Research, development and trades concerning the powerful Proxmark3 device.
I have a Chinese card writer http://www.aliexpress.com/item/Handhold-Portable-125khz-RFID-H-ID-PROX-CARD-PROX-KEY-Card-Reader-Writer-Copier-Duplicate-Duplicator/32599892297.html
and when I copy a HID card using it, I can no longer clone the card using proxmark3. Reading the forums I discovered that the device may set a password on the card and then I'm unable to use proxmark to write to it.
proxmark3> lf search
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
HID Prox TAG ID: 2007fc00f7 (123) - Format Len: 26bit - FC: 254 - Card: 123
Valid HID Prox ID Found!
proxmark3> lf hid clone 1122334455
Cloning tag with ID 1122334455
#db# DONE!
proxmark3> lf search
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
HID Prox TAG ID: 2007fc00f7 (123) - Format Len: 26bit - FC: 254 - Card: 123
So my question is: is it possible to sniff the data written to the card using lf snoop?
If I type lf snoop nothing happens... what's the correct way of using it?
Offline
It's known that some cloners set the password on the t55xx card, locking it.
However, due to some users, there are two known passwords you can use to see if you can re-write your block0 on the t55xx card.
Search and you will find them here on the forum.
Offline
Found it, but they don't work... Sniffing is not possible then?
Offline
I tried:
lf t55xx wr b 0 d 0 p 51243648
lf t55xx wr b 0 d 0 p 000D8787
btw, I posted the wrong link to the card writer, the correct one is: http://www.aliexpress.com/item/Updated-Version-English-10-Frequency-ID-IC-RFID-Copier-Reader-Writer-Copy-125KHZ-Keyfbobs-HID-Cards/32654441916.html?spm=2114.13010608.0.72.Ymg7fn
Last edited by bruno84 (2016-07-26 11:30:59)
Offline
In case someone is interested...
I tried to manually enter the card number on the writer, and then I read it using proxmark, and here is the result:
proxmark3> lf hid fskdemod
#db# DownloadFPGA(len: 42096)
#db# TAG ID: 2007fc0002 (1) - Format Len: 26bit - FC: 254 - Card: 1
#db# TAG ID: 2007fc0004 (2) - Format Len: 26bit - FC: 254 - Card: 2
#db# TAG ID: 2007fc0064 (50) - Format Len: 26bit - FC: 254 - Card: 50
#db# TAG ID: 2007fc0379 (444) - Format Len: 26bit - FC: 254 - Card: 444
#db# TAG ID: 2007fc07cf (999) - Format Len: 26bit - FC: 254 - Card: 999
//here I entered 1234567890
#db# TAG ID: 2004721264 (2354) - Format Len: 26bit - FC: 57 - Card: 2354
#db# Stopped
Offline
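As an added example (not part of the original posts and not Proxmark3 code), the raw TAG IDs printed above can be decoded by hand to confirm the facility code and card number the client reports. It assumes the standard 26-bit layout (even parity, 8-bit facility code, 16-bit card number, odd parity) and that the raw ID carries a marker at bit 37 followed by a sentinel bit directly above the credential; the function name `decode_hid26` is hypothetical.

```python
# Added example: decode raw HID Prox IDs such as "2007fc00f7" from this thread.
# Assumption: standard 26-bit layout, marker at bit 37, sentinel above the data.

def decode_hid26(raw_hex):
    """Return facility code, card number and parity status for a 26-bit ID."""
    raw = int(raw_hex, 16)
    if not (raw >> 37) & 1:
        raise ValueError("marker bit 37 not set, not a short-format ID")
    # Below the marker, the highest set bit is the sentinel; its position
    # gives the format length (26 for every ID shown in this thread).
    body = raw & ((1 << 37) - 1)
    fmt_len = body.bit_length() - 1
    if fmt_len != 26:
        raise ValueError("format length is %d bits, not 26" % fmt_len)
    wiegand = body & ((1 << 26) - 1)      # drop the sentinel
    fc = (wiegand >> 17) & 0xFF           # bits 24..17
    card = (wiegand >> 1) & 0xFFFF        # bits 16..1
    # Bit 25 is even parity over the top 12 data bits,
    # bit 0 is odd parity over the bottom 12 data bits.
    upper = (wiegand >> 13) & 0x1FFF
    lower = wiegand & 0x1FFF
    parity_ok = (bin(upper).count("1") % 2 == 0
                 and bin(lower).count("1") % 2 == 1)
    return {"fc": fc, "card": card, "parity_ok": parity_ok}


if __name__ == "__main__":
    # Raw IDs copied from the output in this thread.
    for tag in ("2007fc00f7", "2007fc0002", "2007fc0379", "2004721264"):
        print(tag, decode_hid26(tag))
```

A read whose parity check fails is a misread or a false positive rather than a valid 26-bit credential.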
Snooping the password is possible, but it is not automatic. It will take a bit of manual work to demod the snooped wave. Dig into the lf snoop cmd. I helped someone use it in a post on here somewhere. Sorry, can't look for it atm.
Offline
No, don't do what you did there.
Never write all zeros to block0 (configuration); that could render your tag perma-locked.
However, do the snoop as @marshmellow mentioned, that's how we found the previous passwords for cloners.
Offline
@iceman, I believe he is referring to writing the tag from his cloner, not the pm3.
Offline
That looks like PM3 commands to me...
I tried:
lf t55xx wr b 0 d 0 p 51243648
lf t55xx wr b 0 d 0 p 000D8787
Offline
Yes, yes... I tried those commands on the tags that I copied using the handheld writer, but no success.
Thanks for the hint about writing 0s.
Offline
@op, since you have both a PM3 and the cloner, this will be a perfect time to practise LF. Go for the snoop while the cloner writes to a tag, save the trace, post it here (via a filesharing place, please) so we all can join in.
Offline
That's the problem, iceman...
lf snoop does nothing:
proxmark3> lf snoop
proxmark3>
What am I missing here to capture the trace?
btw I have 3 different cloners...
Offline
Three cloners, sweet, even more to play with your PM3 then.
You'll need to configure the LF first.
"lf configure h" will give you a good starting point.
Offline
That looks like PM3 commands to me...
I tried:
lf t55xx wr b 0 d 0 p 51243648
lf t55xx wr b 0 d 0 p 000D8787
Yep, sorry. Missed that.
Offline