RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-12-29 11:52:59 +08:00
Code Issues Projects Releases Packages Wiki Activity

updated text

Browse source
This commit is contained in:
iceman1001 2021-03-07 20:38:51 +01:00
parent a3b42e27cf
commit 214fe8ce74
1 changed files with 120 additions and 114 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

234
doc/T5577_Guide.md
View file

@ -1,8 +1,9 @@
# T5577 Introduction Guide # T5577 Introduction Guide
### Based on RRG proxmark3 fork. ### Based on RRG/Iceman Proxmark3 repo
### Ver.1 8 Sep 2019 ### Ver.1 8 Sep 2019
### Ver.2 7 March 2021
| Contents | | Contents |
| ----------------------------------------------------------------------------------- | | ----------------------------------------------------------------------------------- |
@ -79,14 +80,16 @@ examples shown, it will be assumed you have run the detect command.
``` ```
You should see a results simular to the following: You should see a results simular to the following:
``` ```
Chip Type : T55x7 [=] Chip type......... T55x7
Modulation : ASK [=] Modulation........ ASK
Bit Rate : 2 - RF/32 [=] Bit rate.......... 2 - RF/32
Inverted : No [=] Inverted.......... No
Offset : 32 [=] Offset............ 33
Seq. Term. : Yes [=] Seq. terminator... Yes
Block0 : 0x000880E0 [=] Block0............ 000880E0 (auto detect)
Downlink Mode : default/fixed bit length [=] Downlink mode..... default/fixed bit length
[=] Password set...... No
``` ```
Now that the proxmark3 has detected a T55x7 chip, and found some Now that the proxmark3 has detected a T55x7 chip, and found some
information about it, we should be able to see all the data on the chip. information about it, we should be able to see all the data on the chip.
@ -140,7 +143,7 @@ can see the card)
as, run a low frequency (lf) command for the T55xx chip (t55xx) and as, run a low frequency (lf) command for the T55xx chip (t55xx) and
read block (b) number 1. read block (b) number 1.
``` ```
[usb] pm3 --> lf t55xx read b 1 [usb] pm3 --> lf t55xx read -b 1
``` ```
result: result:
``` ```
@ -164,7 +167,7 @@ can see the card)
``` ```
3) Now, lets check if the data was written. 3) Now, lets check if the data was written.
``` ```
[usb] pm3 --> lf t55xx read b 1 [usb] pm3 --> lf t55xx read -b 1
``` ```
result: result:
``` ```
@ -210,7 +213,7 @@ can see the card)
``` ```
and check and check
``` ```
[usb] pm3 --> lf t55xx read b 1 [usb] pm3 --> lf t55xx read -b 1
``` ```
result: result:
``` ```
@ -272,9 +275,10 @@ required, please do not proceed.
``` ```
Result: Result:
``` ```
[=] Begin wiping T55x7 tag [=] Target T55x7 tag
[=] Default configuration block 000880E0
[=] Default configation block 000880E0 [=] Begin wiping...
[=] Writing page 0 block: 00 data: 0x000880E0 [=] Writing page 0 block: 00 data: 0x000880E0
[=] Writing page 0 block: 01 data: 0x00000000 [=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000 [=] Writing page 0 block: 02 data: 0x00000000
@ -291,14 +295,15 @@ required, please do not proceed.
``` ```
result: result:
``` ```
Chip Type : T55x7 [=] Chip type......... T55x7
Modulation : ASK [=] Modulation........ ASK
Bit Rate : 2 - RF/32 [=] Bit rate.......... 2 - RF/32
Inverted : No [=] Inverted.......... No
Offset : 32 [=] Offset............ 33
Seq. Term. : Yes [=] Seq. terminator... Yes
Block0 : 0x000880E0 [=] Block0............ 000880E0 (auto detect)
Downlink Mode : default/fixed bit length [=] Downlink mode..... default/fixed bit length
[=] Password set...... No
``` ```
If block 0 does not hold the hex data **0x00088040 resolve this If block 0 does not hold the hex data **0x00088040 resolve this
@ -412,18 +417,20 @@ required, please do not proceed.
Lets try again, but this time supply the password. We use the option Lets try again, but this time supply the password. We use the option
p followed by the password. p followed by the password.
``` ```
[usb] pm3 --> lf t55 detect p 12345678 [usb] pm3 --> lf t55 detect -p 12345678
``` ```
result: result:
``` ```
Chip Type : T55x7 [=] Chip type......... T55x7
Modulation : ASK [=] Modulation........ ASK
Bit Rate : 2 - RF/32 [=] Bit rate.......... 2 - RF/32
Inverted : No [=] Inverted.......... No
Offset : 32 [=] Offset............ 33
Seq. Term. : Yes [=] Seq. terminator... Yes
Block0 : 0x00088050 [=] Block0............ 00088050 (auto detect)
Downlink Mode : default/fixed bit length [=] Downlink mode..... default/fixed bit length
[=] Password set...... Yes
[=] Password.......... 00000000
``` ```
7) Write a block of data with a password 7) Write a block of data with a password
@ -445,7 +452,7 @@ required, please do not proceed.
The proxmark3 has a safety check\! The proxmark3 has a safety check\!
``` ```
[usb] pm3 --> lf t55xx read b 1 p 12345678 [usb] pm3 --> lf t55xx read -b 1 -p 12345678
``` ```
result: result:
``` ```
@ -453,6 +460,7 @@ required, please do not proceed.
[+] blk | hex data | binary | ascii [+] blk | hex data | binary | ascii
[+] ----+----------+----------------------------------+------- [+] ----+----------+----------------------------------+-------
[!] Safety check: Could not detect if PWD bit is set in config block. Exits. [!] Safety check: Could not detect if PWD bit is set in config block. Exits.
[?] Consider using the override parameter to force read.
``` ```
Note that the proxmark3 did not read the block, the safty kicked in Note that the proxmark3 did not read the block, the safty kicked in
@ -460,7 +468,7 @@ required, please do not proceed.
Lets try again with the o option as we know the password is set. Lets try again with the o option as we know the password is set.
``` ```
[usb] pm3 --> lf t55xx read b 1 p 12345678 o [usb] pm3 --> lf t55xx read -b 1 -p 12345678 -o
``` ```
result: result:
``` ```
@ -498,14 +506,15 @@ required, please do not proceed.
``` ```
result: result:
``` ```
Chip Type : T55x7 [=] Chip type......... T55x7
Modulation : ASK [=] Modulation........ ASK
Bit Rate : 2 - RF/32 [=] Bit rate.......... 2 - RF/32
Inverted : No [=] Inverted.......... No
Offset : 32 [=] Offset............ 33
Seq. Term. : Yes [=] Seq. terminator... Yes
Block0 : 0x00088040 [=] Block0............ 00088040 (auto detect)
Downlink Mode : default/fixed bit length [=] Downlink mode..... default/fixed bit length
[=] Password set...... No
``` ```
Yes we can and we can see Block 0 is the correct config 00088040 Yes we can and we can see Block 0 is the correct config 00088040
@ -571,14 +580,16 @@ password set (if not, review and get you card back to this state).
1) Lets turn you T5577 into an EM4100 with ID 1122334455 1) Lets turn you T5577 into an EM4100 with ID 1122334455
``` ```
[usb] pm3 --> lf em 410x_write 1122334455 1 [usb] pm3 --> lf em 410x clone --id 1122334455
``` ```
result: result:
``` ```
[+] Writing T55x7 tag with UID 0x1122334455 (clock rate: 64) [+] Preparing to clone EM4102 to T55x7 tag with ID 0F0368568B (RF/64)
#db# Started writing T55x7 tag ... [#] Clock rate: 64
#db# Clock rate: 64 [#] Tag T55x7 written with 0xff83c03322a646e4
#db# Tag T55x7 written with 0xff8c65298c94a940
[+] Done
[?] Hint: try `lf em 410x reader` to verify
``` ```
2) Check this has work. 2) Check this has work.
@ -586,42 +597,38 @@ password set (if not, review and get you card back to this state).
[usb] pm3 --> lf search [usb] pm3 --> lf search
``` ```
result: result:
``` ```
[=] NOTE: some demods output possible binary [=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag [=] if it finds something that looks like a tag
[=] False Positives ARE possible [=] False Positives ARE possible
[=] [=]
[=] Checking for known tags... [=] Checking for known tags...
[=]
[+] EM410x pattern found [+] EM 410x ID 0F0368568B
[+] EM410x ( RF/64 )
EM TAG ID : 1122334455 [=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : F0C0166AD1
Possible de-scramble patterns [=] HoneyWell IdentKey
[+] DEZ 8 : 06837899
Unique TAG ID : 8844CC22AA [+] DEZ 10 : 0057169547
HoneyWell IdentKey { [+] DEZ 5.5 : 00872.22155
DEZ 8 : 03359829 [+] DEZ 3.5A : 015.22155
DEZ 10 : 0573785173 [+] DEZ 3.5B : 003.22155
DEZ 5.5 : 08755.17493 [+] DEZ 3.5C : 104.22155
DEZ 3.5A : 017.17493 [+] DEZ 14/IK2 : 00064481678987
DEZ 3.5B : 034.17493 [+] DEZ 15/IK3 : 001034014845649
DEZ 3.5C : 051.17493 [+] DEZ 20/ZK : 15001200010606101301
DEZ 14/IK2 : 00073588229205 [=]
DEZ 15/IK3 : 000585269781162 [+] Other : 22155_104_06837899
DEZ 20/ZK : 08080404121202021010 [+] Pattern Paxton : 259822731 [0xF7C948B]
} [+] Pattern 1 : 9750181 [0x94C6A5]
Other : 17493_051_03359829 [+] Pattern Sebury : 22155 104 6837899 [0x568B 0x68 0x68568B]
Pattern Paxton : 289899093 [0x11478255] [=] ------------------------------------------------
Pattern 1 : 5931804 [0x5A831C]
Pattern Sebury : 17493 51 3359829 [0x4455 0x33 0x334455] [+] Valid EM410x ID found!
[+] Valid EM410x ID found! [+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
[+] Chipset detection : T55xx found
[+] Try `lf t55xx` commands
``` ```
Looks good. Looks good.
@ -631,44 +638,43 @@ password set (if not, review and get you card back to this state).
``` ```
result: result:
``` ```
[usb] pm3 --> lf t55 detect [=] Chip type......... T55x7
Chip Type : T55x7 [=] Modulation........ ASK
Modulation : ASK [=] Bit rate.......... 5 - RF/64
Bit Rate : 5 - RF/64 [=] Inverted.......... No
Inverted : No [=] Offset............ 33
Offset : 32 [=] Seq. terminator... Yes
Seq. Term. : Yes [=] Block0............ 00148040 (auto detect)
Block0 : 0x00148040 [=] Downlink mode..... default/fixed bit length
Downlink Mode : default/fixed bit length [=] Password set...... No
``` ```
``` ```
[usb] pm3 --> lf t55xx info [usb] pm3 --> lf t55xx info
``` ```
result: result:
``` ```
-- T55x7 Configuration & Tag Information -------------------- [=] --- T55x7 Configuration & Information ---------
------------------------------------------------------------- [=] Safer key : 0
Safer key : 0 [=] reserved : 0
reserved : 0 [=] Data bit rate : 5 - RF/64
Data bit rate : 5 - RF/64 [=] eXtended mode : No
eXtended mode : No [=] Modulation : 8 - Manchester
Modulation : 8 - Manchester [=] PSK clock frequency : 0 - RF/2
PSK clock frequency : 0 - RF/2 [=] AOR - Answer on Request : No
AOR - Answer on Request : No [=] OTP - One Time Pad : No
OTP - One Time Pad : No [=] Max block : 2
Max block : 2 [=] Password mode : No
Password mode : No [=] Sequence Terminator : No
Sequence Terminator : No [=] Fast Write : No
Fast Write : No [=] Inverse data : No
Inverse data : No [=] POR-Delay : No
POR-Delay : No [=] -------------------------------------------------------------
------------------------------------------------------------- [=] Raw Data - Page 0, block 0
Raw Data - Page 0 [=] 00148040 - 00000000000101001000000001000000
Block 0 : 0x00148040 00000000000101001000000001000000 [=] --- Fingerprint ------------
[+] Config block match : EM unique, Paxton
Config block match : EM unique, Paxton
-------------------------------------------------------------
``` ```
We can see that the info gave us more information and confirmed what We can see that the info gave us more information and confirmed what
we decoded by hand. But remember, the detect is still needed so the we decoded by hand. But remember, the detect is still needed so the