Best way to get xEM into HID mode?

Alright, I figure this might help someone else trying to get an HID badge onto an xEM. I was thinking you needed to flash a bootloader or some other more advanced configuration to get it into HID mode. Really it's just clone and done…

  • After you get your Proxmark3 you will hit. The following site has just about everything you need to get going on Windows. To get going right away use the GUI client created by Gaucho.

  • Place your HID badge or token on the coil of the prox reader.

  • Open the GUI client and use the Search LF option (command is ‘lf search’). Write down the first part of the tag number before the ().

  • At this point we need to find the sweet spot on your implant. In the same Search menu position your hand and hit scan. If you got a good lock it should return as an EM tag (if you never cloned before). Leaving your hand in that same spot, follow the next step.

  • At this point we are ready to clone. Place the number you copied into the HID ID slot then hit Clone to Tag. I personally had to clone twice to get a good write. (Command ‘lf clone XXXXXXXXX’)

  • Check your tag using the LF search option again; it should return as an HID tag with your assigned tag number. If so, go try a door scanner or whatever you're using it for.

TAGS: xEM to HID ; Clone HID Badge ; ProxMarkIII ; ProxMark3 ; Proxmark


Great post! Thanks :slight_smile:


Greetings rejien: very cool and straight up :)

Thanks for the info! I wasn’t able to get the GUI to work but found out how to do it on the cmd line… Issue is I can’t seem to get a read on my implant. You got the Proxmark3 Easy, right? Can you let me know how you positioned your hand/implant?

Hey,
It just takes some time; it took me a good 3 tries to find the correct position. I believe they were working on a new cylinder scanner but I’m not sure where that is in development.

Thanks
Cody

I’ve followed this post and I’ve done everything right, but even after several attempts at cloning, it’ll still read as an EM410x. Any idea what I’m doing wrong?

EDIT: I am trying to clone an HID UID (10 hex characters), just like you were trying to do. I was using the HID Clone command and passing in the correct ID, but no luck.

Can I ask, what do you read from block 0? That is, try

lf t55xx detect

And let me know what the block 0 line says. It looks like my xEM has a password on it, and I’m wondering if yours might too. You can also just try

lf t55xx info

And read the PWD line.


Hey natemcd - one thing that could be a problem is your antenna. I did not have much luck with the proxmark before making a custom antenna to better couple with the xEM. Modifying the antenna from the xEM Access Kit was what I did. I’m working on what will be hopefully a pretty comprehensive post regarding this and the issues with Chinese cloners and passwords and hope to have it up in a few days.

With the original PM3 antenna you need PERFECT positioning for writes to work. You want your xEM to be lying across one edge of the coil with the edge of the coil right in the centre of the xEM. If you can do an lf t55 detect and get output you're halfway there. One command you can use to be sure that you are in the “sweet spot” is lf t55 info. If you can get output from that you should be in a position that allows decent coupling.


I was finally able to get an lf t55 detect response with a Block0 of 0x80060060. Where do I go from here? Should I wait until I get a response from that, and then try the clone command?

Hi Nate,

I was very much half asleep when writing that post, I’m sorry! Replace the lf t55xx info with lf t55xx trace.

  1. Try and get your implant exactly perpendicular with but over the top of the edge of the coil.

  2. Make sure that EVERY TIME you try and do an lf t55xx dump / read that you do the lf t55xx detect first.

  3. To make sure that you are getting a clean dump / read after doing the lf t55xx detect, issue an lf t55 trace. If you can read the traceability data you are in the right spot position-wise. If not, keep slightly re-positioning until you get a clean read, and then try the lf hid clone command copying a valid HID hex. The reasoning behind this is that it takes almost perfect coupling to read out the data from page 1 of the chip, which is where that data is stored.

The default Block 0 configuration for a t55 is 00088040.

FYI - if you can actually issue the command lf t55xx detect, or lf t55xx info, or lf t55xx trace and get some valid output - your chip is NOT LOCKED. If it were, it would not let you read raw block data. You most likely have some antenna / placement issues.

~TH


I have done some testing for you. See the below proxmark output. I started with a clean t55 chip, wiped it, checked to make sure I could read the blocks cleanly and then wrote the Block 0 data 00088040 like you described to see what would happen.

After that I could not detect or dump data from the chip - it looked dead. BUT at this point I just issued the lf t55 wipe command resetting the Block 0 settings to default.

proxmark3> lf t5 wipe

Beginning Wipe of a T55xx tag (assuming the tag is not password protected)

Writing page 0 block: 00 data: 0x00088040 pwd: 0x00000000
Writing page 0 block: 01 data: 0x00000000
Writing page 0 block: 02 data: 0x00000000
Writing page 0 block: 03 data: 0x00000000
Writing page 0 block: 04 data: 0x00000000
Writing page 0 block: 05 data: 0x00000000
Writing page 0 block: 06 data: 0x00000000
Writing page 0 block: 07 data: 0x00000000
proxmark3> lf t5 det
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 31
Seq. Term. : No
Block0 : 0x00088040

proxmark3> lf t5 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00088040 | 00000000000010001000000001000000
1 | FFFFFFFF | 11111111111111111111111111111111
2 | FFFFFFFF | 11111111111111111111111111111111
3 | FFFFFFFF | 11111111111111111111111111111111
4 | FFFFFFFF | 11111111111111111111111111111111
5 | FFFFFFFF | 11111111111111111111111111111111
6 | FFFFFFFF | 11111111111111111111111111111111
7 | FFFFFFFF | 11111111111111111111111111111111
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
0 | 00088040 | 00000000000010001000000001000000
1 | C02A1491 | 11000000001010100001010010010001
2 | 5AF04610 | 01011010111100000100011000010000
3 | FFFFFFFF | 11111111111111111111111111111111
proxmark3> lf t5 read b 0
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
0 | 00088040 | 00000000000010001000000001000000
proxmark3> lf t5 wr b 0 d 80060060
Writing page 0 block: 00 data: 0x80060060
proxmark3> lf t5 read b 0
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
proxmark3> lf t5 dump
Reading Page 0:
blk | hex data | binary
----+----------+---------------------------------
Reading Page 1:
blk | hex data | binary
----+----------+---------------------------------
proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
proxmark3> lf t5 wipe

Beginning Wipe of a T55xx tag (assuming the tag is not password protected)

Writing page 0 block: 00 data: 0x00088040 pwd: 0x00000000
Writing page 0 block: 01 data: 0x00000000
Writing page 0 block: 02 data: 0x00000000
Writing page 0 block: 03 data: 0x00000000
Writing page 0 block: 04 data: 0x00000000
Writing page 0 block: 05 data: 0x00000000
Writing page 0 block: 06 data: 0x00000000
Writing page 0 block: 07 data: 0x00000000
proxmark3> lf t5 det
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 31
Seq. Term. : No
Block0 : 0x00088040
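Added example (not from the thread or from the Proxmark3 project): a decoder for the T55x7 page 0 block 0 configuration word, the "Block0 : 0x..." line that lf t55xx detect and lf t55xx info print in the posts above. It uses the T5577 datasheet basic-mode field layout (the same one the old lf t55xx info output quoted above walks through) and is run over the block 0 values quoted in this thread, so you can see which of them carry the password bit and which one is the factory default 0x00088040.

```python
# Decoder for the T55x7 page-0 block-0 configuration word. Field widths
# (MSB first) follow the T5577 datasheet basic-mode layout and sum to 32 bits.
# This is an added example, not code from the thread or from Proxmark3.

BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "DIRECT (ASK/NRZ)", 1: "PSK1", 2: "PSK2", 3: "PSK3",
               4: "FSK1", 5: "FSK2", 6: "FSK1a", 7: "FSK2a",
               8: "Manchester", 16: "Biphase", 24: "Biphase a"}
FIELDS = [("safer_key", 4), ("reserved", 7), ("bit_rate", 3), ("extended", 1),
          ("modulation", 5), ("psk_cf", 2), ("aor", 1), ("otp", 1),
          ("max_block", 3), ("password", 1), ("sst", 1), ("fast_write", 1),
          ("inverse", 1), ("por_delay", 1)]
FACTORY_DEFAULT = 0x00088040  # default block 0 as quoted in the thread


def decode_block0(block0: int) -> dict:
    """Split a 32-bit block-0 word into its raw basic-mode field values."""
    if not 0 <= block0 <= 0xFFFFFFFF:
        raise ValueError("block 0 must be a 32-bit value")
    fields, shift = {}, 32
    for name, width in FIELDS:
        shift -= width
        fields[name] = (block0 >> shift) & ((1 << width) - 1)
    return fields


def describe_block0(block0: int) -> dict:
    """Readable summary with the two checks the thread cares about:
    is the password bit set, and is the word still the factory default."""
    f = decode_block0(block0)
    return {
        "block0": f"0x{block0:08X}",
        "bit_rate": f"{f['bit_rate']} - {BIT_RATES[f['bit_rate']]}",
        "modulation": MODULATIONS.get(f["modulation"],
                                      f"0x{f['modulation']:02X} (Unknown)"),
        "max_block": f["max_block"],
        # password bit set: plain reads/writes fail until the password is given
        "password_mode": bool(f["password"]),
        # extended bit set: the chip uses the X-mode layout, so the fields
        # above are only the basic-mode interpretation (hence "Warning")
        "extended_warning": bool(f["extended"]),
        "factory_default": block0 == FACTORY_DEFAULT,
    }


if __name__ == "__main__":
    # block-0 words quoted in this thread
    for word in (0x00088040, 0x80060060, 0xA01780BE, 0xD00BC05F):
        print(describe_block0(word))
```

A clean detect that returns 0x00088040 with password_mode False is the "not locked, fix the coupling" case from the post above; a word that decodes to an unknown modulation and a set extended bit (like 0xD00BC05F) is a sign the read itself was not clean.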

Hi there, I’m wondering if I could get some help with my xEM, I’ve become stuck. I can consistently get a response to the t55xx detect, that usually looks like this:

proxmark3> lf t55xx detect
Chip Type : T55x7
Modulation : BIPHASEa - (CDP)
Bit Rate : 5 - RF/64
Inverted : Yes
Offset : 59
Seq. Term. : No
Block0 : 0xA01780BE

But nothing changes if I try to clone (or write) to it. lf search always discovers it as an em410 card. If I run t55xx info, sometimes it tells me the modulation is wrong, other times it returns inconsistent nonsense (as far as I can figure…)

proxmark3> lf t55xx info

-- T55x7 Configuration & Tag Information --------------------

Safer key : 13
reserved : 0
Data bit rate : 2 - RF/6
eXtended mode : Yes - Warning
Modulation : 0x1C (Unknown)
PSK clock frequency : 0
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 2
Password mode : Yes
Sequence Start Terminator : Yes
Fast Write : Yes
Inverse data : Yes
POR-Delay : Yes

Raw Data - Page 0
Block 0 : 0xD00BC05F 11010000000010111100000001011111

proxmark3> lf t55xx info

-- T55x7 Configuration & Tag Information --------------------

Safer key : 8
reserved : 2
Data bit rate : 7 - RF/16
eXtended mode : Yes - Warning
Modulation : 0 - DIRECT (ASK/NRZ)
PSK clock frequency : 0
AOR - Answer on Request : Yes
OTP - One Time Pad : No
Max block : 7
Password mode : Yes
Sequence Start Terminator : Yes
Fast Write : No
Inverse data : No
POR-Delay : No

Raw Data - Page 0
Block 0 : 0x805E02F8 10000000010111100000001011111000

Is this an antenna issue, or is it bricked? Any help is welcome.

Did you use any other cloner before the proxmark3?

Nope. I don’t have experience with the proxmark3 before this, but I did read the horror stories with other cloners before starting. I honestly haven’t had time to work on it, I’ve been trying to write my dissertation. I can pull out the proxmark this weekend or next and try again.

Hi all - just wondering if this is still the best way to do this with the RDV4? :slight_smile:

Many thanks in advance <3

Yeah the RDV4 is still the top notch tool especially with the implant specific antenna.


I agree with @NiamhAstra. The best, yes, BUT not the only way… it really depends on how frequently you will use it.

This is what I would recommend
if it is just a “one off” for a work badge etc.

FREE DOLLAR-EST
I would ask around on this forum to see if there is anybody near you with a Proxmark to help you out.

MOST HIGHLY RECOMMENDED-EST
Buy a Proxmark3 Easy ~$35

BEST TOOL AND MOST EXPENSIVE-EST
Buy a Proxmark3 RDV4 $300 + DT LF Antenna $30

CHEAPEST AND EASIEST-EST
Buy a blue cloner (but this recommendation comes with a clause)
This should do the job, but in the future you may need a Proxmark to “fix” your write.
But really, for a little more $, grab a Proxmark3 Easy.
How to Blue cloner clone

How to fix Blue cloner clone with proxmark

Any more questions ask away
Otherwise let us know what you decide and how it goes


If you recall this post, I feel like “best” was the target here. But yeah for most people the easy is best value for money, good to provide that context.


yeah agreed, and “Best” is very subjective.

The thread title:-
Best way to get xEM into HID mode?

This thread is quite old, pre-RDV4, and not sure about the Easy.
My comments were more to update the thread for anybody trawling or searching at a later date. The RDV4 is not always the “best” option.

“get xEM into HID mode”
If that is all you wanted to do, a “one and done”, I would probably say a Blue Cloner (bought or borrowed) would be “best” for cheapest, easiest, fastest.
Literally a 5 sec job.
But the “Best” tool, I would say, either of the Proxmarks.
For @HDoS,

I would recommend
The Easy (with “homemade” LF antenna)
OR
RDV4 with DT LF Antenna.
However, the LF antennas only if they are planning on using their LF xSeries as a part of their cybersecurity research.

I actually thought @HDoS had already ordered the RDV4 :man_shrugging:


Thanks for your help guys :slight_smile:
