I am trying to decode/clone my Chinese office access card.
I have used "lf search" with no results, and "lf search u" gives the following result:
proxmark3> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 5248 repeating samples
Found Sequence Terminator - First one is shown by orange and blue graph markers
Using Clock:32, Invert:0, Bits Found:513
ASK/Manchester - Clock: 32 - Decoded bitstream:
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'
Valid T55xx Chip Found
Try lf t55xx ... commands
Then I tried "data rawdemod am" but the results don't seem correct:
data rawdemod am
Using Clock:32, Invert:0, Bits Found:513
ASK/Manchester - Clock: 32 - Decoded bitstream:
0110110110001111
0001110000100100
0001100000001000
0011101100011100
1001011010010010
0100010100001100
1001100000000011
0011001100110110
1001001111000177
1001001011001100
0101101101100011
1100011100001001
0000011000000010
0000111011000111
0010010110100100
1001000101000011
0010011000000000
1100110011001101
1010010011110001
7710010010110011
0001011011011000
1111000111000010
0100000110000000
1000001110110001
1100100101101001
0010010001010000
1100100110000000
0011001100110011
0110100100111100
0177100100101100
1100010110110110
0011110001110000
hw version and hw tune output:
hw version
\Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-41-g786ad91-dirty-suspect 2019-01-09 05:07:17
os: master/v3.1.0-41-g786ad91-dirty-suspect 2019-01-09 05:07:38
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/09/12 at 15:18:46
SmartCard Slot: not available
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 198864 bytes (76%). Free: 63280 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 24.06 V @ 125.00 kHz
# LF antenna: 19.80 V @ 134.00 kHz
# LF optimal: 23.65 V @ 123.71 kHz
# HF antenna: 24.78 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
I'm not an expert on pm3 and am trying to learn to get this to work. I will appreciate the help.
Thank you.
Offline
The good news is you found a T55xx chip. Have you tried 'lf t55 detect' followed by 'lf t55 dump'? If it can read the raw blocks, you'll still be able to clone it even if you can't decode it yet. Additionally, the dumped result will provide a simpler starting point for decoding.
Next, does the card have any number written on it? Many access cards have the card number and/or batch number printed on them (not including the image added by your company if any).
Offline
I have tried before and there is no data coming up with those commands.
proxmark3> lf t55xx detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
proxmark3> lf t55xx dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
proxmark3>
Offline
All that means is that the configuration couldn't automatically be detected. Since your above 'lf search u' results reported something, let's start there. You can configure the t55 decoding modes, and with it set, try the 'lf t55 dump' again. For instance, your search results suggest issuing the following command:
lf t55 config d ASK b 32 i 0
That command translates to:
* Use ASK demodulation
* Use Clock / 32 bit rate
* Data is not inverted
Once that command is issued, try the 'lf t55 dump' command again.
Offline
Thanks, seems that worked, but as far as I know binaries should not return "7's". Maybe I got something wrong:
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | E4B316D8 | 77100100101100110001011011011000
1 | E4B316D8 | 77100100101100110001011011011000
2 | E4B316D8 | 77100100101100110001011011011000
3 | E4B316D8 | 77100100101100110001011011011000
4 | E4B316D8 | 77100100101100110001011011011000
5 | E4B316D8 | 77100100101100110001011011011000
6 | E4B316D8 | 77100100101100110001011011011000
7 | E4B316D8 | 77100100101100110001011011011000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | F00A852C | 77110000000010101000010100101100
1 | F00A852C | 77110000000010101000010100101100
2 | F00A852C | 77110000000010101000010100101100
3 | F00A852C | 77110000000010101000010100101100
Last edited by Zeushn (2019-01-14 03:14:50)
Offline
I have followed the steps in here http://proxmark.org/forum/viewtopic.php?id=2795
with these results:
11100011100001001000001100000001 E3848301
00000111011000111001001011010010 76392D2
01001000101000011001001100000000 48A19300
01100110011001101101001001111000 6666D278
adding
as block 0 00088088
still no good results...
Offline
I have been reading the ATA5577C_Datasheet and now I understand block 0 much better. Having the below data from lf T55xx info, I'm trying to get block 0 right, but I don't understand the data bit rate part. Help will be very appreciated, guys.
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 62
reserved : 37
Data bit rate : 4 - RF/10
eXtended mode : Yes - Warning
Modulation : 17 - Reserved
PSK clock frequency : 1
AOR - Answer on Request : Yes
OTP - One Time Pad : No
Max block : 6
Password mode : Yes
Sequence Start Terminator : Yes
Fast Write : No
Inverse data : No
POR-Delay : No
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0xE4B316D8 77100100101100110001011011011000
-------------------------------------------------------------
My guess is that block 0 is 00000000001010101000011011011000
but it is still not working.
Offline
The data bit rate is how fast the card transmits the data in normal read mode. For instance, RF/10 means that one bit is transmitted over ten cycles of the carrier. RF/32 means that one bit is transmitted over 32 cycles of the carrier.
Since the carrier is roughly 125kHz, this means that the encoded data would be sent at (125kHz / 10 == 12.5kHz) speed.
Offline
@Zeushn, notice the 77 in your binary read. That indicates a read error. Try a different distance to your tag, or just try another time.
Offline
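Added example (not from the thread or from the Proxmark client): a decoder for a T55x7 block 0 word, using the field widths that reproduce the 'lf t55xx info' output quoted above and the RF/n arithmetic from the reply about data bit rate. The field names and the `strict` flag are this example's own assumptions. It also shows that shift-and-OR packing of the "7" markers gives the out-of-range "Safer key : 62", which is why such a read should be rejected rather than interpreted.

```python
# Field widths (MSB first) chosen to reproduce the 'lf t55xx info' output above.
FIELDS = [("safer_key", 4), ("reserved", 7), ("bit_rate", 3), ("extended", 1),
          ("modulation", 5), ("psk_cf", 2), ("aor", 1), ("otp", 1),
          ("max_block", 3), ("password", 1), ("seq_terminator", 1),
          ("fast_write", 1), ("inverse", 1), ("por_delay", 1)]
BASIC_DIVISORS = [8, 16, 32, 40, 50, 64, 100, 128]  # RF/n when extended == 0


def pack(symbols):
    """Shift-and-OR a list of demod symbols into an integer, MSB first."""
    value = 0
    for s in symbols:
        value = (value << 1) | s
    return value


def decode_block0(binary, strict=True):
    """Split a 32-symbol string, as printed in the dump's binary column."""
    symbols = [int(c) for c in binary]
    if len(symbols) != 32:
        raise ValueError("block 0 is 32 bits")
    if strict and any(s > 1 for s in symbols):
        raise ValueError("demod error marker in read; re-read the tag")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name] = pack(symbols[pos:pos + width])
        pos += width
    return out


def rf_divisor(cfg):
    """Carrier cycles per bit: RF/(2n+2) in extended mode, table otherwise."""
    n = cfg["bit_rate"]
    return 2 * n + 2 if cfg["extended"] else BASIC_DIVISORS[n]


def bit_rate_hz(cfg, carrier_hz=125_000):
    """Bits per second for a given carrier frequency."""
    return carrier_hz / rf_divisor(cfg)


if __name__ == "__main__":
    printed = "77100100101100110001011011011000"  # binary column, page 0 block 0
    loose = decode_block0(printed, strict=False)  # keeps the error markers
    print(loose, "RF/%d" % rf_divisor(loose), bit_rate_hz(loose), "bits/s")
    clean = format(0xE4B316D8, "032b")            # hex column of the same row
    print(decode_block0(clean))
```

The hex column of the dump looks clean because the markers overflow into ordinary bits there, so the binary column is the one to check before trusting any decoded field.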
Working with a t55xx chip with the sequence terminator requires a very good antenna currently.
It looks like yours is borderline for this operation.
That said, in the case of your tag I don't think the t55xx cmds are going to help a lot as your dump (while partially not demodded correctly) indicates that your tag is password protected.
Unless you can snoop the reader reading the card to get the pwd, you won't be able to read it completely.
You do seem to have the full 4 blocks it outputs in your first post though, so you could attempt a clone (and see if the reader just gets the streamed data or accesses more pwd protected data.)
Offline
Thanks mashmellow, seems that my antenna is somehow not working well. I can't write to other t55xx cards or fobs. I'll try to snoop the reader tomorrow at the office and bring the output.
Offline
Found the first problem: my empty T55 cards were damaged, that's why they didn't write anything. I have been trying to snoop the reader and the card (like a sandwich) but there is no output from the command. Is the data stored somewhere?
Offline
Go back to the first thing you did before using random commands:
Possible Auto Correlation of 5248 repeating samples
Found Sequence Terminator - First one is shown by orange and blue graph markers
Using Clock:32, Invert:0, Bits Found:513
ASK/Manchester - Clock: 32 - Decoded bitstream:
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
1110001110000100
1000001100000001
0000011101100011
1001001011010010
0100100010100001
1001001100000000
0110011001100110
1101001001111000
1100100101100110
0010110110110001
There is a pattern here, do you see it?
It does not matter if your "T55 empty cards" are damaged as long as you keep trying to write wrong data on them...
Offline