LF of NExT Implant not reading after 3 Weeks, HF Works

Hello everyone,
newbie here

3 weeks ago I got my first Implant (NExT) in the L0 position.
I bought the Chip from DangerousThings directly and had it installed by a professional Piercer, who is an authorized Installer / Partner (“Red Pin”).
He did a great job and has experience. We marked the spot where the Implant should go, and he installed it really well.
It migrated a bit towards the “Installation Wound” (4-5mm) but it’s in a really good position.

The Depth is also perfect, right under the skin (If you would pinch your skin on the back of the Hand and pull it up, the Chip lays right below that layer (just in the L0 position))

I’ve been taking Vitamins and collagen Pills to support the Healing Process. All Visible Swelling has gone away on Week 2, and now there only lays ~2 mm Skin above the Implant. The Chip makes a small bump on the skin and you can feel it easily.

Now to my Problem:

The HF side has been working flawlessly since 10 Minutes after the installation.
The LF part unfortunately not, since the Installation I am unable to Read the Chip.

Trying with a Proxmark3 Easy (also bought from DangerousThings). Updated it, and Configured everything (Iceman Firmware).
I’ll post the Bootup Info at the End of my Post.

When positioning the Ring LF Antenna perpendicular to the arm facing side of the Chip and doing a “lf search” the Following comes up:

[usb] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn’t identify a chipset

On the Away/Fingertip facing side, the proxmark finds nothing, so I guess that’s the HF side.

When doing a “lf t55xx detect” there is nothing detected.

[usb] pm3 → lf t55xx detect
[!] Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’

I’ve also tried to move the antenna in millimeter Increments and trying the Commands again.
I am also not touching the Antenna posts.

The Proxmark however functions perfectly with the included T5577 Cards and with my Workplace EM410x Key Fob.

Any ideas what to try next? I would find it really odd if the Problem is still Swelling Related (But as said above I’m a newbie )

Help would be awesome, Thanks for reading

Bootup Info:

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman/master/v4.13441-480-g085aa819d 2021-08-02 17:55:18
compiled with MinGW-w64 10.3.0 OS:Windows (64b) ARCH:x86_64

[ PROXMARK3 ]
firmware… PM3 GENERIC

[ ARM ]
bootrom: RRG/Iceman/master/v4.13441-702-gd3d4e72f2-dirt…-unclean 2021-08-15 11:41:51
os: RRG/Iceman/master/v4.13441-702-gd3d4e72f2-dirt…-unclean 2021-08-15 11:52:21
compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23:08:07
HF image built for 2s30vq100 on 2020-07-08 at 23:08:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23:08:30

[ Hardware ]
–= uC: AT91SAM7S512 Rev B
–= Embedded Processor: ARM7TDMI
–= Internal SRAM size: 64K bytes
–= Architecture identifier: AT91SAM7Sxx Series
–= Embedded flash memory 512K bytes ( 53% used )

Great support write up, you have done almost everything we would have asked of you.
additionally can you try an
hw tune
and post the results

Thanks for the Quick answer

The results of hw tune:

[usb] pm3 --> hw tune
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
[/] 10
[=] ---------- LF Antenna ----------
[+] LF antenna: 37.81 V - 125.00 kHz
[+] LF antenna: 30.50 V - 134.83 kHz
[+] LF optimal: 37.81 V - 125.00 kHz
[+] Approx. Q factor (*): 5.8 by frequency bandwidth measurement
[+] Approx. Q factor (*): 11.0 by peak voltage measurement
[!] Contradicting measures seem to indicate you're running a PM3_GENERIC firmware on a RDV4
[!] False positives is possible but please check your setup
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 31.58 V - 13.56 MHz
[+] Approx. Q factor (*): 9.2 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

image791×420 10.3 KB

LF coupling with an antenna and the proxmark easy LF antenna is finicky at best.
You can try using lf tune and watch the voltage drop which should indicate if the implant is pulling some energy. Once you’ve observed a drop you can issue multiple searches from the one command by using lf search; lf search; lf search etc.

Your LF antenna looks normal from that graph and that output so no obvious issues there.
It does just seem like its more to do with strange coupling of the implant and the Easy antenna.

I’ve tried lf tune, but the lowest Voltage I can get to show is ~37.800 mV. Normal Value (without any Voltage Drop) is ~38.200 mV. lf search on the spot with the Highest Voltage Drop also give out:

[-] No known 125/134 kHz tags found!
[=] Couldn’t identify a chipset

I had the same problem and it look me ~3 weeks to get a good read on it. The trick for me was removing the cover on the proxmark RDV4.01, flipping the LF antenna out to the side and using the ‘Accurate’ setting on the Q switch.

Now that I’ve cloned the key onto it, I don’t have any problems getting a read.

As Jirvin said

but it is doable. And once you find the spot you will find it slightly easier to relay each time.

The above tells me you are doing the correct thing.
The next thing I would add is, maybe some more pressure.
Press down as you try to read (lf tune) see if you can get that voltage drop we are after.

I imagine you have from your description above, but watch this video for some more tips.(sorry if it’s sucking eggs)

This one from about the 5min mark

and this one all the way through

and just leave this one going in the background whilst you are trying to get your LF to read and bump up the DT video viewing time

This was something that I started recommending for those with an RDV4 and, from my experience, works better than the ProxLF. However, OP appears to have an Easy thus this isnt a viable option at present.

Image Showing Flipped Stock LF Antenna | RDV4

RDV4 Flipped antenna7296×5472 5.43 MB

Another idea Ive had mixed success with is trying to locate the HF end of the NExT with hf tune then a read to confirm the positioning is correct. Once the HF side is found, the LF side is the opposite end of the implant so the idea would be to have the orientation of the implant in mind and try finding the LF side with lf tune again.

This may seem like a loosing battle but anytime I want to write to the LF side of my NExT, I spend ~5mins each time finding the right coupling, ensuring I can do it consistently (by reading) the issuing write operations.

Again, you can issue several commands in the one line by separating them with semicolons.
Example: lf search; lf search; lf search; lf search will issue 4 LF search commands back to back as each of the previous commands finish.

That’s really clever. Thank you for sharing that trick. I need to try that: the ProxLF antenna really isn’t much to write home about. At least mine isn’t.

I imagine it would be unlikely that you missed it, but did you ever see this thread? ( You didn’t post in it !)

Which thread?

You’re so pedantic, wanting information and links I implied that I would provide

Geez, here you go

Thanks bubba. I was about to ask the same thing, but I figured I’d let someone confirm that I wasn’t the only one thoroughly confused by Pilgrim’s post first

I don’t recall seeing it.

Thanks for the Answer,

after trying maybe 20x lf search with pressure I found a spot I could get a read.

But it shows up as an “Indala Chip”. As I understand the T5577 can emulate/function as a Indala, but shouldn’t the xEM/T5577 Chip of the NeXT come preprogrammed as an EM410x ?

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] Indala (len 322) Raw: 80000000500220040000002088002040001420088912a28421000002
[+] Valid Indala ID found!
[=] Couldn’t identify a chipset

But it still cannot identify the T5577 chipset

I got repeating Reads of the Indala ID, but as soon as I removed the Proxmark from my Hand to copy the Text, I was unable to get a read again (tried like 20x again around that position)

I have no clue what Indala is used for / how it works.

But I tried the following:
Took one of the, with the Proxmark included, T5577 cards that I had programmed as an EM410x (which functions perfectly). I programmed the Card with the following command:

[ usb ] pm3 —> lf indala clone -r 80000001b23523a6c2e31eba3cbee4afb3c6ad1fcf649393928c14e5

[=] Preparing to clone Indala 224 bit to T55x7 raw 80000001B23523A6C2E31EBA3CBEE4AFB3C6AD1FCF649393928C14E5
[+] Blk | Data
[+] ----±-----------
[+] 00 | 000820E0
[+] 01 | 80000001
[+] 02 | B23523A6
[+] 03 | C2E31EBA
[+] 04 | 3CBEE4AF
[+] 05 | B3C6AD1F
[+] 06 | CF649393
[+] 07 | 928C14E5
[=] Block0 write detected, running detect to see if validation is possible
[+] Done
[?] Hint: try lf indala reader to verify

that’s the example Commands given by the Proxmark when typing lf indala clone

After writing I was unable to read the Card and saw the same error as with my Implant

[ usb ] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn’t identify a chipset

When doing a lf em 410x clone --id 0F0368568B right after I im able to read the Card again:

[usb] pm3 → lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 0F0368568B
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : F0C0166AD1
[=] HoneyWell IdentKey
[+] DEZ 8 : 06837899
[+] DEZ 10 : 0057169547
[+] DEZ 5.5 : 00872.22155
[+] DEZ 3.5A : 015.22155
[+] DEZ 3.5B : 003.22155
[+] DEZ 3.5C : 104.22155
[+] DEZ 14/IK2 : 00064481678987
[+] DEZ 15/IK3 : 001034014845649
[+] DEZ 20/ZK : 15001200010606101301
[=]
[+] Other : 22155_104_06837899
[+] Pattern Paxton : 259822731 [0xF7C948B]
[+] Pattern 1 : 9750181 [0x94C6A5]
[+] Pattern Sebury : 22155 104 6837899 [0x568B 0x68 0x68568B]
[=] ------------------------------------------------
[+] Valid EM410x ID found!
[+] Chipset detection: T55xx
[?] Hint: try lf t55xx commands

But I am still unable to read my Implant again

Also the lowest Voltage I can get with lf tune is 37800 mV (normal Voltage, with the Proxmark far away from any Metal is 38200 mV). Is that a normal Voltage Drop for the NexT LF Side?

Indala is a common false positive for LF searches. Id usually recommend to confirm that output by getting another 2 or 3 searches of the same card and ensure its the Indala ID it comes out as.

If this is a stock NExT, as in the LF side hasnt been written to before, out of the box it should read as an EM (I tried to fact check but couldnt find a source) tag so it reading as an Indala leads me to believe more that its a false positive.

I would be interested to see where and how your implant looks in your hand. My NExT in R0 is quite visible when I flex my fist and doing so dramatically increases my read success.

True

Generally when we see unexpected results it is either:
Firmware mismatch ( Pretty sure yours looked good )

or

You are not Quuiittee in the right spot,

It sounds like you are a gnats cock away from the right spot, Frustrating I know, but when you finally get a read
Something like:

pm3 → lf search
Blah Blah Blah

Checking for known tags:

Valid EM41xx Chip Found
Try lf EM41xx commands

and can replicate it a few times, you are good to write! so have your script ready to cut and paste. ( Or Up arrow if you have it in your command history.
The tricky thing comes, not moving AT ALL when trying to type etc. If you have an assistant that will help also.

It is more difficult / takes longer to write compared to a read.

Anyway, that all comes AFTER you get a read.

Keep us updated as to your progress and good luck.

Ok, I will try again to find that reeeaalll small Spot where I can get a EM Read

Another Question: Is that Voltage Drop normal?:

In the meanwhile, here are some Pictures of my hand (The Chip is directly under that black line):

Pictures

Image1768×1024 54.6 KB

Image2768×1024 72.8 KB

Image3768×1024 57 KB

Image4768×1024 56.5 KB

Check this post, Amal will answer better than I could

It looks like a good shallow install and you really shouldn’t be struggling as much as you are,
It is unlikely a faulty implant, but Proxmarks can be finnicky when dealing with xSeries implants.
That’s what I think we are seeing…

Ok, so it’s now been four weeks since I got the NExT installed.

In the Last Days, I tried to read maybe 300 times, but cannot for the life of me get a successful LF read

Only one false Cotag ID read:

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
Searching for COTAG tag…
[+] COTAG Found: FC 254, CN: 16382 Raw: F3FC7FFFFFFF7FFFFFF9EFFEFDFE9FFE
[+] Valid COTAG ID found!

I really don’t know what to do next. I’ve tried every position.

Voltage Drop seems to be normal, as Amal said in that linked Comment.

But It also looks like the Chip is alive given from the Voltage Drop (but that could also come from the ferrite Core, right?) And the false reads I have been getting.

Any ideas what to try?

It cannot be normal that the Chip is sooo difficult to read after 4 Weeks with such a good installation If I cannot even get a read with the proxmarks big antenna & pressure against the Skin, how would I be able to use it in the Real World on readers, Door Knobs, etc.?