Identifying mystery RFID keyfob

The proper way would be using a proxmark to identify it.
But whatever it is, it’s very likely it’s clonable to a t5577 (the chip in the xEM), afaik most LF chips are reprogrammed t5577s.

I guess you want to clone it to your chip anyways, so a proxmark easy would be a good investment IMO. But let’s wait for the HID reader results.

A couple of ideas for you:-

WAIT & HOPE your reader you ordered works

ANOTHER OPTION Grab yourself as many different LF cards as you can ( ebay / amazon ) and try to enroll them into your system, the one(s) that work will be your answer.
You will mainly be looking for the common ones: EM41xx, EM4200, HID 1326 ProxCard II, HID 1346 ProxCard III, and Indala.

Where are you located?
You may be able to send a spare fob to one of our community members nearby with a proxmark.
That would probably be your FASTEST and CHEAPEST option.

The BEST option, especially if your work will pay for it.
Send an enrolled fob to Amal ( with your access profile on it ), he can scan and enroll it onto a NExT ( or xEM or FlexEM etc ) and send it back.
This will give you the implant you want NEED ready to install, PLUS you will get the answer as to what LF cards you need for the rest of the staff.

THE PROBLEM IS:
This service is no longer available on the website, so you may have to ask Amal super nicely :+1:

DT are also on holiday until 1st Jan, so if you can hold out sending an @ Amal on here, or using the Orange help on the webpage until after then, that would be nice ( They are having a well deserved break, over the past year, Amal has been on the forum 354 of the 365 days, that’s not including the other platforms he monitors and work he may be doing outside of communicating with the community )
This is what you are looking for on the webpage

THEN, convince others at your work to get some implants

2 Likes

I’m in the UK.

For once, time isn’t an issue. This is a project of my own devising and I can work on it at my leisure. That being said, once I’ve had a tinker and got all the bits in, it won’t take long to commission it all.

I’ve started mandatory isolation today, so access to the existing system isn’t possible until late next week at the earliest.
Grabbing some common cards sounds like a good idea, I can get them before I’m allowed back in.

A proxmark3 is on my shopping list, I might bump that up and get it much sooner than later.

I’ll avoid getting someone to clone a chip for the time being. I’ll learn more by doing and asking questions when I break things…

1 Like

Good plan! However, if you want somebody to tell you what cards you have to save you some time ( You will still learn )

There are a few people on here in the UK.
Once they see this I’m sure you will get some offers…

I am almost the complete antipodes from you, in NZ, otherwise, I would do it for you.

We discontinued the cloning service for a couple reasons but the availability of a cheap upgraded proxmark3 is the primary reason.

I am going to be following up with some basic how-to write-ups for the iceman firmware soon too.

1 Like

Bit of an update.
The USB HID arrived (14 days delivery, 30 miles from me…).
My Proxmark3 Easy & NExT arrived (24 hours, US to UK!).
I’ve built up a test rig with the access control board and enrolled our existing keyfobs. Picked up a couple of random em fobs and they work too. The HID scans the fobs no problem. All looking good so far.

@amal A couple of observations for the proxmark3 getting started. This is on Windows 10 with Proxspace 3.7.1. You might want to note these variations in the guide.

  1. First couple of installations failed pretty early on, I had to suspend antivirus to get it to complete successfully.
  2. I didn’t get any break and re-run prompt. Installation seemed to run all the way through with no issues.

Firmware update appears to have gone well. I can lf search various tags and get results back. I haven’t gotten around to copying/cloning/writing anything yet. I have a couple of spare tags to mess with, but they are showing as “couldnt identify a chipset”, but show a valid EM421x ID. My original tag is a T55xx.

I’ve ordered a stack of T5577/EM4305 tags from amazon, they should be with me tomorrow.
What should be my next step? Copy the ID of the existing tag to a new tag?

2 Likes

LF search doesn’t usually manage to identify a chipset unless it’s a perfect antenna / couple. Try running LF t55 det if you want to find out if any of your existing tags are T5577.

Yeah, this would be a great thing to learn. Try to clone as many different LF card types as possible.

1 Like

Had some time to fiddle tonight, but don’t seem to be getting anywhere.
Here’s a tag I want to copy

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 32006B5D31
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 4C00D6BA8C
[=] HoneyWell IdentKey
[+] DEZ 8 : 07036209
[+] DEZ 10 : 0007036209
[+] DEZ 5.5 : 00107.23857
[+] DEZ 3.5A : 050.23857
[+] DEZ 3.5B : 000.23857
[+] DEZ 3.5C : 107.23857
[+] DEZ 14/IK2 : 00214755401009
[+] DEZ 15/IK3 : 000326431586956
[+] DEZ 20/ZK : 04120000130611100812
[=]
[+] Other : 23857_107_07036209
[+] Pattern Paxton : 847223601 [0x327F9B31]
[+] Pattern 1 : 10406478 [0x9ECA4E]
[+] Pattern Sebury : 23857 107 7036209 [0x5D31 0x6B 0x6B5D31]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

Couldn’t identify a chipset

If I try to copy it to a T5577 I get

[usb] pm3 --> lf em 410xwrite 32006B5D31 1
help This help
410x EM 4102 commands…
4x05 EM 4205 / 4305 / 4369 / 4469 commands…
4x50 EM 4350 / 4450 commands…
4x70 EM 4070 / 4170 commands…
[usb] pm3 -->

Suggestions?
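
The notations listed in the lf search output above can all be reproduced from the 5-byte EM410x ID, which is useful when matching a number printed on a fob or shown by an access controller against the ID the Proxmark reports. This is an added example, not part of the original posts or the Proxmark3 code; the field layouts are inferred from the quoted output and the function names are hypothetical.

```python
# Added example: rebuild the ID notations that `lf search` printed for the
# EM410x tag in this thread. Layouts are inferred from that output (assumption),
# not copied from the Proxmark3 source.

def em410x_formats(id_hex: str) -> dict:
    """Return the common decimal/hex notations for a 5-byte EM410x ID."""
    raw = bytes.fromhex(id_hex)
    if len(raw) != 5:
        raise ValueError("EM410x ID must be exactly 5 bytes (10 hex digits)")
    value = int.from_bytes(raw, "big")
    low16 = value & 0xFFFF  # lowest two bytes, shared by the x.5 notations
    return {
        # "Unique TAG ID": each byte with its bit order reversed
        "unique": bytes(int(f"{b:08b}"[::-1], 2) for b in raw).hex().upper(),
        # DEZ 8 / DEZ 10: lowest 24 / 32 bits as zero-padded decimal
        "dez8": f"{value & 0xFFFFFF:08d}",
        "dez10": f"{value & 0xFFFFFFFF:010d}",
        # DEZ 5.5: bits 31..16 and bits 15..0 as two 5-digit fields
        "dez5_5": f"{(value >> 16) & 0xFFFF:05d}.{low16:05d}",
        # DEZ 3.5A/B/C: byte 0, 1 or 2 as a 3-digit prefix to the low 16 bits
        "dez3_5a": f"{raw[0]:03d}.{low16:05d}",
        "dez3_5b": f"{raw[1]:03d}.{low16:05d}",
        "dez3_5c": f"{raw[2]:03d}.{low16:05d}",
    }


def match_printed_number(id_hex: str, printed: str) -> list:
    """Names of the notations that equal a number printed on a fob or label."""
    wanted = printed.strip()
    return [name for name, text in em410x_formats(id_hex).items() if text == wanted]


if __name__ == "__main__":
    # ID taken from the lf search output quoted in the post above
    for name, text in em410x_formats("32006B5D31").items():
        print(f"{name:8} {text}")
```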

lf em 410xwrite 32006B5D31 1
Should that not be
lf em410x write 32006B5D31 1

1 Like

Or
lf em 410x_write 32006B5D31 1
Or
lf em 410x write 32006B5D31 1

by the looks of the lf help section, i think it might be an icky chinese firmware on that thing… get yo self iceman…

alternatively you could use the built-in help menus to explore the proper commands you need to use for your firmware… though it’s probably a huge mess and likely not clear at all.

@amal it’s one of yours, so iceman should be on there :slight_smile:

I’ve been through the permutations of em410x_write, em410xwrite, em410x write, all give the same result

Anything standing out here as incorrect?

[=] Session log D:\Working\ProxSpace\pm3/.proxmark3/logs/log_20210112.txt
[+] loaded from JSON file D:\Working\ProxSpace\pm3/.proxmark3/preferences.json
[=] Using UART port com3
[=] Communicating with PM3 over USB-CDC

██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝ Iceman
╚═╝ ╚═╝ ╚═╝╚════╝ bleeding edge

https://github.com/rfidresearchgroup/proxmark3/

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman/master/v4.9237-2834-gb60daea57 2021-01-10 12:38:47
compiled with MinGW-w64 10.2.0 OS:Windows (64b) ARCH:x86_64

[ PROXMARK3 ]
firmware… PM3OTHER

[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-2834-gb60daea57 2021-01-10 12:40:24
os: RRG/Iceman/master/v4.9237-2834-gb60daea57 2021-01-10 12:40:55
compiled with GCC 8.4.0

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
–= uC: AT91SAM7S512 Rev B
–= Embedded Processor: ARM7TDMI
–= Nonvolatile Program Memory Size: 512K bytes, Used: 274623 bytes (52%) Free: 249665 bytes (48%)
–= Second Nonvolatile Program Memory Size: None
–= Internal SRAM Size: 64K bytes
–= Architecture Identifier: AT91SAM7Sxx Series
–= Nonvolatile Program Memory Type: Embedded Flash Memory

[usb] pm3 -->

I’m banging my head against a wall now.
I’ve tried reinstalling proxspace and tried recompiling the firmware, it ends with the following warning

GEN lualibs/mfc_default_keys.lua
[=] LD proxmark3
[*] MAKE bootrom/all
/bin/sh: arm-none-eabi-gcc: command not found
compiler version:
[=] GEN version.c
[-] CC version.c
make[1]: arm-none-eabi-gcc: No such file or directory
make[1]: *** […/common_arm/Makefile.common:124: obj/version.o] Error 127
make: *** [Makefile:131: bootrom/all] Error 2
pm3 ~/proxmark3$

So, I’ve abandoned that and tried the precompiled binaries at https://proxmarkbuilds.org/
Flashed bootrom & full image. Client starts up, I can hw tune, lf search, lf t55 det no problem, but when it comes to writing to a tag with lf em 410x_write xxxxxxxx 1, I’m back to a non helpful help listing.

So, is the current Iceman release broke? Is it worth me stealing my freshly wiped laptop from work and trying on that, could it be a pc issue?

whaaaa? no… much wow!

what version firmware and client are you on right now?

██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝ Iceman
╚═╝ ╚═╝ ╚═╝╚════╝ bleeding edge

https://github.com/rfidresearchgroup/proxmark3/

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman/master/v4.9237-2844-g2646925ad 2021-01-13 17:03:54
compiled with MinGW-w64 10.2.0 OS:Windows (64b) ARCH:x86_64

[ PROXMARK3 ]
firmware… PM3OTHER

[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-2844-g2646925ad 2021-01-13 17:03:39
os: RRG/Iceman/master/v4.9237-2844-g2646925ad 2021-01-13 17:03:47
compiled with GCC 8.4.0

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
–= uC: AT91SAM7S512 Rev B
–= Embedded Processor: ARM7TDMI
–= Nonvolatile Program Memory Size: 512K bytes, Used: 274623 bytes (52%) Free: 249665 bytes (48%)
–= Second Nonvolatile Program Memory Size: None
–= Internal SRAM Size: 64K bytes
–= Architecture Identifier: AT91SAM7Sxx Series
–= Nonvolatile Program Memory Type: Embedded Flash Memory

Hey @vworp, if you’re on the latest iceman build, the command for writing / cloning to an em410x has changed (not sure exactly when they’ve changed). Instead of lf em 410x write try lf em 410x_clone.

Here’s where you can find the commands, and the command specific help: lf em and lf em [command] help (e.g. lf em 410x_clone help)

Hope that helps!

2 Likes

Yeah, I’m not getting that

[usb] pm3 --> lf em 410x
help This help
demod demodulate a EM410x tag from the GraphBuffer
reader attempt to read and extract tag data
sim simulate EM410x tag
brute reader bruteforce attack by simulating EM410x tags
watch watches for EM410x 125/134 kHz tags (option ‘h’ for 134)
spoof watches for EM410x 125/134 kHz tags, and replays them. (option ‘h’ for 134)
clone write EM410x UID to T55x7 or Q5/T5555 tag
[usb] pm3 --> lf em 410x_clone help
help This help
410x EM 4102 commands…
4x05 EM 4205 / 4305 / 4369 / 4469 commands…
4x50 EM 4350 / 4450 commands…
4x70 EM 4070 / 4170 commands…
[usb] pm3 -->

I should be on the latest Iceman.

[ CLIENT ]
client: RRG/Iceman/master/v4.9237-2844-g2646925ad 2021-01-13 17:03:54
compiled with MinGW-w64 10.2.0 OS:Windows (64b) ARCH:x86_64

[ PROXMARK3 ]
firmware… PM3OTHER

[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-2844-g2646925ad 2021-01-13 17:03:39
os: RRG/Iceman/master/v4.9237-2844-g2646925ad 2021-01-13 17:03:47
compiled with GCC 8.4.0

Damn, that sucks. It definitely shows up when you run lf em 410x though, so at least now you know it’s clone instead of write. I’m definitely not using the very latest iceman build (I think mine is from mid December last year), so that could be the cause of it. I’ll try updating and see if I get the same issue.