Need Help Unbricking JakCom R5 w/ PM3EZ

I’m pretty new to the Proxmark 3 game and am using the EZ with the Iceman firmware. I got a JakCom smart ring that supposedly has two T55xx chips in it and was trying to clone some tags to it. I was able to write one HID tag to the ring, but in my attempts to write to the second chip I believe I bricked both chips and now I can only detect the T55xx chips using a password of ‘00000000’.

I have two questions:

  1. Is there an easy way to tell if there are two T55 chips in this and clone to each individually?
  2. Is it possible to save this ring or have I already bricked the chips beyond repair?

I have tried rewriting the block 0 to default multiple times and still just get the same ‘detect’ output.

lf t55xx write b 0 d 000880E0 p 00000000

I have also tried using test mode and wasn’t able to wipe anything.

I tried using the instructions from TomHarkness from this thread: Can't write xEM tag any more - #11 by TomHarkness

1. lf t55xx wipe
2. lf t55xx config d ASK b 32
3. lf t55xx detect
4. lf hid clone 2004840534
5. lf t55xx detect
6. lf search 

It worked once to get the first tag in, but after wiping to try to get the second tag it no longer works.

Here is the lf t55xx detect command output for reference:

[=]  Chip type......... T55x7
[=]  Modulation........ DIRECT/NRZ
[=]  Bit rate.......... 1 - RF/16
[=]  Inverted.......... Yes
[=]  Offset............ 40
[=]  Seq. terminator... No
[=]  Block0............ 00040000 (auto detect)
[=]  Downlink mode..... leading zero reference
[=]  Password set...... Yes
[=]  Password.......... 00000000

Please let me know if anymore diagnostic information would be helpful or if there’s another thread that’s worth looking at.

1 Like
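As an added example (this is not code from the thread or from the Proxmark project), the following Python script decodes a T55x7 block 0 configuration word using the field layout from the Atmel T5577 datasheet (the same bit positions the Iceman client's t55xx code uses), and then parses the `lf t55xx detect` output pasted above to cross-check the auto-detected block 0 against the fields detect printed next to it. The detect text is embedded as constructed sample input; the function and field names are my own.

```python
"""Decode a T55x7 block 0 word and cross-check it against `lf t55xx detect` output.

Added example, not from the thread or the Proxmark project. Masks follow the
T5577 datasheet (basic mode): the 32-bit word is numbered MSB-first in the
datasheet, so datasheet bit N corresponds to mask bit (32 - N).
"""
import re

BITRATE_MASK, BITRATE_SHIFT = 0x001C0000, 18   # datasheet bits 12-14: data bit rate
MODULATION_MASK = 0x0001F000                   # datasheet bits 16-20: modulation
PSKCF_MASK, PSKCF_SHIFT = 0x00000C00, 10       # bits 21-22: PSK carrier frequency
AOR_BIT = 0x00000200                           # bit 23: answer on request
OTP_BIT = 0x00000100                           # bit 24: one-time-programmable lock
MAXBLOCK_MASK, MAXBLOCK_SHIFT = 0x000000E0, 5  # bits 25-27: last block sent in read mode
PWD_BIT = 0x00000010                           # bit 28: password mode enabled
ST_BIT = 0x00000008                            # bit 29: sequence terminator

BITRATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
PSKCF = ["RF/2", "RF/4", "RF/8", "reserved"]
MODULATIONS = {
    0x00000: "DIRECT/NRZ", 0x01000: "PSK1", 0x02000: "PSK2", 0x03000: "PSK3",
    0x04000: "FSK1", 0x05000: "FSK2", 0x06000: "FSK1a", 0x07000: "FSK2a",
    0x08000: "MANCHESTER", 0x10000: "BIPHASE", 0x18000: "DIPHASE",
}

# Constructed sample input: the detect output pasted in the opening post.
DETECT_OUTPUT = """\
[=]  Chip type......... T55x7
[=]  Modulation........ DIRECT/NRZ
[=]  Bit rate.......... 1 - RF/16
[=]  Inverted.......... Yes
[=]  Offset............ 40
[=]  Seq. terminator... No
[=]  Block0............ 00040000 (auto detect)
[=]  Downlink mode..... leading zero reference
[=]  Password set...... Yes
[=]  Password.......... 00000000
"""


def decode_block0(word: int) -> dict:
    """Split a 32-bit block 0 word into named configuration fields."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 must be a 32-bit value")
    mod = word & MODULATION_MASK
    return {
        "master_key": word >> 28,  # top nibble; selects basic vs extended mode
        "bit_rate": BITRATES[(word & BITRATE_MASK) >> BITRATE_SHIFT],
        "modulation": MODULATIONS.get(mod, "unknown(0x%05X)" % mod),
        "psk_cf": PSKCF[(word & PSKCF_MASK) >> PSKCF_SHIFT],
        "aor": bool(word & AOR_BIT),
        "otp": bool(word & OTP_BIT),
        "max_block": (word & MAXBLOCK_MASK) >> MAXBLOCK_SHIFT,
        "password_mode": bool(word & PWD_BIT),
        "seq_terminator": bool(word & ST_BIT),
    }


def parse_detect(text: str) -> dict:
    """Turn the '[=]  Name..... value' lines printed by detect into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\[=\]\s+(.+?)\.{2,}\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def check_detect(text: str) -> dict:
    """Decode the Block0 detect reports and compare it with the fields it printed."""
    fields = parse_detect(text)
    block0_hex = fields["Block0"].split()[0]
    auto = "auto detect" in fields["Block0"]
    decoded = decode_block0(int(block0_hex, 16))
    issues = []
    rate = re.search(r"RF/\d+", fields.get("Bit rate", ""))
    if rate and rate.group(0) != decoded["bit_rate"]:
        issues.append(f"bit rate: detect says {rate.group(0)}, block0 encodes {decoded['bit_rate']}")
    if fields.get("Modulation") != decoded["modulation"]:
        issues.append(f"modulation: detect says {fields.get('Modulation')}, block0 encodes {decoded['modulation']}")
    if (fields.get("Seq. terminator") == "Yes") != decoded["seq_terminator"]:
        issues.append("seq. terminator: detect line and block0 ST bit disagree")
    if (fields.get("Password set") == "Yes") != decoded["password_mode"]:
        note = f"password mode: detect reports {fields.get('Password set')}, block0 PWD bit is {decoded['password_mode']}"
        if auto:
            note += " (an auto-detected block0 is inferred from the demodulated signal, not read from the chip)"
        issues.append(note)
    return {"block0": block0_hex, "auto_detect": auto, "decoded": decoded, "issues": issues}


if __name__ == "__main__":
    print("default config 000880E0 ->", decode_block0(0x000880E0))
    result = check_detect(DETECT_OUTPUT)
    print("detect block0", result["block0"], "->", result["decoded"])
    for issue in result["issues"]:
        print("note:", issue)
```

Run as-is, the script shows that the default word `000880E0` written in the opening post means Manchester, RF/32, max block 7, password mode off, and that the auto-detected `00040000` from the pasted output decodes to RF/16 DIRECT/NRZ, matching the Modulation and Bit rate lines. The one discrepancy it reports is the "Password set" line: an auto-detected block 0 is reconstructed from whatever demodulation succeeded, so its PWD bit says nothing about whether the chip really has password mode enabled, and it should not be read as proof that the chip is bricked.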

This seems like an odd design feature.
As I imagine the antenna is wrapped around the circumference of the ring, and if there were 2 chips of the same frequency, with antennas running parallel, this would cause nothing but problems.
IF however they were “folded” and took up half the space each, it might be usable, but you would need to present it perfectly to a reader to get the right chip.

Could you post a link from where you got it?

This is what I would try. You can also try without the -t

lf t5 wipe --p 00000000 -t

from there just write whatever you want to it

eg.

lf em 41 clone --id 1122334455

Depending on what you end up with, THIS may be of interest

good luck

This is caused by the R5 having JakCom's DRM damage applied.

They have a proprietary (lol) programmer that sets THEIR password.

When the lf t55 detect says password 0000000 and it still doesn't work, it means the Proxmark doesn't know the password.

edit-to-add: btw this means you didn’t brick it

Do you happen to know it?
Is it in the Flipper password library?

  1. yes
  2. no, getting sued is not something they want (proprietary keys of any public kind, i.e. the iClass elite key dict that has shit loads, don't go on Flips)

Cool, I've just started looking for it for @PineappleCrush, so it's good to know the search won't be futile

Nothing found in my initial search

But you could also try
51243648
which is a prevalent password on Chinese products.

You could also try sniffing the password

Not an answer for you, but I did find this

image

6 chips

I eat my words

I guess it's similar to these and similar fobs

Thanks so much for the info so far, that’s super helpful! So, if I understand correctly the JakCom password is my golden ticket? It’s so weird that it shows the password as 00000000. Even when I run bruteforce it says that 00000000 is found as a correct password which is very interesting.

Is it worth trying to have the PM guess the password or should I just look around online?

Here’s the diagram that they have on the manual and on their site.

Here’s the link to the online manual (which includes an ad for their proprietary cloner lol). Chrome shows it as not secure jsyk:
http://www.jakcom.com/ins/r5/r5en.html

Yeah, that makes more sense that way, I would assume the "best" way to use the LF side would be to remove the ring, or flip 180° to read the side closest to the knuckles.

If you had one, you could likely sniff the password.

If that specific password was on this forum, I would probably be able to find it for you; it may be one of the common ones used by the white cloner, however, I assume they are all in the Flipper dictionary, and therefore not likely.

You may be best jumping on the RFID discord, and seeing if somebody there can point you in the right direction.

Here's an invite

Oh, I should have prefixed with: Do your own searches BEFORE asking your question

1 Like

Any progress or luck with this?