Hello all,
I was trying to copy my keyfob (Em410x) to a T5577 rewritable keyfob
I first put my existing keyfob and ran the auto command
[usb|script] pm3 --> auto
[=] lf search
[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[!] Specify one authentication mode
[+] EM 410x ID 15004AD56A
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : A80052AB56
[=] HoneyWell IdentKey
[+] DEZ 8 : 04904298
[+] DEZ 10 : 0004904298
[+] DEZ 5.5 : 00074.54634
[+] DEZ 3.5A : 021.54634
[+] DEZ 3.5B : 000.54634
[+] DEZ 3.5C : 074.54634
[+] DEZ 14/IK2 : 00090199217514
[+] DEZ 15/IK3 : 000721559923542
[+] DEZ 20/ZK : 10080000050210110506
[=]
[+] Other : 54634_074_04904298
[+] Pattern Paxton : 358552426 [0x155F136A]
[+] Pattern 1 : 9235750 [0x8CED26]
[+] Pattern Sebury : 54634 74 4904298 [0xD56A 0x4A 0x4AD56A]
[+] VD / ID : 021 / 0004904298
[=] ------------------------------------------------
[+] Valid EM410x ID found!
[=] Couldn't identify a chipset
then I put the T55xx, ran the clone command, and validated with an auto command
[usb|script] pm3 --> lf em 410x clone --id 15004AD56A
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 15004AD56A (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff8d400269b5329c
[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb|script] pm3 --> auto
[=] lf search
[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[!] Specify one authentication mode
[+] EM 410x ID 15004AD56A
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : A80052AB56
[=] HoneyWell IdentKey
[+] DEZ 8 : 04904298
[+] DEZ 10 : 0004904298
[+] DEZ 5.5 : 00074.54634
[+] DEZ 3.5A : 021.54634
[+] DEZ 3.5B : 000.54634
[+] DEZ 3.5C : 074.54634
[+] DEZ 14/IK2 : 00090199217514
[+] DEZ 15/IK3 : 000721559923542
[+] DEZ 20/ZK : 10080000050210110506
[=]
[+] Other : 54634_074_04904298
[+] Pattern Paxton : 358552426 [0x155F136A]
[+] Pattern 1 : 9235750 [0x8CED26]
[+] Pattern Sebury : 54634 74 4904298 [0xD56A 0x4A 0x4AD56A]
[+] VD / ID : 021 / 0004904298
[=] ------------------------------------------------
[+] Valid EM410x ID found!
[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
At this point, the T5577 didn’t work (the door didn’t even respond) and I read somewhere that setting a password could help so I decided to set up a password.
I first dumped the contents with the dump command
[usb|script] pm3 --> lf t55xx dump
[+] Page 0
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00148040 | 00000000000101001000000001000000 | ...@
[+] 01 | FF8D4002 | 11111111100011010100000000000010 | ..@.
[+] 02 | 69B5329C | 01101001101101010011001010011100 | i.2.
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] 04 | 00000000 | 00000000000000000000000000000000 | ....
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
[+] 06 | 00000000 | 00000000000000000000000000000000 | ....
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Page 1
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00148040 | 00000000000101001000000001000000 | ...@
[+] 01 | E03900D0 | 11100000001110010000000011010000 | .9..
[+] 02 | D293302B | 11010010100100110011000000101011 | ..0+
[+] 03 | 00A00003 | 00000000101000000000000000000011 | ....
[+] saved 48 bytes to binary file C:\Projects\proxmark\rrg_other-20231225-5e06656580fde18e7389f762f9838db0d1b2c282\client\/lf-t55xx-FF8D4002-69B5329C-dump.bin
[+] saved to json file C:\Projects\proxmark\rrg_other-20231225-5e06656580fde18e7389f762f9838db0d1b2c282\client\/lf-t55xx-FF8D4002-69B5329C-dump.json
And then I’ve written block 7 with a password (12345678 )
[usb|script] pm3 --> lf t55xx write -b 7 -d 12345678
[=] Writing page 0 block: 07 data: 0x12345678
Then I also read that I needed to set the 28th bit to 1, so I ran the following command but the hex value was incorrect, I think that was because as I started from right instead of left. If I’m not mistaken it should be 148050, right?
[usb|script] pm3 --> lf t55xx write -b 0 -d 00014250
[=] Writing page 0 block: 00 data: 0x00014250
After that when I ran the lf search or auto command it didn’t detect the 5577 fob.
[usb|script] pm3 --> lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb|script] pm3 --> lf t55 detect -p 12345678
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb|script] pm3 --> lf t55xx detect -p 12345678
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
So I tried wiping it but still couldn’t detect it.
[usb|script] pm3 --> lf t55xx wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0
[=] Begin wiping...
[=] Writing page 0 block: 00 data: 0x000880E0
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
[usb|script] pm3 --> lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb|script] pm3 --> lf t55 detect -p 12345678
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb|script] pm3 --> lf t55xx detect -p 12345678
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
Is it possible to reset the 5577 fob, and reuse it?