NExT xEM side stuck in HID mode

Hello and good morning/afternoon/evening to everyone. Let me start by saying I have actually never started a forum post anywhere before because I usually figure out my problems myself/sleuth forums for solutions/get bored, don’t care.
Problem —> As the title says, the xEM side of my NExT seems to be locked/stuck in HID mode.
History before problem —> I bought a Proxmark3 rdv2, and the first time programming that side of the chip, I used the original antenna and the iceman fork and set the chip to HID mode to use my school ID as a proof of concept. A month or so later I set it back to EM4100 mode with a copied UID from my xAC for use with that device.
Symptoms —> I noticed some weirdness when I did the switch back to EM4100, basically, after writing it, it was unreadable (on proxmark3) both with LF search and all the t55xx commands other than the wipe command. The chip was also unreadable after the wipe command however I could set it back to HID or write an EM uid on it. It was weird to me, but even though the proxmark3 couldn’t read it in EM mode, it still worked with the xAC. I was worried about it at this point and decided not to play with the stock antenna on the Proxmark3 anymore for fear of write tearing.
Testing —> I built my own antenna based on Compgeek’s post a while back, and have done a ton of reading (including the datasheet, albeit I don’t fully understand all of it), forum posting, etc… Purchased a batch of Atmel ATA5577 cards on Amazon to play with so I don’t brick my NExT playing with the dangerous commands. I started with a ton of card/hand reading to gather what data I could to gauge the situation. If I set my NExT into HID mode, I can use all the t55xx commands such as detect, trace, read, etc… So I set both a card and my hand to the same HID ID, and figured out how to rewrite page 1 blocks 1 and 2 to clone the traceability data from my hand to the card. At this point if I dump either card, I get identical output. If I wipe the card/NExT to a blank T5577, I can detect the card but not my hand. Once I detect the card (to set the configuration in proxmark3) I can trace the card but still can’t trace my hand. I can read block 0 on page 0 and on page 1 of the blank card, but neither on my hand. I can see the plot when attempting these last 2 reads and the waveforms look identical, except the amplitude of the card is up to about 80 and the one in my hand at best is around 40. That is about as much testing as I remember off the top of my head/notes.
Theory —> I think when I originally wrote my NExT some tearing happened due to coupling with the stock antenna and a lock bit got set on either page 0 block 0 or on page 1 block 0, therefore locking that part of the configuration into HID mode only (which would explain why it only works, but works really well, in HID mode). I don’t know how to confirm this theory as I can’t seem to find a way to get it to spit out the lock bits to check if any are set. I fear I will have to dump the scope of an HID mode t55xx read and manually decode it after much more research. I also can’t seem to simulate the problem on a card, however I am willing to break some cards trying. My end goal is to get this thing fixed up and able to be rewritten to whatever mode I may feel like/need, as my HID school badge is not super useful with COVID-19 right now.

Any and all knowledge and support is welcome and appreciated. Any relevant information I did not provide that may be needed just ask and I shall provide to the best of my ability. Thanks in advance everyone.


Just heading out so can’t write much, I just wanted to say WOW, if only every person needing help gave even a 10th of the information and research you did, all forums would be a better place! (although some white space might make it easier to read for some)

Regarding flipping a config bit that locks it, the NExT comes protected from changes like that AFAIK, but not sure how a tear would interact with that. :thinking: as in, if a tear could get around the config protection.


That’s what I call doing one’s homework before posting. Bravo!


I didn’t want to be one of “those guys” my first time :stuck_out_tongue: but yeah, I learn better if I figure it out on my own usually, but I’m super stumped at this point and really want to get my mo.lock hooked up on my Zero DS. Also, leumas95, I believe it’s only the xNT side that’s protected; the xEM side is just a raw T5577 chip if I’m not mistaken.

Damn you are right… of course… you used to have to use a phone app to do that… my bad.

With 19hrs of read time I hardly think someone would say you are

:stuck_out_tongue:


I haven’t had a T55xx in that sort of state, so I’m just spitballing here, but if you’ve got a page 1 issue and trace isn’t working you can look at doing a write in test mode and ‘restoring’ block 1

I think @TomHarkness has some test mode experience

I’m not 100% sure where exactly the issue is, I just suspect that it’s a lock bit as that’s the only thing I have not figured out how to see. I do know that if I put it in HID mode I can get a t55xx detect, and trace/dump/read/write all work fine, but as soon as I do a wipe or change the mode, I basically lose all communication until I set it back in HID. The weirdest thing to me though is that if I put it in EM mode, my xAC can still read it… but my proxmark3 can’t. So what I THINK my next step should be is to figure out how to see the lock bits to determine if that’s actually my problem (haven’t figured that out yet), then figure out how test mode works. As I was typing the above I remembered coming across a post about test mode and dug back into it and found this page —>
http://www.proxmark.org/forum/viewtopic.php?id=4717
And there is a link in the bottom of that last post to an extremely helpful looking page. Time to read all that 5 or 6 times and break some cards with raw data :grimacing:
Edit: I also saw a thing in there suggesting that the OTP bits are only accessible in extended mode or when there is a 6 or 9 in page 0 block 0. Mine is 00 in that block for the record.

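As an added example (mine, not code from the thread or from the proxmark3 project), here is a decoder for the 32 configuration bits of T5577 page 0 block 0, which the OP's theory and the "6 or 9 in page 0 block 0" note both turn on. It follows the ATA5577 datasheet bit numbering (bit 1 = MSB, bit 32 = LSB) and is run on the block 0 words that, as I recall them, the iceman client writes for HID (0x00107060) and EM4100 (0x00148040) clones; those two constants are an assumption, not something stated in the thread. Note that the per-block lock bit is sent as a separate bit in the write command, so it is not among these 32 bits and cannot be recovered from a plain block read.

```python
# Added example: decode a T5577 (ATA5577) page 0 block 0 configuration word.
# Bit positions use datasheet numbering: bit 1 is the MSB, bit 32 the LSB.
# The lock bit of a block is a separate bit in the write command and is NOT
# part of the 32 data bits decoded here.

BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "DIRECT", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
               5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "MANCHESTER",
               16: "BIPHASE", 24: "BIPHASE_A"}

def field(word, msb_bit, width):
    """Return `width` bits whose most significant bit is datasheet bit `msb_bit`."""
    shift = 32 - (msb_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)

def decode_block0(word):
    """Split a basic-mode block 0 word into its named configuration fields."""
    master_key = field(word, 1, 4)          # bits 1-4; 6 selects extended (X) mode
    return {
        "master_key": master_key,
        "xmode": master_key == 0x6,
        "bit_rate": BIT_RATES[field(word, 12, 3)],        # bits 12-14
        "modulation": MODULATIONS.get(field(word, 16, 5),  # bits 16-20
                                      "UNKNOWN/XMODE"),
        "psk_cf": field(word, 21, 2),       # bits 21-22: PSK carrier frequency
        "aor": bool(field(word, 23, 1)),    # answer-on-request
        "otp": bool(field(word, 24, 1)),    # one-time-programmable flag
        "max_block": field(word, 25, 3),    # bits 25-27: last block transmitted
        "pwd": bool(field(word, 28, 1)),    # password mode
        "sst": bool(field(word, 29, 1)),    # sequence start/terminator
        "por_delay": bool(field(word, 32, 1)),
    }

# Assumed (recalled, not from the thread) block 0 words used by the iceman
# client for HID and EM4100 clones.
HID_BLOCK0 = 0x00107060
EM4100_BLOCK0 = 0x00148040

if __name__ == "__main__":
    for name, word in (("HID", HID_BLOCK0), ("EM4100", EM4100_BLOCK0)):
        print(f"{name} block0 = 0x{word:08X}")
        for k, v in decode_block0(word).items():
            print(f"  {k:>10}: {v}")
```

Running it shows why a basic-mode card reports "00" in the first nibble: the master key is 0 for both profiles, and the two clones differ only in bit rate (RF/50 vs RF/64), modulation (FSK2a vs Manchester) and max block (3 vs 2).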