T55x7 password problem

Support
1

Hi.
I have a T55x7 card that is password protected from a blue cloner. I have snifft the cloners write data and got password 51243648

Version info and hw tune

[=] Session log /home/teeny/.proxmark3/logs/log_20201224.txt
[+] loaded from JSON file /home/teeny/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝ Iceman :coffee:
╚═╝ ╚═╝ ╚═╝╚════╝ :snowflake: bleeding edge

GitHub - RfidResearchGroup/proxmark3: Iceman Fork - Proxmark3

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman/master/v4.9237-2649-g83eea0532 2020-12-23 01:50:53
compiled with GCC 9.3.0 OS:Linux ARCH:x86_64

[ PROXMARK3 ]
firmware… PM3RDV4
external flash… present
smartcard reader… present
FPC USART for BT add-on… absent

[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-2649-g83eea0532 2020-12-23 01:51:16
os: RRG/Iceman/master/v4.9237-2649-g83eea0532 2020-12-23 01:51:28
compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
–= uC: AT91SAM7S512 Rev A
–= Embedded Processor: ARM7TDMI
–= Nonvolatile Program Memory Size: 512K bytes, Used: 309684 bytes (59%) Free: 214604 bytes (41%)
–= Second Nonvolatile Program Memory Size: None
–= Internal SRAM Size: 64K bytes
–= Architecture Identifier: AT91SAM7Sxx Series
–= Nonvolatile Program Memory Type: Embedded Flash Memory

[usb] pm3 → hw tune
[=] REMINDER: ‘hw tune’ doesn’t actively tune your antennas, it’s only informative
[=] Measuring antenna characteristics, please wait…
:clock12: 9
[=] ---------- LF Antenna ----------
[+] LF antenna: 37,59 V - 125,00 kHz
[+] LF antenna: 27,32 V - 134,83 kHz
[+] LF optimal: 37,59 V - 125,00 kHz
[+] Approx. Q factor (): 5,8 by frequency bandwidth measurement
[+] Approx. Q factor (): 6,6 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 47,07 V - 13.56 MHz
[+] Approx. Q factor (*): 8,2 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134,83 kHz, 95 (red) is 125,00 kHz.

[usb] pm3

Sniff data

+] Downlink mode | password | Data | blk | page | 0 | 1 | raw
[+] ----------------------±---------±---------±----±-----±----±----±------------------------------------------------------------
[+] Default pwd write | 51243648 | 51243648 | 7 | 0 | 18 | 43 | 1001010001001001000011011001001000001010001001001000011011001001000111
[+] -----------------------------------------------------------------------------------------------------------------------------------------------------

But when i try and detect the card i get.

Detect

[usb] pm3 → lf t55xx detect
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
[usb] pm3 → lf t55xx detect p 51243648
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
[usb] pm3 → lf t55xx p1detect p 51243648
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’

i have tested to write to block 0 with lf t55 write b 0 d 00088048 p 51243648 with and without test mode
but i cant remove the password bit but when i try and change the id with the blue cloner i can change it.

Blue Cloner

[usb] pm3 → lf sea

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 3100F87DDE
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 8C001FBE7B
[=] HoneyWell IdentKey
[+] DEZ 8 : 16285150
[+] DEZ 10 : 0016285150
[+] DEZ 5.5 : 00248.32222
[+] DEZ 3.5A : 049.32222
[+] DEZ 3.5B : 000.32222
[+] DEZ 3.5C : 248.32222
[+] DEZ 14/IK2 : 00210469682654
[+] DEZ 15/IK3 : 000601297501819
[+] DEZ 20/ZK : 08120000011511140711
[=]
[+] Other : 32222_248_16285150
[+] Pattern Paxton : 839695326 [0x320CBBDE]
[+] Pattern 1 : 16045439 [0xF4D57F]
[+] Pattern Sebury : 32222 120 7896542 [0x7DDE 0x78 0x787DDE]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

Couldn’t identify a chipset
[usb] pm3 → lf sea

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 010C8BE4A9
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 8030D12795
[=] HoneyWell IdentKey
[+] DEZ 8 : 09168041
[+] DEZ 10 : 0210494633
[+] DEZ 5.5 : 03211.58537
[+] DEZ 3.5A : 001.58537
[+] DEZ 3.5B : 012.58537
[+] DEZ 3.5C : 139.58537
[+] DEZ 14/IK2 : 00004505461929
[+] DEZ 15/IK3 : 000550574827413
[+] DEZ 20/ZK : 08000300130102070905
[=]
[+] Other : 58537_139_09168041
[+] Pattern Paxton : 27271849 [0x1A022A9]
[+] Pattern 1 : 3063301 [0x2EBE05]
[+] Pattern Sebury : 58537 11 779433 [0xE4A9 0xB 0xBE4A9]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

Couldn’t identify a chipset

i have played with lf t55 config to try and set it and get it to work but im a bit stuck and runing out of ides.

2

Let me know if this helps (unlock selection)

Good luck

3

I’m actually shocked how pervasive this “password” is on the internet…

https://www.google.com/search?q=51243648

4

Stop buying (later selling) blue cloners, force us to use proper hardware.

2 Likes
5

Unfortunately, that does not help. I can lock a new tag with proxmark and unlock it but not that tag.

Summary

teeny@ubuntu:~$ pm3
[=] Session log /home/teeny/.proxmark3/logs/log_20201224.txt
[+] loaded from JSON file /home/teeny/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝ Iceman :coffee:
╚═╝ ╚═╝ ╚═╝╚════╝ :snowflake: bleeding edge

GitHub - RfidResearchGroup/proxmark3: Iceman Fork - Proxmark3

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman/master/v4.9237-2649-g83eea0532 2020-12-23 01:50:53
compiled with GCC 9.3.0 OS:Linux ARCH:x86_64

[ PROXMARK3 ]
firmware… PM3RDV4
external flash… present
smartcard reader… present
FPC USART for BT add-on… absent

[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-2649-g83eea0532 2020-12-23 01:51:16
os: RRG/Iceman/master/v4.9237-2649-g83eea0532 2020-12-23 01:51:28
compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
–= uC: AT91SAM7S512 Rev A
–= Embedded Processor: ARM7TDMI
–= Nonvolatile Program Memory Size: 512K bytes, Used: 309684 bytes (59%) Free: 214604 bytes (41%)
–= Second Nonvolatile Program Memory Size: None
–= Internal SRAM Size: 64K bytes
–= Architecture Identifier: AT91SAM7Sxx Series
–= Nonvolatile Program Memory Type: Embedded Flash Memory

[usb] pm3 → hw tune
[=] REMINDER: ‘hw tune’ doesn’t actively tune your antennas, it’s only informative
[=] Measuring antenna characteristics, please wait…
:clock12: 9
[=] ---------- LF Antenna ----------
[+] LF antenna: 37,74 V - 125,00 kHz
[+] LF antenna: 27,38 V - 134,83 kHz
[+] LF optimal: 37,74 V - 125,00 kHz
[+] Approx. Q factor (): 5,8 by frequency bandwidth measurement
[+] Approx. Q factor (): 6,6 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 47,49 V - 13.56 MHz
[+] Approx. Q factor (*): 8,3 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134,83 kHz, 95 (red) is 125,00 kHz.

[usb] pm3 → lf t55 det
[=] Chip Type : T55x7
[=] Modulation : ASK
[=] Bit Rate : 5 - RF/64
[=] Inverted : No
[=] Offset : 33
[=] Seq. Term. : Yes
[=] Block0 : 0x00148041 (Auto detect)
[=] Downlink Mode : default/fixed bit length
[=] Password Set : No

[usb] pm3 → lf t55 dump
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | 00148041 | 00000000000101001000000001000001 | …A
[+] 01 | FF8060C4 | 11111111100000000110000011000100 | …. [+] 02 | 6FD4D24E | 01101111110101001101001001001110 | o..N [+] 03 | A99AA96A | 10101001100110101010100101101010 | ...j [+] 04 | 00000000 | 00000000000000000000000000000000 | .... [+] 05 | 00000000 | 00000000000000000000000000000000 | .... [+] 06 | 00000000 | 00000000000000000000000000000000 | .... [+] 07 | 00000000 | 00000000000000000000000000000000 | .... [+] Reading Page 1: [+] blk | hex data | binary | ascii [+] ----+----------+----------------------------------+------- [+] 00 | 00148041 | 00000000000101001000000001000001 | ...A [+] 01 | 00000000 | 00000000000000000000000000000000 | .... [+] 02 | 00000000 | 00000000000000000000000000000000 | .... [+] 03 | 00000000 | 00000000000000000000000000000000 | .... [+] saved to json file lf-t55xx-FF8060C4-6FD4D24E-A99AA96A-dump-3.json [+] saved 12 blocks to text file lf-t55xx-FF8060C4-6FD4D24E-A99AA96A-dump-3.eml [+] saved 48 bytes to binary file lf-t55xx-FF8060C4-6FD4D24E-A99AA96A-dump-3.bin [usb] pm3 --> lf t55xx write b 7 d 51243648 [=] Writing page 0 block: 07 data: 0x51243648 [usb] pm3 --> lf t55 dump [+] Reading Page 0: [+] blk | hex data | binary | ascii [+] ----+----------+----------------------------------+------- [+] 00 | 00148041 | 00000000000101001000000001000001 | ...A [+] 01 | FF8060C4 | 11111111100000000110000011000100 | ...
[+] 02 | 6FD4D24E | 01101111110101001101001001001110 | o…N
[+] 03 | A99AA96A | 10101001100110101010100101101010 | …j
[+] 04 | 00000000 | 00000000000000000000000000000000 | …
[+] 05 | 00000000 | 00000000000000000000000000000000 | …
[+] 06 | 00000000 | 00000000000000000000000000000000 | …
[+] 07 | 51243648 | 01010001001001000011011001001000 | Q$6H
[+] Reading Page 1:
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | 00148041 | 00000000000101001000000001000001 | …A
[+] 01 | 00000000 | 00000000000000000000000000000000 | …
[+] 02 | 00000000 | 00000000000000000000000000000000 | …
[+] 03 | 00000000 | 00000000000000000000000000000000 | …
[+] saved to json file lf-t55xx-FF8060C4-6FD4D24E-A99AA96A-dump-4.json
[+] saved 12 blocks to text file lf-t55xx-FF8060C4-6FD4D24E-A99AA96A-dump-4.eml
[+] saved 48 bytes to binary file lf-t55xx-FF8060C4-6FD4D24E-A99AA96A-dump-4.bin
[usb] pm3 → lf t55xx write b 0 d 00148051
[=] Writing page 0 block: 00 data: 0x00148051
[usb] pm3 → lf t55 det
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
[usb] pm3 → lf t55 det p 51243648
[=] Chip Type : T55x7
[=] Modulation : ASK
[=] Bit Rate : 5 - RF/64
[=] Inverted : No
[=] Offset : 33
[=] Seq. Term. : Yes
[=] Block0 : 0x00148051 (Auto detect)
[=] Downlink Mode : default/fixed bit length
[=] Password Set : Yes
[=] Password : 51243648

[usb] pm3 → lf t55xx write b 0 d 00148041 p 51243648
[=] Writing page 0 block: 00 data: 0x00148041 pwd: 0x51243648
[usb] pm3 → lf t55 det
[=] Chip Type : T55x7
[=] Modulation : ASK
[=] Bit Rate : 5 - RF/64
[=] Inverted : No
[=] Offset : 33
[=] Seq. Term. : Yes
[=] Block0 : 0x00148041 (Auto detect)
[=] Downlink Mode : default/fixed bit length
[=] Password Set : No

6

Check the link @Pilgrimsmaster posted… @TomHarkness sorted out a way to use test mode commands to wipe the t5577s

7

Someone’s supposed to be on holiday.
tenor (2)

5 Likes
8

I checkt the link form @Pilgrimsmaster but it dident work. And i have Followed @TomHarkness link to

Summary

[usb] pm3 → lf t55xx detect
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
[usb] pm3 → lf t55 trace
[usb] pm3 → lf t55xx wipe

[=] Begin wiping T55x7 tag

[=] Default configation block 000880E0
[=] Writing page 0 block: 00 data: 0x000880E0
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
[usb] pm3 → lf t55xx write b 1 d E0150A48 1
[=] Writing page 1 block: 01 data: 0xE0150A48
[usb] pm3 → lf t55xx write b 2 d 2D782308 1
[=] Writing page 1 block: 02 data: 0x2D782308
[usb] pm3 → lf t55xx write b 0 d 00088040 p 51243648
[=] Writing page 0 block: 00 data: 0x00088040 pwd: 0x51243648
[usb] pm3 → lf sea

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 010C8BE4A9
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 8030D12795
[=] HoneyWell IdentKey
[+] DEZ 8 : 09168041
[+] DEZ 10 : 0210494633
[+] DEZ 5.5 : 03211.58537
[+] DEZ 3.5A : 001.58537
[+] DEZ 3.5B : 012.58537
[+] DEZ 3.5C : 139.58537
[+] DEZ 14/IK2 : 00004505461929
[+] DEZ 15/IK3 : 000550574827413
[+] DEZ 20/ZK : 08000300130102070905
[=]
[+] Other : 58537_139_09168041
[+] Pattern Paxton : 27271849 [0x1A022A9]
[+] Pattern 1 : 3063301 [0x2EBE05]
[+] Pattern Sebury : 58537 11 779433 [0xE4A9 0xB 0xBE4A9]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

Couldn’t identify a chipset
[usb] pm3

9

One thing to try is different distances and orientations of tag to the antenna. The t5577 works exclusively on pulse timings and I’ve noticed that just having a good coupling isn’t enough… for some functions I literally have to move the tag further away from the antenna… for example when writing a t5577 to fdx-b I must move it away but to read it after I must move it slightly closer.

10

Hah…

One thing I see here; you haven’t used test mode to rewrite a config block to this tag? The summary you provided basically shows that, yes, you did the traceability data, but that’s only needed when you, specifically have used test mode. You don’t need to rewrite page 1 without it.

Try and rewrite the bare config block 0 data using this command:

lf t55xx write b 0 d 000880E0 p 51243648 t

Then run a:

lf t55xx wipe

After this, see if you can run a:

lf t55 trace

and report back.

2 Likes
11

As i said i have already tested it. And it does not work. But it does not hurt to try again.

Summary

[+] loaded from JSON file /home/teeny/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝ Iceman :coffee:
╚═╝ ╚═╝ ╚═╝╚════╝ :snowflake: bleeding edge

GitHub - RfidResearchGroup/proxmark3: Iceman Fork - Proxmark3

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman/master/v4.9237-2649-g83eea0532 2020-12-23 01:50:53
compiled with GCC 9.3.0 OS:Linux ARCH:x86_64

[ PROXMARK3 ]
firmware… PM3RDV4
external flash… present
smartcard reader… present
FPC USART for BT add-on… absent

[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-2649-g83eea0532 2020-12-23 01:51:16
os: RRG/Iceman/master/v4.9237-2649-g83eea0532 2020-12-23 01:51:28
compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
–= uC: AT91SAM7S512 Rev A
–= Embedded Processor: ARM7TDMI
–= Nonvolatile Program Memory Size: 512K bytes, Used: 309684 bytes (59%) Free: 214604 bytes (41%)
–= Second Nonvolatile Program Memory Size: None
–= Internal SRAM Size: 64K bytes
–= Architecture Identifier: AT91SAM7Sxx Series
–= Nonvolatile Program Memory Type: Embedded Flash Memory

[usb] pm3 → hw tune
[=] REMINDER: ‘hw tune’ doesn’t actively tune your antennas, it’s only informative
[=] Measuring antenna characteristics, please wait…
:clock12: 9
[=] ---------- LF Antenna ----------
[+] LF antenna: 37,79 V - 125,00 kHz
[+] LF antenna: 27,22 V - 134,83 kHz
[+] LF optimal: 37,79 V - 125,00 kHz
[+] Approx. Q factor (): 5,8 by frequency bandwidth measurement
[+] Approx. Q factor (): 6,6 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 47,61 V - 13.56 MHz
[+] Approx. Q factor (*): 8,3 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134,83 kHz, 95 (red) is 125,00 kHz.

[usb] pm3 → lf t55xx write b 0 d 000880E0 p 51243648 t
[=] Writing page 0 block: 00 data: 0x000880E0 pwd: 0x51243648
[#] Using Test Mode
[usb] pm3 → lf t55xx wipe

[=] Begin wiping T55x7 tag

[=] Default configation block 000880E0
[=] Writing page 0 block: 00 data: 0x000880E0
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
[usb] pm3 → lf t55 trace
[usb] pm3 → lf t55 det
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’

12

One thing which could be happening is that you’re not actually getting a good coupling, and thus are unable to properly write block 0.

Unfortunately, with a password set, you cannot usually use the traceability / detection to check coupling. If its a full size card, consider moving it a bit further away from the antenna, sometimes further away is actually better.