| blob | 61d926b22957c9cacf22e172f7a6610f52627c27 |
1 # T5577 Introduction Guide
3 ### Based on RRG/Iceman Proxmark3 repo
5 ### Ver.1 8 Sep 2019
6 ### Ver.2 7 March 2021
8 | Contents |
9 | ----------------------------------------------------------------------------------- |
10 | [Part 1](#part-1) |
11 | [Introduction](#introduction) |
12 | [T5577 Overview](#t5577-overview) |
13 | [What data is on my T5577](#what-data-is-on-my-t5577) |
14 | [Read and Write Blocks of Data](#read-and-write-blocks-of-data) |
15 | [Exercise 1](#exercise-1) |
16 | [How do I use a password](#how-do-i-use-a-password) |
17 | |
18 | [Part 2 – Configuration Blocks](#part-2-configuration-blocks) |
19 | [The configuration Block – Block 0 Page 0](#the-configuration-block-block-0-page-0) |
20 | [Exercise 2](#exercise-2) |
21 | [The configuration Block – Block 3 Page 1](#the-configuration-block-block-3-page-1) |
23 # Part 1
25 ## Introduction
27 The T5577 is a generic LF (Low Frequency) RFID card that is used in the
28 125 Khz frequency space. It is a good card to use to learn about RFID and
29 learn how to use the proxmark3.
31 It is highly recommended that when learning about RFID that learning how
32 to read the data sheets be near the top of the list. It can be very hard
33 as the data sheet will hold the information you need, but you don’t yet
34 know what it means. As such, I will attempt to point to sections of the
35 data sheet and would highly advise that you look at the data sheet as
36 you go. Overtime the data sheet may change, as a result things may not
37 always be referenced correctly.
39 As at writing this guide, the data sheet can be found at :
41 <http://ww1.microchip.com/downloads/en/DeviceDoc/Atmel-9187-RFID-ATA5577C_Datasheet.pdf>
43 This guide is not a how do I clone document. It is meant to help people
44 learn how to use the T5577 and in the process learn about rfid and the
45 proxmark3.
47 Throughout this guide I will give examples. It is recommended that you
48 try these as we go. To do so, have a blank T5577 card that you can use
49 for this purpose.
51 ## T5577 Overview
53 The T5577 is a chip that can hold data and a configuration (Section
54 4.12).
56 In the diagram below, all white blocks can hold data. Some can be used
57 for a second purpose, such as the ‘password’ and ‘traceability data’.
58 The ‘Configuration Data’ and ‘Analog front end option setup’ will tell
59 the chip how to behave.
61 
65 ## What data is on my T5577
67 Let’s have a look and see what a card might look like in the proxmark3
68 software. Since we can change the configuration of how the T5577 will
69 output data, the proxmark3 software needs to work out how to interpret
70 the data it receives, we do this with the following command.
72 It should be noted that the T5577 has many clones. As such the default
73 setup of each card may be different. If the tractability data is
74 present, then this will vary based on the batch of cards.
76 Always run this command when you place a t5577 on the proxmark3. In all
77 examples shown, it will be assumed you have run the detect command.
78 ```
79 [usb] pm3 --> lf t55xx detect
80 ```
81 You should see a results similar to the following:
82 ```
83 [=] Chip type......... T55x7
84 [=] Modulation........ ASK
85 [=] Bit rate.......... 2 - RF/32
86 [=] Inverted.......... No
87 [=] Offset............ 33
88 [=] Seq. terminator... Yes
89 [=] Block0............ 000880E0 (auto detect)
90 [=] Downlink mode..... default/fixed bit length
91 [=] Password set...... No
93 ```
94 Now that the proxmark3 has detected a T55x7 chip, and found some
95 information about it, we should be able to see all the data on the chip.
96 ```
97 [usb] pm3 --> lf t55xx dump
98 ```
99 Your results should look similar to the following:
100 ```
101 [+] Reading Page 0:
102 [+] blk | hex data | binary | ascii
103 [+] ----+----------+----------------------------------+-------
104 [+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
105 [+] 01 | 00000000 | 00000000000000000000000000000000 | ....
106 [+] 02 | 00000000 | 00000000000000000000000000000000 | ....
107 [+] 03 | 00000000 | 00000000000000000000000000000000 | ....
108 [+] 04 | 00000000 | 00000000000000000000000000000000 | ....
109 [+] 05 | 00000000 | 00000000000000000000000000000000 | ....
110 [+] 06 | 00000000 | 00000000000000000000000000000000 | ....
111 [+] 07 | 00000000 | 00000000000000000000000000000000 | ....
112 [+] Reading Page 1:
113 [+] blk | hex data | binary | ascii
114 [+] ----+----------+----------------------------------+-------
115 [+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
116 [+] 01 | 00000000 | 00000000000000000000000000000000 | ....
117 [+] 02 | 00000000 | 00000000000000000000000000000000 | ....
118 [+] 03 | 00000000 | 00000000000000000000000000000000 | ....
119 ```
120 I will cover the meaning of this data as we go, but for now, lets keep
121 it simple.
123 ## Read and Write Blocks of Data
125 The basic function of using the proxmark3 with rfid cards is to read and
126 write data. This reading and writing must be done in the correct way
127 needed for the chip (and its configuration). Lucky for us, the
128 developers have done a great job and gave us commands. What we need to
129 know is that with the T5577, data is read/written one complete block at a
130 time. Each block holds 32 bits of data (hence the binary output shown)
132 Since we know that the card has data and configuration blocks, lets say
133 away from those while we learn how to read and write. I suggest you
134 follow along and perform each command and check the results as we go.
136 We can store our own data in blocks 1-7 (remember that block 7 will be
137 needed if we want to set a password).
139 (Don’t forget to run the detect command: lf t55xx detect, and ensure you
140 can see the card)
142 1) Check what is stored in block 1. The following command can be read
143 as, run a low frequency (lf) command for the T55xx chip (t55xx) and
144 read block (b) number 1.
145 ```
146 [usb] pm3 --> lf t55xx read -b 1
147 ```
148 result:
149 ```
150 [+] Reading Page 0:
151 [+] blk | hex data | binary | ascii
152 [+] ----+----------+----------------------------------+-------
153 [+] 01 | 00000000 | 00000000000000000000000000000000 | ....
154 ```
155 Note: Depending on the history of your card, your data may vary, but
156 should match the dump data.
158 2) Write some new data into block 1 on the card.
160 We use the -d option to supply the data ‘12345678’
161 ```
162 [usb] pm3 --> lf t55xx write -b 1 -d 12345678
163 ```
164 result:
165 ```
166 [=] Writing page 0 block: 01 data: 0x12345678
167 ```
168 3) Now, lets check if the data was written.
169 ```
170 [usb] pm3 --> lf t55xx read -b 1
171 ```
172 result:
173 ```
174 [+] Reading Page 0:
175 [+] blk | hex data | binary | ascii
176 [+] ----+----------+----------------------------------+-------
177 [+] 01 | 12345678 | 00010010001101000101011001111000 | .4Vx
178 ```
179 4) The data is written in Hexadecimal. A single hex digit holds 4 bits
180 of data. So to store 32 bits in a block, we need to supply 8 hex
181 digits (8 \* 4 = 32). If you are not familiar with hex and binary do a
182 little bit of home work to learn. The following is a quick start.
184 | Hex | Binary | Decimal |
185 |:---:|:------:|:-------:|
186 | 0 | 0000 | 0 |
187 | 1 | 0001 | 1 |
188 | 2 | 0010 | 2 |
189 | 3 | 0011 | 3 |
190 | 4 | 0100 | 4 |
191 | 5 | 0101 | 5 |
192 | 6 | 0110 | 6 |
193 | 7 | 0111 | 7 |
194 | 8 | 1000 | 8 |
195 | 9 | 1001 | 9 |
196 | A | 1010 | 10 |
197 | B | 1011 | 11 |
198 | C | 1100 | 12 |
199 | D | 1101 | 13 |
200 | E | 1110 | 14 |
201 | F | 1111 | 15 |
203 To use all the bits we supply the data in Hex format and it will
204 always be 8 hex digits.
206 Lets try and write 89ABCDEF
207 ```
208 [usb] pm3 --> lf t55xx write -b 1 -d 89abcdef
209 ```
210 result:
211 ```
212 [=] Writing page 0 block: 01 data: 0x89ABCDEF
213 ```
214 and check
215 ```
216 [usb] pm3 --> lf t55xx read -b 1
217 ```
218 result:
219 ```
220 [+] Reading Page 0:
221 [+] blk | hex data | binary | ascii
222 [+] ----+----------+----------------------------------+-------
223 [+] 01 | 89ABCDEF | 10001001101010111100110111101111 | ....
224 ```
226 ### Exercise 1
228 Using the read and write commands you have learnt see if you can make
229 the lf t55 dump command show the following data for blocks 1-7 (Page 0).
230 Do not write to block 0 or try and change the data on page 1.
231 ```
232 [usb] pm3 --> lf t55 dump
233 ```
234 result:
235 ```
236 [+] Reading Page 0:
237 [+] blk | hex data | binary | ascii
238 [+] ----+----------+----------------------------------+-------
239 [+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
240 [+] 01 | 89ABCDEF | 10001001101010111100110111101111 | ....
241 [+] 02 | 00000000 | 00000000000000000000000000000000 | ....
242 [+] 03 | 00000000 | 00000000000000000000000000000000 | ....
243 [+] 04 | 00000000 | 00000000000000000000000000000000 | ....
244 [+] 05 | 00000000 | 00000000000000000000000000000000 | ....
245 [+] 06 | 00000000 | 00000000000000000000000000000000 | ....
246 [+] 07 | 00000000 | 00000000000000000000000000000000 | ....
247 [+] Reading Page 1:
248 [+] blk | hex data | binary | ascii
249 [+] ----+----------+----------------------------------+-------
250 [+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
251 [+] 01 | 00000000 | 00000000000000000000000000000000 | ....
252 [+] 02 | 00000000 | 00000000000000000000000000000000 | ....
253 [+] 03 | 00000000 | 00000000000000000000000000000000 | ....
254 ```
256 Practice reading and writing to blocks 1 to 6 until you are happy you
257 can do it and get the results you wanted (i.e. the data you want stored
258 is written to the block you want it stored in). I recommend staying
259 away from block 7 as this is where the password is stored, if used.
260 If you forget this data/password, you wont be able to read or write
261 to the card.
263 ## How do I use a password
265 This can be a little tricky for beginners.
266 ***If you forget your password you will lose access to your card***.
268 To tell the T5577 to use a password, we have to change the data in the
269 configuration block (0). To help learn this and make it as simple as I
270 can, please read and follow exactly. If your results DON’T match 100% as
271 required, please do not proceed.
273 1) Lets start with a known card state and wipe the card. This will set
274 a default configuration to block 0 and set all the data in blocks
275 1-7 to a default.
276 ```
277 [usb] pm3 --> lf t55xx wipe
278 ```
279 Result:
280 ```
281 [=] Target T55x7 tag
282 [=] Default configuration block 000880E0
284 [=] Begin wiping...
285 [=] Writing page 0 block: 00 data: 0x000880E0
286 [=] Writing page 0 block: 01 data: 0x00000000
287 [=] Writing page 0 block: 02 data: 0x00000000
288 [=] Writing page 0 block: 03 data: 0x00000000
289 [=] Writing page 0 block: 04 data: 0x00000000
290 [=] Writing page 0 block: 05 data: 0x00000000
291 [=] Writing page 0 block: 06 data: 0x00000000
292 [=] Writing page 0 block: 07 data: 0x00000000
293 ```
295 2) Check that the card is in the desired state.
296 ```
297 [usb] pm3 --> lf t55xx detect
298 ```
299 result:
300 ```
301 [=] Chip type......... T55x7
302 [=] Modulation........ ASK
303 [=] Bit rate.......... 2 - RF/32
304 [=] Inverted.......... No
305 [=] Offset............ 33
306 [=] Seq. terminator... Yes
307 [=] Block0............ 000880E0 (auto detect)
308 [=] Downlink mode..... default/fixed bit length
309 [=] Password set...... No
310 ```
312 If block 0 does not hold the hex data **0x00088040 resolve this
313 first before proceeding.**
315 3) Set the password we want to use. For this example lets use the
316 password : ***12345678***
318 The password is saved in block 7 of page 0.
319 ```
320 [usb] pm3 --> lf t55xx write -b 7 -d 12345678
321 ```
322 result:
323 ```
324 [=] Writing page 0 block: 07 data: 0x12345678
325 ```
327 4) Lets verify both block 0 and block 7
328 ```
329 [usb] pm3 --> lf t55xx dump
330 ```
331 result:
332 ```
333 [+] Reading Page 0:
334 [+] blk | hex data | binary | ascii
335 [+] ----+----------+----------------------------------+-------
336 [+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
337 [+] 01 | 00000000 | 00000000000000000000000000000000 | ....
338 [+] 02 | 00000000 | 00000000000000000000000000000000 | ....
339 [+] 03 | 00000000 | 00000000000000000000000000000000 | ....
340 [+] 04 | 00000000 | 00000000000000000000000000000000 | ....
341 [+] 05 | 00000000 | 00000000000000000000000000000000 | ....
342 [+] 06 | 00000000 | 00000000000000000000000000000000 | ....
343 [+] 07 | 12345678 | 00010010001101000101011001111000 | .4Vx
344 [+] Reading Page 1:
345 [+] blk | hex data | binary | ascii
346 [+] ----+----------+----------------------------------+-------
347 [+] 00 | 000880E0 | 00000000000010001000000011100000 | ....
348 [+] 01 | 00000000 | 00000000000000000000000000000000 | ....
349 [+] 02 | 00000000 | 00000000000000000000000000000000 | ....
350 [+] 03 | 00000000 | 00000000000000000000000000000000 | ....
351 ```
352 ***Important : If block 0 and block 7 don’t match exactly, do not continue.***
354 5) Now we have a known configuration block and a known password of
355 12345678, we are ready to tell the card to use the password.
357 To do this the datasheet tells us we need to set the 28<sup>th</sup>
358 bit “PWD”. Check your datasheet and see the entire table (remember
359 the data sheet is your friend).
361 
363 We will cover other things in the configuration later. But the key
364 note here, is we ONLY want to change bit 28 and nothing else.
366 Current Block 0 : ***00088040***
367 New Block 0 : ***00088050***
369 To understand what happened to get from 00088040 to 00088050 we need
370 to look at the binary data.
372 While this can be confusing, it is important to understand this as we
373 do more advanced things.
375 Bit Location (28)
376 000000000011111111112222222 ***2*** 2233
377 123456789012345678901234567 ***8*** 9012
379 | Hex Data | Binary Data |
380 |:--------:|:---------------------------------------|
381 | 00088040 | 000000000000100010000000010***0***0000 |
382 | 00088050 | 000000000000100010000000010***1***0000 |
386 See how in the above we changed the bit in location 28 from a 0 to 1
387 0 = No Password, 1 = Use Password
389 Note how we did NOT change any other part of the configuration, only bit 28.
391 To re-cap.
392 We put the card into a known configuration Block 0 : 00088040
393 We set the a known password Block 7 : 12345678
394 We altered the config data to tell the T5577 to use the password.
395 New Block 0 : 00088050
397 If you have completed all steps and have the exact same results, we are
398 ready to apply the new configuration.
399 ```
400 [usb] pm3 --> lf t55xx write -b 0 -d 00088050
401 ```
402 result:
403 ```
404 [=] Writing page 0 block: 00 data: 0x00088050
405 ```
407 6) Lets check what happens when the password is set.
408 ```
409 [usb] pm3 --> lf t55 detect
410 ```
411 result:
412 ```
413 [!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
414 ```
415 Note how the lf t55 detect no longer seems to work\!
417 In this case, this is due to needing a password to read/write to the
418 card.
420 Lets try again, but this time supply the password. We use the option
421 -p followed by the password.
422 ```
423 [usb] pm3 --> lf t55 detect -p 12345678
424 ```
425 result:
426 ```
427 [=] Chip type......... T55x7
428 [=] Modulation........ ASK
429 [=] Bit rate.......... 2 - RF/32
430 [=] Inverted.......... No
431 [=] Offset............ 33
432 [=] Seq. terminator... Yes
433 [=] Block0............ 00088050 (auto detect)
434 [=] Downlink mode..... default/fixed bit length
435 [=] Password set...... Yes
436 [=] Password.......... 12345678
437 ```
439 7) Write a block of data with a password
440 ```
441 [usb] pm3 --> lf t55xx write -b 1 -d 1234abcd -p 12345678
442 ```
443 result:
444 ```
445 [=] Writing page 0 block: 01 data: 0x1234ABCD pwd: 0x12345678
446 ```
448 8) Read a block of data with a password
450 ***\*\*\*\* Important \*\*\*\****
452 ***Reading a T5577 block with a password when a password is not
453 enabled can result in locking the card. Please only use read with a
454 password when it is known that a password is in use.***
456 The proxmark3 has a safety check\!
457 ```
458 [usb] pm3 --> lf t55xx read -b 1 -p 12345678
459 ```
460 result:
461 ```
462 [+] Reading Page 0:
463 [+] blk | hex data | binary | ascii
464 [+] ----+----------+----------------------------------+-------
465 [!] Safety check: Could not detect if PWD bit is set in config block. Exits.
466 ```
468 Note that the proxmark3 did not read the block, the safety kicked in
469 and wants us to confirm by supply the override option ‘-o’.
471 Lets try again with the ‘-o’ option as we know the password is set.
472 ```
473 [usb] pm3 --> lf t55xx read -b 1 -p 12345678 -o
474 ```
475 result:
476 ```
477 [+] Reading Page 0:
478 [+] blk | hex data | binary | ascii
479 [+] ----+----------+----------------------------------+-------
480 [=] Safety check overridden - proceeding despite risk
481 [+] 01 | 1234ABCD | 00010010001101001010101111001101 | .4..
482 ```
483 This time, we can see the data we wrote to block 1 is found with the
484 read command.
486 9) Remove the need to supply the password.
488 To do this we need to clear Bit 28 (set to 0) in the config. We have
489 this from above.
491 Remember if we don’t know the config and write this config to the
492 card, it will overwrite all other settings. This can recover the
493 card, but will lose any settings you may want. So it’s a good idea
494 to read the config, and set bit 28 to 0, rather than just overwrite
495 the config and change the way the card works.
497 In our examples we know what it should be : 00088040
498 ```
499 [usb] pm3 --> lf t55xx write -b 0 -d 00088040 -p 12345678
500 ```
501 result:
502 ```
503 [=] Writing page 0 block: 00 data: 0x00088040 pwd: 0x12345678
504 ```
505 Now check if we can detect without a password
506 ```
507 [usb] pm3 --> lf t55 detect
508 ```
509 result:
510 ```
511 [=] Chip type......... T55x7
512 [=] Modulation........ ASK
513 [=] Bit rate.......... 2 - RF/32
514 [=] Inverted.......... No
515 [=] Offset............ 33
516 [=] Seq. terminator... Yes
517 [=] Block0............ 00088040 (auto detect)
518 [=] Downlink mode..... default/fixed bit length
519 [=] Password set...... No
520 ```
521 Yes we can! We can see Block 0 is the correct config 00088040
523 # Part 2 – Configuration Blocks
525 One of the things a lot of people have trouble with or miss, is that the
526 T5577 has two different and separate communications protocols, each with
527 their own sub-protocols.
529 - Card to Reader
530 - Reader to Card
532 In Card to Reader, the T5577 will encode its data using the settings
533 from Block 0 in Page 0. It will use this in both default read mode
534 (where is sends out the blocks from 1 to x on power up), as well as when
535 it responds to commands.
537 In the Reader To Card, the T5577 will encode the data using the settings
538 from Block 3 Page 1. If the command is not encoded correctly it will
539 ignore the command and revert back to default read mode.
541 ## The configuration Block – Block 0 Page 0
543 For this configuration the settings chosen will be for the purpose of
544 the card when used in production. E.G. If you want the card to act like
545 an EM4100, then we need to choose the settings that work like the
546 EM4100; same goes for others like HID. I am not going to cover these
547 here, rather use an example. Others have collected these and posted on the
548 forum or can be found by searching the web.
550 To get started lets look back at the data sheet.
552 
554 The non-password protect EM4100 could have a block 0 config of 00148040,
555 so what does it mean.
557 To decode this config, we need to look at it in binary
558 00000000000101001000000001000000. Note that it had 32 bits and the
559 config block 0 is 32 bits. Now we can break it down.
561 | Bits | Purpose | Value |
562 | ------- | ---------------------- | ----------- |
563 | 0000 | Master Key | Nothing Set |
564 | 0000000 | Not used in Basic Mode | |
565 | 101 | Data Bit Rate | RF/64 |
566 | 0 | Not used in Basic Mode | |
567 | 01000 | Modulation | Manchester |
568 | 00 | PSKCF | RF/2 |
569 | 0 | AOR | Not Set |
570 | 0 | Not used in Basic Mode | |
571 | 010 | Max Block | 2 |
572 | 0 | Password | Not Set |
573 | 0 | ST Sequence Terminator | Not Set |
574 | 00 | Not used in Basic Mode | |
575 | 0 | Init Delay | Not Set |
577 To get more detail on each item, read through the data sheet.
579 Lets see how the proxmark3 can help us learn. We will assume the T5577
580 is in the same state from Part 1, where we can write to the card with no
581 password set (if not, review and get you card back to this state).
583 1) Lets turn you T5577 into an EM4100 with ID 1122334455
584 ```
585 [usb] pm3 --> lf em 410x clone --id 1122334455
586 ```
587 result:
588 ```
589 [+] Preparing to clone EM4102 to T55x7 tag with ID 1122334455 (RF/64)
590 [#] Clock rate: 64
591 [#] Tag T55x7 written with 0xff8c65298c94a940
593 [+] Done
594 ```
596 2) Check this has work.
597 ```
598 [usb] pm3 --> lf search
599 ```
600 result:
601 ```
602 [=] NOTE: some demods output possible binary
603 [=] if it finds something that looks like a tag
604 [=] False Positives ARE possible
605 [=]
606 [=] Checking for known tags...
607 [=]
608 [+] EM 410x ID 0F0368568B
609 [+] EM410x ( RF/64 )
610 [=] -------- Possible de-scramble patterns ---------
611 [+] Unique TAG ID : F0C0166AD1
612 [=] HoneyWell IdentKey
613 [+] DEZ 8 : 06837899
614 [+] DEZ 10 : 0057169547
615 [+] DEZ 5.5 : 00872.22155
616 [+] DEZ 3.5A : 015.22155
617 [+] DEZ 3.5B : 003.22155
618 [+] DEZ 3.5C : 104.22155
619 [+] DEZ 14/IK2 : 00064481678987
620 [+] DEZ 15/IK3 : 001034014845649
621 [+] DEZ 20/ZK : 15001200010606101301
622 [=]
623 [+] Other : 22155_104_06837899
624 [+] Pattern Paxton : 259822731 [0xF7C948B]
625 [+] Pattern 1 : 9750181 [0x94C6A5]
626 [+] Pattern Sebury : 22155 104 6837899 [0x568B 0x68 0x68568B]
627 [=] ------------------------------------------------
629 [+] Valid EM410x ID found!
631 [+] Chipset detection: T55xx
632 [?] Hint: try `lf t55xx` commands
633 ```
634 Looks good.
636 3) Now lets see what the T5577 detect and info shows
637 ```
638 [usb] pm3 --> lf t55 detect
639 ```
640 result:
641 ```
642 [=] Chip type......... T55x7
643 [=] Modulation........ ASK
644 [=] Bit rate.......... 5 - RF/64
645 [=] Inverted.......... No
646 [=] Offset............ 33
647 [=] Seq. terminator... Yes
648 [=] Block0............ 00148040 (auto detect)
649 [=] Downlink mode..... default/fixed bit length
650 [=] Password set...... No
651 ```
652 ```
653 [usb] pm3 --> lf t55xx info
654 ```
655 result:
656 ```
658 [=] --- T55x7 Configuration & Information ---------
659 [=] Safer key : 0
660 [=] reserved : 0
661 [=] Data bit rate : 5 - RF/64
662 [=] eXtended mode : No
663 [=] Modulation : 8 - Manchester
664 [=] PSK clock frequency : 0 - RF/2
665 [=] AOR - Answer on Request : No
666 [=] OTP - One Time Pad : No
667 [=] Max block : 2
668 [=] Password mode : No
669 [=] Sequence Terminator : No
670 [=] Fast Write : No
671 [=] Inverse data : No
672 [=] POR-Delay : No
673 [=] -------------------------------------------------------------
674 [=] Raw Data - Page 0, block 0
675 [=] 00148040 - 00000000000101001000000001000000
676 [=] --- Fingerprint ------------
677 [+] Config block match : EM unique, Paxton
679 ```
680 We can see that the info gave us more information and confirmed what
681 we decoded by hand. But remember, the detect is still needed so the
682 proxmark3 software will know how to decode the info block.
684 We can see that for the EM4100 emulation we have two blocks of data
685 (Max Block = 2). On the T5577 these will be Blocks 1 and 2.
687 ## Exercise 2
689 Using the skills form part 1, see if you can view the data in blocks 1 and 2.
691 Note: the EM4100 ID of 1122334455 is encoded, so don’t expect to see
692 those bytes as such. To learn how to do that, you guessed it, find the
693 datasheet and review.
695 At this point we have an EM4100 card. If we wanted to password protect
696 it, we can follow the password section and update the config from
697 00148040 to 00148050.
699 ***Important : Don’t forget to set a valid password in block 7 and remember it.***
701 ## The configuration Block – Block 3 Page 1