OK, so if you aren’t interested in lots of proxmark3 output you will want to skip this post…
HID cloning
First I updated my version of the proxmark3 client, and flashed the latest version to my proxmark3 easy… You don’t need to do this, but if a command I use doesn’t exist then you should update.
./pm3
[=] Session log /home/kali/.proxmark3/logs/log_20210726.txt
[+] loaded from JSON file /home/kali/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC
██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝ Iceman ☕
╚═╝ ╚═╝ ╚═╝╚════╝ ❄ bleeding edge
https://github.com/rfidresearchgroup/proxmark3/
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:20:20
compiled with GCC 10.2.1 20210110 OS:Linux ARCH:aarch64
[ PROXMARK3 ]
firmware.................. PM3 GENERIC
[ ARM ]
bootrom: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:19:52
os: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:22:06
compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]
[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDM
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 53% used )
Now I put a T5577 that I had previously wiped on the lf antenna and ran lf t5 info
[usb] pm3 --> lf t5 info
[usb] pm3 -->
As you can see I get absolutely no output…
So let’s make this into an HID card for further testing.
[usb] pm3 --> lf hid clone -w H10301 --fc 118 --cn 1603
[=] Preparing to clone HID tag
[+] [H10301 ] HID H10301 26-bit FC: 118 CN: 1603 parity ( ok )
[=] Done
[?] Hint: try `lf hid reader` to verify
[usb] pm3 --> lf hid read
[+] [H10301 ] HID H10301 26-bit FC: 118 CN: 1603 parity ( ok )
[+] [ind26 ] Indala 26-bit FC: 1888 CN: 1603 parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D5559555569A9A555A59569
[=] raw: 000000000000002006ec0c86
[usb] pm3 --> lf t5 info
[=] --- T55x7 Configuration & Information ---------
[=] Safer key : 8
[=] reserved : 0
[=] Data bit rate : 0 - RF/8
[=] eXtended mode : No
[=] Modulation : 0 - DIRECT (ASK/NRZ)
[=] PSK clock frequency : 0 - RF/2
[=] AOR - Answer on Request : No
[=] OTP - One Time Pad : No
[=] Max block : 0
[=] Password mode : No
[=] Sequence Terminator : No
[=] Fast Write : No
[=] Inverse data : No
[=] POR-Delay : No
[=] -------------------------------------------------------------
[=] Raw Data - Page 0, block 0
[=] 80000000 - .0000000000000000000000000000000
[=] --- Fingerprint ------------
[usb] pm3 -->
So I now have a T5577 pretending to be an HID card, and lf t5 info actually gives me some info. Now onto the cloning.
First we need information from the card we are wanting to clone…
Sorry for that long and boring post, but that was a complete run through of a read and clone of a couple of “HID cards”. I would suggest trying to run the exact clone commands I ran with one of those fobs. If it doesn’t work then either it is not a T55xx card, or we have something else going on here.
Out of curiosity, can you try putting a fob on the HF antenna and trying an hf search? I am wondering if your fobs are all NFC ones.
If you need me to run through using lf tune @ to find the best position for the tag on the antenna then let me know…
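To make the `lf hid read` output earlier in this post concrete, here is an added Python example (not from the original post or the proxmark3 project) that Manchester-decodes the DemodBuffer line, extracts the H10301 FC/CN with both parity checks, and re-encodes FC 118 / CN 1603 back to the raw value printed. The '01' = 0 / '10' = 1 polarity and the raw framing bits (length sentinel at bit 26, header at bit 37) are assumptions, checked against the post's own values.

```python
# Added example (not from the post): decode/encode the H10301 values shown
# in the `lf hid read` output above. Both constants are copied from that output.
DEMOD = "1D5559555569A9A555A59569"   # DemodBuffer line
RAW = "000000000000002006ec0c86"     # raw: line

def manchester_to_raw(demod_hex: str) -> int:
    """Strip the 0x1D preamble and Manchester-decode the rest.

    Assumed polarity: pair '01' is a 0 bit, '10' is a 1 bit (confirmed by
    comparing the result with the raw value the Proxmark printed).
    """
    bits = bin(int(demod_hex, 16))[2:].zfill(len(demod_hex) * 4)
    if not bits.startswith("00011101"):
        raise ValueError("missing 0x1D preamble")
    out = 0
    for i in range(8, len(bits), 2):
        pair = bits[i:i + 2]
        if pair not in ("01", "10"):
            raise ValueError(f"invalid Manchester pair {pair!r} at bit {i}")
        out = (out << 1) | (pair == "10")
    return out

def h10301_decode(raw: int) -> tuple[int, int]:
    """Return (FC, CN) from a raw value carrying a 26-bit H10301 card.

    Layout of the 26 bits: even parity over the top 12 data bits, 8-bit FC,
    16-bit CN, odd parity over the low 12 data bits. Proxmark sets bit 26 as a
    length sentinel for 26-bit cards (assumption; matches the raw above).
    """
    if not (raw >> 26) & 1:
        raise ValueError("bit 26 sentinel not set: not a 26-bit card")
    card = raw & ((1 << 26) - 1)
    even_p, odd_p = (card >> 25) & 1, card & 1
    data = (card >> 1) & 0xFFFFFF          # the 24 data bits: FC then CN
    if bin(data >> 12).count("1") % 2 != even_p:
        raise ValueError("even parity mismatch")
    if (bin(data & 0xFFF).count("1") + odd_p) % 2 != 1:
        raise ValueError("odd parity mismatch")
    return data >> 16, data & 0xFFFF

def h10301_encode(fc: int, cn: int) -> int:
    """Build the 26-bit H10301 value (with both parity bits) from FC and CN."""
    if not (0 <= fc < 256 and 0 <= cn < 65536):
        raise ValueError("FC must fit in 8 bits and CN in 16 bits")
    data = (fc << 16) | cn
    even_p = bin(data >> 12).count("1") % 2
    odd_p = 1 - bin(data & 0xFFF).count("1") % 2
    return (even_p << 25) | (data << 1) | odd_p

def proxmark_raw(card26: int) -> str:
    """Frame a 26-bit value like the post's raw: line (assumed framing:
    sentinel at bit 26, header bit at bit 37, printed as 24 hex digits)."""
    return f"{(1 << 37) | (1 << 26) | card26:024x}"
```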
I know I am replying to myself but I just had a look at the initial post again.
In that you take an alleged T55x7, wipe it using lf t5 wipe and can still see a config on it. When I do that I see nothing until I write a new configuration to the T5577. I am wondering if somehow these T5577s have been modified to only emulate an EM 410x.
Can you try cloning a different EM 410x ID to one of the fobs?
I read everything you posted and even tried all of it… nothing works. Yes, when I wipe the FOB I can only read it with the lf t5 config command. Looking like I'm just gonna have to give up on these fobs. Anyone want me to send you one so you can mess around with it? Anyways… the weird thing is the FOBs and the T5577 cards both have the same "type" of data on them.
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 1E00EA809C
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 7800570139
[=] HoneyWell IdentKey
[+] DEZ 8 : 15368348
[+] DEZ 10 : 0015368348
[+] DEZ 5.5 : 00234.32924
[+] DEZ 3.5A : 030.32924
[+] DEZ 3.5B : 000.32924
[+] DEZ 3.5C : 234.32924
[+] DEZ 14/IK2 : 00128864387228
[+] DEZ 15/IK3 : 000515401777465
[+] DEZ 20/ZK : 07080000050700010309
[=]
[+] Other : 32924_234_15368348
[+] Pattern Paxton : 520011420 [0x1EFEBE9C]
[+] Pattern 1 : 12330009 [0xBC2419]
[+] Pattern Sebury : 32924 106 6979740 [0x809C 0x6A 0x6A809C]
[=] ------------------------------------------------
[+] Valid EM410x ID found!
[=] Couldn't identify a chipset
[usb] pm3 -->
Now reading the FOB:
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 3D00D51E2C
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : BC00AB7834
[=] HoneyWell IdentKey
[+] DEZ 8 : 13966892
[+] DEZ 10 : 0013966892
[+] DEZ 5.5 : 00213.07724
[+] DEZ 3.5A : 061.07724
[+] DEZ 3.5B : 000.07724
[+] DEZ 3.5C : 213.07724
[+] DEZ 14/IK2 : 00262006971948
[+] DEZ 15/IK3 : 000807465089076
[+] DEZ 20/ZK : 11120000101107080304
[=]
[+] Other : 07724_213_13966892
[+] Pattern Paxton : 1038703660 [0x3DE95C2C]
[+] Pattern 1 : 14896340 [0xE34CD4]
[+] Pattern Sebury : 7724 85 5578284 [0x1E2C 0x55 0x551E2C]
[=] ------------------------------------------------
[+] Valid EM410x ID found!
[=] Couldn't identify a chipset
[usb] pm3 -->
Now what's really crazy is I can easily clone my HID Prox work card to one of the T5577 cards… but when I try to clone to the FOB it's a no go! The only thing I haven't tried is to clone to the FOB using the default password the cheap cloner uses when it writes. I know it looks like it doesn't have a password on the FOBs, but it seems like I should at least try. I, however, do not know how to use the password to clone the HID Prox card to the fob.
So I got hold of some blank T5577 key fobs. They were from Amazon:
YARONGTECH-10 PCS Writable 125kHz RFID Key Fob Proximity ID Card Token Tag Rewritable T5577 Universal
It states the following on the Amazon page for the FOBs:
Original T5577 Chip, it doesn't have a pre-programmed ID number, so you need to write the ID on it before you read it
It's a rewritable chip, and it can write in 125kHz ID format and HID WG 125kHz format
Please note it can't be read before you program the chip
Ok… so these are reading just like the other FOBs I was having issues with. The exact same type of data and the exact same type of issue. So let's get noobish! WTF does it mean to write the ID? Does that mean you have to make the FOB into, for instance, an EM 410x ID? If so, then I should be able to make the FOB into a Prox HID ID, yes? Then I could clone my work card. Hmm, well guess what, I tried and still it won't friggin clone! Starting to think something is up with the antenna? Not having it tuned properly… I don't get why these don't work; just like a regular T5577 card, it should be the same! Frustrated now!
Proxmark3 is sitting on my computer desk… nothing around it other than a monitor and keyboard. The table is a thick wood table, the kind used in college classes in labs and that sort of thing.
Results of "hw tune":
[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] hw tune doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait…
[-] 9
[=] ---------- LF Antenna ----------
[+] LF antenna: 65.78 V - 125.00 kHz
[+] LF antenna: 33.93 V - 134.83 kHz
[+] LF optimal: 65.78 V - 125.00 kHz
[+] Approx. Q factor (): 10.9 by frequency bandwidth measurement
[+] Approx. Q factor (): 19.1 by peak voltage measurement
[!] Contradicting measures seem to indicate you're running a PM3_GENERIC firmware on a RDV4
[!] False positives is possible but please check your setup
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 36.28 V - 13.56 MHz
[+] Approx. Q factor (*): 10.5 by peak voltage measurement
[+] HF antenna is OK
(*) Q factor must be measured without tag on the antenna
[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.
First I found out my antenna was not set on the back to the correct voltage. I also found out that some of the FOBs were password protected (which was my fault); I had used these as test subjects trying to learn. I did not realize I had put a password on them. I was able to remove the password and get them working. I, however, do still have a few FOBs that I did not password, and for the life of me I cannot get the lf t55xx detect command to work. They just refuse to show me their chipset. Anyways… for now I accomplished what I needed… so going to give it a rest for a day or two… then I will resume to find out why these few FOBs just refuse to respond.
Sorry, I didn't realise that you are using a Proxmark3 RDV4.
In that case you also have a firmware mismatch (you can change the platform in Makefile.platform to PM3RDV4).
As for the cards that don’t show up, I discovered that a blank T55XX does not respond to lf t5 info so you might want to write a tag to them first and try again.
I did this once before… and when I finished installing and flashing… then when it loaded it told me I had a hardware/firmware mismatch. When I install and flash with PM3_GENERIC I don't get that error, and I know I have a Proxmark3 RDV4 because I bought it from https://hackerwarehouse.com/
Sorry, no, they are not High Frequency fobs… but to answer your questions, I have done lf search and they respond as if they are emulating an EM410x; however, I cannot actually access the FOB because I need to be able to lf t55xx detect them first in order to send commands. At least this is my understanding.
No, you can send commands anyway. But if they are currently claiming to be an EM410x and are not responding to lf t5 info then they might well be an EM410x.
You could also try just writing a new id and seeing if that takes.
Depending on your firmware version, something like (confirm the syntax with your proxmark)
By the way, if you really want to make sure you never forget your pass you might want to consider a Flex Em or an XEm, both of which are implantable T5577 chips; the difference is in the packaging. The XEm would be easier to install, but the FlexEm should have better connectivity.