Brand new xEM, no trace of t5577

non-bin · April 5, 2022, 8:23am

I got a Titan and a flexEM today, and my friend got an xEM. I’m programming both chips with the friends apartment key, and my flex worked perfectly, but his X series is proving difficult.

With my proxmark 3 easy lf search it shows up as an EM410X with no chipset and reads really well, but I just can’t find any trace of a t5577 in it.
I’ve tried:

lf t5 detect
lf t5 p1detect
lf t5 write -b 0 -d 00107071 -t (with a few different passwords as well)
lf t5 wipe
lf em 41 clone --id 0F0368568B

all with no luck. And this time it’s not even my fault, I know better what I’m doing compared to when I broke my NEXT, and didn’t write garbage directly to the config block.
If I didn’t know better I’d think you’d sent me a bog standard EM410X

non-bin · April 5, 2022, 8:57am

I wrote it on my phone so it was formatted poorly, sorry, I updated it

Eriequiet · April 5, 2022, 9:33am

Brand new chips are harder to read and write to; so there’s that

Are you getting good scans? It can take a while to find the perfect sweet spot, and again… new implant… swelling etc

And one of the first things that gets wonky on iffy coupling I believe is chip detection…

That’s usually how I know I’m close but not in a good enough spot is that the chip type will show up wrong or not detected

Also Could be wrong( probably)

But I don’t think it shows up as a t55 when it’s set in em mode, at least I dont think mine did

I think you have to

non-bin · April 5, 2022, 9:52am

done some tests of a random fob, and you’re right it doesn’t show as a t5577 when in em mode, but lf t5 det works, and I can’t replicate the able to read em but not t5. What’s the best way you’ve found to “break in” a chip? and why are they harder to write to?

EDIT:
Ok I’m kind of suspicious of my proxmark, for one the USB connector broke off so I had to solder a cable to it, and now some things aren’t working properly like it will say things like [!] Timeout while waiting for Proxmark LF initialization, aborting but not actually disconnect. I’ll see if re-flashing helps
Another thought (stabing in the dark) is could it have the 0x44 0x4E 0x47 0x52 ASCII of DNGR as the password? I’ll try that tomorrow

Equipter · April 5, 2022, 10:22am

sending random password reads (that arent on the chip) to LF chips can damage them so be sparing with how much you do that, it can confuse and write instead, often not even writing the password you mean to send

what proxmark version are you running, can you post an output of the hw version command

when youre scanning make sure youre intersecting the implant with the antenna like this:

with the chip in that orientation run these commands it should refresh all important areas to default

lf t55 write -b 0 -d 000880E0 --r0 -t
lf t55 write -b 0 -d 000880E0 --r1 -t
lf t55 write -b 0 -d 000880E0 --r2 -t
lf t55 write -b 0 -d 000880E0 --r3 -t
lf t55 wipe
lf t55 det

enginerd · April 5, 2022, 12:58pm

How so? Is this related to the swelling around a new implant or something weird going on with the silicon?

enginerd · April 5, 2022, 12:59pm

Sounds like you managed to piss off the transmission line gods with your soldering work…

Assuming that the error string you posted comes from the client and not from the proxmark itself.

Eriequiet · April 5, 2022, 5:49pm

Yes exactly, even if it doesn’t look swollen there is often swelling and fluid build up that makes things a bit harder for a bit

non-bin · April 6, 2022, 12:31am

Alright, I did a got pull then rebuilt and flashed the pm3, then I used data plot; lf read to find where I get the strongest signal, then ran your script, but still no change. Maybe I will wait a few weeks for the swelling to go down

pm3 output

pm3 ~$ ./proxmark3/pm3
[=] Session log D:\Repos\ProxSpace\pm3/.proxmark3/logs/log_20220406.txt
[+] loaded from JSON file D:\Repos\ProxSpace\pm3/.proxmark3/preferences.json
[=] Using UART port COM3
[=] Communicating with PM3 over USB-CDC


8888888b.  888b     d888  .d8888b.
888   Y88b 8888b   d8888 d88P  Y88b
888    888 88888b.d88888      .d88P
888   d88P 888Y88888P888     8888"
8888888P"  888 Y888P 888      "Y8b.
888        888  Y8P  888 888    888
888        888   "   888 Y88b  d88P
888        888       888  "Y8888P"    [  ]


[ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev B
    Memory.... 512 Kb ( 58% used )

    Client.... Iceman/master/v4.14831-531-g190508339 2022-04-05 20:49:22
    Bootrom... Iceman/master/v4.14831-531-g190508339 2022-04-05 20:51:20
    OS........ Iceman/master/v4.14831-531-g190508339 2022-04-05 20:58:21
    Target.... PM3 GENERIC

[usb] pm3 --> dat plo
[usb] pm3 --> lf read -s 3000 -@
[=] Press <Enter> to exit
[usb] pm3 --> lf t55 write -b 0 -d 000880E0 --r0 -t
[=] Writing page 0  block: 00  data: 0x000880E0
[#] Using Test Mode
[usb] pm3 -->    lf t55 write -b 0 -d 000880E0 --r1 -t
[=] Writing page 0  block: 00  data: 0x000880E0
[#] Using Test Mode
[usb] pm3 -->    lf t55 write -b 0 -d 000880E0 --r2 -t
[=] Writing page 0  block: 00  data: 0x000880E0
[#] Using Test Mode
[usb] pm3 -->    lf t55 write -b 0 -d 000880E0 --r3 -t
[=] Writing page 0  block: 00  data: 0x000880E0
[#] Using Test Mode
[usb] pm3 -->    lf t55 wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0

[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
[=] Writing page 0  block: 01  data: 0x00000000
[=] Writing page 0  block: 02  data: 0x00000000
[=] Writing page 0  block: 03  data: 0x00000000
[=] Writing page 0  block: 04  data: 0x00000000
[=] Writing page 0  block: 05  data: 0x00000000
[=] Writing page 0  block: 06  data: 0x00000000
[=] Writing page 0  block: 07  data: 0x00000000
[usb] pm3 -->    lf t55 det
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
[usb] pm3 --> lf sear

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID 2018070366
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 0418E0C066
[=] HoneyWell IdentKey
[+]     DEZ 8          : 00459622
[+]     DEZ 10         : 0403112806
[+]     DEZ 5.5        : 06151.00870
[+]     DEZ 3.5A       : 032.00870
[+]     DEZ 3.5B       : 024.00870
[+]     DEZ 3.5C       : 007.00870
[+]     DEZ 14/IK2     : 00137842066278
[+]     DEZ 15/IK3     : 000017597251686
[+]     DEZ 20/ZK      : 00040108140012000606
[=]
[+] Other              : 00870_007_00459622
[+] Pattern Paxton     : 538657126 [0x201B4166]
[+] Pattern 1          : 723378 [0xB09B2]
[+] Pattern Sebury     : 870 7 459622  [0x366 0x7 0x70366]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn't identify a chipset

non-bin · April 23, 2022, 6:07am

Tried again just now and still nothing at all. I got a single search to show a possible t5577 chip but couldn’t reproduce it, probably an error

amal · April 25, 2022, 4:43pm

damn. it might be time for a warranty replacement

APartOfMe · April 25, 2022, 6:30pm

If you’re able to, I would also try different readers. I’ve never been able to get a good read on the LF side of my NExT using my pm3, but the flipper zero reads it without much fuss. It sounds like the chip may actually need replacing, but it’s definitely worth trying different readers before going to the trouble of yanking and replacing.

ItaBeAight · April 26, 2022, 4:26pm

X’s 2 on this.

Flipper is my absolute go to for LF on the NExT from now on.

Equipter · April 26, 2022, 8:55pm

just so ppl are aware, right now all 3 main fws (muddled, official and unleashed) can only do

Hid ProxII 26bit (h10301)
Em410x & Em42xxx
Indala raw
so if your needs fall out of this a flipper wont work just yet

Eriequiet · April 26, 2022, 9:08pm

@Equipter can you give a more detailed explaination in the flipper thread?

I’m currently running stock, but don’t know what I gain with muddled