LF of NExT Implant not reading after 3 Weeks, HF Works

Thanks for the Answer,

after trying maybe 20x lf search with pressure I found a spot I could get a read.

But it shows up as an “Indala Chip”. As I understand the T5577 can emulate/function as a Indala, but shouldn’t the xEM/T5577 Chip of the NeXT come preprogrammed as an EM410x ?

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] Indala (len 322) Raw: 80000000500220040000002088002040001420088912a28421000002
[+] Valid Indala ID found!
[=] Couldn’t identify a chipset

But it still cannot identify the T5577 chipset

I got repeating Reads of the Indala ID, but as soon as I removed the Proxmark from my Hand to copy the Text, I was unable to get a read again (tried like 20x again around that position)

I have no clue what Indala is used for / how it works.

But I tried the following:
Took one of the, with the Proxmark included, T5577 cards that I had programmed as an EM410x (which functions perfectly). I programmed the Card with the following command:

[ usb ] pm3 —> lf indala clone -r 80000001b23523a6c2e31eba3cbee4afb3c6ad1fcf649393928c14e5

[=] Preparing to clone Indala 224 bit to T55x7 raw 80000001B23523A6C2E31EBA3CBEE4AFB3C6AD1FCF649393928C14E5
[+] Blk | Data
[+] ----±-----------
[+] 00 | 000820E0
[+] 01 | 80000001
[+] 02 | B23523A6
[+] 03 | C2E31EBA
[+] 04 | 3CBEE4AF
[+] 05 | B3C6AD1F
[+] 06 | CF649393
[+] 07 | 928C14E5
[=] Block0 write detected, running detect to see if validation is possible
[+] Done
[?] Hint: try lf indala reader to verify

that’s the example Commands given by the Proxmark when typing lf indala clone

After writing I was unable to read the Card and saw the same error as with my Implant

[ usb ] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn’t identify a chipset

When doing a lf em 410x clone --id 0F0368568B right after I im able to read the Card again:

[usb] pm3 → lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 0F0368568B
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : F0C0166AD1
[=] HoneyWell IdentKey
[+] DEZ 8 : 06837899
[+] DEZ 10 : 0057169547
[+] DEZ 5.5 : 00872.22155
[+] DEZ 3.5A : 015.22155
[+] DEZ 3.5B : 003.22155
[+] DEZ 3.5C : 104.22155
[+] DEZ 14/IK2 : 00064481678987
[+] DEZ 15/IK3 : 001034014845649
[+] DEZ 20/ZK : 15001200010606101301
[=]
[+] Other : 22155_104_06837899
[+] Pattern Paxton : 259822731 [0xF7C948B]
[+] Pattern 1 : 9750181 [0x94C6A5]
[+] Pattern Sebury : 22155 104 6837899 [0x568B 0x68 0x68568B]
[=] ------------------------------------------------
[+] Valid EM410x ID found!
[+] Chipset detection: T55xx
[?] Hint: try lf t55xx commands

But I am still unable to read my Implant again

Also the lowest Voltage I can get with lf tune is 37800 mV (normal Voltage, with the Proxmark far away from any Metal is 38200 mV). Is that a normal Voltage Drop for the NexT LF Side?

Indala is a common false positive for LF searches. Id usually recommend to confirm that output by getting another 2 or 3 searches of the same card and ensure its the Indala ID it comes out as.

If this is a stock NExT, as in the LF side hasnt been written to before, out of the box it should read as an EM (I tried to fact check but couldnt find a source) tag so it reading as an Indala leads me to believe more that its a false positive.

I would be interested to see where and how your implant looks in your hand. My NExT in R0 is quite visible when I flex my fist and doing so dramatically increases my read success.

True

Generally when we see unexpected results it is either:
Firmware mismatch ( Pretty sure yours looked good )

or

You are not Quuiittee in the right spot,

It sounds like you are a gnats cock away from the right spot, Frustrating I know, but when you finally get a read
Something like:

pm3 → lf search
Blah Blah Blah

Checking for known tags:

Valid EM41xx Chip Found
Try lf EM41xx commands

and can replicate it a few times, you are good to write! so have your script ready to cut and paste. ( Or Up arrow if you have it in your command history.
The tricky thing comes, not moving AT ALL when trying to type etc. If you have an assistant that will help also.

It is more difficult / takes longer to write compared to a read.

Anyway, that all comes AFTER you get a read.

Keep us updated as to your progress and good luck.

Ok, I will try again to find that reeeaalll small Spot where I can get a EM Read

Another Question: Is that Voltage Drop normal?:

In the meanwhile, here are some Pictures of my hand (The Chip is directly under that black line):

Pictures

Image1768×1024 54.6 KB

Image2768×1024 72.8 KB

Image3768×1024 57 KB

Image4768×1024 56.5 KB

Check this post, Amal will answer better than I could

It looks like a good shallow install and you really shouldn’t be struggling as much as you are,
It is unlikely a faulty implant, but Proxmarks can be finnicky when dealing with xSeries implants.
That’s what I think we are seeing…

Ok, so it’s now been four weeks since I got the NExT installed.

In the Last Days, I tried to read maybe 300 times, but cannot for the life of me get a successful LF read

Only one false Cotag ID read:

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
Searching for COTAG tag…
[+] COTAG Found: FC 254, CN: 16382 Raw: F3FC7FFFFFFF7FFFFFF9EFFEFDFE9FFE
[+] Valid COTAG ID found!

I really don’t know what to do next. I’ve tried every position.

Voltage Drop seems to be normal, as Amal said in that linked Comment.

But It also looks like the Chip is alive given from the Voltage Drop (but that could also come from the ferrite Core, right?) And the false reads I have been getting.

Any ideas what to try?

It cannot be normal that the Chip is sooo difficult to read after 4 Weeks with such a good installation If I cannot even get a read with the proxmarks big antenna & pressure against the Skin, how would I be able to use it in the Real World on readers, Door Knobs, etc.?

I know it’s not ideal but can you find someone with a Proxmark RDV4?

There will always be a voltage drop given the copper coil and the ferrite but this doesnt mean the chip is alive/healthy; just that something is pulling some voltage.

The challenge here is that the proxmark Easy is a cheap, mass produced clone of another device so the quality isnt amazing.
Its also very common, given those conditions, that the LF antenna isnt tuned anywhere near 125kHz but close enough that LF cards can be read reliably.
The LF antenna is also made to couple with flat antennae found in cards and fobs, not a round antenna that is present in an implant.
Since the LF antenna is most likely going to have bad tuning, you may be better with some distance between the implant and the antenna. This should, hopfully, offset the bad tuning of the LF antenna and allow it to couple with the implant antenna. Ive personally found I can get consistent reads with 1-3mm of distance/air between my skin and the proxmark antenna.

All of these factors combined is what you are working with and trying to overcome. I find it very difficult to read my NExT with my Easy, slightly less difficult with my RDV4 (using the flipped antenna) and even less difficult with some PACs readers.

Your implant looks shallow enough that there should be no inherent difficulty penetrating the skin and, since its been >=4 weeks post install, there should be no swelling/fluid build up to make things more difficult.

I actually tried to get some distance between the Antenna & Skin a couple of times. Didn’t help either.

Given what you guys said I am thinking of getting an RDV4.
Finding Someone in my Region who has one of those would be almost impossible given I live in a rural area. So buying would be the only reasonable option, and I also could use it for Pentesting and IT-related things.
Unfortunately, the price is a bit high for having a pm3 Easy and an RDV4.

I have to say I’m not really familiar with the RDV4. I think of it as the “complete” “high quality” proxmark3 package.
Are any good Docs or Videos like “Exploring the Proxmark3 RDV4” as Amal did for the PM3 Easy?

Living in Germany, i think the suggested Website for buying would be lab401.com?
So the Perfect setup for my Problem of Reading my Implant would be the RDV4 (Proxmark 3 RDV4.01 – Lab401) and the 125 kHz Antenna designed for Implants (ProxRF 125KHz Biochip Antenna – Lab401), right?

I have a couple of questions.

1. can you read the HF side consistently? If you can then there are other options than an RDV4 that might work.

2. do you have a use case for the LF side in particular? I am wondering because using a Proxmark3 would only be needed for some use cases.

If you can read the HF side consistently you might consider making a small ferrite coil for your Proxmark3 LF Antenna. There are several posts on the subject on here. People have had better luck reading with a homebrew antenna before.

The other option worth testing would be to get a larger reader and see if that is any better. I have a battery powered HID pad with an ESP-RFID-Tool which I use for some testing.

I can read/write the HF side without Problem using my Phone and the PM3 Easy.
I want to use the LF side for Access Control, Vehicle Start, etc.

Unfortunately, I have no bigger Reader than the Proxmark3 Easy.

For a custom Ferrite Core Antenna, I found this thread:

Before going through all that trouble of Optimizing and buying the parts I need for that project, I would consider just buying the pretested Version of the RDV4 and ProxLF antenna, they should (I hope at least) work definitely.

From memory some people have found the proxlf doesn’t solve coupling problems, but it is up to you.

I spent about $45 making my HIDprox pad, and while it is a bit small to use as a huntpad (read range is about 6") it was an interesting experiment in some physical penetration techniques.

There are quite a few Germans on here, so it is possible that someone in your area could help. (As a Scot in the US I am well aware that In the US 100 years is a long time but in Europe 100 miles is a long distance.)

It may be that the LF side is just terribly tuned… they are programmed with EM serials and tested during manufacturing but that system passes the tag through the antenna center so coupling is nearly absolute and a badly tuned LF side could sneak through. A replacement is probably the way to go here.

@landwirt
Have you had any luck since you last attempt?

We have kindly exhausted what we can suggest for you to try…

Do this

And reference back to this thread.

I’ve got the exact same symptoms with mine (NT works flawlessly, EM doesn’t work at all)
When I do data plot; lf read -@ I just get static, is that helpful?

@amal Aww, a defect LF Side would be awful

@Pilgrimsmaster Unfortunately no Luck at all Tried Reading with the PM3 Easy again & again but cannot get a read

I thought of building that custom Antenna for the PM3 easy or buying a RDV4, but if the Problem is hardware related, It won’t help me if I should get a read on a specialized piece of Equipment, but not on Every Day Readers like Door Knobs etc.

I got the Implant only for the LF Side and thought of the HF as a nice to have addition.

Would it be worth the risk to read the implant before injection to confirm we can read it?

I always read mine before and after implanting. Before to ensure I’m not breaching my skin for nothing, and after to make sure the implant hasn’t come back out with the needle (in the case of glassies - yes, it’s happened to me) and it hasn’t been handled too roughly during insertion or nicked by the stitching needle (in the case of flexies).

LF glassies implants can be read in the syringe. HF glassies can be read in the syringe with a high-power NFC reader - just barely. I don’t hesitate to crowd the bodymod parlor with my laptop, readers and relevant electronic paraphernalia.

@landwirt so I got the support ticket from the site… but before we process a return, I wanted to confirm;

• using this proxmark3 are you able to lf search any other T5577 chips set up as EM ?

• your client and firmware appear to be mismatched… are you able to update, recompile, and reflash, then try?