HID Proxy clone using Proxmark3

Ok. I will pull out my pm3 tonight and run through the entire sequence I expect to work and document it.

(The lf hid read 1 came from a web site, I haven’t tried that)

It could also be a coupling issue with the fob so I will show you an example lf tune as well.

2 Likes

At this point I think I’m willing to donate an implant to @Zwack to finally get him on team cyborg fer realz

3 Likes

I can afford to pay for one… I am just waiting for the Apex ultra mega max which I hear might be available SOON™

2 Likes

Amal sitting on his hoard of implants:

:wink:

3 Likes

Join Us

1 Like

OK, so if you aren’t interested in lots of proxmark3 output you will want to skip this post…

HID cloning

First I updated my version of the proxmark3 client, and flashed the latest version to my Proxmark3 Easy… You don’t need to do this, but if a command I use doesn’t exist then you should update.

./pm3
[=] Session log /home/kali/.proxmark3/logs/log_20210726.txt
[+] loaded from JSON file /home/kali/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC


  ██████╗ ███╗   ███╗█████╗ 
  ██╔══██╗████╗ ████║╚═══██╗
  ██████╔╝██╔████╔██║ ████╔╝
  ██╔═══╝ ██║╚██╔╝██║ ╚══██╗
  ██║     ██║ ╚═╝ ██║█████╔╝       Iceman ☕
  ╚═╝     ╚═╝     ╚═╝╚════╝    ❄ bleeding edge

  https://github.com/rfidresearchgroup/proxmark3/


 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:20:20
  compiled with GCC 10.2.1 20210110 OS:Linux ARCH:aarch64

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:19:52
       os: RRG/Iceman/master/v4.13441-289-g9f08a7088 2021-07-26 04:22:06
  compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]

 [ FPGA ] 
  LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
  HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDM
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 53% used )

Now I put a T5577 that I had previously wiped on the LF antenna and ran lf t5 info.

[usb] pm3 --> lf t5 info
[usb] pm3 -->

As you can see I get absolutely no output…
So let’s make this into an HID card for further testing.

[usb] pm3 --> lf hid clone -w H10301 --fc 118 --cn 1603
[=] Preparing to clone HID tag
[+] [H10301  ] HID H10301 26-bit                FC: 118  CN: 1603  parity ( ok )
[=] Done
[?] Hint: try `lf hid reader` to verify
[usb] pm3 --> lf hid read
[+] [H10301  ] HID H10301 26-bit                FC: 118  CN: 1603  parity ( ok )
[+] [ind26   ] Indala 26-bit                    FC: 1888  CN: 1603  parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D5559555569A9A555A59569

[=] raw: 000000000000002006ec0c86
[usb] pm3 --> lf t5 info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 8
[=]  reserved                  : 0
[=]  Data bit rate             : 0 - RF/8
[=]  eXtended mode             : No
[=]  Modulation                : 0 - DIRECT (ASK/NRZ)
[=]  PSK clock frequency       : 0 - RF/2
[=]  AOR - Answer on Request   : No
[=]  OTP - One Time Pad        : No
[=]  Max block                 : 0
[=]  Password mode             : No
[=]  Sequence Terminator       : No
[=]  Fast Write                : No
[=]  Inverse data              : No
[=]  POR-Delay                 : No
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  80000000 - .0000000000000000000000000000000
[=] --- Fingerprint ------------

[usb] pm3 --> 

So I now have a T5577 pretending to be an HID card, and lf t5 info actually gives me some info. Now onto the cloning.

First we need information from the card we are wanting to clone…

[usb] pm3 --> lf hid read
[+] [H10301  ] HID H10301 26-bit                FC: 118  CN: 1603  parity ( ok )
[+] [ind26   ] Indala 26-bit                    FC: 1888  CN: 1603  parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D5559555569A9A555A59569

[=] raw: 000000000000002006ec0c86
[usb] pm3 --> 

Now I’m going to grab the entire raw string and use that…

[usb] pm3 --> lf hid clone -r 000000000000002006ec0c86
[=] Preparing to clone HID tag using raw 000000000000002006ec0c86
[=] Done
[?] Hint: try `lf hid reader` to verify
[usb] pm3 --> lf hid read
[+] [H10301  ] HID H10301 26-bit                FC: 118  CN: 1603  parity ( ok )
[+] [ind26   ] Indala 26-bit                    FC: 1888  CN: 1603  parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D5559555569A9A555A59569

[=] raw: 000000000000002006ec0c86
[usb] pm3 --> 

Now so far it has worked, but your card uses a different format. So I’ll try and create one of those…

[usb] pm3 --> lf hid clone -r 000000000000002100760643
[=] Preparing to clone HID tag using raw 000000000000002100760643
[=] Done
[?] Hint: try `lf hid reader` to verify
[usb] pm3 --> lf hid read
[+] [HCP32   ] HID Check Point 32-bit           FC: 0  CN: 60428
[+] [HPP32   ] HID Hewlett-Packard 32-bit       FC: 14  CN: 404294656
[+] [Kantech ] Indala/Kantech KFS 32-bit        FC: 59  CN: 801
[+] [WIE32   ] Wiegand 32-bit                   FC: 118  CN: 1603
[=] found 4 matching formats
[+] DemodBuffer:
[+] 1D55595655556A695569655A

[=] raw: 000000000000002100760643
[usb] pm3 -->

I also tried to clone using the other formats but neither HCP32 nor HPP32 would encode properly.

I could use both lf hid clone -w Kantech --fc 59 --cn 801 and lf hid clone -w WIE32 --fc 118 --cn 1603.

2 Likes
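As an added example (not code from the thread or from the Proxmark3 project), here is how the raw strings above relate to the decoded FC/CN. The framing assumed below, an HID marker at bit 37 plus a single 1 just above the N-bit Wiegand payload, is what makes FC 118 / CN 1603 come out as 2006ec0c86 in H10301 and 2100760643 in WIE32, and the H10301 parity rule (even over the first 12 data bits, odd over the last 12) is what the "parity ( ok )" flag checks.

```python
# Added example, not from the thread or the Proxmark3 project: how the pm3 "raw"
# HID Prox value relates to the decoded FC/CN. The framing below (HID marker at
# bit 37 plus a single 1 just above the N-bit Wiegand payload) is what makes
# FC 118 / CN 1603 read as 2006ec0c86 in H10301 and 2100760643 in WIE32.
HID_STD_MARKER = 1 << 37  # the 0x2000000000 present in every raw value in the thread


def _parity(value: int) -> int:
    """1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def pack_h10301(fc: int, cn: int) -> int:
    """Build the 26-bit H10301 payload: even parity + FC(8) + CN(16) + odd parity."""
    if not (0 <= fc < 256 and 0 <= cn < 65536):
        raise ValueError("H10301 holds an 8-bit FC and a 16-bit CN")
    data = (fc << 16) | cn              # 24 data bits
    ep = _parity(data >> 12)            # even parity over the high 12 data bits
    op = 1 - _parity(data & 0xFFF)      # odd parity over the low 12 data bits
    return (ep << 25) | (data << 1) | op


def pack_wie32(fc: int, cn: int) -> int:
    """Wiegand 32-bit: FC(16) + CN(16), no parity bits at all."""
    if not (0 <= fc < 65536 and 0 <= cn < 65536):
        raise ValueError("WIE32 holds a 16-bit FC and a 16-bit CN")
    return (fc << 16) | cn


def to_raw(payload: int, length: int) -> str:
    """Wrap a Wiegand payload in HID Prox framing, formatted as pm3 prints it."""
    raw = HID_STD_MARKER | (1 << length) | payload
    return f"{raw:024x}"                # 96-bit field, 24 hex digits


def from_raw(raw_hex: str) -> tuple:
    """Recover (bit length, payload): drop bit 37, then find the leading 1."""
    raw = int(raw_hex, 16) & ~HID_STD_MARKER
    length = raw.bit_length() - 1
    return length, raw & ((1 << length) - 1)


def decode_h10301(payload: int) -> tuple:
    """Split a 26-bit payload into (FC, CN, parity_ok); pm3's 'parity ( ok )' check."""
    ep, data, op = payload >> 25, (payload >> 1) & 0xFFFFFF, payload & 1
    ok = ep == _parity(data >> 12) and op == 1 - _parity(data & 0xFFF)
    return data >> 16, data & 0xFFFF, ok
```

Every format of the matching bit length is tried against the same payload, so lf hid read listing Indala 26-bit next to H10301 for one raw value is expected rather than a sign of a bad clone.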

Sorry for that long and boring post, but that was a complete run through of a read and clone of a couple of “HID cards”. I would suggest trying to run the exact clone commands I ran with one of those fobs. If it doesn’t work then either it is not a T55xx card, or we have something else going on here.

Out of curiosity, can you try putting a fob on the HF antenna and trying an hf search? I am wondering if your fobs are all NFC ones.

If you need me to run through using lf tune to find the best position for the tag on the antenna then let me know…

1 Like

I know I am replying to myself but I just had a look at the initial post again.

In that you take an alleged T55x7, wipe it using lf t5 wipe and can still see a config on it. When I do that I see nothing until I write a new configuration to the T5577. I am wondering if these T5577s have somehow been modified to only emulate an EM 410x.

Can you try cloning a different EM 410x ID to one of the fobs?

I read everything you posted and even tried all of it… nothing works. Yes, when I wipe the FOB I can only read it with the lf t5 config command. Looking like I’m just gonna have to give up on these fobs. Anyone want me to send you one and mess around with it? Anyways… the weird thing is the FOBs and the T5577 cards both have the same “type” of data on them.

reading the T5577 card

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 1E00EA809C
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 7800570139
[=] HoneyWell IdentKey
[+] DEZ 8 : 15368348
[+] DEZ 10 : 0015368348
[+] DEZ 5.5 : 00234.32924
[+] DEZ 3.5A : 030.32924
[+] DEZ 3.5B : 000.32924
[+] DEZ 3.5C : 234.32924
[+] DEZ 14/IK2 : 00128864387228
[+] DEZ 15/IK3 : 000515401777465
[+] DEZ 20/ZK : 07080000050700010309
[=]
[+] Other : 32924_234_15368348
[+] Pattern Paxton : 520011420 [0x1EFEBE9C]
[+] Pattern 1 : 12330009 [0xBC2419]
[+] Pattern Sebury : 32924 106 6979740 [0x809C 0x6A 0x6A809C]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn’t identify a chipset
[usb] pm3 -->

now reading the FOB

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 3D00D51E2C
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : BC00AB7834
[=] HoneyWell IdentKey
[+] DEZ 8 : 13966892
[+] DEZ 10 : 0013966892
[+] DEZ 5.5 : 00213.07724
[+] DEZ 3.5A : 061.07724
[+] DEZ 3.5B : 000.07724
[+] DEZ 3.5C : 213.07724
[+] DEZ 14/IK2 : 00262006971948
[+] DEZ 15/IK3 : 000807465089076
[+] DEZ 20/ZK : 11120000101107080304
[=]
[+] Other : 07724_213_13966892
[+] Pattern Paxton : 1038703660 [0x3DE95C2C]
[+] Pattern 1 : 14896340 [0xE34CD4]
[+] Pattern Sebury : 7724 85 5578284 [0x1E2C 0x55 0x551E2C]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn’t identify a chipset
[usb] pm3 -->

Now what’s really crazy is I can easily clone my HID Prox work card to one of the T5577 cards… but when I try to clone to the FOB it’s a no go! The only thing I haven’t tried is to clone to the FOB using the default password the cheap cloner uses when it writes. I know it looks like it doesn’t have a password on the FOBs but it seems like I should at least try. I, however, do not know how to use the password to clone the HID Prox card to the fob.
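Added example (not from the thread or the Proxmark3 project) showing where the "Possible de-scramble patterns" that lf search printed come from: each field reproduced here is a slice, a decimal rendering, or a per-byte bit reversal of the 40-bit EM410x ID, and the function gives the values shown for both the T5577 card and the fob. The Paxton and "Pattern 1" lines use a transform not evident from the output and are left out.

```python
# Added example, not from the thread or the Proxmark3 project: derive the
# de-scramble fields that lf search prints from a 40-bit EM410x ID.
def reverse_byte(b: int) -> int:
    """Reverse the bit order of one byte (0x1E -> 0x78)."""
    return int(f"{b:08b}"[::-1], 2)


def em410x_patterns(em_id_hex: str) -> dict:
    """Return the de-scramble fields pm3 prints for a 10-hex-digit EM410x ID."""
    raw = bytes.fromhex(em_id_hex)
    if len(raw) != 5:
        raise ValueError("EM410x IDs are 40 bits (10 hex digits)")
    em_id = int.from_bytes(raw, "big")
    # "Unique TAG ID" is the same 5 bytes with each byte's bits reversed
    unique = int.from_bytes(bytes(reverse_byte(b) for b in raw), "big")
    low24 = em_id & 0xFFFFFF            # last three bytes of the ID
    low16 = em_id & 0xFFFF              # last two bytes of the ID
    return {
        "unique_tag_id": f"{unique:010X}",
        "DEZ 8": f"{low24:08d}",
        "DEZ 10": f"{low24:010d}",
        "DEZ 5.5": f"{raw[2]:05d}.{low16:05d}",
        "DEZ 3.5A": f"{raw[0]:03d}.{low16:05d}",
        "DEZ 3.5B": f"{raw[1]:03d}.{low16:05d}",
        "DEZ 3.5C": f"{raw[2]:03d}.{low16:05d}",
        "DEZ 14/IK2": f"{em_id:014d}",           # whole ID as decimal
        "DEZ 15/IK3": f"{unique:015d}",          # bit-reversed ID as decimal
        "DEZ 20/ZK": "".join(f"{int(c, 16):02d}" for c in f"{unique:010X}"),
        "Other": f"{low16:05d}_{raw[2]}_{low24}",
        "Sebury": f"{low16} {raw[2] & 0x7F} {low24 & 0x7FFFFF}",
    }
```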

So I got hold of some blank T5577 key fobs. They were from Amazon:

YARONGTECH-10 PCS Writable 125kHz RFID Key Fob Proximity ID Card Token Tag Rewritable T5577 Universal

It states the following on the Amazon page for the FOBs:

  • Original T5577 chip, it doesn’t have a pre-programmed id number, so you need to write the id on it before you read
  • It’s a rewritable chip, and it can write in 125khz id format and HID WG 125khz format
  • Please note it can’t be read before you program the chip

Ok… so these are reading just like the other FOBs I was having issues with. The exact same type of data and the exact same type of issue. So let’s get noobish! WTF does it mean, write the ID? Does that mean you have to make the FOB into, for instance, an EM 410x ID? If so, then I should be able to make the FOB into a HID Prox ID, yes? Then I could clone my work card. Hmm, well guess what, I tried and still it won’t friggin clone! Starting to think something’s up with the antenna? Not having it tuned properly… I don’t get why these don’t work; it’s just a regular T5577 card, it should be the same! Frustrated now!

If the antenna wasn’t tuned properly then you would be likely to have the same issue with the cards.

So, let’s start at the beginning: can you post the output of hw tune with nothing on the antenna?

What sort of surface is your Proxmark3 sitting on?

1 Like

Proxmark3 sitting on my computer desk… nothing around it other than monitor and keyboard. The table is a thick wood table, the kind used in college classes, in labs and that sort of thing.

results of “hw tune”

[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] hw tune doesn’t actively tune your antennas,
[=] it’s only informative.
[=] Measuring antenna characteristics, please wait…
[-] 9
[=] ---------- LF Antenna ----------
[+] LF antenna: 65.78 V - 125.00 kHz
[+] LF antenna: 33.93 V - 134.83 kHz
[+] LF optimal: 65.78 V - 125.00 kHz
[+] Approx. Q factor (*): 10.9 by frequency bandwidth measurement
[+] Approx. Q factor (*): 19.1 by peak voltage measurement
[!] Contradicting measures seem to indicate you’re running a PM3_GENERIC firmware on a RDV4
[!] False positives is possible but please check your setup
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 36.28 V - 13.56 MHz
[+] Approx. Q factor (*): 10.5 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

[usb] pm3 -->

First I found out my antenna was not set on the back to the correct voltage. I also found out that some of the FOBs were password protected (which was my fault); I had used these as test subjects trying to learn. Did not realize I put a password on them; I was able to remove the password and get them working. I however do still have a few FOBs that I did not password, and for the life of me I cannot get the lf t55xx detect command to work. They just refuse to show me their chipset. Anyways… for now I got accomplished what I needed… so going to give it a rest for a day or two… then I will resume to find out why these few FOBs just refuse to respond.

Sorry if I missed it, but did you try a simple

lf search

is there a possibility that some could be HF fobs (some fobs, like cards look visually identical)

if so

hf search

1 Like

Sorry, I didn’t realise that you are using a Proxmark3 RDV4.

In that case you also have a firmware mismatch (you can change the platform in Makefile.platform to PM3RDV4).

As for the cards that don’t show up, I discovered that a blank T55XX does not respond to lf t5 info so you might want to write a tag to them first and try again.

I did this once before… and when I finished installing and flashing, when it loaded it told me I had a hardware/firmware mismatch. When I install and flash with PM3GENERIC I don’t get that error, and I know I have a Proxmark3 RDV4 because I bought it from https://hackerwarehouse.com/

Sorry, no, they are not high frequency fobs… but to answer your questions, I have done lf search and they respond as if they are emulating an em410x; however, I cannot actually access the FOB because I need to be able to lf t55xx detect them first in order to send commands. At least this is my understanding.

No, you can send commands anyway. But if they are currently claiming to be an em410x and are not responding to lf t5 info then they might well be an em410x.

Yeah, what Zwack said…

You could also try just writing a new id and seeing if that takes.
Depending on your firmware version, something like (confirm syntax with your proxmark):

lf em 410x clone --id 0FB68543F0

By the way, if you really want to make sure you never forget your pass you might want to consider a FlexEM or an xEM, both of which are implantable T5577 chips; the difference is in the packaging. The xEM would be easier to install, but the FlexEM should have better connectivity.

2 Likes