Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2016-01-27 00:57:51

Apt-Get
Contributor
Registered: 2015-12-23
Posts: 111

Anybody Played with one of these t5577 tags?

1453852215_img_1629.jpg

lf t55 det wont work, and Ive tried a few modulations but cannot wipe, clone or write to this tag.

1453852601_screen_shot_2016-01-26_at_4.57.05_pm.png

Heres a link to the data file.

https://www.dropbox.com/s/7rzusg2ta00lxbs/buttonT55.pm3?dl=0

Last edited by Apt-Get (2016-01-27 00:59:46)

Offline

#2 2016-01-27 01:08:15

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Anybody Played with one of these t5577 tags?

Looks like its ASK/32/inverted also with a STT.
You should be able to use the "lf t55xx" commands with that config.

Offline

#3 2016-01-27 01:13:23

Apt-Get
Contributor
Registered: 2015-12-23
Posts: 111

Re: Anybody Played with one of these t5577 tags?

proxmark3> lf t55 conf i 1
Chip Type  : T55x7         
Modulation : ASK         
Bit Rate   : 2 - RF/32         
Inverted   : Yes         
Offset     : 0         
Block0     : 0x00000000         
         
proxmark3> lf t55 dump
Reading Page 0:         
blk | hex data | binary         
----+----------+---------------------------------         
#db# DownloadFPGA(len: 42096)                 
  0 | 00000000 | 00000000000000000000000000000000         
  1 | 00000000 | 00000000000000000000000000000000         
  2 | 00000000 | 00000000000000000000000000000000         
  3 | 00000000 | 00000000000000000000000000000000         
  4 | 00000000 | 00000000000000000000000000000000         
  5 | 00000000 | 00000000000000000000000000000000         
  6 | 00000000 | 00000000000000000000000000000000         
  7 | 00000000 | 00000000000000000000000000000000         
Reading Page 1:         
blk | hex data | binary         
----+----------+---------------------------------         
  0 | 00000000 | 00000000000000000000000000000000         
  1 | 00000000 | 00000000000000000000000000000000         
  2 | 00000000 | 00000000000000000000000000000000         
  3 | 00000000 | 00000000000000000000000000000000         
proxmark3> lf t55 wipe

Beginning Wipe of a T55xx tag (assuming the tag is not password protected)
         
Writing page 0  block: 00  data: 0x00088040 pwd: 0x00000000         
Writing page 0  block: 01  data: 0x00000000           
Writing page 0  block: 02  data: 0x00000000           
Writing page 0  block: 03  data: 0x00000000           
Writing page 0  block: 04  data: 0x00000000           
Writing page 0  block: 05  data: 0x00000000           
Writing page 0  block: 06  data: 0x00000000           
Writing page 0  block: 07  data: 0x00000000           
proxmark3> lf t55 read b 0
Reading Page 0:         
blk | hex data | binary         
----+----------+---------------------------------         
  0 | 00000000 | 00000000000000000000000000000000


Still cannot write. I tried offset 1,3 33,30 also.

Last edited by Apt-Get (2016-01-27 01:49:09)

Offline

#4 2016-01-27 02:37:09

Apt-Get
Contributor
Registered: 2015-12-23
Posts: 111

Re: Anybody Played with one of these t5577 tags?

Any ideas? i cant write to these tags. What is STT? do I need to do something different fro my writes?

Last edited by Apt-Get (2016-01-27 02:38:00)

Offline

#5 2016-01-27 03:11:07

M&S
Contributor
Registered: 2015-12-15
Posts: 44

Re: Anybody Played with one of these t5577 tags?

Could I ask what you want to do with this tag? What modulation type, what data you write into it?

I wonder about that value at the line
"Writing page 0  block: 00  data: 0x00088040 pwd: 0x00000000" that could not be the result of this "lf t55 wipe". Where did you find this wipe command?  The question is because the value for block 0 "0x00088040" was mentioned from GO_TUS, it was in an write experiment on AT55x7 with an AM modulation, and with only 2 block of data ...

Here how could you be shure that this is AT55x7. When there are also AT5567 and 5577? When you set that config 0x00088040 with the first write command then write all the 7 data blocks, so we assuming the chip is very independent. It may not be good at all

I understood from Marshmellow and Iceman support, they mentioned in one place (I could not remember where) reset AT55x7 config by7 just overwriting what ever on any AT55x7 chip,

' Just write the block 0 all to 0' which means 'lf at55 wr b 0 d 00000000' you must not use even with the password.

Have you tried just that? only that one line.

Offline

#6 2016-01-27 03:12:18

M&S
Contributor
Registered: 2015-12-15
Posts: 44

Re: Anybody Played with one of these t5577 tags?

M&S wrote:

Could I ask what you want to do with this tag? What modulation type, what data you write into it?

I wonder about that value at the line
"Writing page 0  block: 00  data: 0x00088040 pwd: 0x00000000" that could not be the result of this "lf t55 wipe". Where did you find this wipe command?  The question is because the value for block 0 "0x00088040" was mentioned from GO_TUS, it was in an write experiment on AT55x7 with an AM modulation, and with only 2 block of data ...

Here how could you be sure that this is AT55x7. When there are also AT5567 and 5577? When you set that config 0x00088040 with the first write command then write all the 7 data blocks, so we assuming the chip is very independent. It may not be good at all

I understood from Marshmellow and Iceman support, they mentioned in one place (I could not remember where) reset AT55x7 config by7 just overwriting what ever on any AT55x7 chip,

' Just write the block 0 all to 0' which means 'lf at55 wr b 0 d 00000000' you must not use even with the password.

Have you tried just that? only that one line.

Offline

#7 2016-01-27 03:16:43

M&S
Contributor
Registered: 2015-12-15
Posts: 44

Re: Anybody Played with one of these t5577 tags?

Sorry my mistake the command line is
"lf t55xx wr b 0 d 00000000". NOT "lf at55xx wr b 0 d 00000000".

Somehow forum does not let me edit my post.

Offline

#8 2016-01-27 03:42:49

Apt-Get
Contributor
Registered: 2015-12-23
Posts: 111

Re: Anybody Played with one of these t5577 tags?

M&S wrote:

Sorry my mistake the command line is
"lf t55xx wr b 0 d 00000000". NOT "lf at55xx wr b 0 d 00000000".

Somehow forum does not let me edit my post.

Yes tried all these. From Icemans Suggestion.
- try first
lf t55xx write b 0 d 00088040
--test with
lf t55 detect
- try second.
lf t55xx write b 0 d 00088040 p 00000000
lf t55 detect
lf t55xx write b 0 d 00088040 p ffffffff
lf t55 detect


Still nothing. no Writes. no t55 detect.
I think my problem lies in the modulation??

Offline

#9 2016-01-27 03:59:28

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Anybody Played with one of these t5577 tags?

Problem likely lies in a large antenna vs small chip, it can cause problems if the antenna and tag size are not tuned.

Oh and do not write a block 0 of 00000000 it will make your tag go crazy.  It is NOT a valid config block setting.

Offline

#10 2016-01-27 04:01:44

Apt-Get
Contributor
Registered: 2015-12-23
Posts: 111

Re: Anybody Played with one of these t5577 tags?

anything i can do to tune this Marshmellow? im running a pm3 v2

bootrom: /-suspect 2015-11-04 22:15:34
os: master/v1.1.0-657-gc4c3af7-suspect 2016-01-26 07:48:55
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

# LF antenna: 45.10 V @   125.00 kHz         
# LF antenna: 20.35 V @   134.00 kHz         
# LF optimal: 46.20 V @   123.71 kHz         
# HF antenna: 28.75 V @    13.56 MHz         
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

Offline

#11 2016-01-27 04:20:43

M&S
Contributor
Registered: 2015-12-15
Posts: 44

Re: Anybody Played with one of these t5577 tags?

Could you try with these

lf t55xx wr b 0 d 00088040
lf t55xx wr b 1 d D1063838
lf t55xx wr b 2 d 7C800001

then try the lf t55 commands again.

resumee:
this is ASK, 2 data blocks config. We set the config, then we give the fob exact the data it should have been configured to contain. With that we construct a clean situation, the lf t55 commands should report cleanly back, as expected.

(I wish I could understand what is in b1 and b2??? where can we have info what is in those blocks and how to decode it)

Last edited by M&S (2016-01-27 04:34:53)

Offline

#12 2016-01-27 04:26:19

M&S
Contributor
Registered: 2015-12-15
Posts: 44

Re: Anybody Played with one of these t5577 tags?

you have a very strong antenna. Could you have problem when writing?

Also something is not right: Your divisor is 89 !

Last edited by M&S (2016-01-27 04:27:13)

Offline

#13 2016-01-27 04:39:54

Apt-Get
Contributor
Registered: 2015-12-23
Posts: 111

Re: Anybody Played with one of these t5577 tags?

M&S wrote:

you have a very strong antenna. Could you have problem when writing?

Also something is not right: Your divisor is 89 !


Heres what i found out..
http://www.proxmark.org/forum/viewtopic.php?pid=19715#p19715

Offline

#14 2016-01-27 10:42:17

atkinchris
Contributor
Registered: 2016-01-24
Posts: 10

Re: Anybody Played with one of these t5577 tags?

Are these foam shrouded?

Offline

#15 2016-01-27 20:19:45

Apt-Get
Contributor
Registered: 2015-12-23
Posts: 111

Re: Anybody Played with one of these t5577 tags?

atkinchris wrote:

Are these foam shrouded?

no, thick hard plastic. smaller than a dime About the size of a mexican 5cent

I am able to read a write to these no problem Turns out my antenna was too strong for reliable detects and writes.
Once i brought the voltage down to 35 its working perfect on all t5577 that i have tried.

Thanks again to @Marshmellow for the Tip. cool

Last edited by Apt-Get (2016-01-27 20:22:46)

Offline

Board footer

Powered by FluxBB