Hitag2 & xEM | White Chinese Cloner & PM3Easy

Hi everyone!

After about a year of using my xEM as a clone of my HID access card for my old job, I’ve moved overseas, am at a new workplace and I’m hoping to repurpose my xEM to work with our new badges.

Now, when I first cloned my HID Proxcard to my xEM I was pretty new to this, and used one of the “white Chinese multi-frequency cloners”. To my understanding this has locked the chip with a password in HID mode. When I attempted to scan my new card with the Chinese cloner it failed to read anything, which led me to finally break out my PM3Easy and figure it out a bit. After updating the PM3Easy and running the “lf search u” command on my new work badge I received this back:

Valid Hitag2 tag found - UID: 09558f11

Running the same command on my xEM I receive this back:

HID Prox TAG ID: 20063387cc (50150) - Format Len: 26bit - FC: 25 - Card: 50150
Valid HID Prox ID Found!
Valid T55xx Chip Found

What are my next steps? I’m extremely new to using the PM3, and should have listened to @TomHarkness when he said to stay the hell away from the white Chinese multi-freq cloner. I will grovel and/or beg for help where desired.

Cheers!

2 Likes

Good god I am lost. Is this what elderly people feel like when they look at Facebook?

proxmark3> lf hitag list
recorded activity (TraceLen = 76280224 bytes):
ETU :nbits: who bytes
---------+-----+----+-----------
      0:    5:     c0
    172:   32: TAG 09! 55! 8f 11!
   -262:    0:
3 Likes

@TomHarkness I followed your advice here and ran “lf t55xx p1detect” and got a positive read response. I then ran “lf t55xx write b 0 d 00148041 p AA55BBBB” and checked with “lf search u”, receiving back the following:

Checking for Unknown tags:

Possible Auto Correlation of 1 repeating samples

Using Clock:64, Invert:0, Bits Found:625
ASK/Manchester - Clock: 64 - Decoded bitstream:
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010110100101101
0100111010101010
1010110010101010
1010101010110100
1010111111111111
1111111111111111
1111111111111111
Unknown ASK Modulated and Manchester encoded Tag Found!
if it does not look right it could instead be ASK/Biphase - try ‘data rawdemod ab’
Valid T55xx Chip Found

Attempting to read my xEM now comes up with nothing, which I’m assuming is good news?

1 Like

Hey - I don’t have time for a long reply, sorry - but from a quick glance over your posts, it seems that you wrote a block 0 config of “00148041”, which is EM emulation mode (no password). Based off this, the unlock worked, but you’ve just got block 0 in the wrong mode. For HID emulation mode block 0 should be:
00107060

Try: lf t5 detect - get the config set

and then: lf t55xx write b 0 d 00107060

And then try an: lf search

Should work as long as coupling is OK… Let me know!

6 Likes
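To see why the two block 0 words behave so differently, here is an added example (not code from this thread or from the Proxmark project) that decodes the T5577 configuration word into its datasheet fields, using the bit positions of the non-extended page 0 layout; the field names and the “what does HID Prox need” check are my own assumptions drawn from the values quoted above (FSK2a, RF/50, 3 data blocks, no password).

```python
# Added example: decode a T5577 page 0 block 0 configuration word.
# Bit numbering follows the datasheet convention (bit 1 = MSB of the 32-bit word);
# the non-extended layout (bit 15 = 0) is assumed, which both words in the thread use.

BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "Direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1", 5: "FSK2",
               6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase", 24: "Biphase_a"}


def field(word: int, first_bit: int, width: int) -> int:
    """Return `width` bits whose most significant bit is datasheet bit `first_bit`."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)


def decode_block0(word: int) -> dict:
    """Split a block 0 word into its configuration fields (non-extended layout)."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 is a 32-bit word")
    mod = field(word, 16, 5)
    return {
        "master_key": field(word, 1, 4),          # bits 1-4
        "bit_rate": BIT_RATES[field(word, 12, 3)],  # bits 12-14
        "extended": bool(field(word, 15, 1)),     # bit 15 (X-mode)
        "modulation": MODULATIONS.get(mod, f"reserved({mod})"),  # bits 16-20
        "psk_cf": field(word, 21, 2),             # bits 21-22
        "aor": bool(field(word, 23, 1)),          # bit 23, answer on request
        "otp": bool(field(word, 24, 1)),          # bit 24, one-time programmable
        "max_block": field(word, 25, 3),          # bits 25-27, last block sent
        "pwd": bool(field(word, 28, 1)),          # bit 28, password mode on/off
        "seq_terminator": bool(field(word, 29, 1)),
        "fast_write": bool(field(word, 30, 1)),
        "inverse": bool(field(word, 31, 1)),
        "por_delay": bool(field(word, 32, 1)),
    }


def hid_prox_issues(word: int) -> list:
    """List why a block 0 word will not emulate the HID Prox card in the thread (assumed requirements)."""
    cfg = decode_block0(word)
    issues = []
    if cfg["modulation"] != "FSK2a":
        issues.append(f"modulation is {cfg['modulation']}, HID Prox needs FSK2a")
    if cfg["bit_rate"] != "RF/50":
        issues.append(f"bit rate is {cfg['bit_rate']}, HID Prox needs RF/50")
    if cfg["max_block"] != 3:
        issues.append(f"max block is {cfg['max_block']}, HID Prox data uses blocks 1-3")
    if cfg["pwd"]:
        issues.append("password mode is on; block 7 password is required for writes")
    return issues


if __name__ == "__main__":
    for word in (0x00148041, 0x00107060):  # EM word from the thread, HID word from the reply
        print(f"{word:08X}: {decode_block0(word)}")
        print("  HID Prox issues:", hid_prox_issues(word) or "none")
```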

Also make sure to wipe block 7 which contains the password that was set. Just set it to all 0’s. lf t5 wr bl 7 d 00000000

2 Likes

Excellent, thanks for the confirmation, I’ll clean up block 7, and I seriously appreciate you being precise like this with the commands.

That said, is there a way to copy the Hitag2 UID and/or clone the Hitag2 access card on to the xEM?

Cheers!

2 Likes

A bit off topic but I’m extremely pleased how this small forum community treats one another. I asked a similar question on the proxmark forums and just got snarky replies to read the user manual and do a search. Clearly I had but couldn’t find what I was looking for so I made another post. Yikes. Won’t do that again.

4 Likes

Completely understand and appreciate the appreciation! The guys over at the PM forum can be a bit touchy sometimes - they are constantly getting smashed with questions that could easily be answered if the person just read a few lines of the readme etc…

3 Likes

No worries - Hitag2 should work BUT the stock antenna may cause you some issues.

Assuming the antenna isn’t too bad (I seem to be coupling okay at the moment) what are the commands that I’d use to clone my access badge to my xEM? I’ve gone through all the “lf hitag reader” and other “lf hitag” commands, and nothing seems to be making much sense - now that I’ve gotten the UID from the “lf search u” command, what write command do I need to use to write to my implant now?

So you think you could make a T5577 behave like a hitag2? Certainly not the S variant (with 48bit challenge response)… but maybe just the hitag2 UID (not user memory)?

I think just the UID should be possible, definitely not the S variant - unsure how happy the reader / system on the other side would be, but looking at the t5577 data sheet, the modulation etc should be “set-able”.

If I can get hold of a Hitag reader / card I’ll do some tests.

2 Likes

I did some reading into the specs of the T5577 and emulating a hitag2, and the T5577 supports all the modes that are used for communication by the hitag2. I just don’t have the parts, tools, or experience necessary to see if I could make it work. I gave some more info on it in this post.

I’m going to pass all this info on to iceman from RRG as we work closely at times. Will see if he has any input or ideas. Might be quite simple if one knows the code base and understands the analogue stuff a bit better than I (and iceman certainly does).

3 Likes

Yeah, exactly. It seems like it could be easy to do if one knew how to make the chip do what you want it to and have more fine control over the modes. I’m interested to see how this turns out.

1 Like

As always Tom, you are a scholar and a gentleman. I owe you and iceman a beer.

2 Likes

The conclusion is we need to test and try some things:

  1. Hitag2 is a reader talk first system, the reader sends a start command first before the tag responds. A t5577 would scream the block data back constantly - that’s how they function when powered up

  2. The pulse width in terms of modulation is not the same

  3. Not to mention the auth : crypto parts.

  4. We can probably make a t55 just send one block data that equates to a 32b uid. Over and over. Might confuse the reader though lol.

Worth playing with I guess but my gut tells me this is very dependent on what the readers are doing.

2 Likes

Ok, if all of that is true then I suppose it’s not as simple as it seems. Glad we have guys like you around that have the knowledge to really dig into it.

But who knows, maybe there is a workaround.

@amal Rather than messing with my xEM, is there a possibility of getting an implantable Hitag2 chip? I’d put in the first pre-order if there was.

We do have these, they are HITAG S2048… we just have not released them. The primary reason is - I don’t want to have to support a bunch of hitag questions.

Who here knows anything about them and is willing to help support questions about them here on the forum?

2 Likes