Proxmark 3 - Manually setting and removing passwords on T55xx chips

There are two changes that need to be made to your chip in order to set or remove a password. These changes are in block 7 (password) and block 0 (configuration data). Writing a password to block 7 does not activate password protection, it is only where the password is stored.

Start off with the command hw tune

[=] Measuring antenna characteristics, please wait...
[/]  9
[+] LF antenna: 36.58 V - 125.00 kHz
[+] LF antenna: 26.68 V - 134.83 kHz
[+] LF optimal: 36.44 V - 123.71 kHz
[+] LF antenna is OK

[+] HF antenna: 47.85 V - 13.56 MHz
[+] HF antenna is OK


[+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.

To set a password

Enter the command lf t55xx detect

[=]      Chip Type      : T55x7
[=]      Modulation     : FSK2a
[=]      Bit Rate       : 4 - RF/50
[=]      Inverted       : Yes
[=]      Offset         : 33
[=]      Seq. Term.     : No
[=]      Block0         : 0x00107060
[=]      Downlink Mode  : default/fixed bit length
[=]      Password Set   : No

Set a password to block 7. In this case the password will be "12345678". lf t55xx write b 7 d 12345678

[=] Writing page 0  block: 07  data: 0x12345678

Check that the correct data was written. lf t55xx read b 7
If the data matches we can make the required changes to the configuration block.

[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  07 | 12345678 | 00010010001101000101011001111000 | .4Vx

Grab the configuration data. lf t55xx read b 0

[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00107060 | 00000000000100000111000001100000 | ..p`

The 28th bit needs to be changed to enable password mode on your chip.

This:

00000000000100000111000001100000

becomes this

00000000000100000111000001110000

Convert the binary string to hex. Converted string: 00107070

Enable password mode by writing the modified configuration data. lf t55xx write b 0 d 00107070

[=] Writing page 0  block: 00  data: 0x00107070

Verify your changes to the configuration data and check that password mode is now enabled. lf t55xx detect p 12345678

[=]      Chip Type      : T55x7
[=]      Modulation     : FSK2a
[=]      Bit Rate       : 4 - RF/50
[=]      Inverted       : Yes
[=]      Offset         : 34
[=]      Seq. Term.     : No
[=]      Block0         : 0x00107070
[=]      Downlink Mode  : default/fixed bit length
[=]      Password Set   : Yes
[=]      Password       : 12345678

You can still read and write to your chip but you will need to include a password in your commands.

To remove a password

Enter the command lf t55xx detect p [password]. In this case the password is "12345678". lf t55xx detect p 12345678

[=]      Chip Type      : T55x7
[=]      Modulation     : FSK2a
[=]      Bit Rate       : 4 - RF/50
[=]      Inverted       : Yes
[=]      Offset         : 33
[=]      Seq. Term.     : No
[=]      Block0         : 0x00107070
[=]      Downlink Mode  : default/fixed bit length
[=]      Password Set   : Yes
[=]      Password       : 12345678

Grab the configuration data. lf t55xx read b 0 p 12345678 o

[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[=] Safety check overridden - proceeding despite risk
[+]  00 | 00107070 | 00000000000100000111000001110000 | ..pp

The 28th bit needs to be changed to disable password mode on your chip.

This:

00000000000100000111000001110000

becomes this

00000000000100000111000001100000

Convert the binary string to hex. Converted string: 00107060

Disable password mode by writing the modified configuration data: lf t55xx write b 0 d 00107060 p 12345678

[=] Writing page 0  block: 00  data: 0x00107060 pwd: 0x12345678

Verify your changes to the configuration data and check that password mode is now disabled. lf t55xx detect

[=]      Chip Type      : T55x7
[=]      Modulation     : FSK2a
[=]      Bit Rate       : 4 - RF/50
[=]      Inverted       : Yes
[=]      Offset         : 33
[=]      Seq. Term.     : No
[=]      Block0         : 0x00107060
[=]      Downlink Mode  : default/fixed bit length
[=]      Password Set   : No

Remove your current password from memory. lf t55xx write b 7 d 00000000

[=] Writing page 0  block: 07  data: 0x00000000

Check that the correct data was written. lf t55xx read b 7

[+] Reading Page 0:
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  07 | 00000000 | 00000000000000000000000000000000 | ....

Resources:
T5557 Protocol Description
Binary to Hex Converter

11 Likes
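
The bit change and binary-to-hex conversion from the guide above, as an added example (not part of the original post and not Proxmark client code). It assumes the "28th bit" is counted from the left of the 32-bit string, which is what the post's before/after values show; all function names are made up for this sketch. It also compares a hand-converted value against the current block 0, so a mistyped word is caught before it is written.

```python
import string

PWD_BIT = 28  # counted from the left of the 32-bit string (leftmost bit = 1), as in the post

def parse_block(hex_word):
    """Parse one T55xx block given as exactly 8 hex digits, e.g. '00107060'."""
    word = hex_word.strip()
    if word.lower().startswith("0x"):
        word = word[2:]
    if len(word) != 8 or any(c not in string.hexdigits for c in word):
        raise ValueError(f"expected 8 hex digits, got {hex_word!r}")
    return int(word, 16)

def bit_mask(position):
    """Mask for a bit position counted 1..32 from the left."""
    if not 1 <= position <= 32:
        raise ValueError("position must be 1..32")
    return 1 << (32 - position)

def set_password_mode(block0, enabled):
    """Return block 0 with only the password bit set or cleared."""
    if enabled:
        return block0 | bit_mask(PWD_BIT)
    return block0 & ~bit_mask(PWD_BIT) & 0xFFFFFFFF

def changed_bits(before, after):
    """List the positions (1..32 from the left) where two block values differ."""
    diff = before ^ after
    return [pos for pos in range(1, 33) if diff & bit_mask(pos)]

def only_password_bit_changes(current_hex, proposed_hex):
    """True when a proposed block 0 differs from the current one at bit 28 only."""
    return changed_bits(parse_block(current_hex), parse_block(proposed_hex)) == [PWD_BIT]

if __name__ == "__main__":
    current = "00107060"  # block 0 as read in the post
    new = set_password_mode(parse_block(current), True)
    print(f"{parse_block(current):032b}")  # binary before the change
    print(f"{new:032b}")                   # binary after the change
    print(f"{new:08X}")                    # hex value to write to block 0
    # Constructed typo: one extra bit flipped, so the check fails
    print(only_password_bit_changes(current, "00107170"))
```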

What happens if block zero is FFFFFFFF or some other value that can't be changed? I think I soft bricked a tag, but curious how to get it up again. Block 7 is 00000000 which is fine, no password. But block 0 I am trying to write 0017060 to it but can't.

Excellent write up! Great for beginners trying to remove/change password set by blue cloner.

Note: On the latest version of iceman the command would be lf t55xx detect -p 12345678

2 Likes