xEM (and 2 test cards) giving garbage

non-bin · September 28, 2021, 9:33am

I just got off a call with Our Lord And Savior @Amal Graafstra and we have no idea what’s going on.

@Amal the implant is giving a signal, I was wrong about it just giving off noise

TLDR

Three t5577s are non-functional, all in different ways. I don’t know if I got really unlucky, my proxmark is broken, or I broke them all.

Proxmark

I have a PM3 Easy, and the 2 t5577 cards I talk about came with it from DT

Here's the PM3 startup stuff if you want it

[=] Session log D:\ProxSpace\pm3/.proxmark3/logs/log_20210928.txt
[+] loaded from JSON file D:\ProxSpace\pm3/.proxmark3/preferences.json
[=] Using UART port com8
[=] Communicating with PM3 over USB-CDC


	██████╗ ███╗   ███╗█████╗
	██╔══██╗████╗ ████║╚═══██╗
	██████╔╝██╔████╔██║ ████╔╝
	██╔═══╝ ██║╚██╔╝██║ ╚══██╗
	██║     ██║ ╚═╝ ██║█████╔╝
	╚═╝     ╚═╝     ╚═╝╚════╝     [  Iceman  ]




[ Proxmark3 RFID instrument ]

[ CLIENT ]
	client: RRG/Iceman/master/v4.14434-14-g1850e9fa4 2021-09-28 17:11:53
	compiled with MinGW-w64 10.3.0 OS:Windows (64b) ARCH:x86_64

[ PROXMARK3 ]
	firmware.................. PM3 GENERIC

[ ARM ]
	bootrom: RRG/Iceman/master/v4.14434-14-g1850e9fa4 2021-09-28 17:14:34
			os: RRG/Iceman/master/v4.14434-14-g1850e9fa4 2021-09-28 17:15:16
	compiled with GCC 10.1.0

[ FPGA ]
	LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
	HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
	HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

[ Hardware ]
	--= uC: AT91SAM7S512 Rev B
	--= Embedded Processor: ARM7TDMI
	--= Internal SRAM size: 64K bytes
	--= Architecture identifier: AT91SAM7Sxx Series
	--= Embedded flash memory 512K bytes ( 53% used )

[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
[/] 10
[=] ---------- LF Antenna ----------
[+] LF antenna: 24.47 V - 125.00 kHz
[+] LF antenna: 15.95 V - 134.83 kHz
[+] LF optimal: 26.90 V - 120.00 kHz
[+] Approx. Q factor (*): 6.8 by frequency bandwidth measurement
[+] Approx. Q factor (*): 7.8 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 15.20 V - 13.56 MHz
[+] Approx. Q factor (*): 4.4 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

Cards

I have an NExT and 2 t5577 test cards which do the following

Implant LF side

(HF side works flawlessly)
300mV drop on lf tune
lf search says No known 125/134 kHz tags found! Couldn't identify a chipset
data plot shows a repeating sin-like wave but it only peaks at around 15 units at best (120 for other cards)

Implant data plot

Card A

theoretically a t5577, from DT
lf search finds an Indala ID but it changes every time I scan (most likely an error) and doesn’t find any chipset
data plot shows a repeating heartbeat-like pattern

Card A data plot

Card B

theoretically a t5577, from DT
lf search doesn’t find any tags, but does identify a t55xx chipset
I don’t really know how to describe this ones data plot
the plot changes to what looks like an EM410x and back during an ld search

Card B data plot

Zoomed out:

Door card

card from an LF access system
Shows up as an EM410x

Door card plot

Tests

I’ve done everything on my NExT and the two t5577 cards

Card A

lf t5 detect

Says this only when the antenna is touching the card, but dump returns 00040004 for all blocks in page 0, and 096B2184 in page 1, and writes don’t work

[=]  Chip type......... T55x7
[=]  Modulation........ DIRECT/NRZ
[=]  Bit rate.......... 1 - RF/16
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... No
[=]  Block0............ 00040004 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

lf t5 p1detect

Nothing

lf t5 info

Nothing

lf t5 brute -s 00000000 -e ffffffff

Succeeds on any password, saying:

[=]  Chip type......... T55x7
[=]  Modulation........ DIRECT/NRZ
[=]  Bit rate.......... 1 - RF/16
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... No
[=]  Block0............ 00040004 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... Yes
[=]  Password.......... 00000200

I think this is just because it’s reading 00040004 for the config block

Test mode

this with password 11111111, 00000000, and no password; and all those at different distances:

lf t5 write -b 0 -d 00107071 -p 11111111 -t
lf t5 wipe
lf em 41 clone --id 0F0368568B
lf search

No change.

Card B

lf t5 detect

Nope

lf t5 p1detect

[+] T55xx chip found! Downlink Mode used : default/fixed bit length

lf t5 info

Nothing

lf t5 brute -s 00000000 -e ffffffff

Nup

Test mode

Same script as before, tried alt passwords and different distances.
Nothing at all.

Implant

lf t5 detect

Nufin

lf t5 p1detect

Zilch

lf t5 info

literally nothing but a linefeed

lf t5 brute -s 00000000 -e ffffffff

Noop

Test mode

Same , and you guessed it, nothing.

Raw input/output

Script

lf t5 write -b 0 -d 00107071 -p 11111111 -t
lf t5 wipe
lf em 41 clone --id 0F0368568B
lf search

lf t5 write -b 0 -d 00107071 -p 00000000 -t
lf t5 wipe
lf em 41 clone --id 0F0368568B
lf search

lf t5 write -b 0 -d 00107071 -t
lf t5 wipe
lf em 41 clone --id 0F0368568B
lf search

lf t5 detect
lf t5 p1detect
lf t5 info
lf t5 recover

Card A (2cm)

[usb] pm3 --> lf t5 write -b 0 -d 00107071 -p 11111111 -t
[=] Writing page 0  block: 00  data: 0x00107071 pwd: 0x11111111
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] Indala (len 118)  Raw: 7ffffffffffffffffffffffffffffc00000200000002000000020000

[+] Valid Indala ID found!

[=] Couldn't identify a chipset
[usb] pm3 -->
[usb] pm3 --> lf t5 write -b 0 -d 00107071 -p 00000000 -t
[=] Writing page 0  block: 00  data: 0x00107071 pwd: 0x00000000
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] No known 125/134 kHz tags found!
[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
[usb] pm3 -->
[usb] pm3 --> lf t5 write -b 0 -d 00107071 -t
[=] Writing page 0  block: 00  data: 0x00107071
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] Indala (len 141)  Raw: 80000000000000000000000000000bfffffdffffff02000000020000

[+] Valid Indala ID found!

[=] Couldn't identify a chipset
[usb] pm3 -->
[usb] pm3 --> lf t5 detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t5 p1detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t5 info
[usb] pm3 --> lf t5 recover
[=] press <Enter> to exit
[=] Trying password 00000001
[=] Trying password 00000002
[=] Trying password 00000004
[=] Trying password 00000008
[=] Trying password 00000010
[=] Trying password 00000020
[=] Trying password 00000040
[=] Trying password 00000080
[=] Trying password 00000100
[=] Trying password 00000200
[=] Trying password 00000400
[=] Trying password 00000800
[=] Trying password 00001000
[=] Trying password 00002000
[=] Trying password 00004000
[=] Trying password 00008000
[=] Trying password 00010000
[=] Trying password 00020000
[=] Trying password 00040000
[=] Trying password 00080000
[=] Trying password 00100000
[=] Trying password 00200000
[=] Trying password 00400000
[=] Trying password 00800000
[=] Trying password 01000000
[=] Trying password 02000000
[=] Trying password 04000000
[=] Trying password 08000000
[=] Trying password 10000000
[=] Trying password 20000000
[=] Trying password 40000000
[=] Trying password 80000000
[=] Trying password 00000000

[-] Recover password failed
[usb] pm3 -->

Card A (Touching)

[usb] pm3 --> lf t5 write -b 0 -d 00107071 -p 11111111 -t
[=] Writing page 0  block: 00  data: 0x00107071 pwd: 0x11111111
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] Indala (len 173)  Raw: 80000000000000000000000000003fefffefffefffeffdfffdfffdff

[+] Valid Indala ID found!

[=] Couldn't identify a chipset
[usb] pm3 -->
[usb] pm3 --> lf t5 write -b 0 -d 00107071 -p 00000000 -t
[=] Writing page 0  block: 00  data: 0x00107071 pwd: 0x00000000
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] Indala (len 143)  Raw: 80000000000000000000000000000ff7fff7fefffef0010001000100

[+] Valid Indala ID found!

[=] Couldn't identify a chipset
[usb] pm3 -->
[usb] pm3 --> lf t5 write -b 0 -d 00107071 -t
[=] Writing page 0  block: 00  data: 0x00107071
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] Indala (len 187)  Raw: 80000000000000000000000000007ffbfffbfffbfffbfffffefffeff

[+] Valid Indala ID found!

[=] Couldn't identify a chipset
[usb] pm3 -->
[usb] pm3 -->
[usb] pm3 --> lf t5 detect
[=]  Chip type......... T55x7
[=]  Modulation........ DIRECT/NRZ
[=]  Bit rate.......... 1 - RF/16
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... No
[=]  Block0............ 00040004 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

[usb] pm3 --> lf t5 p1detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t5 info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 0
[=]  reserved                  : 0
[=]  Data bit rate             : 1 - RF/16
[=]  eXtended mode             : No
[=]  Modulation                : 0 - DIRECT (ASK/NRZ)
[=]  PSK clock frequency       : 0 - RF/2
[=]  AOR - Answer on Request   : No
[=]  OTP - One Time Pad        : No
[=]  Max block                 : 0
[=]  Password mode             : No
[=]  Sequence Terminator       : No
[=]  Fast Write                : Yes - Warning
[=]  Inverse data              : No
[=]  POR-Delay                 : No
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  00040004 - 00000000000001000000000000000100
[=] --- Fingerprint ------------

[usb] pm3 --> lf t5 recover
[=] press <Enter> to exit
[=] Trying password 00000001
[=]  Chip type......... T55x7
[=]  Modulation........ DIRECT/NRZ
[=]  Bit rate.......... 1 - RF/16
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... No
[=]  Block0............ 00040004 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... Yes
[=]  Password.......... 00000001


[+] Found valid password: [ 00000001 ]
Downlink Mode used : default/fixed bit length
[usb] pm3 -->

Card B

[usb] pm3 --> lf t5 write -b 0 -d 00107071 -p 11111111 -t
[=] Writing page 0  block: 00  data: 0x00107071 pwd: 0x11111111
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] No known 125/134 kHz tags found!
[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
[usb] pm3 -->
[usb] pm3 --> lf t5 write -b 0 -d 00107071 -p 00000000 -t
[=] Writing page 0  block: 00  data: 0x00107071 pwd: 0x00000000
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] No known 125/134 kHz tags found!
[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
[usb] pm3 -->
[usb] pm3 --> lf t5 write -b 0 -d 00107071 -t
[=] Writing page 0  block: 00  data: 0x00107071
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] No known 125/134 kHz tags found!
[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
[usb] pm3 -->
[usb] pm3 -->
[usb] pm3 --> lf t5 detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t5 p1detect
[+] T55xx chip found!
Downlink Mode used : default/fixed bit length
[usb] pm3 --> lf t5 info
[usb] pm3 --> lf t5 recover
[=] press <Enter> to exit
[=] Trying password 00000001
[=] Trying password 00000002
[=] Trying password 00000004
[=] Trying password 00000008
[=] Trying password 00000010
[=] Trying password 00000020
[=] Trying password 00000040
[=] Trying password 00000080
[=] Trying password 00000100
[=] Trying password 00000200
[=] Trying password 00000400
[=] Trying password 00000800
[=] Trying password 00001000
[=] Trying password 00002000
[=] Trying password 00004000
[=] Trying password 00008000
[=] Trying password 00010000
[=] Trying password 00020000
[=] Trying password 00040000
[=] Trying password 00080000
[=] Trying password 00100000
[=] Trying password 00200000
[=] Trying password 00400000
[=] Trying password 00800000
[=] Trying password 01000000
[=] Trying password 02000000
[=] Trying password 04000000
[=] Trying password 08000000
[=] Trying password 10000000
[=] Trying password 20000000
[=] Trying password 40000000
[=] Trying password 80000000
[=] Trying password 00000000

[-] Recover password failed
[usb] pm3 -->

Implant

How are you reading this?! Well done, have a cookie

[usb] pm3 --> lf t5 write -b 0 -d 00107071 -p 11111111 -t
[=] Writing page 0  block: 00  data: 0x00107071 pwd: 0x11111111
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn't identify a chipset
[usb] pm3 -->
[usb] pm3 --> lf t5 write -b 0 -d 00107071 -p 00000000 -t
[=] Writing page 0  block: 00  data: 0x00107071 pwd: 0x00000000
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn't identify a chipset
[usb] pm3 -->
[usb] pm3 --> lf t5 write -b 0 -d 00107071 -t
[=] Writing page 0  block: 00  data: 0x00107071
[#] Using Test Mode
[usb] pm3 --> lf t5 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 --> lf em 41 clone --id 0F0368568B
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 0F0368568B (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff83c03322a646e4

[+] Done
[?] Hint: try `lf em 410x reader` to verify
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn't identify a chipset
[usb] pm3 -->
[usb] pm3 -->
[usb] pm3 --> lf t5 detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t5 p1detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t5 info
[usb] pm3 --> lf t5 recover
[=] press <Enter> to exit
[=] Trying password 00000001
[=] Trying password 00000002
[=] Trying password 00000004
[=] Trying password 00000008
[=] Trying password 00000010
[=] Trying password 00000020
[=] Trying password 00000040
[=] Trying password 00000080
[=] Trying password 00000100
[=] Trying password 00000200
[=] Trying password 00000400
[=] Trying password 00000800
[=] Trying password 00001000
[=] Trying password 00002000
[=] Trying password 00004000
[=] Trying password 00008000
[=] Trying password 00010000
[=] Trying password 00020000
[=] Trying password 00040000
[=] Trying password 00080000
[=] Trying password 00100000
[=] Trying password 00200000
[=] Trying password 00400000
[=] Trying password 00800000
[=] Trying password 01000000
[=] Trying password 02000000
[=] Trying password 04000000
[=] Trying password 08000000
[=] Trying password 10000000
[=] Trying password 20000000
[=] Trying password 40000000
[=] Trying password 80000000
[=] Trying password 00000000

[-] Recover password failed
[usb] pm3 -->

I’m very impressed you got here, but I’m suffering so you should too

anon3825968 · September 28, 2021, 11:51am

…which screams faulty Proxmark. Because that’s the common denominator. Kind of like if you feel all the roads in your area are shot, perhaps you have a flat tire.

non-bin · September 28, 2021, 12:04pm

You might be right, but I have 2 basic em410 cards that both work fine (can’t test writes with them though)

I’m meeting up with @Compgeek at some point, and they have a pm3 with an LH glassie antenna. Hopefully that will help figure out what it is

non-bin · October 7, 2021, 9:08am

Ok, I got some more t5577 fobs today and set out straight away trying to break them. I succeeded in getting one to act like one of my broken cards by writing garbage to block 0, and after fixing it, I managed to fix the other two! they both had passwords and using lf t5 wipe -p 00000000 worked but the test mode commands didn’t work ¯_(ツ)_/¯ I guess it is undocumented. So I’ve tried all the passwords I can think of on the implant and got nothing, has anyone got any suggestions for a password recovery? I don’t have 4.7 years to brute force it

@amal I’m getting a 403 permission denied trying to edit the original post, is that because there are comments?

anon3825968 · October 7, 2021, 10:11am

See here:

The 403 is because your post contains evil-looking code.

Jirvin · October 12, 2021, 10:03pm

I have some strong opinions that you dont have T5577s but instead have T5200s. The key difference is that the 5200s dont support test mode and are usually pre-programmed with a blank password.

The proxmark does have some password recovery features for the T5577s.
The command for this is lf t5577 recoverpw -h.
Please heed the warning which states “WARNING this may brick non-password protected chips!”

In any case, Id highly recommend reading the following notes before trying anything to get some gather an overall understanding of the T55xx and its password functionality:

github.com

RfidResearchGroup/proxmark3/blob/master/doc/T5577_Guide.md#t5577-introduction-guide

# T5577 Introduction Guide

### Based on RRG/Iceman Proxmark3 repo

### Ver.1 8 Sep 2019
### Ver.2 7 March 2021

| Contents                                                                            |
| ----------------------------------------------------------------------------------- |
| [Part 1](#part-1)                                                                   |
| [Introduction](#introduction)                                                       |
| [T5577 Overview](#t5577-overview)                                                   |
| [What data is on my T5577](#what-data-is-on-my-t5577)                               |
| [Read and Write Blocks of Data](#read-and-write-blocks-of-data)                     |
| [Exercise 1](#exercise-1)                                                           |
| [How do I use a password](#how-do-i-use-a-password)                                 |
|                                                                                     |
| [Part 2 – Configuration Blocks](#part-2-configuration-blocks)                       |
| [The configuration Block – Block 0 Page 0](#the-configuration-block-block-0-page-0) |
| [Exercise 2](#exercise-2)                                                           |

This file has been truncated. show original

non-bin · October 13, 2021, 6:14am

Thanks so much, the proxmark identifies all my chips as t55x7 when I run lf t5 det, are is there a way I can be sure they’re not t5200s? anyway they’re all working now except my implant which is giving me nothing but a nice wave on the plot, I assume we’re sure they are actually t5577s in the NExT?
I think I’ve tried the recoverpw command before so maybe that’s what bricked it? It didn’t work this time either.
I had a read through the hithub page you sent too, it’s really well made but it sucks that it’s not finished

Jirvin · October 13, 2021, 6:23pm

The proxmark doesnt have detection for T5200s (yet…) so it will show as a T55xx from the proxmarks point of view.

The T5200s are strange in that they have no datasheet and are purely a product name used by card manufacturers. The key and really only difference between the two types is that the T5200 cards do not have a test mode.

The T5577 inside the NExT is a genuine Atmel T5577 and all of its functionality has been confirmed as such many times over previously; so no doubts there.

The Github page I linked was created by an extremely knowledgeable individual in LF cards and more specifically the T5577s/T5200s. It is sadly not finished and probably wont be anytime soon as I understand the author is quite the busy person already.

non-bin · October 13, 2021, 10:42pm

ok, well I’m kind of stumped as to what to do about my implant then. I feel like my only option is to brute force the password

Wolfizen · November 19, 2021, 10:01am

Hi!! I have something extremely similar with my NExT. The data plot is showing a pretty weak sin wave, and I can only get garbage when I dump the tag. I get lots of false positives as Indala but always with a random ID each time.

I get about a 100mV drop with lf tune. I’m thinking I might just need to wait a few more weeks to get better coupling.

Did you end up having any further successes?

non-bin · November 20, 2021, 7:44am

hopefully I’m meeting up with some people from the forum in person, and we’ll have a go then. I’ll let you know, and I just found out I did the same thing to my friends one as well

Wolfizen · November 20, 2021, 7:52am

Gotcha. I wish you luck then!!

I did eventually get mine working, here is the thread. Maybe it will help you!

non-bin · November 20, 2021, 8:03am

interesting, I’ll have a go with computer with a more powerful USB port

Wolfizen · November 20, 2021, 9:12am

It could be, but changing USB cables and ports did not work for me. I also never got the Proxmark to read. I suggest trying to just write to the tag anyways if you have a good waveform (see other thread) and then testing it out with the other readers you want to use it with.