Research, development and trades concerning the powerful Proxmark3 device.
Hello,
As it looks like the previous thread on this topic has disappeared, find here the link to the modified code and binaries supporting this (based on r497):
http://www.proxmark.org/files/index.php … _T55x7.zip
It features a new command to clone HID tags (the T55x7 card must be placed on the antenna before submitting the command):
lf hid clone <ID>, where <ID> is the 44-bit card ID to be cloned in HEX, as returned by 'lf hid fskdemod'
Regards,
Cex.
I tried this but it didn't work
Please send a command screenshot.
thanks
Cex,
Contact Roel and ask him for access to the SVN, please.
The link worked for me and the clone feature is fantastic!
~/RFID/proxmark3-498/client$ ./proxmark3
Connected units:
1. SN: ChangeMe [003/003]
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 486-suspect 2011-07-31 00:16:23
#db# os: svn 498-unclean 2011-09-29 09:01:36
#db# FPGA image built on 2009/12/ 8 at 8: 3:54
proxmark3>
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait.
# LF antenna: 27,93 V @ 125.00 kHz
# LF antenna: 18,26 V @ 134.00 kHz
# LF optimal: 27,93 V @ 125,00 kHz
# HF antenna: 10,12 V @ 13.56 MHz
proxmark3>
proxmark3> lf em4x em410xwatch
#db# buffer samples: ff ff ff ff ff ff ff ff ...
Reading 2000 samples
Done!
Auto-detected clock rate: 64
EM410x Tag ID: 0000000001
proxmark3>
proxmark3> lf hid clone FFFFFFFFF
Cloning tag with ID fffffffff
#db# DONE!
proxmark3> lf hid fskdemod
proxmark3>
The orange LED is on and the red LED flashes but no response ... why ???
thanks
First of all, why would you try to clone FFFFFFFFF? That ID can't possibly be valid. What kind of blank tag are you using? Also, try reading an HID tag and write down the ID on paper. My HID LF tags have 10 digits, not 9 as you show above.
I use a T5577 tag, but do not have any HID tags ... can you give me a valid number to try?
thanks
I use a T5577 tag, but do not have any HID tags ... can you give me a valid number to try?
thanks
20042ea607
Tell me what decimal number it produces with the proxmark3 after the clone command and I'll let you know if it is right?
spinoinside wrote: I use a T5577 tag, but do not have any HID tags ... can you give me a valid number to try?
thanks
20042ea607
Tell me what decimal number it produces with the proxmark3 after the clone command and I'll let you know if it is right?
proxmark3> lf hid clone 20042ea607
Cloning tag with ID 20042ea607
#db# DONE!
proxmark3>
proxmark3> lf hid fskdemod
proxmark3>
The orange LED is on and the red LED flashes but no response
Are you using the proxmark3.exe that came with the PM3_T55x7 zip file?
How do you know that you have a T5577 and not a T5567?
It appears that the blank tag is not being programmed. Or it is not a T55x7 LF blank tag. Are you sure the LF tag is blank and can be programmed? I think the tags can be programmed to be protected, so if something went wrong when you tried an invalid ID, the tag may not be able to be programmed again. I do not know what kind of checking Cex put into the program.
Also, I do remember having trouble my first few tries. I use the LF antenna that came with my PM3. It is the one that looks like a black CD/DVD. I was able to get results when I laid the blank tag on the antenna and just left it. Before, I was holding it above the antenna like I do when I want to read a tag.
I just tried to reprogram my T55x7 tag with 20042ea777 and it worked great! However, after I did the clone command and went into the lf hid fskdemod command, it did nothing until I picked the card up off the antenna.
Hope that helps.
Are you using the proxmark3.exe that came with the PM3_T55x7 zip file?
How do you know that you have a T5577 and not a T5567?
It appears that the blank tag is not being programmed. Or it is not a T55x7 LF blank tag. Are you sure the LF tag is blank and can be programmed? I think the tags can be programmed to be protected, so if something went wrong when you tried an invalid ID, the tag may not be able to be programmed again. I do not know what kind of checking Cex put into the program.
Also, I do remember having trouble my first few tries. I use the LF antenna that came with my PM3. It is the one that looks like a black CD/DVD. I was able to get results when I laid the blank tag on the antenna and just left it. Before, I was holding it above the antenna like I do when I want to read a tag.
I just tried to reprogram my T55x7 tag with 20042ea777 and it worked great! However, after I did the clone command and went into the lf hid fskdemod command, it did nothing until I picked the card up off the antenna.
Hope that helps.
I compiled under Linux and tried it but got no result, then I tried the proxmark3.exe that came with the PM3_T55x7.zip file, but nothing.
I'm not sure that the tag is a T5577; on the card is printed "FOR HW688". I bought the card from the user laser.
I use this homemade antenna.
thanks for the quick response
I will do other tests
You have too many unknowns. The biggest unknown to me is your 'blank tag'. The "FOR HW688" means nothing to me. All my blank T55x7 cards are plain white and have nothing written on either side. Maybe you need to ask Laser what kind of tag it is?
Secondly, your antenna design looks good but, as I said before, the clone command is very picky as to how the tag is positioned next to the antenna. I don't know why this is.
Confirm 'blank tag' first.
The "FOR HW688" means nothing
It means that the blank card you are using is Q5 or Hitag2:
http://www.proxmark.org/forum/viewtopic … 4458#p4458
I'm glad vivat pointed that out. It appears that the Hitag2 is ASK modulation and probably won't work. I'm not sure if the Q5 is the same as an ATMEL T5567 or not. I think the clone feature developed by CEX is probably just for 125 kHz, FSK, and the ATMEL T5567. I'm guessing that each manufacturer has its own unique way of programming its tags. However, since he included the source code, I think it would be easy to modify for the other tags as well.
You have too many unknowns. The biggest unknown to me is your 'blank tag'. The "FOR HW688" means nothing to me. All my blank T55x7 cards are plain white and have nothing written on either side. Maybe you need to ask Laser what kind of tag it is?
Secondly, your antenna design looks good but, as I said before, the clone command is very picky as to how the tag is positioned next to the antenna. I don't know why this is.
Confirm 'blank tag' first.
laser told me that the tag is a T5557.
Today I received an HID tag and the command "lf hid fskdemod" works:
#db# TAG ID: 2004dc9993 (19657)
#db# TAG ID: 2004dc9993 (19657)
#db# TAG ID: 2004dc9993 (19657)
#db# TAG ID: 2004dc9993 (19657)
#db# TAG ID: 2004dc9993 (19657)
#db# Stopped
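An added Python example, not code from the thread or from the Proxmark3 client, to go with the "FFFFFFFFF can't possibly be valid" remark and the 2004dc9993 (19657) read above: it checks an ID as printed by 'lf hid fskdemod' against the 26-bit layout every such ID on this page shares (10 hex digits, hi byte 0x20, bit 26 set, then the Wiegand frame: even parity, 8-bit facility code, 16-bit card number, odd parity) and recovers the facility code and the card number the firmware prints in parentheses, so a bad read is rejected before anything is written to a blank. The header bytes and the Wiegand layout are assumptions drawn from the IDs in the thread, not taken from the Proxmark3 source.

```python
from typing import Optional, Tuple

HI_26BIT = 0x20       # byte above the low 32 bits in every 26-bit ID on the page
LEN_MARKER = 1 << 26  # bit 26 of the low word is set in all of them (2004..., 2006...)
LONG_HEADER = "9e"    # header 'lf hid fskdemod' prints in front of a long-format read


def parity(value: int) -> int:
    """1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def decode_hid26(tag_id: str) -> Tuple[int, int]:
    """Split a 10-hex-digit ID into (facility_code, card_number); raise ValueError
    for anything that is not a clean 26-bit read, e.g. FFFFFFFFF (9 digits) or the
    misread '00000021 06ea19d2' from the thread (hi byte 0x21 instead of 0x20)."""
    digits = tag_id.replace(" ", "").strip().lower()
    if len(digits) != 10:
        raise ValueError(f"expected 10 hex digits, got {len(digits)}")
    value = int(digits, 16)
    hi, lo = value >> 32, value & 0xFFFFFFFF
    if hi != HI_26BIT or not lo & LEN_MARKER:
        raise ValueError(f"hi=0x{hi:x} lo=0x{lo:08x} is not the 26-bit layout")
    frame = lo & 0x3FFFFFF            # the 26-bit Wiegand frame itself
    fc = (frame >> 17) & 0xFF         # 8-bit facility code
    cn = (frame >> 1) & 0xFFFF        # 16-bit card number: the "(19657)" the firmware prints
    if parity(frame >> 13) != 0:      # even parity bit covers the first 13 bits
        raise ValueError("even parity check failed")
    if parity(frame & 0x1FFF) != 1:   # odd parity bit covers the last 13 bits
        raise ValueError("odd parity check failed")
    return fc, cn


def is_valid_hid26(tag_id: str) -> bool:
    """True when decode_hid26() accepts the ID, False otherwise."""
    try:
        decode_hid26(tag_id)
        return True
    except ValueError:
        return False


def long_format_payload(tag_id: str) -> Optional[str]:
    """For a long-format read (9e + 21 hex digits = 84 bits) return the 21 digits
    that follow 9e, i.e. what 'lf hid clone <digits> l' expects; None otherwise."""
    digits = tag_id.strip().lower()
    if len(digits) == 23 and digits.startswith(LONG_HEADER):
        return digits[2:]
    return None


if __name__ == "__main__":
    # Samples from the thread: two good reads, the invalid FFFFFFFFF, and the
    # 'data fskdemod' read-back with the wrong hi byte (leading zeros dropped).
    for sample in ("2004dc9993", "20042ea607", "FFFFFFFFF", "2106ea19d2"):
        if is_valid_hid26(sample):
            print(sample, "-> FC %d, CN %d" % decode_hid26(sample))
        else:
            print(sample, "-> rejected as a 26-bit read")
```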
The "FOR HW688" means nothing
It means that the blank card you are using is Q5 or Hitag2:
http://www.proxmark.org/forum/viewtopic … 4458#p4458
Can I verify whether the tag is a Q5 or Hitag?
vivat wrote: The "FOR HW688" means nothing
It means that the blank card you are using is Q5 or Hitag2:
http://www.proxmark.org/forum/viewtopic … 4458#p4458
Can I verify whether the tag is a Q5 or Hitag?
If Laser verified that it is a T5557 then the clone command should work. So, the second thing is the antenna. Try cloning the HID tag you have now. If it doesn't work, add non-metallic spacers between your blank tag and the antenna until you get results. Obviously, you may have to remove the spacers to read the tag once you have programmed it.
Try limiting the ID to just 10 digits.
Have anybody encounter this before?
http://farm7.static.flickr.com/6049/6240835112_30682863b0.jpg
lf hid clone problem by raymond2017
#db# unknown commND:: 0X0210
Shaved off one digit at the front and then one digit at the back.
lf hid clone problem 3 by raymond2017
For that HID card, the HID reader (not the proxmark3) displays:
ID = EDDEEEBBDEF
37-bit 6F775DEF7
I also tried emulating it from the proxmark3; the HID reader was not able to detect it either.
Arh.......
Could be a Windows 7 issue. Try using ID 20042ea5a0. If that doesn't work, it is a Windows 7 issue. Try again with XP.
Yes, I got that error sometimes when the card is not read properly.
The SW seems to be interpreting part of the card ID as a command.
Just ignore it.
Bugman1400, I tried using XP.
T55x7 by raymond2017
Same result.
I downloaded the T55x7 zip file and when I tried to open proxmark3.exe, it said that I am missing some files. The files are those in r486/win32, so I copied them over.
Or am I doing the wrong thing?
Cex,
I tried to clone the card I bought from proxmark3 and also got the same error.
2006e23731
Also thanks for replying.
Yes, the DLLs are the same.
Surely your antenna does not provide enough voltage, but try out this version with modified programming times, which seems to work better (at least for me):
http://www.proxmark.org/files/index.php?dir=Uploads%2F&download=PM3_T55x7_extended_times.zip
EDIT: Also try to program the card from the other side (it should be the same for both sides, but I have noticed that cards tend to work better from one of their sides).
Regards.
Last edited by Cex (2011-10-14 11:21:11)
Have anybody encounter this before?
http://farm7.static.flickr.com/6049/6240835112_30682863b0.jpg
lf hid clone problem by raymond2017
#db# unknown commND:: 0X0210
WAIT!
I have not realised it was complaining about cloning, not reading.
You have NOT updated the PM3 firmware.
You MUST update the firmware for the command to work. The cloning function requires the new CLIENT and the new OSIMAGE.ELF to work.
Update your firmware (copy osimage.elf to your client folder and type 'flasher osimage.elf') or your PM3 won't know how to program the card.
Why don't you put this neat feature into the main SVN?
I was waiting to make it work with keyfobs.
Finally I found the problem... as the antenna inductance makes the field decrease exponentially when creating a gap, the field ON times must be shorter than those in the datasheet and the gap time a little longer.
Now I have a version that works with keyfobs and ISO cards (don't have a clamshell to test with).
On the other hand, there was no need to reset the tag when writing to a new block, so now the whole process takes around 1 second.
Do I have permission to upload to SVN or shall I ask Roel for it?
Cool! I'll try those features.
Ask Roel for SVN creds.
Thanks for this contribution!
Cool! I'll try those features.
Ask Roel for SVN creds.
Thanks for this contribution!
Ok, I'll send a message to Roel.
In the meantime you can find the working version in:
http://www.proxmark.org/files/index.php?dir=Uploads%2F&download=PM3_T55x7_v2.zip
It seems to work quite well on both ISO cards and keyfobs.
It is also supposed to be compatible with E5550 cards (I extended the programming time), but I don't have any to test with.
Regards.
Raymond wrote:Have anybody encounter this before?
http://farm7.static.flickr.com/6049/6240835112_30682863b0.jpg
lf hid clone problem by raymond2017
#db# unknown commND:: 0X0210
WAIT!
I have not realised it was complaining about cloning, not reading.
You have NOT updated the PM3 firmware.
You MUST update the firmware for the command to work. The cloning function requires the new CLIENT and the new OSIMAGE.ELF to work.
Update your firmware (copy osimage.elf to your client folder and type 'flasher osimage.elf') or your PM3 won't know how to program the card.
I got my proxmark3 with the firmware this month.
So where can I download or update my firmware?
By the way, for the command lf em4x em410xwatch: will it go on and on after you run it, or will pressing the button stop it? I tried to stop it by pressing the button but got an error and a force close.
I got my proxmark3 with the firmware this month.
So where can i download or update my firmware?
You got the link in the previous post. Please read before asking...
Alternatively you can get release r499 from SVN repository.
Regards.
Thank for the reply Cex.
Why don't you put this neat feature into the main SVN?
Done (r499).
Made a stupid mistake when committing and the Log Message field was empty.
I have asked Roel to fix that, but the version shall be working anyway.
Would it be possible to implement the following function in the Proxmark:
Write to a R/W T55x7 chip along with a password.
So that any rewriting is impossible unless the password is known...
It is possible (the T55x7 chip supports password), but it will take quite a huge effort.
You'll need to include commands to program the password (and check it before enabling it to make sure you don't lose access to the card), to modify it, and to modify the stored ID with the password.
It's quite improbable that the card gets erased/modified by itself, so I think it's not worth the effort.
Hello,
As it looks like the previous thread on this topic has disappeared, find here the link to the modified code and binaries supporting this (based on r497):
http://www.proxmark.org/files/index.php … _T55x7.zip
It features a new command to clone HID tags (the T55x7 card must be placed on the antenna before submitting the command):
lf hid clone <ID>, where <ID> is the 44-bit card ID to be cloned in HEX, as returned by 'lf hid fskdemod'
Regards,
Cex.
Thanks a lot, I'll try it!!
Hello all,
Can anybody tell me where I can find a place to buy T55x7 cards?? I only found places in China with a minimum lot of 200 units for about $230, shipping included. Any recommendations??
Regards
If you are looking for small quantities in the US you can purchase some T5557 R/W cards from mdfly.com . They work great!! The cards are $1.59 each and they ship quickly from California.
Here is the link:
http://www.mdfly.com/index.php?main_page=product_info&cPath=16_62&products_id=170
Thanks Carl,
I will try them.
Regards
This worked for me with your firmware and a T5567 card, but with the latest svn 528 this doesn't work.
Last edited by urkis (2012-05-01 19:10:20)
This worked for me with your firmware and a T5567 card, but with the latest svn 528 this doesn't work.
Took a look at the new revision and there's an error in file lfopt.c line 1139 introduced in r528.
The correct modulation for HID is FSK2a, not Manchester, so replace T55x7_MODULATION_MANCHESTER by T55x7_MODULATION_FSK2a.
I'll correct it when possible (I'll also add cloning capabilities for 64/224 bits Indala cards).
Will this work with T5577 chip which replaces T5567?
urkis wrote:This worked for me with your firmware and a T5567 card, but with the latest svn 528 this doesn't work.
Took a look at the new revision and there's an error in file lfopt.c line 1139 introduced in r528.
The correct modulation for HID is FSK2a, not Manchester, so replace T55x7_MODULATION_MANCHESTER by T55x7_MODULATION_FSK2a.
I'll correct it when possible (I'll also add cloning capabilities for 64/224-bit Indala cards).
Fixed bug in r582 (and Indala cloning added).
As far as I know it should also work on T5577, although I do not have any to test.
Hi Cex,
does this version also work in standalone mode?
I have not modified that part of the code.
If it was working on the previous release, it should work in this release.
Hi Cex,
I meant whether cloning onto another card also works in standalone mode. As far as I understood the standalone mode description, it only does card emulation, not copying onto another card. Is that right? It would be great to also be able to copy a card in standalone mode.
I have not implemented that function.
If you are interested, just replace the call to simulate tag with a call to clone tag. It should work.
Added support for long format (up to 84 bits) to clone command in r649.
If, when using "lf hid fskdemod", you get a UID like TAG ID: 9exxxxxxxxxxxxxxxxxxxxx
you can clone using "lf hid clone xxxxxxxxxxxxxxxxxxxxx l" (the l specifies long format).
The 9E must NOT be included when cloning as it is part of the header and is automatically added.
Regards.
Added support for long format (up to 84 bits) to clone command in r649.
If, when using "lf hid fskdemod", you get a UID like TAG ID: 9exxxxxxxxxxxxxxxxxxxxx
you can clone using "lf hid clone xxxxxxxxxxxxxxxxxxxxx l" (the l specifies long format).
The 9E must NOT be included when cloning as it is part of the header and is automatically added.
Regards.
Nice, but there seems to be some trouble now when writing the short format
Example:
lf hid clone 2006EA19D2
And when I read the T55x7 using "data fskdemod" it shows:
hex: 00000021 06ea19d2
Seems like the second number always becomes a 1 instead of 0?
Nice, but there seems to be some trouble now when writing the short format
Example:
lf hid clone 2006EA19D2
And when I read the T55x7 using "data fskdemod" it shows:
hex: 00000021 06ea19d2
Seems like the second number always becomes a 1 instead of 0?
Functionality was tested before committing changes. Anyway, I tested again with your example and it works fine for me.
Maybe there's a bug in 'data fskdemod' (I did not modify that command). Try 'lf hid fskdemod' instead.
Also try to read/write with the card in another position or with a small spacer between the card and the PM3, as antenna coupling may modify the writing timings and the card may have been written with a wrong value.
I'm also having problems with "lf hid clone" after commit 649. I can use "lf hid fskdemod" with 648 and 650 and get the same correct read from my HID card. Cloning to a T5557 using 648 works well and the cloned card reads exactly the same as the original.
Cloning to a T5557 using 650, however, has bits missing from the written data. I get bad reads from that card from both 650 and 648. It also takes many seconds to get a read and when it does I get one UID that looks completely wrong and a second that has the first 4-5 bits correct, so that I can see the facility code, but the rest is wrong.
I'm using a Proxmark3 and LF antenna from xfpga.com. Firmware and client have been compiled on Windows 7 using the latest mingw-proxmark.zip env from Google Code and the 20121222 release of the YAGARTO ARM Toolchain.