xdf2
December 2, 2021, 1:22am
1
Article here.
I’ve been using my xEM chip since arriving on campus this fall as my student ID to access buildings/dining halls/my dorm. And to no surprise, people have asked a lot of questions. I wrote this article in the hopes of addressing some of the most common ones, while also delivering commentary on the space and its future prospects for the “average” person.
I realize this isn’t groundbreaking information for many of you though I thought I’d share it nonetheless! Send it to anyone you know who wants to learn more about the subject.
Cheers everyone,
Mason
17 Likes
Awesome,
Keep us in the loop how it’s received
xdf2
June 16, 2024, 11:30pm
3
Well, for the past year or so it has ceased to function (or even take a read from my PMEasy). So now I’m looking for possible fixes…
xdf2
June 27, 2024, 3:10am
5
Update: purchased a RD4 and ProxLF antenna, followed the steps you linked, and sadly no luck. The piece that is surprising me: running lf tune, the voltage reading appears to go up? I’ve put other test cards against it as well as my current student ID card and watch the voltage drop from ~28 to ~26 V. Running lf tune without placing anything against the antenna, it modulates rapidly between 27 and 28 V, so it appears to be going between 27950 and 28050 quickly. Placing my implant against the antenna, it stabilizes at 28 V around 28100.
To recap, this is an xEM that was functioning for more than 5 years without much issue. Before I came to college, I used it at my office as an HID ProxCard, programmed via a blue cloner. When I arrived here in 2021, I acquired a PM3 Easy and successfully copied my student ID (HID H10301 26-bit and Indala 26-bit) to the implant. I used it without error for ~2 years and then began to face read issues over time wherein the chip progressively became harder and harder to read.
Here are my stats:
PM3
Release v4.18589 - Aurora
MCU....... AT91SAM7S512 Rev B
Memory.... 512 KB ( 70% used )
Client.... Iceman/master/v4.18589 2024-05-28 10:36:31
Bootrom... Iceman/master/v4.18589-suspect 2024-05-28 10:36:31
OS........ Iceman/master/v4.18589-suspect 2024-05-28 10:36:31
Target.... RDV4
Installed on 13-inch, M2, 2022 MacBook Pro via Homebrew.
[usb] pm3 --> hw status
[#] Memory
[#] BigBuf_size............. 39700
[#] Available memory........ 39700
[#] Tracing
[#] tracing ................ 1
[#] traceLen ............... 0
[#] Current FPGA image
[#] mode.................... fpga_pm3_lf.ncd image 2s30vq100 2024-02-03 15:12:10
[#] Flash memory
[#] Baudrate................ 24 MHz
[#] Init.................... ok
[#] Memory size............. 2 mbits / 256 kb
[#] Unique ID (be).......... 0x37916053175462D5
[#] Smart card module (ISO 7816)
[#] version................. v4.42 ( ok )
[#] LF Sampling config
[#] [q] divisor............. 95 ( 125.00 kHz )
[#] [b] bits per sample..... 8
[#] [d] decimation.......... 1
[#] [a] averaging........... no
[#] [t] trigger threshold... 0
[#] [s] samples to skip..... 0
[#]
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) | 29 | 17 | 15 | 47 | 15 | n/a | n/a |
[#] long leading reference | 29 | 17 | 18 | 50 | 15 | n/a | n/a |
[#] leading zero | 29 | 17 | 18 | 40 | 15 | n/a | n/a |
[#] 1 of 4 coding reference | 29 | 17 | 15 | 31 | 15 | 47 | 63 |
[#]
[#] HF 14a config
[#] [a] Anticol override.... std ( follow standard )
[#] [b] BCC override........ std ( follow standard )
[#] [2] CL2 override........ std ( follow standard )
[#] [3] CL3 override........ std ( follow standard )
[#] [r] RATS override....... std ( follow standard )
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed................... 500ms
[#] Bytes transferred.............. 364544
[#] Transfer Speed PM3 -> Client... 729088 bytes/s
[#] Various
[#] Max stack usage......... 3520 / 8480 bytes
[#] Debug log level......... 1 ( error )
[#] ToSendMax............... -1
[#] ToSend BUFFERSIZE....... 2308
[#] Slow clock.............. 32433 Hz
[#] Installed StandAlone Mode
[#] LF HID26 standalone - aka SamyRun (Samy Kamkar)
[#] Flash memory dictionary loaded
[#] Mifare.................. 1817 / 2047 keys
[#] T55x7................... 123 / 1023 keys
[#] iClass.................. 28 / 511 keys
[usb] pm3 --> hw version
[ Proxmark3 RFID instrument ]
[ Client ]
Iceman/master/v4.18589-suspect 2024-05-28 10:36:31 669923317
compiled with............. Clang/LLVM Apple LLVM 15.0.0 (clang-1500.1.0.2.5)
platform.................. OSX / aarch64
Readline support.......... present
QT GUI support............ present
native BT support......... absent
Python script support..... present
Lua SWIG support.......... present
Python SWIG support....... present
[ Proxmark3 ]
device.................... RDV4
firmware.................. RDV4
external flash............ present
smartcard reader.......... present
FPC USART for BT add-on... absent
[ ARM ]
bootrom: Iceman/master/v4.18589-suspect 2024-05-28 10:36:31 669923317
os: Iceman/master/v4.18589-suspect 2024-05-28 10:36:31 669923317
compiled with GCC 10.3.1 20210824 (release)
[ FPGA ]
fpga_pm3_lf.ncd image 2s30vq100 2024-02-03 15:12:10
fpga_pm3_hf.ncd image 2s30vq100 2024-02-03 15:12:20
fpga_pm3_felica.ncd image 2s30vq100 2024-02-03 15:12:41
fpga_pm3_hf_15.ncd image 2s30vq100 2024-02-03 15:12:31
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 70% used )
[=] -------- LF Antenna ----------
[+] 125.00 kHz ........... 28.00 V
[+] 134.83 kHz ........... 26.86 V
[+] 127.66 kHz optimal.... 28.83 V
[+]
[+] Approx. Q factor measurement
[+] Frequency bandwidth... 4.1
[+] Peak voltage.......... 5.0
[+] LF antenna............ ok
[=] -------- HF Antenna ----------
[+]
[+] Approx. Q factor measurement
[!] ⚠️ HF antenna ( unusable )
[=] -------- LF tuning graph ------------
[+] Orange line - divisor 95 / 125.00 kHz
[+] Blue line - divisor 88 / 134.83 kHz
xdf2
June 27, 2024, 4:01am
6
In the meantime, recommendations from anyone on New England area chip removal?
Have you removed the password that the blue cloner automatically writes to it?
Check out this for a how to
PROXMARK Remove Blue Cloner Password
There are a couple of approaches to this, but for simplicity’s sake, I will post the one I THINK is the easiest
Wipe the implant / fob / card back to T5577 using the password, something like this:-
lf t5 wipe --p 51243648
Then write the new mode to it as per Proxmark instructions ( Found elsewhere )
Thanks @TomHarkness for the Blue Cloner Password
xdf2
June 27, 2024, 5:28pm
8
I’ve gone through the motions with no luck, unfortunately.