NExT Not able to write - Randomized?

Support
1

Hi! I was hesitant on creating this but I don’t really know what else to do, I feel like I’ve done it all.

To preface, I installed the NExT Chip approximately three months ago, so it has had plenty of time to heal. I believe it was a week or two after installation, I had written to it with my friend’s FOB (permission granted of course) to see if it would write. I was using the Flipper Zero at the time and it was able to write, but didn’t have any confirmation. I thought nothing of it. When I went to attempt to write again, it just wouldn’t write at all but it was able to read.

I don’t know if this is where I messed up, but my next troubleshooting steps were to attempt a wipe followed by attempting to remove the password, given I didn’t use one. I would clear the password, wipe, clear again, attempt a wipe, you get the idea. (All on the Flipper Zero)

Up until now, with working with the FlexUG4 in my other hand (not related to this ticket), I wanted to give it another shot.

I don’t know if this is the “gotcha” of the ticket, but when running lf t55xx info multiple times against this chip, it gives the following:

[usb] pm3 --> lf t55xx info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 15
[=]  reserved                  : 15
[=]  Data bit rate             : 63 - RF/128
[=]  eXtended mode             : Yes - Warning
[=]  Modulation                : 0x1F (Unknown)
[=]  PSK clock frequency       : 3 - (Unknown)
[=]  AOR - Answer on Request   : Yes
[=]  OTP - One Time Pad        : Yes - Warning
[=]  Max block                 : 7
[=]  Password mode             : Yes
[=]  Sequence Start Marker     : Yes
[=]  Fast Write                : Yes
[=]  Inverse data              : Yes
[=]  POR-Delay                 : Yes
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  FFFFFFFF - 11111111111111111111111111111111
[=] --- Fingerprint ------------

[usb] pm3 --> lf t55xx info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 15
[=]  reserved                  : 15
[=]  Data bit rate             : 63 - RF/128
[=]  eXtended mode             : Yes - Warning
[=]  Modulation                : 0x1F (Unknown)
[=]  PSK clock frequency       : 3 - (Unknown)
[=]  AOR - Answer on Request   : Yes
[=]  OTP - One Time Pad        : Yes - Warning
[=]  Max block                 : 7
[=]  Password mode             : Yes
[=]  Sequence Start Marker     : Yes
[=]  Fast Write                : Yes
[=]  Inverse data              : Yes
[=]  POR-Delay                 : Yes
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  FFFFFFFF - 11111111111111111111111111111111
[=] --- Fingerprint ------------

[usb] pm3 --> lf t55xx info
[usb] pm3 --> lf t55xx info
[usb] pm3 --> lf t55xx info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 9 - testmode
[=]  reserved                  : 32
[=]  Data bit rate             : 4 - RF/50
[=]  eXtended mode             : No
[=]  Modulation                : 0 - DIRECT (ASK/NRZ)
[=]  PSK clock frequency       : 0 - RF/2
[=]  AOR - Answer on Request   : No
[=]  OTP - One Time Pad        : Yes - Warning
[=]  Max block                 : 1
[=]  Password mode             : No
[=]  Sequence Terminator       : No
[=]  Fast Write                : No
[=]  Inverse data              : Yes - Warning
[=]  POR-Delay                 : No
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  94100122 - 10010100000100000000000100100010
[=] --- Fingerprint ------------

[usb] pm3 --> lf t55xx info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 10
[=]  reserved                  : 72
[=]  Data bit rate             : 2 - RF/32
[=]  eXtended mode             : No
[=]  Modulation                : 0x15 (Unknown)
[=]  PSK clock frequency       : 0 - RF/2
[=]  AOR - Answer on Request   : Yes
[=]  OTP - One Time Pad        : No
[=]  Max block                 : 0
[=]  Password mode             : Yes
[=]  Sequence Terminator       : No
[=]  Fast Write                : No
[=]  Inverse data              : No
[=]  POR-Delay                 : Yes
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  A9095211 - 10101001000010010101001000010001
[=] --- Fingerprint ------------

Needless to say, it keeps randomizing block 0. Doing a dump is also random at times:

[usb] pm3 --> lf t55xx dump

[=] ------------------------- T55xx tag memory -----------------------------

[+] Page 0
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  01 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  02 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  03 | 00000000 | 00000000000000000000000000000000 | ....
[+]  04 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  05 | 0001FFFF | 00000000000000011111111111111111 | ....
[+]  06 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  07 | FFFFFFFF | 11111111111111111111111111111111 | ....

[+] Page 1
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  01 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  02 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  03 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+] Saved 48 bytes to binary file `C:\Users\alfie\Downloads\ProxSpace\pm3/lf-t55xx-dump-004.bin`
[+] Saved to json file C:\Users\alfie\Downloads\ProxSpace\pm3/lf-t55xx-dump-004.json
[usb] pm3 --> lf t55xx dump

[=] ------------------------- T55xx tag memory -----------------------------

[+] Page 0
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00000000 | 00000000000000000000000000000000 | ....
[+]  01 | 00000000 | 00000000000000000000000000000000 | ....
[+]  02 | 00000000 | 00000000000000000000000000000000 | ....
[+]  03 | FFFF8000 | 11111111111111111000000000000000 | ....
[+]  04 | 00000000 | 00000000000000000000000000000000 | ....
[+]  05 | 00000000 | 00000000000000000000000000000000 | ....
[+]  06 | 00000000 | 00000000000000000000000000000000 | ....
[+]  07 | FFFFFFFF | 11111111111111111111111111111111 | ....

[+] Page 1
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 00000000 | 00000000000000000000000000000000 | ....
[+]  01 | 00000000 | 00000000000000000000000000000000 | ....
[+]  02 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+]  03 | FFFFFFFF | 11111111111111111111111111111111 | ....
[+] Saved 48 bytes to binary file `C:\Users\alfie\Downloads\ProxSpace\pm3/lf-t55xx-dump-005.bin`
[+] Saved to json file C:\Users\alfie\Downloads\ProxSpace\pm3/lf-t55xx-dump-005.json

I had attempted the following:

lf t55xx write -b 0 -d 00107060 -t --r0
lf t55xx write -b 0 -d 00107060 -t --r1
lf t55xx write -b 0 -d 00107060 -t --r2
lf t55xx write -b 0 -d 00107060 -t --r3

Still nothing. Detect doesn’t work except very rarely, but it only showed the following:

=]  Chip type......... T55x7
[=]  Modulation........ DIRECT/NRZ
[=]  Bit rate.......... 2 - RF/32
[=]  Inverted.......... Yes
[=]  Offset............ 37
[=]  Seq. terminator... No
[=]  Block0............ 10080244 (auto detect)
[=]  Downlink mode..... 1 of 4 coding reference
[=]  Password set...... No

If there’s anything else to suggest, I’m open but I feel like it might be toast. It can still read the very first EM4100 card I wrote to it, so in a way it’s mocking me that I’ll never be able to change it.

Please let me know what suggestions or anything else to run and I’d be more than happy to share the results. Thank you!

1 Like
2

Are you running lf t5 detect first before running other t5 commands?

2 Likes
3

I hadn’t initially because I’d use it to test against the other chips in my right hand since those would be successful but trying to get this one to detect isn’t very reliable. It’s located in L0 for reference.

I had refreshed the shell to get the detect to scan and ran it multiple times, moving the Proxmark3 around the area to see if it can snag a signal. I’m pressing deep into my hand and aligning it properly using the example implant that came with it.

These are my results, the lf T55xx info is still randomizing quite a bit, but at least is consistently able to read the chip.

image
image776×869 21.6 KB

image
image776×878 33.3 KB

1 Like
4

if you saw what this comment previously said, ignore it, it’s irrelevant since you don’t get consistent t55 detect outputs.

do you have discord? add me my handle is equip i’ll help you fix it later today when i wake up, pretty sure i know what’s up with it.

4 Likes
5

No worries! I was just in the middle of using the detect. I’ll post the results I got below just in case.

Can we keep the responses in this thread for public visibility in case someone else runs into the same issue? I would most appreciate it. I’m not in any hurry, so don’t worry about times. (I waited like three months to start fully troubleshooting! :sweat_smile:)

image
image1680×2119 199 KB

3 Likes
6

try downloading latest source and compile/flash,

we updated the fgpa images which might have caused some issues.

in the end, always be on the bleeding edge!

2 Likes
7

I had updated but I don’t think it made much of a difference. Trying to detect the chip is very difficult, but I managed to snag it two times.

image
image1314×1765 195 KB

image
image1314×1883 121 KB

I then ran these commands again:

lf t55xx write -b 0 -d 00107060 -t --r0
lf t55xx write -b 0 -d 00107060 -t --r1
lf t55xx write -b 0 -d 00107060 -t --r2
lf t55xx write -b 0 -d 00107060 -t --r3

But still getting the randomized Block 0 when running lf t5 info

I do appreciate the help though! :innocent:

1 Like
8

you must run lf t55xx detect first.

Do that until you get a “good detection”.
then you can try lf t55xx info

There is no cheating when it comes to pm3. Miss one command and the next outcome is garbish

2 Likes
9

Here are my results for running lf t55xx detect. I was previously running lf t5 detect as I thought there originally wasn’t any difference.

I really hope I don’t ever have to do this again, I’m practically jamming the device deep into my hand. Very uncomfortable.

image
image909×2114 59.2 KB

image
image909×755 23.3 KB

After running lf t55xx info it reads consistently in the same spot.

image
image909×1693 43.6 KB

But then if I remove the device from my hand and move it just a little, it read inconsistently.

image
image909×1874 85.8 KB

I attempted to write to it jamming it in my hand again but no luck, the info reads are still randomized.

My question is, with how difficult detect has been, is it too deep in my L0 location for it to write properly? Some of the block 0’s that are read with the detect doesn’t seem to run consistently, so I’m still at a loss for what’s really going on. :frowning:

Probably not necessary, but to add this is the xMagic located in my R0. I have no difficulty detecting and reading this chip.

image
image909×1439 66.5 KB

1 Like
10

If you manually look at the signal.

data plot
lf read -@ -s 3000

It easier to visually see when you get a good place.
and it also makes more logical sense to your question of why.

3 Likes
11

I hope this will help!

This is standard noise, not anywhere near a tag

image
image1688×339 6.57 KB

This is the xMagic in R0

image
image1688×339 7.77 KB

This is a standard T5577 card

image
image1688×339 6.16 KB

And lastly, this is the NExT giving me trouble in L0

image
image1688×339 8.31 KB

I wonder what this means, I am most interested in learning about this! Thank you again so very much! :emoji_alien:

3 Likes
12

Following up with this, with the graphs found I do not know what it means. Do you think I can still salvage the chip or is it toast? Thanks! :slight_smile: