Proxmark NExT Cloning Help

TGK · October 12, 2020, 2:01pm

Hello! I’m new to the DT community and looking for help. I just got my NExT implanted maybe a few weeks ago. I’ve tried cloning my work badge to a T5577 blank id and it works. I then have tried to read my implanted chip and I’m having some trouble. I’m using a Proxmark3 RDV4 with the duel pocket antenna and it is reading an EMx410 ID but cannot identify the chipset. I’ve tried using the DT LF antenna and I cannot get a successful read. Any help is appreciated!

NMCCW · October 12, 2020, 3:05pm

TGK · October 12, 2020, 3:31pm

Thank you! What if the chipset is not being detected?

NMCCW · October 12, 2020, 3:55pm

Did you hw tune the proxmark after replacing the dual antenna with the DT LF?

I would try re-positioning the LF antenna a little at a time parallel to the chip while attempting the scans. My DT LF antenna coupled rather easily with my NExT the day it was implanted so I don’t have a horror story to tell. I’ll defer more in dept advice to those like @Pilgrimsmaster and @Compgeek who are much more qualified.

teeny · October 12, 2020, 4:29pm

Can you reade the id with lf sea or are you having problems with lf t55 detect?

TGK · October 12, 2020, 4:50pm

I WAS getting an EM410x ID reading on lf search with no chipset detected. Now Im having trouble even getting a reading. I’ve tried to adjust slightly to get a better read and so far no luck.

teeny · October 12, 2020, 5:14pm

ok so you looking for [+] Chipset detection: T55xx when your running lf search?
This is from a card with a t55 chip and i dont get a t55 detected.

Summary

teeny@ubuntu:~$ pm3
[=] Session log /home/teeny/.proxmark3/logs/log_20201012.txt
[+] loaded from JSON file /home/teeny/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝ iceman@icesql.net
╚═╝ ╚═╝ ╚═╝╚════╝ bleeding edge

https://github.com/rfidresearchgroup/proxmark3/

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman/master/v4.9237-783-g6bd0138f 2020-08-13 13:44:49
compiled with GCC 9.3.0 OS:Linux ARCH:x86_64

[ PROXMARK3 RDV4 ]
external flash: present
smartcard reader: present

[ PROXMARK3 RDV4 Extras ]
FPC USART for BT add-on support: absent

[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-783-g6bd0138f 2020-08-13 13:45:10
os: RRG/Iceman/master/v4.9237-783-g6bd0138f 2020-08-13 13:45:22
compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
–= uC: AT91SAM7S512 Rev A
–= Embedded Processor: ARM7TDMI
–= Nonvolatile Program Memory Size: 512K bytes, Used: 287800 bytes (55%) Free: 236488 bytes (45%)
–= Second Nonvolatile Program Memory Size: None
–= Internal SRAM Size: 64K bytes
–= Architecture Identifier: AT91SAM7Sxx Series
–= Nonvolatile Program Memory Type: Embedded Flash Memory

[usb] pm3 --> hw tune
[=] Measuring antenna characteristics, please wait…
8
[=] ---------- LF Antenna ----------
[+] LF antenna: 27,49 V - 125,00 kHz
[+] LF antenna: 26,63 V - 134,83 kHz
[+] LF optimal: 28,30 V - 127,66 kHz
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[!] HF antenna is UNUSABLE

[+] Displaying LF tuning graph. Divisor 88 is 134,83 kHz, 95 is 125,00 kHz.

[usb] pm3 --> lf em 410x_write 3100A45E31 1
[+] Writing T55x7 tag with UID 0x3100a45e31 (clock rate: 64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff98600512ae986a

[+] Done
[usb] pm3 --> lf sea
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM410x pattern found

EM TAG ID : 3100A45E31

Possible de-scramble patterns

Unique TAG ID : 8C00257A8C
HoneyWell IdentKey {
DEZ 8 : 10772017
DEZ 10 : 0010772017
DEZ 5.5 : 00164.24113
DEZ 3.5A : 049.24113
DEZ 3.5B : 000.24113
DEZ 3.5C : 164.24113
DEZ 14/IK2 : 00210464169521
DEZ 15/IK3 : 000601297877644
DEZ 20/ZK : 08120000020507100812
}
Other : 24113_164_10772017
Pattern Paxton : 834182193 [0x31B89C31]
Pattern 1 : 3263180 [0x31CACC]
Pattern Sebury : 24113 36 2383409 [0x5E31 0x24 0x245E31]

[+] Valid EM410x ID found!

[usb] pm3 -->

Can you post a dump from when your trying to write to your Next?

TGK · October 12, 2020, 5:31pm

Summary

[=] Session log /root/.proxmark3/logs/log_20201012.txt
[+] loaded from JSON file /root/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

██████╗ ███╗ ███╗█████╗
██╔══██╗████╗ ████║╚═══██╗
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ╚══██╗
██║ ██║ ╚═╝ ██║█████╔╝ Iceman
╚═╝ ╚═╝ ╚═╝╚════╝ bleeding edge

https://github.com/rfidresearchgroup/proxmark3/

QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to ‘/tmp/runtime-root’

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman/master/v4.9237-1491-g08a875c2 2020-10-05 11:51:47
compiled with GCC 9.3.0 OS:Linux ARCH:x86_64

[ PROXMARK3 ]
firmware…PM3RDV4
external flash…present
smartcard reader…present
FPC USART for BT add-on…absent

[ ARM ]
bootrom: RRG/Iceman/master/v4.9237-1491-g08a875c2 2020-10-05 11:52:16
os: RRG/Iceman/master/v4.9237-1491-g08a875c2 2020-10-05 11:52:32
compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
–= uC: AT91SAM7S512 Rev B
–= Embedded Processor: ARM7TDMI
–= Nonvolatile Program Memory Size: 512K bytes, Used: 293752 bytes (56%) Free: 230536 bytes (44%)
–= Second Nonvolatile Program Memory Size: None
–= Internal SRAM Size: 64K bytes
–= Architecture Identifier: AT91SAM7Sxx Series
–= Nonvolatile Program Memory Type: Embedded Flash Memory

[usb] pm3 --> hw tune
[=] Measuring antenna characteristics, please wait…
9
[=] ---------- LF Antenna ----------
[+] LF antenna: 73.17 V - 125.00 kHz
[+] LF antenna: 36.15 V - 134.83 kHz
[+] LF optimal: 74.21 V - 126.32 kHz
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 45.02 V - 13.56 MHz
[+] HF antenna is OK

[+] Displaying LF tuning graph. Divisor 88 is 134.83 kHz, 95 is 125.00 kHz.

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[!] Error Manchester at 80
[=] Paradox - ID: 00c3fffff FC: 255 Card: 65535, Checksum: ff, Raw: 0f55552aaaaaaaaaaaaaaaaa

[+] Valid Paradox ID found!

Couldn’t identify a chipset

[usb] pm3 --> lf search

[=] Checking for known tags…
[=]
[!] (em4x50) timeout while waiting for reply.
[+] Indala - len 76, Raw: 80000000000000000000000fffffffffffffffffffffffffffffffff

[+] Valid Indala ID found!

[!] (em4x50) timeout while waiting for reply.
Couldn’t identify a chipset

teeny · October 12, 2020, 5:39pm

If you are using the stock antenna change it from +Range to +Accurate your lf antenna volt is a bit high. I had the same problem before.

Summary

My antenna: LF antenna: 27,49 V - 125,00 kHz
Your antenna: LF antenna: 73.17 V - 125.00 kHz

TGK · October 12, 2020, 6:03pm

Okay! We are getting somewhere lol.

Now i am getting the chipset but seeing this.

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[!] (em4x50) timeout while waiting for reply.
[=] DEBUG: detectindala | 40
[-] No known 125/134 kHz tags found!
[+] Chipset detection: T55xx

I have tried to do “lf hid clone -l (with long ID)”
shows that it has finished but when i try to verify with “lf search” it repeats the lines above and seems like it didn’t take.

I’m scared to keep trying to clone if it’s not taking.

teeny · October 12, 2020, 6:21pm

Take a marker and make a mark on your hand at both ends of the chip it will make it easier for you to line it up and exit your terminal window and disconnect your proxmark and start over. If you get a time out its best to restart. Se it that helps if not we will reset it to a blank t55 chip.

TGK · October 12, 2020, 6:32pm

teeny,

I really appreciate the time you are taking to help! I might need to wipe it back to a blank t55 chip. Is there any instructions on wiping the chip? I don’t want to take up any more of your time!

anon3825968 · October 12, 2020, 6:33pm

Are you running the PM3 client in Linux or Windows?

TGK · October 12, 2020, 6:34pm

Linux

anon3825968 · October 12, 2020, 6:35pm

Okay. Check that the modem manager is running.

$ ps ax | grep -i modem | grep -i manager

TGK · October 12, 2020, 6:36pm

I was watching some videos on the install and was told to disable the modem manager. So It should still be disabled.

anon3825968 · October 12, 2020, 6:37pm

Well, I almost got burnt the other day with that: I had disabled it and it started all by itself. Hence my comment. I almost bricked my PM3 with that damn thing.

If you have it installed, just zap it.

TGK · October 12, 2020, 6:37pm

oh good call!

teeny · October 12, 2020, 6:42pm

I always wipe my chip to a blank t55 when programming it. I got the info from this thread. Lots of good info in it. https://forum.dangerousthings.com/t/xem-cloning-emulation-modes-and-the-perils-of-chinese-cloners/1547

Command

lf t55 write b 0 d 00088040 t
b = block
d = data
BLANK t55 config 00088040
t = debug mode

After you run the command you wont find you chip with lf search as its not set to emulate a chip yet.

TGK · October 12, 2020, 7:04pm

IT WORKSSSSS!

Thank you guys!