NeXT with Blue Cloner - PW still set?

Hi all!

Yes, it was my fault to use the blue cloner on my NeXT impant :tired_face:
As far as I understand, the cloner sets a Password.
I now spent several hours here in the forum to gain my knowledge about removing this password.
I read through many threads and I am aware of how it shold work with the Proxmark3 to rermove it.
But now I am somehow stuck. Don´t know whats the reason that I still cannot write nwe data to it after performing all commands to remove pw.

I got the following information from my NeXT:
Is it possible to determine from this infos if the PW is still set?

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 11
[=]  reserved                  : 8
[=]  Data bit rate             : 7 - RF/128
[=]  eXtended mode             : No
[=]  Modulation                : 0x1D (Unknown)
[=]  PSK clock frequency       : 3 - (Unknown)
[=]  AOR - Answer on Request   : Yes
[=]  OTP - One Time Pad        : No
[=]  Max block                 : 4
[=]  Password mode             : Yes
[=]  Sequence Terminator       : No
[=]  Fast Write                : Yes - Warning
[=]  Inverse data              : Yes - Warning
[=]  POR-Delay                 : No
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  B11DDE96 - 10110001000111011101111010010110
[=] --- Fingerprint ------------

Thank you for any hint how to proceede…

Gambrinus

There are a couple of ways you could do this.
Here is one example

First do an lf search or similar a few times to make sure you are well coupled between NExT and PM3
without moving your NExT and PM3 send (have this ready to go so you don’t have to type)

lf t5 wipe --p 51243648

this should revert back to blank T5577

if you have issues, check the coupling and maybe try with test mode -t at the end

lf t5 wipe --p 51243648 -t

from there just write whatever you want to it

eg.
lf em 41 clone --id 1122334455

give that a try and let us know how it goes

Hi and thank you for this fast response!

Did not know, that wipe can be combined with --p.
Together with -t “testmode” PM3 repondes:

[usb] pm3 --> lf t5 wipe --p 51243648 -t
lf t55xx wipe: invalid option "-t"
[!] Try 'lf t55xx wipe --help' for more information.

Unfortunately lf t5 wipe --p 51243648 does not work on my NExT :frowning_face:
The coupling shoud be good. I can run several lf serch commands in a row and it always reponds with the current configuration. So I assume that the wipe command should work as well (according to the coupling…). After the wipe command I run a lf search again, but this shows still the “old” configuration and the clone command does not work as well.

Could the t55xx config of PM3 be wrong? Could this have something to do with the capability of writing to the t55xx chip?

I can read the t5 config from my NExT. See posting above.
And then there is the config of PM3, which shows the following parameters:

[usb] pm3 --> lf t5 config
[=] --- current t55xx config --------------------------
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 0 - RF/8
[=]  Inverted.......... No
[=]  Offset............ 0
[=]  Seq. terminator... No
[=]  Block0............ 00000000 (n/a)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

Is this PM3 config correct for writing to the T5 of my NExt or does this config not affect the writing/wiping/… function?

Thank you,
Gambrinus

Hi!

I am still stuck with my efforts to unlock my NExT.
My latest findings:
If I try to reproduce all steps according to @Pilgrimsmaster s mail above, it works with a keyfob:
I can clone some card with the blue cloner to the keyfob.
Then it is PW protected
With lf t5 wipe --p 51243648 I can unlock/wipe it.
And finally clone some new data to it.

But the same steps do not work for the NExt.

As mentioned above, the coupling should be fine.
I can do all commands like lf search, lf t5 info, … successfully.

I also used lf t5 chk on the keyfob.
It found a password:

[usb] pm3 --> lf t5 chk
[=] press <Enter> to exit

[+] loaded 124 keys from dictionary file F:\Proxmark\ProxSpace\pm3\proxmark3\client\dictionaries/t55xx_default_pwds.dic
[=] press <Enter> to exit
[=] testing 51243648
[=]  Chip type......... T55x7
[=]  Modulation........ FSK2a
[=]  Bit rate.......... 4 - RF/50
[=]  Inverted.......... Yes
[=]  Offset............ 33
[=]  Seq. terminator... No
[=]  Block0............ 00107070 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... Yes
[=]  Password.......... 51243648

[+] found valid password: [ 51243648 ]

[+] time in check pwd 0 seconds

So I am sure, that my blue cloner uses 51243648 as PW.
But trying to read the PW from my NExT does not work:

[usb] pm3 --> lf t5 chk
[=] press <Enter> to exit

[+] loaded 124 keys from dictionary file F:\Proxmark\ProxSpace\pm3\proxmark3\client\dictionaries/t55xx_default_pwds.dic
[=] press <Enter> to exit
[=] testing 51243648
[=] testing 000D8787
[=] testing 19920427
[=] testing 50524F58
[=] testing F9DCEBA0
[=] testing 65857569
[=] testing 05D73B9F
[=] testing 89A69E60
[=] testing 314159E0
[=] testing AA55BBBB
[=] testing A5B4C3D2
[=] testing 1C0B5848
[=] testing 00434343
[=] testing 444E4752
[=] testing 4E457854
[=] testing 44B44CAE
[=] testing 88661858
[=] testing E9920427
[=] testing 575F4F4B
[=] testing 50520901
[=] testing 20206666
[=] testing 65857569
[=] testing 5469616E
[=] testing 7686962A

[!] aborted via keyboard!

Are there any reasons, why PM3 does not read/write to NExt?
I am still searching for an answer, if the lf t5 config parameters needs to be changed.
Could anyone post a lf t5 config that works with the NExT?

Thank you!

[usb] pm3 --> lf t5 config
[=] --- current t55xx config --------------------------
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 0 - RF/8
[=]  Inverted.......... No
[=]  Offset............ 0
[=]  Seq. terminator... No
[=]  Block0............ 00000000 (n/a)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

I have never tried this myself, but youcould try a bruteforce “attack”

Just be aware of this note

“WARNING this may brick non-password protected chips!”

So use with caution, and a test card first


This command uses bruteforce to scan a number range.
Try reading Page 0, block 7 before.

WARNING this may brick non-password protected chips!

usage:
lf t55xx bruteforce [-h] -s -e [–r0] [–r1] [–r2] [–r3] [–all]

options:
-h, --help This help
-s, --start search start password (4 hex bytes)
-e, --end search end password (4 hex bytes)
–r0 downlink - fixed bit length
–r1 downlink - long leading reference
–r2 downlink - leading zero
–r3 downlink - 1 of 4 coding reference
–all try all downlink modes (def)

examples/notes:
lf t55xx bruteforce --r2 -s aaaaaa77 -e aaaaaa99

Great! Thank you! I will try this config…
I will report if it worked…

I’m getting the same thing you are, looks like

lf t55xx detect

Doesn’t work with your

[=]  Block0............ 00000000

Have you tried

lf t55xx write -b 0 -d 000880E0

In my experience

Lf t55xx write -b 0 -d 000880E0 -t

Followed by

Lf t55xx wipe

Just about always works.

Another thing that wouldn’t hurt trying at this point
(I already know I’m going to catch some hell by everyone for suggesting this)
is popping your blue cloner open and placing the antenna over the NeXT (as if you were to cut it in half) and try writing to it again until you get a pass.
This has worked for me in the past to straighten out goofy T5577’s when a PM3 couldn’t.

2 Likes

Also worth mentioning, ever since I got my FlexEM about a year ago I haven’t used the Lf side of my NeXT so it took quite some time on Lf tune to get my voltage down to acceptable for reading / writing with the PM3

[=] Measuring LF antenna at 125.00 kHz, click pm3 button or press Enter to exit
[=] 21793 mV / 21 V / 24 Vmax

This is a good number for me, I’m curious what yours is.

1 Like

It’s hard to go by the base number alone because the start point is different for everyone. A more interesting approach would be to give the delta… the difference between your start voltage and your lowest point. If it drops by 500 then that’s more or less typical of what I get for xEM or NExT on my proxmark3, but because my start value is around 32000 it only drops to 31500 or so… see what I mean?

update: fyi, this difference in antenna performance and initial voltage start points for everyone has to do with the lack of consistency in component quality and wide tolerances for those components.

1 Like

image

You’re right, I’ll have to remember to document that starting point next time.

2 Likes

Thank you @ItaBeAight and @amal for your inputs about lf tune.

I have proxmark3 easy with original antenna.
lf tune starts at 31.5V and decreases to 30.8V with my NExT (in best case :wink: when I push the implant close to the surface by tensing the muscle below). So I see a drop of 700mV.

1 Like

That seems about normal for an x-series.

That´s no problem. I can clone my work badge to my NExT or a mifare card… no problem with the blue cloner. And I can verfiy the result with the PM3. Maybe I will try this a few more times. But I’m not sure if it always works well…
Only problem is, that I cannot get rid of this password :rage:
I will report progress as soon as available…

1 Like

SUCCESS!!!

Finally it was a combination of your ideas in the thread above.

…did not work, but in combination with the blue cloner password it did its job:

[usb] pm3 --> lf t55xx write -b 0 -d 000880E0 --pwd 51243648
[=] Writing page 0  block: 00  data: 0x000880E0 pwd: 0x51243648

Now PW is gone and I can clone anything to the NExT :upside_down_face: :slightly_smiling_face: :upside_down_face:

Thank you @amal @Pilgrimsmaster and @ItaBeAight for your support!!

3 Likes