 11:54:35

anybody
Contributor
Registered: 2016-12-20
Posts: 22

Re: Possible T55xx Tag & Chinese Cloner

@danv,
Is EM TAG ID  6A 00 16 E5 AB ?
Finally, WAV downloaded.
The question is removed.

Last edited by anybody (2019-02-21 16:02:29)


#15 2019-02-21 16:03:16

danv
Contributor
Registered: 2019-02-05
Posts: 13

Re: Possible T55xx Tag & Chinese Cloner

Yes! Sequences 2 & 3 encode the EM ID 6A 00 16 E5 AB, including the initial 0b1 + 0xFF and parity bits. All sequences begin with 0x4; might that be the op-code?

See annotated sequences below:

[Click on picture to enlarge]
Sequence 1:
1-2-17-35-5.jpg
Sequence 2: (0b1 + FF 6A 00)
2-2-17-35-6.jpg
Sequence 3: (16 E5 AB)
3-2-17-35-7.jpg
Sequence 4:
4-2-17-35-8.jpg

If you take a look at the entire capture (WAV file), it is clear that the tag is responding to these commands (sequences C), contrary to sequences A (T55xx) & B (EM4x05), where the tag goes into regular read mode immediately after the sequence ends.


Tag accepts command (Unknown C sequence)  /  Tag rejects command (T55xx)
accepted-cmd.png rejected-command.png




#16 2019-02-22 07:44:14

anybody
Contributor
Registered: 2016-12-20
Posts: 22

Re: Possible T55xx Tag & Chinese Cloner

I saw almost the same sequences in WAV file here:
http://www.proxmark.org/forum/viewtopic.php?id=6029
T55x7 (with PWD) - EM4x05 (with PWD) - T55x7 (???)
Most likely, it's  t55x7 test mode (opcode "01"). But I did not find any information about this mode.
Here @marshmellow tried to understand this question...
http://www.proxmark.org/forum/viewtopic … 933#p26933
May be(???)
Sequence1 (wipe, precfg?) - 93 bits
01(opcode)-0000100010100000000 (19bits cfg?)-000....000(72bits)
Sequence2 (data) - 53 bits
01(opcode)-0000000101000000000 (19bits cfg?)-32bits(ID, as blk1)
Sequence3 (data) - 53 bits
01(opcode)-0000000101010000000 (19bits cfg?)-32bits(ID, as blk2)
Sequence4 (cfg?) - 53 bits
01(opcode)-0000000101011111111 (19bits cfg?)-00000101000000000000000000000000 (32bits)
Try locked t5577 and different ID

Last edited by anybody (2019-02-22 19:27:09)


#17 2019-03-05 23:18:08

danv
Contributor
Registered: 2019-02-05
Posts: 13

Re: Possible T55xx Tag & Chinese Cloner

Hi @anybody,
Sorry for taking so long to reply. I did what you suggested. I wrote a blank T55xx tag with 0xFFFFFFFFFF and copied it to one of the unknown tags using the cloner. I decoded once more the cloner write sequences. I XOR'ed the write sequences (C) of 0x6A0016E5AB and 0xFFFFFFFFFF.

https://pastebin.com/EMBx0rSX

I've marked my assumption for the page bit. Sequence 1 and 4 are identical for both.
My intention is to simulate this write sequence with the proxmark and fuzz some bits. My first attempt will be to swap blocks.

Last edited by danv (2019-03-05 23:21:42)


