After about a year of using my xEM as a clone of my HID access card for my old job, I’ve moved overseas, am at a new workplace and I’m hoping to repurpose my xEM to work with our new badges.
Now, when I first cloned my HID Proxcard to my xEM I was pretty new to this, and used one of the “white Chinese multi-frequency cloners”. To my understanding this has locked the chip with a password in HID mode. When I attempted to scan my new card with the Chinese cloner it failed to read anything - which led me to finally break out my PM3Easy and figure it out a bit. After updating the PM3Easy and running the “lf search u” command on my new work badge I received this back:
Valid Hitag2 tag found - UID: 09558f11
Running the same command on my xEM I receive this back:
HID Prox TAG ID: 20063387cc (50150) - Format Len: 26bit - FC: 25 - Card: 50150
Valid HID Prox ID Found!
Valid T55xx Chip Found
What are my next steps? I’m extremely new to using the PM3, and should have listened to @TomHarkness when he said to stay the hell away from the white Chinese multi-freq cloner. I will grovel and/or beg for help where desired.
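The HID result the Proxmark printed for the xEM above (raw 20063387cc, 26-bit, FC 25, card 50150) can be checked by hand. The following is an added worked example, not part of the original post or the Proxmark3 project: it encodes the H10301 26-bit Wiegand word with both parity bits, extracts the 26-bit payload from the Proxmark raw value the way the client's lf hid decoder does (format length from the leading sentinel bit), and confirms the two agree. The field layout follows the public H10301 description; the helper names are mine.

```python
# Added example: HID 26-bit (H10301) encode/decode against the values the
# Proxmark reported in the post above. Not code from the forum thread.

def h10301_encode(fc: int, cn: int) -> int:
    """Return the 26-bit H10301 word for facility code fc and card number cn.

    Layout, MSB first: EP | FC (8 bits) | CN (16 bits) | OP
      EP = even parity over the first 12 data bits (FC + top 4 bits of CN)
      OP = odd  parity over the last 12 data bits (low 12 bits of CN)
    """
    if not 0 <= fc < 256 or not 0 <= cn < 65536:
        raise ValueError("FC must fit in 8 bits and card number in 16 bits")
    data = (fc << 16) | cn                   # the 24 data bits
    first12 = data >> 12
    last12 = data & 0xFFF
    ep = bin(first12).count("1") & 1         # even parity: set if ones count is odd
    op = 1 - (bin(last12).count("1") & 1)    # odd parity: set if ones count is even
    return (ep << 25) | (data << 1) | op


def h10301_decode(word: int) -> dict:
    """Split a 26-bit word into FC/CN and verify both parity bits."""
    ep = (word >> 25) & 1
    data = (word >> 1) & 0xFFFFFF
    op = word & 1
    ep_ok = ((bin(data >> 12).count("1") + ep) & 1) == 0   # even overall
    op_ok = ((bin(data & 0xFFF).count("1") + op) & 1) == 1  # odd overall
    return {"fc": data >> 16, "cn": data & 0xFFFF, "parity_ok": ep_ok and op_ok}


def proxmark_raw_to_h10301(raw: int) -> int:
    """Extract the 26-bit payload from a Proxmark3 'HID Prox TAG ID' raw value.

    For formats shorter than 37 bits the Proxmark decoder takes the highest set
    bit of the low 32 bits as the sentinel '1' that precedes the Wiegand word;
    everything below it is the payload. The bits above that are Proxmark's
    44-bit framing and are not part of the card data.
    """
    lo = raw & 0xFFFFFFFF
    sentinel = lo.bit_length() - 1           # bit index of the leading 1
    if sentinel != 26:
        raise ValueError(f"not a 26-bit card: sentinel at bit {sentinel}")
    return lo & ((1 << 26) - 1)


if __name__ == "__main__":
    raw = 0x20063387CC                       # value printed by lf search on the xEM
    word = proxmark_raw_to_h10301(raw)
    print(hex(word), h10301_decode(word))
    print(hex(h10301_encode(25, 50150)) == hex(word))
```

The round trip is what makes the tool output trustworthy: if `h10301_encode(25, 50150)` did not reproduce the payload pulled out of the raw value, either the parity bits or the format-length guess would be wrong, and a clone built from FC and card number alone would be rejected by the reader.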
@TomHarkness I followed your advice here and ran “lf t55xx p1detect” - and got a positive read response. I then ran “lf t55xx write b 0 d 00148041 p AA55BBBB” and checked with “lf search u”, receiving back the following:
Checking for Unknown tags:
Possible Auto Correlation of 1 repeating samples
Using Clock:64, Invert:0, Bits Found:625
ASK/Manchester - Clock: 64 - Decoded bitstream:
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010111111111111
1111111111111111
1111111111111111
Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try ‘data rawdemod ab’
Valid T55xx Chip Found
Attempting to read my xEM now comes up with nothing, which I’m assuming is good news?
Hey - I don’t have time for a long reply, sorry - but from a quick glance over your posts it seems that you wrote a block 0 config of “00148041”, which is EM emulation mode (no password). Based off this, the unlock worked, but you’ve just got block 0 in the wrong mode. For HID emulation mode block 0 should be:
00107060
Try: lf t5 detect - get the config set
and then: lf t55xx write b 0 d 00107060
And then try an: lf search
Should work as long as coupling is OK… Let me know!
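To see why 00148041 answers as an EM410x-style tag while 00107060 answers as HID Prox, it helps to split the block 0 word into its fields. The following is an added example, not code from the forum thread or from the Proxmark3 project: it decodes and builds T5577 block 0 configuration words using the bit layout from the T5577 datasheet as mirrored in the Proxmark3 client's t55xx definitions (bit rate, modulation, max block, PWD, POR delay and so on), and lists the fields that differ between the two words in this thread. The "locked" word is constructed here to show where the password bit sits; it is not the value the cloner actually wrote. The helper names are mine.

```python
# Added example: T5577 block 0 configuration word decode/encode/diff.
# Bit positions follow the T5577 datasheet (Proxmark3 T55x7_* masks).

BITRATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
            4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "Direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
               5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "Manchester",
               16: "Biphase", 24: "Diphase"}


def decode_block0(cfg: int) -> dict:
    """Split a 32-bit T5577 block 0 word into its named fields."""
    return {
        "master_key": (cfg >> 28) & 0xF,            # bits 1-4
        "bitrate": BITRATES[(cfg >> 18) & 0x7],     # bits 12-14
        "x_mode": bool(cfg & 0x20000),              # bit 15
        "modulation": MODULATIONS.get((cfg >> 12) & 0x1F, "reserved"),  # bits 16-20
        "psk_cf": (cfg >> 10) & 0x3,                # bits 21-22
        "aor": bool(cfg & 0x200),                   # bit 23, answer on request
        "otp": bool(cfg & 0x100),                   # bit 24, one time programmable
        "max_block": (cfg >> 5) & 0x7,              # bits 25-27, last block streamed
        "pwd": bool(cfg & 0x10),                    # bit 28, password required
        "st_terminator": bool(cfg & 0x8),           # bit 29
        "fast_write": bool(cfg & 0x4),              # bit 30
        "inverse_data": bool(cfg & 0x2),            # bit 31
        "por_delay": bool(cfg & 0x1),               # bit 32
    }


def encode_block0(bitrate: str, modulation: str, max_block: int, *,
                  pwd: bool = False, por_delay: bool = False) -> int:
    """Build a block 0 word from the fields that matter for plain ID emulation."""
    rate = {v: k for k, v in BITRATES.items()}[bitrate]
    mod = {v: k for k, v in MODULATIONS.items()}[modulation]
    if not 0 <= max_block <= 7:
        raise ValueError("max_block is a 3-bit field")
    return (rate << 18) | (mod << 12) | (max_block << 5) | (int(pwd) << 4) | int(por_delay)


def diff_block0(a: int, b: int) -> dict:
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    da, db = decode_block0(a), decode_block0(b)
    return {k: (da[k], db[k]) for k in da if da[k] != db[k]}


# The two words from this thread, rebuilt from their fields.
EM410X_CFG = encode_block0("RF/64", "Manchester", 2, por_delay=True)  # 0x00148041
HID_CFG = encode_block0("RF/50", "FSK2a", 3)                          # 0x00107060
# Constructed for illustration only: HID mode with the PWD bit set. This is
# NOT the word the cloner wrote; it just shows which bit a password lock flips.
LOCKED_HID_CFG = encode_block0("RF/50", "FSK2a", 3, pwd=True)          # 0x00107070

if __name__ == "__main__":
    for name, cfg in (("EM410x", EM410X_CFG), ("HID", HID_CFG), ("locked HID", LOCKED_HID_CFG)):
        print(f"{name}: {cfg:08X} -> {decode_block0(cfg)}")
    print("changed by writing 00107060 over 00148041:", diff_block0(EM410X_CFG, HID_CFG))
```

Running it shows the three things that actually changed between the two writes: the bit rate (RF/64 to RF/50), the modulation (Manchester to FSK2a) and the number of blocks streamed (2 to 3), which is exactly what an HID Prox reader expects and an EM reader does not. It also shows that 00107060 leaves the PWD bit clear, so once that word is in block 0 the tag no longer asks for the cloner's password.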
A bit off topic, but I’m extremely pleased with how this small forum community treats one another. I asked a similar question on the Proxmark forums and just got snarky replies to read the user manual and do a search. Clearly I had, but couldn’t find what I was looking for, so I made another post. Yikes. Won’t do that again.
Completely understand and appreciate the appreciation! The guys over at the PM forum can be a bit touchy sometimes - they are constantly getting smashed with questions that could easily be answered if the person just read a few lines of the readme etc…
Assuming the antenna isn’t too bad (I seem to be coupling okay at the moment) what are the commands that I’d use to clone my access badge to my xEM? I’ve gone through all the “lf hitag reader” and other “lf hitag” commands, and nothing seems to be making much sense - now that I’ve gotten the UID from the “lf search u” command, what write command do I need to use to write to my implant now?
So you think you could make a T5577 behave like a Hitag2? Certainly not the S variant (with 48-bit challenge response)… but maybe just the Hitag2 UID (not user memory)?
I think just the UID should be possible, definitely not the S variant - unsure how happy the reader / system on the other side would be, but looking at the T5577 data sheet, the modulation etc. should be “set-able”.
If I can get hold of a Hitag reader / card I’ll do some tests.
I did some reading into the specs of the T5577 and emulating a hitag2, and the T5577 supports all the modes that are used for communication by the hitag2. I just don’t have the parts, tools, or experience necessary to see if I could make it work. I gave some more info on it in this post.
I’m going to pass all this info on to iceman from RRG as we work closely at times. Will see if he has any input or ideas. Might be quite simple if one knows the code base and understands the analogue stuff a bit better than I (and iceman certainly does).
Yeah, exactly. It seems like it could be easy to do if one knew how to make the chip do what you want it to and have more fine control over the modes. I’m interested to see how this turns out.
The conclusion is we need to test and try some things:
Hitag2 is a reader talk first system, the reader sends a start command first before the tag responds. A t5577 would scream the block data back constantly - that’s how they function when powered up
The pulse width in terms of modulation is not the same
Not to mention the auth : crypto parts.
We can probably make a t55 just send one block data that equates to a 32b uid. Over and over. Might confuse the reader though lol.
Worth playing with I guess but my gut tells me this is very dependent on what the readers are doing.
Ok, if all of that is true then I suppose it’s not as simple as it seems. Glad we have guys like you around that have the knowledge to really dig into it.
We do have these, they are HITAG S2048… we just have not released them. The primary reason is - I don’t want to have to support a bunch of Hitag questions.
Who here knows anything about them and is willing to help support questions about them here on the forum?