Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Im trying to clone a keri card (I believe to be t55), info down below. I'm trying to go through block by block and write to the blank, and each line does well except the block 0. When I try to write the block 0 from the actual card onto the blank, it leaves the string of 1's below. I have tried writing over and over, as well as writing from block 3 and going backwards to block 0 as suggested in another forum - issue persists.
I'm brand new to the scene, so I'm truly sorry for my naivety but I'm trying to catch up as fast as I can and thought I was getting close to cloning this card. Also important to note that the blank card mod is ASK/Manchester while the actual card is PSK1, hence the config setup (that Im not entirely sure is doing anything since it still detects the blank as ASK right after I set it up as PSK1).
Do I have to maybe go through and try all the stock passwords from https://github.com/Proxmark/proxmark3/b … lt_pwd.dic? Any advice helps, thanks.
Also if it helps my card looks and is wired exactly like the one from http://www.proxmark.org/forum/viewtopic.php?id=5806 and the post itself seems like a similar situation, albeit somewhat unclear on what to add to block 0/why that's added.
Blank card info and writing attempt:
proxmark3> lf t55 detect
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 31
Seq. Term. : No
Block0 : 0x00088040
Downlink Mode used : default/fixed bit length
proxmark3> lf search u p
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 32 repeating samples
Using Clock:32, Invert:0, Bits Found:513
ASK/Manchester - Clock: 32 - Decoded bitstream:
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
0000000000000000
Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'
Valid T55xx Chip Found
Try lf t55xx ... commands
proxmark3> lf t55 config b 32 d PSK1 o 28
Chip Type : T55x7
Modulation : PSK1
Bit Rate : 2 - RF/32
Inverted : No
Offset : 28
Seq. Term. : No
Block0 : 0x00000000
proxmark3> lf t55 write b 0 d 6000F014
Writing page 0 block: 00 data: 0x6000F014
proxmark3> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 256 repeating samples
Using Clock:128, Invert:0, Bits Found:235
ASK/Manchester - Clock: 128 - Decoded bitstream:
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
1111111111111111
11111111111
Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'
proxmark3> lf t55 read b 0
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 68976897 | 01101000100101110110100010010111
Info on card to be cloned:
proxmark3> lf t55 detect
Chip Type : T5555(Q5)
Modulation : PSK1
Bit Rate : 2 - RF/32
Inverted : No
Offset : 57
Seq. Term. : No
Block0 : 0x6000F014
Downlink Mode used : default/fixed bit length
proxmark3> lf search u
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
No Known Tags Found!
Checking for Unknown tags:
Possible Auto Correlation of 2048 repeating samples
Using Clock:32, invert:0, Bits Found:938
PSK1 demoded bitstream:
0111110000000000
0000000000000000
0001011000010110
1010011001010111
0111110000000000
0000000000000000
0001011000010110
1010011001010111
0111110000000000
0000000000000000
0001011000010110
1010011001010111
0111110000000000
0000000000000000
0001011000010110
1010011001010111
0111110000000000
0000000000000000
0001011000010110
1010011001010111
0111110000000000
0000000000000000
0001011000010110
1010011001010111
0111110000000000
0000000000000000
0001011000010110
1010011001010111
0111110000000000
0000000000000000
0001011000010110
1010011001010111
Possible unknown PSK1 Modulated Tag Found above!
Could also be PSK2 - try 'data rawdemod p2'
Could also be PSK3 - [currently not supported]
Could also be NRZ - try 'data rawdemod nr'
Last edited by kevindacentom (2019-10-10 03:54:47)
Nevermind, solved
Sure, I ended up not using the demodulation setup: lf t55 config b 32 d PSK1 o 28 and just set the config block to 00081040 seen below. I noticed a bit of lag with the reader before denying me (it didnt work at first) so I rewrote some of the lines especially block1 and it worked.
:::::Blank card original info:::::
proxmark3> lf t55 detect
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 31
Seq. Term. : No
Block0 : 0x00088040
:::::Switch to PSK1:::::
proxmark3> lf t55 write b 0 d 00081040
Writing page 0 block: 00 data: 0x00081040
proxmark3> lf t55 detect
Chip Type : T55x7
Modulation : PSK1
Bit Rate : 2 - RF/32
Inverted : No
Offset : 57
Seq. Term. : No
Block0 : 0x00081040 <----- worked with no overflow
:::::Writing the blocks from the t5555 Q5 card of interest onto the blank with the 81040 config block:::::
Downlink Mode used : default/fixed bit length
proxmark3> lf t55 write b 1 d E0000000
Writing page 0 block: 01 data: 0xE0000000
proxmark3> lf t55 write b 2 d B0B532BB
Writing page 0 block: 02 data: 0xB0B532BB
proxmark3> lf t55 write b 3 d 00000000
Writing page 0 block: 03 data: 0x00000000
proxmark3> lf t55 write b 4 d 00000000
Writing page 0 block: 04 data: 0x00000000
proxmark3> lf t55 write b 5 d 00000000
Writing page 0 block: 05 data: 0x00000000
proxmark3> lf t55 write b 6 d 72103807
Writing page 0 block: 06 data: 0x72103807
proxmark3> lf t55 write b 7 d 00000000
Writing page 0 block: 07 data: 0x00000000
:::::checking to see block 0 integrity post write :::::
proxmark3> lf t55 detect
Chip Type : T55x7
Modulation : PSK1
Bit Rate : 2 - RF/32
Inverted : No
Offset : 57
Seq. Term. : No
Block0 : 0x00081040
Downlink Mode used : default/fixed bit length
:::::checking all blocks of newly written clone, they all check out:::::
proxmark3> lf t55 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00081040 | 00000000000010000001000001000000
1 | E0000000 | 11100000000000000000000000000000
2 | B0B532BB | 10110000101101010011001010111011
3 | 00000000 | 00000000000000000000000000000000
4 | 00000000 | 00000000000000000000000000000000
5 | 00000000 | 00000000000000000000000000000000
6 | 72103807 | 01110010000100000011100000000111
7 | 00000000 | 00000000000000000000000000000000
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 00081040 | 00000000000010000001000001000000
1 | E0150603 | 11100000000101010000011000000011
2 | 2A47B363 | 00101010010001111011001101100011
3 | 00A00003 | 00000000101000000000000000000011
Needs a little bit of listening and rewriting to get the clone to work but it really only took one extra try.
My wave form if youre interested: https://imgur.com/IT7998T
Last edited by kevindacentom (2019-10-10 04:39:00)
Yep, well done.
For reference:
lf t55 config b 32 d PSK1 o 28
This will set the config of the proxmark3 software to help it decode the data from the chip/card, and does not set the config of the card/chip itself. This is normally set/loaded off the card via the lf t55 detect command.
As you found writing the correct config block to the the card (for the card in use) was the fix, when done, the lf t55 detect showed the correct settings/values.
One the little take away is that while many cards can emulate different "cards", the config for each can vary (e.g. the T5555 config is different to that of the T55x7).
Makes sense, is there any go-to spreadsheet with possible configs to try writing? For future reference
Last edited by kevindacentom (2019-10-10 04:46:04)
I am a big fan of looking for and reading the data sheets (google is your friend)
In your case the chip data sheets would have all the information you needed to convert between the T5555 and T55x7.
i.e. decode the original based on the T5555 datasheet, then re-enocde based on the T55x7 and you would get the answer.
If you can learn to do that, you will be able to work it out for any other chip where they have published data sheets.
e.g.
your 5555 config block : 6000F014
convert to binary : 0110 0000 0000 0000 1111 0000 0001 0100
decode based on the datasheet for the 5555 (q5)
011000000000 - Fixed Data
0 - Page Select
0 - Fast write
001111 - data bit rate RF/(2n+2), n = 15, so RF/32
0 - No AOR
0 - Dont use password
00 - PSK Freq. RF/2
0 - Not inverted
001 - Modulation PSK1
010 - Max block : 2
0 - no ST
then for a t55x7
0000 - No master key
0000000 - Fixed
010 - RF/32
0 - Not extend config
00001 - PSK1
00 - RF/2
0 - No AOR
0 - Fixed
010 - Max block 2
0 - no password
0 - no ST
00 - fixed
0 - no init delay
Binary : 00000000000010000001000001000000
Convert back to Hex : 00081040
While reading the datasheets can be a bit of an art form, it is well worth the time. If you need help understanding things, you can post here and people will try to help.
Note: What you should see the the lf t55xx detect would do most of the decode work for you
Last edited by mwalker (2019-10-10 05:27:34)