Intro and questions

AKA All the questions you answer for every new member a hundred times a day.

Hi folks. I’ve been lurking and researching a bit, trying to get a handle on what I need to be looking at for the implant(s), so I’ll try to avoid the most common questions. I thought I was good, but I think I may have confused myself on something and would love a dummy-check.

I want to replace two items:

• Kanteck P40 keyfob
  • Lots of info in this thread
  • They got it working with the T5577 so it should be using 125khz, which fits my research
• HID iClass DY tap card
  • Initial research says the iClass cards are capable of using either/both frequencies
  • I’ll order an RDC so I can test which frequency the reader is polling and hope for HF

It looks like the P40 should be using 125khz but the Sparkfun ID-12LA reader that I have on hand, which is a 125khz rfid reader, doesn’t detect it at all. I know the reader module works because it detects other cards I have. Could the issue be that the reader I have is not supporting the XSF encoding\protocol of the fob, or have I completely misunderstood something?

Welcome! Sounds like you have been doing your research.
The ID-12(LA or otherwise) only work with EM4100 tags so thats why it won’t scan

Thanks, I like to do my research before asking the same questions that have been answered a dozen times. That was the bit I was missing, thanks. So, in theory, if the RDC gets here and shows the reader for the HID card is responding on the HF band then a single NExT should do the trick for me, otherwise I would need a pair of implants with enough distance between them so I don’t trigger the wrong UID on the wrong access pad. Is that accurate?

Unfortunately not, the NExT contains a NTAG216 which has a fixed UID. There are mifar HF chips that have a changeable UID but these are mifar classic 1k only.

There is a good chance it is 125khz.

Thanks @Pilgrimsmaster for pointing out how my original comment was a little too exclusive

Just so I’m 100% sure I know what you mean, if the card reader uses 13.5/HF then I am not going to be able to replace that card with an implant. Is that correct?

Can you scan the fob with your phone? Using an app called taginfo. Also I was talking almost exclusively about the p40 up until this point sorry. The iclass I believe can only be cloned to the xSLX (HF)

Nothing to be sorry about, I misunderstood. Happy to solve one problem at a time. No, no luck reading the fob from Taginfo using a Galaxy S9. Tested with a MiFare card I have around to make sure the hardware/app were working.

So that thread I linked in the OP seems to imply that with a proxmark3 and the ProxLF antenna, I can get the fob working on a NExT, am I reading that right?

The P40 keyfob is able to be cloned to any of the EM variant of which the NExT is one.

I can help with the ioProx cloning if you hit any snags, but you’ll need to get a Proxmark3. A PM3 Easy would probably do for this. People recommend the Piswords one. If you need someone can dig up a purchase link.

LIKE THIS

Thanks all. I can read\research all I want, but it is nice to hear it confirmed straight up before making the investment.

I thought I had read that some of the implants required the cylindrical coil of the ProxLF antenna. Is that just for longer range/reception then? I was planning to order a Proxmark3 RDV4 from Hacker Warehouse this morning with the ProxLF antenna from here (hey, with the NExT as a bundle, why not!), but if the Easy does the job at a fraction of the cost… I’ll do some reading on what that extra money would get me and pull the trigger on one or the other that week.

P40 questions seem to be solved, it looks like that is a known entity. For the HID iClass card, @Devilclarke said they think the only option is the xSLX. The card’s datasheet says it uses ISO15693 so that does appear to be the only implant using that standard, so that sounds settled as well. I’ve heard rumours that those cards are being replaced/upgraded so I’ll verify the new cards are on the same standard, but unless they swap out all of the readers I suspect they won’t deviate too far from the old standard, and the old ones will likely still be supported as legacy for some time either way. So I have feelers out to verify that right now.

So with an NExT for the P40 and an xSLX for the iClass card, that should cover my two initial use cases and leave me with a spare HF for whatever. If that’s wrong, I’d love to be corrected now rather than struggle later after they are implanted.

Follow-up question, just to verify: Since these are all on a different frequency/standard, it should be fine to use position 0 for both implants and all three chips should work fine without interfering, right? If so, then is the range on the x-series good enough to be read from the palm-side or am I placing the back of my hand on every reader?

Next steps:

• pick and buy a proxmark
• verify the new replacement card standard
• get the two implants
• ???
• PROFIT!!!

Thanks for your help and patience. I can’t wait to think of ways to put my “spare” chip to use.

EDIT: Or did the previous comment that non of the HF chips allowed reprogramming mean this is not going to work for the iClass? Currently researching that process and realized I may have glossed over that comment.

EDIT: for my own sanity, consolidating links.

Looks like the iClass DY was tried here: Cloning HID iClass DY
and worked on at the PM site: http://www.proxmark.org/forum/viewtopic.php?pid=32488#p32488

Correct

Un likely from Palm side, but the back of the hand is still very usable.

Yep, currently.
A year ago, you would have also had the original Spark as an option, you could TRY and ask amal if he has any spares, but I think @Backpackingvet nabbed the last one.

It definitely helps, but not necessary, The LF antenna coil is only compatible with the PM3 RDV4, however there is a home brew for the PM Easy that @Compgeek eek developed, I will grab you the link. HERE

RE RDV4, Hacker Warehouse are AN option, there are others available, I see you are in Canada, so Sneak technology (Oceania and Asia) and KSEC (Europe) wouldn’t be the most sensible, therefore I would personally point you to Red Team Alliance who also do an iClass test card, but like I say, there are other suppliers, and at the end if the day, there is not a lot of price difference in the RDV4, maybe just shipping; then grab the LF antenna from DT when you order your implants
OR
if you go for an Easy,
The EASY I would Reccomend Aliexpress piswords as above
But again, there are other options available, I just know their ones work

Just saw your Edits

You will need to enroll into the system via administrator etc.

My reccomenation to you and a worthwhile investment is grab yourself an iso15693 test card and whilst you are at it a KSEC test card bundle

I think I covered most of it, let us know if you have further questions

You’ve been very helpful. To make sure I got this, the TL;DR is with a NExT I can copy my existing P40 into my implant; no trouble, not changes on their side. For the iClass I would need an xSTX, which can not be reprogrammed, so I have to convince them to accept it.

I also just found this thread Can you clone HID iclass to a xSLX chip?.

So overall it looks like the only real option for that card will be to get the xSLX (or Spark maybe) and convince someone with admin access to add my implant to the system on their side; it looks like it will not be possible to clone my existing access card over to my hand from what I am seeing. That adds a layer of difficulty there. [EDIT - your edit in response to my edit covered this. editing the edited edit to edit… wait… where was I? cheers]

Sorry for a million questions (or, rather, asking the same question a dozen different ways). With specific uses in mind, I want to make sure I’m getting the right toys for the job and understand the process.

Sorry I’m late to the party here.

For iClass an xSLX isn’t going to help you, there’s no implant that can clone iClass cards.

As others have indicated, enrolling is your only option on this, but ISO15693 doesn’t actually help with that - depending on the readers used of course. If they are the genuine HID readers, they use ISO14443a for the UID only mode. For original series, they specify Mifare Classic (not sure if others work) and for the SE readers, its any ISO14443a UID.

The kicker? It’s a hardware configuration setting on the reader that enables or disables it. Even if you befriend the person enrolling it, if it’s turned off (for security it SHOULD be off, but its probably 50:50), they can’t turn it on without a configuration card and physically pulling the reader off the wall.

Basically for enrolling, look at what UID (CSN) modes the reader supports and aim for that, usually its not ISO15693.

(EDIT: of course talking about HF only, which is the only iClass freq. If its a dual technology card, it could also contain something LF - usually HID Prox II, sometimes Indala - and if it uses that a T5577 is your best friend)

Thanks for the correction. I’m getting more confused now; too many different protocols and technologies, I need some help narrowing down my reading. I’m friendly with the admin, I might be able to chat them into enrolling my chip, but they are not the most tech-savvy person so it’ll be on me (with you wonderful cyborgs for help) to sort out which chip will work and it’ll have to be done without removing the reader from the wall or anything disruptive like that. How do I get the reader’s CSN mode, is that coming from the proxmark or one of the test cards?

So far I have ordered the following today:

Red Team Alliance: T5577 rewritable RFID card and Blank iCLASS 2K RFID Card
KSEC: Test Card Bundle
DT: RFID Diagnostic Card

I was about to pull the trigger on a PM3 Easy which I can have in my hands tomorrow, but if I am going to want/need to use it on the reader then I should splurge on the RDV4 after all.

Alright, it looks like the iClass may be out of reach right now, or at least much more involved to try to figure out how to get it working. I ordered the NExT deluxe kit for now, and I can always get the other one later. I’ll hold off a little on the PM3; if @Compgeek says I’l want the RDV4 to test the reader to get the iClass details then I’ll get that, otherwise it looks like the Easy should be fine for my needs (for now?)

Any testing you can do should be similar on an Easy, not sure of anything other than a couple of standalone modes it can’t do that the RDV4 can for this purpose.

The easiest way to see if it will work is to grab an NTAG test card, or use your implant, and see if the reader beeps. If it beeps but doesn’t open, it got a read and you’re good to go. If it doesn’t beep, then the reader doesn’t have the right mode enabled. What brand are the readers? Do you have a picture?

No pictures of the reader yet, but I’ll be getting one. It’s an HID system, but I will need to get more info on the readers themselves. I had not realized there was so much variation in their own products.

I have a bunch of testing cards I ordered today so when they come in, I can try them out. International shipping slows everything down

Sorry for the double post, not entirely sure about etiquette here about that.

got my proxmark easy today and set it up.

P40 fob:

proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

00000000 0
11110000 1
01011011 1 facility
00000001 1 version
10101011 1 code1
11000011 1 code2
01000101 11 checksum
IO Prox XSF(01)5b:43971 (007856e03abe1d17) [45 crc ok]

Valid IO Prox ID Found!

Valid T55xx Chip Found
Try lf t55xx ... commands

iClass Card:

proxmark3> hf search

CSN: 48 ce 76 03 f9 ff 12 e0
CC: ff ff ff ff f1 de ff ff
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
Crypt: Secured page, keys not locked
RA: Read access not enabled
Mem: 2 KBits/2 App Areas (32 * 8 bytes) [1F]
AA1: blocks 06-12
AA2: blocks 13-1F
AppIA: ff ff ff ff ff ff ff ff
: Possible iClass (legacy tag)

Valid iClass Tag (or PicoPass Tag) Found - Quiting Search```