NExT Not able to write - Randomized?

Hi! I was hesitant on creating this but I don’t really know what else to do, I feel like I’ve done it all.

To preface, I installed the NExT Chip approximately three months ago, so it has had plenty of time to heal. I believe it was a week or two after installation, I had written to it with my friend’s FOB (permission granted of course) to see if it would write. I was using the Flipper Zero at the time and it was able to write, but didn’t have any confirmation. I thought nothing of it. When I went to attempt to write again, it just wouldn’t write at all but it was able to read.

I don’t know if this is where I messed up, but my next troubleshooting steps were to attempt a wipe followed by attempting to remove the password, given I didn’t use one. I would clear the password, wipe, clear again, attempt a wipe, you get the idea. (All on the Flipper Zero)

Up until now, with working with the FlexUG4 in my other hand (not related to this ticket), I wanted to give it another shot.

I don’t know if this is the “gotcha” of the ticket, but when running lf t55xx info multiple times against this chip, it gives the following:

[usb] pm3 --> lf t55xx info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 15
[=]  reserved                  : 15
[=]  Data bit rate             : 63 - RF/128
[=]  eXtended mode             : Yes - Warning
[=]  Modulation                : 0x1F (Unknown)
[=]  PSK clock frequency       : 3 - (Unknown)
[=]  AOR - Answer on Request   : Yes
[=]  OTP - One Time Pad        : Yes - Warning
[=]  Max block                 : 7
[=]  Password mode             : Yes
[=]  Sequence Start Marker     : Yes
[=]  Fast Write                : Yes
[=]  Inverse data              : Yes
[=]  POR-Delay                 : Yes
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  FFFFFFFF - 11111111111111111111111111111111
[=] --- Fingerprint ------------

[usb] pm3 --> lf t55xx info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 15
[=]  reserved                  : 15
[=]  Data bit rate             : 63 - RF/128
[=]  eXtended mode             : Yes - Warning
[=]  Modulation                : 0x1F (Unknown)
[=]  PSK clock frequency       : 3 - (Unknown)
[=]  AOR - Answer on Request   : Yes
[=]  OTP - One Time Pad        : Yes - Warning
[=]  Max block                 : 7
[=]  Password mode             : Yes
[=]  Sequence Start Marker     : Yes
[=]  Fast Write                : Yes
[=]  Inverse data              : Yes
[=]  POR-Delay                 : Yes
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  FFFFFFFF - 11111111111111111111111111111111
[=] --- Fingerprint ------------

[usb] pm3 --> lf t55xx info
[usb] pm3 --> lf t55xx info
[usb] pm3 --> lf t55xx info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 9 - testmode
[=]  reserved                  : 32
[=]  Data bit rate             : 4 - RF/50
[=]  eXtended mode             : No
[=]  Modulation                : 0 - DIRECT (ASK/NRZ)
[=]  PSK clock frequency       : 0 - RF/2
[=]  AOR - Answer on Request   : No
[=]  OTP - One Time Pad        : Yes - Warning
[=]  Max block                 : 1
[=]  Password mode             : No
[=]  Sequence Terminator       : No
[=]  Fast Write                : No
[=]  Inverse data              : Yes - Warning
[=]  POR-Delay                 : No
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  94100122 - 10010100000100000000000100100010
[=] --- Fingerprint ------------

[usb] pm3 --> lf t55xx info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 10
[=]  reserved                  : 72
[=]  Data bit rate             : 2 - RF/32
[=]  eXtended mode             : No
[=]  Modulation                : 0x15 (Unknown)
[=]  PSK clock frequency       : 0 - RF/2
[=]  AOR - Answer on Request   : Yes
[=]  OTP - One Time Pad        : No
[=]  Max block                 : 0
[=]  Password mode             : Yes
[=]  Sequence Terminator       : No
[=]  Fast Write                : No
[=]  Inverse data              : No
[=]  POR-Delay                 : Yes
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  A9095211 - 10101001000010010101001000010001
[=] --- Fingerprint ------------

Needless to say, it keeps randomizing block 0. Doing a dump is also random at times:

[usb] pm3 --> lf t55xx dump

[=] ------------------------- T55xx tag memory -----------------------------

[+] Page 0
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  01 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  02 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  03 | 00000000 | 00000000000000000000000000000000 | ....
[+]  04 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  05 | 0001FFFF | 00000000000000011111111111111111 | ....
[+]  06 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  07 | FFFFFFFF | 11111111111111111111111111111111 | ....

[+] Page 1
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  01 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  02 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  03 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+] Saved 48 bytes to binary file `C:\Users\alfie\Downloads\ProxSpace\pm3/lf-t55xx-dump-004.bin`
[+] Saved to json file C:\Users\alfie\Downloads\ProxSpace\pm3/lf-t55xx-dump-004.json
[usb] pm3 --> lf t55xx dump

[=] ------------------------- T55xx tag memory -----------------------------

[+] Page 0
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00000000 | 00000000000000000000000000000000 | ....
[+]  01 | 00000000 | 00000000000000000000000000000000 | ....
[+]  02 | 00000000 | 00000000000000000000000000000000 | ....
[+]  03 | FFFF8000 | 11111111111111111000000000000000 | ....
[+]  04 | 00000000 | 00000000000000000000000000000000 | ....
[+]  05 | 00000000 | 00000000000000000000000000000000 | ....
[+]  06 | 00000000 | 00000000000000000000000000000000 | ....
[+]  07 | FFFFFFFF | 11111111111111111111111111111111 | ....

[+] Page 1
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00000000 | 00000000000000000000000000000000 | ....
[+]  01 | 00000000 | 00000000000000000000000000000000 | ....
[+]  02 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  03 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+] Saved 48 bytes to binary file `C:\Users\alfie\Downloads\ProxSpace\pm3/lf-t55xx-dump-005.bin`
[+] Saved to json file C:\Users\alfie\Downloads\ProxSpace\pm3/lf-t55xx-dump-005.json

I had attempted the following:

lf t55xx write -b 0 -d 00107060 -t --r0
lf t55xx write -b 0 -d 00107060 -t --r1
lf t55xx write -b 0 -d 00107060 -t --r2
lf t55xx write -b 0 -d 00107060 -t --r3

Still nothing. Detect doesn’t work except very rarely, but it only showed the following:

=]  Chip type......... T55x7
[=]  Modulation........ DIRECT/NRZ
[=]  Bit rate.......... 2 - RF/32
[=]  Inverted.......... Yes
[=]  Offset............ 37
[=]  Seq. terminator... No
[=]  Block0............ 10080244 (auto detect)
[=]  Downlink mode..... 1 of 4 coding reference
[=]  Password set...... No

If there’s anything else to suggest, I’m open but I feel like it might be toast. It can still read the very first EM4100 card I wrote to it, so in a way it’s mocking me that I’ll never be able to change it.

Please let me know what suggestions or anything else to run and I’d be more than happy to share the results. Thank you!

1 Like

Are you running lf t5 detect first before running other t5 commands?

2 Likes

I hadn’t initially because I’d use it to test against the other chips in my right hand since those would be successful but trying to get this one to detect isn’t very reliable. It’s located in L0 for reference.

I had refreshed the shell to get the detect to scan and ran it multiple times, moving the Proxmark3 around the area to see if it can snag a signal. I’m pressing deep into my hand and aligning it properly using the example implant that came with it.

These are my results, the lf T55xx info is still randomizing quite a bit, but at least is consistently able to read the chip.


1 Like

if you saw what this comment previously said, ignore it, it’s irrelevant since you don’t get consistent t55 detect outputs.

do you have discord? add me my handle is equip i’ll help you fix it later today when i wake up, pretty sure i know what’s up with it.

4 Likes

No worries! I was just in the middle of using the detect. I’ll post the results I got below just in case.

Can we keep the responses in this thread for public visibility in case someone else runs into the same issue? I would most appreciate it. I’m not in any hurry, so don’t worry about times. (I waited like three months to start fully troubleshooting! :sweat_smile:)

3 Likes

try downloading latest source and compile/flash,

we updated the fgpa images which might have caused some issues.

in the end, always be on the bleeding edge!

2 Likes

I had updated but I don’t think it made much of a difference. Trying to detect the chip is very difficult, but I managed to snag it two times.


I then ran these commands again:

lf t55xx write -b 0 -d 00107060 -t --r0
lf t55xx write -b 0 -d 00107060 -t --r1
lf t55xx write -b 0 -d 00107060 -t --r2
lf t55xx write -b 0 -d 00107060 -t --r3

But still getting the randomized Block 0 when running lf t5 info

I do appreciate the help though! :innocent:

1 Like

you must run lf t55xx detect first.

Do that until you get a “good detection”.
then you can try lf t55xx info

There is no cheating when it comes to pm3. Miss one command and the next outcome is garbish

2 Likes

Here are my results for running lf t55xx detect. I was previously running lf t5 detect as I thought there originally wasn’t any difference.

I really hope I don’t ever have to do this again, I’m practically jamming the device deep into my hand. Very uncomfortable.


After running lf t55xx info it reads consistently in the same spot.

But then if I remove the device from my hand and move it just a little, it read inconsistently.

I attempted to write to it jamming it in my hand again but no luck, the info reads are still randomized.

My question is, with how difficult detect has been, is it too deep in my L0 location for it to write properly? Some of the block 0’s that are read with the detect doesn’t seem to run consistently, so I’m still at a loss for what’s really going on. :frowning:


Probably not necessary, but to add this is the xMagic located in my R0. I have no difficulty detecting and reading this chip.

1 Like

If you manually look at the signal.

data plot
lf read -@ -s 3000

It easier to visually see when you get a good place.
and it also makes more logical sense to your question of why.

4 Likes

I hope this will help!

This is standard noise, not anywhere near a tag

This is the xMagic in R0

This is a standard T5577 card

And lastly, this is the NExT giving me trouble in L0

I wonder what this means, I am most interested in learning about this! Thank you again so very much! :emoji_alien:

3 Likes

Following up with this, with the graphs found I do not know what it means. Do you think I can still salvage the chip or is it toast? Thanks! :slight_smile:

@Iceman
@amal

I do apologize to ping directly but are my readings that of a faulty unit? I don’t really know what to do next and my device is still unusable. Thank you for understanding! :emoji_alien:

1 Like

What “mode” is the T5577 card in? This will drastically affect the signal depicted in the graph.

The T5577 in the NExT appears to be doing… something…

Is it possible to take a little video of how you are presenting the pm3 to the NExT? Show the proxmark3 first… let’s see the LF antenna, middle board, etc… then show in your hand where the next is and how it’s positioned… show how you present to the pm3… use the medium to it’s fullest potential. Tracking down these kinds of problems is very difficult unless you’re there, and a good video has the best chance to give information on everything one might see if standing right there with you. The T5 is a finicky chip when it comes to signaling. Signal timing and signal noise can affect things quite a bit. Showing all the “moving parts” so to speak, will help a lot.

Also, take a video of using the lf tune command. Once your pm3 is in lf tune mode it will give a voltage number that constantly repeats… position your LF antenna over your NExT and the voltage should drop. You will find a specific position for your pm3 that will result in the largest voltage drop. That will be the best way to hold your pm3 over your next.

3 Likes

Awesome! Thank you so much! Please give me a day or two to complete this; I’ll try to include as many details as possible. I look forward to a possible resolution! <3 :blush:

1 Like

Actually was able to do it during my lunch break. Was thinking there was going to involve more video editing but it was pretty simple.

Please let me know if you need me to run more commands, or anything, I look forward to seeing what you think! Thank you! :emoji_alien:

Edit: I put timestamps in the description because I’m not really good at this but thought I’d make it easier to show what I did and where I did it. You don’t need to see the whole thing where I scan a MIFARE Classic tag instead of a T5577 tag :sweat_smile:

I also scanned my implants on my right hand so the video is not flipped. They have no issues whatsoever and I actually really love them so far! Thank you for the assistance on helping with the UG4 chip <3

1 Like

@amal

I do apologize if this seems impatient, but do you have an idea on what’s going on with my NExT implant? Looking for a follow-up or some guidance on what to do next. Thank you! :emoji_alien:

ok I’m reviewing now… sorry haven’t had time but first thing…

Ok we are going to do something about this in production but basically when you put the LF antenna to your hand you have to be very careful not to touch these two posts which are the electrical contacts of the LF antenna. Touching them to your skin will change the voltage of lf tune and also fuck things up when you’re trying to actually send data.

We are going to find a way to cover these with an insulator of some kind for future production, but for now just try being very careful not to touch those screw heads on top or the sides of those posts when placing the LF antenna over your hand… and try again.

1 Like

I guess the footage isn’t really showing it very well with the angles but I am aware touching those two pins will short the connection and make it unreliable. I had attempted to re-record running lf t55xx detect but I’m not getting a reading and jamming the device in my hand is starting to hurt. I was lucky with the footage I as able to record. Additionally, re-running the data plot instructions I was given still provide the same results, looking off from a standard T5577 chip.

Do you require me to re-record running lf t55xx detect and lf t55xx info to guarantee results showing I’m not touching the pins? I will if I have to, but I really dislike having to keep pushing this device deep into my hand. It’s very painful. :frowning:

Please let me know what my next steps are. Thank you!

This is what I mean… you will definitely have read issues. Try something like this…

You should not need to smash the proxmark into your hand. What I would do is feel your hand with your finger and find exactly where the NExT is, then mark your hand with a marker or something to clearly show where it is. Then you can pick up the proxmark gently by the USB cable and hold it such that the edge of the LF antenna loop rests directly overtop of it. You can confirm which end of the NExT has the T5577 using lf tune. Once you’re certain, you can run the command.

Don’t forget you can also use the delay command to make things much easier…

1 Like