Broken T5577 - Modulation 0x1F unknown

I recently bought a Magic Ring and I fear I’ve broken it. A few days ago I cloned an HID Prox card to it. When it failed to read today I ran
lf t5 wipe
to start fresh and try again. Now lf t5 detect returns nothing.

lf t5 info output:

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 8
[=]  reserved                  : 0
[=]  Data bit rate             : 3 - RF/8
[=]  eXtended mode             : Yes - Warning
[=]  Modulation                : 0x1F (Unknown)
[=]  PSK clock frequency       : 3 - (Unknown)
[=]  AOR - Answer on Request   : No
[=]  OTP - One Time Pad        : Yes - Warning
[=]  Max block                 : 7
[=]  Password mode             : Yes
[=]  Sequence Start Marker     : No
[=]  Fast Write                : No
[=]  Inverse data              : No
[=]  POR-Delay                 : No
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  800FFDF0 - .0000000000000...0.00.000...0000
[=] --- Fingerprint ------------

lf t5 dump output:

[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 800FFF7E | .0000000000000.00..0.00.000.00.0 | ...~
[+]  01 | 800FFDF0 | .0000000000000....0.0.000...0000 | ....
[+]  02 | 800FFC7F | .0000000000000..0..0..00000..0.. | ....
[+]  03 | 800EEFDC | .0000000000000.000.000.00.000.00 | ....
[+]  04 | 800FBEFE | .0000000000000.0.000.0.000.00..0 | ....
[+]  05 | 800FFE3C | .0000000000000...0..0..00000..00 | ...<
[+]  06 | 800FFC1E | .0000000000000..0..0..0000000..0 | ....
[+]  07 | 800FFF1E | .0000000000000...0..0...00000..0 | ....
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | FFE003FF | .0......0..0000000000000....0... | ....
[+]  01 | FE003FE0 | .0..0..0000000000000....0..00000 | ..?.
[+]  02 | FE003F80 | .0..0..0000000000000..0..0000000 | ..?.
[+]  03 | FFFFC007 | .0.00.0.0..0...0..0000000000000. | ....

I’m no expert but that dump output doesn’t seem right. Any ideas where I went wrong? lf t5 wipe does not change the dump output at all, and writing manually to any block has no effect. I’ve seen people mentioning test mode, but I haven’t seen any explanation of what that is and the danger next to the option in proxmark 3 is scary.

I have noticed that lf t5 info doesn’t seem to work on a blank t5577. Try cloning a chip onto it (you can just use one of the examples in the help output)

And then checking it again.

1 Like

I would also be trying what Zwack suggested.

the example will be something very much like this

lf em 410x_clone 0F0368568B 1

The chip still isn’t readable, lf search tells me

[-] No known 125/134 kHz tags found!
[+] Chipset detection: T55xx

but the data on the chip appears to have changed slightly

lf t55 dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 800FF1FF | .0000000000000..0...00000..0..0. | ....
[+]  01 | 800FFC7F | .0000000000000..0..0..00000..0.. | ....
[+]  02 | 8007FC7F | .00000000000000....0..00000..0.. | ....
[+]  03 | 800FFC7F | .0000000000000..0..0..00000..0.. | ....
[+]  04 | 800FFCFF | .0000000000000..0..0..0000..0... | ....
[+]  05 | 800FF8FF | .0000000000000..0....00000...0.. | ....
[+]  06 | 8007FFF8 | .00000000000000...0.00..0.0..000 | ....
[+]  07 | 800FF8FE | .0000000000000..0....00000..0..0 | ....
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | FE003F80 | .0.....0000000000000..0..0000000 | ..?.
[+]  01 | FE003F00 | .0..0..0000000000000.0..00000000 | ..?.
[+]  02 | FC007F00 | .0..0.0000000000000..0..00000000 | ....
[+]  03 | FC00FE00 | .0....000000000000..0..000000000 | ....

So at least something is being written?

Can you try lf t5 info on a known working chip, attempt to clone to the ring and then try lf t5 info on that?

Are you sure you have the ring oriented the right way over the right antenna? Is hw tune showing both antennas are working ok? Does the firmware/software match?

I am assuming you have tried cloning to a test card and it worked?

So lf t5 info doesn’t work with blank T5577s, good to know, I know I have the ring on the LF antenna but I’m not sure how to orient it optimally… I’ve just noticed every time I get a dump on the ring, I get completely different data back. This doesn’t happen with any other card I have. No form of writing to the ring is working either.

EDIT: I just restarted the proxmark and now the ring is consistently dumping as entirely FF. Progress?

Check out this video about 4:22

You could also try the MCT App

The single dot marks the t5577 so you will want that down. I think you will want the ring itself at right angles to the part of the antenna, but if that doesn’t work turn it 90 degrees and try again.

Even with the single dot down, at all angles I am reading seemingly random data every dump. Also, in most reads it is missing at least one block.

EDIT: I ran lf search -u, which told me that the ring is FSK modulated. After setting t5577 config modulation to FSK, I am now consistently reading all zeros from the ring. Writing and cloning still not working.

Try "lf t55xx write -b 0 -d 000880E8 -p 00000000" as a recovery
or if you have access to a blue cloner or something similar, sometimes they can force a t55 in a normal state

No data on the tag changes when trying to write.

I have access to the white cloner, but I found it to be one that did not work on HID Prox so I have no card to clone. Should I try manually inputting an ID and writing it to the T55 with the white cloner?

ok let’s start from scratch here. can you issue the following commands and post screen shots of the results…

  1. place the ring on the proxmark3 (please post a photo)

  2. put t5577 back into ASK modulation

lf t5 config --ASK

  3. clone a basic EM type 410x ID to the ring (single dot side down over the LF antenna)

lf em 410x clone --id 0102030405

  4. perform a search

lf search

Can I jump in here also!?

Do the stuff that Amal asked first, but can you answer this AFTER you have tried that?

Firstly, I don’t know if this would be causing you the issues you are experiencing.

Did you try to use the white cloner on the ring?

if so

check out this.

The syntax may have changed due to the updates on the proxmark between then and now, but the principle will be the same and you should be able to follow it through to get the same result.

1 Like

Sorry it took me a while but midterm season at school :)

This clone was successful! The ring now reads as an EM410x ID on lf search! When I get to the bottom of cloning my access card I will see if it works on this ring. Thank you so much for your help!

1 Like


Bad news, today when I tried an lf search on the ring, I got

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 
[-] No known 125/134 kHz tags found!
[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands

And no cloning is working again. I’ve checked the logs from last night and I haven’t made a single write to the chip since it last worked. What? I’m holding the ring on the proxmark as in the video (vertically with single dot side down)

That’s so strange… odd as it sounds can you put a couple bits of cardboard between the ring and proxmark3 or just hold it a few mm off the antenna?

Amal

With distance or cardboard writes are still doing nothing. I’ve noticed that lf t5 dump is mostly empty, except randomly a block of nonsense will be read.

[usb] pm3 --> lf t5 dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[usb] pm3 --> lf t5 dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  01 | FFFFFFFF | ..1111111111111111111111111111.. | ....
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  01 | E0000000 | .1.00000000000000000000000000000 | ....
[usb] pm3 --> lf t5 dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 80000000 | .0000000000000000000000000000000 | ....
[+]  01 | E0000000 | .0.00000000000000000000000000000 | ....
[+]  02 | FFFFFFFF | .1.11111111111111111111111111111 | ....
[usb] pm3 --> lf t5 dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  03 | FFFFFFFF | .11....1....1....111.1.11111.1.1 | ....
[+]  05 | C0000000 | 0.000000000000000000000000000000 | ....
[+]  06 | FFFFFFFF | ..111111111111111111111111111111 | ....
[+]  07 | FFFFFFFF | .1.11111111111111111111111111111 | ....
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | FFFFFFFF | ..111111111111111111111111111111 | ....
[+]  01 | FFFFFFFF | .1.11111111111111111111111111111 | ....

When I put the ring sideways on the reader (so the dots are facing outward and the ring is parallel to the coil), I consistently get a read from every block but the contents of those blocks is still inconsistent.

[usb] pm3 --> lf t5 dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | F0000000 | .0..0000000000000000000000000000 | ....
[+]  01 | E0000000 | .0.00000000000000000000000000000 | ....
[+]  02 | F0000000 | .0..0000000000000000000000000000 | ....
[+]  03 | F0000000 | .0..0000000000000000000000000000 | ....
[+]  04 | F0000000 | .0..0000000000000000000000000000 | ....
[+]  05 | F0000000 | .0..0000000000000000000000000000 | ....
[+]  06 | F0000000 | .0..0000000000000000000000000000 | ....
[+]  07 | F0000000 | .0..0000000000000000000000000000 | ....
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | FF800FF0 | .0...0...0000000000000...0..0000 | ....
[+]  01 | FC00FE00 | .0....000000000000..0..000000000 | ....
[+]  02 | FE003FC0 | .0..0..0000000000000...0..000000 | ..?.
[+]  03 | FE003FE0 | .0..0..0000000000000....0..00000 | ..?.
[+] saved to json file lf-t55xx-E0000000-F0000000-F0000000-F0000000-F0000000-F0000000-F0000000-dump.json
[+] saved 12 blocks to text file lf-t55xx-E0000000-F0000000-F0000000-F0000000-F0000000-F0000000-F0000000-dump.eml
[+] saved 48 bytes to binary file lf-t55xx-E0000000-F0000000-F0000000-F0000000-F0000000-F0000000-F0000000-dump.bin
[usb] pm3 --> lf t5 dump
[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | E0000000 | .0.00000000000000000000000000000 | ....
[+]  01 | F8000000 | .00..000000000000000000000000000 | ....
[+]  02 | E0000000 | .0.00000000000000000000000000000 | ....
[+]  03 | F0000000 | .0..0000000000000000000000000000 | ....
[+]  04 | E0000000 | .0.00000000000000000000000000000 | ....
[+]  05 | F0000000 | .0..0000000000000000000000000000 | ....
[+]  06 | F0000000 | .0..0000000000000000000000000000 | ....
[+]  07 | F8000000 | .00..000000000000000000000000000 | ....
[+] Reading Page 1:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | FC007F80 | .0....0000000000000...0..0000000 | ....
[+]  01 | FFF800FF | .0.0.0.0..0..0000000000000...0.. | ....
[+]  02 | FFC00FFE | .0....0...000000000000......0..0 | ....
[+]  03 | FF001FE0 | .00..0..0000000000000...0..00000 | ....
[+] saved to json file lf-t55xx-F8000000-E0000000-F0000000-E0000000-F0000000-F0000000-F8000000-dump.json
[+] saved 12 blocks to text file lf-t55xx-F8000000-E0000000-F0000000-E0000000-F0000000-F0000000-F8000000-dump.eml
[+] saved 48 bytes to binary file lf-t55xx-F8000000-E0000000-F0000000-E0000000-F0000000-F0000000-F8000000-dump.bin

Interesting…

UPDATE: okay I just ran lf t55xx write -b 0 -d 000880E8 -p 00000000 as iahimsogard recommended a while ago and now my ring is successfully reading as an EM410x ID. Baffling, I won’t touch it until I’m ready to clone my credential to it now. :)

3 Likes
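
Added example (not part of any post in this thread, and not Proxmark3 code): a small decoder for the T55x7 block 0 configuration word, applied to the block 0 values quoted above and to the recovery value 000880E8, to tell a changed configuration apart from unstable reads. The field widths are an assumption inferred from the lf t5 info fields shown in the first post, and the modulation table is an assumption based on the commonly documented T55x7 codes.

```python
# Field layout of T55x7 block 0, MSB first, as (name, width in bits).
# Assumption: widths inferred from the `lf t5 info` fields quoted in the thread.
FIELDS = [("safer_key", 4), ("reserved", 7), ("bit_rate", 3), ("extended", 1),
          ("modulation", 5), ("psk_cf", 2), ("aor", 1), ("otp", 1),
          ("max_block", 3), ("password", 1), ("seq_marker", 1),
          ("fast_write", 1), ("inverse", 1), ("por_delay", 1)]

# Assumption: modulation codes as commonly documented for the T55x7.
MODULATIONS = {0x00: "Direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
               0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
               0x08: "Manchester", 0x10: "Biphase", 0x18: "Biphase a"}

def decode_block0(word):
    """Split a 32-bit configuration word into its named fields."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 is a 32-bit word")
    fields, shift = {}, 32
    for name, width in FIELDS:
        shift -= width
        fields[name] = (word >> shift) & ((1 << width) - 1)
    return fields

def config_problems(word):
    """List reasons why a word is unlikely to be a genuine configuration."""
    f = decode_block0(word)
    problems = []
    if f["modulation"] not in MODULATIONS:
        problems.append("undefined modulation 0x%02X" % f["modulation"])
    if f["reserved"]:
        problems.append("reserved bits set")
    return problems

def assess_reads(words):
    """Judge repeated reads of block 0 taken with no write in between."""
    if not words:
        raise ValueError("need at least one read")
    if len(set(words)) > 1:
        return "unstable"      # value differs between reads: demodulated noise
    return "implausible" if config_problems(words[0]) else "plausible"

if __name__ == "__main__":
    # Block 0 as quoted in the thread: `lf t5 info`, then two `lf t5 dump` runs.
    reads = [0x800FFDF0, 0x800FFF7E, 0x800FF1FF]
    print(assess_reads(reads), [config_problems(w) for w in reads])
    # Value written by the recovery command that finally worked.
    print(decode_block0(0x000880E8), assess_reads([0x000880E8] * 3))
```

An "unstable" result points at coupling or demodulation rather than at the stored configuration, which matches the different block 0 values the ring returned on every dump.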