NeXT Chip Can't read LF but HF/NFC Working Fine

computerstuff · April 18, 2023, 5:53pm

Hello All,

I recently got my NeXT chip 5 days ago and was hesitant to make this post just yet as I know it can take some time for the healing process before you get any reads. I can use my phone to program the NFC and it working consistently and perfectly fine.

When using my proxmark3 easy, not sure where I got it bc Ive had it so long, but its the same model as shown on the dangerousthings store. I have used varied iceman versions every time I have been able to read my test HID cards perfectly, although when going to read my implant, I cant get a good read. When it does pickup the chip, it reads indala. Currently this is my proxmark output

pm3 ~/proxmark3$ ./pm3
[=] Session log C:\Users\xxx\Desktop\ProxSpace\pm3/.proxmark3/logs/log_20230418.txt
[+] loaded from JSON file C:\Users\xxxx\Desktop\ProxSpace\pm3/.proxmark3/preferences.json
[=] Using UART port COM5
[=] Communicating with PM3 over USB-CDC

<removed ascii art>
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev B
    Memory.... 512 KB ( 60% used )

    Client.... Iceman/master/v4.16191-284-g2be05ceea 2023-04-14 18:51:06
    Bootrom... Iceman/master/v4.16191-284-g2be05ceea 2023-04-14 18:50:31
    OS........ Iceman/master/v4.16191-284-g2be05ceea 2023-04-14 18:50:42
    Target.... PM3 GENERIC

I would assume this indicates the chip being detected just not successfully read. But when I follow up t55xx chip detection I always get nothing. Now I want to chalk it up to, give it time to heal, but then I can get NFC super easy, so im not 100%. I thought potentially a bad reader? Well, it doesnt seem like it because cards are reading just fine. I know the general spot I need to be scanning at, I can feel it and its pretty straight. Does anyone have any ideas as to what I could be doing wrong? How likely is it that my t5577 chip is bad? If the best answer is wait a week or two, thats fine, I will report back at a later time and update, just super frustrated atm.

>hw tune
>lf t55xx detect

Response:
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'

For a while, I thought it was getting more reads when doing a bunch of lf seach commands on my implant, but as of recent it seems like the scanner is just picking up indala reads at random whether my hand is there or not. Below is an example of of the lf search commands when my hand IS NOT over the scanner, picked up 4/8…

[=] Couldn't identify a chipset
[usb] pm3 --> **hw tune**
[=] ---------- Reminder ------------------------
[=] `hw tune` doesn't actively tune your antennas,
[=] it's only informative.
[=] Measuring antenna characteristics, please wait...
[-]  9
[=] ---------- LF Antenna ----------
[+] LF antenna: 38.46 V - 125.00 kHz
[+] LF antenna: 31.20 V - 134.83 kHz
[+] LF optimal: 38.46 V - 125.00 kHz
[+] Approx. Q factor (*): 5.8 by frequency bandwidth measurement
[+] Approx. Q factor (*): 11.2 by peak voltage measurement
[!] Contradicting measures seem to indicate you're running a PM3GENERIC firmware on a RDV4
[!] False positives is possible but please check your setup
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 33.02 V - 13.56 MHz
[+] Approx. Q factor (*): 9.6 by peak voltage measurement
[+] HF antenna is OK

(*) Q factor must be measured without tag on the antenna

[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

**[usb] pm3 --> lf search; lf search; lf search; lf search; lf search; lf search; lf search; lf search;**

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[=] Odd size,  false positive?
[+] Indala (len 131)  Raw: 8000000000000000000080d0040010020217ffffffdffdebfffbffff

[+] Valid Indala ID found!

[=] Couldn't identify a chipset

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[=] Odd size,  false positive?
[+] Indala (len 137)  Raw: 80000000000002000000205000000080008000814000000200037fff

[+] Valid Indala ID found!

[=] Couldn't identify a chipset

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[-] No known 125/134 kHz tags found!
[=] Couldn't identify a chipset

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[=] Odd size,  false positive?
[+] Indala (len 147)  Raw: 80000000000000440000005040000010000400000000000440000005

[+] Valid Indala ID found!

[=] Couldn't identify a chipset

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[=] DEBUG: detectindala | 43
[-] No known 125/134 kHz tags found!
[=] Couldn't identify a chipset

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[=] DEBUG: detectindala | 43
[-] No known 125/134 kHz tags found!
[=] Couldn't identify a chipset

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[=] DEBUG: detectindala | 32
[-] No known 125/134 kHz tags found!
[=] Couldn't identify a chipset

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[=] Odd size,  false positive?
[+] Indala (len 68)  Raw: 80000000400808040fffeffef7fffffbfffffffbfffff7fffeffdfff

[+] Valid Indala ID found!

computerstuff · April 18, 2023, 9:48pm

Should add instead of edit - I have run LF tune and HF tune and tested cards/ implant.

I get a voltage change on HF tune when placing the implant. For the LF I get 1v drop when pressing my hand to the reader. It doesnt seem dead when doing this, but touching it during the tuning appears to impact the voltage a tad, so is the 1v drop from my touching or actually picking up a signal is the question. (answered: there are 2 metal tips holding the plastic, 2/4 when touched drop 1v )

Just rubbed my hand for a few minutes only touching the cord and the plastic screen to my hand, just stays at 38 V

Starting to feel more and more like a dead t5577 chip… this is why you test hardware before sticking crap inside you. Lesson learned. Still open to suggestions.

Pilgrimsmaster · April 19, 2023, 9:26am

The PM3 Easy is a good tool, but it is not designed for implants, and the LF antenna specifically is notoriously difficult to read and write with consistency.

Indala results are almost always just noise and a sign you have not quite got the required coupling.

Wait a FULL 2 weeks, check it again.

Let us all know if it works or not.

amal · April 20, 2023, 6:41pm

also be sure to use the delay to make it easier to position your pm3 lf antenna over the implant;

computerstuff · April 21, 2023, 10:32pm

Toothpicks for slight repositioning. It reads. Appreciate all the help.

computerstuff · April 22, 2023, 12:58am

Wanted to add, $4 refrigerator magnets work much better than toothpicks.

Cjdmbballa · December 20, 2024, 11:40pm

Hi every one, I believe my implant a little deep in my muscle in my fatty portion. I get nfc a little but hardly LF. It was fine after it healed I was able to get Lf but 4 years later I’m having trouble.

Equipter · December 21, 2024, 12:19am

can you take a picture(s) to demonstrate how deep it is?

LF is incredibly volatile with little in the way of data integrity, it just screams its payload into the void when inducted, no coupling and mutual authentication/anticollision, if its too deep into your hand it may be occluding the payload as its making its way out of your hand.

if youre only able to get reads by firmly pressing down into your hands its definitely too deep to be effective on normal non-optimised readers, while not a total write-off it does limit the usability.

edit2add: what equipment are we working with here? Do you have a proxmark? flipper? some other cloner? if so which one(s)

if you’ve got the proxmark do you have the implant chip antenna?

if you’ve got the flipper are you making sure the silicone sleeve (if you’ve got one) is removed when trying a read?

you might be able to try finding the chip with lf t55 detect (or on the flipper, a normal RFID read) and then writing chip info to it, it might wake it back up if its been dormant for the past 4 years. with only the odd parity bit here or there depending on the format its possible your eeprom just needs refreshing.

Cjdmbballa · December 21, 2024, 12:41am

Proxmark3. Proxmark fully update with proxspace.
I’ve been actively using the NFC side but LF has been dormant. When I was using the proxmark I was finding a indala ID. I read in the forum it was just noise which made sense due to the raw data changing.

Pilgrimsmaster · December 21, 2024, 12:48am

So not, not at all?

Thats a good thing

An xSeries implant like your NExT should ideally be in the fascia, which is the connective tissue between the dermis and muscle (hypodermis)

If its deeper than that and in the muscle you would expect to struggle.

An easy and obvious solution is to remove it and relocate it.

Equipter · December 21, 2024, 12:48am

can you use your other hand to press down on the implant to show where it is in the hand lol

ok so the stock proxmark3 easy isn’t great at talking to LF implants due to the conflicting antenna shapes but you have to lay the proxmark so the antenna intersects the implant perpendicularly making a bent little cross shape, you may need to press down into the implant to achieve this.

do this and do lf t55 detect till you get a positive response and when you do get a response, maintain that position and do lf em 410x clone --id 1a2a3a4a5a then do lf em 410x reader -@ and you should get a constant stream of data with that matching ID.

Pilgrimsmaster · December 21, 2024, 12:50am

If you cant succesfully fault find with equipter, then

Myself and others have done this many times.

Cjdmbballa · December 21, 2024, 12:55am

The chip had moved when in the healing process.
Line wasn’t perfectly drawn either imagine the line parallel with the dot. You can’t see it with my other hand pushing it.

Equipter · December 21, 2024, 12:59am

id be… surprised if they had managed to get it under the muscle layer in the hand that’s quite the feat and a lot of pain (relative)

by the looks of it they put the implant in a little lower, so i think it might be just sitting super deep in that skin-void in P0.

either way if its super difficult to communicate with removal might be an option

or just buy an install a new implant in a different location that is less fleshy than p0.

removal is “easy” in the sense there is no biobond melding your skin with the tag so it should just slip out when a tunnel is created with a scalpel, but if its deep in there even without being in the muscle. its going to be right uncomfortable experience so it may be best to let sleeping lions lay and use it as just a HF implant & get another for your LF purposes.

xem’s are great and remarkably cheap for what they are and they have the added bonus of not being a dual-tech implant so they don’t cause issues with multi technology readers (IE HID MultiClass readers as they poll HF first if HF is enabled making NEXT’s impossible to use on them )

Cjdmbballa · December 21, 2024, 1:02am

Thank you, it’s definitely interesting predicament I’m in.

Equipter · December 21, 2024, 1:05am

fair, im going to assume its quite deep in there as its not making an impression on the surface of the skin and you don’t appear to have very thick hands that would naturally obscure a lot of usually visible implant locations.

anyhoo, some options are there for you and we are here to help if any of the steps, don’t give up easily as if its recoverable it might take a couple tries to get it right.

pic of how you should be positioning the proxmark (relative to the marked line obvs adjust for the real position of the implant)

given it is so deep, even if we are able to get it to start responding as intended, its depth may make it harder to use on a host of non-optimised LF readers that already struggle with implant form factors.

Pilgrimsmaster · December 21, 2024, 1:24am

Agreed, and how I was looking at it.

I have never had any problems reading any of my implants on a PM3, but the occasional LF lock, I get the big fat…

computer-says-no

So if it were me, I would be going shallow with my relocated or replacement implant.

Equipter · December 21, 2024, 2:36am

oh yah. shallow and easily manoeuvrable.

i like 1-4 for a safe bet but my favourite and most used spots are 7-10, though they are definitely a bit more… interesting to install especially on fingers with less real-estate.