Readers read only the first 4 bytes in reverse order. Why?

I have, at several locations and places of employment here in Sweden, had problems with enrolling the implants, both xSIID and xNT, on the access systems. These systems only do UID checks, so I couldn’t figure out why it wouldn’t enroll. Then I actually got to see what the reader read.

Both xSIID and xNT have a 7-byte UID as we all know, but the readers are apparently for 4-byte NUID cards. So it only reads the first 4 bytes in the 7-byte UID and in reverse byte order.
So when the software shows what it has read, it’s four HEX bytes, but the software also only accepts decimal as input.
That was easy to convert, but I’m just scratching my head over why.

Does anyone know why this is the case, how common this is? I help out some in the cyborg community in Sweden, so this is a question that has been bugging me for quite some time.
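The conversion described in the post above, as an added example that is not part of the original thread: it keeps the first 4 bytes of a UID, reverses them, and gives the hex and decimal forms for enrollment. The sample UIDs are constructed, the function names are illustrative, reading the reversed bytes as one big-endian number is an assumption, and the duplicate check goes one step beyond the post by flagging 7-byte UIDs that look identical to such a reader once truncated.

```python
import re

# Constructed sample UIDs (not real tags): two 7-byte UIDs that share
# their first 4 bytes, plus one 4-byte NUID.
CONSTRUCTED_UIDS = ["04 A1 B2 C3 D4 E5 F6", "04:A1:B2:C3:00:01:02", "DEADBEEF"]

def parse_uid(text):
    """Accept '04 A1 ..', '04:A1:..' or '04A1..' and return the UID as bytes."""
    cleaned = re.sub(r"[\s:\-]", "", text)
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", cleaned):
        raise ValueError(f"not a hex UID: {text!r}")
    uid = bytes.fromhex(cleaned)
    if len(uid) not in (4, 7):
        raise ValueError(f"expected a 4- or 7-byte UID, got {len(uid)} bytes")
    return uid

def reader_view(uid):
    """First 4 bytes in reverse order, as the reader in the post reports them."""
    reported = uid[:4][::-1]
    return {
        "hex": reported.hex().upper(),
        # Assumption: the enrollment software wants the reversed bytes
        # read as a single big-endian unsigned number.
        "decimal": int.from_bytes(reported, "big"),
        "truncated": len(uid) > 4,  # bytes 5-7 never reach the access system
    }

def find_collisions(uid_texts):
    """Group full UIDs that the reader cannot tell apart after truncation."""
    seen = {}
    for text in uid_texts:
        uid = parse_uid(text)
        seen.setdefault(reader_view(uid)["decimal"], []).append(uid.hex().upper())
    return {dec: full for dec, full in seen.items() if len(full) > 1}

if __name__ == "__main__":
    for text in CONSTRUCTED_UIDS:
        view = reader_view(parse_uid(text))
        print(f"{text:22} -> hex {view['hex']}  decimal {view['decimal']}")
    for dec, full in find_collisions(CONSTRUCTED_UIDS).items():
        print(f"enrollment value {dec} is shared by: {', '.join(full)}")
```
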

Kinda common to reverse the order, dunno why, many people including me trip over that sometimes, e.g. when using the vivokey api.

Yes, I knew about it being somewhat standard for reading inputs, from when I had a course in integrated circuits and microcontrollers. But then we learned that it should always be displayed the other way around to the user or program.

So what I’m actually wondering is, is there a practical purpose to store it and display it in that order, or is it just that someone hasn’t bothered to correct it? Because now these buildings have problems with all kinds of cards. Because when they read them it’s one ID, but they have to put it in reversed.

Just seems strange to me.

Oh I bet I know why: your access system is Wiegand 32-bit reversed.


Oh, yeah. That explains it. That’s bad. I heard about that standard long ago. Thought it had died a natural death… Well then.

Nah. Wiegand sticks around like a bad fart in an elevator. In this day and age, it’s security through faith in humanity.

But look at the bright side: it’s dumb readers and insecure chips that allow implantees to clone their credentials onto their implants. The alternative at present - and for a very, very long time to come - is conversion of secure, single-purpose chips and yet another scalpel job.

Most of my customers hand me an un-labeled T5577 coded for their system … And I found that usually the “contractor guest pass” allows access to ALL areas …


How is this common practice?
Sure, I’m happy that most places here in Sweden let you add your own tag, but not administrating where guests are allowed to go just sounds bad…

It is …
At least in the US, it’s not about “security” but liability … If you update the system, you are now liable for it, and as contractors, we signed NDA and “house rules” (for lack of better terms) so we are liable to stay where we are supposed to …
This way the company is not liable for new/proper security system and if/when there is a breach, they sue the cr** out of the contractor/employee …

Are you in a position to enroll your own?

Do you have a Mifare Magic 1k card you can test with?

They are 4 bytes with changeable NUID so you SHOULD be able to make it work easily with your system?

If it works, one of the magic implants could be a good solution for you


I can enroll my own at almost all the places I’ve been at. It just takes some social engineering. But I have an xM1 gen1a implant, but I have had no need for it yet.
In my experience the xSIID antenna is better, so I’d rather enroll that.

But if you just explain to the person administrating the system that this is a tag IN MY HAND, so I can’t drop it or lend it to someone, then they are really quick to enroll it as it’s “more secure”.




Fair enough; however, for me, I would at least be giving it a try, and running the xM1 concurrently for testing purposes. No social engineering required, just change the NUID and test.

I do this as well, but most of the time I just check if the reader is LF or HF and then just talk to someone who controls it. But I love my xM1, for when you meet some foil hat that doesn’t like implants.


Yeah, totally. Doing things officially is always the best approach.