Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-09-28 23:14:02

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Indala car wash

Hello my friends
I have a card for a car wash. Proxmark tells me it's Indala, but I've also tried other t55xx commands.
Do you have any ideas to give me?


Prox/RFID mark3 RFID instrument         
bootrom: master/v3.0.1-422-gb8a9231-suspect 2018-09-24 14:33:05
os: master/v3.0.1-422-gb8a9231-suspect 2018-09-24 14:33:08
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/09/12 at 15:18:46
SmartCard Slot: not available
         
uC: AT91SAM7S256 Rev C         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes. Used: 193327 bytes (74%). Free: 68817 bytes (26%).         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory         
proxmark3> lf t55xx config
Chip Type  : T55x7         
Modulation : ASK         
Bit Rate   : 0 - RF/8         
Inverted   : No         
Offset     : 0         
Seq. Term. : No         
Block0     : 0x00000000         
         
proxmark3> lf t55xx detect
Chip Type  : T55x7         
Modulation : ASK         
Bit Rate   : 5 - RF/64         
Inverted   : No         
Offset     : 32         
Seq. Term. : No         
Block0     : 0x00148010         
         
proxmark3> lf t55xx info
         
-- T55x7 Configuration & Tag Information --------------------         
-------------------------------------------------------------         
Safer key                 : 0         
reserved                  : 0         
Data bit rate             : 5 - RF/64         
eXtended mode             : No         
Modulation                : 8 - Manchester         
PSK clock frequency       : 0         
AOR - Answer on Request   : No         
OTP - One Time Pad        : No         
Max block                 : 0         
Password mode             : Yes         
Sequence Start Terminator : No         
Fast Write                : No         
Inverse data              : No         
POR-Delay                 : No         
-------------------------------------------------------------         
Raw Data - Page 0         
     Block 0  : 0x00148010  00000000000101001000000000010000         
-------------------------------------------------------------   


proxmark3> lf t55xx special

Offline

#2 2018-09-28 23:16:24

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

proxmark3> lf t55xx read
Reading Page 0:         
blk | hex data | binary         
----+----------+---------------------------------         
  255 | 00148010 | 00000000000101001000000000010000

Offline

#3 2018-09-28 23:19:20

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

proxmark3> lf t55xx dump
Reading Page 0:         
blk | hex data | binary         
----+----------+---------------------------------         
  0 | 00148010 | 00000000000101001000000000010000         
  1 | 00148010 | 00000000000101001000000000010000         
  2 | 00148010 | 00000000000101001000000000010000         
  3 | 00148010 | 00000000000101001000000000010000         
  4 | 00148010 | 00000000000101001000000000010000         
  5 | 00148010 | 00000000000101001000000000010000         
  6 | 00148010 | 00000000000101001000000000010000         
  7 | 00148010 | 00000000000101001000000000010000         
Reading Page 1:         
blk | hex data | binary         
----+----------+---------------------------------         
  0 | 2537887C | 00100101001101111000100001111100         
  1 | 2537887C | 00100101001101111000100001111100         
  2 | 2537887C | 00100101001101111000100001111100         
  3 | 2537887C | 00100101001101111000100001111100

Offline

#4 2018-09-28 23:21:03

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

proxmark3> lf search u
NOTE: some demods output possible binary
  if it finds something that looks like a tag         
False Positives ARE possible
         

Checking for known tags:
         

No Known Tags Found!
         

Checking for Unknown tags:
         
Possible Auto Correlation of 2048 repeating samples         

Using Clock:64, Invert:0, Bits Found:466         
ASK/Manchester - Clock: 64 - Decoded bitstream:         
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
1001000000000010
0000000000000010
10         

Unknown ASK Modulated and Manchester encoded Tag Found!         

if it does not look right it could instead be ASK/Biphase - try 'data rawdemod ab'         

Valid T55xx Chip Found
Try lf t55xx ... commands

Offline

#5 2018-10-11 22:13:48

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

pm3 --> lf t55xx trace         
-- T55x7 Trace Information ----------------------------------         
-------------------------------------------------------------         
ACL Allocation class (ISO/IEC 15963-1)  : 0xE0 (224)         
MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x15 (21) - ATMEL France         
CID                                     : 0x01 (1) - ATA5577M1         
ICR IC Revision                         : 2         
Manufactured         
     Year/Quarter : 2017/1         
     Lot ID       : 595         
     Wafer number : 15         
     Die Number   : 2165         
-------------------------------------------------------------         
Raw Data - Page 1         
     Block 1  : 0xE0150A74  11100000000101010000101001110100         
     Block 2  : 0x25378875  00100101001101111000100001110101         
-------------------------------------------------------------

Offline

#6 2018-10-13 00:42:19

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Indala car wash

> Hello my friends
> I have a card for a car wash. Proxmark tells me it's Indala, but I've also tried other t55xx commands.
> Do you have any ideas to give me?

You have not expressed what you'd like to do or know...  this is why no one has offered any help.

Offline

#7 2018-10-13 06:32:02

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

OK, thanks Marshmellow. I cannot figure out where the credit is written and why the blocks are all the same.

Offline

#8 2018-10-13 10:17:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Indala car wash

....  lf t55 dump  ...  and share it...

Offline

#9 2018-10-13 19:16:40

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

pm3 --> lf t55 dump         
Reading Page 0:         
blk | hex data | binary                           | ascii         
----+----------+----------------------------------+-------         
00 | 00148010 | 00000000000101001000000000010000 | ....         
01 | 00148010 | 00000000000101001000000000010000 | ....         
02 | 00148010 | 00000000000101001000000000010000 | ....         
03 | 00148010 | 00000000000101001000000000010000 | ....         
04 | 00148010 | 00000000000101001000000000010000 | ....         
05 | 00148010 | 00000000000101001000000000010000 | ....         
06 | 00148010 | 00000000000101001000000000010000 | ....         
07 | 00148010 | 00000000000101001000000000010000 | ....         
Reading Page 1:         
blk | hex data | binary                           | ascii         
----+----------+----------------------------------+-------         
00 | 2537887C | 00100101001101111000100001111100 | %7.|         
01 | 2537887C | 00100101001101111000100001111100 | %7.|         
02 | 2537887C | 00100101001101111000100001111100 | %7.|         
03 | 2537887C | 00100101001101111000100001111100 | %7.|

Offline

#10 2018-10-14 08:03:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Indala car wash

That looks like someone wrote the config block over the whole card... Your dump data just looks wrong.

Offline

#11 2019-02-20 18:17:57

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

proxmark3> lf t55xx dump
Reading Page 0:         
blk | hex data | binary         
----+----------+---------------------------------         
  0 | 00148010 | 00000000000101001000000000010000         
  1 | 00148010 | 00000000000101001000000000010000         
  2 | 00148010 | 00000000000101001000000000010000         
  3 | 00148010 | 00000000000101001000000000010000         
  4 | 00148010 | 00000000000101001000000000010000         
  5 | 00148010 | 00000000000101001000000000010000         
  6 | 00148010 | 00000000000101001000000000010000         
  7 | 00148010 | 00000000000101001000000000010000         
Reading Page 1:         
blk | hex data | binary         
----+----------+---------------------------------         
  0 | 2536840F | 00100101001101101000010000001111         
  1 | 2536840F | 00100101001101101000010000001111         
  2 | 2536840F | 00100101001101101000010000001111         
  3 | 2536840F | 00100101001101101000010000001111         
proxmark3> lf t55xx trace
-- T55x7 Trace Information ----------------------------------         
-------------------------------------------------------------         
ACL Allocation class (ISO/IEC 15963-1)  : 0xE0 (224)         
MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x15 (21) - ATMEL France         
CID                                     : 0x01 (1) - ATA5577M1         
ICR IC Revision                         : 2         
Manufactured         
     Year/Quarter : 2017/1         
     Lot ID       : 595         
     Wafer number : 13         
     Die Number   : 1039         
-------------------------------------------------------------         
Raw Data - Page 1         
     Block 1  : 0xE0150A74  11100000000101010000101001110100         
     Block 2  : 0x2536840F  00100101001101101000010000001111         
-------------------------------------------------------------

Offline

#12 2019-02-20 18:19:04

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

This is another card. Any ideas?

Offline

#13 2019-02-20 19:00:30

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Indala car wash

Same thing, the config block is all over the dump.

Offline

#14 2019-02-20 22:22:04

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

What could be the reason?

Offline

#15 2019-02-20 22:44:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,495
Website

Re: Indala car wash

I have no idea, but maybe a badly programmed tag?

Offline

#16 2019-02-20 23:53:14

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Indala car wash

That is how a password-protected t55xx tag responds. Page 0 block 1 is displayed for all page 0 blocks on page 0 read block cmds, and page 1 block 1 is displayed for all page 1 read block cmds.

It just happens that your block 1 data looks like block 0 (config) data.

Offline
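
Added example (not part of any post in this thread, and not Proxmark3 client code): a small Python script that splits a 32-bit word into the T55x7 configuration fields that `lf t55xx info` printed above, and flags dump pages in which every block read back identically, the symptom described in the post above. The function names are made up for this example, and the sample is a shortened copy of the dump posted earlier; as that post notes, the word decoded here may be block 1 data that only looks like a config word.

```python
import re

# T55x7 configuration word, most significant bit first: (field, width in bits).
# Names follow the `lf t55xx info` rows in this thread; bit rates are basic mode.
FIELDS = [("safer_key", 4), ("reserved", 7), ("bit_rate", 3), ("extended", 1),
          ("modulation", 5), ("psk_cf", 2), ("aor", 1), ("otp", 1),
          ("max_block", 3), ("password_mode", 1), ("seq_start_term", 1),
          ("fast_write", 1), ("inverse_data", 1), ("por_delay", 1)]
BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {0: "Direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1", 5: "FSK2",
               6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase"}


def decode_config(word):
    """Split a 32-bit word into the T55x7 configuration fields."""
    fields, shift = {}, 32
    for name, width in FIELDS:
        shift -= width
        fields[name] = (word >> shift) & ((1 << width) - 1)
    fields["bit_rate_name"] = BIT_RATES[fields["bit_rate"]]
    fields["modulation_name"] = MODULATIONS.get(fields["modulation"], "unknown")
    return fields


def parse_dump(text):
    """Return {page: [word, ...]} from `lf t55xx dump` style output."""
    pages, page = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Reading Page (\d+):", line)
        if header:
            page = int(header.group(1))
            pages[page] = []
            continue
        row = re.match(r"\s*\d+\s*\|\s*([0-9A-Fa-f]{8})\s*\|", line)
        if row and page is not None:
            pages[page].append(int(row.group(1), 16))
    return pages


def uniform_pages(pages):
    """Pages in which every block read back the same word, i.e. the tag kept
    sending the same data instead of answering each block read."""
    return sorted(p for p, words in pages.items()
                  if len(words) > 1 and len(set(words)) == 1)


# Shortened excerpt of the dump posted in this thread.
SAMPLE = """Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
  0 | 00148010 | 00000000000101001000000000010000
  1 | 00148010 | 00000000000101001000000000010000
  2 | 00148010 | 00000000000101001000000000010000
Reading Page 1:
  0 | 2537887C | 00100101001101111000100001111100
  1 | 2537887C | 00100101001101111000100001111100
"""

if __name__ == "__main__":
    pages = parse_dump(SAMPLE)
    print("uniform pages:", uniform_pages(pages))
    for name, value in decode_config(pages[0][0]).items():
        print(f"{name:16}: {value}")
```
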

#17 2019-02-21 18:37:31

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

How can I find out the password? If I try to do a bruteforce, I always get the first password in the list, but then it does not turn out to be the valid one.
proxmark3> lf t55xx bruteforce aaaaaaaa bbbbbbbb
Search password range [AAAAAAAA -> BBBBBBBB]         
.Chip Type  : T55x7         
Modulation : ASK         
Bit Rate   : 5 - RF/64         
Inverted   : No         
Offset     : 32         
Seq. Term. : No         
Block0     : 0x00148010         
         
         
Found valid password: [aaaaaaaa] 
-----------------------------------------------------------------------------
proxmark3> lf t55xx bruteforce i default_pwd.dic
Loaded 73 keys         
Testing 51243648         
Chip Type  : T55x7         
Modulation : ASK         
Bit Rate   : 5 - RF/64         
Inverted   : No         
Offset     : 32         
Seq. Term. : No         
Block0     : 0x00148010         
         
Found valid password: [51243648]

Offline

#18 2019-02-22 01:14:29

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Indala car wash

Lol, yeah, it would do that (output a false positive) as currently coded for your tag...

The best way to get the password is to snoop a genuine reader reading that card.

Offline

#19 2019-02-28 14:13:12

tristanik
Contributor
Registered: 2014-11-25
Posts: 96

Re: Indala car wash

What is the exact procedure for doing the snoop? I cannot understand it.

Offline

#20 2019-03-08 20:22:28

merlok
Contributor
Registered: 2011-05-16
Posts: 132

Re: Indala car wash

The t5577 just sends code from its memory when it is powered by the field, and when it doesn't see a command it just sends that code. So if we see an unchanging wave after several lf t55 read b X, it looks like the t5577 has a password or some other type of reader-chip communication (it has 4 types).

Offline
