NExT xEM side stuck in HID mode

Hello and good morning/afternoon/evening to everyone. Let me start by saying I have actually never started a forum post anywhere before because I usually figure out my problems myself/sleuth forums for solutions/get bored, don’t care.
Problem —> As the title says xEM side of my NExT seems to be locked/stuck in HID mode.
History before problem —> I bought a Proxmark3 rdv2, and the first programming that side of the chip, I used the original antenna and iceman fork and set the chip to HID mode to use my school ID as proof of concept, month or so later I set it back to EM4100 mode with a copied uid from my xAC for use with that device.
Symptoms —> I noticed some weirdness when I did the switch back to EM4100, basically, after writing it, it was unreadable (on proxmark3) both with LF search and all the t55xx commands other than the wipe command. The chip was also unreadable after the wipe command however I could set it back to HID or write an EM uid on it. It was weird to me, but even though the proxmark3 couldn’t read it in EM mode, it still worked with the xAC. I was worried about it at this point and decided not to play with the stock antenna on the Proxmark3 anymore for fear of write tearing.
Testing —> I built my own antenna based on Compgeek’s post a while back, and have done a ton of reading (including the datasheet albeit I don’t fully understand all of it) forum posting etc… Purchased a batch of atmel ata5577 cards on Amazon to play with so I don’t brick my NExT playing with the dangerous commands. I started with a ton of card/hand reading to gather what data I could to gauge the situation. IF I set my NExT into HID mode, I can use all the t55xx commands such as detect, trace, read, etc… So I set both a card and my hand to the same HID ID, figured out how to rewrite page 1 blocks 1 and 2 to clone the traceability data from my hand to the card. At this point if I dump either card, I get identical output. If I wipe the card/NExT to blank t5577’s I can detect the card but not my hand. Once I detect the card (to set the configuration in proxmark3) I can trace the card but still can’t trace my hand. I can read block 0 page 0 and one on the blank card, but neither on my hand. I can see the plot when attempting these last 2 reads and the wave forms look identical, except the amplitude of the card is up to about 80 and the one in my hand at best is around 40. That is about as much testing as I remember off the top of my head/notes.
Theory —> I think when I originally wrote my NExT some tearing happened due to coupling with the stock antenna and a lock bit got set on either page 0 block 0 or on page 1 block 0, therefore locking that part of the configuration into HID mode only (which would explain why it only works (but really works well, in HID mode). I don’t know how to confirm this theory as I cant seem to find a way to get it to spit out the lock bits to check if any are set. I fear I will have to dump the scope of an HID mode t55xx read and manually decode it after much more research. I also cant seem to simulate the problem on a card, however I am willing to break some cards trying. My end goal is to get this thing fixed up and able to be rewritten to what ever mode I may feel like/need as my HID school badge is not super useful with covid-19 right now.

Any and all knowledge and support is welcome and appreciated. Any relevant information I did not provide that may be needed just ask and I shall provide to the best of my ability. Thanks in advance everyone.


Just heading out so can’t write much, I Just wanted to say WOW, if only every person needing help gave even a 10th of the information and research you did, all forums would be a better place! (although some white space might make it easier to read for some)

Regarding the flipping a config bot that locks it, the NExT comes protected from changes like that AFAIK but not sure how a tear would interact with that. :thinking: as in if a tear could get around the config protection.


That’s what I call doing one’s homework before posting. Bravo!


I didn’t want to be one of “those guys” my first time :stuck_out_tongue: but yeah, I learn better if I figure it out on my own usually but I’m super stumped at this point and really want to get my mo.lock hooked up on my Zero DS. Also, leumas95, I believe it’s only the xNT side thats protected, the xEM side is just a raw t5577 chip if I’m not mistaken.

Damn you are right… of course… you used to have to use a phone app to do that… my bad.

With 19hrs of read time I hardly think someone would say you are



I haven’t had a T55xx in that sort of state, so I’m just spitballing here, but if you’ve got a page 1 issue and trace isn’t working you can look at doing a write in test mode and ‘restoring’ block 1

I think @TomHarkness has some test mode experience

I’m not 100% sure where exactly the issue is, I just suspect that it’s a lock bit as that’s the only thing I have not figured out how to see. I do know that if I put it in HID mode I can get a t55xx detect and trace/dump/read/write all work fine, but as soon as I do a wipe or change the mode, I basically loose all communication until I set it back in HID. The weirdest thing to me though is that if I put it in EM mode, my xAC can still read it… But my proxmark3 can’t. So what I THINK my next step should be is figure out how to see the lock bits to determine if that’s actually my problem, haven’t figured that out yet, then, figure out how test mode works. As I was typing the above I remembered coming across a post about test mode and dug back into it and found this page —>
And there is a link in the bottom of that last post to an extremely helpful looking page. Time to read all that 5 or 6 times and break some cards with raw data :grimacing:
Edit: I also saw a thing in there suggesting that the otp bits are only accessable in extended modes or when there is a 6 or 9 in page 0 block 0. Mine is 00 in that block for the record.

1 Like