New workplace is annoying

Today is my first day in my new workplace. They give out EM4xxx tags to access the building (at least I’m fairly sure they’re EMs, I haven’t read one with my reader yet).

I asked the lady in charge of the security system if she could scan my hand instead of one of her tags, to register my implant in their system instead, but she says no can do. I asked why, and she answered that the system can only use “approved” tags. I tried to explain the hows and whys, but I did not get very far: either the tag comes out of her magic box, or I can get stuffed.

Soo… I’ll be looking at implanting a RFID tag that I can reprogram the UID of soon - and possibly the protocol too. I suppose I’m looking at getting a xEM or a xHT chip from DT, depending on what I find on the magic approved company tag. Correct? Anything else I should know or get to clone the tag successfully?

If you are sure this is EM4xxx (125 kHz) then Atmel T5577 chip is enough for you. They are listed as xEM and NExT here. NExT is actually a two-in-one (xNT + xEM) and I suggest it because you get additional features on NFC frequency :slight_smile: If you already have a 13.56 MHz tag in the same place (like xNT), I suggest xEM because two NFC chips will interfere.

3 Likes

Totally agree with @koteeq, just from my own experience, I use my NExT for access to
my workplace which operates on LF but has dual frequency capable readers. Most of them have LF only activated, but the ones with HF also caused me grief (denied access on HF reads) until I learnt the orientation of my NExT under my skin, so I would present the LF end to the reader first.
I :heart: my NExT, but I am getting a dedicated xEM for work for this reason.

Unless you are in a hurry to start buying things, just start by getting your ducks lined up
:duck: :duck: :duck: :gun: :duck:
If I was in your situation I would use a RFID diagnostic card
and/or
xField Detector
to learn what I could about my system Frequencies, search for clues :mag_right: written on the card and access readers then get on the interwebs to research including On the forum to see if anyone else has the same access system.

Now I dont know this for a fact, but for me at least, it seems to be, if I shine a :flashlight: behind a card, if the antenna is circle it has been a LF card, if a rectangle it has been a HF.
Maybe give it a try, you have got nothing to lose and it might just help confirm what you already suspect.

Hopefully and probably yours will be a single frequency reader.
I would still personally recommend the NExT, because,why wouldn’t you; a two-for-one device for just a little money and free postage!!!

Well, it looks like a HID Indala.

Not that I’ve read it, because my new workplace is in another country and I didn’t bring all my hardware with me yet. But apparently they’ve been recycling tags from one employee to the next for many years, and there’s a very faded, almost unreadable lettering on the tag that I barely make out as “I??ALA” on one side and “*ID” on the other side.

When I looked it up, I found this page, which shows almost exactly the same tag. It’s one of these guys:

On top of that, the readers at work look almost exactly like these:

So, yeah, probably HID Indala. Never heard of those before…

Looks like the xEM can emulate those. My plan is to get a ProxMark reader (I need to do get me one anyway) and 2 xEMs, program one out of the syringe and see if it functions properly as a clone of the magic tag they gave me at work. Then if it does, I’ll implant the other.

I’ll probably do that a bit later though, as I first need to finish my move here and get settled. And that’s no small feat, as I don’t speak the language of the country I’m moving to very well, so I need to concentrate on learning it before getting distracted with other things.

That’s the great thing with standards: there’s so many to choose from :slight_smile:

You COULD buy 2 xEM or you SHOULD just buy 1 xEM (I Still reccomend the NExT) and just grab a cheap card off, amazon, ebay, aliexpress etc. to test/ practice on.
My Proxmark actually came with a T5577 card…

HERE is a very helpful guide @TomHarkness answered somebody in a similar situation.
and hopefully THIS wiki is of some use to you.

2 Likes

Thanks! When I have time to play with this, I should have all the information I need.

Oh yeah, and I’m not getting the NExT. I already have a Mifare Classic in the hand I intend to implant the xEM in. Also, I like to keep things separate, because I have a dual-frequency reader at home, and I don’t need the aggravation of 2 chips talking to it at once.

1 Like

Good call!
I hope your move and new job goes well.

1 Like

Okay so I got my Proxmark3 in the mail today (ended up ordering one before moving, since France is closer). Conveniently, it came with a T5577 test card.

It successfully identified my company-issued tag as a 224-bit Indala tag. So I tried to clone it, but I did it in steps, to try and figure out the pitfalls when the time comes to do it on a chip implanted in my hand:

1/ I took a dozen readings and compared the UIDs, to make sure I got a solid read from the original tag. No problem there.

2/ I issued the clone command, but without the test card on the Proxmark. The Proxmark proceeded and told me it was all done. Uh oh… That means it blasts the programming commands without any checks whatsoever, meaning trouble if the coupling isn’t good enough. Not good…

3/ I placed the test card on the Proxmark, as well positioned as possible and redid the clone command. Then I re-read it several times and compared the UID against the original UID: half of it was corrupted, despite the test card having a full-size coil and being located perfectly over the antenna. Uh oh… The trouble I expected happened rightaway with an easy-to-read card. This really doesn’t bode well for operation with an implant.

4/ I redid the clone command once more, and this time the UID matched.

So, when I return to my new workplace, I’ll see if the (now properly cloned) test card opens the door. If it does, then I’ll order a xEM and a DT coupling coil. I think that’ll be a must. In the meantime, I’ll try to figure out if I can get the Proxmark to report the quality of the coupling in real time, so I can locate the implant as best I can before the final cloning operation. I may also encase the DT coil in a plaster cast of my hand so it stays put at the ideal location even if I move around. I can see this has the potential to end up in a bricked chip very easily…

Did you first do a “hw tune”, unlikely that is your issue, but lets “do this in steps”
run hw tune and post your results so some of the :nerd_face: can have a look at it

You definitely sound like you are on track,
I would suggest / agree with most of your ideas
Test your cloned card
Order a @TomHarkness DT LF antenna, it just couples sooo much better because it is designed to do so.

THIS might be a bit extreme, defnately try the TH/DT PM3 RDV4 LF antenna first before a CaSO4.1/2H2O.

Did you first do a “hw tune”, unlikely that is your issue, but lets “do this in steps”
run hw tune and post your results so some of the :nerd_face: can have a look at it

I did. Here’s the graph. Not sure what I’m looking at to be honest: the scales don’t mean anything to me. But I assume it self-calibrates or something.

THIS might be a bit extreme

Plaster rolls are cheap, and making a small cast is easier and less annoying that bricking a chip you got implanted inside you because you couldn’t be assed to ensure everything was setup as well as can be :slight_smile:

Order placed. I’ll probably implant the xEM even if the test card doesn’t work, just because I want one :slight_smile:

1 Like

Hmm, things are more complicated than expected.

So I arrived in Finland today, and the first thing I did was swing by the office to get a couple of things I had left there. Trouble is, my “official” Indala badge didn’t work, and neither did the clone I did on the T5577 test card that came with the Proxmark3.

So one of two things have happened:

1/ Somehow the readers outside are deactivated on Saturdays. My boss says he’s a 100% sure they aren’t though.
2/ The mere act of reading an Indala card increments a counter or moves along a list of OTPs, and now my badge is out of sync with the readers at the office because I read it with my Proxmark.

Anybody knows if #2 is a thing in the HID Indala system? Because if it is, I think I can shelve my idea of implanting a clone of the badge…

I got issued a new tag. They told me the old one was broken because it didn’t register on their reader. Only I know it’s not true because I could read it just fine on the Proxmark only yesterday.

All I did on the old badge was a lf search then a bunch of lf indala read. My guess is lf search put it in a funky state somehow - and the funky state got cloned into the T5577 card too, because that didn’t open the door either this morning.

I’ll do a single lf indala read on the new badge when I get back home tonight and I’ll see if it kills it :slight_smile:

1 Like

I have never seen this in any commercial access control system that uses shitty insecure 125khz crap ever.

dunno man, but I have seen the slow takeover of T5577 and other T55xx chips in the commercial badge space… so rather than original indala or EM chips you are now seeing T55xx chips because card and badge makers can easily program a single inventory item as anything they want now… so it’s possible THEY left the original source chip in the badge in a shitty state and maybe there was something kicked over by your proxmark3 messing about, but honestly I have seen government keyfobs use T5577 chips and get screwed by a simple pass of a crappy blue cloner and accidentally hitting the write button with nothing in the read buffer… toasted it… person had to go through a bunch of nonsense and interrogation to get a new fob…

1 Like

Yes, that is my understanding also. It’s just that it was the only logical explanation I could come up with, if the tag didn’t genuinely “die enough” to prevent the company readers from reading it while staying “live enough” for the Proxmark to read it okay. The latter seemed very unlikely.

The new badge I have has “HEDSAM Indala” written across it. A quick googling reveals it’s one of them guys, and some more googling indicate it’s a NXP Mifare 1434NSSNN programmable chip. Unless it’s not a chip and it’s a T5577 behind it, I don’t know.

Anyway, I did a single lf indala read on it. One read command, that’s all. If it’s dead when I arrive at work in a few hours, I’ll know for sure the Proxmark killed it - and I’ll have some explaining to do I guess :slight_smile:

That’s not making sense to me… Mifare is 13.56MHz … and all the hits I found for Mifare 1434NSSNN indicates it’s 13.56MHz… so the T5577 is not applicable… unless you have a dual frequency card as well, it should not have gotten a read with lf indala read

I’m not sure to be honest. The fog I have is identical to the photo and I just did 2 minutes of googling. Maybe there are several versions and the ones Google comes up with are 13.56MHz. But mine is definitely 125KHz.

And for the good news: my new fob got me inside the company building this morning, and so did the cloned test card. Now all I have to do is attach the ProxLF antenna, try to clone the fob into the xEM in the needle if possible, then head off downtown to meet my new piercer .)

I went to the local piercing shop in my new town and explained my request. At first the guy balked at the idea. But then he explained it was because he didn’t do anything involving sutures. Perfect I said, it’s just an injection - no butchery involved.

So he’s cool about it. He’s never implanted a chip, but he agrees to do it and to let me direct him from A to Z, He’ll also call his friend who runs a shop at the other end of the country, who’s done it before, to get extra advice. He looks serious and willing to help.

So, I have an appointment tomorrow evening already. That went swimmingly.

3 Likes

The xEM opens my company door while still inside the needle. What a great thing! Now all there is left to do is stick it inside me.

2 Likes

Okay, the xEM is in my hand and it opens the doors. Job done!

It was the piercer’s first implant job, but he was willing to let me direct him provided I let him do everything with his own hands, to gain experience. I explained everything to him step by step, and all in all he did a pretty good job. The chip landed 5 mm off the mark, but that was my fault because I instructed him to go deeper than he should have with the needle.

Anyway, after we were done, I asked him how much I owed him: he said nothing because I had taught him something new and I had let him practice on my own meat. Nice! So instead I invited him for a couple brewskies to thank him, and we ended up spending a nice evening together at the bar.

So, a very professional and friendly guy, and a real class act. On top of that, he wants an implant too now :slight_smile:

@amal: I mentioned to the piercer that he might want to be added to your network of partners. He said he’d be interested and gave me his business card for me to pass along. Do you want it? Shall I PM you his name and the address of his shop?

7 Likes