T5577 discs on proxmark

I bought some of these T5577 tags:

I can detect them in proxmark, but I can’t clone anything on them. Anyone tried these and got any tips?

Putting a 1mm spacer between the coil and the tag works for me

A couple slabs of cardboard sometimes works too… but yes put space.

The other thing I wanted to ask was what you meant by detect… LF T5 detect? Or LF search?

Lf t5 detect, yes. Does not show up in LF search.

I’ll try the space trick, thanks.

Think I give up on these. Space trick did not work, tried from 1 to 10mm.

[usb] pm3 --> lf t5 detect
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 2 - RF/32
[=]  Inverted.......... No
[=]  Offset............ 32
[=]  Seq. terminator... Yes
[=]  Block0............ 000880E8 (auto detect)
[=]  Downlink mode..... long leading reference
[=]  Password set...... No

[usb] pm3 --> lf t5 config
[=] --- current t55xx config --------------------------
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 2 - RF/32
[=]  Inverted.......... No
[=]  Offset............ 32
[=]  Seq. terminator... Yes
[=]  Block0............ 000880E8 (auto detect)
[=]  Downlink mode..... long leading reference
[=]  Password set...... No

[usb] pm3 --> lf t5 info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 0
[=]  reserved                  : 0
[=]  Data bit rate             : 2 - RF/32
[=]  eXtended mode             : No
[=]  Modulation                : 8 - Manchester
[=]  PSK clock frequency       : 0 - RF/2
[=]  AOR - Answer on Request   : No
[=]  OTP - One Time Pad        : No
[=]  Max block                 : 7
[=]  Password mode             : No
[=]  Sequence Terminator       : Yes
[=]  Fast Write                : No
[=]  Inverse data              : No
[=]  POR-Delay                 : No
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  000880E8 - 00000000000010001000000011101000
[=] --- Fingerprint ------------
[+] Config block match        : T55x7 Default

[usb] pm3 --> lf em 41 clone --id 1122334455
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 1122334455 (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff8c65298c94a940

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf sea

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] ⛔ No known 125/134 kHz tags found!
[=] Couldn't identify a chipset

That’s good

That’s strange

What have you tried?
Something like

lf em 410x clone --id 0102030405

Yes, exactly. See output above.

Try lf tune; that will give you a voltage reading. Try moving the tag around until you see the smallest voltage; that is the best place for coupling.

Just to double check you have the tag on the round coil right?

Apologies, I didn’t scroll down in your block.

a couple of things

@Devilclarke comment above :arrow_up:

Also
Can you try with the full 410x? If there are others with a 41 prefix, it won’t “know” which to write.

Do you have an actual tag you can clone and reader to test it on, like the xEM xAC?

disregard, there isn’t
So yeah, what you tried should have worked (command wise at least)

I would still try on some equipment

There should be only one entry for lf em 41:

[usb] pm3 --> lf em
help             This help
410x             { EM 4102 commands... }
4x05             { EM 4205 / 4305 / 4369 / 4469 commands... }
4x50             { EM 4350 / 4450 commands... }
4x70             { EM 4070 / 4170 commands... }

Nevertheless I tried lf em 410x with no difference.
Right from the start I did a lf tune to find the lowest voltage, so I think placement is optimal.
And yes, I have it on the lf antenna :slight_smile:

Ha yeah, I realised, See post above yours…
Do you have an xAC or similar with an operation tag you can clone?

Yes, this tag is not recognized by xAC, I assumed this was because it is not written as an EM chip yet.
And yes, I have a bucket of EM chips for the xAC, but cloning is just a matter of writing the T5577 with EM config bits and a selectable ID, isn’t it? You don’t really need a physical EM chip?

Can you replicate the fault with other T5577 fobs?

My thought was, if you haven’t already, do the same write to one of the xAC fobs (I’m not sure if they are T5577 fobs).
Do you have any similar T5577 fobs you can test and compare against?

I wrote to a fob just yesterday (one of the common blue T5577 fobs) and it was being a dick, and took a number of tries to write and read back with the correct info (I was getting different UIDs)

so I did a wipe

lf t5 wipe
Wrote and it worked after the 2nd time, I moved its position between tries…

otherwise

not for any other real reason try maybe an HID clone

lf hid clone --r 1122334455

:man_shrugging:

Seems like the chips I have are native EM chips, not 5577.
Only other T5577 I have is my NeXT, and I’m not doing any experiments on that. I do however have it successfully cloned in the past.
Tried the wipe command several times, I have also been able to write successfully to blocks 1-6, and read them back. Also tried your hid clone test without success.
Think these are going in the bin, thanks for your tips, though.

Hmmm… can you confirm firmware and client version and hw tune output?

Also any chance these have had a password set or something?

Finally, have you considered test mode commands?

[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
 🕛   9
[=] ---------- LF Antenna ----------
[+] LF antenna: 26.65 V - 125.00 kHz
[+] LF antenna: 22.18 V - 134.83 kHz
[+] LF optimal: 27.76 V - 127.66 kHz
[+] Approx. Q factor (*): 7.2 by frequency bandwidth measurement
[+] Approx. Q factor (*): 8.1 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 15.13 V - 13.56 MHz
[+] Approx. Q factor (*): 4.4 by peak voltage measurement
[+] HF antenna is OK

 [ CLIENT ]
  RRG/Iceman/master/v4.14434-106-g0bcaf5b47 2021-11-26 11:26:58
  compiled with............. GCC 10.2.1 20210110
  platform.................. Linux / arm
  Readline support.......... present
  QT GUI support............ present
  native BT support......... present
  Python script support..... present
  Lua SWIG support.......... present
  Python SWIG support....... present

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.14434-106-g0bcaf5b47 2021-11-26 07:17:57
       os: RRG/Iceman/master/v4.14434-106-g0bcaf5b47 2021-11-26 11:49:24
  compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
  HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
  HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 53% used )

There is of course a possibility that these are not as the ali store says, but lf t5 detect says there is no password set. That’s the only info I have.

I’m not aware of any test modes, what are these?

Try: lf t55xx write -b 0 -d 000880E0 -t
Then: lf t55xx wipe

I don’t know much about it but would the bit rate have anything to do with anything? Your tag shows RF/32 but it looks like your proxmark is going with RF/64

I’ve goofed up these T5577 coins before to a point where they are unpredictable and/or seem trashed, I’ve been able to bring them back with a blue cloner of all tools :grinning_face_with_smiling_eyes:

Doesn’t seem to help.

Yes, I am aware of the bitrate difference, so I have tried

lf em 41 clone --id 1122334455 --clk 32

Doesn’t seem to help either.

That’s the only test mode I know, usually fixes things for me, sorry I couldn’t help.

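Added example, not part of any post in this thread and not Proxmark code: a Python check of the values in the output above. It rebuilds the 64-bit EM4102 frame that `lf em 41 clone` reported writing and splits block 0 into the fields `lf t5 info` prints. Assumptions: field positions follow the T5577 non-extended-mode layout, and `0x00148040` (RF/64, Manchester, max block 2) is the usual EM4102 config word; the function names are hypothetical.

```python
# Added example: constructed check of the values shown in the thread's output.
BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
EM4102_CONFIG = 0x00148040  # assumption: usual EM4102 config word, not from the page

def em4102_frame(tag_id_hex: str) -> int:
    """Build the 64-bit EM4102 frame for a 5-byte (10 hex digit) ID."""
    if len(tag_id_hex) != 10:
        raise ValueError("EM4102 IDs are exactly 10 hex digits")
    nibbles = [int(c, 16) for c in tag_id_hex]   # ValueError on non-hex input
    bits = [1] * 9                               # header: nine 1 bits
    for n in nibbles:
        row = [(n >> s) & 1 for s in (3, 2, 1, 0)]
        bits += row + [sum(row) & 1]             # 4 data bits + even row parity
    for s in (3, 2, 1, 0):                       # even parity over each column
        bits.append(sum((n >> s) & 1 for n in nibbles) & 1)
    bits.append(0)                               # stop bit
    return int("".join(map(str, bits)), 2)

def decode_block0(word: int) -> dict:
    """Split a T55x7 config word (non-extended mode) into its fields."""
    return {
        "safer_key": (word >> 28) & 0xF,
        "bit_rate": BIT_RATES[(word >> 18) & 0x7],
        "extended_mode": bool((word >> 17) & 1),
        "modulation": (word >> 12) & 0x1F,       # 8 = Manchester
        "max_block": (word >> 5) & 0x7,
        "password_mode": bool((word >> 4) & 1),
        "sequence_terminator": bool((word >> 3) & 1),
    }

def clone_took(block0_after: int) -> bool:
    """True if block 0 read back after a clone matches the EM4102 settings."""
    got, want = decode_block0(block0_after), decode_block0(EM4102_CONFIG)
    keys = ("bit_rate", "modulation", "max_block")
    return all(got[k] == want[k] for k in keys)

if __name__ == "__main__":
    frame = em4102_frame("1122334455")           # ID used in the thread
    print(f"blocks 1-2: {frame >> 32:08X} {frame & 0xFFFFFFFF:08X}")
    print(decode_block0(0x000880E8))             # block 0 from `lf t5 detect`
    print("clone config present:", clone_took(0x000880E8))
```

A block 0 that still decodes as RF/32 with max block 7 after the clone command means the configuration write did not take, whatever the data blocks read back as.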