Reviving a bricked T5577

The T5577 chip is a great wonder of the world.

That said, it is sensitive. The chip’s memory is arranged in blocks, and block 0 is a critical block that holds the configuration data for how the chip should behave (modulation, bit rate, whether a password is set, and other critical settings). It is vulnerable to tearing - a write that is interrupted, or that does not have enough field power to complete properly, leaves the block corrupted, and a corrupted block 0 can make the chip look dead.

If you have a T5577 chip based product that appears to have stopped working, you will need a proxmark3 in order to perform some diagnostics and attempt a recovery.

The first thing to do is to try to diagnose if the connection between chip and antenna has failed. You do this by using the lf tune command. When running, you will see a voltage reading constantly updating. This is the voltage of the proxmark’s LF antenna. As you put a transponder into position over the antenna, the voltage will drop because the transponder is absorbing some energy from the field to power itself. The larger the voltage drop, the better the coupling is between transponder and proxmark3 antenna.

The starting voltage is different for everyone, and the maximum drop (lowest voltage observed) is different for everyone, so it’s not important what your “lowest voltage” was. The important thing is the amount of drop (the maximum difference between starting voltage and lowest observed voltage).

If you present your T5577 chip based product to the LF antenna and do not observe much of a drop, then there might be a problem with the mechanical connections within the product. However, if you do observe a drop of at least 100 mV, then chances are your product is physically ok… the chip may have just experienced a hiccup… and it might even be recoverable.

Step 1 - Try to detect the T5577 chip

Now that you’ve used lf tune you should know the best way to present your T5577 to the proxmark to get the best coupling. Once you position your product, try to detect the chip.

lf t5 detect

Run the command lf t5 detect to try to do standard chip detection. Successful detection should return information about the chip. Here is an example output:

[=]  Chip type......... T55x7
[=]  Modulation........ FSK2a
[=]  Bit rate.......... 4 - RF/50
[=]  Inverted.......... Yes
[=]  Offset............ 33
[=]  Seq. terminator... No
[=]  Block0............ 00107060 (auto detect)
[=]  Downlink mode..... long leading reference
[=]  Password set...... No

If the chip is in a bad way, or you do not have a good coupling, you will see an error like this:

[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

The next step is to try to use a page 1 detection scheme.

lf t5 p1detect

If you don’t see anything with the standard detection method, try using lf t5 p1detect instead. Successful detection will include the line:

[+] T55xx chip found!

Failure to detect the chip will return the familiar:

[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

Step 2 - Force block 0 write (test mode)

Even if your chip is still not detected, we can still try throwing commands at it to see if it will come back to life. Run these commands one after another. They just scream the write command at the chip using each of the downlink modes; the chip will not respond with success or failure, so there is no way to know if they have worked until later… but we are going to try all options and hopefully one will stick.

lf t55 write -b 0 -d 000880E0 -t
lf t55 write -b 0 -d 000880E0 --r0 -t
lf t55 write -b 0 -d 000880E0 --r1 -t
lf t55 write -b 0 -d 000880E0 --r2 -t
lf t55 write -b 0 -d 000880E0 --r3 -t
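To see what the block 0 values in this post actually mean (the 00107060 that detect reported above, and the 000880E0 these write commands force), here is a small decoder and encoder for the basic-mode configuration word. It is an added example, not code from the original post or from the proxmark3 project; the field masks follow the T5577 datasheet layout as used by the proxmark3 client, and the 0010F060 value is a constructed example of a torn block 0 whose modulation field no longer decodes.

```python
# T5577 page 0 / block 0 configuration word, basic (non-extended) mode.
# Added example; masks follow the T5577 datasheet as used by proxmark3.
BITRATE = {0: 8, 1: 16, 2: 32, 3: 40, 4: 50, 5: 64, 6: 100, 7: 128}
MODULATION = {0: "Direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
              5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "Manchester",
              16: "Biphase", 24: "Diphase"}


def decode_block0(word):
    """Split a 32-bit block 0 word into its configuration fields."""
    mod_code = (word >> 12) & 0x1F
    return {
        "master_key": (word >> 28) & 0xF,
        "x_mode": bool(word & 0x00020000),
        "bitrate": "RF/%d" % BITRATE[(word >> 18) & 0x7],
        "modulation": MODULATION.get(mod_code, "invalid (0x%02X)" % mod_code),
        "psk_cf": "RF/%d" % (2 << ((word >> 10) & 0x3)),  # code 3 is reserved
        "aor": bool(word & 0x200),            # answer on request
        "otp": bool(word & 0x100),            # one-time-programmable lock
        "max_block": (word >> 5) & 0x7,       # last block sent in read mode
        "pwd": bool(word & 0x10),             # password mode enabled
        "seq_terminator": bool(word & 0x8),
    }


def encode_block0(bitrate, modulation, max_block, pwd=False, st=False):
    """Build a basic-mode block 0 word from human-readable field values."""
    rate_code = {v: k for k, v in BITRATE.items()}[bitrate]
    mod_code = {v: k for k, v in MODULATION.items()}[modulation]
    word = (rate_code << 18) | (mod_code << 12) | ((max_block & 0x7) << 5)
    if pwd:
        word |= 0x10
    if st:
        word |= 0x8
    return word


def looks_healthy(word):
    """True when the modulation field decodes to a defined scheme; an undefined
    code is the kind of state a torn write leaves behind."""
    return not decode_block0(word)["modulation"].startswith("invalid")


if __name__ == "__main__":
    samples = [("detected block 0", 0x00107060),
               ("default written in step 2", 0x000880E0),
               ("constructed torn block 0", 0x0010F060)]
    for name, word in samples:
        print("%-26s %08X healthy=%s %s" % (name, word, looks_healthy(word),
                                             decode_block0(word)))
```

The detected value decodes to FSK2a at RF/50 with no password, matching the detect output above, and the forced value decodes to Manchester at RF/32 with max block 7, which is the chip's default configuration.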

Clone a standard EM ID

Now hopefully we have “reset” the T5577 block 0 and it’s alive again. The best thing to do now is to just do a standard EM clone command to set it up as an EM410x chip with a basic ID we can read.

lf em 410x clone --id 0102030405

lf search

Run the lf search command now and you should see something like this:

[=] Checking for known tags...
[=]
[+] EM 410x ID 0102030405
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 8040C020A0
[=] HoneyWell IdentKey
[+]     DEZ 8          : 00197637
[+]     DEZ 10         : 0033752069
[+]     DEZ 5.5        : 00515.01029
[+]     DEZ 3.5A       : 001.01029
[+]     DEZ 3.5B       : 002.01029
[+]     DEZ 3.5C       : 003.01029
[+]     DEZ 14/IK2     : 00004328719365
[+]     DEZ 15/IK3     : 000550842146976
[+]     DEZ 20/ZK      : 08000400120002001000
[=]
[+] Other              : 01029_003_00197637
[+] Pattern Paxton     : 18301445 [0x1174205]
[+] Pattern 1          : 655892 [0xA0214]
[+] Pattern Sebury     : 1029 3 197637  [0x405 0x3 0x30405]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset detection: T55xx

Try different positions

Remember, the trick with these small transponders is getting the correct position. If you try this and it doesn’t work, try moving your device slightly… change the position it is resting on the antenna… then try the whole process again.
