An honest account of a painful lesson learned 😥

Just to set the scene, this post follows on from this 2019 post which details an unrecoverable xM1. I decided to start a new one here though because while my woes are essentially the same as the author, Zyonee, I feel that my decision to buy from a competitor was the cause in my case.

I bought an X3 Elite implant from I Am Robot.de. As such, I didn’t feel as though I could ask for help in the original discussion room which is for DT customers. Hence this new one in The Lounge.

Note that I had already bought and self-installed a NExT implant with great success and delight from KSEC Labs. Shortly after that I realised I would need something else if I were to clone my workplace access card. So I decided to look into the xM1. However this had (and still is at the time of writing) been out of stock. After a few months I became impatient and looked for alternative outlets. Eventually I came across I Am Robot which stocked what I felt was the same implant: backdoor commands, made by Fudan, 1k memory, Mifare emulator, gen 1a etc. In fact, it was cheaper (1st alarm bell?), arrived promptly, had more than enough accessories to provide for a sanitary installation – even including a quality mask. So I took the plunge and bought one.

The install was challenging, chiefly because I’m right handed and the implant was going in the right hand. And being a noob meant that a 3mm diameter needle still held a slight pucker factor for me! Still, all went well and I was happy. Due to some swelling and the poor range of my Proxmark3 easy I was unable to read or write to it (potential 2nd alarm bell), but my Android phone worked well as was the case when I first got my NExT.

Wanting to change sector 0 and clone things I ordered an ACR122U reader/writer. This took 1-2 weeks to arrive which didn’t really bother me. It gave my hand the time it needed for the swelling to subside. Finally the ACR122U arrived, yet having tried countless pieces of software I simply could not get it to change sector 0. It just wrote to all other sectors in exactly the same way you would expect a normal 1k Mifare card to act (3rd alarm bell). I literally tried everything! Thinking the problem was somehow me I trawled through the Dangerous Things Forum and the web in general trying to see what the problem could be. I even picked up a couple of viruses on my desperate journey to find appropriate software. I checked every possibility I could using the ACR122U, a PN532 chip reader, and my Android Phone.

In desperation I emailed I Am Robot but haven’t heard back from them yet (I contacted them last Friday and it’s Monday now, so I’m happy to give it a couple more days).

Whilst waiting for a response I began erasing the implant (NFC Tools App), formatting memory (NFC Tools App), using the Factory Format feature (Mifare Classic Tool App), cloning cards using the mfocGUI and Card Programmer software (tweaked by Amal). Nothing seemed to change sector 0.

With Proxmark still not picking up the tag, and having no residual swelling, the prospect of cutting the thing out of my hand was now definitely on the horizon. I performed a full scan using the TagInfo App and got this:

** TagInfo scan (version 4.25.5) 2022-08-21 15:51:17 **
Report Type: – IC INFO ------------------------------

IC manufacturer:

Unknown Manufacturer

IC type:

Unknown Mifare class IC, possibly cloned

– NDEF ------------------------------

No NDEF data storage populated:

– EXTRA ------------------------------

Memory size:

1 kB

  • 16 sectors, with 4 blocks per sector
  • 64 blocks, with 16 bytes per block

Block 0 analysis:

UID: 1C:FB:38:D9

  • NXP Semiconductors
    Check Byte: 0x06
    SAK: 0x08 (ERROR)
    ATQA: 0x0400
    Manufacturer data:
  • 03 2E BC BA 29 18 92 1D |…)…|

TagInfo Version:

Version :4.25.5

Device Info:

Device Model :samsung ( SM-G930F )
Android OS Version :8.0.0

– FULL SCAN ------------------------------

Technologies supported:

ISO/IEC 14443-3 (Type A) compatible

Android technology information:

Tag description:

  • TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareClassic, android.nfc.tech.NdefFormatable]
  • Maximum transceive length: 253 bytes
  • Default maximum transceive time-out: 618 ms

Detailed protocol information:

ID: 1C:FB:38:D9
ATQA: 0x0400
SAK: 0x08
ATS: 0xB20038D906080400032EBCBA2918921D

  • Max. accepted frame size: 16 bytes (FSCI: 0)
  • Supported receive rates:
    • 106 kbit/s
  • Supported send rates:
    • 106 kbit/s
  • SFGT: 302.0 us
  • FWT: 4.833 ms
  • NAD not supported
  • CID supported
  • Historical bytes: [none]

Memory content:

Sector 0 (0x00)
[00] r-- 1C FB 38 D9 06 08 04 00 03 2E BC BA 29 18 92 1D |…8…)…|
[01] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[02] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[03] wxx FF:FF:FF:FF:FF:FF FF:07:80 69 FF:FF:FF:FF:FF:FF
Factory default key Factory default key (readable)

Sector 1 (0x01)
[04] ??? – – – – – – – – – – – – – – – –
[05] ??? – – – – – – – – – – – – – – – –
[06] ??? – – – – – – – – – – – – – – – –
[07] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 2 (0x02)
[08] ??? – – – – – – – – – – – – – – – –
[09] ??? – – – – – – – – – – – – – – – –
[0A] ??? – – – – – – – – – – – – – – – –
[0B] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 3 (0x03)
[0C] ??? – – – – – – – – – – – – – – – –
[0D] ??? – – – – – – – – – – – – – – – –
[0E] ??? – – – – – – – – – – – – – – – –
[0F] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 4 (0x04)
[10] ??? – – – – – – – – – – – – – – – –
[11] ??? – – – – – – – – – – – – – – – –
[12] ??? – – – – – – – – – – – – – – – –
[13] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 5 (0x05)
[14] ??? – – – – – – – – – – – – – – – –
[15] ??? – – – – – – – – – – – – – – – –
[16] ??? – – – – – – – – – – – – – – – –
[17] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 6 (0x06)
[18] ??? – – – – – – – – – – – – – – – –
[19] ??? – – – – – – – – – – – – – – – –
[1A] ??? – – – – – – – – – – – – – – – –
[1B] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 7 (0x07)
[1C] ??? – – – – – – – – – – – – – – – –
[1D] ??? – – – – – – – – – – – – – – – –
[1E] ??? – – – – – – – – – – – – – – – –
[1F] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 8 (0x08)
[20] ??? – – – – – – – – – – – – – – – –
[21] ??? – – – – – – – – – – – – – – – –
[22] ??? – – – – – – – – – – – – – – – –
[23] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 9 (0x09)
[24] ??? – – – – – – – – – – – – – – – –
[25] ??? – – – – – – – – – – – – – – – –
[26] ??? – – – – – – – – – – – – – – – –
[27] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 10 (0x0A)
[28] ??? – – – – – – – – – – – – – – – –
[29] ??? – – – – – – – – – – – – – – – –
[2A] ??? – – – – – – – – – – – – – – – –
[2B] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 11 (0x0B)
[2C] ??? – – – – – – – – – – – – – – – –
[2D] ??? – – – – – – – – – – – – – – – –
[2E] ??? – – – – – – – – – – – – – – – –
[2F] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 12 (0x0C)
[30] ??? – – – – – – – – – – – – – – – –
[31] ??? – – – – – – – – – – – – – – – –
[32] ??? – – – – – – – – – – – – – – – –
[33] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 13 (0x0D)
[34] ??? – – – – – – – – – – – – – – – –
[35] ??? – – – – – – – – – – – – – – – –
[36] ??? – – – – – – – – – – – – – – – –
[37] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 14 (0x0E)
[38] ??? – – – – – – – – – – – – – – – –
[39] ??? – – – – – – – – – – – – – – – –
[3A] ??? – – – – – – – – – – – – – – – –
[3B] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

Sector 15 (0x0F)
[3C] ??? – – – – – – – – – – – – – – – –
[3D] ??? – – – – – – – – – – – – – – – –
[3E] ??? – – – – – – – – – – – – – – – –
[3F] ??? FF:FF:FF:FF:FF:FF --:–:-- – XX:XX:XX:XX:XX:XX
Factory default key (unknown key)

r/R=read, w/W=write, i/I=increment,
d=decr/transfer/restore, x=r+w, X=R+W
data block: r/w/i/d:key A|B, R/W/I:key B only,
I/i implies d, *=value block
trailer (order: key A, AC, key B): r/w:key A,
W:key B, R:key A|B, (r)=readable key
AC: W implies R+r, R implies r


I knew this wasn’t good. And worse was the fact that I wasn’t able to write, format or erase the implant anymore! Without the ability to use my Proxmark3 to even troubleshoot I knew I had to bite the bullet and cut the bloody thing out. So last night I did exactly that. And what a surreal experience that was!

With my tail firmly between my legs I placed the extracted tag on the Proxmark3 for a last ditch attempt to see if physical contact with the implant would make any difference. Nothing! No results from auto, analyse, or hf search :face_with_symbols_over_mouth:

I saw in Zyonee’s post that using the revive script might help so I ran it. This is the report:

[usb] pm3 → script run hf_mf_magicrevive.lua
[+] executing lua C:\ProxSpace-3.10\pm3\proxmark3\client\luascripts/hf_mf_magicrevive.lua
[+] args ‘’
hf 14a raw -k -a -b 7 40
hf 14a raw -k -a 43
hf 14a raw -c -k -a A000
hf 14a raw -c -k -a 01020304049802000000000000001001
hf 14a raw -c -a 5000
hf mf csetbl --blk 3 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number: 3 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 7 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number: 7 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 11 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:11 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 15 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:15 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 19 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:19 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 23 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:23 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 27 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:27 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 31 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:31 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 35 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:35 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 39 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:39 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 43 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:43 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 47 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:47 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 51 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:51 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 55 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:55 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 59 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:59 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1
hf mf csetbl --blk 63 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number:63 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] wupC1 error
[!!] Can’t write block. error=-1

[+] finished hf_mf_magicrevive.lua

This too looks like a bad day, and a good reason to have cut it out.

If anyone has any thoughts on what the hell happened then please fire away. I still have the implant on my desk (for how much longer I don’t know), but I’m happy to try any ideas you may have.

In the meantime, I will continue to try and liaise with I Am Robot and think about what I have done! :disappointed_relieved:

1 Like
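Added example, not part of any post in this thread: a short Python check that re-derives the "Block 0 analysis" fields from the raw sector 0 bytes in the TagInfo dump above (UID, check byte, SAK, ATQA) and decodes the access bytes `FF 07 80` of the sector trailer. The function names are made up for this example, the field labels follow TagInfo's report, and the two byte strings are copied from the dump.

```python
# Bytes copied from the TagInfo dump above: sector 0, block 0 and block 3.
BLOCK0 = bytes.fromhex("1C FB 38 D9 06 08 04 00 03 2E BC BA 29 18 92 1D")
TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF")


def parse_block0(block: bytes) -> dict:
    """Split a 4-byte-UID MIFARE Classic block 0 into the fields TagInfo lists."""
    if len(block) != 16:
        raise ValueError("block 0 must be exactly 16 bytes")
    uid, bcc = block[0:4], block[4]
    # The check byte (BCC) is the XOR of the four UID bytes.
    expected = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {
        "uid": uid.hex(":").upper(),
        "bcc": bcc,
        "bcc_ok": bcc == expected,
        "sak": block[5],
        "atqa": block[6:8].hex().upper(),  # byte order as stored in the block
        "manufacturer_data": block[8:].hex(" ").upper(),
    }


def decode_access_bits(trailer: bytes) -> list:
    """Return (C1, C2, C3) for blocks 0..3 of a sector from its trailer.

    Trailer bytes 6-8 hold each access bit twice, once plain and once
    inverted. A mismatch is a format violation, so the three bytes are
    worth validating before any trailer is written.
    """
    if len(trailer) != 16:
        raise ValueError("sector trailer must be exactly 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4      # plain nibbles
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F    # inverted nibbles
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the complement check")
    # Bit i of each nibble belongs to block i of the sector (block 3 = trailer).
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


if __name__ == "__main__":
    info = parse_block0(BLOCK0)
    print(f"UID {info['uid']}  BCC 0x{info['bcc']:02X} "
          f"({'valid' if info['bcc_ok'] else 'INVALID'})  "
          f"SAK 0x{info['sak']:02X}  ATQA 0x{info['atqa']}")
    for blk, bits in enumerate(decode_access_bits(TRAILER)):
        print(f"block {blk}: C1 C2 C3 = {bits}")
```

For the bytes in the dump the check byte is consistent with the UID, and the access bytes decode to `000` for the three data blocks and `001` for the trailer.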

You can try calling them up - that could work better than email communication.

0231 58695638

Google says they are open only one day a week - you will maybe get the response on Saturday.

my approach would be to see if the number is registered with any messenger like signal…

others from here have contacted them and their support was good as far as i remember

2 Likes

Doesn’t IAR use anti-migration coatings on many of their implants? I would like to know how hard it was to get that thing removed?

All I can think of is the fact that the magic M1 chips are gray market and there’s a chance that someone in China might send you the wrong thing. And I’m starting to wonder if IAR is placing too much trust in some Asian factory. In which case, there’s no point in buying from them.

I hope that you’ll be able to get those problems resolved and that the removal of that thing wasn’t too painful.

2 Likes

Thanks, mrln.

I think you’re right. I’m happy enough to wait till Saturday though I think I’d be a bit miffed if I got no response by then. Also, I get the impression there’s a physical shop that’s open one day a week.

In any case I guess we’ll see soon enough (I’ll update with any news).

Good lord that looks troublesome.

I have one xshine in my hand for quite some time now. While I had no problems with it, I was in contact with Sven via email and he was quite quick to respond.

I’m sure you’ll get a response - I used google translate to chat in German, it made it easier :slight_smile:

Hi Enginerd
When the implant arrived I very briefly pushed half of it out of the syringe before re-homing it to check for cracks. From what I could see there was no coating – at least nothing with colour.

Here is a photo of what it looks like now having been removed after 5 weeks. It has not been cleaned.

Removing it was somewhat troublesome. Rightly or wrongly I made the decision to try and move the implant to a more convenient spot – out from under blood vessels essentially. With a bit of forceful massaging I was able to literally ‘pop’ the capsule my body had formed around it and then migrate it toward the distal end (fingers end) of my hand. I was initially concerned I might have broken it but with careful feeling I could tell it was still intact.

I was only able to move the implant a max of ~2cm, but that proved to be enough to make the incision and go fishing for it. In total it took me about 1.5hrs to get it out. Definitely a sweat on the upper lip moment, that’s for sure. And not one for the faint of heart. It’s a very strange feeling to be cutting in and poking around under your skin. I think my determination to get the bloody thing out beat the pain factor. Though in truth, the pain wasn’t that bad. Sharp scalpel, good tweezers, caution and taking my time got the job done. The cut did gape quite a lot so I made sure to use the plaster to pull the two sides of the wound together. Note to anyone reading this bit for advice: only ever remove a plaster inline with the direction of the incision. So for example, in my case I will be removing the plaster from the long edge. Only time will tell if my aseptic technique is sufficient.


As you say; it’s definitely a grey market and I really don’t know what happened in my case, only that I’m not the only person to experience it.

You’re quite right.

I did email and get a response from Sven before I got the implant – he’s very helpful from my limited experience. I’m sure he’ll be able to find out what went wrong. I’ve sent photos of the packaging which may show the wrong item being sent(?).

Just my 2 cents here, but Fudan does not make a magic chip. They make mifare licenced chips with read only sector 0.

Also, when trying for a read on the proxmark, were you using the bottom of the bottom PCB or were you using the top of the middle PCB? Photo?

1 Like

According to their German website and google translate, they do make a magic implant. And it appears to be available in both a 2mm version and a 3mm.

Also, the amount of resin inside of the implant in @NTT’s picture makes me uneasy. That thing is kinda empty.

I mean the Chinese company Fudan. I’ve talked to them. They do not make a magic chip.

By chip I mean the silicon bit inside the implant… Fudan doesn’t make magic chips.

To be extra super clear here, Fudan is the Chinese equivalent of NXP. They are a chip fabricator. They don’t make magic chips.

1 Like

I used the HF PCB only. I figured that the LF coil might have drained some power via induction, so I temporarily removed it. Note that I have also put a single layer of packing tape over the HF coil traces to reduce the voltage drop I noticed when simply bridging the traces with my body. It’s the thinnest layer of insulation I could think of besides lacquering them which I didn’t want to do. All of my other 13.56MHz cards and fobs work perfectly well with it.

That’s annoying to discover. IAR made clear claims on that one :unamused:
There’s also a section on the Iceman software for Fudan chips that would mean time wasted if you were to try and play around with it.

Fudan makes many types of cards, including some with fun features… but a “magic mifare 1k knock-off of an NXP S50 Mifare Classic with writable sector 0” is not one of them.

Here is the F08 chip’s data sheet;

doc_fudan_F08_1k_20163410574018435.pdf (161.0 KB)

Page 13 under “security”;

In my opinion, IAR is either lying or simply unfamiliar with their own products. Magic chips are grey market products pumped out by chip fabs that are not the size and scale of legitimate players like Fudan :slight_smile:

Oh… also!

Don’t feel this way… we are all cyborgs here :slight_smile:

7 Likes

:hugs: Thank you, Amal.

1 Like

UPDATE

No response from Sven at IAR.
Two emails sent with details of issue and proof of order, plus pictures of packaging (labels etc). No response whatsoever.

I’m going to try and call him as mrln suggested :frowning_face:

EDIT!
Literally just got an email from Sven a couple of hours after first posting this update. He simply put that he’ll get back to me tomorrow and that he’s been really busy.

1 Like

progress is progress.
Keep us in the loop