Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2017-12-20 15:13:35

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Jakcom R3 'Smart Ring' - Solved

Hi

I've recently purchased a Jakcom R3 'Smart Ring', it's the version that contains ID and M1 chips as well as an NFC component.

NFC works well with NFC Tools on Android, the ring performs as you would expect a stand NFC tag to work.

When scanning the the ID part of the ring with a Proxmark3, a valid EM410x ID and a Valid T55xx Chip are found.

I want to copy a Noralsy tag to this ring.

I can copy the Noralsy tag to a T5577 tag and a T5577 card with no issues.

When I try to copy the Noralsy tag to the ring nothing appears to happen.

Any ideas why?

Thanks

Spyder

Last edited by Spyder (2017-12-30 18:59:05)

Offline

#2 2017-12-20 15:58:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Jakcom R3 'Smart Ring' - Solved

is the ring's t5577 locked or password protected?

lf t55 detect
lf t55 info
lf t55 dump

Offline

#3 2017-12-20 16:21:13

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Jakcom R3 'Smart Ring' - Solved

I'm assuming the ring Chip's antenna is small.  A small antenna may require a special sized antenna on the pm3 to allow the chip to "hear" the write commands.

Offline

#4 2017-12-20 17:01:08

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

iceman wrote:

is the ring's t5577 locked or password protected?

lf t55 detect
lf t55 info
lf t55 dump

proxmark3> lf t55 detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

proxmark3> lf t55 info

proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------

proxmark3> lf t55 config
Chip Type  : T55x7
Modulation : ASK
Bit Rate   : 0 - RF/8
Inverted   : No
Offset     : 0
Seq. Term. : No
Block0     : 0x00000000

Offline

#5 2017-12-20 17:02:29

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

marshmellow wrote:

I'm assuming the ring Chip's antenna is small.  A small antenna may require a special sized antenna on the pm3 to allow the chip to "hear" the write commands.

I have a horrible feeling you have hit the nail on the head.

Offline

#6 2017-12-20 17:32:10

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

lf t55xx p1detect

does however produce:

T55xx chip found!

Last edited by Spyder (2017-12-20 20:26:32)

Offline

#7 2017-12-21 14:11:36

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Jakcom R3 'Smart Ring' - Solved

I believe that may be a false positive.  What version firmware are you running?

Offline

#8 2017-12-21 14:43:25

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

The latest version, flashed via the Homebrew build on a Mac.

Offline

#9 2017-12-26 16:53:44

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

OK now have some more info.

The ring appears to have been written to using a cheap Chinese cloner:

New-JAKCOM-RDW-Reader-RFID-Copier-ID-Card-Reader-Writer-copy-for-Door-Lock-Access-Control.jpg_640x640.jpg

lf search produces this:

EM410x pattern found:

EM TAG ID      : 22007B0942

Possible de-scramble patterns
Unique TAG ID  : 4400DE9042
HoneyWell IdentKey {
DEZ 8          : 08063298
DEZ 10         : 0008063298
DEZ 5.5        : 00123.02370
DEZ 3.5A       : 034.02370
DEZ 3.5B       : 000.02370
DEZ 3.5C       : 123.02370
DEZ 14/IK2     : 00146036951362
DEZ 15/IK3     : 000292072362050
DEZ 20/ZK      : 04040000131409000402
}
Other          : 02370_123_08063298
Pattern Paxton : 579815234 [0x228F4742]
Pattern 1      : 14549346 [0xDE0162]
Pattern Sebury : 2370 123 8063298  [0x942 0x7B 0x7B0942]

Valid EM410x ID Found!

Valid T55xx Chip Found
Try lf t55xx ... commands

lf read
lf data rawdemod am produces:

Using Clock:64, Invert:0, Bits Found:625
ASK/Manchester - Clock: 64 - Decoded bitstream:
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000
0011111011100000
1001001001001010
0110111111111001
0100101000000000

I am assuming that the Chinese cloner has written the EM410x tag info to the ring using a password.

Is there any way to reset the ring?

Offline

#10 2017-12-26 17:08:38

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Jakcom R3 'Smart Ring' - Solved

look into the lf t55xx  the known cloner passwords found so far is also inside the default_pwd.dic file.

Do you have access to the cheap cloner?

Offline

#11 2017-12-26 17:11:11

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

Yes I have got hold of the cheap cloner.

Last edited by Spyder (2017-12-26 17:11:23)

Offline

#12 2017-12-26 17:34:16

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Jakcom R3 'Smart Ring' - Solved

If you could do a snoop and share the signaltrace here (via a fileshare service) that would be nice.  So we can figure out that specific cloner password.

data plot
lf snoop
data samples
data save cloner.pm3

Offline

#13 2017-12-26 17:44:44

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

https://expirebox.com/download/b22b2d98c4be0596531b292cdea56afb.html

Thanks, very interested to see what has happened.

Last edited by Spyder (2017-12-26 19:56:07)

Offline

#14 2017-12-26 20:42:23

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Jakcom R3 'Smart Ring' - Solved

Nice,  so this trace shows when cloner writes to ring?  (just to make certain)

Offline

#15 2017-12-26 20:43:39

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

Yes I can repeat it again to make sure if it would be helpful.

Offline

#16 2017-12-26 20:47:15

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

https://expirebox.com/download/bdc76b9e3012e843a4592fe000882020.html

Offline

#17 2017-12-30 18:57:51

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

OK Progress made.

Got hold of a second Jakcom R3 'Smart Ring'.

A little tricky to write to it but it correctly identified as a T55xx chip straight away and after a few clone commands it has accepted the programming to act as a Noralsy tag.

Oddly it doesn't show up on lf search consistently after programming but it does work with the entry system.

If anyone is interested in playing with the original ring and the programmer (pictured above) which it seems managed to lock down the ring with a password I am more than happy to wrap them up and post them.

Offline

#18 2017-12-31 03:35:49

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Jakcom R3 'Smart Ring' - Solved

Nice!

After figuring out several of the issues with these cloner devices over the past months - see:

https://forum.dangerousthings.com/t/xem … oners/1547

I am pretty eager to try and see if I can figure out what is happening here.

Last edited by Tom5ive (2017-12-31 03:36:07)

Offline

#19 2017-12-31 13:22:46

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Jakcom R3 'Smart Ring' - Solved

Send your address to my gmail spyderpalace, will sort it out next week.

Offline

#20 2018-01-02 00:37:48

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Jakcom R3 'Smart Ring' - Solved

Done!

Offline

#21 2018-01-20 10:12:09

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Jakcom R3 'Smart Ring' - Solved

Password found!

AA55BBBB - which is actually in the defauld_pwd.dic file included with the latest pm3 source.

You need to issue the unlock command in test mode with these rings when the chip has been put in
EM / ID mode.

See below command:

lf t55xx write b 0 d 00148041 p AA55BBBB t

The stock proxmark coils probably wont cut it either! For a coil that is very close to perfectly tuned for the pm3 (needs a few wraps unwound, 2-3 should do it - test using hw tune etc) get yourself one of the coils linked below - it's what I used to unlock this ring.

http://www.ebay.com.au/itm/10pcs-125KHZ-reader-RFID-antenna-access-control-ID-self-adhesive-coil-22-35/131981806414?hash=item1ebaba8b4e:g:OnwAAOSwA3dYDxYX

Spyder, would you like me to ship the ring back to you? It's way too large for me! I cloned a random HID ID to it.

Last edited by Tom5ive (2018-01-20 10:12:42)

Offline

#22 2018-01-20 16:09:37

Danz
Contributor
From: Dubai
Registered: 2015-10-24
Posts: 98

Re: Jakcom R3 'Smart Ring' - Solved

I have had one of those rings before, works perfectly but need sweet spot to write and read as antenna is pretty micro, mine didn't come with locked t55.

Offline

#23 2018-01-29 03:09:25

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Jakcom R3 'Smart Ring' - Solved

This specific ring was locked by the Jakcom cloner pictured above - it did not come locked (as far as I know)/

Offline

#24 2018-06-22 06:43:05

Navster
Contributor
Registered: 2017-07-09
Posts: 50

Re: Jakcom R3 'Smart Ring' - Solved

Would you say the coil  is the same as one found in a t5557 card or  any other nfc card?could I remove the coil out of a card and use it as an antenna to program a smart ring?
Thoughts?

Tom5ive wrote:

Password found!




AA55BBBB - which is actually in the defauld_pwd.dic file included with the latest pm3 source.

You need to issue the unlock command in test mode with these rings when the chip has been put in
EM / ID mode.

See below command:

lf t55xx write b 0 d 00148041 p AA55BBBB t

The stock proxmark coils probably wont cut it either! For a coil that is very close to perfectly tuned for the pm3 (needs a few wraps unwound, 2-3 should do it - test using hw tune etc) get yourself one of the coils linked below - it's what I used to unlock this ring.

http://www.ebay.com.au/itm/10pcs-125KHZ-reader-RFID-antenna-access-control-ID-self-adhesive-coil-22-35/131981806414?hash=item1ebaba8b4e:g:OnwAAOSwA3dYDxYX

Spyder, would you like me to ship the ring back to you? It's way too large for me! I cloned a random HID ID to it.

Offline

#25 2018-09-11 02:50:36

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Jakcom R3 'Smart Ring' - Solved

Navster wrote:

Would you say the coil  is the same as one found in a t5557 card or  any other nfc card?could I remove the coil out of a card and use it as an antenna to program a smart ring?
Thoughts?

Tom5ive wrote:

Password found!




AA55BBBB - which is actually in the defauld_pwd.dic file included with the latest pm3 source.

You need to issue the unlock command in test mode with these rings when the chip has been put in
EM / ID mode.

See below command:

lf t55xx write b 0 d 00148041 p AA55BBBB t

The stock proxmark coils probably wont cut it either! For a coil that is very close to perfectly tuned for the pm3 (needs a few wraps unwound, 2-3 should do it - test using hw tune etc) get yourself one of the coils linked below - it's what I used to unlock this ring.

http://www.ebay.com.au/itm/10pcs-125KHZ-reader-RFID-antenna-access-control-ID-self-adhesive-coil-22-35/131981806414?hash=item1ebaba8b4e:g:OnwAAOSwA3dYDxYX

Spyder, would you like me to ship the ring back to you? It's way too large for me! I cloned a random HID ID to it.


Unfortunately this will not work. You either design coils to be on the reader or on the tag. They are not cross compatible.

Offline

#26 2019-10-10 04:36:18

saizad
Contributor
Registered: 2019-10-09
Posts: 2

Re: Jakcom R3 'Smart Ring' - Solved

I also have same issue. What is the solution?
I am trying to clone to my smartring( Jackom R3) from Indala, it does write to it but doesn't work when I try to open door.

Spyder wrote:

OK Progress made.

Got hold of a second Jakcom R3 'Smart Ring'.

A little tricky to write to it but it correctly identified as a T55xx chip straight away and after a few clone commands it has accepted the programming to act as a Noralsy tag.

Oddly it doesn't show up on lf search consistently after programming but it does work with the entry system.

If anyone is interested in playing with the original ring and the programmer (pictured above) which it seems managed to lock down the ring with a password I am more than happy to wrap them up and post them.

Offline

Board footer

Powered by FluxBB