RfidResearchGroup / proxmark3

Iceman Fork - Proxmark3
http://www.icedev.se
GNU General Public License v3.0

Can't detect T5577 tag #2097

Closed Ultimator14 closed 10 months ago

Ultimator14 commented 10 months ago

Describe the bug

I recently bought a bunch of T5577 tags.

I was trying to read the tags but they were not detected.

[usb] pm3 --> lf t55xx detect
[!] ⚠️  Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t55xx wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0 
[=] Writing page 0  block: 01  data: 0x00000000 
[=] Writing page 0  block: 02  data: 0x00000000 
[=] Writing page 0  block: 03  data: 0x00000000 
[=] Writing page 0  block: 04  data: 0x00000000 
[=] Writing page 0  block: 05  data: 0x00000000 
[=] Writing page 0  block: 06  data: 0x00000000 
[=] Writing page 0  block: 07  data: 0x00000000 
[usb] pm3 --> lf t55xx detect
[!] ⚠️  Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf t55xx info
[usb] pm3 --> lf t55xx config
[=] --- current t55xx config --------------------------
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 0 - RF/8
[=]  Inverted.......... No
[=]  Offset............ 0
[=]  Seq. terminator... No
[=]  Block0............ 00000000 (n/a)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

I cloned an em410x tag on the chip using flipper zero (ID 0x123456789). Afterwards the t55xx was still not detected, but I was able to read the tag using lf em 410x reader and lf search.

[usb] pm3 --> lf t55xx detect
[!] ⚠️  Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf em 410x reader
[+] EM 410x ID 0123456789
[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=] 
[=] Checking for known tags...
[=] 
[!] ⚠️  Specify one authentication mode
[+] EM 410x ID 0123456789
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 80C4A2E691
[=] HoneyWell IdentKey
[+]     DEZ 8          : 04548489
[+]     DEZ 10         : 0591751049
[+]     DEZ 5.5        : 09029.26505
[+]     DEZ 3.5A       : 001.26505
[+]     DEZ 3.5B       : 035.26505
[+]     DEZ 3.5C       : 069.26505
[+]     DEZ 14/IK2     : 00004886718345
[+]     DEZ 15/IK3     : 000553054824081
[+]     DEZ 20/ZK      : 08001204100214060901
[=] 
[+] Other              : 26505_069_04548489
[+] Pattern Paxton     : 22652297 [0x159A589]
[+] Pattern 1          : 8623751 [0x839687]
[+] Pattern Sebury     : 26505 69 4548489  [0x6789 0x45 0x456789]
[+] VD / ID            : 001 / 0591751049
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn't identify a chipset

To Reproduce

  1. Put tag on proxmark
  2. Run lf t55xx detect
  3. Tag is not detected
  4. Write em410x data to tag using any other tool
  5. Run lf em 410x reader
  6. em410x tag is detected
  7. Run lf t55xx detect again
  8. Tag is still not detected as T5577

Expected behavior

Tag should be detected as t55xx using lf t55xx detect or lf t55xx info.

Desktop (please complete the following information)

OS: Gentoo Linux

hw version

```
[ Proxmark3 RFID instrument ]

 [ CLIENT ]
  Iceman/HEAD/v4.16717-385-gb156f4a5c-suspect 2023-08-28 12:38:58 67e55921e
  compiled with............. GCC 13.2.0
  platform.................. Linux / x86_64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... absent
  Python script support..... absent
  Lua SWIG support.......... present
  Python SWIG support....... absent

 [ PROXMARK3 ]
  device.................... RDV4
  firmware.................. RDV4
  external flash............ present
  smartcard reader.......... present
  FPC USART for BT add-on... present

 [ ARM ]
  bootrom: Iceman/HEAD/v4.16717-385-gb156f4a5c-suspect 2023-08-28 12:39:09 67e55921e
       os: Iceman/HEAD/v4.16717-385-gb156f4a5c-suspect 2023-08-28 12:39:15 67e55921e
  compiled with GCC 12.2.1 20221205

 [ FPGA ]
  fpga_pm3_lf.ncd image 2s30vq100 2023-08-28 11:48:08
  fpga_pm3_hf.ncd image 2s30vq100 2023-08-28 11:48:19
  fpga_pm3_felica.ncd image 2s30vq100 2023-08-28 11:48:40
  fpga_pm3_hf_15.ncd image 2s30vq100 2023-08-28 11:48:29

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 68% used )
```

hw status

```
[#] Memory
[#]   BigBuf_size............. 38128
[#]   Available memory........ 38128
[#] Tracing
[#]   tracing ................ 1
[#]   traceLen ............... 0
[#] Current FPGA image
[#]   mode.................... fpga_pm3_lf.ncd image 2s30vq100 2023-08-28 11:48:08
[#] Flash memory
[#]   Baudrate................ 24 MHz
[#]   Init.................... OK
[#]   Memory size............. 2 mbits / 256 kb
[#]   Unique ID (be).......... 0x26C740A782A867D5
[#] Smart card module (ISO 7816)
[#]   version................. v4.13
[#] LF Sampling config
[#]   [q] divisor............. 95 ( 125.00 kHz )
[#]   [b] bits per sample..... 8
[#]   [d] decimation.......... 1
[#]   [a] averaging........... yes
[#]   [t] trigger threshold... 0
[#]   [s] samples to skip..... 0
[#]
[#] LF T55XX config
[#]            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]
[#]            mode            |start|write|write|write| read|write|write
[#]                            | gap | gap |  0  |  1  | gap |  2  |  3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) |  29 |  17 |  15 |  47 |  15 | N/A | N/A |
[#] long leading reference     |  29 |  17 |  18 |  50 |  15 | N/A | N/A |
[#] leading zero               |  29 |  17 |  18 |  40 |  15 | N/A | N/A |
[#] 1 of 4 coding reference    |  29 |  17 |  15 |  31 |  15 |  47 |  63 |
[#]
[#] HF 14a config
[#]   [a] Anticol override.... std ( follow standard )
[#]   [b] BCC override........ std ( follow standard )
[#]   [2] CL2 override........ std ( follow standard )
[#]   [3] CL3 override........ std ( follow standard )
[#]   [r] RATS override....... std ( follow standard )
[#] Transfer Speed
[#]   Sending packets to client...
[#]   Time elapsed................... 500ms
[#]   Bytes transferred.............. 277504
[#]   Transfer Speed PM3 -> Client... 555008 bytes/s
[#] Various
[#]   Max stack usage......... 4088 / 8480 bytes
[#]   Debug log level......... 1 ( error )
[#]   ToSendMax............... -1
[#]   ToSend BUFFERSIZE....... 2308
[#]   Slow clock.............. 32421 Hz
[#] Installed StandAlone Mode
[#]   HF - Reading Visa cards & Emulating a Visa MSD Transaction(ISO14443) - (Salvador Mendoza)
[#] Flash memory dictionary loaded
[#]   Mifare.................. 1625 / 2047 keys
[#]   T55x7................... 123 / 1023 keys
[#]   iClass.................. 28 / 511 keys
```

data tune

```
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait... 🕛 9
[=] ---------- LF Antenna ----------
[+] LF antenna: 68,25 V - 125,00 kHz
[+] LF antenna: 33,70 V - 134,83 kHz
[+] LF optimal: 68,25 V - 125,00 kHz
[+] Approx. Q factor (*): 11,5 by frequency bandwidth measurement
[+] Approx. Q factor (*): 11,9 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 48,80 V - 13.56 MHz
[+] Approx. Q factor (*): 8,5 by peak voltage measurement
[+] HF antenna is OK
(*) Q factor must be measured without tag on the antenna
[+] Displaying LF tuning graph. Divisor 88 (blue) is 134,83 kHz, 95 (red) is 125,00 kHz.
```

Additional context

I also tried playing around with lf t55xx config and got the info command to work with various options. However depending on the option, different data was returned. I wrote a script for testing that brute forces all modulation and rate options but there was no configuration that successfully wrote and read the data.

Script and output

Script

```lua
#!/usr/bin/env -S pm3 -l
-- Brute-force the T55xx client configuration: for every modulation/rate pair,
-- apply the config, write a known value to block 1 and read block 1 back.
-- Runs inside the proxmark3 client, which provides the global `core` table.

local test_cmd = "lf t55xx config --%s --rate %s"

local rates = { 8, 16, 32, 40, 50, 64, 100, 128 }
local modulations = { "FSK", "FSK1", "FSK1A", "FSK2", "FSK2A", "ASK", "PSK1", "PSK2", "PSK3", "NRZ", "BI", "BIA" }

-- Apply one config, write the test pattern and read it back.
-- Returns the hex string read from block 1, or "" when the read failed.
local function test(modulation, rate)
    local config = test_cmd:format(modulation, rate)
    print(config)
    core.console(config)
    core.console("lf t55xx write -b 1 -d 11223344")

    -- arguments: blockno, page1, override, pwd; msg carries the error text on failure
    local data, msg = core.t55xx_readblock(1, '0', '0', '')
    if data then
        return string.format("%x", data)
    end
    return ""
end

local function main()
    print(string.rep('--', 20))
    local results = {}

    for _, mod in ipairs(modulations) do
        for _, rate in ipairs(rates) do
            core.clearCommandBuffer()
            local response = test(mod, rate)
            core.clearCommandBuffer()
            if response ~= "" then
                table.insert(results, { mod = mod, rate = rate, data = response })
                print(response)
            end
        end
    end

    print(string.rep('--', 30))
    print("Result:")
    print()
    for _, r in ipairs(results) do
        print(string.format("%s, %s: %s", r.mod, r.rate, r.data))
    end
end

main()
```

Output (modulation, rate, data of block 0 if any), correct output should be `11223344`

```
FSK, 8: 0
FSK, 16: 0
FSK, 32: 0
FSK, 40: 0
FSK, 50: 0
FSK, 64: 0
FSK, 100: 0
FSK, 128: 0
ASK, 50: 59c1cde8
ASK, 64: 59c1cde8
ASK, 100: 0
ASK, 128: 0
NRZ, 8: 1fe01fe
NRZ, 16: f0f30cf
NRZ, 32: 334b52ab
NRZ, 40: 55555555
NRZ, 50: 55555555
NRZ, 64: 55555555
BI, 50: aded4e3
BI, 64: aded4e3
BI, 100: ffffffff
BI, 128: ffffffff
BIA, 50: f5212b1c
BIA, 64: f5212b1c
BIA, 100: 0
BIA, 128: 0
```

Similar (non-matching) results when using `--r2,3,4` or `--st`. Some readings were not consistent when executing the command twice.

I think the writing didn't do anything because I was still able to read the em tag id using lf em 410x reader afterwards.
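The `lf search` output in the report above demodulates the tag as EM410x (RF/64) and prints the client's descramble patterns for the raw ID. The following is an added Python example, not code from the proxmark3 project or from the issue reporter: it builds and parity-checks the 64-bit EM4100 frame (9 header ones, 10 nibbles each followed by an even row-parity bit, 4 even column-parity bits, a 0 stop bit) and re-derives the patterns printed above from ID 0123456789. The pattern formulas are inferred from the printed values and checked against them; "Pattern Paxton" and "Pattern 1" are left out because their formulas cannot be confirmed from the output shown.

```python
"""EM410x (EM4100) frame encode/decode plus pm3-style descramble patterns.

Added worked example; not code from the proxmark3 project or the issue
reporter. Frame layout is the standard EM4100 one; the pattern formulas are
inferred from the `lf search` output in the issue (ID 0123456789).
"""
from __future__ import annotations


def em410x_encode(tag_id: int) -> list[int]:
    """Return the 64 bits a tag holding the 40-bit ID `tag_id` transmits."""
    if not 0 <= tag_id < (1 << 40):
        raise ValueError("EM410x ID must fit in 40 bits")
    nibbles = [(tag_id >> (4 * i)) & 0xF for i in range(9, -1, -1)]  # MSB first
    bits = [1] * 9                                                    # header
    cols = [0, 0, 0, 0]
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) % 2]                                  # even row parity
        cols = [c ^ b for c, b in zip(cols, row)]
    bits += cols + [0]                                                # column parity, stop bit
    assert len(bits) == 64
    return bits


def em410x_decode(bits: list[int]) -> int | None:
    """Decode a 64-bit frame; return the 40-bit ID, or None on a format/parity error."""
    if len(bits) != 64 or bits[:9] != [1] * 9 or bits[63] != 0:
        return None
    tag_id = 0
    cols = [0, 0, 0, 0]
    for r in range(10):
        start = 9 + 5 * r
        row = bits[start:start + 4]
        if sum(row) % 2 != bits[start + 4]:
            return None                                               # row parity failed
        cols = [c ^ b for c, b in zip(cols, row)]
        tag_id = (tag_id << 4) | (row[0] << 3 | row[1] << 2 | row[2] << 1 | row[3])
    if cols != bits[59:63]:
        return None                                                   # column parity failed
    return tag_id


def decode_with_bit_flip(tag_id: int, bit_index: int) -> int | None:
    """Encode `tag_id`, flip one bit, decode again: exercises the parity checks."""
    bits = em410x_encode(tag_id)
    bits[bit_index] ^= 1
    return em410x_decode(bits)


def reverse_byte_bits(b: int) -> int:
    return int(f"{b:08b}"[::-1], 2)


def descramble(tag_id: int) -> dict[str, str]:
    """Re-derive the pm3 `lf search` descramble patterns (formulas inferred from the output)."""
    b = [(tag_id >> (8 * i)) & 0xFF for i in range(4, -1, -1)]       # b[0] is the MSB byte
    rid = int.from_bytes(bytes(reverse_byte_bits(x) for x in b), "big")  # bits reversed per byte
    low16, low24, low32 = tag_id & 0xFFFF, tag_id & 0xFFFFFF, tag_id & 0xFFFFFFFF
    return {
        "Unique TAG ID": f"{rid:010X}",
        "DEZ 8": f"{low24:08d}",
        "DEZ 10": f"{low32:010d}",
        "DEZ 5.5": f"{(tag_id >> 16) & 0xFFFF:05d}.{low16:05d}",
        "DEZ 3.5A": f"{b[0]:03d}.{low16:05d}",
        "DEZ 3.5B": f"{b[1]:03d}.{low16:05d}",
        "DEZ 3.5C": f"{b[2]:03d}.{low16:05d}",
        "DEZ 14/IK2": f"{tag_id:014d}",
        "DEZ 15/IK3": f"{rid:015d}",
        "DEZ 20/ZK": "".join(f"{(rid >> (4 * i)) & 0xF:02d}" for i in range(9, -1, -1)),
        "Other": f"{low16}_{b[2]:03d}_{low24:08d}",
        "Pattern Sebury": f"{low16} {b[2]} {low24} [0x{low16:X} 0x{b[2]:X} 0x{low24:X}]",
        "VD / ID": f"{b[0]:03d} / {low32:010d}",
    }


if __name__ == "__main__":
    tag = 0x0123456789                                                # the ID from the issue
    frame = em410x_encode(tag)
    print("frame:", "".join(map(str, frame)))
    print("round trip ok:", em410x_decode(frame) == tag)
    for name, value in descramble(tag).items():
        print(f"{name:14s}: {value}")
```

The round trip is what `lf em 410x reader` does after demodulation: header sync, per-row and per-column even parity, stop bit. A single flipped data or parity bit makes the decoder return None instead of a plausible-looking ID, which is why a healthy antenna matters for reads as well as writes.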

iceman1001 commented 10 months ago

I don't believe there is anything wrong with the source code.

I suggest you head over to the discord server and ask there. In the end there is no guarantee you got real T5577 cards; they can be simple EM4100 or others.

iceman1001 commented 10 months ago

Since you are on an RDV4, make sure the Q switch on your antenna is set to 7 and the freq to 125.

Ultimator14 commented 10 months ago

> I don't believe there is anything wrong with the source code.
>
> I suggest you head over to the discord server and ask there. In the end there is no guarantee you got real T5577 cards; they can be simple EM4100 or others.

Thanks, I'll do that.

> Since you are on an RDV4, make sure the Q switch on your antenna is set to 7 and the freq to 125.

I'm on an RDV4.0 with the old antenna that doesn't have the switches.

iceman1001 commented 10 months ago

Then you will have some issues writing to your t5577 tag.

iceman1001 commented 10 months ago

Since I am sure this is not an issue with the source code, I will close this issue.

OP will take the discussion in the discord server.

Ultimator14 commented 10 months ago

I just wanted to report back here in case someone else has the same problem. It was indeed the antenna. I bought the RDV4.01 replacement antenna and flipped the switches accordingly.

hw tune now reports

[+] Approx. Q factor (*): 5,3 by frequency bandwidth measurement
[+] Approx. Q factor (*): 6,1 by peak voltage measurement

Previously that was

[+] Approx. Q factor (*): 11,5 by frequency bandwidth measurement
[+] Approx. Q factor (*): 11,9 by peak voltage measurement

The detect command and also all other commands now work flawlessly.

iceman1001 commented 10 months ago

Glad you found a solution!