NeXT with Blue Cloner - PW still set?

Hi all!

Yes, it was my fault to use the blue cloner on my NeXT implant :tired_face:
As far as I understand, the cloner sets a Password.
I have now spent several hours here in the forum gaining knowledge about removing this password.
I read through many threads and I am aware of how it should work with the Proxmark3 to remove it.
But now I am somehow stuck. Don't know what the reason is that I still cannot write new data to it after performing all commands to remove the PW.

I got the following information from my NeXT:
Is it possible to determine from this info if the PW is still set?

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 11
[=]  reserved                  : 8
[=]  Data bit rate             : 7 - RF/128
[=]  eXtended mode             : No
[=]  Modulation                : 0x1D (Unknown)
[=]  PSK clock frequency       : 3 - (Unknown)
[=]  AOR - Answer on Request   : Yes
[=]  OTP - One Time Pad        : No
[=]  Max block                 : 4
[=]  Password mode             : Yes
[=]  Sequence Terminator       : No
[=]  Fast Write                : Yes - Warning
[=]  Inverse data              : Yes - Warning
[=]  POR-Delay                 : No
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  B11DDE96 - 10110001000111011101111010010110
[=] --- Fingerprint ------------

Thank you for any hint on how to proceed...

Gambrinus

There are a couple of ways you could do this.
Here is one example

First do an lf search or similar a few times to make sure you are well coupled between NExT and PM3
Without moving your NExT and PM3 send (have this ready to go so you don't have to type)

lf t5 wipe --p 51243648

this should revert back to blank T5577

if you have issues, check the coupling and maybe try with test mode -t at the end

lf t5 wipe --p 51243648 -t

from there just write whatever you want to it

eg.
lf em 41 clone --id 1122334455

give that a try and let us know how it goes

Hi and thank you for this fast response!

Did not know that wipe can be combined with --p.
Together with -t "testmode" PM3 responds:

[usb] pm3 --> lf t5 wipe --p 51243648 -t
lf t55xx wipe: invalid option "-t"
[!] Try 'lf t55xx wipe --help' for more information.

Unfortunately lf t5 wipe --p 51243648 does not work on my NExT :frowning_face:
The coupling should be good. I can run several lf search commands in a row and it always responds with the current configuration. So I assume that the wipe command should work as well (according to the coupling...). After the wipe command I run an lf search again, but this still shows the "old" configuration, and the clone command does not work either.

Could the t55xx config of PM3 be wrong? Could this have something to do with the capability of writing to the t55xx chip?

I can read the t5 config from my NExT. See posting above.
And then there is the config of PM3, which shows the following parameters:

[usb] pm3 --> lf t5 config
[=] --- current t55xx config --------------------------
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 0 - RF/8
[=]  Inverted.......... No
[=]  Offset............ 0
[=]  Seq. terminator... No
[=]  Block0............ 00000000 (n/a)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

Is this PM3 config correct for writing to the T5 of my NExT, or does this config not affect the writing/wiping/... functions?

Thank you,
Gambrinus

Hi!

I am still stuck with my efforts to unlock my NExT.
My latest findings:
If I try to reproduce all steps according to @Pilgrimsmaster's mail above, it works with a keyfob:
I can clone some card with the blue cloner to the keyfob.
Then it is PW protected.
With lf t5 wipe --p 51243648 I can unlock/wipe it.
And finally clone some new data to it.

But the same steps do not work for the NExT.

As mentioned above, the coupling should be fine.
I can do all commands like lf search, lf t5 info, ... successfully.

I also used lf t5 chk on the keyfob.
It found a password:

[usb] pm3 --> lf t5 chk
[=] press <Enter> to exit

[+] loaded 124 keys from dictionary file F:\Proxmark\ProxSpace\pm3\proxmark3\client\dictionaries/t55xx_default_pwds.dic
[=] press <Enter> to exit
[=] testing 51243648
[=]  Chip type......... T55x7
[=]  Modulation........ FSK2a
[=]  Bit rate.......... 4 - RF/50
[=]  Inverted.......... Yes
[=]  Offset............ 33
[=]  Seq. terminator... No
[=]  Block0............ 00107070 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... Yes
[=]  Password.......... 51243648

[+] found valid password: [ 51243648 ]

[+] time in check pwd 0 seconds

So I am sure that my blue cloner uses 51243648 as PW.
But trying to read the PW from my NExT does not work:

[usb] pm3 --> lf t5 chk
[=] press <Enter> to exit

[+] loaded 124 keys from dictionary file F:\Proxmark\ProxSpace\pm3\proxmark3\client\dictionaries/t55xx_default_pwds.dic
[=] press <Enter> to exit
[=] testing 51243648
[=] testing 000D8787
[=] testing 19920427
[=] testing 50524F58
[=] testing F9DCEBA0
[=] testing 65857569
[=] testing 05D73B9F
[=] testing 89A69E60
[=] testing 314159E0
[=] testing AA55BBBB
[=] testing A5B4C3D2
[=] testing 1C0B5848
[=] testing 00434343
[=] testing 444E4752
[=] testing 4E457854
[=] testing 44B44CAE
[=] testing 88661858
[=] testing E9920427
[=] testing 575F4F4B
[=] testing 50520901
[=] testing 20206666
[=] testing 65857569
[=] testing 5469616E
[=] testing 7686962A

[!] aborted via keyboard!

Are there any reasons why PM3 does not read/write to the NExT?
I am still searching for an answer as to whether the lf t5 config parameters need to be changed.
Could anyone post a lf t5 config that works with the NExT?

Thank you!

[usb] pm3 --> lf t5 config
[=] --- current t55xx config --------------------------
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 0 - RF/8
[=]  Inverted.......... No
[=]  Offset............ 0
[=]  Seq. terminator... No
[=]  Block0............ 00000000 (n/a)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

I have never tried this myself, but you could try a bruteforce "attack"

Just be aware of this note

"WARNING this may brick non-password protected chips!"

So use with caution, and a test card first


This command uses bruteforce to scan a number range.
Try reading Page 0, block 7 before.

WARNING this may brick non-password protected chips!

usage:
lf t55xx bruteforce [-h] -s -e [--r0] [--r1] [--r2] [--r3] [--all]

options:
-h, --help This help
-s, --start search start password (4 hex bytes)
-e, --end search end password (4 hex bytes)
--r0 downlink - fixed bit length
--r1 downlink - long leading reference
--r2 downlink - leading zero
--r3 downlink - 1 of 4 coding reference
--all try all downlink modes (def)

examples/notes:
lf t55xx bruteforce --r2 -s aaaaaa77 -e aaaaaa99

Great! Thank you! I will try this config...
I will report if it worked...

I'm getting the same thing you are, looks like

lf t55xx detect

Doesn't work with your

[=]  Block0............ 00000000

Have you tried

lf t55xx write -b 0 -d 000880E0

In my experience

lf t55xx write -b 0 -d 000880E0 -t

Followed by

lf t55xx wipe

Just about always works.

Another thing that wouldn't hurt trying at this point
(I already know I'm going to catch some hell from everyone for suggesting this)
is popping your blue cloner open and placing the antenna over the NeXT (as if you were to cut it in half) and trying to write to it again until you get a pass.
This has worked for me in the past to straighten out goofy T5577s when a PM3 couldn't.


Also worth mentioning, ever since I got my FlexEM about a year ago I haven't used the LF side of my NeXT, so it took quite some time on lf tune to get my voltage down to acceptable for reading / writing with the PM3

[=] Measuring LF antenna at 125.00 kHz, click pm3 button or press Enter to exit
[=] 21793 mV / 21 V / 24 Vmax

This is a good number for me, I'm curious what yours is.


It's hard to go by the base number alone because the start point is different for everyone. A more interesting approach would be to give the delta... the difference between your start voltage and your lowest point. If it drops by 500 then that's more or less typical of what I get for xEM or NExT on my proxmark3, but because my start value is around 32000 it only drops to 31500 or so... see what I mean?

update: fyi, this difference in antenna performance and initial voltage start points for everyone has to do with the lack of consistency in component quality and wide tolerances for those components.



You're right, I'll have to remember to document that starting point next time.


Thank you @ItaBeAight and @amal for your inputs about lf tune.

I have proxmark3 easy with original antenna.
lf tune starts at 31.5V and decreases to 30.8V with my NExT (in best case :wink: when I push the implant close to the surface by tensing the muscle below). So I see a drop of 700mV.


That seems about normal for an x-series.

ThatĀ“s no problem. I can clone my work badge to my NExT or a mifare cardā€¦ no problem with the blue cloner. And I can verfiy the result with the PM3. Maybe I will try this a few more times. But Iā€™m not sure if it always works wellā€¦
Only problem is, that I cannot get rid of this password :rage:
I will report progress as soon as availableā€¦


SUCCESS!!!

Finally it was a combination of your ideas in the thread above.

...did not work, but in combination with the blue cloner password it did its job:

[usb] pm3 --> lf t55xx write -b 0 -d 000880E0 --pwd 51243648
[=] Writing page 0  block: 00  data: 0x000880E0 pwd: 0x51243648

Now PW is gone and I can clone anything to the NExT :upside_down_face: :slightly_smiling_face: :upside_down_face:

Thank you @amal @Pilgrimsmaster and @ItaBeAight for your support!!

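The first post asks whether the raw block 0 word alone tells you if the password bit is set, and the last post shows the word that finally cleared it. Here is an added example (not code from this thread or from the Proxmark3 project) that decodes a T5577 page 0 / block 0 word into the same fields `lf t5 info` prints, using the basic-mode bit layout from the T5577 datasheet (bit 1 = MSB). The three sample words are the ones that appear in the thread: B11DDE96 from the first `lf t5 info`, 00107070 from the keyfob `lf t5 chk`, and 000880E0 from the final write. The field names and the `read_looks_plausible` helper are the example's own; the helper only flags codes the datasheet leaves undefined, which is what the info output marks as "Unknown".

```python
"""Decode a T5577 page 0 / block 0 configuration word (basic mode).

Added example for this thread; not Proxmark3 code. Bit positions use the
datasheet convention: bit 1 is the MSB of the 32-bit word, bit 32 the LSB.
"""


def _bits(word: int, first: int, last: int) -> int:
    """Return datasheet bits first..last (inclusive, 1 = MSB) of a 32-bit word."""
    width = last - first + 1
    return (word >> (32 - last)) & ((1 << width) - 1)


# Basic-mode data bit rate codes, bits 12-14 (matches "7 - RF/128" in the thread).
BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}

# Modulation codes the datasheet defines, bits 16-20.
MODULATIONS = {0: "Direct (ASK/NRZ)", 1: "PSK1", 2: "PSK2", 3: "PSK3",
               4: "FSK1", 5: "FSK2", 6: "FSK1a", 7: "FSK2a",
               8: "Manchester", 16: "Biphase", 24: "Biphase a"}

# PSK carrier frequency codes, bits 21-22 (3 is reserved in the datasheet).
PSK_CF = {0: "RF/2", 1: "RF/4", 2: "RF/8"}


def decode_block0(word: int) -> dict:
    """Split a basic-mode block 0 word into its configuration fields."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 is a 32-bit word")
    mod = _bits(word, 16, 20)
    cf = _bits(word, 21, 22)
    return {
        "safer_key": _bits(word, 1, 4),          # master key, 4 bits
        "reserved": _bits(word, 5, 11),          # 7 reserved bits in basic mode
        "bit_rate": BIT_RATES[_bits(word, 12, 14)],
        "extended": bool(_bits(word, 15, 15)),   # X-mode flag
        "modulation": MODULATIONS.get(mod, f"0x{mod:02X} (unknown)"),
        "modulation_known": mod in MODULATIONS,
        "psk_cf": PSK_CF.get(cf, f"{cf} (unknown)"),
        "psk_cf_known": cf in PSK_CF,
        "aor": bool(_bits(word, 23, 23)),        # answer on request
        "otp": bool(_bits(word, 24, 24)),        # one time programmable lock
        "max_block": _bits(word, 25, 27),
        "password_mode": bool(_bits(word, 28, 28)),  # the PWD bit the thread is chasing
        "sequence_terminator": bool(_bits(word, 29, 29)),
        "fast_write": bool(_bits(word, 30, 30)),
        "inverse_data": bool(_bits(word, 31, 31)),
        "por_delay": bool(_bits(word, 32, 32)),
    }


def password_bit_set(word: int) -> bool:
    """True when bit 28 (PWD) is set, i.e. the tag expects a password on writes."""
    return decode_block0(word)["password_mode"]


def read_looks_plausible(word: int) -> bool:
    """Heuristic (this example's own): a block 0 whose modulation or PSK-CF
    code is undefined in the datasheet is more likely a misread than a real
    configuration, so its PWD bit should not be trusted without a re-read."""
    f = decode_block0(word)
    return f["modulation_known"] and f["psk_cf_known"]


if __name__ == "__main__":
    # Sample words taken from the thread's own Proxmark3 output.
    for name, word in (("first lf t5 info", 0xB11DDE96),
                       ("keyfob lf t5 chk", 0x00107070),
                       ("final write", 0x000880E0)):
        f = decode_block0(word)
        print(f"{name}: {word:08X} -> {f['modulation']}, {f['bit_rate']}, "
              f"max block {f['max_block']}, PWD={f['password_mode']}, "
              f"plausible={read_looks_plausible(word)}")
```

Decoding 000880E0 shows why the last post's write removes the lock: bit 28 is 0 in that word, so once it lands in block 0 the tag stops expecting a password (the Proxmark3 config output reporting "Password set... No" is only the client's own setting, not the tag's). The first word, B11DDE96, decodes with an undefined modulation code and a reserved PSK-CF value, which is the same reason `lf t5 info` printed "Unknown"; treat such a read as suspect and confirm coupling and `lf t5 config` before drawing conclusions from its PWD bit.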