Chipping myself for college
Hi there! I’m making this thread to chronicle my post-implant RFID journey. Here’s my situation. I go to a college (university) which, like many, many colleges in the US, uses HID-branded “OneCards” for building access, dining hall swipes, printing/photocopying, vending machines, etc. My ultimate goal is to be able to have an implanted chip act as my OneCard. This way, it’ll be impossible for me to forget it when leaving my dorm!
So far, I’ve collected a bunch of information and understanding from all over the web about this process to get to where I am now. In an effort to share this, and to clarify and log it for myself, I’ve decided to create this thread. Feel free to add questions and (please!) advice.
Search tags: xEM, Proxmark3 RDV4, HID, clone, clone OneCard
xEM and Implantation
Two weeks ago I got an xEM implant.
I bought this implant before the NExT came out, and kinda forgot about the NExT. Maybe I’ll get one of those too, someday. For now, the xEM will work for me!
The procedure went flawlessly and I’m very happy with the implant location. It’s almost completely healed. It was VERY worth it for me to go to a piercer who was familiar and safe with the procedure than attempt to do it myself.
Testing with the xEM Access Controller
The xEM Access Controller is an all-in-one device sold by Dangerous Things for detecting and authenticating low frequency (LF) RFID tags like the xEM. It has a cylindrical antenna which is wound specifically to couple well with the antenna in the small, cylindrical xEM antenna. I had an xEM Access Controller that came with my xEM chip, so a day after getting the implant I fired up the Access Controller and used it to test my chip.
I didn’t have a 12 volt power-source to power the Access Controller with, so I used a 7–8v one that I found in a drawer. It seems to work fine.
I presented the master tag and then presented my hand with the implant a second after. Sure enough, the chip was registered and after that, presenting my hand lit the red LED. Also, the white signal wire went high to 7v (not 12) which was expected.
With this information, I was confident my chip was working properly, acting as an LF em4100 type tag.
Understanding RFID and the xEM
Here’s my understanding of the xEM implant in the context of RFID technologies. I will present it in bullet-point form.
- RFID and NFC are similar if not pretty much the same technology.
- There are different frequencies of RFID/NFC tags/readers: 125kHz (Low Frequency) and 13.56MHz (High Frequency). They’re not cross-compatible.
- Most readers on my campus are 125kHz (LF), so is the xEM, we’ll discuss be talking about this frequency from now on.
- LF tags generally don’t support any encryption. Most LF systems just grab the ID of the card and use that to decide to open/not open a door for example. This makes LF systems easy to clone/fake/spoof.
- Within 125kHz tags, there are different types of tags.
- The xEM’s hardware (or chipset, the actual chip inside it) is called the Atmel ATA5577 chip, also referred by
t55xxlater in the post.
- This chip is an emulation chip which, with a bit of configuration, can act as many different types of RFID tags. Note the distinction here between chip (hardware) and tag (protocol).
- The xEM ships from Dangerous Things in EM41xx (EM4100) mode. This is mode of emulation that the T5577 chip supports. EM41xx seems to be most common for one-off or hobbyist uses. The xEM Access Controller reads EM41xx tags, and the tags it comes with are EM41xx.
- You can switch the xEM’s T5577 chip from EM41xx emulation mode to HID emulation mode. HID is another of the many tag types the T5577 chip supports.
To achieve my goal I need to read my campus OneCard and take note of the tag ID. Then I need to clone that tag ID to my xEM, in doing so switching my xEM from EM41xx mode to HID mode and writing the ID number to it. Then I should be able to unlock doors with it!
To interface with all these cards and tags, I ordered the Proxmark3 RDV4 from Hacker Warehouse.
Next: I struggle with the Proxmark3, antenna woes and whoas. Stay tuned (haha).