Proxmark Gurus! Help!

If anyone can give me a little help with this, I’d really appreciate it. I’m not as proficient with Proxmark as I’d like to be. I have a NExT that I had successfully cloned from my HID access badge at work using the Proxmark3 Easy and the DT access controller antenna. I am using the Iceman fork.
I am trying to switch it to EM mode for use with a DT access controller (as I no longer really need the HID for work), but something is going wrong with the write. I know the antenna characteristics are a little weak, but the PM reads and writes HID without issue all day long. Can you guys tell me if there’s a way to determine whether this problem is with the coupling or with my software/firmware?
Here is some data:
pm3 --> hw tune

[=] measuring antenna characteristics, please wait…

[+] LF antenna: 17.14 V - 125.00 kHz
[+] LF antenna: 12.04 V - 134.00 kHz
[+] LF optimal: 76.19 V - 107.14 kHz
[+] LF antenna is OK

[+] HF antenna: 31.29 V - 13.56 MHz
[+] HF antenna is OK

[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

pm3 --> lf t55xx detect
Chip Type : T55x7
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 32
Seq. Term. : No
Block0 : 0x00107060

pm3 --> lf t55xx trace
The modulation is most likely wrong since the ACL is not 0xE0.
pm3 --> lf t55xx info

– T55x7 Configuration & Tag Information --------------------

Safer key : 0
reserved : 0
Data bit rate : 4 - RF/50
eXtended mode : No
Modulation : 7 - FSK 2a RF/10 RF/8
PSK clock frequency : 0
AOR - Answer on Request : No
OTP - One Time Pad : No
Max block : 3
Password mode : No
Sequence Start Terminator : No
Fast Write : No
Inverse data : No
POR-Delay : No

Raw Data - Page 0
Block 0 : 0x00107060 00000000000100000111000001100000

pm3 --> lf t55xx read
Reading Page 0:
blk | hex data | binary | ascii
----±---------±---------------------------------±------
255 | 556965AA | 01010101011010010110010110101010 | Uie.
pm3 --> lf t55xx read 1
Reading Page 1:
blk | hex data | binary | ascii
----±---------±---------------------------------±------
255 | 445915F7 | 01000100010110010001010111110111 | DY…

As a note, upon trying to write an EM config (LF EM 410x_write xxxxxxxxxx 1), the implant can no longer be read or found. This data can only be seen by the T55xx commands when i have the HID clone in place.
If you guys have any troubleshooting steps I can take, I’m all ears. Thanks!

I honestly can’t help as I’ve not played with a proxmark yet but have you seen the wiki’s over here.

2 Likes

Just to clarify your not actually writing Xs to it right? Your writing a valid ID? I haven’t played with em much but I’ll have a go when I wake up a bit more.

1 Like

Correct! I’ve been trying to help @RickD in the FB group and via PM, suggested he post here to see if anyone else had any thoughts!

Commands are all correct and work on a test card, leading us to believe its not a software or firmware issue. Implant isn’t password protected and is responding to other write commands so doesn’t seem to be the implant.

We suspected a coupling issue as trying to get trace commands to work with the DT xAC antenna wasn’t the most reliable, but even in a good spot when coupling seemed fine it didn’t work.

I’m still a little iffy on those voltages, they definitely aren’t right in the optimal range, but acceptable when detuned to 125kHZ, and it is capable of coupling well enough to get trace to work - so 50/50 on that unless anyone may have some ideas of further things to try.

Writing requires more power (afaik) and since it’s possible to tear a t5577 I personally wouldn’t write to an implant with dodgy coupling… If the commands are working on a test card but not the implant then yeah sounds like a coupling issue and the antenna tuning looks bad as you pointed out.

Did you hook an xAC up to a proxmark somehow? O.o

1 Like

With the xAC antenna hooked up it will be far from an ideal connection unless the capacitors have been changed and the antenna soldered on?

The tuning info above also seems too far out to be of massive use.

1 Like

Well, unless there needs to be a significant better couple in order to write a 410x ID than an HID ID, I don’t know what could be causing this. I know the voltages are low, but it works “well enough” to write and rewrite that HID ID over and over, without ever an issue. If I wipe the chip (LF T55xx wipe) or write (LF EM 410x_write) an ID, it can’t be found via any T55xx commands- but with the LF HID Clone command, i can write the ID back to it and start reading again. Does an EM ID require a much better coupling to write than an HID?

yes I’m writing a valid ID, i just used ‘x’ placeholders for anonymity. It’s probably moot, but why not?

1 Like

I realize this antenna isn’t tuned perfectly. but it’s worlds better than the original toroid antenna, as that coupling was so poor, there was no sweet spot; just a random blip of a read. So if the antenna is good enough to clone an HID tag, why can it not write an EM one?
For reference, i’m just trying to write the ID from one of the little fob tags that come with the DT access controller.

Yeah just thought I’d check. :sweat_smile:

It’s possible, as they use different modulation strategies I think. I’m not sure how this effects it from a technical standpoint. Like how sometimes AM radio is clearer than FM radio kind of thing.

But we know the commands work as you tested on a test card.
We know that the implant works as you can read and write hid data to it.

That doesn’t leave much other than the coupling issue :man_shrugging: that I know of at least.

Better yet, can anyone explain to me what “The modulation is most likely wrong since the ACL is not 0xE0.” means? If this is indeed the problem, how do I fix the ACL. Other than anterior cruciate ligament, what even IS an ACL? How do I change modulation? Compgeek had mentioned to me that it could be the timing of the write. If not that, perhaps some method/protocol that the write is being performed that’s throwing the data into an incorrect place?
Thanks for the help guys!

1 Like

Out of interest have you had a look on the proxmark fourm?

I realise non of us are really answering your question but were just trying to gather as much info before we try anymore.

Have you got another tag (t5577) card you can try and write to?

I have poked around, via googling keywords and got a few hits. None of the threads seemed to address this exact issue, however. Also, it’d be nice if there was a writeup after their issue was solved with some specific steps taken that could be educational. Most end in “Oh hey I think the problem was this, but it works now. [solved]”.

The only other tag i have is the T5577 card that came with the PME. I can write the EM ID, no problem. Here’s an LF Search of this card:
pm3 → lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible

Checking for known tags:

EM410x pattern found

EM TAG ID : xxxxxxxxxx

Possible de-scramble patterns
Unique TAG ID : 200822BEAA
HoneyWell IdentKey {
DEZ 8 : 04488533
DEZ 10 : 0272923989
DEZ 5.5 : 04164.32085
DEZ 3.5A : 004.32085
DEZ 3.5B : 016.32085
DEZ 3.5C : 068.32085
DEZ 14/IK2 : 00017452793173
DEZ 15/IK3 : 000137575448234
DEZ 20/ZK : 02000008020211141010
}
Other : 32085_068_04488533
Pattern Paxton : 72923989 [0x458BB55]
Pattern 1 : 8508254 [0x81D35E]
Pattern Sebury : 32085 68 4488533 [0x7D55 0x44 0x447D55]

[+] Valid EM410x ID Found!

Allocation class. It’s mandated by ISO/IEC 15963-1 it it should always be 0xE0 afaik. Like you can change it on the t5577 I think but I don’t know of any cases where it shouldn’t be 0xE0 but I’m also not an expert prehapse @TomHarkness has some insight.

You essentially are. HID uses FSK

EM uses PSK (and some others iirc)

2 Likes

All this data is the same as your I’d that you Xed out btw.

Sounding more and more like a coupling issue, Trace should be giving you data on manufacture date like it does on the test card. Try and get that data with the stock antenna - it’s the wrong shape, but at least its the right tuning. It has a sweet spot for sure, so will take time to find the right spot, but see how you go.

1 Like