Clone Indala to xEM


#1

I am attempting to clone an Indala card to an xEM using a proxmark3, so far with no success.

I read the card with:
lf search
lf indala demod

I receive the output:
BitLen: 64
Indala UID: 0000000000000000
0000000000000000
0000000000000000
0000000000000000
(a0000000a0a0aa00)

The UID has been changed to all zeros and a’s for this post.

Then I place the xEM on the proxmark in the proper position, and use:
lf indala clone a0000000a0a0aa00

I get the output:
Cloning 64bit tag with UID a0000000a0a0aa00
#db# DONE!

Then, when I execute lf search on the xEM, I get:
EM410x pattern found:

with all of the EM tag info following. After this process the xEM does not grant the access that the Indala card does at the access controller. However, I was able to successfully clone the Indala card to a blank T5577 card via the process described above, and that card provides access. What am I doing wrong? I know I am getting a successful read on the xEM because I can issue lf t55xx detect and lf t55xx trace on the xEM.


#2

This could be an issue with positioning the chip in the right place over the proxmark antenna. I have seen this a lot.

Here are some tips to first make sure that you have the xEM in the sweet spot before cloning your Indala ID:

  1. Try and position your implant exactly perpendicular with but over the top of one of the edges of the coil.

  2. Issue the “lf t55xx detect” command. If the pm3 detects and returns the t55 configuration settings, you are in the right spot. If the pm3 returns “Could not detect modulation automatically…” you are not getting good coupling with the xEM antenna. Very slightly re-position the xEM and keep issuing the same command with each SLIGHT move until the pm3 returns the configuration data a few times in a row. I just did this with my xEM and the stock proxmark coil and it took me a number of tries to get the “sweet spot”, see below:

proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
proxmark3> lf t5 det
Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
proxmark3> lf t5 det
Chip Type : T55x7
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 32
Seq. Term. : No
Block0 : 0x00107060

  3. After doing the lf t55xx detect, and being sure that you are roughly in the right spot, issue the “lf t55xx trace” command. If you can read the traceability data you are definitely in the right spot position wise. This is because reading page1 consistently requires VERY good RF coupling. If not keep slightly re-positioning more until you get a clean read. See below for an example:

proxmark3> lf t55xx trace
-- T55x7 Trace Information ----------------------------------

ACL Allocation class (ISO/IEC 15963-1) : 0xE0 (224)
MFC Manufacturer ID (ISO/IEC 7816-6) : 0x39 (57) - Silicon Craft Technology Thailand
CID : 0x00 (0) -
ICR IC Revision : 0
Manufactured
Year/Quarter : 2013/0
Lot ID : 354
Wafer number : 30
Die Number : 18906

Raw Data - Page 1
Block 1 : 0xE03900D0 11100000001110010000000011010000
Block 2 : 0x162F49DA 00010110001011110100100111011010

  4. Once you can read the t55xx traceability data a few times, issue your clone command while making sure not to move from that position. You may have to issue the clone command a few times before it sticks if the coupling is a bit off position wise.

The other thing to note is that in EM mode the coupling is particularly bad with the stock proxmark antenna and issuing an “lf t55xx wipe” command to clean the chip's modulation settings before the clone may help.

~TH
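
Added example, not part of the posts in this thread: a small Python decoder for the Block0 word and the page 1 traceability blocks printed by lf t55xx detect and lf t55xx trace above, useful for confirming after a write that the configuration word read back from the chip is the one you expect. The field layout follows the T55x7 basic-mode datasheet; the function names are hypothetical, and the year base of 2000 is an assumption that matches the 2013 shown in the trace output.

```python
# Added example: decode the T55x7 words printed by "lf t55xx detect" and "trace".
# Field layout per the T55x7 basic-mode datasheet; function names are illustrative.
BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {0: "Direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1", 5: "FSK2",
               6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase"}


def bits(value, width, start, length):
    """Return `length` bits of a `width`-bit word; `start` is 0-based from the MSB."""
    return (value >> (width - start - length)) & ((1 << length) - 1)


def decode_block0(word):
    """Split a basic-mode configuration word (page 0, block 0) into its fields."""
    mod = bits(word, 32, 15, 5)
    return {
        "bit_rate": BIT_RATES[bits(word, 32, 11, 3)],
        "modulation": MODULATIONS.get(mod, f"unknown ({mod})"),
        "max_block": bits(word, 32, 24, 3),
        "password": bool(bits(word, 32, 27, 1)),
        "seq_terminator": bool(bits(word, 32, 28, 1)),
    }


def decode_trace(block1, block2):
    """Decode the 64-bit traceability data (page 1, blocks 1 and 2)."""
    raw = (block1 << 32) | block2
    return {
        "acl": bits(raw, 64, 0, 8),
        "mfc": bits(raw, 64, 8, 8),
        "cid": bits(raw, 64, 16, 5),
        "icr": bits(raw, 64, 21, 3),
        "year": 2000 + bits(raw, 64, 24, 4),  # assumed base year, see lead-in
        "quarter": bits(raw, 64, 28, 2),
        "lot_id": bits(raw, 64, 30, 14),      # spans the block 1 / block 2 boundary
        "wafer": bits(raw, 64, 44, 5),
        "die": bits(raw, 64, 49, 15),
    }


if __name__ == "__main__":
    # Values copied from the detect and trace output in the post above.
    print(decode_block0(0x00107060))
    print(decode_trace(0xE03900D0, 0x162F49DA))
```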


#3

Thanks for the input, however I suspect you missed the last sentence of my post. “I know I am getting a successful read on the xEM because I can issue lf t55xx detect and lf t55xx trace on the xEM.” Unfortunately lf t55xx wipe did not solve the problem.


#4

My apologies! Are you able to read individual blocks?

Also are you using the iceman fork? If so I recommend switching back to the main fork as there are a lot of bugs with the LF functionality in the iceman fork at this time.


#5

I got it figured out. It was a firmware issue.