Can't rewrite my xEM implant

Hi all,

I purchased an RFID xEM implant in 2018 and successfully implanted it and cloned my existing 125 kHz building access fob and have been using it successfully since.

However the physical fob I cloned broke and I replaced it with a new one, and I would now like to clone the new one into my implant so that they match and don’t cause questions from building security. But I can’t seem to reprogram it.

I can read my implant no problem with the portable duplicator I used back in 2018 and I can read the new fob with the portable duplicator, but I can’t write the new fob to my implant. No error. Nothing.

I have gone to a key copying place that clones RFID as a sideline and he has two different devices that can also read my implant and my fob but can’t write my implant either.

What is going on here, any suggestions?

1 Like

your handheld cloner you originally used set a password. this is very common.

without the password you can’t overwrite it.

depending on the make and model of the handheld cloner you used 7 years ago, the password may be a global static password or it might be diversified based on payload.

what handheld writer was it?

3 Likes

In preparation for your answer
A couple of options and quick references for whomever helps you out next

The local guy with readers, find out what they are, potentially you can use the guides, or maybe just the password, depending on the readers

OR

Get yourself a Proxmark3 or Flipper Zero and use the following guides to remove the password,

OR

Looking at your name, and timezone, you are likely in Melbourne.

I’m going to try a Hail Mary and drop a @Compgeek here.

He MAY be able to help you out

or POSSIBLY his brother @PulsarForce

4 Likes

i’d go for the proxmark as there is the potential need to sniff the password from the handheld writer (if diversified) which the flipper can’t do.

2 Likes

Yes I have the Blue Cloner which I bought with the implant from ChipMyLife.

Reading the Blue Cloner how to, it should be able to reprogram one that it has previously programmed shouldn’t it?

Does that mean antenna alignment issue and I just need to keep trying?

I mentioned to the copying “guy” it might have a password, he said “that’s a problem”.
You can’t set that? - “No”.
Have you heard of Proxmark? “Yeah I’ve got that but I don’t use it, sorry”

Don’t think he’s my guy!

@Compgeek or @PulsarForce can you assist?

1 Like

it should, because it is using the same password.

Quite possibly, and this might help you also.

2 Likes

It would be a weird request, but can you ask him if you can borrow it?
Or buy it off him since he doesn’t use it…

3 Likes

oh, if I wasn’t clear, if you get your hands on it, we will step you through what you need to do, from set up, to password removal to rewriting your xEM

4 Likes

Thanks. He’s a bit of an odd guy but I’ll go ask him when I’m back in the office next week.

3 Likes

So I went in and asked to borrow, rent or buy and he does use it regularly for a single task so wasn’t willing to part with it and didn’t know what to do with mine. I mentioned that there was info on this web site about removing the password and he was happy to review the info and we had a go.

He initially got talking to it ok with his Proxmark, initially it wouldn’t autofind frequency or something like that. Strangely after my trip to see him last week my Blue Cloner no longer seems to be able to read it but it still works fine with my building.

With the proxmark he was able to read the fob I want to copy, get its id and then use the proxmark to write to my chip. He said it said it did it successfully but then when he read it nothing had changed.

I said because we need to do the unlock command on the Blue Cloner how to page. We couldn’t work out which mode the xEM was in for the Block 0 config.

We guessed and tried:
lf t55xx write b 0 d 00148051 p 51243648
assuming it was EM4100 PWD ACTIVE setting. It accepted the command, didn’t complain but didn’t say success either, but still nothing had changed, and he gave up. Both of us weren’t sure if my chip would get into my building still but it does.

He thought he might have an older Proxmark he could lend me if I go back next, but wondering if you have any ideas to suggest he try.

Failing that I might buy the Proxmark3 but it will likely get one use only.

Thanks for your help.

2 Likes
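The Block 0 value tried in the post above, decoded field by field, as an added example that is not part of the original thread. It assumes the T5577 basic-mode bit layout; the comparison word `00148040` is constructed here by clearing the PWD and POR-delay bits of the thread's value. When PWD is set, the chip only accepts writes that carry the 32-bit password stored in block 7.

```python
# Added example: decode a T5577 block 0 configuration word (basic mode).
# Field positions are assumed from the T5577 basic-mode layout (MSB first).

MODULATION = {0: "direct/NRZ", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
              5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "biphase"}
BIT_RATE = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
            4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}


def decode_block0(word):
    """Split a 32-bit block 0 value (int or hex string) into its fields."""
    if isinstance(word, str):
        word = int(word, 16)
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 is a 32-bit word")
    mod = (word >> 12) & 0x1F
    return {
        "master_key": (word >> 28) & 0xF,
        "bit_rate": BIT_RATE[(word >> 18) & 0x7],
        "modulation": MODULATION.get(mod, f"reserved/extended ({mod})"),
        "psk_cf": (word >> 10) & 0x3,
        "aor": bool((word >> 9) & 1),          # answer-on-request
        "max_block": (word >> 5) & 0x7,        # last block sent on read
        "pwd": bool((word >> 4) & 1),          # password mode active
        "st": bool((word >> 3) & 1),           # sequence terminator
        "por_delay": bool(word & 1),           # power-on-reset delay
    }


def changed_fields(old, new):
    """Return {field: (old, new)} for fields that differ between two words."""
    a, b = decode_block0(old), decode_block0(new)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    # 00148051 is the value from the thread; 00148040 is constructed.
    for sample in ("00148040", "00148051"):
        print(sample, decode_block0(sample))
    print(changed_fields("00148040", "00148051"))
```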

Ok, there are a couple of approaches we can try.
I THINK the easiest is to start from scratch.
To do that, we will remove the password and reset your NExT to blank…so T5577 with nothing on it.
BUT

First, let’s get you familiar with the PM3 (don’t worry, it seems daunting, but it’s truly just a step by step)
@Aoxhwjfoavdlhsvfpzha made an AWESOME tool for this, basically a Proxmark emulator. It will teach you the commands. It’s a web page, so you can practice without a PM3, but learn how to step through what you are trying to do when you actually have a PM3 in front of you.

Stay with me, it’s truly easier than it sounds

Go here
https://siliconbased.us/pm3/ref/

Tap on lf, because that’s what we are dealing with

Scroll to t5577, because that’s the chip we are dealing with

Scroll to the bottom to wipe, because that’s what we are trying to do

Again, scroll to the bottom, to see the wipe with the password command

This is where you should have ended up
https://siliconbased.us/pm3/ref/lf-t55xx-wipe.php

THAT’S IT, that’s the command you will use.

To learn the commands you might be dealing with you can play with the emulator before you get your hands on the PM3, just dig around, you can’t break it.

Proxmark Day

Let’s remove the password

Place the Proxmark LF Antenna perpendicular to your NExT

First do an lf search or similar a few times to make sure you are well coupled between NExT and PM3
without moving your NExT and PM3 send
‘lf t5 wipe --p 51243648’
(have this ready to go so you don’t have to type or ask the PM3 owner to help)
This is what we learnt from above but using the known password instead of the example

‘lf t5 wipe --p 51243648’

this SHOULD revert back to blank T5577

if you have issues, check the coupling and maybe try with test mode -t at the end

lf t5 wipe --p 51243648 -t

from there just write whatever you want to it, we want to know what to write

So, you need to lf search on your fob.
This will tell us what you will end up writing

Let’s guess it results in em

If it is, your next command will be something like

lf em 41 reader
(this will attempt to read and extract tag data)

Then you will take the result and attempt to write to your NExT
Coupling is super important, you might want to do a couple of
‘lf t5 detect’
to ensure you have good coupling
THEN
you write the info from your results
eg.
lf em 41 clone --id 1122334455

There is an extra step in there you don’t need but we’ll just do it anyway, there are a couple of curve balls that may pop up, there might be a different result, BUT with the emulator you should have learned how the commands work, how you can step by step command it, you SHOULD be able to interpret the data enough to know what to do with it.

The Proxmark (and emulator) steps you through, it gives you options and it gives you examples.
Use those examples, substitute the example data with YOUR data and all going well, it should work.

It’s tricky to help without having hands on, typing this all out on my phone, trying to make it easy, but also providing you with enough info to do it yourself.
I hope this all makes sense

give that all try and let us know how it goes

3 Likes

Thanks for all the detailed information and assistance Pilgrimsmaster. Unfortunately

Just doesn’t seem to wipe it. It all looked ok on his PC, he had to change the syntax slightly as his version didn’t like the “–” and instead just wanted a space.

He actually thought it had worked but then when he read it, it hadn’t changed?

Any thoughts on this? I think my man has given up, he’s actually been great but says he has a business to run, engraving, key copying and fob cloning with a constant stream of customers I was holding up. Fair enough.

I’m thinking maybe I just buy a Proxmark myself to work it out and become the Melbourne goto since @Compgeek and @PulsarForce don’t seem to be around at the moment.

1 Like

Good investment if you are planning on playing in the RFID arena.

I’m confident we will get it.

2 Likes

I’ve just looked more closely at purchasing a Proxmark, do you need a Windows PC? My personal computer is a Mac. I have a locked down work PC but assume I won’t be able to install it on that.

I can see there is a link to MacOS installation guide on the getting started page in the forum but it looks pretty heavy going. Do you know if this works ok for most people?

1 Like

I’ve done it a few times, and I don’t think installing on Mac is all that much harder than installing on Windows. I think you’d be fine, especially if you’re familiar with CLI at all

Although, I don’t actually regularly use a mac based install, so you know, take that with a grain of salt :classic_tongue:

1 Like

If you get stuck on the software side, let me know. I’ve got a RPI zero2w gathering dust, I’ll install the proxmark client and send it to you. Probably take a couple of days from Perth.

3 Likes

@Aoxhwjfoavdlhsvfpzha, yes familiar with CLI: MS-DOS lol, maybe I’m too old for this! You didn’t specify the flavour, I guess that doesn’t matter so much?

@mhcasc I don’t know what an RPI zero2w is but thank you!

Dangerous Things want $63 for shipping! Surely there is another way for something that probably weighs a couple of hundred grams?

1 Like

Experience with a modern unix-like environment would be ideal, but honestly even DOS would be a good start. If you can copy commands exactly as they are written and "dir c:" without freaking out that “the screen filled with a bunch of words and numbers and I just don’t understand these computer things” you’ll be fine.

Raspberry Pi (RPi) is a series of small Linux-based computers. The Zero 2W is quite limited in CPU and RAM but I use its slightly bigger brother (a Pi 3) to drive my Proxmark and it works fine so I’m pretty sure the Zero 2W would also manage.

I suggest you wait and see what the DT team come back with regarding postage because having the official device with a known good firmware will definitely make things easier (especially if you aren’t entirely comfortable compiling software and flashing firmware), but if you want another option, drop me a DM.

1 Like

Hi all,

So I now have my Proxmark 3 and today tried connecting to it with my MacBook Air running Sonoma.

Followed the macOS-Homebrew-installation-instructions and all seemed to go ok
Installed xcode
Installed homebrew
Installed xquartz
tapped the repo
Installed proxmark3 with brew install proxmark3 (for stable release)
Didn’t do optional upgrade of homebrew to formula
Flashed the bootrom and full image pm3-flash-all seemed ok
Then ran PM3 and I had this info:

Release v4.20469 - Daddy Iceman
[ This is rather distressing! :coffee: ]

[=] Creating initial preferences file
[+] Saved to json file /Users/bradmarsh/.proxmark3/preferences.json
[ Proxmark3 ]

MCU....... AT91SAM7S512 Rev A
Memory.... 512 KB ( 77% used )
Target.... device / fw mismatch

Client.... Iceman/master/v4.20469 2025-06-16 16:18:01
Bootrom... Iceman/master/v4.20469-suspect 2025-06-16 16:18:01 72b1b17a3
OS........ Iceman/master/v4.20469-suspect 2025-06-16 16:18:01 72b1b17a3

Is the Target device mismatch an issue?

I then did script run init_rdv4 and this seemed to go ok except for the line:

[#] Smart card module (ISO 7816)
[#] version… ( fail )

The instructions in Configuration & Verification said to verify the version so this seems to be a problem so I’ve stopped at this point to ask for help on what I should do.

Thanks all for support

Brad

1 Like

Do you have an RDV4 or an easy?

2 Likes