Close call with my new xEM

Kaylachu · March 26, 2025, 6:06am

I got my xEM implanted on Saturday and my knockoff Proxmark from AliExpress finally showed up today. Long story short, I made the mistake of updating the firmware to the latest Iceman release, and nearly bricked my brand new implant! After a bunch of digging I stumbled across a post saying the Iceman branch had broken t5577 timings so I compiled and flashed the main branch, and fortunately I was able to use that to recover it.

Unfortunately, in the process of trying to un-brick my implant, I wiped it, which also wiped the traceability data. Is there any way to get that back? Or is my only option to copy it from another chip?

JennyMcLane · March 26, 2025, 6:15am

Can you try it with a “Flipper Zero”

Aoxhwjfoavdlhsvfpzha · March 26, 2025, 6:18am

What exactly happened? Did it stop responding somehow?

The one from today? It doesn’t seem like them to release something with a known problem with such a common chipset…

Could you link to that post?

I’m not sure there’s any way to get yours back, nor do I know how much they vary from chip to chip, but I can post the data from my xMagic if you’d like

amal · March 26, 2025, 6:21am

I seem to recall this was a problem for a very short time a long while ago… I believe it was fixed fairly quickly. Possibly having to do with some kind of init process on the RDV4 if memory serves… nothing to do with the Easy as far as I remember.

hmm… yeah this rings a bell from 2018… also someone having an issue bricking an xEM hah!

https://www.proxmark.io/www.proxmark.org/forum/viewtopic.php%3Fid=5886.html

Aoxhwjfoavdlhsvfpzha · March 26, 2025, 6:23am

I suspect the issue more likely lies on either healing time or positioning, but you never know

Kaylachu · March 26, 2025, 6:50am

‘lf t5 detect’ wouldn’t work, ‘lf t5 info’ would randomly alternate between sane but inaccurate data and random garbage, and ‘lf sea’ wouldn’t detect any chips at all.

Yes. I’m on a MacBook Pro so I just cloned the Git repository, compiled it, installed it, flashed my Proxmark3, started poking around with my pile of fobs, and eventually my implant. Everything went sideways when I issued a ‘lf t5 wipe’ command, that’s when it stopped responding consistently.

This is the post I’m referring to. After downloading, compiling, and flashing the main fork the ‘lf t5 detect’ command actually detects my implant, ‘lf t5 wipe’ cleared out all the garbage that was in there, and I was able to clone my work fob onto my implant. Unfortunately my traceability data was lost in that process, but at least it’s not completely bricked.

I was able to duplicate the traceability data from my work fob onto my implant so ‘lf sea’ actually recognizes it as a t55xx again, I just wish I had my original data back.

Kaylachu · March 26, 2025, 6:51am

It wasn’t… I found a post about optimal implant positioning and while that did help immensely, it didn’t solve my issue.

Kaylachu · March 26, 2025, 6:53am

It was just implanted on Saturday, but this was the first implant my piercer has ever done, so it ended up being a bit on the shallow side. I’m hoping it’s deep enough and doesn’t reject, suppose I’ll be finding out over the next few weeks.

Aoxhwjfoavdlhsvfpzha · March 26, 2025, 6:56am

It’s been installed for 4 days, conventional advice is that performance will improve for up to 2 months, with good/stable usability happening somewhere in the 2-4 week range in most cases, there’s a pretty good chance that the issue could be healing related

Hey, great guess!

The Iceman fork is still working fine on my PM3 with the latest dev build, on both my implant and my cards, somehow the issue seems to be with your implant or your PM3. hw tune might give you some insight in the latter case

amal · March 26, 2025, 7:29am

Did they pull the skin up while injecting or did they just push the needle in with the skin flat?

Pilgrimsmaster · March 26, 2025, 8:17am

Did you want to share a picture for some opinions?

Kaylachu · March 26, 2025, 12:20pm

She did pull up, or “tent” the skin, while injecting it, but thought she might have stayed too shallow because you can see the deep end of the chip through my skin. Then again that might just be because I have very little body fat and there’s not much there to hide it, idk. I’ll share a couple pics in a min.

Kaylachu · March 26, 2025, 12:26pm

Sure! The third pic probably best shows how visible the deep end of the chip is through my skin

This was taken in the car about 30 minutes afterwards.

These were taken the following day.

And this was taken the day after that, on Monday.

.

amal · March 26, 2025, 12:29pm

This looks ok to me but hard to tell for sure without seeing in person.

Kaylachu · March 26, 2025, 12:31pm

Unfortunately I don’t have one…I will have access to one in a couple days though, a coworker has one and we are both going to be on site for the same project later this week. I could give it a try then.

Kaylachu · March 26, 2025, 1:40pm

What about the traceability data? Any way to recover that?

My chip does have a sibling… My boss decided to get one a year or two ago and purchased two just in case, but didn’t end up needing the second one. When I expressed interest in getting one myself, he gave his unused spare to me. Since they were purchased together, I would imagine the traceability data would be pretty close for the two.

Not · March 26, 2025, 3:09pm

Out of sheer curiosity, is there any reason that you need the traceability data to be accurate?

amal · March 26, 2025, 3:47pm

Out of sheer curiosity, what do you mean by traceability data?

Not · March 26, 2025, 4:02pm

I assume this:

“Traceability data is manufacturer-programmed (and locked) data that contains information related to the manufacture of the chip - presumably so that issues can be “traced back” to the point and date of manufacture. It contains data such as the year and quarter of manufacture, the wafer number on which the chip was produced, and the die number on the wafer. The traceabiltiy data occupies blocks 1 and 2 of Page 1, and is normally NOT writeable, although some T5577 clones will allow you to overwrite these blocks. You can read the traceability data with the lf t55xx trace command.”

Source:

github.com/RfidResearchGroup/proxmark3

doc/T5577_Guide.md

master

# T5577 Introduction Guide
<a id="Top"></a>

### Based on Iceman Proxmark3 repo

### Ver.1 8 Sep 2019
### Ver.2 7 March 2021

# Table of Contents

| Contents                                                                            |
| ----------------------------------------------------------------------------------- |
| [Part 1](#part-1)                                                                   |
| [Introduction](#introduction)                                                       |
| [T5577 Overview](#t5577-overview)                                                   |
| [What data is on my T5577](#what-data-is-on-my-t5577)                               |
| [Read and Write Blocks of Data](#read-and-write-blocks-of-data)                     |
| [Exercise 1](#exercise-1)                                                           |
| [How do I use a password](#how-do-i-use-a-password)                                 |
|                                                                                     |

This file has been truncated. show original

amal · March 26, 2025, 4:12pm

Ok so this data should not be overwritable … hence it should not have changed?