Cloning Gym Fob to implant

Hey everyone,

Does anyone happen to know what technology the big worldwide gym with the famous purple key fobs uses? I’ve just become a member and wondering if an xM1 may help me out, or if there’s any chance of enrolling a tag into their system, but I suspect cloning would be the only option with it being a worldwide chain.

I put it on my ProxMark and both a HF and LF search didn’t show any results, so maybe its a UHF tag? I’ll take my diagnostic card with me next time I head in to see if I can learn more, but was hoping maybe someone was more familiar with them than I am.

Cheers!

1 Like

I know it is redundant because you tried a Proxmark, but out of curiosity did you also try with TagInfo app ( or similar ) at all?

1 Like

I’m an iPhone user, got no scans on TagInfo but all that tells me is that its not formatted for NDEF data :slightly_frowning_face:

@Compgeek
I’m glad you posted this, I tried ordering one of these off of Ebay
Two weeks ago just to check the frequency they use, But the seller
Didn’t have her paypay account setup right so she canceled it after making me wait forever
I’m pretty sure their LF, but don’t quote me on it.
I’m interested to know what they are as well.

Intriguing that it didnt come up in a ProxMark search if it is indeed LF, I think there’s a bit of research still to go! Will definitely keep this thread up to date if I can find out more.

1 Like

My current theory is that it may be made by Farpointe - the reader has the signature shape of theirs, some of the gyms old style tags seem to have the Farpointe logo from what I can tell, and it looks like for this unique look they may have reused parts of the moulding for some of their push-button remotes like below.


All of that said, Proxmark still can’t get a read on it, so I’m still not sure if I’m on the right path.

1 Like

Oh yeah I’ve seen these also… strange tags. Pretty sure they are LF… proxmark3 doesn’t know how to decode these, but you should be able to get raw binary.

1 Like

Do you know if they could be written to a T5577? I’m guessing if Proxmark doesnt understand them I haven’t got very good chances, but you never know!

No idea… if we can get a spare I know who we could send it off to for analysis.

1 Like

Unfortunately I’ve only got the one so I can’t let it go - I’ll keep my eyes open for any abandoned/expired ones though

You could always, if you were willing, say you lost the fob and get a replacement, then send off the other for analysis so the structure could be understood and used to clone the replacement one. IDK what they charge for a replacement fob though.

2 Likes

What proxmark3 do you have and what firmware version?

Try using the lf search u command and send the output

They love ripping off the Aussies sadly, it’s about a $70 AUD fee to replace the fob (highway robbery for a <$1 key fob i know!)

PM3 Easy clone running the latest Iceman firmware (but I did have some other issues with Iceman firmware, so perhaps there’s more to the story there - haven’t had a chance to try on the official firmware)

I’ll grab it out again later today and send the output.

2 Likes

Definitely 125kHz, FSK modulation, but no repeating pattern that it can see… The reads seem to be consistent though, I’m getting the same data each read so that’s promising.

Summary

[=] Checking for known tags…
[=]
#db# Starting Hitag reader family
#db# Configured for hitag2 reader
#db# Unknown frame length: 160
#db# TX/RX frames recorded: 3
[-] No known 125/134 kHz tags found!

[=] Checking for unknown tags:

[-] no repeating pattern found, try increasing window size
FSK2 decoded bitstream:
11110000011111111111111100011111
01111111011111110111111101100010
11110000011111111111111100011111
10110010011110111110110101100000
01111101111101111100111100100111
01111111011111110111111101100010
01111101111101111100111100100111
10110010011110111110110101100000
11110000011111111111111100011111
01111111011111110111111101100010
01111101111101111100111100100111
10110010011110111110110101100000
1111000001111111111111111111

Unknown FSK Modulated Tag found!

I’ve changed some 1’s and 0’s around since this is my own valid tag, hopefully that doesn’t cause too much issue with understanding the tag.

You might consider doing a dump and restore to a T5577 to see if that does it regardless of being able to demod the data.

LF t55 detect
LF t55 dump gym.bin
LF t55 restore gym.bin

See if your T5577 looks like your gym tag… try it out at the gym… let me know if that works because I think I’ve seen those types of gym tags around before… might be useful for customers if this does work.

2 Likes

Actually the other way around, my gym tag looks like a T5577 :wink:

I’ve been having issues with T55xx detection, tried a hail-mary Iceman update/reinstall/rebuild and it detected my gym tag as being a T5577!

Still couldn’t demod the data, but a dump and restore got most of the blocks looking the same, (Page 1 Block 1 is different due to traceability data - if this causes any trouble I can always use testmode to force it)

The output from

lf search u

looks different, but I’m guessing its the traceability data thats affecting that. I’ll try it as-is in a few days when I’m there next, and if that doesn’t work I’ll force that other block and see how I go.

3 Likes

Good news! No problems at all with the cloned tag - traceability data being different wasn’t a problem.

Once I got my Proxmark to detect it as a T5577 the rest was very simple using the T5577 dump and restore commands

6 Likes

Gettum Tiger!

3 Likes

One more thing I should probably note: I did all my tests on a T5577 card, not on my NExT (It’s programmed to my car and I didn’t want to risk tearing during programming and brick it) - so the chip is definitely compatible and its extremely likely that it should work on an implant, but I haven’t tested the performance of the reader with the small cylindrical coil!

2 Likes

Sounds like you need another chip :slight_smile:

3 Likes