Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2019-05-14 02:44:49

mcd1992
Contributor
Registered: 2019-05-13
Posts: 3

LF Cloner Changing T5577 Page 1 traceability data

There's an LF cloner out called the Keysy that uses its own proprietary tags, which just seem to be ATA5577M1 tags. But the cloner itself is able to detect the difference between some of the plain T5577s I have and the branded ones that they sell.

Digging into the cards, it looks like the cloner is using the T5577 test mode to change data in page1 blk1/2.
Here is a blank, genuine Keysy-branded T5577 tag that was erased by the cloner.

pm3 --> lf t55 det
Chip Type  : T55x7
Modulation : ASK
Bit Rate   : 2 - RF/32
Inverted   : No
Offset     : 32
Seq. Term. : Yes
Block0     : 0x00088000

pm3 --> lf t55 info

-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
 Safer key                 : 0
 reserved                  : 0
 Data bit rate             : 2 - RF/32
 eXtended mode             : No
 Modulation                : 8 - Manchester
 PSK clock frequency       : 0 - RF/2
 AOR - Answer on Request   : No
 OTP - One Time Pad        : No
 Max block                 : 0
 Password mode             : No
 Sequence Terminator       : No
 Fast Write                : No
 Inverse data              : No
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0
     Block 0  : 0x00088000  00000000000010001000000000000000
-------------------------------------------------------------
pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 00088000 | 00000000000010001000000000000000 | ....
 01 | 1D555955 | 00011101010101010101100101010101 | .UYU
 02 | 5569A9A5 | 01010101011010011010100110100101 | Ui..
 03 | 55A59569 | 01010101101001011001010101101001 | U..i
 04 | FFFFFFFF | 11111111111111111111111111111111 | ....
 05 | FFFFFFFF | 11111111111111111111111111111111 | ....
 06 | FFFFFFFF | 11111111111111111111111111111111 | ....
 07 | FFFFFFFF | 11111111111111111111111111111111 | ....
Reading Page 1:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 00088000 | 00000000000010001000000000000000 | ....
 01 | E0150A84 | 11100000000101010000101010000100 | ....
 02 | 57819A51 | 01010111100000011001101001010001 | W..Q
 03 | FFFFFFFF | 11111111111111111111111111111111 | ....
pm3 --> lf t55 trac
-- T55x7 Trace Information ----------------------------------
-------------------------------------------------------------
 ACL Allocation class (ISO/IEC 15963-1)  : 0xE0 (224)
 MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x15 (21) - ATMEL France
 CID                                     : 0x01 (1) - ATA5577M1
 ICR IC Revision                         : 2
 Manufactured
     Year/Quarter : 2018/1
     Lot ID       : 3585
     Wafer number : 10
     Die Number   : 2692
-------------------------------------------------------------
 Raw Data - Page 1
     Block 1  : 0xE0150A84  11100000000101010000101010000100
     Block 2  : 0xE0150A84  11100000000101010000101010000100
-------------------------------------------------------------

The blank tags show up with good traceability data. But if I clone a HIDProx with the Keysy and re-read the T5577 data:

pm3 --> lf t55 det
Chip Type  : T55x7
Modulation : FSK2a
Bit Rate   : 24 - RF/50
Inverted   : Yes
Offset     : 32
Seq. Term. : No
Block0     : 0x60625062

pm3 --> lf t55 info

-- T55x7 Configuration & Tag Information --------------------
-------------------------------------------------------------
 Safer key                 : 6 - passwd
 reserved                  : 0
 Data bit rate             : 24 - RF/50
 eXtended mode             : Yes - Warning
 Modulation                : 5 - FSK 2 RF/8  RF/10
 PSK clock frequency       : 0 - RF/2
 AOR - Answer on Request   : No
 OTP - One Time Pad        : No
 Max block                 : 3
 Password mode             : No
 Sequence Start Marker     : No
 Fast Write                : No
 Inverse data              : Yes
 POR-Delay                 : No
-------------------------------------------------------------
 Raw Data - Page 0
     Block 0  : 0x60625062  01100000011000100101000001100010
-------------------------------------------------------------
pm3 --> lf t55 dump
Reading Page 0:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 60625062 | 01100000011000100101000001100010 | `bPb
 01 | 1D555955 | 00011101010101010101100101010101 | .UYU
 02 | 5569A9A5 | 01010101011010011010100110100101 | Ui..
 03 | 55A59569 | 01010101101001011001010101101001 | U..i
 04 | 00000000 | 00000000000000000000000000000000 | ....
 05 | 00000000 | 00000000000000000000000000000000 | ....
 06 | FFFFFFFF | 11111111111111111111111111111111 | ....
 07 | FFFFFFFF | 11111111111111111111111111111111 | ....
Reading Page 1:
blk | hex data | binary                           | ascii
----+----------+----------------------------------+-------
 00 | 60625062 | 01100000011000100101000001100010 | `bPb
 01 | 700A8542 | 01110000000010101000010101000010 | p..B
 02 | 57819A51 | 01010111100000011001101001010001 | W..Q
 03 | 00000000 | 00000000000000000000000000000000 | ....

Now page1 block1 contains a different ACL instead of 0xE0, with a few other changes as well. I'm curious as to how the Keysy is changing page1 data, as from what I've read it can only be used to force-overwrite the config block. I've tried to get a trace of the erase/program operation, but the Keysy reads the card before it writes, so the proxmark triggers on the read first. I might need to add code for a timed delay to the threshold in `lf config` unless someone has a better idea.


#2 2019-05-14 04:20:56

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: LF Cloner Changing T5577 Page 1 traceability data

Interesting,

lf t55 trace should give you the output for trace info on page 1.


I met the guy who designed and produces Keysy; at that time he said he used a custom pwd algo to lock down the T5577.
You can also have a look at the write help text and read about lf t55 write t test-mode writes.


#3 2019-05-14 16:41:59

mcd1992
Contributor
Registered: 2019-05-13
Posts: 3

Re: LF Cloner Changing T5577 Page 1 traceability data

The t55 trace command works when the tag is blank, but when written with a tag the ACL isn't set to 0xE0, so it throws a "The modulation is most likely wrong since the ACL is not 0xE0." error. I guess I can throw a 'force' option into cmdlft55xx.c to try and unpack regardless of ACL value.

Another thing I've noticed is that when a tag is written, the option/master key (or 'safer key', as proxmark calls it) gets set to 0x06, which according to the ATA5577C doc should disable test mode writes. But somehow the Keysy is still able to write page1:block1 back to 700A8542.

Am I misunderstanding how the T5577 test mode works or should this not be possible? Is test mode just a magical 'always able to write' mode for T5577 cards? I tested test mode with a card and it fully bricked it (doesn't even trigger the RF field/threshold anymore) so I feel like I'm missing something.

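The traceability layout that the first post's `lf t55 trac` output and the ACL complaint in the post above both lean on can be checked offline. Here is an added example (not code from the thread or from the Proxmark3 client) that decodes page 1 blocks 1 and 2 into the fields `lf t55 trac` prints, reports the ACL == 0xE0 test as a flag instead of aborting, pulls the option/master key ('Safer key') out of block 0, and checks whether two readings of one block differ only by a small bit shift. The field widths (8, 8, 5, 3, 4, 2, 14, 5, 15 bits across the 64 bits of block1||block2, MSB first) and the 2010 + year convention are assumed from the ATA5577 datasheet field order as the pm3 client prints it; the sample values are copied from the dumps in the first post. Two things to know when comparing its output with the thread: the printed trace above lists raw Block 2 identical to Block 1 (0xE0150A84), while the dump shows page 1 block 2 as 0x57819A51, so the lot/wafer/die numbers this decoder produces differ from the printed 3585/10/2692; and 0x700A8542 is exactly 0xE0150A84 shifted right by one bit, which is worth ruling out as a one-bit demodulation offset on that single block read before treating it as rewritten data (block 2 reads identically in both dumps).

```python
# Added example (not code from the thread or from the Proxmark3 client):
# decode ATA5577 / T5577 page-1 traceability data and the block-0 master key.
#
# Assumption: field order and widths follow the ATA5577 datasheet as printed by
# `lf t55 trac`: ACL(8) MFC(8) CID(5) ICR(3) YEAR(4) QUARTER(2) LOTID(14)
# WAFER(5) DW(15) across the 64 bits of block1||block2, MSB first.

# Sample values copied from the dumps in the first post (constructed test data
# for this example): page 1 blocks 1/2 of the blank Keysy-branded tag, block 1
# of the same tag after the Keysy cloned a HID Prox onto it, and the two
# configuration blocks (page 0 block 0) before and after.
BLANK_BLOCK1 = 0xE0150A84
BLANK_BLOCK2 = 0x57819A51
CLONED_BLOCK1 = 0x700A8542
BLANK_BLOCK0 = 0x00088000
CLONED_BLOCK0 = 0x60625062

EXPECTED_ACL = 0xE0   # ISO/IEC 15963-1 allocation class shown in the trace output
EXPECTED_MFC = 0x15   # ISO/IEC 7816-6 manufacturer id, ATMEL France
CID_NAMES = {0x01: "ATA5577M1"}    # only the CID that appears on this page
SAFER_KEY_NAMES = {0x6: "passwd"}  # pm3's label for master key 6 (from `lf t55 info`)

TRACE_FIELDS = (
    ("acl", 8), ("mfc", 8), ("cid", 5), ("icr", 3),
    ("year", 4), ("quarter", 2), ("lotid", 14), ("wafer", 5), ("dw", 15),
)


def unpack_bits(value, total_bits, fields):
    """Split an MSB-first integer of `total_bits` bits into named fields."""
    out, pos = {}, 0
    for name, width in fields:
        shift = total_bits - pos - width
        out[name] = (value >> shift) & ((1 << width) - 1)
        pos += width
    if pos != total_bits:
        raise ValueError("field widths do not cover %d bits" % total_bits)
    return out


def decode_t5577_trace(block1, block2):
    """Decode page 1 block 1 and block 2 into the fields `lf t55 trac` prints.

    Instead of aborting when the ACL is not 0xE0 (the pm3 behaviour described
    in the thread), the result carries acl_ok / mfc_ok flags so the caller can
    still see what the bits decode to.
    """
    raw = ((block1 & 0xFFFFFFFF) << 32) | (block2 & 0xFFFFFFFF)
    t = unpack_bits(raw, 64, TRACE_FIELDS)
    t["year"] = 2010 + t["year"]          # 4-bit year field, as pm3 printed it in 2019
    t["cid_name"] = CID_NAMES.get(t["cid"], "unknown")
    t["acl_ok"] = t["acl"] == EXPECTED_ACL
    t["mfc_ok"] = t["mfc"] == EXPECTED_MFC
    return t


def safer_key(block0):
    """Top four bits of the configuration block: the option/master key
    ('Safer key' in pm3 output). 6 is the value seen after cloning."""
    key = (block0 >> 28) & 0xF
    return key, SAFER_KEY_NAMES.get(key, "")


def find_bit_shift(candidate, reference, max_shift=3):
    """Return s if candidate == reference >> s (negative s for a left shift)
    for a small s, else None. Two reads of one block that differ only by a
    one-bit shift point at demodulation alignment, not at rewritten data."""
    for s in range(1, max_shift + 1):
        if (reference >> s) & 0xFFFFFFFF == candidate:
            return s
        if (reference << s) & 0xFFFFFFFF == candidate:
            return -s
    return None


def format_trace(t):
    """Render a decoded trace roughly the way the pm3 client does."""
    lines = [
        "ACL : 0x%02X%s" % (t["acl"], "" if t["acl_ok"] else "  (expected 0xE0)"),
        "MFC : 0x%02X%s" % (t["mfc"], "" if t["mfc_ok"] else "  (expected 0x15)"),
        "CID : 0x%02X - %s" % (t["cid"], t["cid_name"]),
        "ICR : %d" % t["icr"],
        "Year/Quarter : %d/%d" % (t["year"], t["quarter"]),
        "Lot ID : %d  Wafer : %d  Die : %d" % (t["lotid"], t["wafer"], t["dw"]),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_trace(decode_t5577_trace(BLANK_BLOCK1, BLANK_BLOCK2)))
    print(format_trace(decode_t5577_trace(CLONED_BLOCK1, BLANK_BLOCK2)))
    print("safer key before/after:", safer_key(BLANK_BLOCK0), safer_key(CLONED_BLOCK0))
    print("block1 shift between dumps:", find_bit_shift(CLONED_BLOCK1, BLANK_BLOCK1))
```

Running it on the blank tag's blocks reproduces the ACL, MFC, CID, ICR and 2018/1 from the printed trace; feeding it the post-clone block 1 shows ACL 0x70 with acl_ok false rather than an error, and find_bit_shift reports the one-bit relation between the two block-1 values.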

#4 2019-05-14 16:58:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: LF Cloner Changing T5577 Page 1 traceability data

Search this forum for test mode; marshmellow did some findings. It wipes the tag and fills it with a rotating default pattern.


#5 2021-04-04 23:02:34

zeppi
Contributor
Registered: 2021-03-07
Posts: 36

Re: LF Cloner Changing T5577 Page 1 traceability data

Any summary or outcome of this research?
Did you try to groom a regular T5577 card into one that would be accepted by Keysy?

I think it is outrageous that TinyLabs artificially limits Keysy's use to some cheap cards that have been re-configured, to be able to sell them for a steep price.

There would be interest in how to re-configure regular T5577 cards so they can be used with Keysy (yes, you could do it with PM, but Keysy is light, small and easy to use on the go).


#6 2021-04-05 09:20:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: LF Cloner Changing T5577 Page 1 traceability data

The business model... somewhere they want to make money back. It's like printer cartridges.


#7 2021-04-05 12:27:15

zeppi
Contributor
Registered: 2021-03-07
Posts: 36

Re: LF Cloner Changing T5577 Page 1 traceability data

They have been selling Keysy for how long? 10 years? At some point they certainly broke even; I do not see any problem in trying to use other tags with Keysy. That could not even be illegal.

Was anyone successful in that? Or even has a lua script for that?
