Pm3 - proxmark easy - iceman - electra dont copy to 55xx from 410x

Hello,

I have just started to this journeu with rfid and have a problem that i dont understand.

This is the card a want to copy:

[usb|script] pm3 → lf search

[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] [+] EM 410x ID 0110185C5B
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 8008183ADA
[=] HoneyWell IdentKey
[+] DEZ 8 : 01596507
[+] DEZ 10 : 0270031963
[+] DEZ 5.5 : 04120.23643
[+] DEZ 3.5A : 001.23643
[+] DEZ 3.5B : 016.23643
[+] DEZ 3.5C : 024.23643
[+] DEZ 14/IK2 : 00004564999259
[+] DEZ 15/IK3 : 000549891619546
[+] DEZ 20/ZK : 08000008010803101310
[=]
[+] Other : 23643_024_01596507
[+] Pattern Paxton : 19700315 [0x12C9A5B]
[+] Pattern 1 : 4507500 [0x44C76C]
[+] Pattern Sebury : 23643 24 1596507 [0x5C5B 0x18 0x185C5B]
[+] VD / ID : 001 / 0270031963
[+] Pattern ELECTRA : 272 1596507
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn’t identify a chipset
and i use:

[usb|script] pm3 → lf em 410x clone --id 0110185C5B --electra
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0110185C5B (RF/64)
[=] Encoded to FF 80 63 00 E2 AC 2A FC
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff806300e2ac2afc
[#] Electra 0x7e1eaaaaaaaaaaaa

[+] Done!
[?] Hint: Try lf em 410x reader to verify
[usb|script] pm3 → lf em410x reader

and get this result:

[+] EM 410x ID 0110185C5B
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 8008183ADA
[=] HoneyWell IdentKey
[+] DEZ 8 : 01596507
[+] DEZ 10 : 0270031963
[+] DEZ 5.5 : 04120.23643
[+] DEZ 3.5A : 001.23643
[+] DEZ 3.5B : 016.23643
[+] DEZ 3.5C : 024.23643
[+] DEZ 14/IK2 : 00004564999259
[+] DEZ 15/IK3 : 000549891619546
[+] DEZ 20/ZK : 08000008010803101310
[=]
[+] Other : 23643_024_01596507
[+] Pattern Paxton : 19700315 [0x12C9A5B]
[+] Pattern 1 : 4507500 [0x44C76C]
[+] Pattern Sebury : 23643 24 1596507 [0x5C5B 0x18 0x185C5B]
[+] VD / ID : 001 / 0270031963
[+] Pattern ELECTRA : 272 1596507
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset… T55xx

soo far so good:

when dump memory it looks like this from orginal card:

usb|script] pm3 → lf t5 dump

[=] ------------------------- T55xx tag memory -----------------------------

[+] Page 0
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | 31807156 | 00110001100000000111000101010110 | 1.qV
[+] 01 | 038AB0AB | 00000011100010101011000010101011 | …
[+] 02 | 31807156 | 00110001100000000111000101010110 | 1.qV
[+] 03 | 2AFCFF80 | 00101010111111001111111110000000 | *…
[+] 04 | CFF80630 | 11001111111110000000011000110000 | …0
[+] 05 | 806300E2 | 10000000011000110000000011100010 | .c..
[+] 06 | 6300E2AC | 01100011000000001110001010101100 | c…
[+] 07 | 1C55855F | 00011100010101011000010101011111 | .U._

[+] Page 1
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | AC2AFCFF | 10101100001010101111110011111111 | ...
[+] 01 | 6300E2AC | 01100011000000001110001010101100 | c…
[+] 02 | 0E2AC2AF | 00001110001010101100001010101111 | ...
[+] 03 | 6300E2AC | 01100011000000001110001010101100 | c…

and like this from clone and the card dosent work:

[+] Page 0
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | 00148080 | 00000000000101001000000010000000 | …
[+] 01 | FF806300 | 11111111100000000110001100000000 | ..c.
[+] 02 | E2AC2AFC | 11100010101011000010101011111100 | ..*.
[+] 03 | 7E1EAAAA | 01111110000111101010101010101010 | ~…
[+] 04 | AAAAAAAA | 10101010101010101010101010101010 | …
[+] 05 | 00000000 | 00000000000000000000000000000000 | …
[+] 06 | 00000000 | 00000000000000000000000000000000 | …
[+] 07 | 00000000 | 00000000000000000000000000000000 | …

[+] Page 1
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | 00148080 | 00000000000101001000000010000000 | …
[+] 01 | E0150A18 | 11100000000101010000101000011000 | …
[+] 02 | A7A19171 | 10100111101000011001000101110001 | …q
[+] 03 | 00000000 | 00000000000000000000000000000000 | …

I have tried to write it block by block but i always bricking the card.

What am i doing wrong?

Merry christmas!

Have you tried using lf t5 restore?

No i have not, u mean that i dump the info and after the clone i restore it to the clone?

dump the original and restore it to the blank, instead of using the em 410x clone

Thx i will try that when i got the time!

i did and it bricked the rfid card

Are you running lf t5 detect beforehand?

How exactly is it bricked?

Yes i did the use lf t5 detect,

It became bricked when i use the any lf search it says.

[usb|script] pm3 → lf search

[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn’t identify a chipset

i tried do wipe but no diffrence.

well if you used the dump that you originally made, no wonder it’s bricked. you didn’t do detect on it beforehand, and i know that because the block 0 data is entirely garbled and the wiegand data is nonfunctional.

How should i write it then?

1.Lt t5 detect

2.Lt t5 dump

yes

I mean.. to be clear;

Source chip;

• lf t5 detect
• lf t5 dump

Target chip;

• lf t5 detect (may not actually be necessary but whatever)
• lf t5 restore

Thx, i will try it out!

I did get another dump file, but it still bricked the tag.
Does it matter if i use the bin och json file?

Sourice chip:

[usb|script] pm3 → lf search

[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 0110185C5B
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 8008183ADA
[=] HoneyWell IdentKey
[+] DEZ 8 : 01596507
[+] DEZ 10 : 0270031963
[+] DEZ 5.5 : 04120.23643
[+] DEZ 3.5A : 001.23643
[+] DEZ 3.5B : 016.23643
[+] DEZ 3.5C : 024.23643
[+] DEZ 14/IK2 : 00004564999259
[+] DEZ 15/IK3 : 000549891619546
[+] DEZ 20/ZK : 08000008010803101310
[=]
[+] Other : 23643_024_01596507
[+] Pattern Paxton : 19700315 [0x12C9A5B]
[+] Pattern 1 : 4507500 [0x44C76C]
[+] Pattern Sebury : 23643 24 1596507 [0x5C5B 0x18 0x185C5B]
[+] VD / ID : 001 / 0270031963
[+] Pattern ELECTRA : 272 1596507
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn’t identify a chipset
[usb|script] pm3 → lf t5 detect
[=] Chip type… T55x7
[=] Modulation… BIPHASE
[=] Bit rate… 5 - RF/64
[=] Inverted… No
[=] Offset… 51
[=] Seq. terminator… No
[=] Block0… B01701F5 (auto detect)
[=] Downlink mode… default/fixed bit length
[=] Password set… No

[usb|script] pm3 → lf t5 dump

[=] ------------------------- T55xx tag memory -----------------------------

[+] Page 0
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | B01701F5 | 10110000000101110000000111110101 | …
[+] 01 | C05C07D7 | 11000000010111000000011111010111 | …
[+] 02 | 02E03EBF | 00000010111000000011111010111111 | ..>.
[+] 03 | 01F5FEFE | 00000001111101011111111011111110 | …
[+] 04 | 0FAFF7F5 | 00001111101011111111011111110101 | …
[+] 05 | 7D7FBFAD | 01111101011111111011111110101101 | }…
[+] 06 | FB602E03 | 11111011011000000010111000000011 | .`..
[+] 07 | B602E03E | 10110110000000101110000000111110 | …>

[+] Page 1
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | B01701F5 | 10110000000101110000000111110101 | …
[+] 01 | C05C07D7 | 11000000010111000000011111010111 | …
[+] 02 | 02E03EBF | 00000010111000000011111010111111 | ..>.
[+] 03 | 2E03EBFD | 00101110000000111110101111111101 | …

Target chip

[usb|script] pm3 → lf t5 detect
[=] Chip type… T55x7
[=] Modulation… ASK
[=] Bit rate… 2 - RF/32
[=] Inverted… No
[=] Offset… 32
[=] Seq. terminator… Yes
[=] Block0… 000880E8 (auto detect)
[=] Downlink mode… default/fixed bit length
[=] Password set… No

[usb|script] pm3 → lf t5 restore -f C:\ProxSpace\pm3/lf-t55xx-C05C07D7-02E03EBF-01F5FEFE-0FAFF7F5-7D7FBFAD-FB602E03-B602E03E-dump.bin
[+] Loaded 48 bytes from binary file C:\ProxSpace\pm3/lf-t55xx-xxxxx-xxxxx-xxxxxxE-xxxxxx-dump.bin
[=] Starting to write…
[=] Writing page 0 block: 01 data: 0xC05C07D7
[=] Writing page 0 block: 02 data: 0x02E03EBF
[=] Writing page 0 block: 03 data: 0x01F5FEFE
[=] Writing page 0 block: 04 data: 0x0FAFF7F5
[=] Writing page 0 block: 05 data: 0x7D7FBFAD
[=] Writing page 0 block: 06 data: 0xFB602E03
[=] Writing page 0 block: 07 data: 0xB602E03E
[=] Writing page 1 block: 01 data: 0xC05C07D7
[=] Writing page 1 block: 02 data: 0x02E03EBF
[=] Writing page 1 block: 03 data: 0x2E03EBFD
[=] Writing page 0 block: 00 data: 0xB01701F5
[=] Done!

[usb|script] pm3 → lf t5 detect
[!] Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
[usb|script] pm3 → lf search

[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] No known 125/134 kHz tags found!
[+] Chipset… T55xx
[?] Hint: Try lf t55xx commands
[usb|script] pm3 → lf t5 search

I have brought the tags from amazon, could it be that the are not good enough?

EDit:

Does i brick the card because the clonecard cant handle the BIPHASE format or do i have the wrong tags to clone to?

I think I misunderstood the original issue, I thought something had gone wrong with the lf em 410x clone command, but if you were basing that off untrustworthy t5 dumps to begin with, I say try that again and trust the em 410x reader command if it says it’s correct, don’t worry about the underlying T5 data

The rest of this is the deranged rantings of a lunatic trying to figure out T5577s, so don’t trust it very much

This last set of data still doesn’t seem like a valid dump to me, the block 0 data is different than the one created via em 401x clone

I don’t think its damaging to the chip on it’s own, however:

The reason this didn’t work is that you set the password bit in block 0, and then didn’t auth with a password. The card may not be bricked, just locked

Screenshot_20251226_203242531×356 28.8 KB

lf t5 detect -p B602E03E should work?

And if that works then lf t5 wipe -p B602E03E should reset it to default config?

It kind of worked, i can access the card but i need not it they way you are proposition.

But think i need to check someting on the proxmark3 easy because the data in the dump dosent come over when i clone or restore the dumps.

Edit i did get read back after and u where right it did become a password set on them.
[usb] pm3 → lf t5 detect -p 000638D6
[=] Chip type… T55x7
[=] Modulation… FSK2a
[=] Bit rate… 3 - RF/40
[=] Inverted… Yes
[=] Offset… 52
[=] Seq. terminator… No
[=] Block0… 000C71AC (auto detect)
[=] Downlink mode… default/fixed bit length
[=] Password set… Yes
[=] Password… 000638D6

Well i have thought much about the information in the dump files and as some of u said i might not be “correct” i did this and got some other data out.

now i did found a password mode and a password but it says it still reading without a password…

[=] — T55x7 Configuration & Information ---------
[=] Safer key : 11
[=] reserved : 0
[=] Data bit rate : 5 - RF/12
[=] eXtended mode : Yes - Warning
[=] Modulation : 16 - Biphase
[=] PSK clock frequency : 0 - RF/2
[=] AOR - Answer on Request : No
[=] OTP - One Time Pad : Yes - Warning
[=] Max block : 7
[=] Password mode : Yes
[=] Sequence Start Marker : No
[=] Fast Write : Yes
[=] Inverse data : No
[=] POR-Delay : Yes
[=] -------------------------------------------------------------
[=] Raw Data - Page 0, block 0
[=] B01701F5 - 10110000000101110000000111110101
[=] — Fingerprint ------------

[usb] pm3 → lf t5 chk
[=] Press to exit

[+] Loaded 125 keys from dictionary file C:\ProxSpace\pm3\proxmark3\client\dictionaries/t55xx_default_pwds.dic
[=] Press to exit
[=] testing 00000000
[=] Chip type… T55x7
[=] Modulation… BIPHASE
[=] Bit rate… 5 - RF/64
[=] Inverted… No
[=] Offset… 38
[=] Seq. terminator… No
[=] Block0… B01701F5 (auto detect)
[=] Downlink mode… default/fixed bit length
[=] Password set… Yes
[=] Password… 00000000

[+] found valid password: [ 00000000 ]

[+] time in check pwd 0 seconds

[usb] pm3 → lf t5 dump -p 00000000 --ns
Page 0
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[!] Safety check: PWD bit is NOT set in config block. Reading without password…
[+] 00 | FF7F5AFE | 11111111011111110101101011111110 | ..Z.
[!] Safety check: PWD bit is NOT set in config block. Reading without password…
[+] 01 | FEFEB5FD | 11111110111111101011010111111101 | …
[!] Safety check: PWD bit is NOT set in config block. Reading without password…
[+] 02 | B01701F5 | 10110000000101110000000111110101 | …
[!] Safety check: PWD bit is NOT set in config block. Reading without password…
[+] 03 | 701F5FEF | 01110000000111110101111111101111 | p._.
[!] Safety check: Could not detect if PWD bit is set in config block. Exits.
[?] Hint: Consider using the override parameter to force read.
[!] Safety check: Could not detect if PWD bit is set in config block. Exits.
[?] Hint: Consider using the override parameter to force read.
[!] Safety check: PWD bit is NOT set in config block. Reading without password…
[+] 06 | B01701F5 | 10110000000101110000000111110101 | …
[!] Safety check: Could not detect if PWD bit is set in config block. Exits.
[?] Hint: Consider using the override parameter to force read.

[+] Page 1
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[!] Safety check: PWD bit is NOT set in config block. Reading without password…
[+] 00 | B01701F5 | 10110000000101110000000111110101 | …
[!] Safety check: PWD bit is NOT set in config block. Reading without password…
[+] 01 | B01701F5 | 10110000000101110000000111110101 | …
[!] Safety check: PWD bit is NOT set in config block. Reading without password…
[+] 02 | B80FAFF7 | 10111000000011111010111111110111 | …
[!] Safety check: PWD bit is NOT set in config block. Reading without password…
[+] 03 | B01701F5 | 10110000000101110000000111110101 | …