I’ve had an xEM tag in my left hand for a couple of years now and I’ve cloned cards to it several times using the cloner I got on the Dangerous Things store. It worked like a dream until the other day when it failed to write. I even got that chinese multi-frequency reader/writer on amazon to see if the cloner was to blame. no dice. The tag is still readable, but it’s like the read-only bit got flipped or something. Any thoughts?
Amal has already removed the cloner from the website ages ago due that problem. if you want get a proxmark3 using the same or similar antennae to the xem access controller and you may be able to unbrick it. if not then you will need to go through some pain to remove and/ or replace the xem.
dont ever use the cheap cloner as they can cause the same problem.
Actually this is not accurate… it is not the cloner that is the issue… the T5577 chip itself is to blame.
First read this;
https://forum.dangerousthings.com/t/quirks-of-the-t5577-cloning-tags-to-the-xem
Then read this;
https://forum.dangerousthings.com/t/xem-cloning-emulation-modes-and-the-perils-of-chinese-cloners
In short @StoicMaverick it may be possible to recover your tag. I will be working with @TomHarkness to eventually create a clear “how to” guide for doing just that, and we are also working on a new proxmark3 antenna that will couple well with the xEM.
I have a bricked xEM tag. Any chance you’ve finished the ‘how to’ for bringing them back yet. I have a proxmark3 rdev4 (never used a Chinese cloner)
Not documented anything yet but I think I have an idea for a set process for this. I’ll test tonight and if all good I will get you to try it for me.
How did it end up “bricked” ? Was it ever responsive to any reads?
I’m sorry, I misspoke when I said “bricked”. I could not write to my implant. I kept switching between iceman repo and original repo, and during one of the many firmware flashes I was careless and “bricked” the proxmark. Got a j-tag reader, couldn’t get anything working on my Mac, realized that I could just install Linux, so I did that, fixed the proxmark firmware, then I was able to write to the chip, but I had to find ideal antenna placement and I think I ran some commands that I can’t remember. Chip was never “bricked”, just needed to figure out how to get the proxmark to write to it properly. In retrospect the antenna thing was probably unnecessary.
Ok sorry for late reply! Been frantic.
So, I managed to “brick” a text xEM by programming a HID ID, and then programming block 0 config to modulate for EM ID LOL! Turns out then the pm3 cant even t55xx detect in that state anymore, (thinking of a way to fix this in the pm3 client and open to suggestions) I suspect this is where you are at…
So what I did to fix it was the following after starting up the pm3 client on the latest git pull form the RRG repository:
1. lf t55xx wipe
2. lf t55xx config d ASK b 32
3. lf t55xx detect
4. lf hid clone 2004840534
5. lf t55xx detect
6. lf search
You should get HID ID with a card value of 666 and facility code of 66.
Give this a try and let me know how you go!
So I also tried to write a block 0 config of 13371337 which should definitely “brick” the xEM.
IT DIDN’T.
xEM is still working just fine!
I had to wipe it and apply a valid block 0 config using a password of 00000000 because 13371337 in block 0 sets the password bit to 1 and block 7 which contains the password was set to all 0’s.
So basically at this point I’m becoming more and more sure that these little ATA5577 chips are extremely hard to break or “brick”. I just can’t ever seem to end up with one that’s really bricked.
I’ll keep trying though! Haha
I think the term “Brick” has become generic at this stage, same as how phones and consoles could be “bricked” years ago.
I don’t think I’ve bricked a phone in over a decade flashing or cracking them for fun.