ANYTIME FITNESS Pyramid - Cloning Gym Fob to implant

It’s definitely tempting! With this being a worldwide chain gym instead of just a local one, I am concerned about whether they’d cancel my membership if they saw me using anything other than their fob to get in. For the moment I’ve put their fob on my water bottle so it’s not a massive inconvenience to carry it when I’m going to the gym.

Similar deal with my work badge - I want to put it on an implant, but I have to display my card as photo ID anyway, so I’m not really getting the convenience of dropping an item from my daily carry by doing it.

1 Like

@Compgeek

I find myself following in your footsteps. I too have a gym keyfob that looks much like the one you pictured. Same form factor with the little impression on one side and the impressed rectangle on the other. The only differences being mine’s black, and the back just has a serial (hex?) number printed on it instead of the sticker and company logo.

I’m at the point where my pm3rdv4 is showing the message ‘Unknown FSK Modulated Tag found!’

Googling that is what brought me to this site.

Unfortunately, I’m unable to get my pm3rdv4 to read it as a T5577, or any other type of card. I see that in your post you said you updated your firmware/repo and it suddenly detected. Could I ask the exact steps / github you cloned from?

I’m on OSX, I updated brew to grab the newest stuff. (I’d last updated in January.) The update process finished, yet still no joy.

Hoping that I’ll be able to narrow down what the difference is between our success.

Thanks mate.

4 Likes

What command did you send to get this result?
lf search?

It is 6:30am where @Compgeek lives, so while you wait for him to answer…

(Also, just checking, did you hw tune first?)

I’m only guessing, but could your tag be a HiTag?
Have you tried the HiTag commands in the help to interact with it?

lf hitag help

2 Likes

Hey @HewhoHax ,

The recent versions of the Iceman/RRG firmware are what fixed the detection for me. In January I had issues; doing an update via brew in Feb made it magically work (I’m also on OSX).

Remember that you need to do 3 steps for the upgrade.

  • Update the brew formula using brew upgrade --fetch-HEAD proxmark3
  • Install the latest version now that the formula is upgraded using brew install --HEAD proxmark3
  • Flash the updated firmware to your Proxmark

If it looks the same and you’re getting the ‘Unknown FSK Modulated Tag’ message, that implies it is probably the same encoding as mine, which nobody seems to have decoded still, so you’re in 1 of 2 positions.

  1. Your tag is before Farpointe changed from using a dedicated chip to a T5577 (I have a sample size of 1, so not sure if they ever used a dedicated chip or when they would have changed) - if this is the winner, I’m afraid I can’t help you further, but @amal did mention he has someone that is great with decoding - if you can get spare fobs they may have luck figuring it out.

  2. (I hope it’s 2!) You just have the same issue as I have: it’s a T5577 and your Proxmark just isn’t detecting it. If you have a T5577 card lying around, run an lf search on it and see if it says this down the bottom (ideally before and after a Proxmark update just for curiosity’s sake!)…

    Valid T55xx Chip Found
    Try lf t55xx commands

Good luck! Please let us know how you go on this, fingers crossed!

2 Likes

Hey guys,

Wow. Did not expect an answer so quickly. Thanks.

I did not do HW tune first. hf searches come back with nothing, but the ‘lf search u’ did come back with the same error that Compgeek displayed in his post.

Originally, I didn’t even know about the ‘u’ part of the command and lf search wasn’t recognizing the card at all.

I did all 3 of the steps you recommended before I posted, Compgeek. I have a sample T5577 card that came with my proxmark and have read and written to it several times without any problems. This includes several hotel keys.

I’m still a novice with the pm3 commands, and I don’t see the help menu as very intuitive. Could you provide some commands to try?

I did open the case, had to drill 2 holes and push the thing apart to get a small opening, then used a guitar pick to pry open the rest. I then used a hair dryer to weaken the adhesive so I could remove the rfid. I was hoping for a serial number or something I could trace.

It’s just the antenna in a circle around the (very) small chip and covered in some type of epoxy so that it has the shape of a clear coin.

2 Likes

When you do an lf search on this, does it say down the bottom that it detected a T5577? What happens if you run lf t55xx detect on it? My detect command not working slowed me down, but if yours is working that’s great.

If your detect works, try putting your gym fob on the proxmark and run these commands that @amal suggested…

lf t55xx detect
lf t55xx dump gym.bin

If those complete without issue, put a test card on the antenna and run

lf t55xx restore gym.bin

Then you’ll need to test at the gym; since your proxmark can’t decode these tags, it’s not easy to verify if it works via proxmark.

Once you know it’s working, then you can try writing to an implant!

3 Likes

lf t55xx dump gym.bin

  • came back with a mini help screen
    lf t55xx dump
  • displayed blk 00 - 07 [page 0] and blk 00- 03 [page 1] all F’s in hex, all 1’s in binary

lf t55xx detect does not detect modulation automatically on the gym badge

  • Doesn’t on the test card labeled T5577 from proxgrind either
    – Should note that this was my only lf test card, so I have written to it many times. Not sure if writing an EM410x card to it would cause it to be detected as such when passed the ‘lf search u’ & ‘lf search’ commands

My commands to update from brew were similar, only I had
brew tap RfidResearchGroup/proxmark3
brew install proxmark3
brew install --HEAD rfidresearchgroup/proxmark3/proxmark3
brew upgrade --fetch-HEAD proxmark3
pm3-flash-all [while holding the button initially until the 2 lights were steady before proceeding with the pm flashing.]

On another note. My keysy [ https://www.amazon.com/Keysy-RFID-Duplicator-keycards-keyfobs/dp/B07D7K2LCB ] came in and seems to have cloned the card effortlessly. I still need to go to the gym to see if it opens the door though.

3 Likes

Sounds like your detect commands still aren’t working; on your test card it should detect the modulation. If it can’t detect then it doesn’t know how to properly read all the memory pages and won’t succeed in a dump.

Having it written as em4100 shouldn’t prevent the detect command from working, but if you want to be sure, you can lf em 410x_wipe, I think is the right command; this should put it back to blank, then try a detect again.

Seems like your install commands may be out of order (upgrade doesn’t actually update what’s installed, I don’t think; pretty sure it upgrades the install instructions and should be run before install) - also make sure you are using --HEAD, as the stable releases I found to be a bit older and still have the detect bug last time I checked.

If you still have trouble getting detect to run, the guys over on the Proxmark forum may be able to help you better than we can I’m afraid.

That’s quite interesting, I thought they didn’t do these sort of oddball tags - worth noting though that they won’t write to your implant or for that matter any card/tag that isn’t sold by keysy.

2 Likes

Mini Update:

(This is based on working with the data sheets and 1’s and 0’s, with the gyms being shut I can’t fully verify if it’ll work on their readers, but the math and logic check out)

The thing that had me stumped is that the FSK bitstream is inverted to what is in the T5577 memory… should have looked closer at the config block (it’s FSK2a, Proxmark can’t detect inversion since there’s no reference)

For anyone wanting to clone one of these: lf search u
It should return as FSK2 - grab 4 lines from the middle of the dump
Invert them (change 0’s to 1’s and 1’s to 0’s) then convert to Hex

Then write to your T5577 (xEM or NExT - but use a test card first!) as follows…

Block 0: 00107080
Block 1-4: The Hex digits you found earlier

Still can’t figure out how this relates to the printed numbers with a sample size of 1, but if you have one that isn’t a T5577 you should still be able to copy it.

1 Like

How did you go with this? Did the Keysy do the trick?

1 Like

I’ve been doing some work for the giant multinational purple gym. I know someone who does the security systems. I’ll ask when I see him next!

1 Like

Hi, this text topic has kinda been down. I’m new to this. I’m currently using the iCopy to read and write but it doesn’t seem to be reading the AF keyfob. Was thinking of purchasing Proxmark3 but I’m scared it might not work as well. I would not want to spend more money knowing it might fail again. Could someone enlighten me on this please? Thank you!

Read this article and this guy manages to copy the RFID of the AF keyfob using keysy. Unfortunately I live in Singapore and keysy is not available in my country.

Anytime Fitness Low-Frequency 125khz Key Fob
Chip Type: T55x7
Modulation: FSK2a
Bit Rate: 4 — RF/50

Farpointe Data Inc., Low-Frequency RFID Card Reader

Since the source tag is t5577 based, it’s trivial to dump and write the dump with a proxmark3 to any of our t5577 based products like xEM, NExT, etc.

I’m new to all this RFID :frowning: I have not purchased a Proxmark myself and I have zero knowledge on using the Proxmark. Could you lay out the instructions on doing so? Would definitely appreciate it, thank you!!!

https://forum.dangerousthings.com/search?context=topic&context_id=5674&q=T5%20dump%20order%3Alatest&skip_context=true

Many posts that talk about t5577 dumps.

Also the trick with proxmark3 is knowing how to explore it to figure things out…

Thank you sir :slight_smile:

I have the same looking source tag as yours but am having the same issue as @HewhoHax. lf search works on a random t5577 card, but when run on the purple fob it shows (lf search -u also gives the same thing):

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[!] Error Manchester at 120
[!] Error Manchester at 122
[!] Error Manchester at 128
[!] Error Manchester at 134
[!] Error Manchester at 136
[!] Error Manchester at 138
[!] Error Manchester at 140
[!] Error Manchester at 142
[!] Error Manchester at 144
[!] Error Manchester at 146
[!] Error Manchester at 150
[!] Error Manchester at 152
[!] Error Manchester at 154
[!] Error Manchester at 158
[!] Error Manchester at 160
[!] Error Manchester at 162
[!] Error Manchester at 166
[!] Error Manchester at 168
[!] Error Manchester at 170
[!] Error Manchester at 174
[!] Error Manchester at 176
[!] Error Manchester at 178
[!] Error Manchester at 182
[!] Error Manchester at 184
[!] Error Manchester at 188
[!] Error Manchester at 190
[!] Error Manchester at 192
[!] Error Manchester at 196
[!] Error Manchester at 198
[!] Error Manchester at 202
[!] Error Manchester at 204
[!] Total Manchester Errors... 31
[=] Paradox - ID: 000000001 FC: 0 Card: 1, Checksum: 00, Raw: 0ffa24000704040404ec1041

[+] Valid Paradox ID found!

[=] Couldn't identify a chipset

which means the dump and restore method didn’t work. Cloning the paradox raw to t5577 didn’t work either. Funny thing is lf search and lf para reader give different raws

pm3 --> lf paradox reader
[!] Error Manchester at 120
[!] Error Manchester at 122
[!] Error Manchester at 128
[!] Error Manchester at 134
[!] Error Manchester at 136
[!] Error Manchester at 138
[!] Error Manchester at 140
[!] Error Manchester at 142
[!] Error Manchester at 144
[!] Error Manchester at 146
[!] Error Manchester at 150
[!] Error Manchester at 152
[!] Error Manchester at 154
[!] Error Manchester at 158
[!] Error Manchester at 160
[!] Error Manchester at 162
[!] Error Manchester at 166
[!] Error Manchester at 168
[!] Error Manchester at 170
[!] Error Manchester at 174
[!] Error Manchester at 176
[!] Error Manchester at 178
[!] Error Manchester at 182
[!] Error Manchester at 184
[!] Error Manchester at 188
[!] Error Manchester at 190
[!] Error Manchester at 192
[!] Error Manchester at 196
[!] Error Manchester at 200
[!] Error Manchester at 202
[!] Error Manchester at 204
[!] Error Manchester at 206
[!] Total Manchester Errors... 32
[=] Paradox - ID: 000000001 FC: 0 Card: 1, Checksum: 00, Raw: 0ffa24000704040404ec11ff

lf t55xx detect gives:

[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

Do you think this is a reader issue or they changed the fob? Thank you

I ended up figuring it out and the cloned card ended up working, but my block 0 was 00105080, and lf search never ended up working for me.

For those who might come across this later, in summary:
lf read
data rawdemod --fs
take the first 4 lines to convert to hex to write to block 1-4 later
put new card on
lf t5 det
lf t5 wipe
lf t5 det
lf t5 write -b 0 -d 00105080
lf t5 det
lf t5 write -b 1 -d "first line of converted hex from rawdemod"
lf t5 write -b 2 -d "second line of converted hex from rawdemod"
lf t5 write -b 3 -d "third line of converted hex from rawdemod"
lf t5 write -b 4 -d "fourth line of converted hex from rawdemod"
done
you can check by
lf t5 dump
and should look something like this
[+] ----+----------+----------------------------------+-------
[+] 00 | 00105080 | 00000000000100000101000010000000 | …P.
[+] 01 | "hex 1" | "line 1 from rawdemod" |
[+] 02 | "hex 2" | "line 2 from rawdemod" |
[+] 03 | "hex 3" | "line 3 from rawdemod" |
[+] 04 | "hex 4" | "line 4 from rawdemod" |

3 Likes
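
An added example, not part of any post in this thread: it decodes the two block 0 values posted above (00107080 and 00105080) into T5577 configuration fields, reports which field they differ in, and performs the invert-and-convert-to-hex step from the mini update. The field layout and modulation names are assumptions taken from the T5577 (ATA5577) datasheet, and the sample bit line is constructed, not read from a fob.

```python
# Added illustration, not from the thread. Field layout and code names are
# assumptions taken from the T5577 (ATA5577) datasheet, basic mode.
FIELDS = [  # (name, width in bits), most significant bit first
    ("master_key", 4), ("reserved", 7), ("bit_rate", 3), ("x_mode", 1),
    ("modulation", 5), ("psk_cf", 2), ("aor", 1), ("otp", 1),
    ("max_block", 3), ("pwd", 1), ("st", 1), ("fast_write", 1),
    ("inverse", 1), ("init_delay", 1),
]
BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {0x00: "direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
               0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
               0x08: "Manchester", 0x10: "biphase"}


def decode_block0(hex_word):
    """Split a 32-bit T5577 configuration word into named fields."""
    value = int(hex_word, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("block 0 must be a 32-bit value")
    out, shift = {}, 32
    for name, width in FIELDS:
        shift -= width
        out[name] = (value >> shift) & ((1 << width) - 1)
    out["bit_rate_name"] = BIT_RATES[out["bit_rate"]]
    out["modulation_name"] = MODULATIONS.get(out["modulation"], "unknown")
    return out


def bits_to_block(bits, invert=False):
    """Convert one 32-character line of demodulated bits to 8 hex digits."""
    bits = bits.replace(" ", "")
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 32 characters of 0/1")
    value = int(bits, 2)
    return f"{value ^ 0xFFFFFFFF if invert else value:08X}"


def diff_fields(a, b):
    """Names of the fields in which two configuration words differ."""
    da, db = decode_block0(a), decode_block0(b)
    return [name for name, _ in FIELDS if da[name] != db[name]]


if __name__ == "__main__":
    for word in ("00107080", "00105080"):
        cfg = decode_block0(word)
        print(word, cfg["bit_rate_name"], cfg["modulation_name"], cfg["max_block"])
    print("differ in:", diff_fields("00107080", "00105080"))
    sample = "00011101010101010110100110010110"  # constructed bits
    print(bits_to_block(sample), bits_to_block(sample, invert=True))
```
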