Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hi guys,
Hoping someone can point me in the right direction on this one, I tried googling and searching the forums and didn't have any luck finding an answer.
I've just purchased a Chinese clone of a PM3 Easy, I've flashed the latest RRG/Iceman fork, and I'm having trouble working with T55xx cards.
Wipe commands complete successfully, and the various clone commands work (I've written and read EM410x and HID data, which is detected properly with lf search and on separate reader hardware) but I can't get 'lf t55xx detect' to work - I've tried 3 different tags from different suppliers, in various stages of config (After wipe, with EM data, with HID data) and always get the below result.
[usb] pm3 --> lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
I'm suspecting I may have just gotten a bad antenna that isn't coupling well, but I'd love if anyone had suggestions of things to try! These are full ISO size cards sitting directly on top of the antenna, but being a clone I could have got the dud.
hw info
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman
compiled with Clang/LLVM 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.10.44.4) OS:OSX ARCH:x86_64
[ PROXMARK3 ]
[ ARM ]
bootrom: RRG/Iceman/master/688fb782 2020-01-24 20:59:28
os: RRG/Iceman/master/688fb782 2020-01-24 20:59:42
compiled with GCC 5.4.1 20160919 (release) [ARM/embedded-5-branch revision 240496]
[ FPGA ]
LF image built for 2s30vq100 on 2020-01-12 at 15:31: 2
HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 254528 bytes (49%) Free: 269760 bytes (51%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
hw status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........28000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............10
#db# Currently loaded FPGA image
#db# mode.................... LF image built for 2s30vq100 on 2020-01-12 at 15:31: 2
#db# LF Sampling config
#db# [q] divisor.............95 ( 125.00 kHz )
#db# [b] bits per sample.....8
#db# [d] decimation..........1
#db# [a] averaging...........No
#db# [t] trigger threshold...0
#db# [s] samples to skip.....0
#db# LF T55XX config
#db# [r] [a] [b] [c] [d] [e] [f] [g]
#db# mode |start|write|write|write| read|write|write
#db# | gap | gap | 0 | 1 | gap | 2 | 3
#db# ---------------------------+-----+-----+-----+-----+-----+-----+------
#db# fixed bit length (default) | 29 | 17 | 15 | 47 | 15 | N/A | N/A |
#db# long leading reference | 29 | 17 | 15 | 47 | 15 | N/A | N/A |
#db# leading zero | 29 | 17 | 15 | 40 | 15 | N/A | N/A |
#db# 1 of 4 coding reference | 29 | 17 | 15 | 31 | 15 | 47 | 63 |
#db#
#db# Transfer Speed
#db# Sending packets to client...
#db# Time elapsed............500ms
#db# Bytes transferred.......354816
#db# Transfer Speed PM3 -> Client = 709632 bytes/s
#db# Various
#db# DBGLEVEL................1
#db# ToSendMax...............-1
#db# ToSendBit...............0
#db# ToSend BUFFERSIZE.......2308
#db# Slow clock..............32080 Hz
#db# Installed StandAlone Mode
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
hw tune
[=] Measuring antenna characteristics, please wait...
[=] You can cancel this operation by pressing the pm3 button
..
[+] LF antenna: 45.89 V - 125.00 kHz
[+] LF antenna: 45.46 V - 134.83 kHz
[+] LF optimal: 56.65 V - 130.43 kHz
[+] LF antenna is OK
[+] HF antenna: 33.48 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.
Thanks for your time!
Compgeek
Offline
hm, your LF timing settings is the ones for RDV4... Normally they should automatically detect that and select another setting.
https://github.com/RfidResearchGroup/pr … ops.c#L149
Are you sure you compile the repo for PM3OTHER?
Offline
hm, your LF timing settings is the ones for RDV4...
Oops, that's my bad! I tried resetting my timings to default using lf t55xx deviceconfig z p - just incase I had messed them up at some point.
I've now restored manually to the PM3OTHER timings
#db# LF T55XX config
#db# [r] [a] [b] [c] [d] [e] [f] [g]
#db# mode |start|write|write|write| read|write|write
#db# | gap | gap | 0 | 1 | gap | 2 | 3
#db# ---------------------------+-----+-----+-----+-----+-----+-----+------
#db# fixed bit length (default) | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
#db# long leading reference | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
#db# leading zero | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
#db# 1 of 4 coding reference | 31 | 20 | 18 | 50 | 15 | 50 | 66 |
Are you sure you compile the repo for PM3OTHER?
Compiling on Mac OS using Homebrew, I definitely ran
export HOMEBREW_PROXMARK3_PLATFORM=PM3OTHER
where it is listed as 'optional' on the Github installation instructions.
After resetting the timings, I tried to tune and detect again, still no luck. I've been told that detect and trace commands require better coupling than just lf search or a clone command - did I possibly just get the short straw on my antenna?
Offline
I doubt that, 45v looks good. Try some different positions / distance between tag and antenna.
Offline
Try some different positions / distance between tag and antenna.
Still no joy, tried 2 different cards and a fob, all distances ranging from right on the antenna to about 15cm above, in all sorts of orientations and positions over the antenna, in blank, EM and HID modes.
Offline
Yr device can't read 15cm. Keep it 1-2cm to the antenna.
How does the signal look like?
lf read
data plot
Offline
You probably don’t take into account the wind direction on the street;) This is a joke. I have 3 different devices and 2 different Chinese T55xx cards. There is no logic in the work - all through the ass. In my Chinese, PM3 essentially differs from RDV4 only in the extension of the I / O system. Mac, Linux or Windows - this refers to the client side, and not to the device.
Offline
How does the signal look like?
You probably don’t take into account the wind direction on the street;)
Fair enough mate, i've made the mistake before of not giving enough detail when explaining a problem so just wanted to dot my m's and cross my v's
Offline
That looks like strong lf signals.
It might not be a t55x7 card, hence the detect fails.. Since it looks like a ASK modulation.
Just run lf search
or save a sample set and share. replace xxx in filename with printed cardnumbers if any
lf read
data save f lf_unk_xxxxx.pm3
Offline
The printing on this card just says T5577, and it responds to the clone and wipe commands as expected so I didn't have a reason to doubt it, lf search below and a link to the save
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
#db# Starting Hitag reader family
#db# Configured for hitag2 reader
#db# Detected incorrect header, the bit [1] is zero instead of one, abort
#db# TX/RX frames recorded: 1
[+] EM410x pattern found
EM TAG ID : BDBDBDBDBD
Possible de-scramble patterns
Unique TAG ID : BDBDBDBDBD
HoneyWell IdentKey {
DEZ 8 : 12434877
DEZ 10 : 3183328701
DEZ 5.5 : 48573.48573
DEZ 3.5A : 189.48573
DEZ 3.5B : 189.48573
DEZ 3.5C : 189.48573
DEZ 14/IK2 : 00814932147645
DEZ 15/IK3 : 000814932147645
DEZ 20/ZK : 11131113111311131113
}
Other : 48573_189_12434877
Pattern Paxton : 3184655293 [0xBDD1FBBD]
Pattern 1 : 7831135 [0x777E5F]
Pattern Sebury : 48573 61 4046269 [0xBDBD 0x3D 0x3DBDBD]
[+] Valid EM410x ID found!
Offline
And there is nothing wrong with your easy clone nor the card, nor the software.
Search this forum for more info about t55xx problematics. The user @mrwalker has written some well worded posts about it.
Offline
And there is nothing wrong with your easy clone nor the card, nor the software.
Search this forum for more info about t55xx problematics. The user @mrwalker has written some well worded posts about it.
Definitely good to know, thanks for your time and checking into my dumps for me! Intriguing that it's not responding as expected even though everything checks out, but seems to be just the way it sometimes is with these chips.
Appreciate your help!
-Compgeek
Offline