Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
I am trying to do two different things.
One is trying to work out what these weird blue fobs I have are, they are suppose to be T5577's but I have tried all sorts of things to reset them but nothing seems to work and i can't write to them with the proxmark3-easy. I have tried all the usual passwords/etc. I do have this NFC-PM5 reader/writer that does write to them, so i want to record the lf sniff of that writing process and save those traces continuously. Is there a way to get lf sniff to keep running and saving the traces to files so i can do a few writes to the fobs and compare the sets of traces to try and work out what it is ?
The other thing I am trying to do is a friend has two fobs for building access one one of those fobs is dead so I am trying to work out what kind of fob the other one is. I'm having trouble working out what the working fob is so i wanted to essentially do the same thing except do a continuous lf read saving the results to separate files. So I can go through later an analyse the files.
Offline
Fixing the friends fob, I took the working one and read the blocks in the T5577 chip and this is what I wrote to a replacement one:
lf t55xx write -b 1 -d FF0F0009 --verify
lf t55xx write -b 2 -d 00010909 --verify
lf t55xx write -b 0 -d F01480E8
Breaking down the configuration block,
[usb] pm3 --> lf t55xx info
[=] --- T55x7 Configuration & Information ---------
[=] Safer key : 15
[=] reserved : 0
[=] Data bit rate : 5 - RF/64
[=] eXtended mode : No
[=] Modulation : 8 - Manchester
[=] PSK clock frequency : 0 - RF/2
[=] AOR - Answer on Request : No
[=] OTP - One Time Pad : No
[=] Max block : 7
[=] Password mode : No
[=] Sequence Terminator : Yes
[=] Fast Write : No
[=] Inverse data : No
[=] POR-Delay : No
[=] -------------------------------------------------------------
[=] Raw Data - Page 0, block 0
[=] F01480E8 - 11110000000101001000000011101000
[=] --- Fingerprint ------------
So ASK/Manchester, RF/64 and 7 blocks long, considering that only blocks 1 and 2 have data it seems odd?
I did some searching and i can't find anything with a master key set to F so i had a look into the DATA sheet and all i could find is that if the master key is not either 6 or 9 then it prevents activate of the extended mode options.
Still no idea what kind of tag the T5577 is emulating but the new tag spits out the same signal as the old tag:
[usb] pm3 --> lf read
[usb] pm3 --> data rawdemod --am
[+] ASK/Manchester - clock 64 - decoded bitstream
[=] ---------------------------------------------
[+] DemodBuffer:
[+] 11111111000011110000000000001001
[+] 00000000000000010000100100001001
[+] 00000000000000000000000000000000
[+] 00000000000000000000000000000000
[+] 00000000000000000000000000000000
[+] 00000000000000000000000000000000
[+] 00000000000000000000000000000000
[+] 11111111000011110000000000001001
[+] 00000000000000010000100100001001
[+] 00000000000000000000000000000000
[+] 00000000000000000000000000000000
[+] 00000000000000000000000000000000
[+] 00000000000000000000000000000000
[+] 00000000000000000000000000000000
[+] 11111111000011110000000000001001
[+] 00000000000000010000100100001001
At the least hopefully this will be useful to some one else.
Offline
Pages: 1