ANYTIME FITNESS Pyramid - Cloning Gym Fob to implant

Mini Update:

(This is based on working with the data sheets and 1’s and 0’s, with the gyms being shut I can’t fully verify if it’ll work on their readers, but the math and logic check out)

The thing that had me stumped is that the FSK bitstream is inverted to what is in the T5577 memory… should have looked closer at the config block (it’s FSK2a, Proxmark can’t detect inversion since there’s no reference).

For anyone wanting to clone one of these: lf search u
It should return as FSK2 - grab 4 lines from the middle of the dump
Invert them (change 0’s to 1’s and 1’s to 0’s) then convert to Hex

Then write to your T5577 (xEM or NExT - but use a test card first!) as follows…

Block 0: 00107080
Block 1-4: The Hex digits you found earlier

Still can’t figure out how this relates to the printed numbers with a sample size of 1, but if you have one that isn’t a T5577 you should still be able to copy it.


How did you go with this? Did the Keysy do the trick?


I’ve been doing some work for the giant multinational purple gym. I know someone who does the security systems. I’ll ask when I see him next!


Hi, this text topic has kinda been down. I’m new to this. I’m currently using the iCopy to read and write but it doesn’t seem to be reading the AF keyfob. Was thinking of purchasing a Proxmark3 but I’m scared it might not work as well. I would not want to spend more money knowing it might fail again. Could someone enlighten me on this, please? Thank you!

Read this article and this guy manages to copy the RFID of the AF keyfob using Keysy. Unfortunately I live in Singapore and Keysy is not available in my country.

Anytime Fitness Low-Frequency 125khz Key Fob
Chip Type: T55x7
Modulation: FSK2a
Bit Rate: 4 — RF/50

Farpointe Data Inc., Low-Frequency RFID Card Reader

Since the source tag is t5577 based, it’s trivial to dump and write the dump with a proxmark3 to any of our t5577 based products like xEM, NExT, etc

I’m new to all this RFID :frowning: I have not purchased a Proxmark myself and I have zero knowledge of using the Proxmark. Could you lay out the instructions on doing so? Would definitely appreciate it, thank you!!!

https://forum.dangerousthings.com/search?context=topic&context_id=5674&q=T5%20dump%20order%3Alatest&skip_context=true

Many posts that talk about t5577 dumps.

Also the trick with proxmark3 is knowing how to explore it to figure things out…

Thank you sir :slight_smile:

I have the same looking source tag as yours but am having the same issue as @HewhoHax. lf search works on a random T5577 card, but when run on the purple fob it shows (lf search -u also gives the same thing):

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[!] Error Manchester at 120
[!] Error Manchester at 122
[!] Error Manchester at 128
[!] Error Manchester at 134
[!] Error Manchester at 136
[!] Error Manchester at 138
[!] Error Manchester at 140
[!] Error Manchester at 142
[!] Error Manchester at 144
[!] Error Manchester at 146
[!] Error Manchester at 150
[!] Error Manchester at 152
[!] Error Manchester at 154
[!] Error Manchester at 158
[!] Error Manchester at 160
[!] Error Manchester at 162
[!] Error Manchester at 166
[!] Error Manchester at 168
[!] Error Manchester at 170
[!] Error Manchester at 174
[!] Error Manchester at 176
[!] Error Manchester at 178
[!] Error Manchester at 182
[!] Error Manchester at 184
[!] Error Manchester at 188
[!] Error Manchester at 190
[!] Error Manchester at 192
[!] Error Manchester at 196
[!] Error Manchester at 198
[!] Error Manchester at 202
[!] Error Manchester at 204
[!] Total Manchester Errors... 31
[=] Paradox - ID: 000000001 FC: 0 Card: 1, Checksum: 00, Raw: 0ffa24000704040404ec1041

[+] Valid Paradox ID found!

[=] Couldn't identify a chipset

Which means the dump and restore method didn’t work. Cloning the Paradox raw to a T5577 didn’t work either. Funny thing is lf search and lf para reader give different raws:

pm3 --> lf paradox reader
[!] Error Manchester at 120
[!] Error Manchester at 122
[!] Error Manchester at 128
[!] Error Manchester at 134
[!] Error Manchester at 136
[!] Error Manchester at 138
[!] Error Manchester at 140
[!] Error Manchester at 142
[!] Error Manchester at 144
[!] Error Manchester at 146
[!] Error Manchester at 150
[!] Error Manchester at 152
[!] Error Manchester at 154
[!] Error Manchester at 158
[!] Error Manchester at 160
[!] Error Manchester at 162
[!] Error Manchester at 166
[!] Error Manchester at 168
[!] Error Manchester at 170
[!] Error Manchester at 174
[!] Error Manchester at 176
[!] Error Manchester at 178
[!] Error Manchester at 182
[!] Error Manchester at 184
[!] Error Manchester at 188
[!] Error Manchester at 190
[!] Error Manchester at 192
[!] Error Manchester at 196
[!] Error Manchester at 200
[!] Error Manchester at 202
[!] Error Manchester at 204
[!] Error Manchester at 206
[!] Total Manchester Errors... 32
[=] Paradox - ID: 000000001 FC: 0 Card: 1, Checksum: 00, Raw: 0ffa24000704040404ec11ff

lf t55xx detect gives:

[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

Do you think this is a reader issue or they changed the fob? Thank you

I ended up figuring it out and the cloned card ended up working, but my block 0 was 00105080, and lf search never ended up working for me.

For those who might come across this later, in summary:
lf read
data rawdemod --fs
take the first 4 lines to convert to hex to write to block 1-4 later
put new card on
lf t5 det
lf t5 wipe
lf t5 det
lf t5 write -b 0 -d 00105080
lf t5 det
lf t5 write -b 1 -d “first line of converted hex from rawdemod”
lf t5 write -b 2 -d “second line of converted hex from rawdemod”
lf t5 write -b 3 -d “third line of converted hex from rawdemod”
lf t5 write -b 4 -d “fourth line of converted hex from rawdemod”
done
you can check by
lf t5 dump
and should look something like this
[+] ----+----------+----------------------------------+-------
[+] 00 | 00105080 | 00000000000100000101000010000000 | …P.
[+] 01 | “hex 1” | “line 1 from rawdemod” |
[+] 02 | “hex 2” | “line 2 from rawdemod”|
[+] 03 | “hex 3”| “line 3 from rawdemod”|
[+] 04 | “hex 4”| “line 4 from rawdemod”|


Did you invert the binary like the guy above to get it to work?

I did not.

Where did you guys get the data in block 0 from? (00105080) Is this different for everyone?

I’m still kinda a noob. I came up with the block 0 from reading the T5577 datasheet, and just did my best educated guess lol.
I wrote the block 0 based on the modulation, rate, max block. There are a few more variables I don’t understand (psk-cf) and just left as 0.

Block 0 on the T5577 is the configuration block. The data dictates how the analog front end of the chip will behave, if the password bit is set, etc. I believe 00105080 is what is used for setting the EM style analog front end… though it doesn’t feel familiar actually. Might edit this post later.
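
A decoder for the two block 0 values quoted in this thread, as an added example that is not part of any post. It assumes the basic-mode configuration-block layout from the T5577 datasheet (bits numbered 1 = MSB to 32 = LSB); the function and field names are illustrative.

```python
# Added example, not from the thread. The field positions below are an
# assumption taken from the T5577 datasheet (basic mode, bit 1 = MSB).
BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40",
             "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {
    0b00000: "direct", 0b00001: "PSK1", 0b00010: "PSK2", 0b00011: "PSK3",
    0b00100: "FSK1", 0b00101: "FSK2", 0b00110: "FSK1a", 0b00111: "FSK2a",
    0b01000: "Manchester", 0b10000: "Biphase",
}


def field(word, first_bit, width):
    """Extract `width` bits starting at datasheet bit `first_bit` (1..32)."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)


def decode_block0(hex_word):
    """Decode an 8-hex-digit T5577 block 0 word into named fields."""
    if len(hex_word) != 8:
        raise ValueError("block 0 must be exactly 8 hex digits")
    word = int(hex_word, 16)
    mod = field(word, 16, 5)
    return {
        "master_key": field(word, 1, 4),
        "bit_rate": BIT_RATES[field(word, 12, 3)],
        "modulation": MODULATIONS.get(mod, f"unknown({mod:05b})"),
        "psk_cf": field(word, 21, 2),
        "aor": bool(field(word, 23, 1)),
        "max_block": field(word, 25, 3),
        "password": bool(field(word, 28, 1)),
        "seq_terminator": bool(field(word, 29, 1)),
    }


def diff_configs(a, b):
    """Return only the fields on which two block 0 words disagree."""
    da, db = decode_block0(a), decode_block0(b)
    return {k: (da[k], db[k]) for k in da if da[k] != db[k]}


if __name__ == "__main__":
    for cfg in ("00107080", "00105080"):  # the two values quoted in the thread
        print(cfg, decode_block0(cfg))
    print("differs in:", diff_configs("00107080", "00105080"))
```

The two words differ only in the modulation field: 00107080 decodes as FSK2a and 00105080 as FSK2, both at RF/50 with a max block of 4. Under the assumed layout, FSK2a is the inverted form of FSK2, which matches one poster inverting the demodulated bits and the other not.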

My bad for bumping an old post.

I have just started my journey in relation to all things RFID and this is possibly one of the many use cases I want to try during my tinkering and research time.

I’m assuming that the PM3 will be the best tool to accomplish this clone to a T5577 chip. I was wondering because my initial purchase was going to be a Flipper Zero as a multiple-use case RFID tool.

As a Flipper owner, I can say that it’s possible to dump raw LF data and emulate it by turning debug mode on (at least with Xtreme firmware), but I don’t know if there’s any way to attempt writing a raw dump to a T5577. (Maybe using the command-line interface? I’m honestly not sure.) So if you encounter a similar situation where it’s a LF tag but it’s not understood yet, then the Flipper might not be able to help you unless support gets added later.


Ah okay, thank you for the feedback.

If I ever come across something, I will try to add it here.