Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
I have a cheap RIFD keypad that I want to use for a demo but I am having trouble cloning the tag in the Proxmark. I start with:
[usb] pm3 --> lf search
[!] command execution time out
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[=] You can cancel this operation by pressing the pm3 button
[!] timeout while waiting for reply.
[+] EM410x pattern found
EM TAG ID : 330051BB58
Possible de-scramble patterns
Unique TAG ID : CC008ADD1A
HoneyWell IdentKey {
DEZ 8 : 05356376
DEZ 10 : 0005356376
DEZ 5.5 : 00081.47960
DEZ 3.5A : 051.47960
DEZ 3.5B : 000.47960
DEZ 3.5C : 081.47960
DEZ 14/IK2 : 00219048688472
DEZ 15/IK3 : 000876182428954
DEZ 20/ZK : 12120000081013130110
}
Other : 47960_081_05356376
Pattern Paxton : 862320984 [0x3365F958]
Pattern 1 : 12744138 [0xC275CA]
Pattern Sebury : 47960 81 5356376 [0xBB58 0x51 0x51BB58]
[+] Valid EM410x ID found!
[!] command execution time out
[usb] pm3 --> data detectclock a
[+] Auto-detected clock rate: 64, Best Starting Position: 79
[usb] pm3 --> lf em 410x_write 330051BB58 1
[+] Writing T55x7 tag with UID 0x330051bb58 (clock rate: 64)
[+] Done
[usb] pm3 --> lf em 410x_read
[!] command execution time out
[+] EM410x pattern found
EM TAG ID : 330051BB58
Possible de-scramble patterns
Unique TAG ID : CC008ADD1A
HoneyWell IdentKey {
DEZ 8 : 05356376
DEZ 10 : 0005356376
DEZ 5.5 : 00081.47960
DEZ 3.5A : 051.47960
DEZ 3.5B : 000.47960
DEZ 3.5C : 081.47960
DEZ 14/IK2 : 00219048688472
DEZ 15/IK3 : 000876182428954
DEZ 20/ZK : 12120000081013130110
}
Other : 47960_081_05356376
Pattern Paxton : 862320984 [0x3365F958]
Pattern 1 : 12744138 [0xC275CA]
Pattern Sebury : 47960 81 5356376 [0xBB58 0x51 0x51BB58]It appears to have made a clone of the original card, but it doesn't work on the lock. If I clone with one of cheap chinese cloners to the same T5577 card (or a different one) it works perfectly and opens the lock.
What am I doing wrong in the Proxmark?
Offline
If the cloner works to the same target card, but the Proxmark does not then the question will be what is different between the two.
We know, cloners tend to put a password on the card after programming it. - Proxmark does not. But you can if you want.
So, if you know the password the cloner is setting, use that and dump the card. Then program with the proxmark and dump the card. Is there anything different between the two dumps.
Offline
The issue is that even with a brand new, never written T5577 card, the Proxmark appears to make a perfect clone of the original tag. I write it and then read it and they are the same as shown in the code above. But the new card won't open the lock. If I take either that same card (already written by the Proxmark) or another new card and do the clone on the chinese cloner, the lock opens.
Is there a good way to see the differences in the cards? Because if I just do a read, they look the same.
Thanks for your help
Offline
As its a t5577 card, try the lf t55xx commands
there should be a
lf t55 dump
that should show every block.
Remember run
lf t55 detect
first, else your results wont be correct.
Offline