Proxmark3 community


#51 2013-01-24 13:34:19

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Clone HID card to T55x7

OK, I introduced a bug from a test where I tried to use up to 45 bits in short format.
Fixed in r651. Sorry for this.

Could you please try now?

I also added block commands for EM4xxx (tested with EM4305, EM4269 and EM4469) based cards. This will soon allow these cards to be used for cloning.

Last edited by Cex (2013-01-24 14:35:14)

Offline

#52 2013-01-24 23:28:27

elliot42
Contributor
From: Australia
Registered: 2013-01-11
Posts: 16

Re: Clone HID card to T55x7

Thanks, I'll try it out tonight (in about 12 hours from now). I had a look through the code and diffs to try and find the bug and didn't even notice the change from 11 to 12.

I also have one very minor comment about your code; it looks like the editor you're using is set up with soft tabs (replaced with spaces) and a tab width of 2 (?), and it makes the code misaligned when viewed on Google Code and editors with different tab widths.

Offline

#53 2013-01-25 00:00:22

elliot42
Contributor
From: Australia
Registered: 2013-01-11
Posts: 16

Re: Clone HID card to T55x7

A question: should lfops.c:781 be testing for hi2 as it does at :738?

It also seems like hi2 should be passed back to the caller as *high and *low are for consistency, but that would involve supporting the 84-bit format in CMDHIDsimTAG.

Offline

#54 2013-01-25 08:09:16

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Clone HID card to T55x7

elliot42 wrote:

A question: should lfops.c:781 be testing for hi2 as it does at :738?

Yes, it should, for consistency. I'll fix when possible, along with the TABs.

elliot42 wrote:

It also seems like hi2 should be passed back to the caller as *high and *low are for consistency, but that would involve supporting the 84-bit format in CMDHIDsimTAG.

Surely, but I do not have time for this now. If you are interested in that functionality you can make the changes and ask Roel for SVN access for commit.

Offline

#55 2013-01-25 13:50:51

elliot42
Contributor
From: Australia
Registered: 2013-01-11
Posts: 16

Re: Clone HID card to T55x7

The latest commit works perfectly, thank you.

I didn't mean to suggest you need to make the changes to CMDHIDsimTAG, I was more just thinking out loud.
I'd make the change myself, but I don't have the hardware to test it with.

Offline

#56 2013-03-10 12:35:36

MF
Member
Registered: 2013-03-09
Posts: 8

Re: Clone HID card to T55x7

Thanks for all of your hard work on this guys! I got a new PM3 last week and flashed r671 osimage on it straightaway, but I did not do the FPGA as well. Now it seems that I have a flasher issue, see this post:

http://www.proxmark.org/forum/viewtopic … 1551#p1551

I guess I will have to JTAG it :(

When I am trying to clone a card I am also having issues. I am using lf hid sim, see this post:

http://www.proxmark.org/forum/viewtopic … 1550#p1550

But the write does not work. I suspect two possible issues:

1. My FPGA needs to be updated to the one from r671, can anyone confirm this?
2. My card does not support writes. I have an HID Crescendo C700. It definitely has a prox chip as I can read it using lf hid fskdemod, it returns FFFFFFFFFF as the ID. I am pretty sure that it can be written to as the shop that I purchased it from offers to ship it with custom data written to it. When I asked them they said "you can only write to the card using the official writer". I guess they mean the HID 6100 series writers. Is the PM3 able to achieve the same job?

Thanks,
Michael.

Offline

#57 2013-03-11 12:51:55

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Clone HID card to T55x7

MF,

Regarding genuine HID credentials, they are password protected.
You will need to find out the 32-bit password in order to modify them with Proxmark3.

You also need to know the IDIC used in your credentials and use the proper programming algorithm.
As far as I know HID used Atmel AT5557 in the proxcard line and EM4469/4269/4305 in the proxcardII line of products.

Offline

#58 2013-03-11 12:58:23

MF
Member
Registered: 2013-03-09
Posts: 8

Re: Clone HID card to T55x7

Hi Cex,

Great, thank you. How would I specify that password during the clone process?

Thanks,
Michael.

Offline

#59 2013-03-13 08:03:51

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Clone HID card to T55x7

There's no implementation for cloning with password, but you can check the password by writing the second block of data with 0xAAAAAAAA.
If the password is OK this will make a part of the card UID to read as FFFF or 0000.

There are block commands for both T55x7 and EM4xxx.

Once you get the correct password you can either write the card block by block or modify the clone command to accept a password.

Offline

#60 2013-03-13 08:43:49

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Clone HID card to T55x7

Just curious, is there only one (global system wide) password for all tags or are they diversified (derived from the ID and some (global?) secret)?

Offline

#61 2013-03-13 15:17:44

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Clone HID card to T55x7

Version II of HID cards have a lot number that I think is requested when using the official programmer, which suggests that the password may be different for each job lot (besides blank cards can't be written and also request for the lot), but version I cards do not have a job number printed (at least I have some old ones that do not have it), which suggests that the password should be the same as there's no way of distinguishing between cards, so both of them are possible.

Offline

#62 2013-04-08 00:37:09

quiksilv7
Member
Registered: 2013-04-08
Posts: 2

Re: Clone HID card to T55x7

Excuse my ignorance whilst I'm learning the ins and outs - Is it possible to clone a HID Prox card used in a Proxpoint system such as the one below, to a T55x7 card if I don't know the password? Does anyone know if the T55x7 cards work on Proxpoint readers?


Thanks

Offline

#63 2013-04-10 00:23:21

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Clone HID card to T55x7

You don't need to know the HID password to copy HID card data onto a T55x7 card. However, you would need to know the password if you were trying to write/modify an original HID card. HID utilizes the password feature when they program their cards at the factory in order to prevent their cards from later being modified.
All T55x7 cards support the password feature but its use is optional. If you desire to use a password you must define a 32-bit password and then set the password enable bit in Block 0.
In regards to your last question ... Yes, a T55x7 card will work with a HID Proxpoint reader if Block 0 has been programmed with the correct HID modulation and data encoding parameters.

Last edited by carl55 (2013-04-10 00:53:46)

Offline
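To make the point about Block 0 in the post above concrete, here is an added example (not from the thread or from the Proxmark3 source) that decodes a T55x7 basic-mode configuration word, reports the password enable bit, and flags any mismatch against the expected emulation parameters. The field offsets follow the T55x7 basic-mode layout; the FSK2a, RF/50, 3-block expectation and the sample words are this example's assumptions and should be checked against the chart linked later in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of a T55x7 Block 0 configuration word (basic mode). */
typedef struct {
    unsigned rf_div;      /* data bit rate as a field-clock divisor (50 = RF/50) */
    unsigned modulation;  /* 5-bit modulation code */
    unsigned max_block;   /* last data block sent in regular-read mode */
    int      pwd_enabled; /* 1 if the password enable bit is set */
} t55x7_cfg;

static const unsigned RF_DIV[8] = {8, 16, 32, 40, 50, 64, 100, 128};

enum { MOD_FSK2A = 0x07 };                        /* modulation code for FSK2a */
enum { BAD_RATE = 1, BAD_MOD = 2, BAD_BLOCKS = 4 };

t55x7_cfg t55x7_decode_block0(uint32_t w)
{
    t55x7_cfg c;
    c.rf_div      = RF_DIV[(w >> 18) & 0x7];      /* 3-bit data bit rate field */
    c.modulation  = (w >> 12) & 0x1F;             /* 5-bit modulation field */
    c.max_block   = (w >> 5) & 0x7;               /* 3-bit MAXBLK field */
    c.pwd_enabled = (int)((w >> 4) & 0x1);        /* password enable bit */
    return c;
}

/* Returns 0 if the word matches the parameters this example assumes for HID
 * Prox emulation (FSK2a at RF/50 with data_blocks blocks), else a bitmask of
 * the fields that differ. The password bit is reported by the decoder only. */
unsigned t55x7_hid_cfg_mismatch(uint32_t w, unsigned data_blocks)
{
    t55x7_cfg c = t55x7_decode_block0(w);
    unsigned bad = 0;
    if (c.rf_div != 50)              bad |= BAD_RATE;
    if (c.modulation != MOD_FSK2A)   bad |= BAD_MOD;
    if (c.max_block != data_blocks)  bad |= BAD_BLOCKS;
    return bad;
}

int main(void)
{
    /* Constructed sample words, not read from any card in this thread. */
    const uint32_t samples[] = {0x00107060u, 0x00107070u, 0x00148040u};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        t55x7_cfg c = t55x7_decode_block0(samples[i]);
        printf("%08lX: RF/%u mod=0x%02X maxblk=%u pwd=%d mismatch=0x%X\n",
               (unsigned long)samples[i], c.rf_div, c.modulation,
               c.max_block, c.pwd_enabled,
               t55x7_hid_cfg_mismatch(samples[i], 3));
    }
    return 0;
}
```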

#64 2013-04-10 10:26:04

quiksilv7
Member
Registered: 2013-04-08
Posts: 2

Re: Clone HID card to T55x7

Thanks for the info Carl. Can I read the HID modulation and encoding params off an existing HID card / fob which I have?

Essentially I want to make a copy (legally) of a programmed HID card I already have, onto a blank T55x7 card.

I also have a blank/spare HID iClass fob. I assume this will be passworded so I won't be able to copy the site ID from the existing fob onto this one?

Cheers

Offline

#65 2013-04-13 17:25:13

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Clone HID card to T55x7

The HID modulation and data encoding parameters needed to program Block 0 of a T55x7 card can be found in the following chart.
http://www.proxmark.org/files/Documents … xample.pdf

Regarding your second question, I am not sure exactly what you are trying to do. You appear to be intermixing questions about 125 kHz Prox and 13.56 MHz iClass technologies.
It is certainly possible to write card information to an iClass card/fob that is obtained from a different credential (either standard Prox or iClass) but you need to have the proper keys and iClass programming tools. The Proxmark3 currently does not support this capability.

Offline

#66 2013-04-14 14:03:07

vixx3n
Member
Registered: 2013-04-14
Posts: 2

Re: Clone HID card to T55x7

Having some trouble with installation.  I downloaded the files from http://www.proxmark.org/files/Various%20Software/PM3_T55x7_v2.zip

Getting the following error when attempting make.  Any pointers would be greatly appreciated.

root@bt:~/proxmark3-t55x7# make
make -C bootrom all
make[1]: Entering directory `/root/proxmark3-t55x7/bootrom'
perl ../tools/mkversion.pl .. > version.c || cp ../common/default_version.c version.c
arm-none-eabi-gcc -c -I../include -I../common -Wall -Werror -pedantic -std=c99 -I. -Os -mthumb -mthumb-interwork -o obj/version.o version.c
arm-none-eabi-gcc -c -I../include -I../common -Wall -Werror -pedantic -std=c99 -I. -Os -mthumb -mthumb-interwork -o obj/cmd.o ../common/cmd.c
../common/cmd.c: In function 'cmd_send':
../common/cmd.c:69:11: error: 'USB_CMD_DATA_SIZE' undeclared (first use in this function)
../common/cmd.c:69:11: note: each undeclared identifier is reported only once for each function it appears in
make[1]: *** [obj/cmd.o] Error 1
make[1]: Leaving directory `/root/proxmark3-t55x7/bootrom'
make: *** [bootrom/all] Error 2

Offline

#67 2013-09-06 16:02:09

Sentinel
Contributor
Registered: 2012-11-26
Posts: 190

Re: Clone HID card to T55x7

Proposed to be added to the draft transcript UID MOTOROLA cards (37bit)
pSrc - card array from one unit in a sequence


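/* Bit permutation table: entry i is the destination bit (0-31) in lDst for
   source bit i, counted MSB-first across pSrc. A value above 31 means the
   source bit is dropped. */
static unsigned char bConv[] = {32, 6, 16, 14, 24, 25, 20, 4, 31, 26, 21, 30, 23, 3, 2, 32, 29, 22,
                                5, 1, 7, 27, 28, 17, 19, 15, 18, 0};

/* Output buffer. Not declared in the original post; assumed here to be a
   5-byte global. */
static unsigned char bPSK[5];

void PSKconvert(unsigned char *pSrc)
{
    unsigned char mask, i;
    unsigned long lDst = 0;

    /* Walk the first 28 source bits, MSB first within each byte. */
    for (i = 0; i < 28; ) {
        for (mask = 0x80; mask; mask >>= 1) {
            if (*pSrc & mask) {
                if (bConv[i] <= 31)
                    lDst |= (1UL << bConv[i]);  /* unsigned shift, bit 31 is used */
            }
            if (++i >= 28) break;
        }
        pSrc++;
    }

    /* Zero lead byte, then the 32-bit result, least significant byte first. */
    bPSK[0] = 0;
    bPSK[1] = (unsigned char)(lDst & 0xFF);
    bPSK[2] = (unsigned char)((lDst >> 8) & 0xFF);
    bPSK[3] = (unsigned char)((lDst >> 16) & 0xFF);
    bPSK[4] = (unsigned char)((lDst >> 24) & 0xFF);
}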

Offline

#68 2013-09-06 17:55:42

vixx3n
Member
Registered: 2013-04-14
Posts: 2

Re: Clone HID card to T55x7

Hi xm,

I haven't found a fix for this yet, but will update if I come across anything.

Offline

#69 2013-09-09 19:05:32

urkis
Contributor
Registered: 2012-02-12
Posts: 30

Re: Clone HID card to T55x7

I have a strange Manchester encoded 125kHz card with 105 bits data that I want to clone to a T55x7-card.

105 bits seems kind of mysterious. It seems to have a header of "111111111" just like an EM4102-tag but it can't be that.
Maybe it is only 96 bit because the last bits (97-105) are always "101010101", maybe it isn't part of the relevant tag data? I don't really know.

Anyways, is it possible to configure the T55x7 for 105 bits, or must I choose 4 whole blocks which gives 128 data bits?

Last edited by urkis (2013-09-09 19:07:16)

Offline

#70 2013-09-13 12:12:21

adam@algroup.co.uk
Contributor
From: UK
Registered: 2009-05-01
Posts: 203
Website

Re: Clone HID card to T55x7

You must use whole blocks, but filling the remaining bits with all 0 often works as the reader will just see it as a gap in the transmission. If you want to post the trace we might be able to shed some more light on it...

Offline

#71 2013-09-22 13:57:17

nmrn
Member
Registered: 2013-09-22
Posts: 3

Re: Clone HID card to T55x7

Hi guys, I am also having some problems writing to what I think is a T5577 card.

As above, the terminal says:

proxmark3> lf hid clone 200459d32d 
Cloning tag with ID 200459d32d          
proxmark3> 
proxmark3> #db# DONE!  

It appears that data is in fact being written to the card but a HID reader won't register the card.

If I use the proxmark I get the following:

proxmark3> data samples 16000
Reading 16000 samples
Done!
proxmark3> 
proxmark3> data plot
proxmark3> 
proxmark3> data detectclock
Auto-detected clock rate: 63          
proxmark3> 
proxmark3> data mandemod  63
Manchester decoded bitstream          
0 0 0 1 1 0 1 0 0 1 0 1 0 0 1 0          
1 0 1 0 1 1 0 1 0 1 1 0 1 1 1 1          
1 1 0 0 0 0 0 0 0 0 1 1 0 1 0 0          
1 1 0 0 0 1 1 0 0 0 1 1 0 1 0 0          
0 0 0 0 1 1 0 1 0 0 1 0 1 0 0 1          
0 1 0 1 0 1 1 0 1 0 1 0 1 1 1 1          
1 1 1 0 0 0 0 0 0 0 0 1 1 0 1 0          
0 1 1 0 0 0 1 1 0 0 0 1 0 0 0 1          
1 1 1 1 1 0 0 1 0 1 1 0 1 0 1 1          
0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 0          
0 0 0 0 1 1 1 1 1 1 1 1 0 0 1 0          
proxmark3> 

Similarly, the trace looks good. I can post a screenshot on request.

The cards I purchased are here: http://www.ebay.com.au/itm/10pcs-RFID-125KHz-Writable-Rewrite-T5567-T5577-thick-card-Proximity-Access-card-/111092216880?pt=Intercoms_Access_Controls&hash=item19dd9cb430

And the description says:

10 pcs RFID 125KHz Writable Rewrite T5557 T5567 T5577 thick card Proximity Access card
Specifications:

    Chips:   T5577.
    Frequency:     125KHZ.
    Storage:     330bits,  10 blocks.
    Reading distance:   0-10 cm or further.
    Dimension:    85.88mm*53.98mm*1.96mm.
    Packaging:   10 pcs thick T5577 cards

Can anyone shed some light on why a HID reader doesn't recognise these cloned cards?

Offline

#72 2013-09-26 17:29:22

pms
Member
Registered: 2013-09-22
Posts: 4

Re: Clone HID card to T55x7

@nmrn: what happens when the HID reader doesn't register the card? Does it beep? Are you able to use proxmark to read the card back, e.g. lf hid fskdemod?

Offline

#73 2013-09-28 15:27:49

nmrn
Member
Registered: 2013-09-22
Posts: 3

Re: Clone HID card to T55x7

pms wrote:

@nmrn: what happens when the HID reader doesn't register the card? Does it beep? Are you able to use proxmark to read the card back, e.g. lf hid fskdemod?

No, the reader doesn't beep nor does the light come on. There is no Wiegand output either. All of these things work with the original HID tag.

The proxmark will not read it using hid fskdemod but if I collect some samples and look at the plot it is obvious there is a card there outputting data (data as shown above). I'm still confused as to what's happening. Does the size of the card (330 bit in the case of the ones I bought) have anything to do with how they need to be written?

Offline

#74 2013-09-28 16:27:28

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: Clone HID card to T55x7

just try a different angle when you are programming your card. The angle, distance to the antenna, orientation is "tricky"...

nmrn wrote:
pms wrote:

@nmrn: what happens when the HID reader doesn't register the card? Does it beep? Are you able to use proxmark to read the card back, e.g. lf hid fskdemod?

No, the reader doesn't beep nor does the light come on. There is no Wiegand output either. All of these things work with the original HID tag.

The proxmark will not read it using hid fskdemod but if I collect some samples and look at the plot it is obvious there is a card there outputting data (data as shown above). I'm still confused as to what's happening. Does the size of the card (330 bit in the case of the ones I bought) have anything to do with how they need to be written?

Offline

#75 2013-11-12 00:58:39

nmrn
Member
Registered: 2013-09-22
Posts: 3

Re: Clone HID card to T55x7

app_o1 wrote:

just try a different angle when you are programming your card. The angle, distance to the antenna, orientation is "tricky"...

Thanks, this was it. Also my home-made antenna wasn't powerful enough even though it can read and emulate cards. When I tried programming with one of the PCB antennas, I found that it was necessary to hold the card perpendicular to the coil when programming.

Offline

#76 2014-06-11 06:05:59

eskizle
Contributor
Registered: 2011-07-18
Posts: 26

Re: Clone HID card to T55x7

nmrn wrote:

Hi guys, I am also having some problems writing to what I think is a T5577 card.

As above, the terminal says:

proxmark3> lf hid clone 200459d32d 
Cloning tag with ID 200459d32d          
proxmark3> 
proxmark3> #db# DONE!  

It appears that data is in fact being written to the card but a HID reader won't register the card.

If I use the proxmark I get the following:

proxmark3> data samples 16000
Reading 16000 samples
Done!
proxmark3> 
proxmark3> data plot
proxmark3> 
proxmark3> data detectclock
Auto-detected clock rate: 63          
proxmark3> 
proxmark3> data mandemod  63
Manchester decoded bitstream          
0 0 0 1 1 0 1 0 0 1 0 1 0 0 1 0          
1 0 1 0 1 1 0 1 0 1 1 0 1 1 1 1          
1 1 0 0 0 0 0 0 0 0 1 1 0 1 0 0          
1 1 0 0 0 1 1 0 0 0 1 1 0 1 0 0          
0 0 0 0 1 1 0 1 0 0 1 0 1 0 0 1          
0 1 0 1 0 1 1 0 1 0 1 0 1 1 1 1          
1 1 1 0 0 0 0 0 0 0 0 1 1 0 1 0          
0 1 1 0 0 0 1 1 0 0 0 1 0 0 0 1          
1 1 1 1 1 0 0 1 0 1 1 0 1 0 1 1          
0 1 0 1 0 1 0 0 1 0 1 0 1 0 0 0          
0 0 0 0 1 1 1 1 1 1 1 1 0 0 1 0          
proxmark3> 

Similarly, the trace looks good. I can post a screenshot on request.

The cards I purchased are here: http://www.ebay.com.au/itm/10pcs-RFID-125KHz-Writable-Rewrite-T5567-T5577-thick-card-Proximity-Access-card-/111092216880?pt=Intercoms_Access_Controls&hash=item19dd9cb430

And the description says:

10 pcs RFID 125KHz Writable Rewrite T5557 T5567 T5577 thick card Proximity Access card
Specifications:

    Chips:   T5577.
    Frequency:     125KHZ.
    Storage:     330bits,  10 blocks.
    Reading distance:   0-10 cm or further.
    Dimension:    85.88mm*53.98mm*1.96mm.
    Packaging:   10 pcs thick T5577 cards

Can anyone shed some light on why a HID reader doesn't recognise these cloned cards?


How do you know that the output from the "data mandemod" command is correct? And why is there no askdemod previously?

Offline
