apombo
September 29, 2023, 2:25pm
1
Hi guys, I am brand new. I followed the videos and used the “auto” function and then the “lf t5 detect”. I get the following results:
[=] lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[!] Specify one authentication mode
[!!] CRC Error! Calculated CRC is 190 but card CRC is 110.
[=] Paradox - ID: 100303e45 FC: 48 Card: 15941, Checksum: 6e, Raw: 0f6669a5a555aa9656669a95
[+] Valid Paradox ID found!
[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
[usb] pm3 --> lf t5 detect
[=] Chip type......... T55x7
[=] Modulation........ FSK2a
[=] Bit rate.......... 4 - RF/50
[=] Inverted.......... Yes
[=] Offset............ 33
[=] Seq. terminator... No
[=] Block0............ 101070E0 (auto detect)
[=] Downlink mode..... default/fixed bit length
[=] Password set...... No
I ordered some t5577 tags to clone this into, but have no idea how to proceed. Any leads? Thanks!
apombo
September 29, 2023, 2:29pm
2
To add more info to this, the tag I am trying to clone looks like this:
and running the hw ver gives this:
[usb] pm3 --> hw ver
[ Proxmark3 RFID instrument ]
[ Client ]
Iceman/master/v4.17140-53-g1234b0813-suspect 2023-09-28 12:13:40 8e91a4a65
compiled with............. MinGW-w64 13.2.0
platform.................. Windows (64b) / x86_64
Readline support.......... present
QT GUI support............ present
native BT support......... absent
Python script support..... present
Lua SWIG support.......... present
Python SWIG support....... present
[ Proxmark3 ]
firmware.................. PM3 GENERIC
[ ARM ]
bootrom: Iceman/master/v4.17140-53-g1234b0813-suspect 2023-09-28 12:11:40 8e91a4a65
os: Iceman/master/v4.17140-53-g1234b0813-suspect 2023-09-28 12:12:41 8e91a4a65
compiled with GCC 12.2.0
[ FPGA ]
fpga_pm3_lf.ncd image 2s30vq100 2023-08-29 16:44:07
fpga_pm3_hf.ncd image 2s30vq100 2023-08-29 16:44:19
fpga_pm3_felica.ncd image 2s30vq100 2023-08-29 16:44:43
fpga_pm3_hf_15.ncd image 2s30vq100 2023-08-29 16:44:31
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 61% used )
have a look under lf paradox clone -h
apombo
September 29, 2023, 3:26pm
4
have a look under lf paradox clone -h
-h, --help This help
-r, --raw <hex> raw hex data. 12 bytes max
--fc <dec> facility code
--cn <dec> card number
--q5 optional - specify writing to Q5/T5555 tag
--em optional - specify writing to EM4305/4469 tag
examples/notes:
lf paradox clone --fc 96 --cn 40426 -> encode for T55x7 tag with fc and cn
lf paradox clone --raw 0f55555695596a6a9999a59a -> encode for T55x7 tag
Thanks! Which one of the two would you use to clone to a T5577 tag? Or would you run the first and then the second one?
apombo
September 29, 2023, 3:35pm
5
I did both ways, and this came out:
[usb] pm3 --> lf paradox clone --fc 48 --cn 15941
[=] Preparing to clone Paradox to T55x7 with raw hex
[+] Blk | Data
[+] ----+------------
[+] 00 | 00107060
[+] 01 | 0F555555
[+] 02 | A555AA96
[+] 03 | 5669AA9A
[+] Done
[?] Hint: try `lf paradox read` to verify
[usb] pm3 --> lf paradox read
[usb] pm3 --> lf paradox clone --raw 0f6669a5a555aa9656669a95
[=] Preparing to clone Paradox to T55x7 with raw hex
[+] Blk | Data
[+] ----+------------
[+] 00 | 00107060
[+] 01 | 0F6669A5
[+] 02 | A555AA96
[+] 03 | 56669A95
[+] Done
[?] Hint: try `lf paradox read` to verify
[usb] pm3 --> lf paradox read
I then did a lf t55xx dump, as the two methods above apparently cloned different values on [01] and [03], to check what was inside the original tag, and this came out:
[usb] pm3 --> lf t55xx dump
[+] Page 0
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 08083870 | 00001000000010000011100001110000 | ..8p
[+] 01 | 7B334D2D | 01111011001100110100110100101101 | {3M-
[+] 02 | 2AAD54B2 | 00101010101011010101010010110010 | *.T.
[+] 03 | 3334D4AB | 00110011001101001101010010101011 | 34..
[+] 04 | 4D4D354A | 01001101010011010011010101001010 | MM5J
[+] 05 | 554AD332 | 01010101010010101101001100110010 | UJ.2
[+] 06 | 552ACD2A | 01010101001010101100110100101010 | U*.*
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Page 1
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 08083870 | 00001000000010000011100001110000 | ..8p
[+] 01 | 700A8546 | 01110000000010101000010101000110 | p..F
[+] 02 | 01A89990 | 00000001101010001001100110010000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
Any idea how to proceed?
amal
September 30, 2023, 4:25pm
7
There’s one general rule that applies here.
your source tag is a T5577 chip
your target tag is a T5577 chip
In this case, you should only bother with the dump and restore commands. Do a dump of the source tag and restore it to the target tag. That should always make a complete clone of the source tag, regardless of its decoding. If it doesn’t, then you’ll need to check things like having a good coupling to avoid data errors, software client and firmware versions match, etc.
2 Likes
apombo
October 1, 2023, 3:26pm
8
Gotcha, will try it out later today and let you know how it went. Do you think the CRC error will create any issues? Thanks!
apombo
October 1, 2023, 9:11pm
9
OK, I'm back, so I did the following:
Dump of the original T55XX:
[usb] pm3 --> lf t55xx dump
[+] Page 0
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 08083870 | 00001000000010000011100001110000 | ..8p
[+] 01 | 7B334D2D | 01111011001100110100110100101101 | {3M-
[+] 02 | 2AAD54B2 | 00101010101011010101010010110010 | *.T.
[+] 03 | 3334D4AB | 00110011001101001101010010101011 | 34..
[+] 04 | 4D4D354A | 01001101010011010011010101001010 | MM5J
[+] 05 | 554AD332 | 01010101010010101101001100110010 | UJ.2
[+] 06 | 552ACD2A | 01010101001010101100110100101010 | U*.*
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Page 1
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 08083870 | 00001000000010000011100001110000 | ..8p
[+] 01 | 700A8546 | 01110000000010101000010101000110 | p..F
[+] 02 | 01A89990 | 00000001101010001001100110010000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] saved to json file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-7B334D2D-2AAD54B2-3334D4AB-4D4D354A-554AD332-552ACD2A-dump-004.json
[+] saved 12 blocks to text file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-7B334D2D-2AAD54B2-3334D4AB-4D4D354A-554AD332-552ACD2A-dump-004.eml
[+] saved 48 bytes to binary file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-7B334D2D-2AAD54B2-3334D4AB-4D4D354A-554AD332-552ACD2A-dump-004.bin
<pace\ProxSpace\pm3/lf-t55xx-7B334D2D-2AAD54B2-3334D4AB-4D4D354A-554AD332-552ACD2A-dump-004.json
I put the new T55X7 on the Proxmark3, and ran an auto command:
[!] Specify one authentication mode
[-] No known 125/134 kHz tags found!
[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
Proceeded to do a lf detect, which asked me to do a lf t55xx config:
[usb] pm3 --> lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t55xx config
[=] --- current t55xx config --------------------------
[=] Chip type......... T55x7
[=] Modulation........ FSK2a
[=] Bit rate.......... 4 - RF/50
[=] Inverted.......... Yes
[=] Offset............ 0
[=] Seq. terminator... No
[=] Block0............ 00107060 (auto detect)
[=] Downlink mode..... default/fixed bit length
[=] Password set...... No
Did a wipe of the T55X7 to prepare it for restoring:
[usb] pm3 --> lf t55xx wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0
[=] Begin wiping...
[=] Writing page 0 block: 00 data: 0x000880E0
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
Did a dump just to check if it was empty:
[usb] pm3 --> lf t55xx dump
[+] Page 0
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00000000 | 00000000000000000000000000000000 | ....
[+] 01 | 80000000 | 10000000000000000000000000000000 | ....
[+] 02 | 80000000 | 10000000000000000000000000000000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] 04 | 80000000 | 10000000000000000000000000000000 | ....
[+] 05 | 80000000 | 10000000000000000000000000000000 | ....
[+] 06 | 80000000 | 10000000000000000000000000000000 | ....
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Page 1
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00000000 | 00000000000000000000000000000000 | ....
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] saved to json file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-80000000-80000000-dump-001.json
[+] saved 12 blocks to text file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-80000000-80000000-dump-001.eml
[+] saved 48 bytes to binary file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-80000000-80000000-dump-001.bin
Dumped the original T55XX again to be double sure no file mixups:
[usb] pm3 --> lf t55xx dump
[+] Page 0
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 08083870 | 00001000000010000011100001110000 | ..8p
[+] 01 | 7B334D2D | 01111011001100110100110100101101 | {3M-
[+] 02 | 2AAD54B2 | 00101010101011010101010010110010 | *.T.
[+] 03 | 3334D4AB | 00110011001101001101010010101011 | 34..
[+] 04 | 4D4D354A | 01001101010011010011010101001010 | MM5J
[+] 05 | 554AD332 | 01010101010010101101001100110010 | UJ.2
[+] 06 | 552ACD2A | 01010101001010101100110100101010 | U*.*
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Page 1
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 08083870 | 00001000000010000011100001110000 | ..8p
[+] 01 | 700A8546 | 01110000000010101000010101000110 | p..F
[+] 02 | 01A89990 | 00000001101010001001100110010000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] saved to json file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-7B334D2D-2AAD54B2-3334D4AB-4D4D354A-554AD332-552ACD2A-dump-005.json
[+] saved 12 blocks to text file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-7B334D2D-2AAD54B2-3334D4AB-4D4D354A-554AD332-552ACD2A-dump-005.eml
[+] saved 48 bytes to binary file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-7B334D2D-2AAD54B2-3334D4AB-4D4D354A-554AD332-552ACD2A-dump-005.bin
Proceeded to do the restore on the new T55XX:
<pace\ProxSpace\pm3/lf-t55xx-7B334D2D-2AAD54B2-3334D4AB-4D4D354A-554AD332-552ACD2A-dump-005.json
[+] loaded from JSON file `D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-7B334D2D-2AAD54B2-3334D4AB-4D4D354A-554AD332-552ACD2A-dump-005.json`
[=] Starting to write...
[=] Writing page 0 block: 01 data: 0x7B334D2D
[=] Writing page 0 block: 02 data: 0x2AAD54B2
[=] Writing page 0 block: 03 data: 0x3334D4AB
[=] Writing page 0 block: 04 data: 0x4D4D354A
[=] Writing page 0 block: 05 data: 0x554AD332
[=] Writing page 0 block: 06 data: 0x552ACD2A
[=] Writing page 0 block: 07 data: 0x00000000
[=] Writing page 1 block: 01 data: 0x700A8546
[=] Writing page 1 block: 02 data: 0x01A89990
[=] Writing page 1 block: 03 data: 0x00000000
[=] Writing page 0 block: 00 data: 0x08083870
[=] Done!
Still didn't work. Any ideas?
I did a dump of the “cloned” FOB and it returned something totally different from the original:
[usb] pm3 --> lf t55 dump
[+] Page 0
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 01020120 | 00000001000000100000000100100000 | ...
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] 04 | 00000002 | 00000000000000000000000000000010 | ....
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
[+] 06 | 00000000 | 00000000000000000000000000000000 | ....
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
[+] Page 1
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00000000 | 00000000000000000000000000000000 | ....
[+] 01 | 00084100 | 00000000000010000100000100000000 | ..A.
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
[+] 03 | 00000010 | 00000000000000000000000000010000 | ....
[+] saved to json file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-dump-001.json
[+] saved 12 blocks to text file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-dump-001.eml
[+] saved 48 bytes to binary file D:\Gdrive\Proxmark3\ProxSpace\ProxSpace\pm3/lf-t55xx-dump-001.bin
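Added example, not part of the thread or of the Proxmark3 project: a block-by-block comparison of two pasted `lf t55xx dump` outputs, usable both to confirm that repeated reads of one tag agree and to check a restore against its source. The names `parse_dump` and `diff_dumps` are this example's own; the sample rows are page 0 of the source and "cloned" dumps in the post above.

```python
import re

PAGE = re.compile(r"^\[\+\]\s*Page\s+(\d+)")
ROW = re.compile(r"^\[\+\]\s*(\d{2})\s*\|\s*([0-9A-Fa-f]{8})\s*\|")

def parse_dump(text):
    """Map (page, block) -> 32-bit value from pasted `lf t55xx dump` output."""
    blocks, page = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := PAGE.match(line):
            page = int(m.group(1))
        elif (m := ROW.match(line)) and page is not None:
            blocks[(page, int(m.group(1)))] = int(m.group(2), 16)
    return blocks

def diff_dumps(source, clone):
    """Return (page, block, source_hex, clone_hex) for each block that differs."""
    out = []
    for (page, blk), want in sorted(source.items()):
        got = clone.get((page, blk))
        if got != want:
            out.append((page, blk, f"{want:08X}",
                        "missing" if got is None else f"{got:08X}"))
    return out

# Page 0 rows copied from the source-fob and "cloned"-fob dumps in the thread.
SOURCE = """[+] Page 0
[+] 00 | 08083870 | 00001000000010000011100001110000 | ..8p
[+] 01 | 7B334D2D | 01111011001100110100110100101101 | {3M-
[+] 02 | 2AAD54B2 | 00101010101011010101010010110010 | *.T.
[+] 03 | 3334D4AB | 00110011001101001101010010101011 | 34..
[+] 04 | 4D4D354A | 01001101010011010011010101001010 | MM5J
[+] 05 | 554AD332 | 01010101010010101101001100110010 | UJ.2
[+] 06 | 552ACD2A | 01010101001010101100110100101010 | U*.*
[+] 07 | 00000000 | 00000000000000000000000000000000 | ...."""
CLONE = """[+] Page 0
[+] 00 | 01020120 | 00000001000000100000000100100000 | ...
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
[+] 04 | 00000002 | 00000000000000000000000000000010 | ....
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
[+] 06 | 00000000 | 00000000000000000000000000000000 | ....
[+] 07 | 00000000 | 00000000000000000000000000000000 | ...."""

if __name__ == "__main__":
    for page, blk, want, got in diff_dumps(parse_dump(SOURCE), parse_dump(CLONE)):
        print(f"page {page} block {blk:02d}: source {want} != clone {got}")
```

An empty result from `diff_dumps` on two reads of the same tag indicates the reads are stable; any non-empty result after a restore lists exactly which blocks did not take.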
amal
October 1, 2023, 9:21pm
10
No idea. What is the device you’re trying to write to? Is it a fob or implant or card or ring or something else? The only thing I can think of is a coupling issue that is good enough to read but not reliably write.
Coupling can also be “overpowered” in some cases where timings are off. Try putting some space between the device and LF antenna… like 5mm increments.
Maybe post pictures of the target device on the proxmark3. That would also help answer what kind of proxmark are you using.