Research, development and trades concerning the powerful Proxmark3 device.
There's an LF cloner out called the Keysy that uses its own proprietary tags, which just seem to be ATA5577M1 tags. But the cloner itself is able to detect the difference between some of the plain T5577s I have and the branded ones that they sell.
Digging into the cards it looks like the cloner is using the T5577 test mode to change data in page1 blk1/2.
Here is a blank, genuine Keysy-branded T5577 tag that was erased by the cloner.
pm3 --> lf t55 det
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 32
Seq. Term. : Yes
Block0 : 0x00088000
pm3 --> lf t55 info
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 0
reserved : 0
Data bit rate : 2 - RF/32
eXtended mode : No
Modulation : 8 - Manchester
PSK clock frequency : 0 - RF/2
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 0
Password mode : No
Sequence Terminator : No
Fast Write : No
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x00088000 00000000000010001000000000000000
-------------------------------------------------------------
pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 00088000 | 00000000000010001000000000000000 | ....
01 | 1D555955 | 00011101010101010101100101010101 | .UYU
02 | 5569A9A5 | 01010101011010011010100110100101 | Ui..
03 | 55A59569 | 01010101101001011001010101101001 | U..i
04 | FFFFFFFF | 11111111111111111111111111111111 | ....
05 | FFFFFFFF | 11111111111111111111111111111111 | ....
06 | FFFFFFFF | 11111111111111111111111111111111 | ....
07 | FFFFFFFF | 11111111111111111111111111111111 | ....
Reading Page 1:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 00088000 | 00000000000010001000000000000000 | ....
01 | E0150A84 | 11100000000101010000101010000100 | ....
02 | 57819A51 | 01010111100000011001101001010001 | W..Q
03 | FFFFFFFF | 11111111111111111111111111111111 | ....
pm3 --> lf t55 trac
-- T55x7 Trace Information ----------------------------------
-------------------------------------------------------------
ACL Allocation class (ISO/IEC 15963-1) : 0xE0 (224)
MFC Manufacturer ID (ISO/IEC 7816-6) : 0x15 (21) - ATMEL France
CID : 0x01 (1) - ATA5577M1
ICR IC Revision : 2
Manufactured
Year/Quarter : 2018/1
Lot ID : 3585
Wafer number : 10
Die Number : 2692
-------------------------------------------------------------
Raw Data - Page 1
Block 1 : 0xE0150A84 11100000000101010000101010000100
Block 2 : 0xE0150A84 11100000000101010000101010000100
-------------------------------------------------------------
The blank tags show up with good traceability data. But if I clone a HID Prox with the Keysy and re-read the T5577 data:
pm3 --> lf t55 det
Chip Type : T55x7
Modulation : FSK2a
Bit Rate : 24 - RF/50
Inverted : Yes
Offset : 32
Seq. Term. : No
Block0 : 0x60625062
pm3 --> lf t55 info
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 6 - passwd
reserved : 0
Data bit rate : 24 - RF/50
eXtended mode : Yes - Warning
Modulation : 5 - FSK 2 RF/8 RF/10
PSK clock frequency : 0 - RF/2
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 3
Password mode : No
Sequence Start Marker : No
Fast Write : No
Inverse data : Yes
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x60625062 01100000011000100101000001100010
-------------------------------------------------------------
pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 60625062 | 01100000011000100101000001100010 | `bPb
01 | 1D555955 | 00011101010101010101100101010101 | .UYU
02 | 5569A9A5 | 01010101011010011010100110100101 | Ui..
03 | 55A59569 | 01010101101001011001010101101001 | U..i
04 | 00000000 | 00000000000000000000000000000000 | ....
05 | 00000000 | 00000000000000000000000000000000 | ....
06 | FFFFFFFF | 11111111111111111111111111111111 | ....
07 | FFFFFFFF | 11111111111111111111111111111111 | ....
Reading Page 1:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 60625062 | 01100000011000100101000001100010 | `bPb
01 | 700A8542 | 01110000000010101000010101000010 | p..B
02 | 57819A51 | 01010111100000011001101001010001 | W..Q
03 | 00000000 | 00000000000000000000000000000000 | ....
Now page 1 block 1 contains a different ACL instead of 0xE0, with a few other changes as well. I'm curious as to how the Keysy is changing page 1 data, as from what I've read it can only be used to force-overwrite the config block. I've tried to get a trace of the erase/program operation, but the Keysy reads the card before it writes, so the Proxmark triggers on the read first. I might need to add code for a timed delay to the threshold in `lf config` unless someone has a better idea.
Interesting.
`lf t55 trace` should give you the output for trace info on page 1.
I met the guy who designed and produces Keysy; at that time he said he used a custom password algorithm to lock down the T5577.
You can also have a look at the write help text and read about `lf t55 write t` test mode writes.
The t55 trace command works when the tag is blank, but when the tag has been written the ACL isn't set to 0xE0, so it throws a "The modulation is most likely wrong since the ACL is not 0xE0." error. I guess I can throw a 'force' option into cmdlft55xx.c to try and unpack regardless of the ACL value.
Another thing I've noticed is that when a tag is written, the option/master key, or 'safer key' as the Proxmark calls it, gets set to 0x06, which according to the ATA5577C doc should disable test mode writes. But somehow the Keysy is still able to write page 1 block 1 back to 700A8542.
Am I misunderstanding how the T5577 test mode works, or should this not be possible? Is test mode just a magical 'always able to write' mode for T5577 cards? I tested test mode with a card and it fully bricked it (it doesn't even trigger the RF field/threshold anymore), so I feel like I'm missing something.
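Added example (my own code, not from the thread and not from the Proxmark3 client): a small Python decoder for the two block 0 words and the page 1 traceability words dumped above, so the `lf t55 info` / `lf t55 trac` output can be checked by hand and the ACL check from the previous post re-run on the rewritten word. The bit layout is the ATA5577C one (bit 1 = MSB of the 32-bit word; basic mode has a 3-bit rate field, extended mode a 6-bit rate field giving RF/(2n+2)). The field names, the "passwd"/"testmode" labels for master key 6 and 9, and the year base of 2010 are assumptions chosen to mirror what pm3 printed above. Two things it makes visible: the trac output above lists block 2 with the same word as block 1, and lot 3585 / wafer 10 / die 2692 is exactly what you get when block 1 is fed in as block 2, whereas the dump's real block 2 (0x57819A51) decodes to a different lot/wafer/die; and the "rewritten" block 1 word 0x700A8542 is 0xE0150A84 shifted right by one bit, which is worth ruling out as a one-bit demodulation offset (the tag is now read with an inverted FSK config) before concluding the traceability data itself was changed.

```python
"""Decode T5577 page 0 block 0 (configuration) and page 1 blocks 1-2
(traceability data) from the raw 32-bit words pm3 prints.

Layout per the ATA5577C datasheet, bit 1 = MSB. Labels and the 2010 year
base are assumptions chosen to match the pm3 output quoted in the thread.
"""

BASIC_RATES = (8, 16, 32, 40, 50, 64, 100, 128)   # 3-bit rate field -> RF/n
MODULATIONS = {                                    # 5-bit modulation field
    0: "DIRECT (ASK/NRZ)", 1: "PSK1", 2: "PSK2", 3: "PSK3",
    4: "FSK1 RF/8 RF/5", 5: "FSK2 RF/8 RF/10",
    6: "FSK1a RF/5 RF/8", 7: "FSK2a RF/10 RF/8",
    8: "Manchester", 16: "Biphase", 24: "Biphase a (CDP)",
}
SAFER_KEYS = {6: "passwd", 9: "testmode"}          # pm3's names for the master key nibble


def field(word: int, first: int, width: int) -> int:
    """Datasheet-style extraction: `first` is 1-based from the MSB of a 32-bit word."""
    return (word >> (33 - first - width)) & ((1 << width) - 1)


def decode_block0(word: int) -> dict:
    """Decode page 0 block 0; the X-mode bit (bit 15) changes the rate/reserved split."""
    ext = field(word, 15, 1)
    if ext:
        reserved = field(word, 5, 4)
        dbr = field(word, 9, 6)
        rf_div = 2 * dbr + 2                      # extended mode: RF/(2n+2)
    else:
        reserved = field(word, 5, 7)
        dbr = field(word, 12, 3)
        rf_div = BASIC_RATES[dbr]
    safer = field(word, 1, 4)
    mod = field(word, 16, 5)
    return {
        "safer_key": safer, "safer_label": SAFER_KEYS.get(safer, "normal"),
        "reserved": reserved, "data_bit_rate": dbr, "rf_divisor": rf_div,
        "extended": bool(ext),
        "modulation": mod, "modulation_name": MODULATIONS.get(mod, "reserved"),
        "psk_cf": field(word, 21, 2),
        "aor": bool(field(word, 23, 1)), "otp": bool(field(word, 24, 1)),
        "max_block": field(word, 25, 3),
        "password": bool(field(word, 28, 1)),
        "seq_terminator": bool(field(word, 29, 1)),
        "fast_write": bool(field(word, 30, 1)),
        "inverse_data": bool(field(word, 31, 1)),
        "por_delay": bool(field(word, 32, 1)),
    }


def decode_trace(bl1: int, bl2: int, year_base: int = 2010) -> dict:
    """Decode page 1 blocks 1-2. Raises if the ACL is not 0xE0, like pm3's trac check."""
    acl = field(bl1, 1, 8)
    if acl != 0xE0:
        raise ValueError(f"ACL is 0x{acl:02X}, not 0xE0: wrong modulation/offset "
                         "or the word is not traceability data")
    return {
        "acl": acl,
        "mfc": field(bl1, 9, 8),                   # 0x15 = ATMEL France
        "cid": field(bl1, 17, 5),                  # 1 = ATA5577M1
        "icr": field(bl1, 22, 3),
        "year": year_base + field(bl1, 25, 4),     # year base assumed, see lead-in
        "quarter": field(bl1, 29, 2),
        "lot_id": (field(bl1, 31, 2) << 12) | field(bl2, 1, 12),  # 2 MSBs live in block 1
        "wafer": field(bl2, 13, 5),
        "die": field(bl2, 18, 15),
    }


def shifted_by_one(observed: int, expected: int) -> bool:
    """True if `observed` is `expected` with a one-bit demodulation offset either way."""
    return observed in ((expected >> 1) & 0xFFFFFFFF, (expected << 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Words copied from the dumps in the thread.
    for w in (0x00088000, 0x60625062):
        print(f"block0 0x{w:08X}: {decode_block0(w)}")
    print("block 2 as dumped     :", decode_trace(0xE0150A84, 0x57819A51))
    print("block 1 fed in as blk2:", decode_trace(0xE0150A84, 0xE0150A84))
    print("0x700A8542 is 0xE0150A84 shifted by one bit:",
          shifted_by_one(0x700A8542, 0xE0150A84))
```

Run it as-is to reproduce the `lf t55 info` fields for both block 0 words; `decode_trace(0x700A8542, 0x57819A51)` raises the same ACL complaint pm3 gives.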
Search this forum for test mode; marshmellow made some findings. It wipes the tag and fills it with a rotating default pattern.
Any summary or outcome of this research?
Did you try to groom a regular T5577 card into one that would be accepted by Keysy?
I think it is outrageous that TinyLabs artificially limits Keysy's use to some cheap cards that have been re-configured so they can sell them for a steep price.
There would be interest in how to re-configure regular T5577 cards so they can be used with Keysy (yes, you could do it with the PM, but Keysy is light, small and easy to use on the go).
The business model... somewhere they want to make their money back. It's like printer cartridges.
They have been selling Keysy for how long? 10 years? At some point they certainly broke even; I do not see any problem in trying to use other tags with Keysy. That could not even be illegal.
Was anyone successful in that? Or does anyone even have a Lua script for that?