Research, development and trades concerning the powerful Proxmark3 device.
I need some help with the data that I need to program a T5557 with.
I have the below; can anyone assist?
proxmark3> data fskawiddemod
AWID Found - BitLength: 50 -unknown BitLength- (24432) - Wiegand: 1f400016bee1, Raw: 0128817e4111114dbebd1811
Best regards,
Offline
Hi,
Trying to program a t5577 key fob to a HID prox with lf hid clone 2006bxxxxx. I previously successfully did an indalaclone on the same t5577 key fob. Now, after doing a lf hid clone, the lf hid fskdemod is not working on the t5577. When doing a lf search I get Indala UID=0000000000000000000000000000000000000000000000000000000010001001 (000000089). I also do not seem to be able to do lf indalaclone again on the same key fob. What is going on here?
#db# bootrom: master/v2.0.0-133-g9f9b6b7-suspect 2015-06-19 05:14:06
#db# os: master/v2.0.0-133-g9f9b6b7-suspect 2015-06-19 05:14:07
#db# LF FPGA image built on 2015/03/06 at 07:38:04
proxmark3> lf t55xx dump
[0] 0xF0000000 11110000000000000000000000000000
[1] 0xF0000000 11110000000000000000000000000000
[2] 0xF0000000 11110000000000000000000000000000
[3] 0xF0000000 11110000000000000000000000000000
[4] 0xFFFFFFFF 11111111111111111111111111111111
[5] 0xF0000000 11110000000000000000000000000000
[6] 0xF0000000 11110000000000000000000000000000
[7] 0xF0000000 11110000000000000000000000000000
Last edited by meccan (2015-06-22 02:11:18)
Offline
try the code changes that are pending:
https://github.com/marshmellow42/proxma … 7b9e5e25c4
Offline
marshmellow, wow that worked perfectly! Thanks a lot!
Offline
Thx for the feedback, I'll see if we can get that code in the next release.
Offline
Hi, I am wondering if there is a way to program a T55x7 to a 13.56 MHz only UID (hardcoded)?
Offline
No. Hardware limitations, i.e. the antenna is built for 125 kHz, the processor doesn't speak the "iso14443a" protocol, etc.
Offline
@iceman, thank you, I agree with you. Somehow the penturalabs.wordpress.com website said it could be done.
Offline
Do you have a link to that blog/article?
Offline
https://penturalabs.wordpress.com/2013/07/15/access-control-part-2-mifare-attacks/
Offline
Looks to me like a copy-paste of their HID write-up where they forgot to edit that section. While cloning a Mifare UID is possible with UID-changeable cards, it IS NOT with a t5557 chip.
Offline
That article deals with Mifare tags, not t55x7, the only reference to t55x7 is this line:
T5557 cards can potentially clone hardcoded UID
So no, Pentura didn't say it could be done, that is a mixup.
Offline
need excel sheet for all of this ... please
Offline
Have you looked at the files section on the proxmark site?!? Start there.
Offline
Hi, I am trying to find a way to add this feature to the PM3. This converts SC and CN into a hex number for the HID 26 (tested), 34 (tested) and 37 (not tested) standards. Can someone help to test it, please?
All credits to the original author(s)
Last edited by Go_tus (2016-01-07 12:57:13)
Offline
@go_tus, I added your wiegand generation code (with changes). It's not done, but you can test it in my fork.
Offline
Impressive
Offline
you did the most, but the next step is more interesting
Offline
So it's in a logical thread.
Viking Badges (26-bit Wiegand Format)
Typically a white / grey badge with their ID code stamped on them.
Block 0 Format is: 00088040
Offline
NOP
Last edited by kwx (2016-02-09 08:53:58)
Offline
if you need to compile my fork on linux, use the extra parameter:
make clean && make all UBUNTU_1404_QT4=1
And as @marshmellow says here: http://www.proxmark.org/forum/viewtopic … 824#p18824
Last edited by iceman (2016-02-09 08:16:20)
Offline
if you need to compile my fork on linux, use the extra parameter:
make clean && make all UBUNTU_1404_QT4=1
And as @marshmellow says here: http://www.proxmark.org/forum/viewtopic … 824#p18824
Thank you.
I got the 'calculator' from the hex ID to raw ID working too.
What is strange is that when using the viking clone command, the tag does not work ( the proxmark won't recognise it)
When I write it manually, it works..
I'll have to dig around in marshmellow's code to see why..
Offline
"lf viking clone" takes your printed id,
adds a 0xF2 in the beginning,
adds a checksum in the end,
and sends it to the device side, where it writes to a t55x7 (or q5) configblock and block1, 2...
quite simple.
Question is if you were using a raw id from another lf read or you used the printed id...
Offline
"lf viking clone" takes your printed id,
adds a 0xF2 in the beginning,
adds a checksum in the end,
and sends it to the device side, where it writes to a t55x7 (or q5) configblock and block1, 2... quite simple.
Question is if you were using a raw id from another lf read or you used the printed id...
I was using the printed ID - which is why I found it weird that it wouldn't work.
Offline
now that is odd..
Can you dump the t55x7 tag when it's written by the clone command, and when you did it manually, and share it here?
Offline
might be better in a new thread or in the viking thread.
i'm not aware of any bugs there, but i didn't make the original clone routine.
Offline
Yes, I agree with @marshmellow, start a new thread so we keep it clean and easy to find.
Offline
not sure where it came from but the bug is the mask of line 77 applied to rawID. should be 0xFFFFFFFF not 0xFFFF.
Offline
not sure where it came from but the bug is the mask of line 77 applied to rawID. should be 0xFFFFFFFF not 0xFFFF.
I see you made a PR for this - thanks kindly!
Offline
C15001 Keyscan HID 36bits
thanks @mnelson for the sample. Without it we wouldn't know.
RAW 3708b43459
preamble 0x3 = bin 11
a) OEM 900 10bits
f) FC 90 8bits
c) CN 6700 16bits
e) even parity bits
o) odd parity bits
   E                                         O
   P aaaaaaaaaa ffffffff cccc cccc cccc cccc P
11 0 1110000100 01011010 0001 1010 0010 1100 1
     eeeeeeeeee eeeeeeeo oooo oooo oooo oooo
Offline
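The bit layout in the post above, turned into a decoder and encoder. This is an added example, not code from the thread or from the Proxmark3 project; the function names are hypothetical, and the parity coverage (even parity over the first 18 card bits, odd parity over the last 18, each including its own parity bit) is an assumption read from the e/o mask line of the post.

```python
PREAMBLE = 0x3  # "preamble 0x3 = bin 11" sits above the 36 card bits


def _ones(value: int) -> int:
    return bin(value).count("1")


def decode_keyscan36(raw: int) -> dict:
    """Split a 40-bit raw value into OEM, FC and CN and check both parity bits."""
    if raw >> 36 != PREAMBLE:
        raise ValueError("preamble 0x3 not found")
    bits = raw & ((1 << 36) - 1)
    return {
        "oem": (bits >> 25) & 0x3FF,   # 10 bits after the even parity bit
        "fc": (bits >> 17) & 0xFF,     # 8 bits
        "cn": (bits >> 1) & 0xFFFF,    # 16 bits before the odd parity bit
        "even_ok": _ones(bits >> 18) % 2 == 0,      # P + OEM + first 7 FC bits
        "odd_ok": _ones(bits & 0x3FFFF) % 2 == 1,   # last FC bit + CN + P
    }


def encode_keyscan36(oem: int, fc: int, cn: int) -> int:
    """Inverse of decode_keyscan36: pack the fields and compute both parities."""
    if not (0 <= oem < 1 << 10 and 0 <= fc < 1 << 8 and 0 <= cn < 1 << 16):
        raise ValueError("field out of range")
    body = ((oem << 24) | (fc << 16) | cn) << 1      # leave bit 0 for odd parity
    even_p = _ones(body >> 18) & 1                   # make the upper half even
    odd_p = (_ones(body & 0x3FFFF) + 1) & 1          # make the lower half odd
    return (PREAMBLE << 36) | (even_p << 35) | body | odd_p


SAMPLE_RAW = 0x3708B43459  # RAW value quoted in the post

if __name__ == "__main__":
    print(decode_keyscan36(SAMPLE_RAW))
    print(hex(encode_keyscan36(900, 90, 6700)))
```

A read whose `even_ok` or `odd_ok` is false was either demodulated with errors or is not in this format.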
I know how to write em ids to t55xx tags with the 'lf em4x em410xwrite xxxxxxx 1'. But how would I do this 1 block at a time with the 'lf t55xx writeblock' commands? I want to understand this format at a lower level.
Does anyone have an example of writing a em format to t55xx tag with block commands?
Offline
You need to understand the T55XX datasheet and you will need to understand the EM410xx datasheet, if you want to learn the protocol and how to program a t55xx tag.
Another source of information is to read the code, but that is a longer way to understanding.
Offline
Thanks Iceman. So I understand the em format parities and I end up with a 64 bit binary string. I convert that to a manchester string, and now it's 128 bits long. That is 4 blocks on a t55xx.
The 'EM4102 1.pm3 Walkthrough' on the wiki says em format is ASK encoded underneath the manchester encoding. Does the t55xx config string for manchester take care of the ASK encoding?
Here is what I have so far for the config block:
0x00148080
64 bit
manchester
4 blocks
Offline
there is an excel sheet for t55xx configuration, so you can easily see which configuration you've entered.
the tag will take care of ask,fsk,psk modulation, the rest is up to you in the data blocks.
Offline
With the t55xx, Manchester stands for ask/Manchester, so the Manchester encoding is done by the chip config; no need to have it part of the binary.
Last edited by marshmellow (2016-07-04 02:24:24)
Offline
Thanks marshmellow. I saw your earlier post with the correct config hex.
Offline
You can also write one tag using the em command then read back with the t55xx commands (after t55xx detect) to see what it programmed on blocks 1 and 2 for the em Id.
Offline
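As the replies above note, the chip applies the Manchester/ASK coding, so the data is the plain 64-bit EM410x frame spread over blocks 1 and 2. The sketch below is an added example, not code from the thread or from the Proxmark3 project: it builds that frame (nine header 1-bits, ten rows of 4 data bits plus an even row parity bit, four even column parity bits, stop bit 0, per the EM4100 format) and validates blocks read back from a tag. The function names and the sample ID are chosen for illustration, and the config block is not covered.

```python
def em410x_frame(tag_id: int) -> int:
    """Build the 64-bit EM410x frame for a 40-bit ID (no Manchester coding)."""
    if not 0 <= tag_id < 1 << 40:
        raise ValueError("EM410x ID is 40 bits")
    frame, cols = 0x1FF, 0                       # nine header 1-bits
    for shift in range(36, -1, -4):              # ten nibbles, MSB first
        nib = (tag_id >> shift) & 0xF
        cols ^= nib                              # running even column parity
        frame = (frame << 5) | (nib << 1) | (bin(nib).count("1") & 1)
    return (frame << 5) | (cols << 1)            # column parity, then stop bit 0


def em410x_blocks(tag_id: int) -> tuple:
    """Return the frame as (block 1, block 2), 32 bits each."""
    frame = em410x_frame(tag_id)
    return frame >> 32, frame & 0xFFFFFFFF


def em410x_decode(block1: int, block2: int) -> int:
    """Recover the 40-bit ID from blocks 1 and 2, rejecting any parity error."""
    frame = (block1 << 32) | block2
    if frame >> 55 != 0x1FF or frame & 1:
        raise ValueError("bad header or stop bit")
    tag_id = cols = 0
    for row in range(10):
        group = (frame >> (50 - 5 * row)) & 0x1F
        nib, parity = group >> 1, group & 1
        if bin(nib).count("1") & 1 != parity:
            raise ValueError(f"row {row} parity error")
        cols ^= nib
        tag_id = (tag_id << 4) | nib
    if cols != (frame >> 1) & 0xF:
        raise ValueError("column parity error")
    return tag_id


SAMPLE_ID = 0x0F0368568B  # constructed sample ID, not taken from the thread

if __name__ == "__main__":
    b1, b2 = em410x_blocks(SAMPLE_ID)
    print(f"block 1: {b1:08X}  block 2: {b2:08X}")
    print(f"decoded: {em410x_decode(b1, b2):010X}")
```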
Have you looked at the files section on the proxmark site?!? Start there.
there is an excel sheet for t55xx configuration, so you can easily see which configuration you've entered.
the tag will take care of ask,fsk,psk modulation, the rest is up to you in the data blocks.
Is this file still up at http://www.proxmark.org/files?
I can't find it for the life of me
Offline