Did I brick my T5577 while trying to set up a password?

Hello all,

I was trying to copy my keyfob (EM410x) to a T5577 rewritable keyfob.

I first put my existing keyfob and ran the auto command

[usb|script] pm3 --> auto
[=] lf search

[=] Note: False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 
[!] Specify one authentication mode
[+] EM 410x ID 15004AD56A
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : A80052AB56
[=] HoneyWell IdentKey
[+]     DEZ 8          : 04904298
[+]     DEZ 10         : 0004904298
[+]     DEZ 5.5        : 00074.54634
[+]     DEZ 3.5A       : 021.54634
[+]     DEZ 3.5B       : 000.54634
[+]     DEZ 3.5C       : 074.54634
[+]     DEZ 14/IK2     : 00090199217514
[+]     DEZ 15/IK3     : 000721559923542
[+]     DEZ 20/ZK      : 10080000050210110506
[=] 
[+] Other              : 54634_074_04904298
[+] Pattern Paxton     : 358552426 [0x155F136A]
[+] Pattern 1          : 9235750 [0x8CED26]
[+] Pattern Sebury     : 54634 74 4904298  [0xD56A 0x4A 0x4AD56A]
[+] VD / ID            : 021 / 0004904298
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn't identify a chipset

Then I put the T55xx, ran the clone command, and validated with an auto command

[usb|script] pm3 --> lf em 410x clone --id 15004AD56A
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 15004AD56A (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff8d400269b5329c

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb|script] pm3 --> auto
[=] lf search

[=] Note: False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 
[!] Specify one authentication mode
[+] EM 410x ID 15004AD56A
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : A80052AB56
[=] HoneyWell IdentKey
[+]     DEZ 8          : 04904298
[+]     DEZ 10         : 0004904298
[+]     DEZ 5.5        : 00074.54634
[+]     DEZ 3.5A       : 021.54634
[+]     DEZ 3.5B       : 000.54634
[+]     DEZ 3.5C       : 074.54634
[+]     DEZ 14/IK2     : 00090199217514
[+]     DEZ 15/IK3     : 000721559923542
[+]     DEZ 20/ZK      : 10080000050210110506
[=] 
[+] Other              : 54634_074_04904298
[+] Pattern Paxton     : 358552426 [0x155F136A]
[+] Pattern 1          : 9235750 [0x8CED26]
[+] Pattern Sebury     : 54634 74 4904298  [0xD56A 0x4A 0x4AD56A]
[+] VD / ID            : 021 / 0004904298
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands

At this point, the T5577 didn’t work (the door didn’t even respond) and I read somewhere that setting a password could help so I decided to set up a password.

I first dumped the contents with the dump command

[usb|script] pm3 --> lf t55xx dump

[+] Page 0
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00148040 | 00000000000101001000000001000000 | ...@
[+]  01 | FF8D4002 | 11111111100011010100000000000010 | ..@.
[+]  02 | 69B5329C | 01101001101101010011001010011100 | i.2.
[+]  03 | 00000000 | 00000000000000000000000000000000 | ....
[+]  04 | 00000000 | 00000000000000000000000000000000 | ....
[+]  05 | 00000000 | 00000000000000000000000000000000 | ....
[+]  06 | 00000000 | 00000000000000000000000000000000 | ....
[+]  07 | 00000000 | 00000000000000000000000000000000 | ....

[+] Page 1
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00148040 | 00000000000101001000000001000000 | ...@
[+]  01 | E03900D0 | 11100000001110010000000011010000 | .9..
[+]  02 | D293302B | 11010010100100110011000000101011 | ..0+
[+]  03 | 00A00003 | 00000000101000000000000000000011 | ....
[+] saved 48 bytes to binary file C:\Projects\proxmark\rrg_other-20231225-5e06656580fde18e7389f762f9838db0d1b2c282\client\/lf-t55xx-FF8D4002-69B5329C-dump.bin
[+] saved to json file C:\Projects\proxmark\rrg_other-20231225-5e06656580fde18e7389f762f9838db0d1b2c282\client\/lf-t55xx-FF8D4002-69B5329C-dump.json

And then I wrote block 7 with a password (12345678)

[usb|script] pm3 --> lf t55xx write -b 7 -d 12345678
[=] Writing page 0  block: 07  data: 0x12345678

Then I also read that I needed to set the 28th bit to 1, so I ran the following command, but the hex value was incorrect. I think that was because I started from the right instead of the left. If I’m not mistaken it should be 148050, right?

[usb|script] pm3 --> lf t55xx write -b 0 -d 00014250
[=] Writing page 0  block: 00  data: 0x00014250

After that when I ran the lf search or auto command it didn’t detect the 5577 fob.

[usb|script] pm3 --> lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb|script] pm3 --> lf t55 detect -p 12345678
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb|script] pm3 --> lf t55xx detect -p 12345678
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

So I tried wiping it but still couldn’t detect it.

[usb|script] pm3 --> lf t55xx wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0 
[=] Writing page 0  block: 01  data: 0x00000000 
[=] Writing page 0  block: 02  data: 0x00000000 
[=] Writing page 0  block: 03  data: 0x00000000 
[=] Writing page 0  block: 04  data: 0x00000000 
[=] Writing page 0  block: 05  data: 0x00000000 
[=] Writing page 0  block: 06  data: 0x00000000 
[=] Writing page 0  block: 07  data: 0x00000000 

[usb|script] pm3 --> lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb|script] pm3 --> lf t55 detect -p 12345678
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb|script] pm3 --> lf t55xx detect -p 12345678
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

Is it possible to reset the 5577 fob, and reuse it?

Your block 0 programming is incorrect. This is also the configuration block, so setting this incorrectly means the chip could brick due to misconfiguration.

Hex data is represented in pairs, so 40 at the end of the block 0 value is a single byte representing 16 bits. There is no way setting that byte value to 50 affected the 28th bit.

To try to recover at this point you’ll have to use some undocumented test mode commands.

2 Likes

Thanks a lot amal :pray:, I’ll try the methods in the link. Meanwhile, do you have any idea why the cloned T5577 didn’t work? I followed the same procedure with another T5577, and set the password correctly this time, but it didn’t work with or without the password (there were no sounds or blinks from the reader). Is there something that I can do differently, or any resources you can direct me to? Thank you again…

You’ll have to sniff the activities between the reader and the T5577 card or fob (better sniffable performance) to maybe get an idea.

I could get a response from the following command.

[usb] pm3 --> lf t5 p1detect -p 12345678
[+] T55xx chip found!
[+] Downlink Mode used : default/fixed bit length

but none of the other commands worked.

lf t55 write -b 0 -d 000880E0 -t
lf t55 write -b 0 -d 000880E0 --r0 -t
lf t55 write -b 0 -d 000880E0 --r1 -t
lf t55 write -b 0 -d 000880E0 --r2 -t
lf t55 write -b 0 -d 000880E0 --r3 -t
lf t55 write -b 0 -d 000880E0 -t -p 12345678
lf t55 write -b 0 -d 000880E0 --r0 -t -p 12345678
lf t55 write -b 0 -d 000880E0 --r1 -t -p 12345678
lf t55 write -b 0 -d 000880E0 --r2 -t -p 12345678
lf t55 write -b 0 -d 000880E0 --r3 -t -p 12345678

Then I used the commands without the -t command and voilà, it worked :smiley:

[usb] pm3 --> lf t55 write -b 0 -d 000880E0
[=] Writing page 0  block: 00  data: 0x000880E0
[usb] pm3 --> lf t55 write -b 0 -d 000880E0 -p 12345678
[=] Writing page 0  block: 00  data: 0x000880E0 pwd: 0x12345678

[usb] pm3 --> lf t55x detect
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 2 - RF/32
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... Yes
[=]  Block0............ 000880E0 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

[usb] pm3 --> lf t55x wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000

[usb] pm3 --> lf t55x detect
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 2 - RF/32
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... Yes
[=]  Block0............ 000880E0 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

Thank you very much for the help :pray: Now back to sniffing :smiley:

3 Likes
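
Added example (not part of the thread and not Proxmark3's own code): a decoder for the T5577 block 0 configuration word, applied to the block 0 values quoted in the posts above. It assumes the ATA5577 datasheet's basic-mode layout, where bits are numbered 1 to 32 starting from the most significant bit, so the PWD flag at bit 28 has mask 0x10; the function and table names are made up for this example.

```python
# T5577 block 0 (basic mode) decoder. Assumption: datasheet numbering, where
# bit 1 is the MSB of the 32-bit word, so "bit n" has mask 1 << (32 - n).
# The sample words in main are the block 0 values quoted in the thread.

BITRATES = ["RF/8", "RF/16", "RF/32", "RF/40",
            "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {0x00: "direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
               0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
               0x08: "Manchester (ASK)", 0x10: "Biphase"}
PWD_BIT = 28


def field(word, first_bit, last_bit):
    """Extract datasheet bits first_bit..last_bit (1 = MSB, 32 = LSB)."""
    width = last_bit - first_bit + 1
    return (word >> (32 - last_bit)) & ((1 << width) - 1)


def decode_block0(word):
    """Return the fields that decide whether and how the tag answers."""
    mod = field(word, 16, 20)
    return {
        "bitrate": BITRATES[field(word, 12, 14)],
        "modulation": MODULATIONS.get(mod, f"other/reserved (0x{mod:02X})"),
        "aor": bool(field(word, 23, 23)),      # answer-on-request
        "maxblk": field(word, 25, 27),         # last block sent in read mode
        "pwd": bool(field(word, PWD_BIT, PWD_BIT)),
    }


def set_pwd(word):
    """Set only the password flag, leaving every other field untouched."""
    return word | (1 << (32 - PWD_BIT))


if __name__ == "__main__":
    samples = [("after EM410x clone", 0x00148040),
               ("value written to block 0", 0x00014250),
               ("wipe default", 0x000880E0)]
    for label, word in samples:
        print(f"{label:26} {word:08X} {decode_block0(word)}")
    print(f"clone config with PWD set: {set_pwd(0x00148040):08X}")
```

Decoding a candidate word this way before writing block 0 shows whether only the intended flag changed or whether the bit rate, modulation and answer-on-request fields moved as well.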