Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

  • Logged in as ikarus
  • Last visit: Today 11:22:42

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2020-01-25 01:12:42

Compgeek
Contributor
Registered: 2020-01-24
Posts: 7

t55xx detect commands not working for me - Chinese PM3 Easy

Hi guys,

Hoping someone can point me in the right direction on this one, I tried googling and searching the forums and didn't have any luck finding an answer.

I've just purchased a Chinese clone of a PM3 Easy, I've flashed the latest RRG/Iceman fork, and I'm having trouble working with T55xx cards.

Wipe commands complete successfully, and the various clone commands work (I've written and read EM410x and HID data, which is detected properly with lf search and on separate reader hardware) but I can't get 'lf t55xx detect' to work - I've tried 3 different tags from different suppliers, in various stages of config (After wipe, with EM data, with HID data) and always get the below result.

[usb] pm3 --> lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

I'm suspecting I may have just gotten a bad antenna that isn't coupling well, but I'd love if anyone had suggestions of things to try! These are full ISO size cards sitting directly on top of the antenna, but being a clone I could have got the dud.


hw info

 [ Proxmark3 RFID instrument ]           

 [ CLIENT ]           
  client: RRG/Iceman          
  compiled with Clang/LLVM 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.10.44.4) OS:OSX ARCH:x86_64          

 [ PROXMARK3 ]           
          
 [ ARM ]
  bootrom: RRG/Iceman/master/688fb782 2020-01-24 20:59:28
       os: RRG/Iceman/master/688fb782 2020-01-24 20:59:42
  compiled with GCC 5.4.1 20160919 (release) [ARM/embedded-5-branch revision 240496]

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-01-12 at 15:31: 2
  HF image built for 2s30vq100 on 2020-01-12 at 15:31:16          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 254528 bytes (49%) Free: 269760 bytes (51%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory          

hw status

#db# Memory           
#db#   BIGBUF_SIZE.............40000          
#db#   Available memory........28000          
#db# Tracing           
#db#   tracing ................1          
#db#   traceLen ...............10          
#db# Currently loaded FPGA image           
#db#   mode.................... LF image built for 2s30vq100 on 2020-01-12 at 15:31: 2          
#db# LF Sampling config           
#db#   [q] divisor.............95 ( 125.00 kHz )          
#db#   [b] bits per sample.....8          
#db#   [d] decimation..........1          
#db#   [a] averaging...........No          
#db#   [t] trigger threshold...0          
#db#   [s] samples to skip.....0           
#db# LF T55XX config           
#db#            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]          
#db#            mode            |start|write|write|write| read|write|write          
#db#                            | gap | gap |  0  |  1  | gap |  2  |  3          
#db# ---------------------------+-----+-----+-----+-----+-----+-----+------          
#db# fixed bit length (default) |  29 |  17 |  15 |  47 |  15 | N/A | N/A |           
#db#     long leading reference |  29 |  17 |  15 |  47 |  15 | N/A | N/A |           
#db#               leading zero |  29 |  17 |  15 |  40 |  15 | N/A | N/A |           
#db#    1 of 4 coding reference |  29 |  17 |  15 |  31 |  15 |  47 |  63 |           
#db#           
#db# Transfer Speed           
#db#   Sending packets to client...          
#db#   Time elapsed............500ms          
#db#   Bytes transferred.......354816          
#db#   Transfer Speed PM3 -> Client = 709632 bytes/s          
#db# Various           
#db#   DBGLEVEL................1          
#db#   ToSendMax...............-1          
#db#   ToSendBit...............0          
#db#   ToSend BUFFERSIZE.......2308          
#db#   Slow clock..............32080 Hz          
#db# Installed StandAlone Mode           
#db#   LF HID26 standalone - aka SamyRun (Samy Kamkar)   

hw tune

[=] Measuring antenna characteristics, please wait...
          
[=] You can cancel this operation by pressing the pm3 button          
..
          
[+] LF antenna: 45.89 V - 125.00 kHz          
[+] LF antenna: 45.46 V - 134.83 kHz          
[+] LF optimal: 56.65 V - 130.43 kHz          
[+] LF antenna is OK  
          
[+] HF antenna: 33.48 V - 13.56 MHz          
[+] HF antenna is OK           
          
[+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.

Thanks for your time!
Compgeek

Offline

#2 2020-01-25 10:41:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: t55xx detect commands not working for me - Chinese PM3 Easy

hm, your LF timing settings is the ones for RDV4...  Normally they should automatically detect that and select another setting.

https://github.com/RfidResearchGroup/pr … ops.c#L149

Are you sure you compile the repo for PM3OTHER?

Offline

#3 2020-01-25 11:12:47

Compgeek
Contributor
Registered: 2020-01-24
Posts: 7

Re: t55xx detect commands not working for me - Chinese PM3 Easy

iceman wrote:

hm, your LF timing settings is the ones for RDV4...

Oops, that's my bad! I tried resetting my timings to default using lf t55xx deviceconfig z p - just incase I had messed them up at some point.
I've now restored manually to the PM3OTHER timings

#db# LF T55XX config           
#db#            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]          
#db#            mode            |start|write|write|write| read|write|write          
#db#                            | gap | gap |  0  |  1  | gap |  2  |  3          
#db# ---------------------------+-----+-----+-----+-----+-----+-----+------          
#db# fixed bit length (default) |  31 |  20 |  18 |  50 |  15 | N/A | N/A |           
#db#     long leading reference |  31 |  20 |  18 |  50 |  15 | N/A | N/A |           
#db#               leading zero |  31 |  20 |  18 |  50 |  15 | N/A | N/A |           
#db#    1 of 4 coding reference |  31 |  20 |  18 |  50 |  15 |  50 |  66 |
iceman wrote:

Are you sure you compile the repo for PM3OTHER?

Compiling on Mac OS using Homebrew, I definitely ran

export HOMEBREW_PROXMARK3_PLATFORM=PM3OTHER

where it is listed as 'optional' on the Github installation instructions.


After resetting the timings, I tried to tune and detect again, still no luck. I've been told that detect and trace commands require better coupling than just lf search or a clone command - did I possibly just get the short straw on my antenna?

Offline

#4 2020-01-25 11:20:44

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: t55xx detect commands not working for me - Chinese PM3 Easy

I doubt that,  45v looks good.   Try some different positions / distance between tag and antenna.

Offline

#5 2020-01-25 11:30:35

Compgeek
Contributor
Registered: 2020-01-24
Posts: 7

Re: t55xx detect commands not working for me - Chinese PM3 Easy

iceman wrote:

Try some different positions / distance between tag and antenna.

Still no joy, tried 2 different cards and a fob, all distances ranging from right on the antenna to about 15cm above, in all sorts of orientations and positions over the antenna, in blank, EM and HID modes.

Offline

#6 2020-01-25 12:13:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: t55xx detect commands not working for me - Chinese PM3 Easy

Yr device can't read 15cm.  Keep it 1-2cm to the antenna.
How does the signal look like?

lf read
data plot

Offline

#7 2020-01-25 12:14:46

art445
Contributor
Registered: 2020-01-02
Posts: 11

Re: t55xx detect commands not working for me - Chinese PM3 Easy

You probably don’t take into account the wind direction on the street;)  This is a joke. I have 3 different devices and 2 different Chinese T55xx cards. There is no logic in the work - all through the ass.  In my Chinese, PM3 essentially differs from RDV4 only in the extension of the I / O system. Mac, Linux or Windows - this refers to the client side, and not to the device.

Offline

#8 2020-01-25 12:50:14

Compgeek
Contributor
Registered: 2020-01-24
Posts: 7

Re: t55xx detect commands not working for me - Chinese PM3 Easy

iceman wrote:

How does the signal look like?

W3WnhzO.jpg
kIl3SVI.jpg

art445 wrote:

You probably don’t take into account the wind direction on the street;)

Fair enough mate, i've made the mistake before of not giving enough detail when explaining a problem so just wanted to dot my m's and cross my v's wink

Offline

#9 2020-01-25 13:39:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: t55xx detect commands not working for me - Chinese PM3 Easy

That looks like strong lf signals.
It might not be a t55x7 card, hence the detect fails..  Since it looks like a ASK modulation.
Just run  lf search

or save a sample set and share.  replace xxx in filename with printed cardnumbers if any

lf read
data save f lf_unk_xxxxx.pm3

Offline

#10 2020-01-25 14:39:20

Compgeek
Contributor
Registered: 2020-01-24
Posts: 7

Re: t55xx detect commands not working for me - Chinese PM3 Easy

The printing on this card just says T5577, and it responds to the clone and wipe commands as expected so I didn't have a reason to doubt it, lf search below and a link to the save

[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary          
[=] if it finds something that looks like a tag          
[=] False Positives ARE possible          
[=]           
[=] Checking for known tags...          
[=]           
#db# Starting Hitag reader family          
#db# Configured for hitag2 reader          
#db# Detected incorrect header, the bit [1] is zero instead of one, abort          
#db# TX/RX frames recorded: 1          
[+] EM410x pattern found          

EM TAG ID      : BDBDBDBDBD           

Possible de-scramble patterns
          
Unique TAG ID  : BDBDBDBDBD          
HoneyWell IdentKey {          
DEZ 8          : 12434877          
DEZ 10         : 3183328701          
DEZ 5.5        : 48573.48573          
DEZ 3.5A       : 189.48573          
DEZ 3.5B       : 189.48573          
DEZ 3.5C       : 189.48573          
DEZ 14/IK2     : 00814932147645          
DEZ 15/IK3     : 000814932147645          
DEZ 20/ZK      : 11131113111311131113          
}
Other          : 48573_189_12434877          
Pattern Paxton : 3184655293 [0xBDD1FBBD]          
Pattern 1      : 7831135 [0x777E5F]          
Pattern Sebury : 48573 61 4046269  [0xBDBD 0x3D 0x3DBDBD]          
          
[+] Valid EM410x ID found!

Saved Data on Pastebin

Offline

#11 2020-01-25 14:56:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,468
Website

Re: t55xx detect commands not working for me - Chinese PM3 Easy

And there is nothing wrong with your easy clone nor the card, nor the software.

Search this forum for more info about t55xx problematics. The user @mrwalker  has written some well worded posts about it.

Offline

#12 2020-01-26 12:16:12

Compgeek
Contributor
Registered: 2020-01-24
Posts: 7

Re: t55xx detect commands not working for me - Chinese PM3 Easy

iceman wrote:

And there is nothing wrong with your easy clone nor the card, nor the software.

Search this forum for more info about t55xx problematics. The user @mrwalker  has written some well worded posts about it.

Definitely good to know, thanks for your time and checking into my dumps for me! Intriguing that it's not responding as expected even though everything checks out, but seems to be just the way it sometimes is with these chips.

Appreciate your help!
-Compgeek

Offline

Quick reply

Write your message and submit

Board footer

Powered by FluxBB