Need Help Unbricking JakCom R5 w/ PM3EZ

PineappleCrush · December 28, 2022, 10:36pm

I’m pretty new to the Proxmark 3 game and am using the EZ with the Iceman firmware. I got a JakCom smart ring that supposedly has two T55xx chips in it and was trying to clone some tags to it. I was able to write one HID tag to the ring, but in my attempts to write to the second chip I believe I bricked both chips and now I can only detect the T55xx chips using a password of ‘00000000’.

I have two questions:

Is there an easy way to tell if there are two T55 chips in this and clone to each individually?
Is it possible to save this ring or have I already bricked the chips beyond repair?

I have tried rewriting the block 0 to default multiple times and still just get the same ‘detect’ output.

lf t55xx write b 0 d 000880E0 p 00000000

I have also tried using test mode and wasn’t able to wipe anything.

I tried using the instructions from TomHarkness from this thread: Can't write xEM tag any more - #11 by TomHarkness

1. lf t55xx wipe
2. lf t55xx config d ASK b 32
3. lf t55xx detect
4. lf hid clone 2004840534
5. lf t55xx detect
6. lf search

It worked once to get the first tag in, but after wiping to try to get the second tag it no longer works.

Here is the lf t55xx detect command output for reference:

[=]  Chip type......... T55x7
[=]  Modulation........ DIRECT/NRZ
[=]  Bit rate.......... 1 - RF/16
[=]  Inverted.......... Yes
[=]  Offset............ 40
[=]  Seq. terminator... No
[=]  Block0............ 00040000 (auto detect)
[=]  Downlink mode..... leading zero reference
[=]  Password set...... Yes
[=]  Password.......... 00000000

Please let me know if anymore diagnostic information would be helpful or if there’s another thread that’s worth looking at.

Pilgrimsmaster · December 28, 2022, 11:23pm

This seems like an odd design feature.
As I imagine the antenna is wrapped around tge circumference if the ring, and if there were 2 chips of the same frequency, with antennas running parallel, this would cause nothing but problems.
IF however they were “folded” and took up half the space each, it might be usable, but you would need to present it perfectly to a reader to get the right chip.

Could you post a link from where you got it?

This is what I would try You can also try without the -t

lf t5 wipe --p 00000000 -t

from there just write whatever you want to it

eg.

lf em 41 clone --id 1122334455

Depending on what you end up with, THIS may be of interest

good luck

Equipter · December 28, 2022, 11:35pm

this is caused by the R5 having jakcoms DRM damage applied.

they have a proprietary (lol) programmer that sets THEIR password.

when the lf t55 detect says password 0000000 and it still doesn’t work it means the proxmark doesn’t know the password.

edit-to-add: btw this means you didn’t brick it

Pilgrimsmaster · December 28, 2022, 11:38pm

Do you happen to know it?
Is it in the Flipper password library?

Equipter · December 28, 2022, 11:41pm

yes
no, getting sued is not something they want (proprietary keys of any public kind ie iclass elite key dict that has shit loads don’t go on flips)

Pilgrimsmaster · December 28, 2022, 11:44pm

Cool, I’ve just started looking for it for @PineappleCrush ,so Its good to know the search won’t be futile

Pilgrimsmaster · December 29, 2022, 12:11am

Nothing found in my initial search

But you could also try
51243648
which is a prevalent password on Chinese products.

You could also try sniffing the password

Pilgrimsmaster · December 29, 2022, 12:44am

Not an answer for you, but I did find this

6 chips

I eat my words

I guess its similar to these and similar fobs

PineappleCrush · December 29, 2022, 1:04am

Thanks so much for the info so far, that’s super helpful! So, if I understand correctly the JakCom password is my golden ticket? It’s so weird that it shows the password as 00000000. Even when I run bruteforce it says that 00000000 is found as a correct password which is very interesting.

Is it worth trying to have the PM guess the password or should I just look around online?

Here’s the diagram that they have on the manual and on their site.

Here’s the link to the online manual (which includes an ad for their proprietary cloner lol). Chrome shows it as not secure jsyk:
http://www.jakcom.com/ins/r5/r5en.html

Pilgrimsmaster · December 29, 2022, 3:18am

Yeah, that makes more sense that way, I would assume the “best” way to use the LF side would be to remove the ring, or flip 180⁰ to read the side closest to the knuckles.

If you had one, you could likely sniff the password.

If that specific password was on this forum, I would probably be able to find it for you,; it may be one of the common ones, used by the white cloner, however, I assume they are all in the Flipper dictionary, and therefore not likely.

You may be best jumping on the RFID discord, and seeing if somebody there can point you in the right direction.

Heres an invite

Pilgrimsmaster · December 29, 2022, 7:06am

Oh, I should have pre-fixed with; Do your own searches BEFORE asking your question

Pilgrimsmaster · December 30, 2022, 9:12am

Any progress or luck with this?

tproenca · November 8, 2023, 9:23pm

it worked for me using the following command:

lf t5 detect -p 51243648
lf t5 restore -f <dump_file> -p 51243648

Carl · March 1, 2024, 7:04pm

The Default Passwords for R5

ID1 = 5469616E
ID2 = 51243648

Pilgrimsmaster · March 1, 2024, 9:27pm

First post

and its a stunner
Thanks for the info

Hamspiced · March 2, 2024, 2:42am

Comes out of the woodwork to drop knowledge

Carl · March 3, 2024, 1:55pm

I ran into a few problems when trying to Program ID 1 and ID 2 with it seaming to be bricked and would not read anything from either ID 1 or ID 2
I am using Proxmark 3 to Write and Flipper Zero to Read.
The Flipper Zero reads anything but it wouldn’t Read anything from my initial problem.
To get out of this i used the instructions on here, basically you need to clear the blocks 0 - 7 to 0x00000000 using this comand:
lf t5 wipe --p 00000000
and then your program code. Mine is Pac/Stanley so i use this code.
lf pac clone --cn XXXXXXXX (XXXXXXXX = my Code)

Doing this will work everytime. A question i have though is: Are there 4 RFID chips or just 2 and why can we only seam to be able to program one ? (A bit of a waste)
I have several RFID tags. Another thought is can more than one tag be combined together ? ie sending out two or more codes to the reciever.

Pilgrimsmaster · March 3, 2024, 5:24pm

I think ( I don’t have one ) the R5 has 6 Chips in total

2 x IC ( Mifare Classic 1k not sure if gen1a or gen2 )
2 x NFC ( Assuming NTAG 213, 215, 216??)

Now for your question
2 x RFID , I would assume T5577, however, since you can only seem to be able to program one, my GUESSES are:

1 is faulty on yours
1 is T5577 known from your PM3 T5 write command, the other is possibly EM, HID Prox etc???
Your placement is not quite just right ( this on less likely, you know what you are doing)

Have you tried another writer like the blue cloner or white cloner? (another password on it?)

Have you also tried writing OTHER LF modes with the PM3?
Have you tried using the Flipper to write to it in various other modes ( easier placement than PM3 )

It’s always good to drop this as a reminder to everybody occasionally, because manufacturers/ vendors perpetuate the misconception through the use of “RFID” to refer to Low Frequency