Texecom Premier Elite LCDLP-W Alarm System (125KHz) - xEM RFID Tag


#1

First up: I fully understand and appreciate that I may not be able to interact with this system, it isn’t the main reason why I was implanted, but it would be a lovely addition if possible…

I’m looking to see if I can interact with this alarm system that I own and have a (125KHz) Fob for.

The alarm: Premier Elite LCDLP-W

Data sheet: https://www.texe.com/uk/uploads/Premier_Elite_LCDLP-W_LIT-256.pdf

The Fob Front:

The Fob Back:

I have implanted with me a xEM RFID Tag [T5577 Emulator] which is 125kHz and I have determined that the alarm system above is 125kHz also.

I don’t presently have the equipment to read or write on 125kHz, but I have a PenTesting friend who does have equipment. I gave him a spare fob that came with the alarm that has not been authorised or added to the system, to do some analysis.

Now I would like to note at this point; when going through the process of adding a new fob to the system it seems to allow you to do one of two things:

  1. Write to the fob and add to the system
  2. Authorise an existing fob (read only)

From my PenTesting pal’s analysis he got the following from the spare fob:

ASKRAW: 0CCCCF0CCCF30CF0F330F1CF330CF31F1CCCCF0CCCF30CF0F331F0CF330CF30F

PSK1RAW: 2AAAAAAAAAA555555555555555555555552AAAAAAAAAAAAAAAAAAAAAAAAB5555

I’m new to all this, could anyone give me some pointers on how to best move forward; do I need to work on:

  • Decoding these data schemes?
  • Cracking some basic form of encryption?
  • Or just clone this data to my xEM (if possible)

I would be intrigued to know if anyone else out there is interacting with an alarm system like this from the same manufacturer & via an implant etc. I also appreciate that it could be the case that the alarm system may not be able to read the chip due to coupling issues.

If anyone could give me any indications as to whether they think this will be possible and any suggested next steps, it would be greatly appreciated.

I’m all set up for readers & writers for my other chip (xNT - 13.56MHz) but I don’t have any for my 125KHz - if anyone also has recommendations on what writers/clones are good to use in conjunction with a xEM chip that would be good to know, I noted that it looks like a previous cloner has been pulled from DangerousThings & Digiwell from what looks like compatibility / writing issues in rare cases, will that always be a risk with any reader or is there a reader out there which is deemed reliable and safe?

Sorry for all the questions, thank you for your time and help.


#2

What equipment did they use to get this data from your fob? If they used a proxmark3, it should be able to determine the tag type. If it is EM, HID ProxCardII, or Indala then the xEM should work with it… provided the antenna coupling is good enough.

I need to change the wording on this… it has nothing to do with the reader… it has to do with the inherent issues with the T5577 chip inside the xEM. There is no fixing it… it will always be a risk when writing changes to the xEM. https://forum.dangerousthings.com/t/quirks-of-the-t5577-cloning-tags-to-the-xem


#3

Apologies for the delayed reply, the rest of life has been getting in the way!

At first I thought it was a proxmark3, but re-reading emails now I don’t think it was, I think they used a “RFIDler” kickstarter project, this device: https://www.kickstarter.com/projects/1708444109/rfidler-a-software-defined-rfid-reader-writer-emul

I noted on that page it lists a whole host of tags which it can read or emulate, one of them being: T55xx which would also cover the xEM (T5577) tag I have implanted, which is handy if it can read both the alarm system-fob and my implant.

Thank you for this link, I have read more and understand the issue. Knowing that now it does feel as though the xEM has somewhat of a design-flaw. Quoting a sentence from the URL mentioned above:

Any update on this? I notice that the antenna in the xEM Access Controller Kit looks similar to the one shown in your video here.

Obviously knowing now that any reader/writer could potentially have coupling issues with the xEM/T5577 I would of course be interested in optimizing my chances of success with the best writer setup.

If anyone has any advice or guidance on how I can look at using my xEM/T5577 implant in conjunction with this Texecom Premier Elite LCDLP-W Alarm System it would be greatly appreciated.

I suppose I need to focus on analyzing the alarm system fob more and determining its exact type and modulation? And obtaining the right kit for that, perhaps I should see if there are any of those RFIDlers going second-hand. I’m open to recommendations.

Thank you for your time and help,


#4

Well, it’s less an xEM design flaw and more a T5577 chip “limitation”. The T5577 chip is the only chip that can do what it does, so we had no choice in using it for the xEM… and they opted to skip building in tear protection to keep costs rock bottom… so it’s really not up to us… even though it might feel that way.

No updates yet… the idea is to release them for the rdv4 and that partnership arrangement is being worked out. The antenna is the same as I ripped one off one of my access controllers… but be warned, resonant loops work by pairing or “tuning” an inductor / capacitor network… it’s not anything like electric field RF antennas (CB or FRS radios, broadcast RF, cell phones, wifi, bluetooth, etc.) … so just swapping antennas isn’t a guarantee it will work. The problem has to do with how proxmark3 boards are made… it’s open source hardware so people choose any ol’ capacitors to do the job and plop them on the board. Chances are more than good that if you rip the antenna coil from an xEM Access Controller and attach it to your proxmark3 board, it won’t work. You will have to get familiar with tuning and maybe you can add capacitance to adjust… but if you need to reduce capacitance to get it properly tuned, then you’re screwed unless you want to start mucking with SMT components on your very expensive proxmark3 board.

That’s the best thing to do at this point… just figure out what kind of tags it uses.


#5

Hi Amal,

I would like to thank you for your openness, honesty and time spent helping others, it is greatly appreciated.

Truth is I don’t have direct access to 125KHz equipment myself at the moment, I had someone else test the fob on my behalf but I don’t have access to their equipment. I don’t mind investing in some equipment but I have been holding off purchasing 125KHz readers/writers/cloners myself until I knew which equipment may be the best for me and the type of analysis I would be looking to do. I’m worried about purchasing something that isn’t useful to me.

Is there a particular type of proxmark3 that you would recommend for this type of analysis of the fob? I understand the fob is somewhat of an unknown at the moment so there’s always the chance it may not be able to read it.

In the meantime I’m going to see if I can query my friend to see if he may be able to test the fob further using his equipment.


#6

Would it be possible to get another fob? If so, you could mail it to me and I could do some analysis on it. If it’s 125kHz then chances are good that it’s either EM41xx or Indala… but my bet is on EM41xx because the alarm company is an alarm company, not an RFID / Access Control company… so they probably went with something very cheap, easy, and generic… so my bet is that this fob is EM. You should be able to buy a simple cheap EM only blue cloner from Amazon and use that to clone the fob to your xEM. Once you receive the cloner, power it on and put it up to your fob and tap the read button. You should hear a beep or two beeps. That will mean it can read your fob, which also means it can write that data to your xEM… but before you attempt the write procedure, let me make a video that walks you through exactly how best to use the cloner to do that and minimize risk of page tearing your xEM.
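
Added example, not part of any post in this thread: one way to test the "is it EM41xx?" guess once a capture has been demodulated to plain bits is to look for the standard 64-bit EM4100 layout (nine 1 bits, ten 4-bit rows each with an even parity bit, four column parity bits, a 0 stop bit). The function names and the sample ID are made up for illustration, and the code assumes Manchester decoding has already been done.

```python
HEADER = "1" * 9  # an EM4100 frame opens with nine 1 bits

def em4100_encode(tag_hex):
    """Build the 64-bit frame for a 10-hex-digit ID (only used to make sample data)."""
    nibbles = [format(int(c, 16), "04b") for c in tag_hex]
    rows = "".join(n + str(n.count("1") % 2) for n in nibbles)  # even row parity
    cols = "".join(str(sum(int(n[i]) for n in nibbles) % 2) for i in range(4))
    return HEADER + rows + cols + "0"  # four column parity bits, then stop bit 0

def em4100_decode(frame):
    """Return the 10-hex-digit ID, or None if these 64 bits are not a valid frame."""
    if len(frame) != 64 or not frame.startswith(HEADER) or frame[-1] != "0":
        return None
    rows = [frame[i:i + 5] for i in range(9, 59, 5)]
    if any(r.count("1") % 2 for r in rows):  # each 5-bit row must have even weight
        return None
    for i in range(4):  # each data column plus its parity bit must have even weight
        if (sum(int(r[i]) for r in rows) + int(frame[59 + i])) % 2:
            return None
    return "".join(format(int(r[:4], 2), "X") for r in rows)

def find_em4100(bits):
    """A tag repeats its frame endlessly and a capture starts at an arbitrary bit,
    so slide a 64-bit window along the capture until one position validates."""
    for off in range(max(0, len(bits) - 63)):
        tag = em4100_decode(bits[off:off + 64])
        if tag is not None:
            return off, tag
    return None

# Constructed sample: a made-up ID, repeated, with the capture starting mid-frame.
CONSTRUCTED_ID = "0A1B2C3D4E"
CAPTURE = (em4100_encode(CONSTRUCTED_ID) * 3)[17:17 + 128]

if __name__ == "__main__":
    print(find_em4100(CAPTURE))
```

A capture that never validates at any offset is either not EM4100, was demodulated with the wrong settings, or is too noisy to parse.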