Does anyone happen to know what technology the big worldwide gym with the famous purple key fobs uses? I’ve just become a member and wondering if an xM1 may help me out, or if there’s any chance of enrolling a tag into their system, but I suspect cloning would be the only option with it being a worldwide chain.
I put it on my ProxMark and both a HF and LF search didn’t show any results, so maybe its a UHF tag? I’ll take my diagnostic card with me next time I head in to see if I can learn more, but was hoping maybe someone was more familiar with them than I am.
@Compgeek
I’m glad you posted this, I tried ordering one of these off of Ebay
Two weeks ago just to check the frequency they use, But the seller
Didn’t have her paypay account setup right so she canceled it after making me wait forever
I’m pretty sure their LF, but don’t quote me on it.
I’m interested to know what they are as well.
Intriguing that it didnt come up in a ProxMark search if it is indeed LF, I think there’s a bit of research still to go! Will definitely keep this thread up to date if I can find out more.
My current theory is that it may be made by Farpointe - the reader has the signature shape of theirs, some of the gyms old style tags seem to have the Farpointe logo from what I can tell, and it looks like for this unique look they may have reused parts of the moulding for some of their push-button remotes like below.
Oh yeah I’ve seen these also… strange tags. Pretty sure they are LF… proxmark3 doesn’t know how to decode these, but you should be able to get raw binary.
You could always, if you were willing, say you lost the fob and get a replacement, then send off the other for analysis so the structure could be understood and used to clone the replacement one. IDK what they charge for a replacement fob though.
They love ripping off the Aussies sadly, it’s about a $70 AUD fee to replace the fob (highway robbery for a <$1 key fob i know!)
PM3 Easy clone running the latest Iceman firmware (but I did have some other issues with Iceman firmware, so perhaps there’s more to the story there - haven’t had a chance to try on the official firmware)
I’ll grab it out again later today and send the output.
Definitely 125kHz, FSK modulation, but no repeating pattern that it can see… The reads seem to be consistent though, I’m getting the same data each read so that’s promising.
Summary
[=] Checking for known tags…
[=] #db# Starting Hitag reader family #db# Configured for hitag2 reader #db# Unknown frame length: 160 #db# TX/RX frames recorded: 3
[-] No known 125/134 kHz tags found!
See if your T5577 looks like your gym tag… try it out at the gym… let me know if that works because I think I’ve seen those types of gym tags around before… might be useful for customers if this does work.
Actually the other way around, my gym tag looks like a T5577
I’ve been having issues with T55xx detection, tried a hail-mary Iceman update/reinstall/rebuild and it detected my gym tag as being a T5577!
Still couldn’t demod the data, but a dump and restore got most of the blocks looking the same, (Page 1 Block 1 is different due to traceability data - if this causes any trouble I can always use testmode to force it)
The output from
lf search u
looks different, but I’m guessing its the traceability data thats affecting that. I’ll try it as-is in a few days when I’m there next, and if that doesn’t work I’ll force that other block and see how I go.
One more thing I should probably note: I did all my tests on a T5577 card, not on my NExT (It’s programmed to my car and I didn’t want to risk tearing during programming and brick it) - so the chip is definitely compatible and its extremely likely that it should work on an implant, but I haven’t tested the performance of the reader with the small cylindrical coil!
