Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-02-04 11:45:22

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

lf t55xx read b 0 doesnt work?

I am trying to read the t5577 and it doenst look like works. I get always the same result
I have the proxmark3 rdv board

bootrom: /-suspect 2015-11-19 10:08:02
os: /-suspect 2016-09-26 12:50:46
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8


proxmark3> lf t55xx read b 0
Reading Page 0:         
blk | hex data | binary         
proxmark3>

Offline

#2 2017-02-04 12:21:52

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: lf t55xx read b 0 doesnt work?

always run detection before trying anything with t55xx.

lf t55xx detect

--if it found a valid config, you can now try

lf t55xx read b 0

Offline

#3 2017-02-04 12:54:41

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

proxmark3> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config' 


I think that block 0 is 0x00150060

Offline

#4 2017-02-04 13:00:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: lf t55xx read b 0 doesnt work?

Would you mind posting your output from "hw tune"?

Offline

#5 2017-02-04 13:08:30

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

.....I dont understand what happens.. why antenna is 0V

Prox/RFID mark3 RFID instrument         
bootrom: /-suspect 2015-11-19 10:08:02
os: /-suspect 2016-09-26 12:50:46
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8
uC: AT91SAM7S512 Rev B         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 512K bytes. Used: 188608 bytes (36%). Free: 335680 bytes (64%).         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory         
proxmark3> hw tune
Measuring antenna characteristics, please wait...         
# LF antenna:  0.00 V @   125.00 kHz         
# LF antenna:  0.00 V @   134.00 kHz         
# LF optimal:  0.00 V @ 12000.00 kHz         
# HF antenna:  0.00 V @    13.56 MHz         
# Your LF antenna is unusable.         
# Your HF antenna is unusable.

Offline

#6 2017-02-04 13:09:47

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

the antenna works... if i put other tag it can read... so why it shows 0v?
proxmark3> lf t55xx detect
#db# DownloadFPGA(len: 42096)                 
Modulation : ASK         
Bit Rate   : 5 - RF/64         
Inverted   : No         
Offset     : 1         
Block0     : 0x00148040

Offline

#7 2017-02-04 13:18:35

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: lf t55xx read b 0 doesnt work?

something tells me that you are not running the same client / flashed fullimage from the same build.

Offline

#8 2017-02-04 13:20:47

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

is there a way to flash all again?
Easy way...please

Offline

#9 2017-02-04 13:32:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: lf t55xx read b 0 doesnt work?

read the wiki,  search the forum,, there has been alot written about it.

Offline

#10 2017-02-04 16:20:10

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

Can you tell me the latest version? I will figure out how to install it

Offline

#11 2017-02-04 16:51:11

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

Flashed all again, now the antenna works.



C:\PM3\Windows\client>proxmark3 com4
Qt: Untested Windows version 6.2 detected!
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-11-19 10:08:02
os: master/v2.3 2016-09-19 20:28:38
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 183707 bytes (35%). Free: 340581 bytes (65%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune

Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)
......#db# DownloadFPGA(len: 42096)
.
# LF antenna: 44.41 V @   125.00 kHz
# LF antenna: 22.55 V @   134.00 kHz
# LF optimal: 44.41 V @   125.00 kHz
# HF antenna: 27.86 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.



proxmark3> lf t55xx detect
#db# DownloadFPGA(len: 42096)
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

Offline

#12 2017-02-04 17:57:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: lf t55xx read b 0 doesnt work?

Antenna works smile and with output too.
Now, whats the output when you have tag on the antenna?

and whats the output from "lf search"

Offline

#13 2017-02-04 18:38:07

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

proxmark3> lf search
Reading 30000 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:


No Known Tags Found!

Offline

#14 2017-02-04 18:42:19

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

I know that this tag should show block 0 0x00150060

and it shows something strange


proxmark3> lf t55xx dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | 14011454 | 00010100000000010001010001010100
  1 | BC165B51 | 10111100000101100101101101010001
  2 | 14011454 | 00010100000000010001010001010100
  3 | 280228A8 | 00101000000000100010100010101000
  4 | 14011454 | 00010100000000010001010001010100
  5 | 14011454 | 00010100000000010001010001010100
  6 | BC165B51 | 10111100000101100101101101010001
  7 | 14011454 | 00010100000000010001010001010100
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
  0 | 14011454 | 00010100000000010001010001010100
  1 | 14011454 | 00010100000000010001010001010100
  2 | 14011454 | 00010100000000010001010001010100
  3 | 14011454 | 00010100000000010001010001010100


AND THE FUNNY IS!!! that if i put the tag 1 cm away of the antenna it read somerthing else

proxmark3> lf t55xx dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | 280228A8 | 00101000000000100010100010101000
  1 | 280228A8 | 00101000000000100010100010101000
  2 | 280228A8 | 00101000000000100010100010101000
  3 | 50045150 | 01010000000001000101000101010000
  4 | 280228A8 | 00101000000000100010100010101000
  5 | 50045150 | 01010000000001000101000101010000
  6 | 50045150 | 01010000000001000101000101010000
  7 | 50045150 | 01010000000001000101000101010000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
  0 | 280228A8 | 00101000000000100010100010101000
  1 | 50045150 | 01010000000001000101000101010000
  2 | 50045150 | 01010000000001000101000101010000
  3 | 50045150 | 01010000000001000101000101010000


Note that it is the number of first read but * 2  smile)))   

first read       14011454
second read   280228A8

Offline

#15 2017-02-04 19:18:31

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: lf t55xx read b 0 doesnt work?

Can you do a read block 0, save a trace and post it to pastebin.com? Link it here.

Offline

#16 2017-02-04 20:07:41

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: lf t55xx read b 0 doesnt work?

you are getting wrong values because the "lf t55 detect" didn't find a config block for you.

If you have two the same tags, and one is failing with detection,  try the other one and get most stuff right.
try "lf t55 read b 0"   if it doesn't match your "0x00148040"  but gets read.
Try different offsets with  "lf t55 config" command and do the read again.

Offline

#17 2017-02-04 21:57:47

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

I will make the trace tomorrow.
The 2 dump are from the same tag. Just onw is touching the antenna and the second 1 cm away of it. The 2nd dump is shifted left compared with the first
The block 0 should be 0x00150060.

Offline

#18 2017-02-06 10:11:04

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

proxmark3> lf t55 read b 0
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | 280228A8 | 00101000000000100010100010101000

Offline

#19 2017-02-06 10:12:34

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

proxmark3> lf t55xx trace
The modulation is most likely wrong since the ACL is not 0xE0..

Offline

#20 2017-02-06 16:48:36

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: lf t55xx read b 0 doesnt work?

that is not what i meant by trace.  let me clerify:
lf t55xx trace reads the traceability data from the T55xx chips. (if it exists)

i'm looking for a lf tag trace, obtained from the `data save [filename]` command

so do a `lf t55 read b 0` and a `data save xxx.pm3` then upload the contents of that file to pastebin.com and paste the link to pastebin here.  that way i can look at what your pm3 is actually reading.

Offline

#21 2017-02-07 18:21:17

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

http://pastebin.com/n30DYPGc

Offline

#22 2017-02-07 18:30:59

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

http://pastebin.com/YtVNK2As

Offline

#23 2017-02-07 18:32:27

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

the block 0 should be

proxmark3> lf t55 detect
Chip Type  : T55x7
Modulation : BIPHASE
Bit Rate   : 5 - RF/64
Inverted   : No
Offset     : 31
Seq. Term. : No
Block0     : 0x00150060




proxmark3> lf t55 read b 0
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | 00150060 | 00000000000101010000000001100000

Offline

#24 2017-02-08 05:40:16

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: lf t55xx read b 0 doesnt work?

it looks like it works fine there... 

if a tag is password protected it will not read unless the correct password is sent.  instead it will send it's normal stream of data.  which is what your traces look like

Offline

#25 2017-02-08 05:41:14

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: lf t55xx read b 0 doesnt work?

are you sure they are t55xx chips?

Offline

#26 2017-02-08 11:04:14

drakospart
Contributor
Registered: 2016-02-11
Posts: 67

Re: lf t55xx read b 0 doesnt work?

In a former version of this tag, it was a t5557, now the new one is glued with resin so.. i cant see what kind of chip is it.The both tags works with the reader old and new version.
So.. if this is password protect, the only one way is to snif with a receiver and tag?

Offline

#27 2017-02-09 14:09:49

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: lf t55xx read b 0 doesnt work?

If it is password protected likely the only way to get the password is to snoop on the original programmer programming the tag.  Snooping the reader might get it but it likely will not if the reader works on tags not password protected.

Offline

#28 2017-02-09 14:28:51

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: lf t55xx read b 0 doesnt work?

if pwd protected, @OP could use the t55xx bruteforce  with the default_pwd.dic   to see if its a known pwd.

Offline

Board footer

Powered by FluxBB