There are two changes that need to be made to your chip in order to set or remove a password. These changes are in block 7 (password) and block 0 (configuration data). Writing a password to block 7 does not activate password protection, it is only where the password is stored.
Start off with the command hw tune
[=] Measuring antenna characteristics, please wait...
[/] 9
[+] LF antenna: 36.58 V - 125.00 kHz
[+] LF antenna: 26.68 V - 134.83 kHz
[+] LF optimal: 36.44 V - 123.71 kHz
[+] LF antenna is OK
[+] HF antenna: 47.85 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.
To set a password
Enter the command lf t55xx detect
[=] Chip Type : T55x7
[=] Modulation : FSK2a
[=] Bit Rate : 4 - RF/50
[=] Inverted : Yes
[=] Offset : 33
[=] Seq. Term. : No
[=] Block0 : 0x00107060
[=] Downlink Mode : default/fixed bit length
[=] Password Set : No
Set a password to block 7. In this case the password will be β12345678β. lf t55xx write b 7 d 12345678
[=] Writing page 0 block: 07 data: 0x12345678
Check that the correct data was written. lf t55xx read b 7
If the data matches we can make the required changes to the configuration block.
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 07 | 12345678 | 00010010001101000101011001111000 | .4Vx
Grab the configuration data. lf t55xx read b 0
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 00 | 00107060 | 00000000000100000111000001100000 | ..p`
The 28th bit needs to be changed to enable password mode on your chip.
This:
00000000000100000111000001100000
becomes this
00000000000100000111000001110000
Convert the binary string to hex. Converted string: 00107070
Enable password mode by writing the modified configuration data. lf t55xx write b 0 d 00107070
[=] Writing page 0 block: 00 data: 0x00107070
Verify your changes to the configuration data and check that password mode is now enabled. lf t55xx detect p 12345678
[=] Chip Type : T55x7
[=] Modulation : FSK2a
[=] Bit Rate : 4 - RF/50
[=] Inverted : Yes
[=] Offset : 34
[=] Seq. Term. : No
[=] Block0 : 0x00107070
[=] Downlink Mode : default/fixed bit length
[=] Password Set : Yes
[=] Password : 12345678
You can still read and write to your chip but you will need to include a password in your commands.
To remove a password
Enter the command lf t55xx detect p [password]. In this case the password is β12345678β. lf t55xx detect p 12345678
[=] Chip Type : T55x7
[=] Modulation : FSK2a
[=] Bit Rate : 4 - RF/50
[=] Inverted : Yes
[=] Offset : 33
[=] Seq. Term. : No
[=] Block0 : 0x00107070
[=] Downlink Mode : default/fixed bit length
[=] Password Set : Yes
[=] Password : 12345678
Grab the configuration data. lf t55xx read b 0 p 12345678 o
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[=] Safety check overridden - proceeding despite risk
[+] 00 | 00107070 | 00000000000100000111000001110000 | ..pp
The 28th bit needs to be changed to disable password mode on your chip.
This:
00000000000100000111000001110000
becomes this
00000000000100000111000001100000
Convert the binary string to hex. Converted string: 00107060
Disable password mode by writing the modified configuration data: lf t55xx write b 0 d 00107060 p 12345678
[=] Writing page 0 block: 00 data: 0x00107060 pwd: 0x12345678
Verify your changes to the configuration data and check that password mode is now disabled. lf t55xx detect
[=] Chip Type : T55x7
[=] Modulation : FSK2a
[=] Bit Rate : 4 - RF/50
[=] Inverted : Yes
[=] Offset : 33
[=] Seq. Term. : No
[=] Block0 : 0x00107060
[=] Downlink Mode : default/fixed bit length
[=] Password Set : No
Remove your current password from memory. lf t55xx write b 7 d 00000000
[=] Writing page 0 block: 07 data: 0x00000000
Check that the correct data was written. lf t55xx read b 7
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+-------
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
Resources:
T5557 Protocol Description
Binary to Hex Converter