Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-06-23 09:23:02

underlive
Contributor
Registered: 2020-06-23
Posts: 7

Not able to write block 0 of t55xx card, and dead card

I'm trying to write Block 0 of a t55xx card with no success.

I've been able to change the EM TAG ID with this command:
lf em 410x_write 3700333333 1

However, I can't change the Block0 value.

When I detect the target tag, I get this:

[usb] pm3 --> lf t55 detect
[=]      Chip Type      : T55x7
[=]      Modulation     : ASK
[=]      Bit Rate       : 5 - RF/64
[=]      Inverted       : No
[=]      Offset         : 32
[=]      Seq. Term.     : Yes
[=]      Block0         : 0x00323240
[=]      Downlink Mode  : default/fixed bit length
[=]      Password Set   : No


And the search command:

[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM410x pattern found

EM TAG ID      : 3700333333

Possible de-scramble patterns

Unique TAG ID  : XXXXXXXXXX (not real)
HoneyWell IdentKey {
DEZ 8          : 03904599
DEZ 10         : 0003904599
DEZ 5.5        : 00059.37975
DEZ 3.5A       : 055.37975
DEZ 3.5B       : 000.37975
DEZ 3.5C       : 059.37975
DEZ 14/IK2     : 00236227105879
DEZ 15/IK3     : 001013626710506
DEZ 20/ZK      : 14120000131202091410
}
Other          : 37975_059_03904599
Pattern Paxton : 927978071 [0x374FD257]
Pattern 1      : 6185788 [0x5E633C]
Pattern Sebury : 37975 59 3904599  [0x9457 0x3B 0x3B9457]

[+] Valid EM410x ID found!


However, I've tried writing Block 0 with these commands in the target key (after reading with the 'lf t55 read b 0' command):

lf t55 write b 0 d 0014FFFF

lf t55xx wr b 0 d 0014FFFF

After any of the commands, when I use 'lf t55 read b 0' I get an error:

[usb] pm3 --> lf t55 read b 0
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------

And not only that, detect and search doesn't work either:
[usb] pm3 --> lf t55 detect
[!] ⚠️  Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] ⛔ No data found!
[=] Signal looks like noise. Maybe not an LF tag?

Only when I set the UID again (with this command --> 'lf em 410x_write 3700333333 1'), it seems to work again, but the Block 0 is not changed. Is still the original from the target key.

And..., worse. One of the keys, after this procedure, is not working any more. I've tried wiping and anything, and still dead.

Any clues why I can't write block 0?
How can I recover the dead key?

Offline

#2 2020-06-28 21:36:43

underlive
Contributor
Registered: 2020-06-23
Posts: 7

Re: Not able to write block 0 of t55xx card, and dead card

I've managed to unbrick one of the tags.

I guess to write UID I should just use this:
lf em 410x_write 0F0368568B 1
And block 0 shouldn't be touched.
Is that right?

But..., card is EM4305.
And there is no similar to 'lf em 4x05_write'.
It isn't specific to ID.

Then, which command should I use?

Last edited by underlive (2020-06-28 22:32:46)

Offline

#3 2020-06-29 07:13:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538
Website

Re: Not able to write block 0 of t55xx card, and dead card

You should take some time reading the helptexts properly and maybe even the datasheet for t5577 in order to understand what you are doing wrong.

Offline

Board footer

Powered by FluxBB