2020-11-24 14:25:46 +08:00
|
|
|
|
# T5577 Introduction Guide
|
|
|
|
|
|
2021-03-08 03:38:51 +08:00
|
|
|
|
### Based on RRG/Iceman Proxmark3 repo
|
2020-11-24 14:25:46 +08:00
|
|
|
|
|
|
|
|
|
### Ver.1 8 Sep 2019
|
2021-03-08 03:38:51 +08:00
|
|
|
|
### Ver.2 7 March 2021
|
2020-11-24 14:25:46 +08:00
|
|
|
|
|
|
|
|
|
| Contents |
|
|
|
|
|
| ----------------------------------------------------------------------------------- |
|
|
|
|
|
| [Part 1](#part-1) |
|
|
|
|
|
| [Introduction](#introduction) |
|
|
|
|
|
| [T5577 Overview](#t5577-overview) |
|
|
|
|
|
| [What data is on my T5577](#what-data-is-on-my-t5577) |
|
|
|
|
|
| [Read and Write Blocks of Data](#read-and-write-blocks-of-data) |
|
|
|
|
|
| [Exercise 1](#exercise-1) |
|
|
|
|
|
| [How do I use a password](#how-do-i-use-a-password) |
|
|
|
|
|
| |
|
|
|
|
|
| [Part 2 – Configuration Blocks](#part-2-configuration-blocks) |
|
|
|
|
|
| [The configuration Block – Block 0 Page 0](#the-configuration-block-block-0-page-0) |
|
|
|
|
|
| [Exercise 2](#exercise-2) |
|
|
|
|
|
| [The configuration Block – Block 3 Page 1](#the-configuration-block-block-3-page-1) |
|
|
|
|
|
|
|
|
|
|
# Part 1
|
|
|
|
|
|
|
|
|
|
## Introduction
|
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
The T5577 is a generic LF (Low Frequency) RFID card that is used in the
|
2020-11-24 14:25:46 +08:00
|
|
|
|
125 Khz frequency space. It is a good card to use to learn about RFID and
|
|
|
|
|
learn how to use the proxmark3.
|
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
It is highly recommended that when learning about RFID that learning how
|
2020-11-24 14:25:46 +08:00
|
|
|
|
to read the data sheets be near the top of the list. It can be very hard
|
|
|
|
|
as the data sheet will hold the information you need, but you don’t yet
|
|
|
|
|
know what it means. As such, I will attempt to point to sections of the
|
|
|
|
|
data sheet and would highly advise that you look at the data sheet as
|
|
|
|
|
you go. Overtime the data sheet may change, as a result things may not
|
2021-03-09 08:51:57 +08:00
|
|
|
|
always be referenced correctly.
|
2020-11-24 14:25:46 +08:00
|
|
|
|
|
|
|
|
|
As at writing this guide, the data sheet can be found at :
|
|
|
|
|
|
|
|
|
|
<http://ww1.microchip.com/downloads/en/DeviceDoc/Atmel-9187-RFID-ATA5577C_Datasheet.pdf>
|
|
|
|
|
|
|
|
|
|
This guide is not a how do I clone document. It is meant to help people
|
|
|
|
|
learn how to use the T5577 and in the process learn about rfid and the
|
|
|
|
|
proxmark3.
|
|
|
|
|
|
|
|
|
|
Throughout this guide I will give examples. It is recommended that you
|
|
|
|
|
try these as we go. To do so, have a blank T5577 card that you can use
|
|
|
|
|
for this purpose.
|
|
|
|
|
|
|
|
|
|
## T5577 Overview
|
|
|
|
|
|
|
|
|
|
The T5577 is a chip that can hold data and a configuration (Section
|
|
|
|
|
4.12).
|
|
|
|
|
|
|
|
|
|
In the diagram below, all white blocks can hold data. Some can be used
|
|
|
|
|
for a second purpose, such as the ‘password’ and ‘traceability data’.
|
|
|
|
|
The ‘Configuration Data’ and ‘Analog front end option setup’ will tell
|
|
|
|
|
the chip how to behave.
|
|
|
|
|
|
|
|
|
|
![](./t55xx_mem_map.png)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## What data is on my T5577
|
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
Let’s have a look and see what a card might look like in the proxmark3
|
2020-11-24 14:25:46 +08:00
|
|
|
|
software. Since we can change the configuration of how the T5577 will
|
2021-03-09 08:51:57 +08:00
|
|
|
|
output data, the proxmark3 software needs to work out how to interpret
|
2020-11-24 14:25:46 +08:00
|
|
|
|
the data it receives, we do this with the following command.
|
|
|
|
|
|
|
|
|
|
It should be noted that the T5577 has many clones. As such the default
|
|
|
|
|
setup of each card may be different. If the tractability data is
|
|
|
|
|
present, then this will vary based on the batch of cards.
|
|
|
|
|
|
|
|
|
|
Always run this command when you place a t5577 on the proxmark3. In all
|
|
|
|
|
examples shown, it will be assumed you have run the detect command.
|
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf t55xx detect
|
|
|
|
|
```
|
2021-03-09 19:32:59 +08:00
|
|
|
|
You should see a results similar to the following:
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[=] Chip type......... T55x7
|
|
|
|
|
[=] Modulation........ ASK
|
|
|
|
|
[=] Bit rate.......... 2 - RF/32
|
|
|
|
|
[=] Inverted.......... No
|
|
|
|
|
[=] Offset............ 33
|
|
|
|
|
[=] Seq. terminator... Yes
|
|
|
|
|
[=] Block0............ 000880E0 (auto detect)
|
|
|
|
|
[=] Downlink mode..... default/fixed bit length
|
|
|
|
|
[=] Password set...... No
|
|
|
|
|
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
Now that the proxmark3 has detected a T55x7 chip, and found some
|
|
|
|
|
information about it, we should be able to see all the data on the chip.
|
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf t55xx dump
|
|
|
|
|
```
|
|
|
|
|
Your results should look similar to the following:
|
|
|
|
|
```
|
|
|
|
|
[+] Reading Page 0:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
|
|
|
|
[+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
|
2021-03-09 08:51:57 +08:00
|
|
|
|
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 04 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 06 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
|
2020-11-24 14:25:46 +08:00
|
|
|
|
[+] Reading Page 1:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
|
|
|
|
[+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
|
2021-03-09 08:51:57 +08:00
|
|
|
|
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
I will cover the meaning of this data as we go, but for now, lets keep
|
|
|
|
|
it simple.
|
|
|
|
|
|
|
|
|
|
## Read and Write Blocks of Data
|
|
|
|
|
|
|
|
|
|
The basic function of using the proxmark3 with rfid cards is to read and
|
|
|
|
|
write data. This reading and writing must be done in the correct way
|
|
|
|
|
needed for the chip (and its configuration). Lucky for us, the
|
|
|
|
|
developers have done a great job and gave us commands. What we need to
|
2021-03-09 08:51:57 +08:00
|
|
|
|
know is that with the T5577, data is read/written one complete block at a
|
2020-11-24 14:25:46 +08:00
|
|
|
|
time. Each block holds 32 bits of data (hence the binary output shown)
|
|
|
|
|
|
|
|
|
|
Since we know that the card has data and configuration blocks, lets say
|
|
|
|
|
away from those while we learn how to read and write. I suggest you
|
|
|
|
|
follow along and perform each command and check the results as we go.
|
|
|
|
|
|
|
|
|
|
We can store our own data in blocks 1-7 (remember that block 7 will be
|
|
|
|
|
needed if we want to set a password).
|
|
|
|
|
|
|
|
|
|
(Don’t forget to run the detect command: lf t55xx detect, and ensure you
|
|
|
|
|
can see the card)
|
|
|
|
|
|
|
|
|
|
1) Check what is stored in block 1. The following command can be read
|
|
|
|
|
as, run a low frequency (lf) command for the T55xx chip (t55xx) and
|
|
|
|
|
read block (b) number 1.
|
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx read -b 1
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[+] Reading Page 0:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
2021-03-09 08:51:57 +08:00
|
|
|
|
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
2021-03-09 08:51:57 +08:00
|
|
|
|
Note: Depending on the history of your card, your data may vary, but
|
2020-11-24 14:25:46 +08:00
|
|
|
|
should match the dump data.
|
|
|
|
|
|
|
|
|
|
2) Write some new data into block 1 on the card.
|
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
We use the -d option to supply the data ‘12345678’
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
2021-03-08 05:00:33 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx write -b 1 -d 12345678
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[=] Writing page 0 block: 01 data: 0x12345678
|
|
|
|
|
```
|
|
|
|
|
3) Now, lets check if the data was written.
|
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx read -b 1
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[+] Reading Page 0:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
|
|
|
|
[+] 01 | 12345678 | 00010010001101000101011001111000 | .4Vx
|
|
|
|
|
```
|
|
|
|
|
4) The data is written in Hexadecimal. A single hex digit holds 4 bits
|
2021-03-09 08:51:57 +08:00
|
|
|
|
of data. So to store 32 bits in a block, we need to supply 8 hex
|
|
|
|
|
digits (8 \* 4 = 32). If you are not familiar with hex and binary do a
|
2020-11-24 14:25:46 +08:00
|
|
|
|
little bit of home work to learn. The following is a quick start.
|
|
|
|
|
|
|
|
|
|
| Hex | Binary | Decimal |
|
|
|
|
|
|:---:|:------:|:-------:|
|
|
|
|
|
| 0 | 0000 | 0 |
|
|
|
|
|
| 1 | 0001 | 1 |
|
|
|
|
|
| 2 | 0010 | 2 |
|
|
|
|
|
| 3 | 0011 | 3 |
|
|
|
|
|
| 4 | 0100 | 4 |
|
|
|
|
|
| 5 | 0101 | 5 |
|
|
|
|
|
| 6 | 0110 | 6 |
|
|
|
|
|
| 7 | 0111 | 7 |
|
|
|
|
|
| 8 | 1000 | 8 |
|
|
|
|
|
| 9 | 1001 | 9 |
|
|
|
|
|
| A | 1010 | 10 |
|
|
|
|
|
| B | 1011 | 11 |
|
|
|
|
|
| C | 1100 | 12 |
|
|
|
|
|
| D | 1101 | 13 |
|
|
|
|
|
| E | 1110 | 14 |
|
|
|
|
|
| F | 1111 | 15 |
|
|
|
|
|
|
|
|
|
|
To use all the bits we supply the data in Hex format and it will
|
|
|
|
|
always be 8 hex digits.
|
|
|
|
|
|
|
|
|
|
Lets try and write 89ABCDEF
|
|
|
|
|
```
|
2021-03-08 05:00:33 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx write -b 1 -d 89abcdef
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[=] Writing page 0 block: 01 data: 0x89ABCDEF
|
|
|
|
|
```
|
|
|
|
|
and check
|
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx read -b 1
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[+] Reading Page 0:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
|
|
|
|
[+] 01 | 89ABCDEF | 10001001101010111100110111101111 | ....
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Exercise 1
|
|
|
|
|
|
|
|
|
|
Using the read and write commands you have learnt see if you can make
|
|
|
|
|
the lf t55 dump command show the following data for blocks 1-7 (Page 0).
|
|
|
|
|
Do not write to block 0 or try and change the data on page 1.
|
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf t55 dump
|
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[+] Reading Page 0:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
|
|
|
|
[+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
|
|
|
|
|
[+] 01 | 89ABCDEF | 10001001101010111100110111101111 | ....
|
2021-03-09 08:51:57 +08:00
|
|
|
|
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 04 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 06 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 07 | 00000000 | 00000000000000000000000000000000 | ....
|
2020-11-24 14:25:46 +08:00
|
|
|
|
[+] Reading Page 1:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
|
|
|
|
[+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
|
2021-03-09 08:51:57 +08:00
|
|
|
|
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
Practice reading and writing to blocks 1 to 6 until you are happy you
|
2020-11-24 14:25:46 +08:00
|
|
|
|
can do it and get the results you wanted (i.e. the data you want stored
|
2021-03-09 08:51:57 +08:00
|
|
|
|
is written to the block you want it stored in). I recommend staying
|
2021-03-09 19:32:59 +08:00
|
|
|
|
away from block 7 as this is where the password is stored, if used.
|
2021-03-09 08:51:57 +08:00
|
|
|
|
If you forget this data/password, you wont be able to read or write
|
|
|
|
|
to the card.
|
2020-11-24 14:25:46 +08:00
|
|
|
|
|
|
|
|
|
## How do I use a password
|
|
|
|
|
|
|
|
|
|
This can be a little tricky for beginners.
|
|
|
|
|
***If you forget your password you will lose access to your card***.
|
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
To tell the T5577 to use a password, we have to change the data in the
|
2020-11-24 14:25:46 +08:00
|
|
|
|
configuration block (0). To help learn this and make it as simple as I
|
|
|
|
|
can, please read and follow exactly. If your results DON’T match 100% as
|
|
|
|
|
required, please do not proceed.
|
|
|
|
|
|
|
|
|
|
1) Lets start with a known card state and wipe the card. This will set
|
|
|
|
|
a default configuration to block 0 and set all the data in blocks
|
|
|
|
|
1-7 to a default.
|
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf t55xx wipe
|
|
|
|
|
```
|
|
|
|
|
Result:
|
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[=] Target T55x7 tag
|
|
|
|
|
[=] Default configuration block 000880E0
|
2020-11-24 14:25:46 +08:00
|
|
|
|
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[=] Begin wiping...
|
2020-11-24 14:25:46 +08:00
|
|
|
|
[=] Writing page 0 block: 00 data: 0x000880E0
|
|
|
|
|
[=] Writing page 0 block: 01 data: 0x00000000
|
|
|
|
|
[=] Writing page 0 block: 02 data: 0x00000000
|
|
|
|
|
[=] Writing page 0 block: 03 data: 0x00000000
|
|
|
|
|
[=] Writing page 0 block: 04 data: 0x00000000
|
|
|
|
|
[=] Writing page 0 block: 05 data: 0x00000000
|
|
|
|
|
[=] Writing page 0 block: 06 data: 0x00000000
|
|
|
|
|
[=] Writing page 0 block: 07 data: 0x00000000
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
2) Check that the card is in the desired state.
|
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf t55xx detect
|
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[=] Chip type......... T55x7
|
|
|
|
|
[=] Modulation........ ASK
|
|
|
|
|
[=] Bit rate.......... 2 - RF/32
|
|
|
|
|
[=] Inverted.......... No
|
|
|
|
|
[=] Offset............ 33
|
|
|
|
|
[=] Seq. terminator... Yes
|
|
|
|
|
[=] Block0............ 000880E0 (auto detect)
|
|
|
|
|
[=] Downlink mode..... default/fixed bit length
|
|
|
|
|
[=] Password set...... No
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
If block 0 does not hold the hex data **0x00088040 resolve this
|
|
|
|
|
first before proceeding.**
|
|
|
|
|
|
|
|
|
|
3) Set the password we want to use. For this example lets use the
|
|
|
|
|
password : ***12345678***
|
|
|
|
|
|
|
|
|
|
The password is saved in block 7 of page 0.
|
|
|
|
|
```
|
2021-03-08 05:00:33 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx write -b 7 -d 12345678
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[=] Writing page 0 block: 07 data: 0x12345678
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
4) Lets verify both block 0 and block 7
|
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf t55xx dump
|
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[+] Reading Page 0:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
|
|
|
|
[+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
|
2021-03-09 08:51:57 +08:00
|
|
|
|
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 04 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 05 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 06 | 00000000 | 00000000000000000000000000000000 | ....
|
2020-11-24 14:25:46 +08:00
|
|
|
|
[+] 07 | 12345678 | 00010010001101000101011001111000 | .4Vx
|
|
|
|
|
[+] Reading Page 1:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
|
|
|
|
[+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
|
2021-03-09 08:51:57 +08:00
|
|
|
|
[+] 01 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 02 | 00000000 | 00000000000000000000000000000000 | ....
|
|
|
|
|
[+] 03 | 00000000 | 00000000000000000000000000000000 | ....
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
***Important : If block 0 and block 7 don’t match exactly, do not continue.***
|
|
|
|
|
|
|
|
|
|
5) Now we have a known configuration block and a known password of
|
|
|
|
|
12345678, we are ready to tell the card to use the password.
|
|
|
|
|
|
|
|
|
|
To do this the datasheet tells us we need to set the 28<sup>th</sup>
|
|
|
|
|
bit “PWD”. Check your datasheet and see the entire table (remember
|
|
|
|
|
the data sheet is your friend).
|
|
|
|
|
|
|
|
|
|
![](./t55xx_block0.png)
|
|
|
|
|
|
|
|
|
|
We will cover other things in the configuration later. But the key
|
2021-03-09 08:51:57 +08:00
|
|
|
|
note here, is we ONLY want to change bit 28 and nothing else.
|
2020-11-24 14:25:46 +08:00
|
|
|
|
|
|
|
|
|
Current Block 0 : ***00088040***
|
|
|
|
|
New Block 0 : ***00088050***
|
|
|
|
|
|
|
|
|
|
To understand what happened to get from 00088040 to 00088050 we need
|
|
|
|
|
to look at the binary data.
|
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
While this can be confusing, it is important to understand this as we
|
2020-11-24 14:25:46 +08:00
|
|
|
|
do more advanced things.
|
|
|
|
|
|
|
|
|
|
Bit Location (28)
|
|
|
|
|
000000000011111111112222222 ***2*** 2233
|
|
|
|
|
123456789012345678901234567 ***8*** 9012
|
|
|
|
|
|
|
|
|
|
| Hex Data | Binary Data |
|
|
|
|
|
|:--------:|:---------------------------------------|
|
|
|
|
|
| 00088040 | 000000000000100010000000010***0***0000 |
|
|
|
|
|
| 00088050 | 000000000000100010000000010***1***0000 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
See how in the above we changed the bit in location 28 from a 0 to 1
|
2020-11-24 14:25:46 +08:00
|
|
|
|
0 = No Password, 1 = Use Password
|
|
|
|
|
|
|
|
|
|
Note how we did NOT change any other part of the configuration, only bit 28.
|
|
|
|
|
|
|
|
|
|
To re-cap.
|
|
|
|
|
We put the card into a known configuration Block 0 : 00088040
|
|
|
|
|
We set the a known password Block 7 : 12345678
|
|
|
|
|
We altered the config data to tell the T5577 to use the password.
|
|
|
|
|
New Block 0 : 00088050
|
|
|
|
|
|
|
|
|
|
If you have completed all steps and have the exact same results, we are
|
|
|
|
|
ready to apply the new configuration.
|
|
|
|
|
```
|
2021-03-08 05:00:33 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx write -b 0 -d 00088050
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[=] Writing page 0 block: 00 data: 0x00088050
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
6) Lets check what happens when the password is set.
|
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf t55 detect
|
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
|
|
|
|
|
```
|
|
|
|
|
Note how the lf t55 detect no longer seems to work\!
|
|
|
|
|
|
|
|
|
|
In this case, this is due to needing a password to read/write to the
|
|
|
|
|
card.
|
|
|
|
|
|
|
|
|
|
Lets try again, but this time supply the password. We use the option
|
2021-03-09 08:51:57 +08:00
|
|
|
|
-p followed by the password.
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[usb] pm3 --> lf t55 detect -p 12345678
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
2021-03-09 08:51:57 +08:00
|
|
|
|
[=] Chip type......... T55x7
|
|
|
|
|
[=] Modulation........ ASK
|
|
|
|
|
[=] Bit rate.......... 2 - RF/32
|
|
|
|
|
[=] Inverted.......... No
|
|
|
|
|
[=] Offset............ 33
|
|
|
|
|
[=] Seq. terminator... Yes
|
|
|
|
|
[=] Block0............ 00088050 (auto detect)
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[=] Downlink mode..... default/fixed bit length
|
|
|
|
|
[=] Password set...... Yes
|
2021-03-09 08:51:57 +08:00
|
|
|
|
[=] Password.......... 12345678
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
7) Write a block of data with a password
|
|
|
|
|
```
|
2021-03-08 05:00:33 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx write -b 1 -d 1234abcd -p 12345678
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[=] Writing page 0 block: 01 data: 0x1234ABCD pwd: 0x12345678
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
8) Read a block of data with a password
|
|
|
|
|
|
|
|
|
|
***\*\*\*\* Important \*\*\*\****
|
|
|
|
|
|
|
|
|
|
***Reading a T5577 block with a password when a password is not
|
|
|
|
|
enabled can result in locking the card. Please only use read with a
|
|
|
|
|
password when it is known that a password is in use.***
|
|
|
|
|
|
|
|
|
|
The proxmark3 has a safety check\!
|
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx read -b 1 -p 12345678
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[+] Reading Page 0:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
|
|
|
|
[!] Safety check: Could not detect if PWD bit is set in config block. Exits.
|
|
|
|
|
```
|
|
|
|
|
|
2021-03-09 19:32:59 +08:00
|
|
|
|
Note that the proxmark3 did not read the block, the safety kicked in
|
2021-03-09 08:51:57 +08:00
|
|
|
|
and wants us to confirm by supply the override option ‘-o’.
|
2020-11-24 14:25:46 +08:00
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
Lets try again with the ‘-o’ option as we know the password is set.
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx read -b 1 -p 12345678 -o
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[+] Reading Page 0:
|
|
|
|
|
[+] blk | hex data | binary | ascii
|
|
|
|
|
[+] ----+----------+----------------------------------+-------
|
|
|
|
|
[=] Safety check overridden - proceeding despite risk
|
|
|
|
|
[+] 01 | 1234ABCD | 00010010001101001010101111001101 | .4..
|
|
|
|
|
```
|
|
|
|
|
This time, we can see the data we wrote to block 1 is found with the
|
|
|
|
|
read command.
|
|
|
|
|
|
|
|
|
|
9) Remove the need to supply the password.
|
|
|
|
|
|
|
|
|
|
To do this we need to clear Bit 28 (set to 0) in the config. We have
|
|
|
|
|
this from above.
|
|
|
|
|
|
|
|
|
|
Remember if we don’t know the config and write this config to the
|
2021-03-09 08:51:57 +08:00
|
|
|
|
card, it will overwrite all other settings. This can recover the
|
2020-11-24 14:25:46 +08:00
|
|
|
|
card, but will lose any settings you may want. So it’s a good idea
|
|
|
|
|
to read the config, and set bit 28 to 0, rather than just overwrite
|
|
|
|
|
the config and change the way the card works.
|
|
|
|
|
|
|
|
|
|
In our examples we know what it should be : 00088040
|
|
|
|
|
```
|
2021-03-08 05:00:33 +08:00
|
|
|
|
[usb] pm3 --> lf t55xx write -b 0 -d 00088040 -p 12345678
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
|
|
|
|
[=] Writing page 0 block: 00 data: 0x00088040 pwd: 0x12345678
|
|
|
|
|
```
|
|
|
|
|
Now check if we can detect without a password
|
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf t55 detect
|
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[=] Chip type......... T55x7
|
|
|
|
|
[=] Modulation........ ASK
|
|
|
|
|
[=] Bit rate.......... 2 - RF/32
|
|
|
|
|
[=] Inverted.......... No
|
|
|
|
|
[=] Offset............ 33
|
|
|
|
|
[=] Seq. terminator... Yes
|
|
|
|
|
[=] Block0............ 00088040 (auto detect)
|
|
|
|
|
[=] Downlink mode..... default/fixed bit length
|
|
|
|
|
[=] Password set...... No
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
2021-03-09 08:51:57 +08:00
|
|
|
|
Yes we can! We can see Block 0 is the correct config 00088040
|
2020-11-24 14:25:46 +08:00
|
|
|
|
|
|
|
|
|
# Part 2 – Configuration Blocks
|
|
|
|
|
|
|
|
|
|
One of the things a lot of people have trouble with or miss, is that the
|
|
|
|
|
T5577 has two different and separate communications protocols, each with
|
|
|
|
|
their own sub-protocols.
|
|
|
|
|
|
|
|
|
|
- Card to Reader
|
|
|
|
|
- Reader to Card
|
|
|
|
|
|
|
|
|
|
In Card to Reader, the T5577 will encode its data using the settings
|
|
|
|
|
from Block 0 in Page 0. It will use this in both default read mode
|
|
|
|
|
(where is sends out the blocks from 1 to x on power up), as well as when
|
|
|
|
|
it responds to commands.
|
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
In the Reader To Card, the T5577 will encode the data using the settings
|
2020-11-24 14:25:46 +08:00
|
|
|
|
from Block 3 Page 1. If the command is not encoded correctly it will
|
|
|
|
|
ignore the command and revert back to default read mode.
|
|
|
|
|
|
|
|
|
|
## The configuration Block – Block 0 Page 0
|
|
|
|
|
|
|
|
|
|
For this configuration the settings chosen will be for the purpose of
|
|
|
|
|
the card when used in production. E.G. If you want the card to act like
|
|
|
|
|
an EM4100, then we need to choose the settings that work like the
|
|
|
|
|
EM4100; same goes for others like HID. I am not going to cover these
|
2021-03-09 08:51:57 +08:00
|
|
|
|
here, rather use an example. Others have collected these and posted on the
|
|
|
|
|
forum or can be found by searching the web.
|
2020-11-24 14:25:46 +08:00
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
To get started lets look back at the data sheet.
|
2020-11-24 14:25:46 +08:00
|
|
|
|
|
|
|
|
|
![](./t55xx_clock0_cfg.png)
|
|
|
|
|
|
|
|
|
|
The non-password protect EM4100 could have a block 0 config of 00148040,
|
|
|
|
|
so what does it mean.
|
|
|
|
|
|
|
|
|
|
To decode this config, we need to look at it in binary
|
|
|
|
|
00000000000101001000000001000000. Note that it had 32 bits and the
|
|
|
|
|
config block 0 is 32 bits. Now we can break it down.
|
|
|
|
|
|
|
|
|
|
| Bits | Purpose | Value |
|
|
|
|
|
| ------- | ---------------------- | ----------- |
|
|
|
|
|
| 0000 | Master Key | Nothing Set |
|
|
|
|
|
| 0000000 | Not used in Basic Mode | |
|
|
|
|
|
| 101 | Data Bit Rate | RF/64 |
|
|
|
|
|
| 0 | Not used in Basic Mode | |
|
|
|
|
|
| 01000 | Modulation | Manchester |
|
|
|
|
|
| 00 | PSKCF | RF/2 |
|
|
|
|
|
| 0 | AOR | Not Set |
|
|
|
|
|
| 0 | Not used in Basic Mode | |
|
|
|
|
|
| 010 | Max Block | 2 |
|
|
|
|
|
| 0 | Password | Not Set |
|
|
|
|
|
| 0 | ST Sequence Terminator | Not Set |
|
|
|
|
|
| 00 | Not used in Basic Mode | |
|
|
|
|
|
| 0 | Init Delay | Not Set |
|
|
|
|
|
|
|
|
|
|
To get more detail on each item, read through the data sheet.
|
|
|
|
|
|
|
|
|
|
Lets see how the proxmark3 can help us learn. We will assume the T5577
|
|
|
|
|
is in the same state from Part 1, where we can write to the card with no
|
|
|
|
|
password set (if not, review and get you card back to this state).
|
|
|
|
|
|
|
|
|
|
1) Lets turn you T5577 into an EM4100 with ID 1122334455
|
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[usb] pm3 --> lf em 410x clone --id 1122334455
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
2021-03-09 08:51:57 +08:00
|
|
|
|
[+] Preparing to clone EM4102 to T55x7 tag with ID 1122334455 (RF/64)
|
|
|
|
|
[#] Clock rate: 64
|
|
|
|
|
[#] Tag T55x7 written with 0xff8c65298c94a940
|
|
|
|
|
|
|
|
|
|
[+] Done
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
2) Check this has work.
|
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf search
|
|
|
|
|
```
|
|
|
|
|
result:
|
2021-03-08 03:38:51 +08:00
|
|
|
|
```
|
|
|
|
|
[=] NOTE: some demods output possible binary
|
|
|
|
|
[=] if it finds something that looks like a tag
|
|
|
|
|
[=] False Positives ARE possible
|
|
|
|
|
[=]
|
|
|
|
|
[=] Checking for known tags...
|
|
|
|
|
[=]
|
|
|
|
|
[+] EM 410x ID 0F0368568B
|
|
|
|
|
[+] EM410x ( RF/64 )
|
|
|
|
|
[=] -------- Possible de-scramble patterns ---------
|
|
|
|
|
[+] Unique TAG ID : F0C0166AD1
|
|
|
|
|
[=] HoneyWell IdentKey
|
|
|
|
|
[+] DEZ 8 : 06837899
|
|
|
|
|
[+] DEZ 10 : 0057169547
|
|
|
|
|
[+] DEZ 5.5 : 00872.22155
|
|
|
|
|
[+] DEZ 3.5A : 015.22155
|
|
|
|
|
[+] DEZ 3.5B : 003.22155
|
|
|
|
|
[+] DEZ 3.5C : 104.22155
|
|
|
|
|
[+] DEZ 14/IK2 : 00064481678987
|
|
|
|
|
[+] DEZ 15/IK3 : 001034014845649
|
|
|
|
|
[+] DEZ 20/ZK : 15001200010606101301
|
|
|
|
|
[=]
|
|
|
|
|
[+] Other : 22155_104_06837899
|
|
|
|
|
[+] Pattern Paxton : 259822731 [0xF7C948B]
|
|
|
|
|
[+] Pattern 1 : 9750181 [0x94C6A5]
|
|
|
|
|
[+] Pattern Sebury : 22155 104 6837899 [0x568B 0x68 0x68568B]
|
|
|
|
|
[=] ------------------------------------------------
|
|
|
|
|
|
|
|
|
|
[+] Valid EM410x ID found!
|
|
|
|
|
|
|
|
|
|
[+] Chipset detection: T55xx
|
|
|
|
|
[?] Hint: try `lf t55xx` commands
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
Looks good.
|
|
|
|
|
|
2021-03-09 08:51:57 +08:00
|
|
|
|
3) Now lets see what the T5577 detect and info shows
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf t55 detect
|
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
[=] Chip type......... T55x7
|
|
|
|
|
[=] Modulation........ ASK
|
|
|
|
|
[=] Bit rate.......... 5 - RF/64
|
|
|
|
|
[=] Inverted.......... No
|
|
|
|
|
[=] Offset............ 33
|
|
|
|
|
[=] Seq. terminator... Yes
|
|
|
|
|
[=] Block0............ 00148040 (auto detect)
|
|
|
|
|
[=] Downlink mode..... default/fixed bit length
|
|
|
|
|
[=] Password set...... No
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
```
|
|
|
|
|
[usb] pm3 --> lf t55xx info
|
|
|
|
|
```
|
|
|
|
|
result:
|
|
|
|
|
```
|
2021-03-08 03:38:51 +08:00
|
|
|
|
|
|
|
|
|
[=] --- T55x7 Configuration & Information ---------
|
|
|
|
|
[=] Safer key : 0
|
|
|
|
|
[=] reserved : 0
|
|
|
|
|
[=] Data bit rate : 5 - RF/64
|
|
|
|
|
[=] eXtended mode : No
|
|
|
|
|
[=] Modulation : 8 - Manchester
|
|
|
|
|
[=] PSK clock frequency : 0 - RF/2
|
|
|
|
|
[=] AOR - Answer on Request : No
|
|
|
|
|
[=] OTP - One Time Pad : No
|
|
|
|
|
[=] Max block : 2
|
|
|
|
|
[=] Password mode : No
|
|
|
|
|
[=] Sequence Terminator : No
|
|
|
|
|
[=] Fast Write : No
|
|
|
|
|
[=] Inverse data : No
|
|
|
|
|
[=] POR-Delay : No
|
|
|
|
|
[=] -------------------------------------------------------------
|
|
|
|
|
[=] Raw Data - Page 0, block 0
|
|
|
|
|
[=] 00148040 - 00000000000101001000000001000000
|
|
|
|
|
[=] --- Fingerprint ------------
|
|
|
|
|
[+] Config block match : EM unique, Paxton
|
|
|
|
|
|
2020-11-24 14:25:46 +08:00
|
|
|
|
```
|
|
|
|
|
We can see that the info gave us more information and confirmed what
|
|
|
|
|
we decoded by hand. But remember, the detect is still needed so the
|
|
|
|
|
proxmark3 software will know how to decode the info block.
|
|
|
|
|
|
|
|
|
|
We can see that for the EM4100 emulation we have two blocks of data
|
|
|
|
|
(Max Block = 2). On the T5577 these will be Blocks 1 and 2.
|
|
|
|
|
|
|
|
|
|
## Exercise 2
|
|
|
|
|
|
|
|
|
|
Using the skills form part 1, see if you can view the data in blocks 1 and 2.
|
|
|
|
|
|
|
|
|
|
Note: the EM4100 ID of 1122334455 is encoded, so don’t expect to see
|
|
|
|
|
those bytes as such. To learn how to do that, you guessed it, find the
|
|
|
|
|
datasheet and review.
|
|
|
|
|
|
|
|
|
|
At this point we have an EM4100 card. If we wanted to password protect
|
|
|
|
|
it, we can follow the password section and update the config from
|
|
|
|
|
00148040 to 00148050.
|
|
|
|
|
|
|
|
|
|
***Important : Don’t forget to set a valid password in block 7 and remember it.***
|
|
|
|
|
|
|
|
|
|
## The configuration Block – Block 3 Page 1
|