Closed assasinfil closed 5 years ago
Or need instruction for set password
Have a look at the data sheet for specifics. Set the password in block 7 page 0, normal write. Set the max blocks as needed and make the password active by setting the bits in the config block 0 page 0. Once set, remember to use the password for future writes.
How to set the password is in the T5577 datasheet. Some systems check for clones in very strange ways. Sometimes you need to change data in block 0 and the card will work as the original. To check, you need to record the exchange between the T5577 and the reader.
@assasinfil did you get this working as needed? I don't think there is an issue with the software, just what you may need to do to make the reader happy with the T55xx.
To activate the password on the T5577 use these commands:
lf t55xx write b 7 d [password(8hex symbols)]
lf t55xx write b 0 d 00148050
If you need to disable the password, use:
lf t55xx write b 0 d 00148040 p [password]
The block 0 data will need to match that needed for the application, so I would read the current block 0 and set the password bit.
That is, for a block of 0, I just read what is written there and overwrite with a password?
On a T5577, page 0 block 7 is where the password must be stored if used. If you need to send out data from block 7 then you won't be able to set a password. e.g. … Set the password you want to use (and remember it):
lf t55xx write b 7 d [password(8hex symbols)]
… Tell the T5577 to use the password. This is the block 0 write. But an example that may or may not be what you need for your chip setup:
lf t55xx write b 0 d 00148050
If you need to disable the password, use:
lf t55xx write b 0 d 00148040 p [password]
The password is enabled by setting the 5th last bit (28); the other bits need to be set for your application. Can I suggest you look at the datasheet (page 9 to start) http://ww1.microchip.com/downloads/en/DeviceDoc/Atmel-9187-RFID-ATA5577C_Datasheet.pdf
Then try to work out what bit to change.
If unsure, please post the output from lf t55xx read b 0 and what you think it should look like to enable the password; someone will confirm for you. (This way, you will learn what to do for other projects.)
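The read-modify-write of block 0 described above, as an added example that is not part of the original thread or of the Proxmark3 code: a Python decoder for the T5577 basic-mode configuration word using the datasheet's bit numbering (bit 1 = MSB), run on block 0 values quoted in this thread. The function names are hypothetical.

```python
# Added example: decode a T5577 page 0 / block 0 configuration word.
# Datasheet convention: bit 1 is the MSB, bit 32 the LSB (basic-mode layout).

BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {
    0x00: "Direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
    0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
    0x08: "Manchester", 0x10: "Biphase",
}
PWD_MASK = 1 << (32 - 28)  # bit 28 is the PWD flag, i.e. 0x00000010


def field(word, first_bit, width):
    """Return `width` bits starting at datasheet bit `first_bit` (1 = MSB)."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)


def decode_block0(word):
    mod = field(word, 16, 5)
    return {
        "master_key": field(word, 1, 4),
        "reserved": field(word, 5, 7),
        "bit_rate": BIT_RATES[field(word, 12, 3)],
        "modulation": MODULATIONS.get(mod, "Unknown (0x%02X)" % mod),
        "max_block": field(word, 25, 3),
        "password": bool(word & PWD_MASK),
        "seq_terminator": bool(field(word, 29, 1)),
    }


def looks_plausible(word):
    """Basic-mode sanity check: reserved bits clear and a known modulation.

    Master key 6 or 9 selects extended mode, where this layout does not
    apply, so those words are not judged here.
    """
    cfg = decode_block0(word)
    if cfg["master_key"] in (0x6, 0x9):
        return True
    return cfg["reserved"] == 0 and not cfg["modulation"].startswith("Unknown")


def with_password_bit(word, enabled):
    """Set or clear only the PWD bit, leaving the application's bits untouched."""
    if not looks_plausible(word):
        # A misread block 0 must not be used as the base for a new config.
        raise ValueError("block 0 value 0x%08X looks like a misread" % word)
    return (word | PWD_MASK) if enabled else (word & ~PWD_MASK & 0xFFFFFFFF)


if __name__ == "__main__":
    # Block 0 values that appear in this thread.
    for value in (0x00148040, 0x00148050, 0x06C4A5FF):
        print("0x%08X plausible=%s %s" % (value, looks_plausible(value), decode_block0(value)))
    print("0x%08X" % with_password_bit(0x00148040, True))
```
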
It’s just that the whole problem started with the fact that I wanted to copy my key for the intercom (em) on t5577, but the intercom refuses to accept it, although they are identical. Intercom Fermax
I understand your challenge.
First up, I don't think this is a software issue and more a how to question.
There are many unknowns here, so what will and won't work will be found through testing and trying some things.
A few key unknowns.
From my perspective, the T5577 cards don't have a finalize as such. What you can do is change the config to make it harder to detect it as a T5577, but your challenge may be that your clone is not set up correctly yet, i.e. we don't know how it was set up or how it is meant to look.
We are trying to help you work the problem and find the solution.
can move this question to the forum?
Or maybe the key fob with the number on the case is read as t5577?
proxmark3> lf t55 info
-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
Safer key : 0
reserved : 54
Data bit rate : 1 - RF/16
eXtended mode : No
Modulation : 0x0A (Unknown)
PSK clock frequency : 1
AOR - Answer on Request : No
OTP - One Time Pad : Yes - Warning
Max block : 7
Password mode : Yes
Sequence Start Terminator : Yes
Fast Write : Yes
Inverse data : Yes
POR-Delay : Yes
-------------------------------------------------------------
Raw Data - Page 0
Block 0 : 0x06C4A5FF 00000110110001001010010111111111
-------------------------------------------------------------
That does not look right.
So I repeat again: post the output from "lf t55xx detect" and "lf t55 read b 0"
I tried the LF sim mode and let me intercom, but when I copy the key fob, the intercom does not allow.
lfsnoopfromfermax(raw).zip from orig key
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found:
EM TAG ID : 19004FC3C9
Possible de-scramble patterns
Unique TAG ID : 9800F2C393
HoneyWell IdentKey {
DEZ 8 : 05227465
DEZ 10 : 0005227465
DEZ 5.5 : 00079.50121
DEZ 3.5A : 025.50121
DEZ 3.5B : 000.50121
DEZ 3.5C : 079.50121
DEZ 14/IK2 : 00107379409865
DEZ 15/IK3 : 000652850938771
DEZ 20/ZK : 09080000150212030903
}
Other : 50121_079_05227465
Pattern Paxton : 425984457 [0x196401C9]
Pattern 1 : 9414531 [0x8FA783]
Pattern Sebury : 50121 79 5227465 [0xC3C9 0x4F 0x4FC3C9]
Valid EM410x ID Found!
proxmark3> lf t55 detect
Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
proxmark3> lf t55 read
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
proxmark3> lf t55 config b 64
Chip Type : T55x7
Modulation : ASK
Bit Rate : 5 - RF/64
Inverted : No
Offset : 0
Seq. Term. : No
Block0 : 0x00000000
proxmark3> lf t55 read
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
255 | 720013EC | 01110010000000000001001111101100
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 836252FF | 10000011011000100101001011111111
1 | 013EC1B1 | 00000001001111101100000110110001
2 | F1C8004F | 11110001110010000000000001001111
3 | 1297FC72 | 00010010100101111111110001110010
4 | FB06C4A5 | 11111011000001101100010010100101
5 | 40027D83 | 01000000000000100111110110000011
6 | FFC72001 | 71111111110001110010000000000001
7 | 36252FF8 | 00110110001001010010111111111000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 09F60D89 | 00001001111101100000110110001001
1 | 1C8004FB | 00011100100000000000010011111011
2 | 297FC720 | 00101001011111111100011100100000
3 | 60D894BF | 01100000110110001001010010111111
You need to sniff how the intercom sees that this is not its key. Basically, you need to change some parameters in block 0 of the T5577 and it will not see this, but which parameters depends on what the intercom does to check.
My intercom is FERMAX, but lf sim works to open the door.
And lf t55 dump: run it several times and see if they are the same. It looks like the proxmark can't read the modulation on the T5577.
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 836252FF | 10000011011000100101001011111111
1 | 013EC1B1 | 00000001001111101100000110110001
2 | F1C8004F | 11110001110010000000000001001111
3 | 1297FC72 | 00010010100101111111110001110010
4 | FB06C4A5 | 11111011000001101100010010100101
5 | 40027D83 | 01000000000000100111110110000011
6 | FFC72001 | 71111111110001110010000000000001
7 | 36252FF8 | 00110110001001010010111111111000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 09F60D89 | 00001001111101100000110110001001
1 | 1C8004FB | 00011100100000000000010011111011
2 | 297FC720 | 00101001011111111100011100100000
3 | 60D894BF | 01100000110110001001010010111111
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 836252FF | 10000011011000100101001011111111
1 | 013EC1B1 | 00000001001111101100000110110001
2 | F1C8004F | 11110001110010000000000001001111
3 | 1297FC72 | 00010010100101111111110001110010
4 | FB06C4A5 | 11111011000001101100010010100101
5 | 40027D83 | 01000000000000100111110110000011
6 | FFC72001 | 71111111110001110010000000000001
7 | 6C4A5FF1 | 01101100010010100101111111110001
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 13EC1B12 | 00010011111011000001101100010010
1 | 1C8004FB | 00011100100000000000010011111011
2 | 297FC720 | 00101001011111111100011100100000
3 | C1B1297F | 11000001101100010010100101111111
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | C8004FB0 | 11001000000000000100111110110000
1 | 97FC7200 | 10010111111111000111001000000000
2 | 06C4A5FF | 00000110110001001010010111111111
3 | 013EC1B1 | 00000001001111101100000110110001
4 | F1C8004F | 11110001110010000000000001001111
5 | 1297FC72 | 00010010100101111111110001110010
6 | F60D894B | 11110110000011011000100101001011
7 | 8004FB06 | 10000000000001001111101100000110
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 7FC72001 | 01111111110001110010000000000001
1 | 6C4A5FF1 | 01101100010010100101111111110001
2 | 13EC1B12 | 00010011111011000001101100010010
3 | 390009F6 | 00111001000000000000100111110110
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 297FC720 | 00101001011111111100011100100000
1 | B06C4A5F | 10110000011011000100101001011111
2 | 0027D836 | 00000000001001111101100000110110
3 | FE390009 | 11111110001110010000000000001001
4 | 6252FF8E | 01100010010100101111111110001110
5 | 9F60D894 | 10011111011000001101100010010100
6 | C8004FB0 | 11001000000000000100111110110000
7 | 2FF8E400 | 00101111111110001110010000000000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 06C4A5FF | 00000110110001001010010111111111
1 | 027D8362 | 00000010011111011000001101100010
2 | E390009F | 11100011100100000000000010011111
3 | 4A5FF1C8 | 01001010010111111111000111001000
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | EC1B1297 | 11101100000110110001001010010111
1 | 8004FB06 | 10000000000001001111101100000110
2 | 7FC72001 | 01111111110001110010000000000001
3 | 6C4A5FF1 | 01101100010010100101111111110001
4 | 13EC1B12 | 00010011111011000001101100010010
5 | 390009F6 | 00111001000000000000100111110110
6 | 52FF8E40 | 01010010111111111000111001000000
7 | C1B1297F | 11000001101100010010100101111111
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 004FB06C | 00000000010011111011000001101100
1 | FC720013 | 11111100011100100000000000010011
2 | 894BFE39 | 10001001010010111111111000111001
3 | FB06C4A5 | 11111011000001101100010010100101
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 90009F60 | 10010000000000001001111101100000
1 | 2FF8E400 | 00101111111110001110010000000000
2 | 0D894BFE | 00001101100010010100101111111110
3 | 04FB06C4 | 00000100111110110000011011000100
4 | C720013E | 11000111001000000000000100111110
5 | 4A5FF1C8 | 01001010010111111111000111001000
6 | EC1B1297 | 11101100000110110001001010010111
7 | 0009F60D | 00000000000010011111011000001101
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | FF8E4002 | 11111111100011100100000000000010
1 | B1297FC7 | 10110001001010010111111111000111
2 | 4FB06C4A | 01001111101100000110110001001010
3 | E40027D8 | 11100100000000000010011111011000
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | FF8E4002 | 71111111100011100100000000000010
1 | D894BFE3 | 11011000100101001011111111100011
2 | 27D83625 | 00100111110110000011011000100101
3 | 390009F6 | 00111001000000000000100111110110
4 | 52FF8E40 | 01010010111111111000111001000000
5 | 60D894BF | 01100000110110001001010010111111
6 | 0027D836 | 00000000001001111101100000110110
7 | FC720013 | 11111100011100100000000000010011
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | C4A5FF1C | 11000100101001011111111100011100
1 | 3EC1B129 | 00111110110000011011000100101001
2 | C8004FB0 | 11001000000000000100111110110000
3 | 2FF8E400 | 00101111111110001110010000000000
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 0D894BFE | 00001101100010010100101111111110
1 | 013EC1B1 | 00000001001111101100000110110001
2 | F1C8004F | 11110001110010000000000001001111
3 | 1297FC72 | 00010010100101111111110001110010
4 | FB06C4A5 | 71111011000001101100010010100101
5 | 20013EC1 | 00100000000000010011111011000001
6 | BFE39000 | 10111111111000111001000000000000
7 | 36252FF8 | 00110110001001010010111111111000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 09F60D89 | 00001001111101100000110110001001
1 | 1C8004FB | 00011100100000000000010011111011
2 | 297FC720 | 00101001011111111100011100100000
3 | 60D894BF | 01100000110110001001010010111111
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 06C4A5FF | 00000110110001001010010111111111
1 | 009F60D8 | 00000000100111110110000011011000
2 | F8E40027 | 11111000111001000000000000100111
3 | 1297FC72 | 00010010100101111111110001110010
4 | 7D836252 | 01111101100000110110001001010010
5 | 20013EC1 | 00100000000000010011111011000001
6 | 5FF1C800 | 01011111111100011100100000000000
7 | 36252FF8 | 00110110001001010010111111111000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 04FB06C4 | 00000100111110110000011011000100
1 | 8E40027D | 10001110010000000000001001111101
2 | 94BFE390 | 10010100101111111110001110010000
3 | B06C4A5F | 10110000011011000100101001011111
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 0009F60D | 00000000000010011111011000001101
1 | FF8E4002 | 11111111100011100100000000000010
2 | D894BFE3 | 11011000100101001011111111100011
3 | 27D83625 | 00100111110110000011011000100101
4 | 390009F6 | 00111001000000000000100111110110
5 | 52FF8E40 | 01010010111111111000111001000000
6 | 60D894BF | 01100000110110001001010010111111
7 | 004FB06C | 00000000010011111011000001101100
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | FC720013 | 11111100011100100000000000010011
1 | C4A5FF1C | 71000100101001011111111100011100
2 | 7D836252 | 01111101100000110110001001010010
3 | 90009F60 | 10010000000000001001111101100000
lf t55 detect does not work if a password is set up on the key.
And how do I record the communication between the intercom and the key?
lf sniff
If you set a password for the T5577, just remove it or pass it to the dump command (very carefully!!!!).
It's not a zip, it's a dump from data dump.
lol, I have the same doorphones, but everything works fine
How do you clone to the T5577?
Yes, I use a T5577. The sequence of my actions is:
lf em 410xread (read original tag)
lf em 410xwrite [id] 1 (write clone)
and set the password:
lf t55xx write b 7 d [password(8hex symbols)]
lf t55xx write b 0 d 00148050
To be honest, I did not check if the copy works without a password, but I write on a T5577. Maybe my intercom has other settings or is another model. Here is a photo of my panel: https://pp.userapi.com/c858120/v858120643/f433/1r9vLZUiV1s.jpg
I did exactly the same thing, but the intercom does not accept, the panel looks like the photo. domophone
proxmark3> lf t55 config
Chip Type : T55x7
Modulation : ASK
Bit Rate : 5 - RF/64
Inverted : No
Offset : 32
Seq. Term. : No
Block0 : 0x00148050
proxmark3> lf t55 dump 65857569 o
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Safety Check Overriden - proceeding despite risk
0 | 00148050 | 00000000000101001000000001010000
Safety Check Overriden - proceeding despite risk
1 | FF8E4002 | 11111111100011100100000000000010
Safety Check Overriden - proceeding despite risk
2 | 7D836252 | 01111101100000110110001001010010
Safety Check Overriden - proceeding despite risk
3 | FFFFFFFF | 11111111111111111111111111111111
Safety Check Overriden - proceeding despite risk
4 | FFFFFFFF | 11111111111111111111111111111111
Safety Check Overriden - proceeding despite risk
5 | FFFFFFFF | 11111111111111111111111111111111
Safety Check Overriden - proceeding despite risk
6 | FFFFFFFF | 11111111111111111111111111111111
Safety Check Overriden - proceeding despite risk
7 | B2C2BAB4 | 10110010110000101011101010110100
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
Safety Check Overriden - proceeding despite risk
0 | 00148050 | 00000000000101001000000001010000
Safety Check Overriden - proceeding despite risk
1 | E03900D0 | 11100000001110010000000011010000
Safety Check Overriden - proceeding despite risk
2 | B82D4773 | 10111000001011010100011101110011
Safety Check Overriden - proceeding despite risk
3 | 00A00003 | 00000000101000000000000000000011
maybe because of page 1, the intercom does not start up, because it sees another code?
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 7D836252 | 01111101100000110110001001010010
1 | 7D836252 | 01111101100000110110001001010010
2 | 7D836252 | 01111101100000110110001001010010
3 | 7D836252 | 01111101100000110110001001010010
4 | 7D836252 | 01111101100000110110001001010010
5 | 7D836252 | 01111101100000110110001001010010
6 | 7D836252 | 01111101100000110110001001010010
7 | 7D836252 | 01111101100000110110001001010010
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | B82D4773 | 10111000001011010100011101110011
1 | B82D4773 | 10111000001011010100011101110011
2 | B82D4773 | 10111000001011010100011101110011
3 | B82D4773 | 10111000001011010100011101110011
00148040 RF/64, Manchester. All is ok. I'll look tomorrow at lf snoop.
it looks like you did an lf em 410xwrite
Assuming the password is still set and is 65857569:
lf t55 write b 3 1 d 00000000 p 65857569
Is the ID : 19004FC3C9? It also may be sending out the page 1 data and not the page 0 data for some reason/condition, so let's set that to the same EM ID. (Hinted by the data in the dump without the password: when a password is set and you use a T5577 command without the password, it will send out the "default read" data, which in this case should be the EM data.) Again, assuming the password is still set:
lf t55 write b 1 1 d FF8E4002 p 65857569
lf t55 write b 2 1 d 7D836252 p 65857569
So three commands to run (and why). Then check the writes are ok with a new card dump:
lf t55 detect p 65857569
lf t55 dump p 65857569 o
If that looks ok (block 1 page 1 = block 1 page 0, and block 2 page 1 = block 2 page 0), check the ID is correct via lf search. Run this on the original AND the clone; the results should be 100% the same. If not, show both outputs.
Place the original on the pm3
lf search
Place the clone on the pm3
lf search
If all looks ok, then try on the reader.
In theory, now everything is correct and should work.
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 7D836252 | 01111101100000110110001001010010
1 | 7D836252 | 01111101100000110110001001010010
2 | 7D836252 | 01111101100000110110001001010010
3 | 7D836252 | 01111101100000110110001001010010
4 | 7D836252 | 01111101100000110110001001010010
5 | 7D836252 | 01111101100000110110001001010010
6 | 7D836252 | 01111101100000110110001001010010
7 | 7D836252 | 01111101100000110110001001010010
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 7D836252 | 01111101100000110110001001010010
1 | 7D836252 | 01111101100000110110001001010010
2 | 7D836252 | 01111101100000110110001001010010
3 | 7D836252 | 01111101100000110110001001010010
proxmark3> lf t55 dump 65857569 o
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Safety Check Overriden - proceeding despite risk
0 | 00148050 | 00000000000101001000000001010000
Safety Check Overriden - proceeding despite risk
1 | FF8E4002 | 11111111100011100100000000000010
Safety Check Overriden - proceeding despite risk
2 | 7D836252 | 01111101100000110110001001010010
Safety Check Overriden - proceeding despite risk
3 | FFFFFFFF | 11111111111111111111111111111111
Safety Check Overriden - proceeding despite risk
4 | FFFFFFFF | 11111111111111111111111111111111
Safety Check Overriden - proceeding despite risk
5 | FFFFFFFF | 11111111111111111111111111111111
Safety Check Overriden - proceeding despite risk
6 | FFFFFFFF | 11111111111111111111111111111111
Safety Check Overriden - proceeding despite risk
7 | B2C2BAB4 | 10110010110000101011101010110100
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
Safety Check Overriden - proceeding despite risk
0 | 00148050 | 00000000000101001000000001010000
Safety Check Overriden - proceeding despite risk
1 | FF8E4002 | 11111111100011100100000000000010
Safety Check Overriden - proceeding despite risk
2 | 7D836252 | 01111101100000110110001001010010
Safety Check Overriden - proceeding despite risk
3 | FFFFFFFF | 11111111111111111111111111111111
Could you give a link to the documentation about 1 sheet, I figured out the first sheet, there is a detailed analysis on the forum: t5577
or from the vendors site (who make the chip) as I already posted above. http://ww1.microchip.com/downloads/en/DeviceDoc/Atmel-9187-RFID-ATA5577C_Datasheet.pdf
And then you can add an article on the forum about 1 page?
That is, I should always duplicate 3 blocks to 1 page out of 0?
Before we start drawing conclusions about what should or should not be set, we need to confirm if the card works. In my opinion the changes I suggested should not make a difference to a standard read of an em4100 tag. I was trying to remove them as they MAY be an issue under some conditions which are unknown.
The config in block 0 page 0 is in block 0 page 1 and you can't change that (they will always match).
Block 1 and 2 of page 1 by default hold the chip traceability data from the vendor, normally used for quality control, i.e. a bad batch could be IDed by that data. But once in production you can store data there as needed. And I could see it was sending out data from that area in the dump without a password (when a password was needed).
The block 3 page 1 config is more for advanced needs, and should only be set when you know you need it. For block 3 page 1 config to be active the first 4 bits should be set to 0110 or 1001 (read the datasheet for why). Any other value should mean any data there is not used. I was more interested in WHY there was invalid data there.
I think you are confusing what the EM4100 tag is and what the T5577 is. They are two very different cards. The EM4100 tag is a read-only tag with a fixed ID that a system can use. The T5577 is a card that can emulate other codes (e.g. the EM4100). So to set it up you need to know what the original card needs. The proxmark3 coders have done this work for you for a stock EM4100 (in this example), but if there is something weird it may need tweaking.
I will write when I check the key, it is very strange that the usual em4100 cloning did not work with my intercom
It's not strange. Many intercoms check if you place a clone, and the way they check is very different.
Everything works fine, apparently there was a problem in the configuration of the first page. Why lf em 410x write does not clear the first page when cloning?
Because not all t5577 have it
Good to hear you got it working. Thanks merlokk, I would have said not all T55x7 have it, e.g. the T5567 looks to be just a page 0 chip.
Can I suggest that if it's working, then this be closed and questions about what it can and can't do be moved to the forum.
I think I need to check the lf t55 wipe function (I suspect that it doesn’t clear 1 page) and the em 410xwrite cloning function with the t5577 mode.
Need finalise option for t55xx chip. My intercom does not accept a clone, apparently checks the chip for overwriting.