Intro and questions

Nothing to be sorry about, I misunderstood. Happy to solve one problem at a time. No, no luck reading the fob from Taginfo using a Galaxy S9. Tested with a MiFare card I have around to make sure the hardware/app were working.

1 Like

So that thread I linked in the OP seems to imply that with a proxmark3 and the ProxLF antenna, I can get the fob working on a NExT, am I reading that right?

The P40 keyfob is able to be cloned to any of the EM variants, of which the NExT is one.

2 Likes

I can help with the ioProx cloning if you hit any snags, but you’ll need to get a Proxmark3. A PM3 Easy would probably do for this. People recommend the Piswords one. If you need, someone can dig up a purchase link.

2 Likes

LIKE THIS

2 Likes

Thanks all. I can read/research all I want, but it is nice to hear it confirmed straight up before making the investment.

I thought I had read that some of the implants required the cylindrical coil of the ProxLF antenna. Is that just for longer range/reception then? I was planning to order a Proxmark3 RDV4 from Hacker Warehouse this morning with the ProxLF antenna from here (hey, with the NExT as a bundle, why not!), but if the Easy does the job at a fraction of the cost… I’ll do some reading on what that extra money would get me and pull the trigger on one or the other that week.

P40 questions seem to be solved, it looks like that is a known entity. For the HID iClass card, @Devilclarke said they think the only option is the xSLX. The card’s datasheet says it uses ISO15693 so that does appear to be the only implant using that standard, so that sounds settled as well. I’ve heard rumours that those cards are being replaced/upgraded so I’ll verify the new cards are on the same standard, but unless they swap out all of the readers I suspect they won’t deviate too far from the old standard, and the old ones will likely still be supported as legacy for some time either way. So I have feelers out to verify that right now.

So with an NExT for the P40 and an xSLX for the iClass card, that should cover my two initial use cases and leave me with a spare HF for whatever. If that’s wrong, I’d love to be corrected now rather than struggle later after they are implanted. :slight_smile:

Follow-up question, just to verify: Since these are all on a different frequency/standard, it should be fine to use position 0 for both implants and all three chips should work fine without interfering, right? If so, then is the range on the x-series good enough to be read from the palm-side or am I placing the back of my hand on every reader?

Next steps:

  • pick and buy a proxmark
  • verify the new replacement card standard
  • get the two implants
  • ???
  • PROFIT!!!

Thanks for your help and patience. I can’t wait to think of ways to put my “spare” chip to use. :smiley:

EDIT: Or did the previous comment that none of the HF chips allowed reprogramming mean this is not going to work for the iClass? Currently researching that process and realized I may have glossed over that comment.

EDIT: for my own sanity, consolidating links.

Looks like the iClass DY was tried here: Cloning HID iClass DY
and worked on at the PM site: http://www.proxmark.org/forum/viewtopic.php?pid=32488#p32488

1 Like

Correct

Unlikely from palm side, but the back of the hand is still very usable.

Yep, currently.
A year ago, you would have also had the original Spark as an option, you could TRY and ask amal if he has any spares, but I think @Backpackingvet nabbed the last one.

It definitely helps, but is not necessary. The LF antenna coil is only compatible with the PM3 RDV4, however there is a home brew for the PM Easy that @Compgeek developed, I will grab you the link. HERE

RE RDV4, Hacker Warehouse are AN option, there are others available, I see you are in Canada, so Sneak technology (Oceania and Asia) and KSEC (Europe) wouldn’t be the most sensible, therefore I would personally point you to Red Team Alliance who also do an iClass test card, but like I say, there are other suppliers, and at the end of the day, there is not a lot of price difference in the RDV4, maybe just shipping; then grab the LF antenna from DT when you order your implants
OR
if you go for an Easy,
The EASY I would recommend Aliexpress piswords as above
But again, there are other options available, I just know their ones work

Just saw your Edits

You will need to enroll into the system via administrator etc.

My recommendation to you and a worthwhile investment is grab yourself an iso15693 test card and whilst you are at it a KSEC test card bundle

I think I covered most of it, let us know if you have further questions

2 Likes

You’ve been very helpful. To make sure I got this, the TL;DR is with a NExT I can copy my existing P40 into my implant; no trouble, no changes on their side. For the iClass I would need an xSLX, which can not be reprogrammed, so I have to convince them to accept it.

I also just found this thread Can you clone HID iclass to a xSLX chip?.

So overall it looks like the only real option for that card will be to get the xSLX (or Spark maybe) and convince someone with admin access to add my implant to the system on their side; it looks like it will not be possible to clone my existing access card over to my hand from what I am seeing. That adds a layer of difficulty there. [EDIT - your edit in response to my edit covered this. editing the edited edit to edit… wait… where was I? cheers]

Sorry for a million questions (or, rather, asking the same question a dozen different ways). With specific uses in mind, I want to make sure I’m getting the right toys for the job and understand the process. :slight_smile:

Sorry I’m late to the party here.

For iClass an xSLX isn’t going to help you, there’s no implant that can clone iClass cards.

As others have indicated, enrolling is your only option on this, but ISO15693 doesn’t actually help with that - depending on the readers used of course. If they are the genuine HID readers, they use ISO14443a for the UID only mode. For original series, they specify Mifare Classic (not sure if others work) and for the SE readers, it’s any ISO14443a UID.

The kicker? It’s a hardware configuration setting on the reader that enables or disables it. Even if you befriend the person enrolling it, if it’s turned off (for security it SHOULD be off, but it’s probably 50:50), they can’t turn it on without a configuration card and physically pulling the reader off the wall.

Basically for enrolling, look at what UID (CSN) modes the reader supports and aim for that, usually it’s not ISO15693.

(EDIT: of course talking about HF only, which is the only iClass freq. If it’s a dual technology card, it could also contain something LF - usually HID Prox II, sometimes Indala - and if it uses that a T5577 is your best friend)

1 Like

Thanks for the correction. I’m getting more confused now; too many different protocols and technologies, I need some help narrowing down my reading. I’m friendly with the admin, I might be able to chat them into enrolling my chip, but they are not the most tech-savvy person so it’ll be on me (with you wonderful cyborgs for help) to sort out which chip will work and it’ll have to be done without removing the reader from the wall or anything disruptive like that. How do I get the reader’s CSN mode, is that coming from the proxmark or one of the test cards?

So far I have ordered the following today:

Red Team Alliance: T5577 rewritable RFID card and Blank iCLASS 2K RFID Card
KSEC: Test Card Bundle
DT: RFID Diagnostic Card

I was about to pull the trigger on a PM3 Easy which I can have in my hands tomorrow, but if I am going to want/need to use it on the reader then I should splurge on the RDV4 after all.

1 Like

Alright, it looks like the iClass may be out of reach right now, or at least much more involved to try to figure out how to get it working. I ordered the NExT deluxe kit for now, and I can always get the other one later. I’ll hold off a little on the PM3; if @Compgeek says I’ll want the RDV4 to test the reader to get the iClass details then I’ll get that, otherwise it looks like the Easy should be fine for my needs (for now?)

Any testing you can do should be similar on an Easy, not sure of anything other than a couple of standalone modes it can’t do that the RDV4 can for this purpose.

The easiest way to see if it will work is to grab an NTAG test card, or use your implant, and see if the reader beeps. If it beeps but doesn’t open, it got a read and you’re good to go. If it doesn’t beep, then the reader doesn’t have the right mode enabled. What brand are the readers? Do you have a picture?

No pictures of the reader yet, but I’ll be getting one. It’s an HID system, but I will need to get more info on the readers themselves. I had not realized there was so much variation in their own products.

I have a bunch of testing cards I ordered today so when they come in, I can try them out. International shipping slows everything down

Sorry for the double post, not entirely sure about etiquette here about that.

Got my proxmark easy today and set it up.

P40 fob:

```
proxmark3> lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

00000000 0
11110000 1
01011011 1 facility
00000001 1 version
10101011 1 code1
11000011 1 code2
01000101 11 checksum
IO Prox XSF(01)5b:43971 (007856e03abe1d17) [45 crc ok]

Valid IO Prox ID Found!

Valid T55xx Chip Found
Try lf t55xx ... commands
```
iClass Card:

```
proxmark3> hf search

CSN: 48 ce 76 03 f9 ff 12 e0
CC: ff ff ff ff f1 de ff ff
Mode: Application [Locked]
Coding: ISO 14443-2 B/ISO 15693
Crypt: Secured page, keys not locked
RA: Read access not enabled
Mem: 2 KBits/2 App Areas (32 * 8 bytes) [1F]
AA1: blocks 06-12
AA2: blocks 13-1F
AppIA: ff ff ff ff ff ff ff ff
: Possible iClass (legacy tag)

Valid iClass Tag (or PicoPass Tag) Found - Quiting Search
```
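
An added example, not part of the original post or of the Proxmark code: a small parser for the 64-bit ioProx frame shown in the `lf search` output above, splitting it into the same fields and re-checking the checksum. The function name `parse_ioprox` is hypothetical, and the checksum rule is stated as an assumption that reproduces the `45` in that output.

```python
# Frame layout as printed by `lf search` above: six 9-bit groups
# (8 data bits + 1 separator bit) followed by one 10-bit group.
FRAME_HEX = "007856e03abe1d17"  # raw frame quoted in the post's output


def parse_ioprox(frame_hex):
    """Decode a 64-bit ioProx frame; raise ValueError if it is malformed."""
    if len(frame_hex) != 16:
        raise ValueError("expected 16 hex digits (64 bits)")
    bits = bin(int(frame_hex, 16))[2:].zfill(64)
    groups = [bits[i * 9:(i + 1) * 9] for i in range(6)] + [bits[54:]]

    # Framing checks: all-zero preamble, a '1' after each data byte,
    # and '11' closing the final (checksum) group.
    if groups[0] != "0" * 9:
        raise ValueError("bad preamble")
    if any(g[8] != "1" for g in groups[1:6]) or groups[6][8:] != "11":
        raise ValueError("bad separator bits")

    data = [int(g[:8], 2) for g in groups[1:]]
    marker, facility, version, code1, code2, checksum = data
    if marker != 0xF0:
        raise ValueError("bad 0xF0 marker byte")

    # Assumed rule: 0xFF minus the low byte of the sum of the five bytes
    # before the checksum. It yields 0x45 for the frame in the post.
    expected = 0xFF - (sum(data[:5]) & 0xFF)
    if checksum != expected:
        raise ValueError(f"checksum {checksum:02x} != expected {expected:02x}")

    card_number = (code1 << 8) | code2
    return {
        "facility": facility,
        "version": version,
        "card_number": card_number,
        "checksum": checksum,
        "label": f"XSF({version:02d}){facility:02x}:{card_number}",
    }


if __name__ == "__main__":
    print(parse_ioprox(FRAME_HEX))
```

The whole credential is a facility code, a version byte and a 16-bit card number protected only by an additive checksum.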

Fatal mistake. I expect you’ll be burned at the stake for this.

1 Like

… the way the world is going, that might soon be the easy way out… I was going to swing by the office and take some pics of the scanner tomorrow while I was out, then heard that there have been five confirmed cases in the building in the last week and a half so… I’m’a pass on that trip for now…

So I have the proxmark up and running and it does detect both original/donors. Not sure if that tells you smart people enough to know if that card can be duped, but I have been going ahead under the assumption that it can not, based on previous feedback. Figured I’d put it up in case it gave good news. Scanning the card using lf search came up blank, so I believe that is out of reach right now.

1 Like

May be that the P40 is actually a T55xx, which is kinda cool. Have you got a T5577 test card with your package? If so, you could try the steps from @Satur9 in the post you linked.


I’ve got one of these lying around (Canadia money for scale). Let’s see if I can get this RDV2 I just got from cexshun running so I can try some stuff out for ya.

1 Like

Here’s what I got from running an lf search on my RDV2 running the most recent iceman
ioProx

If your P40 is an ioProx card, it should be easily detectable and cloneable.

@Devilclarke I wonder if it really is a T5577 in there. Now I’ll have to do some science.

EDIT: Lol. Yeah, it’s just a T5577 in there. Nothing special. They charge $10+ for these. I made it into an EM4100 with 3 commands.

1 Like

The pm clone came with a handful of unlabeled, unidentified cards and I have some other random unlabelled cards from various Arduino and rPi kits. I’ll go through those and see how they read. Worst case, I have the bunch of test cards coming from Red Team and KSEC I can use when they come in.

2 Likes