NExT T55 detect could not detect modulation

Support
1

I implanted a NExT on Saturday and I’m having issues after trying to write to it.
I have a Proxmark3 RDV4 and the LF ferrite antenna. The ferrite antenna doesn’t seem to work as well as the standard antenna. I am running the ‘hw tune’ command.

The 2 commands I used on my NExT were:

lf em 410x clone --id 011125082C
Which said it was successful but didn’t actually work.

lf t55xx wipe
Which seemed to have not worked or messed up block 0?

I did successfully run these 2 commands on some other T5577 tags I have before trying them on my implant.

Now I can no longer detect the T5577 implant. I’m wondering if I messed up the configuration on block 0? Hopefully I didn’t completely brick it. ‘lf t55 search’ and ‘lf t55 info’ do give results.

I ran these commands because I was getting a successful read. But maybe it’s too soon and there was a decoupling issue from swelling. I’m going to wait a couple weeks for swelling to go down before I mess with this any further. Are there any suggested commands I can use to try and fix this?

I’ve started reading the datasheet at https://ww1.microchip.com/downloads/en/DeviceDoc/ATA5577C-Read-Write-LF-RFID-IDIC-100-to-150-kHz-Data-Sheet-DS70005357B.pdf to get a better understanding of the T5577.

I did some testing with my other T55 tags and completely bricked 2 of them where I could not get a result from detect, info, etc. I thought they were trash. I later found I was able to completely fix them with: lf t55 write -b 0 -d 000c8040 --pwd 00000000

I’v also seen examples of people fixing their tag with the following commands:
lf t55 write -b 0 -d 00148040 --pwd 00000000
lf t55xx write -b 0 -d 000880E8 -p 00000000

But I guess this sets an all 0s password, resets the config, and fixes tags that are bricked when you run a password command against a tag that didn’t have a password?

Sorry for the long post. Here are commands/results that show my settings from the Proxmark:

Summary

[+] T55xx chip found!
Downlink Mode used : default/fixed bit length

[usb] pm3 → lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] :no_entry: No known 125/134 kHz tags found!
[+] Chipset detection: T55xx
[?] Hint: try lf t55xx commands

[usb] pm3 → lf t55 detect
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’

[usb] pm3 → lf t55 info

[=] — T55x7 Configuration & Information ---------
[=] Safer key : 15
[=] reserved : 15
[=] Data bit rate : 63 - RF/128
[=] eXtended mode : Yes - Warning
[=] Modulation : 0x1F (Unknown)
[=] PSK clock frequency : 3 - (Unknown)
[=] AOR - Answer on Request : Yes
[=] OTP - One Time Pad : Yes - Warning
[=] Max block : 7
[=] Password mode : Yes
[=] Sequence Start Marker : Yes
[=] Fast Write : Yes
[=] Inverse data : Yes
[=] POR-Delay : Yes
[=] -------------------------------------------------------------
[=] Raw Data - Page 0, block 0
[=] FFFFFFFF - …111.11111111111.1111111.111111
[=] — Fingerprint ------------

[usb] pm3 → lf t55 dump
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | FFFFFFFF | .1.111.11111111111.1111111.11111 | …
[+] 01 | FFFFFFFF | .1.111.11111111111.1111111.11111 | …
[+] 02 | FFFFFFFF | .1.111.11111111111.1111111.11111 | …
[+] 03 | FFFFFFFF | …111.11111111111.1111111.111111 | …
[+] 04 | FFFFFFFF | .1.111.11111111111.1111111.11111 | …
[+] 05 | FFFFFFFF | .1.111.11111111111.1111111.11111 | …
[+] 06 | FFFFFFFF | …111.11111111111.1111111.111111 | …
[+] 07 | FFFFFFFF | …111.11111111111.1111111.111111 | …
[+] Reading Page 1:
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | FFFFFFFF | .1.11111111111111111111111111111 | …
[+] 01 | FFFFFFFF | …111111111111111111111111111111 | …
[+] 02 | FFFFFFFF | .1.11111111111111111111111111111 | …
[+] 03 | FFFFFFFF | …111111111111111111111111111111 | …
[+] saved to json file lf-t55xx-dump-2.json
[+] saved 12 blocks to text file lf-t55xx-dump-2.eml
[+] saved 48 bytes to binary file lf-t55xx-dump-2.bin

[usb] pm3 → lf t55xx read -b 0
[+] Reading Page 0:
[+] blk | hex data | binary | ascii
[+] ----±---------±---------------------------------±------
[+] 00 | FFFFFFFF | .1.111.11111111111.1111111.11111 | …

[usb] pm3 → hw version

[ Proxmark3 RFID instrument ]

[ CLIENT ]
Iceman/master/v4.14831-1008-ga1633f932-dirty-unclean 2022-10-24 23:10:53 8b5c14153
compiled with… GCC 10.2.1 20210110
platform… Linux / x86_64
Readline support… present
QT GUI support… present
native BT support… present
Python script support… present
Lua SWIG support… present
Python SWIG support… present

[ PROXMARK3 ]
device… RDV4
firmware… RDV4
external flash… present
smartcard reader… present
FPC USART for BT add-on… absent

[ ARM ]
bootrom: Iceman/master/v4.14831-1008-ga1633f932-dirty-unclean 2022-10-24 23:10:02 8b5c14153
os: Iceman/master/v4.14831-1008-ga1633f932-dirty-unclean 2022-10-24 23:10:41 8b5c14153
compiled with GCC 8.3.1 20190703 (release) [gcc-8-branch revision 273027]

[ FPGA ]
LF image 2s30vq100 2022-03-23 17:21:05
HF image 2s30vq100 2022-03-23 17:21:16
HF FeliCa image 2s30vq100 2022-03-23 17:21:27
HF 15 image 2s30vq100 2022-03-23 17:21:38

[ Hardware ]
–= uC: AT91SAM7S512 Rev B
–= Embedded Processor: ARM7TDMI
–= Internal SRAM size: 64K bytes
–= Architecture identifier: AT91SAM7Sxx Series
–= Embedded flash memory 512K bytes ( 65% used )

[usb] pm3 → hw status
[#] Memory
[#] BigBuf_size… 40912
[#] Available memory… 40912
[#] Tracing
[#] tracing … 1
[#] traceLen … 0
[#] Current FPGA image
[#] mode… LF image 2s30vq100 2022-03-23 17:21:05
[#] Flash memory
[#] Baudrate… 24 MHz
[#] Init… OK
[#] Memory size… 2 mbits / 256 kb
[#] Unique ID… 0xD5690C23DF8FBD2A
[#] Smart card module (ISO 7816)
[#] version… v3.10
[#] LF Sampling config
[#] [q] divisor… 95 ( 125.00 kHz )
[#] [b] bits per sample… 8
[#] [d] decimation… 1
[#] [a] averaging… no
[#] [t] trigger threshold… 0
[#] [s] samples to skip… 0
[#]
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------±----±----±----±----±----±----±-----
[#] fixed bit length (default) | 29 | 17 | 15 | 47 | 15 | N/A | N/A |
[#] long leading reference | 29 | 17 | 18 | 50 | 15 | N/A | N/A |
[#] leading zero | 29 | 17 | 18 | 40 | 15 | N/A | N/A |
[#] 1 of 4 coding reference | 29 | 17 | 15 | 31 | 15 | 47 | 63 |
[#]
[#] HF 14a config
[#] [a] Anticol override… std ( follow standard )
[#] [b] BCC override… std ( follow standard )
[#] [2] CL2 override… std ( follow standard )
[#] [3] CL3 override… std ( follow standard )
[#] [r] RATS override… std ( follow standard )
[#] Transfer Speed
[#] Sending packets to client…
[#] Time elapsed… 500ms
[#] Bytes transferred… 273408
[#] Transfer Speed PM3 → Client… 546816 bytes/s
[#] Various
[#] Max stack usage… 4104 / 8480 bytes
[#] Debug log level… 1 ( error )
[#] ToSendMax… -1
[#] ToSend BUFFERSIZE… 2308
[#] Slow clock… 30439 Hz
[#] Installed StandAlone Mode
[#] LF HID26 standalone - aka SamyRun (Samy Kamkar)
[#] Flash memory dictionary loaded
[#] Mifare… 1462 keys
[#] T55x7… 122 keys
[#] iClass… 11 keys

2

When you write with the PM it does not verify the write was actually successful. So it will tell you it wrote but you then need to do a read to confirm it was successful.

If you only installed last Friday, I am surprised you are getting any reads. I would be very careful writing to either side of the chip for at least two weeks. My first NExT took just under two weeks for all the swelling to go and be consistently able to be read. My second took just over three weeks.

It may not look swollen but it will be. Patience and all will be good!

3

I can feel a little soreness so I’m sure it’s still swollen. I’ll definitely hold off on doing anything for a couple of weeks.