Reprogramming master fob on xAC

Continuing the discussion from Implant ID Change:

Turns out it is possible as was briefly theorised and rumoured once on the internet to reprogram the master fobs for the xAC…

How do I know? Because I did it! My hand is now the master for my garage, it doesn’t operate the lock, but I did successfully use it to enrol a key fob.

How do you do this? I don’t know… help! I did it accidentally while I was redoing the power supply. I had a bad connection that I was troubleshooting so it got and lost power a few times.

Anyone have ideas of things to try to get this back to normal? I suspect there’s a factory programming mode that is entered by applying and removing power a certain number of times then tapping a new master; this seems to be what a lot of car immobilisers and alarms do (turning the key on and off) to enter programming mode. Judging by this thing’s automotive roots and the fact that I now can 100% confirm it’s possible, now I just need to determine how!

Any suggestions, ideas and assistance would be appreciated!

SUMMONING THE A TEAM:
@amal, @Pilgrimsmaster, @ODaily and @Devilclarke - you guys seem like the people most likely to be in the know, any thoughts?

All the devices I’ve seen that have some kind of master code or key that you can’t change later work by accepting the first code or key they see as master when they first power up and they don’t have one already programmed in. I’m guessing your power cuts or brownouts messed up the flash memory and it returned to (or interpreted it as) unprogrammed, thereby accepting your implant as the new master key.

It could be one of 2 things really:

Power cycling a certain number of times puts it in some hidden programming mode

Or

Multiple power cycles, brownouts and improper use (power supply flickering) has caused the EEPROM where the master is stored to become corrupt and the xAC treats this as the first power on and registers the first tag it sees as the master.

Hmm, either way doesn’t seem to make a difference as long as it’s repeatable.

I was betting on hidden function since it’s common in automotive for when the car owner inevitably loses the master fob and takes it back to the shop. Most aftermarket alarms use the ignition key as the switch to enter learning mode, so working on the theory that this is a modified touch-key immobiliser unit it made sense.

If not, maybe I can still replicate it, just might not be reliable or predictable to do so.

I’ve got a bench supply and one I haven’t got around to installing on the shed. I’ll have a play!


Okay, I’m leaning back onto team corrupt-eeprom.

It erased all fobs when it changed master, which I hadn’t noticed in all the confusion.

No luck so far with my bench tests of applying and removing power. I even tried to kill power during a tag-clear function to see if I could catch it doing a write, but nothing seems reliable.

Any ideas on how I can reset the EEPROM?

EEPROM programmer… short of that I don’t know of a reliable way. But it does still have me interested because if that works (dump EEPROM first) there’s no reason we couldn’t custom people’s master fobs. Why we would want to I don’t know but :stuck_out_tongue: unless you had lost the tag…

Strange one, I will set up a bench one and try to replicate / guess / stumble on a similar scenario.
In the meantime:

Have you read your xEM with Proxmark?
Do you have original data to compare it to?
Can you read the “master disc” with PM3?
Can you write xEM “master” data to the master disc? to Re-enroll master disc?
Also
Do you have a spare xAC to compare master disc to xEM?

Just clutching at straws here…
Wondering if it wrote to xEM as well as enrolling it as master.

The data on my implant is unchanged, works correctly on all my other readers.

I’ll grab out the Proxmark tomorrow, but I believe the black fobs are just EM4100, non-programmable, and get learnt as master.

Yeah, my thoughts also, totally a stab in the dark on my part… but worth a try :interrobang:

Will definitely investigate! Like I said, xEM data checks out on other readers.

But I do have plenty of spare programming fobs from my 9 other xACs and an xAC set up to bench test. Will Proxmark once I have some daylight and see what I find.


I’m going to try and hunt down the original product webpage. It had a bit of info on there but not sure about master reprogramming. Still, worth a look.


I already did that. The German guy who owned the original company didn’t leave anything behind, sadly. But if you uncover something, I’d be interested.

@Devilclarke previously found the FCC filing, but all of the linked application documents don’t seem to exist there either :slightly_frowning_face:


Oh cheers,
I hadn’t been there for about 8-9 months. I will let you know if I actually find something.


Yep, all normal, no changes from original data.

As suspected, EM4100, nothing special, not writeable.

Nope, not writeable. Plan B is to write my xEM code to a T5577 fob as new ‘master’ and give my hand a new ID (would rather not do this though, it’s a lot of work to reset all the other readers I have and re-enrol).

Only similarity being that it’s an EM4100 ID, nothing else of note on the tags. Definitely a case of the xAC ‘learning’ a new master.

The ‘learn master at first boot’ is looking like the winning idea. Now to see if I can clear it or otherwise trick it into thinking it’s first boot.


Close but no cigar
http://www.strueres.dk/kk/HTX/Datablade/RFID/RFID%20tilslutning.doc

Might need to open it up to access the board

Is that meant to go to a document? I found that link too, but I just get redirected to a homepage and didn’t see anything relevant.

Saw this earlier, but wasn’t in a place I could reply. Got some serious mulling done as a result. There’s a lot of possibilities here, and I’m gonna divide them into two camps.

Camp Funky Variables.
I can think of a bunch of scenarios that fit this. For instance there could be some kind of floating input on the unused pins that triggered a master key event. The EEPROM being corrupted is another. All of these scenarios share the common theme of an unlikely pseudo-random happenstance that caused a triggering event.

Camp Secret Knock
In this camp I put all the scenarios that are based around an unknown combination activating an enrolling process. Could be an on-off cycle blink code, could be something else. The point is there is a repeatable process that got stumbled upon.

At this point we need to totally renounce Camp Funky Variables and all its inhabitants. Why? Cause they’re non-repeatable within any reasonable time frame. It would take the proverbial million monkeys pounding away for a million years. It’s not that Camp Funky Variables is invalid, it’s just pointless to waste effort on. That lets us concentrate all our effort on what we can solve for, the answers in Camp Secret Knock.

We have some Secret Knock clues.

Clue One.
The power was intermittent, and / or being cycled.

Clue Two.
Compgeek was presenting his implant during this process.

Clue Three.
Comes from human nature. People tend to repeat what works for them. For example, were Amal to introduce a new implant, better than average odds that its name would start with x. If Pilgrimsmaster builds something, it’ll be measured in mm, and the components will be spaced accordingly. So if you try to guess the distance to the next piece, take an educated guess in a nice round metric number. If I designed it, that would be in decimal inches.

We don’t have any other products from the designer of the xAC, but he did leave us two processes that we can examine. To enrol a new tag, hold the master for 5 seconds, and then present the new tag. To erase all tags, hold the master for 10 seconds. Clearly he uses tag presentation and timing in design work. It’s VERY reasonable to assume any secret knock would as well.

Unfortunately it’s gonna take guess work to figure it out.

Using the clues we have, I’d start by hazarding a guess that the secret knock involves presenting a tag to the reader at power up, and holding it there for a set period of time. 5 seconds perhaps.

Compgeek may be able to narrow the field down if he can be more specific as to what was / was not going on during the time that the master key got re-written / swapped.

Questions:
1 Was the power cycled while your tag was presented?
2 Was the original Master key in play in any way?
3 Was your implant held on the reader for a period of time? If so, how long?
4 Did you at anytime experience a short circuit?
5 Don’t let all the questions fluster you, but details are gonna be super helpful. Watchya got?

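An added model, not code from the thread or from the xAC itself, of the two behaviours discussed above: the "blank master slot learns the first tag it sees" idea raised earlier in the thread, and the 5 s / 10 s master-hold enrol and erase-all sequence described in the last post. The EEPROM layout, magic byte, CRC check, the `brownout_during_write` fault and every tag ID are constructed; the `hardened` flag shows how a controller could detect a damaged master slot and refuse to relearn instead of silently accepting the next tag.

```python
import zlib
BLANK, MAGIC = bytes([0xFF] * 5), 0xA5   # erased slot reads all ones; constructed marker byte

class Controller:
    def __init__(self, hardened=False):
        # Constructed EEPROM layout: [0:5] master ID, [5] magic, [6:10] CRC32 of master
        self.eeprom = bytearray(b"\xff" * 10)
        self.hardened = hardened
        self.tags = set()           # enrolled (non-master) 5-byte EM4100 IDs
        # learn_master: first-boot state; enrol_armed: master held 5 s; locked_out: hardened fault
        self.learn_master = self.enrol_armed = self.locked_out = False

    def master_slot_ok(self):
        m = bytes(self.eeprom[:5])
        if not self.hardened:
            return m != BLANK       # plain unit: any non-erased bytes count as a master
        crc = zlib.crc32(m).to_bytes(4, "big")
        return self.eeprom[5] == MAGIC and bytes(self.eeprom[6:10]) == crc

    def power_on(self):
        if self.master_slot_ok():
            return "master_ok"
        if self.hardened and bytes(self.eeprom) != b"\xff" * 10:
            self.locked_out = True  # written before but fails the check: refuse to relearn
            return "locked_out"
        self.learn_master = True    # genuine first boot: learn the next tag as master
        return "learn_master"

    def brownout_during_write(self):
        self.eeprom[:5] = BLANK     # constructed fault: power lost after erase, before rewrite

    def present(self, uid, hold_s=0.5):
        if self.locked_out:
            return "denied"
        if self.learn_master:       # uid must be the 5-byte EM4100 ID
            self.eeprom[:5], self.eeprom[5] = uid, MAGIC
            self.eeprom[6:10] = zlib.crc32(uid).to_bytes(4, "big")
            self.learn_master, self.tags = False, set()  # thread: all fobs erased too
            return "master_learned"
        if uid == bytes(self.eeprom[:5]):               # master itself never opens the door
            if hold_s >= 10:
                self.tags.clear()
                return "erased_all"
            self.enrol_armed = hold_s >= 5
            return "enrol_armed" if self.enrol_armed else "master_seen"
        if self.enrol_armed:
            self.enrol_armed = False
            self.tags.add(uid)
            return "enrolled"
        return "granted" if uid in self.tags else "denied"
```

With the plain model, erasing the master bytes and powering on drops the unit back into the learn-master state, which is the corrupt-EEPROM theory from the thread; the hardened model lands in `locked_out` instead.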

Random thought. Any chance something like the Wayback Machine could retrieve any of this? Not something I have any in depth knowledge of. It just seems like a possibility. Maybe. If. Sorta. Kinda.


I had a good dig (1 hr+), didn’t find anything :frowning:
