Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
There are actually a lot of people in China using the Proxmark3 to crack their RFID cards. But it seems that most of them don't know this open source project.
They're just using a modified firmware and corresponding computer software with a very simple GUI from the sellers. The GUI is dedicated to cracking & copying 125k and Mifare Classic cards. Basically you only need to click "auto crack" and "copy to card" to successfully clone a card. No command needed.
Note: the proxmark3s sold in China usually have a modified, closed-source firmware. (Are they violating the GPL?) The firmware is said to have more functions than the original (open source) one, such as copying some special Chinese 125kHz cards, supporting 125/250/500 kHz cards, and seemingly without any breaking change!
Some sellers are selling "pm3 v5.0", which is just a Proxmark3 Easy with a built-in ChameleonMini on the middle PCB. They say that the sniff function of the pm3 is just too weak, so they added the ChameleonMini.
A seller even added 3 buttons and an OLED display to the pm3, allowing you to copy LF cards 100% offline: just press the read button, then write.
Some sellers classify the pm3 into "256MB" and "512MB" memory, which is actually 256KB and 512KB.
A seller, called FuRui, is selling "NFC-PM3" and "NFC-PM5", which are not Proxmark at all! I don't think they have more functions than the Proxmark3. Some buyers are confused by the name and ask "Which is better, proxmark3 or pm5?"
Yes, it's a mess. Not much to do either. There will be the leechers who take and take but never give back to the community.
It is fun how they try to add things and call it improvements. The ones who buy that crap usually end up on the GH repo asking why their device doesn't work with the firmware/client...
You get what you pay for.
Most of the buyers just want to copy their cards (mostly Mifare and EM4100) and have no interest in exploring RFID. Since the PM3 Easy is the cheapest device they can find on the market (the PN532 only supports HF cards), people just buy it and expect it to work. PM3 is just a cloner for them, and they don't have the desire to contribute to the project. Most of the buyers don't have the ability to give back to the community. And most of them don't even have the ability to use the CLI. That's why some of the silly GUIs can be sold at a high price.
Sad story indeed.
They are just a combination of RDV2easy and chameleon, which is an older version and no longer has much meaning. They have no ability to change the firmware, just add a logo in the margins of the existing firmware without any functional significance. People buy them for the simple reason that they need to crack a gate card, and that's it.
The device is difficult to sell officially in China, and network restrictions make it difficult to find the data needed on Google.
The firmware changes they claim are just a means to sell.
Currently there is no obvious distinction between RDV2R and DV4, which is the main reason they stole it. The firmware they use is RRG [Proxmark3 generic]
Their device is more like a simple toy. As for the software, it is just a few simple commands behind Chinese-labelled buttons in the interface; easy to operate.
Last edited by shuxiang2020 (2020-08-11 17:59:33)
There are improvements too.
There are A LOT OF weird LF cards in China, which are specially designed to bypass the reader. In China, some LF card readers will try to send T5577 erase commands every time they detect a card. That means if you clone an EM410x card onto a T5577 card, the new card won't work at all (or just work once).
The "weird LF cards" can be written, but using special, undocumented commands. When read, they just behave the same as an EM410x card.
Many non-free Chinese GUIs have implemented some functions to write these cards.
These cards' datasheets are not open to the public. (If they did open them, newer readers would probably erase these cards as well, I think.)
With the T5577 you can disable the test write, then change the downlink mode and set a password. Add the page 0 blocks 1 and 2 to page 1 blocks 1 and 2 and you would have a fairly robust EM4100 clone.
Once the above is complete, the reader would need to know the downlink mode used as well as the password; without that being sent correctly it would just spit out the ID as programmed.
@mwalker Hello. I'm playing with the T5577 card (and the blue cloner) these days and I really want to know how to sniff the write command with the cloner. I tried "lf snoop" and used "data rawdemod am", but then I got some error bits. I want to figure out the password and even the special write command to 8211/8310 cards with a lot of data and z3-solver, but I got stuck in the first step. Could you tell me something about it?
@hallo1 I might be a little bit off-topic. Sorry for that.
@wh201906 how about you start a new thread (so as not to hijack this one) and we can go over what I do.
@mwalker wow, that is interesting, any guide for this?
@hallo1, are you referring to locking down the T5577?
If so, first step is to read the datasheet.
Short version.
On the T5577 you write a password to block 7 page 1.
You update the config (block 0 page 1) to set the use password flag.
Then if you want to change the downlink mode, you write the correct config (see datasheet) to block 3 page 1.
Note: I prefer if people get used to using the datasheets (as the T55xx ones are freely available), then ask specific questions when needed.
Some notes: what I believe is the T5200 is a T55xx clone that does not support the page 1 block 3 config (so no downlink modes).
Also, for full protection you can disable the test write and lock the blocks (this will then make the card read-only). For a 2-block card ID, like the EM4100, it's also good to copy blocks 1 and 2 (page 1) to blocks 1 and 2 (page 2). Sometimes the card may be requested by a reader to send those blocks, so if it holds the ID, then all good.
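As an added illustration of the write order given above (password block first, then the config word with the PWD flag), here is a small Python helper that is not code from this thread or from the Proxmark3 project. The bit positions are my reading of the T5577 datasheet and the `lf t55xx write -b <block> -d <hex>` syntax is assumed from the Iceman client; check both against your own copies.

```python
# Added example: T5577 block 0 (page 0) configuration word and the write order
# for enabling the password. Field positions are assumed from my reading of the
# T5577 datasheet; verify against the datasheet before writing a real tag.
BITRATE_SHIFT = 18     # 3-bit field: 0=RF/8 1=RF/16 2=RF/32 3=RF/40 4=RF/50 5=RF/64 6=RF/100 7=RF/128
MODULATION_SHIFT = 12  # 5-bit field: 8 = Manchester, the EM4100 encoding
MAXBLOCK_SHIFT = 5     # 3-bit field: last data block the tag transmits (2 for EM4100)
PWD_FLAG = 0x10        # bit 28 in datasheet numbering: writes require the block 7 password
PASSWORD_BLOCK = 7     # page 0 block 7 holds the 32-bit password
CONFIG_BLOCK = 0       # page 0 block 0 holds the configuration word

RF_DIVISORS = (8, 16, 32, 40, 50, 64, 100, 128)

def build_config(rf_div, modulation, maxblock, password=False):
    """Assemble a block 0 word; EM4100 clone = RF/64, Manchester, maxblock 2 -> 0x00148040."""
    if rf_div not in RF_DIVISORS or not 0 <= modulation < 32 or not 0 <= maxblock < 8:
        raise ValueError("field out of range")
    word = ((RF_DIVISORS.index(rf_div) << BITRATE_SHIFT)
            | (modulation << MODULATION_SHIFT) | (maxblock << MAXBLOCK_SHIFT))
    return (word | PWD_FLAG) if password else word

def decode_config(word):
    """Pull the fields back out of a block 0 word, e.g. one the client has read from a tag."""
    return {
        "rf_div": RF_DIVISORS[(word >> BITRATE_SHIFT) & 0x7],
        "modulation": (word >> MODULATION_SHIFT) & 0x1F,
        "maxblock": (word >> MAXBLOCK_SHIFT) & 0x7,
        "pwd": bool(word & PWD_FLAG),
    }

def lockdown_plan(current_config, password):
    """Writes, in order, to turn the password on: block 7 first, then block 0 with PWD set.
    The other way round sets the flag while block 7 still holds whatever was there,
    which locks you out of your own tag."""
    if not 0 <= password <= 0xFFFFFFFF:
        raise ValueError("password must fit in 32 bits")
    if current_config & PWD_FLAG:
        raise ValueError("PWD already set; further writes need the existing password")
    return [(PASSWORD_BLOCK, password), (CONFIG_BLOCK, current_config | PWD_FLAG)]

def pm3_commands(plan):
    """Render the plan as Proxmark3 (Iceman) client commands; syntax assumed, see 'lf t55xx write -h'."""
    return ["lf t55xx write -b %d -d %08X" % (block, data) for block, data in plan]

if __name__ == "__main__":
    cfg = build_config(64, 8, 2)            # constructed sample: plain EM4100 clone config
    for cmd in pm3_commands(lockdown_plan(cfg, 0x11223344)):  # constructed sample password
        print(cmd)
```

After the second write every further write to that tag must carry the password (the client's `-p` option in the assumed syntax), which is exactly what keeps a reader's blind erase from landing.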