Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
I need some help with the data that i need to program T5557 with.
I have the below, can anyone assist
proxmark3> data fskawiddemod
AWID Found - BitLength: 50 -unknown BitLength- (24432) - Wiegand: 1f400016bee1, Raw: 0128817e4111114dbebd1811
Best regards,
Hi,
Trying to program a t5577 key fob to a HID prox with lf hid clone 2006bxxxxx. I previously successfully done indalaclone on the same t5577 key fob.Now after doing a lf hid clone, the lf hid fskdemod is not working on the t5577. When doing a lf search I get Indala UID=0000000000000000000000000000000000000000000000000000000010001001 (000000089). I also do not seem to be able to do lf indalaclone again on the same key fob. What is going on here?
#db# bootrom: master/v2.0.0-133-g9f9b6b7-suspect 2015-06-19 05:14:06
#db# os: master/v2.0.0-133-g9f9b6b7-suspect 2015-06-19 05:14:07
#db# LF FPGA image built on 2015/03/06 at 07:38:04
proxmark3> lf t55xx dump
[0] 0xF0000000 11110000000000000000000000000000
[1] 0xF0000000 11110000000000000000000000000000
[2] 0xF0000000 11110000000000000000000000000000
[3] 0xF0000000 11110000000000000000000000000000
[4] 0xFFFFFFFF 11111111111111111111111111111111
[5] 0xF0000000 11110000000000000000000000000000
[6] 0xF0000000 11110000000000000000000000000000
[7] 0xF0000000 11110000000000000000000000000000
Last edited by meccan (2015-06-22 02:11:18)
try the code changes that are pending:
https://github.com/marshmellow42/proxma … 7b9e5e25c4
Thx for the feedback, I'll see if we can get that code in the next release.
looks to me like a copy paste of their HID write up and forgot to edit that section. while cloning a mifare uid is possible with uid changeable cards it IS NOT with a t5557 chip.
That article deals with Mifare tags, not t55x7, the only reference to t55x7 is this line:
T5557 cards can potentially clone hardcoded UID
So no, Pentura didn't say it could be done, that is a mixup.
Hi, I am trying a way to add this feature on PM3. This converts SC and CN into Hex number for HID 26(tested), 34 (tested) and 37 standard (not test). Can someone help to test it please.
All credits to the original author(s)
Last edited by Go_tus (2016-01-07 12:57:13)
if you need to compile my fork on linux, use the extra parameter:
make clean && make all UBUNTU_1404_QT4=1
And as @marshmellow says here: http://www.proxmark.org/forum/viewtopic … 824#p18824
Last edited by iceman (2016-02-09 08:16:20)
if you need to compile my fork on linux, use the extra parameter:
make clean && make all UBUNTU_1404_QT4=1
And as @marshmellow says here: http://www.proxmark.org/forum/viewtopic … 824#p18824
Thank you.
I got the 'calculator' from the hex ID to raw ID working too.
What is strange is that when using the viking clone command, the tag does not work ( the proxmark won't recognise it)
When I write it manually, it works..
I'll have to dig around in marshmellow's code to see why..
"lf viking clone" takes your printed id,
adds a 0xF2 in the beginning,
adds a checksum in the end,
and sends it to device side, where it write to a t55x7 (or q5) configblock and block1, 2...
quite simple.
Question is if you were using a raw id from another lf read or you used the printed id...
"lf viking clone" takes your printed id,
adds a 0xF2 in the beginning,
adds a checksum in the end,
and sends it to device side, where it write to a t55x7 (or q5) configblock and block1, 2...quite simple.
Question is if you were using a raw id from another lf read or you used the printed id...
I was using the printed ID - which is why I found it weird that it wouldn't work.
might be better in a new thread or in the viking thread.
i'm not aware of any bugs there, but i didn't make the original clone routine.
not sure where it came from but the bug is the mask of line 77 applied to rawID. should be 0xFFFFFFFF not 0xFFFF.
C15001 Keyscan HID 36bits
thanks @mnelson for the sample. Without it we wouldn't know.
RAW 3708b43459
preamble 0x3 = bin 11
a) OEM 900 10bits
f) FC 90 8bits
c) CN 6700 16bits
e) even parity bits
o) odd parity bits
E O
P aaaaaaaaaa ffffffff cccc cccc cccc cccc P
11 0 1110000100 01011010 0001 1010 0010 1100 1
eeeeeeeeee eeeeeeeo oooo oooo oooo oooo
I know how to write em ids to t55xx tags with the 'lf em4x em410xwrite xxxxxxx 1'. But how would I do this 1 block at a time with the 'lf t55xx writeblock' commands? I want to understand this format at a lower level.
Does anyone have an example of writing a em format to t55xx tag with block commands?
You need to understand T55XX datasheet and you will need to understand the EM410xx datasheet, if you want to learn the protocol and how to program a t55xx tag.
Another source of information is to read the code, but that is a longer way of to understanding.
Thanks Iceman. So I understand the em format parities and I end up with a 64 bit binary string. I convert that to a manchester string now its 128 bits long. That is 4 blocks on a t55xx.
The 'EM4102 1.pm3 Walkthrough' on the wiki says em format is ASK encoded underneath the manchester encoding. Does the t55xx config string for manchester take care of the ASK encoding?
Here is what I have so far for the config block:
0x00148080
64 bit
manchester
4 blocks
With the t55xx Manchester stands for ask/Manchester so the Manchester encoding is done by the chip config, no need to have it part of the binary.
Last edited by marshmellow (2016-07-04 02:24:24)
You can also write one tag using the em command then read back with the t55xx commands (after t55xx detect) to see what it programmed on blocks 1 and 2 for the em Id.
Have you looked at the files section on the proxmark site?!? Start there.
there is a excel sheet for t55xx configuration, so you can easily see which configuration you're entered.
the tag will take care of ask,fsk,psk modulation, the rest is up to you in the data blocks.
Is this file still up at http://www.proxmark.org/files?
I can't find it for the life of me