Hello all,
I'm testing around on t5577 chips and have bricked quite a few now.
It's super weird.
With every command that involves the password, I can no longer read the chip. Even if I put on a new chip and only used the recover function, the chip is no longer responsive afterwards. If I want to set a password and accidentally use the wrong key, the same thing happens. I made sure to call "lf t5 detect" beforehand.
From the data sheet "http://ww1.microchip.com/downloads/en/DeviceDoc/ATA5577C-Read-Write-LF-RFID-IDIC-100-to-150-kHz-Data-Sheet-DS70005357B.pdf" (ok, this will not be the exact chip - ordered from AliExpress) I cannot figure it out. In principle, this should mean that the recover function writes around in page 0 block 0?
(However, the same also happens when I have written em410x or nedap data. - "lf search" still provides valid data, but detect won't find any valid configuration)
Are there any ideas how I can get the chips running again - or might it be a vendor issue?
Many greetings, Björn
FW: (Compiled today) Iceman/master/v4.14831-477-gd851152fe 2022-03-23 15:22:08 756c0b5e5
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] Indala (len 1875) Raw: 80000000000000000000000000000000000000000000000000000000
[+] Valid Indala ID found!
[=] Couldn't identify a chipset
[usb] pm3 --> lf t5 det
[=] Chip type......... T55x7
[=] Modulation........ ASK
[=] Bit rate.......... 2 - RF/32
[=] Inverted.......... No
[=] Offset............ 32
[=] Seq. terminator... Yes
[=] Block0............ 00088048 (auto detect)
[=] Downlink mode..... default/fixed bit length
[=] Password set...... No
[usb] pm3 --> lf t5 dum
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00088048 | 00000000000010001000000001001000 | ...H
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] 04 | 00000000 | 00000000000000000000000000000000 | ....
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
[+] 06 | 00000000 | 00000000000000000000000000000000 | ....
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Reading Page 1:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00088048 | 00000000000010001000000001001000 | ...H
[+] 01 | E03900D0 | 11100000001110010000000011010000 | .9..
[+] 02 | CA73D0B5 | 11001010011100111101000010110101 | .s..
[+] 03 | 00A00003 | 00000000101000000000000000000011 | ....
[+] saved to json file lf-t55xx-dump-17.json
[+] saved 12 blocks to text file lf-t55xx-dump-17.eml
[+] saved 48 bytes to binary file lf-t55xx-dump-17.bin
[usb] pm3 --> lf t5 recover
[=] press <Enter> to exit
[=] Trying password 00000001
[=] Trying password 00000002
[....]
[=] Trying password 00000000
[-] Recover password failed
[usb] pm3 --> lf t5 det
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t5 dum
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] Reading Page 1:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 3FE3FE3F | 0000.1.1.1.00000.1.1.1.00000.1.1 | ?..?
[+] 01 | 1FF1FF1F | 00000.1.1.1.00000.1.1.1.00000.1. | ....
[+] 02 | 3FE3FE3F | 0000.1.1.1.00000.1.1.1.00000.1.1 | ?..?
[+] 03 | 1FF1FF1F | 00000.1.1.1.00000.1.1.1.00000.1. | ....
[usb] pm3 -->
[usb] pm3 --> hw status
[#] Memory
[#] BigBuf_size............. 40904
[#] Available memory........ 40904
[#] Tracing
[#] tracing ................ 1
[#] traceLen ............... 0
[#] Current FPGA image
[#] mode.................... LF image 2s30vq100 2022-03-20 09:28:32
[#] Flash memory
[#] Baudrate................ 24 MHz
[#] Init.................... OK
[#] Device ID............... --> Unknown <--
[#] Unique ID............... 0xE1605453273A8635
[#] Smart card module (ISO 7816)
[#] version................. FAILED
[#] LF Sampling config
[#] [q] divisor............. 95 ( 125.00 kHz )
[#] [b] bits per sample..... 8
[#] [d] decimation.......... 1
[#] [a] averaging........... no
[#] [t] trigger threshold... 0
[#] [s] samples to skip..... 0
[#]
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) | 29 | 17 | 15 | 47 | 15 | N/A | N/A |
[#] long leading reference | 29 | 17 | 15 | 47 | 15 | N/A | N/A |
[#] leading zero | 29 | 17 | 15 | 40 | 15 | N/A | N/A |
[#] 1 of 4 coding reference | 29 | 17 | 15 | 31 | 15 | 47 | 63 |
[#]
[#] HF 14a config
[#] [a] Anticol override.... std ( follow standard )
[#] [b] BCC override........ std ( follow standard )
[#] [2] CL2 override........ std ( follow standard )
[#] [3] CL3 override........ std ( follow standard )
[#] [r] RATS override....... std ( follow standard )
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed................... 500ms
[#] Bytes transferred.............. 279552
[#] Transfer Speed PM3 -> Client... 559104 bytes/s
[#] Various
[#] Max stack usage......... 4128 / 8480 bytes
[#] Debug log level......... 1 ( error )
[#] ToSendMax............... -1
[#] ToSend BUFFERSIZE....... 2308
[#] Slow clock.............. 30530 Hz
[#] Installed StandAlone Mode
[#] LF HID26 standalone - aka SamyRun (Samy Kamkar)
[#] Flash memory dictionary loaded
[#]
Last edited by papayawhip (2022-03-23 20:22:39)
Offline
To me it looks like you tried to "recover" a password when there is not a password set.
The lf t55 detect and dump look like a valid card with no data in blocks 1..7.
On a T5577, using a password for a read when the password flag has not been set will turn into a "non password" write.
Given that recover tries to use the password to read block 0 (the config block), there is a good chance what you have done is set the password flag.
Given that the dump shows block 7 as 00000000,
I would suggest the following:
lf t55 write -b 0 -d 000880E0 -p 00000000
Then see if the detect works.
Offline
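An added example (not part of the original posts and not Proxmark3 code): a small decoder for the block 0 configuration word discussed above, showing which fields differ between the detected 00088048 and the suggested 000880E0, and where the password flag sits. The bit positions are an assumption based on the ATA5577C basic-mode layout, and 00088058 is a constructed value used only to show the password bit set.

```python
# Added example: decode a T55x7 block 0 configuration word (basic mode).
# Field positions are an assumption taken from the ATA5577C basic-mode layout.

BITRATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {
    0x00: "Direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
    0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
    0x08: "Manchester (ASK)", 0x10: "Biphase", 0x18: "Diphase",
}


def decode_block0(word):
    """Split a 32-bit config word (int or hex string) into named fields."""
    if isinstance(word, str):
        word = int(word, 16)
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 must be a 32-bit value")
    mod = (word >> 12) & 0x1F
    return {
        "bitrate": BITRATES[(word >> 18) & 0x7],
        "modulation": MODULATIONS.get(mod, f"unknown (0x{mod:02X})"),
        "aor": bool(word & 0x200),     # answer-on-request
        "maxblk": (word >> 5) & 0x7,   # last block sent in regular read mode
        "pwd": bool(word & 0x10),      # password flag
        "st": bool(word & 0x08),       # sequence terminator
    }


def changed_fields(before, after):
    """Return {field: (old, new)} for every field that differs."""
    a, b = decode_block0(before), decode_block0(after)
    return {name: (a[name], b[name]) for name in a if a[name] != b[name]}


if __name__ == "__main__":
    samples = [
        ("from the dump in the thread", "00088048"),
        ("suggested recovery value", "000880E0"),
        ("constructed: password flag set", "00088058"),
    ]
    for label, value in samples:
        print(f"{value}  {label}")
        for name, field in decode_block0(value).items():
            print(f"    {name:<10} {field}")
    print("dump -> suggested:", changed_fields("00088048", "000880E0"))
```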
Same happened to me with 2 t5577 cards bundled with my pm3 easy v3: thanks to this post I've been able to "revive" them.
I incautiously (and newbie-ish) messed up with them without knowing what I was doing.
I thought I bricked those!
Thanks mwalker! You made my day.
I'm learning many interesting things by following this forum/community, thanks all!
Offline