Help choosing implant

Hi, I’m looking for an implant to exchange my keyfob at work. I’m not a complete beginner, but no expert either, so that’s why I thought it would be best to ask here first!

The reader my job uses is an Assa Abloy 6585MF and I’ve found the specs here: https://bit.ly/2wnoiy1
It looks as though the information would be encrypted somehow.

The fob I would like to copy is listed as an EM4200 with a numeral UID written on it.

Are there any implants that could work with this setup? And if so, would it be possible to copy the fob into the implant with something like a Proxmark3?

Many thanks in advance!
//Birnir

Hmmmm, without doing research myself, I am a little confused, 2 different techs…
Hopefully it is using one of the 2 options below.
EM4200: I would say you would be looking at an xEM or NExT (personally I would recommend the NExT).
With 2 options:

  1. Proxmark to clone
  2. Have your NExT or xEM enrolled into the access system

BUT 6585MF suggests Mifare, which is a whole different kettle of fish.
Different tech, different frequency
If it is Mifare, hopefully it would be an xM1 that would be suitable, (This is currently the only HF implant with a changeable UID/NUID.)
Again
With 2 Options

  1. Proxmark to clone
  2. Have your xM1 enrolled into the access system

The xM1 will be having a Flex version out soon!?, and possibly a xEM/xM1 2in1 combination, but this is not even 100% confirmed so delivery unknown.

Assa Abloy make fantastic physical locks, so I would be very surprised if they chose either of these technologies.
We might need to do some more research, but on the face of it, the 2 suggestions I put above are your best bet.

1 Like

Looks like it’s comparing its security to better than just UID authentication.

It appears that the card will be written to, then protected, so that the reader issues the password and then reads the content of the memory.

However, it is not necessary to read the memory if they use a custom PAK to show authentication is successful.

None of the above is certain, and neither is it really a problem as long as we can read the card; as already suggested, a Proxmark to dump the card.

The community here is amazing and I’m sure people will spring to help/investigate

I also read this… but remember… 1) marketing people are often wrong… and 2) it’s likely that this feature requires extra setup from the customer, in which case I seriously doubt they did… because most customers have a hard time even changing the default passwords on their network routers… and when it comes to access control systems, I find even the most savvy corporate offices don’t have a clue when it comes to their access control security… but I could be wrong.

2 Likes

Thanks a lot for all the replies so far! Wasn’t expecting this much help in just one hour.

I have some investigation to do, and I think ordering a Proxmark3 would be the first step. My first concern is what if the information is encrypted somehow, would that mean that the reader wouldn’t be able to copy the fob?

I could perhaps, after finding out which technology the readers are using and choosing the right chip for it ask the guy programming these fobs if he would be willing to add my fob into the system, but he could say no, or perhaps his system wouldn’t let him enroll my implant since it’s not recognised as a proprietary Assa fob?

Definitely agree with you there; at work the domain controller’s password was Admin1234…

Anywho

The Proxmark may even be able to read it even if it is encrypted; if the data is just in memory and it’s read and decoded by the reader, then a direct copy may work. Obviously depends on if the card is read protected, but you won’t find out until you try.

Before jumping in and grabbing a Proxmark you could try reading the card with an NFC-enabled phone and nfctools.

This is where marketing people are terrible people… it’s not “encrypted”… old ass Mifare cards don’t “do encryption” to the data stored… and I doubt the reader bothers with encrypting the data it stores on the card either… I bet when the marketing people say “encrypted” they simply mean the passkey for each sector… key A and B for each sector, and the access bits which allow data visibility in those sectors…

In fact, I don’t even think the Mifare cards support channel encryption, meaning yes if you sniffed the conversation you should be able to pick up the keys in transit over the air, then use those to unlock the card without even needing to crack anything… though mifare classic card sectors are also easily cracked open by the proxmark3…

Anyway, in short, you’re right.

You could… But if you can have your implant enrolled directly into the access system you have no real need for it, it would be a waste of money…
I would suggest, get some more info to confirm the system.
Get your access card and get TagInfo or a similar app and scan your card. If it is Mifare, then you know to get an xM1; if it doesn’t scan, then it is probably LF 125kHz, so you will be looking at an xEM or NExT.
Update

Um, yeah, what @Devilclarke said… I must have been typing and missed that

1 Like

I’ve tried reading the tag with my Android (Samsung S10) using both TagInfo and Mifare Classic tool but nothing happens when I try scanning.

Reading the reader’s spec sheet, it seems the base unit (6585MF) is NFC-only, and uses an “encrypted” sector to store the unlocking UID on a M1k. But there seems to be multi-frequency models also (the 6585MIK3a and 6585MIK3v) that claim to do Mifare, EM and magnetic strip. It may be that all models are marked “6585MF” but I doubt it. @Birnir: is there a mag card reader on the device?

If the reader is multi-frequency, I would definitely NOT recommend a NExT, as it might confuse the reader if it sees an LF and an HF chip responding at the same time.

An RFID diagnostic card would be a very good investment at this point, methinks…

1 Like

Maybe, hopefully Low Frequency, which explains the EM4200.
Could be an xEM or NExT for you then!?

1 Like

I will definitely buy an RFID diagnostic card and see what happens. There’s a seller in my country so I will have it within a week.

There’s no magnetic card reader, but I’ve noticed that my company uses several different models of readers. They almost look the same and they all come from Assa Abloy, but the model name/number is different. I’ll take note of them and see what they have in common.

There are no security zones warranting different security methods, so I think the readers are different probably just because they got installed years apart or something like that.

2 Likes

Hi all, apparently I was wrong about the reader model. It’s a 6485PL II and after searching Google all I found was that it’s installed in “low security environments”. And it’s definitely a LF reader with EM4200 chips, so it looks like the NExT is the safest bet?

1 Like

Ah yeah I would bet on a NExT.

2 Likes

Thank you everyone for the help! I’m definitely choosing the NExT. I have a couple of questions that I haven’t found the answer to somewhere online.

  1. Is it just as “easy” to write to the NExT compared to a one-freq chip? No interference?

  2. Same question, but about reader compatibility? I guess some interference would occur if it’s a multireader (LF and HF).

  3. Is it possible to write to all sectors on both the LF and HF side so complete cloning is possible? I don’t know if these chips have sector 0’s with a unique UID like Mifare does?

  4. Any suggestions on a good reader/cloner which would be ideal to use with the NExT chip?

Thanks!

No problems at all, 2 Very different frequencies.
The only time you may have an issue with the 2 frequencies, is with a multifrequency reader for an access system for example.
It is looking for 125kHz for access but also scanning 13.56MHz, and “sees” the “wrong” one 13.56 and will give an error.

I should have read this whole post before answering, but I would change the wording to COULD occur (depends on programming).

You can write a new UID to the LF (xEM) side, but you can’t do this on the HF xNT side, but you can write NDEF data over NFC (obviously).

Hmmm, tricky,
Depends on what you hope to do.
HF
Phone to write NDEF
LF
In order of price cheapest, but descending order of recommendation
Blue Cloner Please read
Chameleon
ProxMark Easy
Proxmark3 RDV4

2 Likes

Thanks a lot! Now I think I have everything I need to know right now at least. I’ll find the time to get myself the NExT perhaps in a month or two. I’ll give you guys an update then on how the cloning worked out for me.

1 Like


And now I have a NExT implanted! I did it 3 days ago and it feels alright today. Some swelling, tenderness and itching still.

3 Likes