Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-12-13 21:22:47

Dep
Contributor
Registered: 2020-12-12
Posts: 7

Weird T55xx cards behavior (non writable by PM3)

I have a bunch of clamshell T55xx(i presume) cards and i cannot clone nor do any direct write/read to these cards with my new PM3 Easy.
However cheap cloners can write on these cards. Tested with SK-658 and with black usb-hid (like in this thread).
I found out cloners set passwords on tags and i did my attempt to sniff out the password they use to write and I found out it was the standard password "51243648". Here's the successful sniff of writing UID 1000000001 with usb-hid cloner:

[usb] pm3 --> lf t55 sniff
[#] LF Sampling config
[#]   [q] divisor.............95 ( 125.00 kHz )
[#]   [b] bits per sample.....8
[#]   [d] decimation..........1
[#]   [a] averaging...........No
[#]   [t] trigger threshold...10
[#]   [s] samples to skip.....20000 
[#] LF Sampling Stack
[#]   Max stack usage.........4040 / 8480 bytes
[#] Done, saved 44480 out of 0 seen samples at 8 bits/sample
[=] Reading 44479 bytes from device memory
[+] Data fetched
[=] Samples @ 8 bits/smpl, decimation 1:1 

[=] T55xx command detection
[+] Downlink mode         | password |   Data   | blk | page |  0  |  1  | raw
[+] ----------------------+----------+----------+-----+------+-----+-----+-------------------------------------------------------------------------------
[+] Default write         |          | 00000060 |  2  |   0  |  20 |  47 | 10000000000000000000000000001100000010
[+] Default write         |          | 00148041 |  0  |   0  |  20 |  45 | 10000000000000101001000000001000001000
[+] Default pwd write     | 1C0B5848 | 51243648 |  7  |   0  |  20 |  46 | 1000011100000010110101100001001000001010001001001000011011001001000111
[+] Default pwd write     | 51243648 | FF8C0000 |  1  |   0  |  20 |  46 | 1001010001001001000011011001001000011111111100011000000000000000000001
[+] Default pwd write     | 51243648 | 00000060 |  2  |   0  |  19 |  45 | 1001010001001001000011011001001000000000000000000000000000001100000010
[+] Default Read          |          |          |  2  |   0  |  27 |  35 | 101010
[+] Leading 0 pwd write   | 00000000 | 00000000 |  0  |   0  |  10 |  16 | 0100000000000000000000000000000000000000000000000000000000000000000000000
[+] Default Read          |          |          |  5  |   1  |   7 |  29 | 110101
[+] -----------------------------------------------------------------------------------------------------------------------------------------------------

It looks like this cloner tries to change password for some reason. From 1C0B5848 to 51243648.
According to configration block that cloner sends to card (00148041) it must be standard RF/64, Manchester, transmit blocks 1-2 and init delay bit (hmm?). So i set my config according to this and continued:

lf t55 config b 64 d ASK o 32

I tried to wipe card using both passwords above, change configuration, write to blocks 1&2 to change UID but it had no any effect.
The card reads fine in normal mode but overall behavior looks strange to me. Since i'm beginner im sure i just missing out some things.

Trace output

The modulation is most likely wrong since the ACL is not 0xE0.

Info output (weird, looks like a stream of normal read mode)

--- T55x7 Configuration & Information ---------
-------------------------------------------------------------
 Safer key                 : 15
 reserved                  : 99
 Data bit rate             : 0 - RF/8
 eXtended mode             : No
 Modulation                : 0 - DIRECT (ASK/NRZ)
 PSK clock frequency       : 0 - RF/2
 AOR - Answer on Request   : No
 OTP - One Time Pad        : No
 Max block                 : 0
 Password mode             : No
 Sequence Terminator       : No
 Fast Write                : No
 Inverse data              : No
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0,  block 0
    0xFC600000 11111100011000000000000000000000
-------------------------------------------------------------

I'm really confused now. I got the password that the cloner uses and cannot repeat write from PM3. Makes me feel that card doesn't enters write mode for some reason. Wrong PW? Wrong timings? Init delay?
Is there something can be done to make them also writable with PM3?
Would be very glad to get any help or hint.

UPD: Just used mentioned above cheap copiers on a blank new T5577 coin tags and they remain fully writable & cloneable by PM3 after that.

Last edited by Dep (2020-12-14 11:02:59)

Offline

#2 2020-12-18 09:46:15

mwalker
Moderator
Registered: 2019-05-11
Posts: 311

Re: Weird T55xx cards behavior (non writable by PM3)

Did you try to detect with the password from the cloner ?

ie
lf t55 det p 51243648

Offline

#3 2020-12-18 16:34:13

Dep
Contributor
Registered: 2020-12-12
Posts: 7

Re: Weird T55xx cards behavior (non writable by PM3)

mwalker wrote:

Did you try to detect with the password from the cloner ?

ie
lf t55 det p 51243648

Hello. Yes I did and it didn't worked sad
I think it must be locked with a password, but the password isn't publicly known.
However mentioned cloners appears to be having that password.
I tried to sniff something else a hundred times and with different samples skip setting, but nothing worked.
Is there anything else I can do? Perhaps, i also can try recoring the modulating signal using logic analyzer, but I doubt i can analyze it the proper way.

Offline

#4 2020-12-18 23:36:49

mwalker
Moderator
Registered: 2019-05-11
Posts: 311

Re: Weird T55xx cards behavior (non writable by PM3)

If the cloner is working on new tags and you can still use the PM3 on the new tags ok, but you cant on the old tag, then it sounds like the tag may have been locked with a different password already.
the lf t55 info is reading blocks 1 and 2 on page 1 (trackability data) and trying to decode, but of those two blocks have been over written with other data, then the info will be a bit random.

While a bit hard to say, it kinda looks like the trackability has been over written with the card ID packet (kinda looks like an EM4100 pre-amble with the read offset out a little).

FF8C0000 : 11111111100011000000000000000000
FC600000 :    11111100011000000000000000000000

On the tag, what do you get from an lf search ?

Offline

#5 2020-12-21 17:39:40

Dep
Contributor
Registered: 2020-12-12
Posts: 7

Re: Weird T55xx cards behavior (non writable by PM3)

mwalker wrote:

it sounds like the tag may have been locked with a different password already.

I have the same feeling too.

mwalker wrote:

kinda looks like an EM4100 pre-amble with the read offset out a little

Yep, same thoughts. The tag is definitely doesn't enters the write mode.

mwalker wrote:

On the tag, what do you get from an lf search ?

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 
[+] EM 410x ID 1000000001
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 0800000080
[=] HoneyWell IdentKey
[+]     DEZ 8          : 00000001
[+]     DEZ 10         : 0000000001
[+]     DEZ 5.5        : 00000.00001
[+]     DEZ 3.5A       : 016.00001
[+]     DEZ 3.5B       : 000.00001
[+]     DEZ 3.5C       : 000.00001
[+]     DEZ 14/IK2     : 00068719476737
[+]     DEZ 15/IK3     : 000034359738496
[+]     DEZ 20/ZK      : 00080000000000000800
[=] 
[+] Other              : 00001_000_00000001
[+] Pattern Paxton     : 269762049 [0x10143E01]
[+] Pattern 1          : 512 [0x200]
[+] Pattern Sebury     : 1 0 1  [0x1 0x0 0x1]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

Couldn't identify a chipset

Offline

#6 2020-12-22 00:57:18

Dep
Contributor
Registered: 2020-12-12
Posts: 7

Re: Weird T55xx cards behavior (non writable by PM3)

I feel really desperate. Can't sniff anything useful besides writing to 1 & 2 blocks with pwd 51243648. Carefully checked dozens times with 0 to 100k skipped samples. The black cloner actually writes to tags, PM3 with this password does not.
Also tried to sniff this tag as EM4x05 and sometimes i get only garbage, so it couldn't be EM4305 i suppose.

So I ran out of clues and as a last step I've decided to open cloner and physically record the field with logic analyzer.
Here's the capture of writing a tag (uid 1000000001). I hope someday someone proficient can take a look.
https://gofile.io/d/88ay9Q
Can be viewed with Saelae Logic app.

Last edited by Dep (2020-12-22 00:57:56)

Offline

#7 2020-12-22 20:37:36

Sentinel
Contributor
Registered: 2012-11-26
Posts: 186

Re: Weird T55xx cards behavior (non writable by PM3)

nOota4W.jpg
First command - authorization with password 00000000

Offline

#8 2020-12-22 21:11:23

Sentinel
Contributor
Registered: 2012-11-26
Posts: 186

Re: Weird T55xx cards behavior (non writable by PM3)

6l9AEXC.jpg
Configuration word for  RF/64,  Manchester,   2block

Offline

#9 2020-12-23 18:05:44

Dep
Contributor
Registered: 2020-12-12
Posts: 7

Re: Weird T55xx cards behavior (non writable by PM3)

Sentinel wrote:

https://i.imgur.com/nOota4W.jpg
First command - authorization with password 00000000

Hey. Really appreciate you taking a look at this.
I think that cloner tries a few tag kinds at once.
I've tried using password 00000000 with em 4x05 and em 4x50 commands with no success.
4x05 gives no answer in return (read,info,dump,wipe) and 4x50 commands fails, including login.

[usb] pm3 --> lf em 4x50 login -p 00000000
[-] ⛔ Login failed

Last edited by Dep (2020-12-23 18:19:08)

Offline

#10 2020-12-23 20:48:04

Sentinel
Contributor
Registered: 2012-11-26
Posts: 186

Re: Weird T55xx cards behavior (non writable by PM3)

This bit not set
co20: Write Login.
When the Write Login bit is set to logic 1, modification of
EEPROM content is protected
advanide.com /wp-content/ uploads/ products/ rfid/ EM4205-4305.pdf (page7)
try reading and writing without authorization command

Offline

#11 2020-12-23 20:58:37

Dep
Contributor
Registered: 2020-12-12
Posts: 7

Re: Weird T55xx cards behavior (non writable by PM3)

Made some recording from SK-658 cloner during write using PulseView.
After adjusting (extending) Write One timings the T55xx decoder, it worked, showing a little bit of correct information, but there's much more info left undecoded, EM4x i guess.
Photo of HW
PulseView session

Sentinel wrote:

try reading and writing without authorization command

[usb] pm3 --> lf em 4x05 info
[usb] pm3 --> lf em 4x05 dump
[usb] pm3 --> 
[usb] pm3 --> lf em 4x05 read -a 0
[=] Reading address 00
[!] ⚠️  No answer from tag
[usb] pm3 --> lf em 4x05 read -a 1
[=] Reading address 01
[!] ⚠️  No answer from tag
[usb] pm3 --> lf em 4x05 wipe --4205
[usb] pm3 --> lf em 4x05 wipe --4305
[usb] pm3 --> lf search
...
[=] Checking for known tags...
[=] 
[+] EM 410x ID 1000000001
[+] EM410x ( RF/64 )
...

Last edited by Dep (2020-12-23 21:06:17)

Offline

Board footer

Powered by FluxBB