I’m having some trouble with getting my detect and trace commands to work - I know you should try and get a good trace before writing to a NExT, so figured I’d play with some full ISO size T5577 cards and learn the gear. The issue I’m having is that detect doesn’t work for me, and trace doesn’t give an output.
I’m attempting to use a Chinese PM3 Easy running the latest Iceman on my Mac, I’ve included below the output from the CLI client, hoping someone can help point me in the right direction!
I’ve done a hw tune and it says ‘OK’, but I’m not sure what I should expect to see there otherwise, thanks for any help you can give!
Proxmark output
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman
compiled with Clang/LLVM 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.10.44.4) OS:OSX ARCH:x86_64
[ PROXMARK3 ]
[ ARM ]
bootrom: RRG/Iceman/master/688fb78 2020-01-23 20:26:14
os: RRG/Iceman/master/688fb78 2020-01-23 20:26:28
compiled with GCC 5.4.1 20160919 (release) [ARM/embedded-5-branch revision 240496]
[ FPGA ]
LF image built for 2s30vq100 on 2020-01-12 at 15:31: 2
HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 254528 bytes (49%) Free: 269760 bytes (51%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 --> hw status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........28000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............10
#db# Currently loaded FPGA image
#db# mode.................... LF image built for 2s30vq100 on 2020-01-12 at 15:31: 2
#db# LF Sampling config
#db# [q] divisor.............95 ( 125.00 kHz )
#db# [b] bits per sample.....8
#db# [d] decimation..........1
#db# [a] averaging...........No
#db# [t] trigger threshold...0
#db# [s] samples to skip.....0
#db# LF T55XX config
#db# [r] [a] [b] [c] [d] [e] [f] [g]
#db# mode |start|write|write|write| read|write|write
#db# | gap | gap | 0 | 1 | gap | 2 | 3
#db# ---------------------------+-----+-----+-----+-----+-----+-----+------
#db# fixed bit length (default) | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
#db# long leading reference | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
#db# leading zero | 31 | 20 | 18 | 40 | 15 | N/A | N/A |
#db# 1 of 4 coding reference | 31 | 20 | 18 | 34 | 15 | 50 | 66 |
#db#
#db# Transfer Speed
#db# Sending packets to client...
#db# Time elapsed............500ms
#db# Bytes transferred.......354304
#db# Transfer Speed PM3 -> Client = 708608 bytes/s
#db# Various
#db# DBGLEVEL................1
#db# ToSendMax...............24
#db# ToSendBit...............8
#db# ToSend BUFFERSIZE.......2308
#db# Slow clock..............32088 Hz
#db# Installed StandAlone Mode
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
[usb] pm3 --> hw tune
[=] Measuring antenna characteristics, please wait...
..
[+] LF antenna: 46.03 V - 125.00 kHz
[+] LF antenna: 45.32 V - 134.83 kHz
[+] LF optimal: 56.51 V - 130.43 kHz
[+] LF antenna is OK
[+] HF antenna: 33.41 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
#db# Starting Hitag reader family
#db# Configured for hitag2 reader
#db# Detected incorrect header, the bit [1] is zero instead of one, abort
#db# TX/RX frames recorded: 1
[+] EM410x pattern found
EM TAG ID : BDBDBDBDBD
Possible de-scramble patterns
Unique TAG ID : BDBDBDBDBD
HoneyWell IdentKey {
DEZ 8 : 12434877
DEZ 10 : 3183328701
DEZ 5.5 : 48573.48573
DEZ 3.5A : 189.48573
DEZ 3.5B : 189.48573
DEZ 3.5C : 189.48573
DEZ 14/IK2 : 00814932147645
DEZ 15/IK3 : 000814932147645
DEZ 20/ZK : 11131113111311131113
}
Other : 48573_189_12434877
Pattern Paxton : 3184655293 [0xBDD1FBBD]
Pattern 1 : 7831135 [0x777E5F]
Pattern Sebury : 48573 61 4046269 [0xBDBD 0x3D 0x3DBDBD]
[+] Valid EM410x ID found!
[usb] pm3 --> lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
SOOO I am a very basic user of Proxmark, so unable to help you directly, BUUUTTTT
I will through a couple of names out to get their attention, The ones that I can think of that I’m pretty sure have the PM easy and are quite knowledgeable, I’m sure there are many more but here goes @Emumanx@cinja@fraggersparks@Satur9
If you’ve got a spare card, run lf t55xx wipe on it - I’ve had weirdness with detecting em emulating T5577 chips. When you scan you should find your t55xx chip. I’ve also used this to unbrick an xEM.
I’ll add that you can also try lf t55xx read and lf t55xx info and report back if you prefer. Also lf t55xx dump will give us all pages
Wipe didn’t help me, I’ve tried on 3 different cards from 3 different suppliers. I’ve tried straight after a wipe, in EM mode and in HID mode - all the normal clone operations work perfectly. (EDIT: Just clarifying, the wipe did complete successfully, card went back to not responding to search, and would write again fine, just didn’t change the results on other commands)
I tried the commands you suggested and included dumps below, but I’m not getting the expected response to those commands either
Proxmark Output
[usb] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=] #db# Starting Hitag reader family #db# Configured for hitag2 reader #db# Detected incorrect header, the bit [0] is zero instead of one, abort #db# TX/RX frames recorded: 1
[+] EM410x pattern found
I’m struggling with the normal fork, seems the Mac instructions I found are a bit incomplete as I’m getting commands failing. Maybe a fresh start tomorrow is on the cards, but I’ll also try reaching out to Iceman and others on the Proxmark forums and see if they have any advice.
I’m not sure if you have been on the Proxmark forum before, and probably telling you to suck eggs, but Just make sure your do you due diligence and thoroughly research your question before you ask it.
You only need to read some of their comments and you will see they are not particularly forgiving of people who ask questions that are covered elsewhere in the forum.
Just a friendly “heads up”
Iceman IS the man though.
Iceman is to Proxmark What Amal is to…Well, ALL OF THIS!!!
Hi iam at work right now but as soon as I get home I’ll try and work with you on re writing the blocks manually to setup basic EM410x (as they came from DT) . Also I’ll try to make sure with you as to how you created the iceman1001 rrg firmware (did you change to PM3OTHER?)… WE WILL GET YOU BACK WORK IF POSS.
All I’ve done over there so far is post an introduction, in my googling efforts I couldn’t find anyone else with these issues, but I’ll make sure to search their forums and if I can’t find anything I’ll make sure my post is nice and detailed.
[ ARM ]
bootrom: RRG/Iceman/master/cb8d589f 2020-05-19 09:31:06
os: RRG/Iceman/master/cb8d589f 2020-05-19 09:31:14
compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]
[ FPGA ]
LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[ Hardware ]
–= uC: AT91SAM7S512 Rev A
–= Embedded Processor: ARM7TDMI
–= Nonvolatile Program Memory Size: 512K bytes, Used: 288754 bytes (55%) Free: 235534 bytes (45%)
–= Second Nonvolatile Program Memory Size: None
–= Internal SRAM Size: 64K bytes
–= Architecture Identifier: AT91SAM7Sxx Series
–= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 → hw tune
[=] Measuring antenna characteristics, please wait… 8
[+] LF antenna: 75,49 V - 125,00 kHz
[+] LF antenna: 35,20 V - 134,83 kHz
[+] LF optimal: 75,49 V - 125,00 kHz
[+] LF antenna is OK
[+] HF antenna: 47,16 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 88 is 134,83 kHz, 95 is 125,00 kHz.
[usb] pm3 → lf sea
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM410x pattern found
@teeny So I don’t think this will be super useful to you but I tried to see if I got the same result.
I have a PM3 easy with the Iceman fork on Mac and I was able to use lf t55xx detect without any problem.
Like I said, I don’t think this helps you other than saying it’s probably not the firmware. There was a previous bug using that command that @TomHarkness posted to GitHub and they fixed it in 2018. Your version isn’t that old right?
It was a bad release of the Iceman firmware that didn’t have it working reliably. Delete your old client, download the latest Iceman release, then reflash your hardware and try again.
made a new pull and flash my proxmark with the latest and the problem is still there.
Proxmark
[=] Session log /home/teeny/.proxmark3/logs/log_20200723.txt
[+] loaded from JSON file /home/teeny/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC
[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 11:19:39
os: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 11:19:50
compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]
[ FPGA ]
LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
[ Hardware ]
–= uC: AT91SAM7S512 Rev A
–= Embedded Processor: ARM7TDMI
–= Nonvolatile Program Memory Size: 512K bytes, Used: 259976 bytes (50%) Free: 264312 bytes (50%)
–= Second Nonvolatile Program Memory Size: None
–= Internal SRAM Size: 64K bytes
–= Architecture Identifier: AT91SAM7Sxx Series
–= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 → lf sea
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM410x pattern found
[usb] pm3 → lf t55 detect
[!] Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
[usb] pm3 →
its still the same version
[ FPGA ]
LF image built for 2s30vq100 on 2020-02-22 at 12:51:14 @Compgeek can you check your FPGA version? @Locutus it was a 2020 version. But i found some lua scripts for testing t55x7 that i will try out
8
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
