ANYTIME FITNESS Pyramid - Cloning Gym Fob to implant

Do you know if they could be written to a T5577? I’m guessing if Proxmark doesn’t understand them I haven’t got very good chances, but you never know!

1 Like

No idea… if we can get a spare I know who we could send it off to for analysis.

2 Likes

Unfortunately I’ve only got the one so I can’t let it go - I’ll keep my eyes open for any abandoned/expired ones though

1 Like

You could always, if you were willing, say you lost the fob and get a replacement, then send off the other for analysis so the structure could be understood and used to clone the replacement one. IDK what they charge for a replacement fob though.

4 Likes

What proxmark3 do you have and what firmware version?

Try using the lf search u command and send the output

1 Like

They love ripping off the Aussies sadly, it’s about a $70 AUD fee to replace the fob (highway robbery for a <$1 key fob I know!)

PM3 Easy clone running the latest Iceman firmware (but I did have some other issues with Iceman firmware, so perhaps there’s more to the story there - haven’t had a chance to try on the official firmware)

I’ll grab it out again later today and send the output.

3 Likes

Definitely 125kHz, FSK modulation, but no repeating pattern that it can see… The reads seem to be consistent though, I’m getting the same data each read so that’s promising.

Summary

[=] Checking for known tags…
[=]
#db# Starting Hitag reader family
#db# Configured for hitag2 reader
#db# Unknown frame length: 160
#db# TX/RX frames recorded: 3
[-] No known 125/134 kHz tags found!

[=] Checking for unknown tags:

[-] no repeating pattern found, try increasing window size
FSK2 decoded bitstream:
11110000011111111111111100011111
01111111011111110111111101100010
11110000011111111111111100011111
10110010011110111110110101100000
01111101111101111100111100100111
01111111011111110111111101100010
01111101111101111100111100100111
10110010011110111110110101100000
11110000011111111111111100011111
01111111011111110111111101100010
01111101111101111100111100100111
10110010011110111110110101100000
1111000001111111111111111111

Unknown FSK Modulated Tag found!

I’ve changed some 1’s and 0’s around since this is my own valid tag, hopefully that doesn’t cause too much issue with understanding the tag.

1 Like

You might consider doing a dump and restore to a T5577 to see if that does it regardless of being able to demod the data.

lf t55xx detect
lf t55xx dump gym.bin
lf t55xx restore gym.bin

See if your T5577 looks like your gym tag… try it out at the gym… let me know if that works because I think I’ve seen those types of gym tags around before… might be useful for customers if this does work.

3 Likes

Actually the other way around, my gym tag looks like a T5577 :wink:

I’ve been having issues with T55xx detection, tried a hail-mary Iceman update/reinstall/rebuild and it detected my gym tag as being a T5577!

Still couldn’t demod the data, but a dump and restore got most of the blocks looking the same, (Page 1 Block 1 is different due to traceability data - if this causes any trouble I can always use testmode to force it)

The output from

lf search u

looks different, but I’m guessing it’s the traceability data that’s affecting that. I’ll try it as-is in a few days when I’m there next, and if that doesn’t work I’ll force that other block and see how I go.

4 Likes

Good news! No problems at all with the cloned tag - traceability data being different wasn’t a problem.

Once I got my Proxmark to detect it as a T5577 the rest was very simple using the T5577 dump and restore commands

7 Likes

Gettum Tiger!

4 Likes

One more thing I should probably note: I did all my tests on a T5577 card, not on my NExT (It’s programmed to my car and I didn’t want to risk tearing during programming and brick it) - so the chip is definitely compatible and it’s extremely likely that it should work on an implant, but I haven’t tested the performance of the reader with the small cylindrical coil!

3 Likes

Sounds like you need another chip :slight_smile:

4 Likes

It’s definitely tempting! With this being a worldwide chain gym instead of just a local one, I am concerned about if they’d cancel my membership if they saw me using anything other than their fob to get in. For the moment I’ve put their fob on my water bottle so it’s not a massive inconvenience to carry it when I’m going to the gym.

Similar deal with my work badge - I want to put it on an implant, but I have to display my card as photo ID anyway, so I’m not really getting the convenience of dropping an item from my daily carry by doing it.

1 Like

@Compgeek

I find myself following in your footsteps. I too have a gym keyfob that looks much like the one you pictured. Same form factor with the little impression on one side and the impressed rectangle on the other. The only differences being mine’s black, and the back just has a serial (hex?) number printed on it instead of the sticker and company logo.

I’m at the point where my pm3rdv4 is showing the message ‘Unknown FSK Modulated Tag found!’

Googling that is what brought me to this site.

Unfortunately, I’m unable to get my pm3rdv4 to read it as a T5577, or any other type of card. I see that in your post you said you updated your firmware/repo and it suddenly detected. Could I ask the exact steps / github you cloned from?

I’m on OSX, I updated brew to grab the newest stuff. (I’d last updated in January) The update process finished, yet still no joy.

Hoping that I’ll be able to narrow down what the difference is between our success.

Thanks mate.

4 Likes

What command did you send to get this result?
lf search?

It is 6:30am where @Compgeek lives, so while you wait for him to answer…

(Also, just checking, did you hw tune first?)

I’m only guessing, but could your tag be a HiTag?
Have you tried the HiTag commands in the help to interact with it?

lf hitag help

2 Likes

Hey @HewhoHax ,

The recent versions of the Iceman/RRG firmware are what fixed the detection for me. In January I had issues, doing an update via brew in Feb made it magically work (I’m also on OSX)

Remember that you need to do 3 steps for the upgrade.

  • Update the brew formula using brew upgrade --fetch-HEAD proxmark3
  • Install the latest version now that the formula is upgraded using brew install --HEAD proxmark3
  • Flash the updated firmware to your Proxmark

If it looks the same and you’re getting the ‘Unknown FSK Modulated Tag’ message that implies it’s probably the same encoding as mine which nobody seems to have decoded still, so you’re in 1 of 2 positions.

  1. Your tag is before Farpointe changed from using a dedicated chip to a T5577 (I have a sample size of 1, so not sure if they ever used a dedicated chip or when they would have changed) - if this is the winner, I’m afraid I can’t help you further, but @amal did mention he has someone that is great with decoding - if you can get spare fobs they may have luck figuring it out.

  2. (I hope it’s 2!) You just have the same issue as I have, it’s a T5577 and your Proxmark just isn’t detecting it. If you have a T5577 card lying around, run an lf search on it and see if it says this down the bottom (ideally before and after a Proxmark update just for curiosity’s sake!)…

    Valid T55xx Chip Found
    Try lf t55xx commands

Good luck! Please let us know how you go on this, fingers crossed!

2 Likes

Hey guys,

Wow. Did not expect an answer so quickly. Thanks.

I did not do HW tune first, hf searches come back with nothing, but the ‘lf search u’ did come back with the same error that Compgeek displayed in his post.

Originally, I didn’t even know about the ‘u’ part of the command and lf search wasn’t recognizing the card at all.

I did all 3 of the steps you recommended before I posted, Compgeek. I have a sample T5577 card that came with my proxmark and have read and written to it several times without any problems. This includes several hotel keys.

I’m still a novice with the pm3 commands, and I don’t see the help menu as very intuitive. Could you provide some commands to try?

I did open the case, had to drill 2 holes and push the thing apart to get a small opening, then used a guitar pick to pry open the rest. I then used a hair dryer to weaken the adhesive so I could remove the rfid. I was hoping for a serial number or something I could trace.

It’s just the antenna in a circle around the (very) small chip and covered in some type of epoxy so that it has the shape of a clear coin.

2 Likes

When you do an lf search on this, does it say down the bottom that it detected a T5577? What happens if you run lf t55xx detect on it? My detect command not working slowed me down, but if yours is working that’s great.

If your detect works, try putting your gym fob on the proxmark and run these commands that @amal suggested…

lf t55xx detect
lf t55xx dump gym.bin

If those complete without issue, put a test card on the antenna and run

lf t55xx restore gym.bin

Then you’ll need to test at the gym, since your proxmark can’t decode these tags it’s not easy to verify if it works via proxmark.

Once you know it’s working, then you can try writing to an implant!

3 Likes

lf t55xx dump gym.bin

  • came back with a mini help screen
    lf t55xx dump
  • displayed blk 00 - 07 [page 0] and blk 00- 03 [page 1] all F’s in hex, all 1’s in binary

lf t55xx detect does not detect modulation automatically on the gym badge

  • Doesn’t on the test card labeled T5577 from proxgrind either
    – Should note that this was my only lf test card, so I have written to it many times. Not sure if writing an EM410x card to it would cause it to be detected as such when passed the ‘lf search u’ & ‘lf search’ commands

My commands to update from brew were similar, only I had
brew tap RfidResearchGroup/proxmark3
brew install proxmark3
brew install --HEAD rfidresearchgroup/proxmark3/proxmark3
brew upgrade --fetch-HEAD proxmark3
pm3-flash-all [while holding the button initially until the 2 lights were steady before proceeding with the pm flashing.]

On another note. My keysy [ https://www.amazon.com/Keysy-RFID-Duplicator-keycards-keyfobs/dp/B07D7K2LCB ] came in and seems to have cloned the card effortlessly. I still need to go to the gym to see if it opens the door though.

3 Likes
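
Two results reported in the thread can be checked offline: a restore where every block matches except the traceability data in page 1, and a dump that reads back as all F's because nothing was demodulated. The Python below is an added example, not code from any poster or from the Proxmark project. It assumes the dump file is the 12 blocks listed above (page 0 blocks 0-7, then page 1 blocks 0-3) stored as 48 big-endian bytes; the function names and sample values are constructed.

```python
import struct

PAGE0_BLOCKS, PAGE1_BLOCKS = 8, 4      # block layout quoted in the thread
TRACEABILITY = {(1, 1), (1, 2)}        # factory-written per chip, differs on any copy

def parse_dump(raw):
    """Split a 48-byte dump (assumed layout) into {(page, block): 32-bit word}."""
    n = PAGE0_BLOCKS + PAGE1_BLOCKS
    if len(raw) != 4 * n:
        raise ValueError(f"expected {4 * n} bytes, got {len(raw)}")
    words = struct.unpack(f">{n}I", raw)
    return {(i // PAGE0_BLOCKS, i % PAGE0_BLOCKS): w for i, w in enumerate(words)}

def looks_unread(blocks):
    """All-ones or all-zero words mean the read demodulated nothing."""
    return all(w in (0xFFFFFFFF, 0x00000000) for w in blocks.values())

def compare(original, clone):
    """Return the differing blocks, split into expected and unexpected."""
    a, b = parse_dump(original), parse_dump(clone)
    for name, blocks in (("original", a), ("clone", b)):
        if looks_unread(blocks):
            raise ValueError(f"{name} dump is blank: the read failed")
    report = {"expected": [], "unexpected": []}
    for key in sorted(a):
        if a[key] != b[key]:
            kind = "expected" if key in TRACEABILITY else "unexpected"
            report[kind].append(key)
    return report

# Constructed sample data, not taken from a real fob.
_words = list(range(0x1000, 0x100C))
ORIGINAL = struct.pack(">12I", *_words)
_clone = list(_words)
_clone[9] = 0xCAFE0001                 # page 1 block 1: traceability differs
CLONE = struct.pack(">12I", *_clone)

if __name__ == "__main__":
    print(compare(ORIGINAL, CLONE))
```

A difference listed under "unexpected" means a data or configuration block did not restore cleanly, which is worth resolving before trusting the copy at a reader.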