How many 13.56MHz implants needed, and where to put them..?

Many of the things that work on Linux will have some way or another to work on Mac via command line… but I couldn’t say for sure. The less I use my Mac the happier I am, usually. :laughing:

Exactly the route I would (and did) take. :wink:

I have found out that my work badge has two chips in it: an EM and a Mifare.
Not sure about which type of Mifare yet (I have the name of the readers tho), but I am already confused :sweat_smile:

I believe I’ll need an xM1 for my friend’s building (some old system) and possibly also for my parents’ house (yaleman v2n). I can enroll my chip into my parents’ system, but that is not an option at my friend’s house or at work.
If I have understood it correctly, that means I would need two UID chips because one can’t hold two IDs at the same time, right?

But Mifare seems to be a lot of different chips. Does the xM1 work with several Mifare types or only Classic? Does DESFire only work with DESFire?

That is unusual.

I venture that the door access authentication is done on the EM, and the Mifare is there for something else - possibly unused in your company, if whoever procured the card simply bought a batch of whatever happened to work from that reseller and the Mifare part of it was just extra unused cruft.

It’s highly unlikely that the door access uses dual-frequency readers and authenticates on both frequencies. If it does, I really want to know what make/model it is.

My suggestion is: get yourself a DT RFID Diagnostic Card and present it to the reader at your workplace:

  • If the LF LED lights up, you’ll need an xEM, flexEM, or NExT or flexNExT.
  • If the HF LED lights up, you’ll need an xM1 or flexM1.
  • If both light up, you’ll need a flexMT and you need to tell me who makes the reader :slight_smile:

The xM1 (or flexM1, or the HF part of the flexMT) is a “Magic Chinese” Mifare Classic 1K chip. That is, a Mifare Classic that happens to have a hidden command that lets you program its sector 0 - which is not programmable normally on genuine M1Ks - so you can make 1:1 clones.

Some smarty-pants readers are aware of the “hidden” Magic Chinese command (which isn’t much of a secret anymore) and issue it, to probe whether the card is a clone or genuine. It’s not the norm however, although it is getting more common.

In short, unless you’re unlucky, a properly programmed xM1, flexM1 or flexMT will pass off as the genuine article and fool the reader if indeed it is a HF reader.

All this of course is assuming the reader does in fact require a Mifare Classic, which isn’t even certain. It may just be happy with any old ISO14443A transponder that spews out a UID that’s enrolled into the system.

It’s not as unusual as you might think… often times these are the natural choice for facilities that want to transition from insecure LF to a more secure HF like iClass or something… but have tons of LF only badges deployed. Often times they enable LF and HF until all LF badges are cycled out and then disable LF… sometimes… if the security people haven’t changed since the decision was made… and if they remember.

Chances are good the LF side still works fine… it would totally be worth trying to clone just the LF side.

1 Like

Yeah, but… transition to a Mifare Classic? That seems like yesterday’s fight. That’s why I said it’s unusual.

Unless our friend has an older transitional card, and they’ve transitioned to the then-more-secure Mifare Classic years ago. Hmm… didn’t think about that.

Yes that would be unusual… but…

My bet is that it is DESFire at least if not a form of iClass.

@Bunne can you try scanning your badge with TagInfo? It should be able to shed more light on the situation.

Where are the recommended places for implanting the chips other than the traditional one and close to the armpit in the case of xBT?
I would like recommendations for places where you can implant without any problem, I have an xNT in my left hand between the index finger and the thumb and I would like a chip with LED but I fight jiujitsu and boxing.

Here is a great resource:

Hope this helps!

1 Like

On a side note, you’d think any old location you fancy should work. But the body artist who installed my doNExT warned me against certain locations on the arm and forearm that are too close to major nerves, and against very fleshy bits like the buttocks. He told me he’s had customers who ended up with shooting pains in their arms, and he knows of cases of implants migrating deep into the tissues.

1 Like

Thank you very much, I will check with my artist about it.

We got new cards a couple of years ago due to some upgrade; soon after, they also did something on all the readers. Nobody would tell me what and why, just that it was an upgrade. We have different readers across the buildings, but all the ones I have checked the name of so far have been an Assa Abloy model.

We also use the badges for activating the copy machine, so it might be that the access system uses one type of chip and the copy machine another.

I’ve tried reading the card with TagInfo (on iPhone); that did not work. I ordered a DT diagnostic card a couple of days ago, but it has not arrived yet - I’ll try it as soon as it shows up! Thanks!

As much of a pain and learning curve it was for me, I really recommend picking up a proxmark3 easy (dt sells them now which is easier and sooo much faster than China)

Gives you a whole different level of ability to interact with chips and cards

1 Like

I will ship you my ProxMark3 to use if you ship it back, just make sure it’s what you need first! $300+ is too much for me to have paid for just one use cloning my school ID to my xEM lol. Trying to share the resource around! (It also has a ProxLF antenna)


I got my NFC reader today. It reads both my NTAG216 chip and my work badge (NXP Mifare Classic 4k). I use a Macbook and the software «NFC Tools for Desktop».

I’m able to import and save information from my chip, but when I try importing from my work badge nothing happens. Why, and how to solve it?

Under «memory» on the badge there is a bunch of lines:
Addr. 01 : DATA
Addr. 02 : DATA
Addr. 07 : KEYA / ACCESS / KEYB
Addr. 08 : DATA
And so on.

The memory information says:
4kBytes: 32 sectors of 4 blocks and 8 sectors of 16 blocks (16 bytes per block).
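
Added example, not part of the original posts: the memory listing above follows the MIFARE Classic 4K layout, where the last block of every sector is the KEYA / ACCESS / KEYB trailer. The sketch below rebuilds that block map and decodes one trailer, including the inverted-copy check on the access bits; the function names and the sample trailer bytes are constructed for illustration.

```python
# Added example (not from the thread): MIFARE Classic 4K block map and
# sector-trailer decoding, following the layout quoted in the post above.

def sector_layout(small=32, large=8):
    """Return [(sector, first_block, block_count)]: 32 sectors of 4 blocks, then 8 of 16."""
    layout, block = [], 0
    for sector in range(small + large):
        count = 4 if sector < small else 16
        layout.append((sector, block, count))
        block += count
    return layout

def trailer_blocks():
    """Absolute block numbers that hold KEYA / ACCESS / KEYB (last block of each sector)."""
    return [first + count - 1 for _, first, count in sector_layout()]

def usable_bytes():
    """Data capacity: every block except the 40 trailers and manufacturer block 0."""
    total = sum(count for _, _, count in sector_layout())
    return (total - len(trailer_blocks()) - 1) * 16

def parse_trailer(raw: bytes) -> dict:
    """Split a 16-byte sector trailer and validate the access bits.

    Bytes 6-8 store C1, C2, C3 (one nibble each) plus an inverted copy of
    each nibble; a mismatch means the trailer is corrupt or misread.
    """
    if len(raw) != 16:
        raise ValueError("sector trailer must be exactly 16 bytes")
    b6, b7, b8 = raw[6:9]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv1, inv2, inv3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    if (c1 ^ inv1, c2 ^ inv2, c3 ^ inv3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits do not match their inverted copy")
    # Bit i of each nibble applies to block group i; index 3 is the trailer itself.
    conditions = [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]
    return {"key_a": raw[:6].hex(), "access": conditions,
            "user_byte": raw[9], "key_b": raw[10:].hex()}

# Constructed sample trailer: Key A reads back as zeros (the chip never returns
# it), transport access bits FF 07 80, user byte 0x69, and a made-up Key B.
SAMPLE = bytes.fromhex("000000000000" "ff0780" "69" "112233445566")

if __name__ == "__main__":
    print(trailer_blocks()[:3], usable_bytes())
    print(parse_trailer(SAMPLE))
```

Block 7 in the listing is the trailer of sector 1, which is why it shows KEYA / ACCESS / KEYB while blocks 1, 2 and 8 show DATA.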



Disclaimer: I have no clue what I’m saying.
I guess because the NTAG and the M1 need different commands to be read?
Ain’t that the thing with all this Mifare stuff, that they need their own readers?

The same goes for the card to my friend’s building (Mifare Classic 1k). A lot of lines, not able to import.

I would scan this with a compatible Android phone with NFC and an NXP reader chip (necessary for Mifare) with TagInfo… chances are high that the badge does not use default keys but has secured its sectors. It’s not uncrackable, but NFC Tools is not designed to do that kind of work.

Do you have a proxmark3? If not, you should get one as it is the de facto standard tool for messing around with RFID :slight_smile:

1 Like

This looks like the app is failing at unpacking the data…

Given that Apple is notoriously bad at dealing with RFID stuff, I would follow @amal’s suggestion: Try using NFC Tools for android…?


NFC Tools is shit for identifying tag chips and dealing with data visualization imo

My bad. Total Brainfart…
I completely forgot that NFC Tools is an app name. Yet somehow my muscle memory picked up on that and capitalised the T, thus shifting the original meaning of “any of the many available tools for dealing with NFC stuff, from Android”, into a specific app. :expressionless:

That said, TagInfo and Chameleon are the only 2 NFC apps that I keep installed, but Chameleon fits a peculiar use case and requires particular hardware as well…
So I don’t actually have any modern opinion on “NFC Tools”.

1 Like