Texecom Premier Elite LCDLP-W Alarm System (125KHz) - xEM RFID Tag

Nightwalker · December 2, 2018, 9:32pm

First up: I fully understand and appreciate that I may not be able to interact with this system, it isn’t the main reason why I was implanted, but it would be a lovely addition if possible…

I’m looking to see if I can interact with this alarm system that I own and have a (125KHz) Fob for.

The alarm: Premier Elite LCDLP-W

Data sheet: https://www.texe.com/uk/uploads/Premier_Elite_LCDLP-W_LIT-256.pdf

The Fob Front:

The Fob Back:

I have implanted with me a xEM RFID Tag [T5577 Emulator] which is 125kHz and I have determined that the alarm system above is 125kHz also.

I don’t presently have the equipment to read or write on 125kHz, but I have a PenTesting friend who does have equipment. I gave him a spare fob that came with the alarm that has not been authorised or added to the system, to do some analysis.

Now I would like to note at this point; when going through the process of adding a new fob to the system it seems to allow you to do one of two things:

Write to the fob and add to the system
Authorise and existing fob (read only)

From my PenTesting pal’s analysis he got the following from the spare fob:

ASKRAW: 0CCCCF0CCCF30CF0F330F1CF330CF31F1CCCCF0CCCF30CF0F331F0CF330CF30F

PSK1RAW: 2AAAAAAAAAA555555555555555555555552AAAAAAAAAAAAAAAAAAAAAAAAB5555

I’m new to all this, could anyone give me some pointers on how to best move forward; do I need to work on:

Decoding these data schemes?
Cracking some basic form of encryption?
Or just clone this data to my xEM (if possible)

I would be intrigued to know if anyone else out there is interacting with a alarm system like this from the same manufacturer & via a implant etc. I also appreciate that it could be the case that the alarm system may not be able to read the chip due to coupling issues.

If anyone could give me any indications as to whether they think this will be possible and any suggested next steps, it would be greatly appreciated.

I’m all set up for readers & writers for my other chip (xNT - 13.56MHz) but I don’t have any for my 125KHz - if anyone also has recommendations on what writers/clones are good to use in conjunction with a xEM chip that would be good to know, I noted that it looks like a previous cloner has been pulled from DangerousThings & Digiwell from what looks like compatibility / writing issues in rare cases, will that always be a risk with any reader or is there reader out there which is deemed reliable and safe?

Sorry for all the questions, thank you for your time and help.

amal · December 3, 2018, 6:38pm

What equipment did they use to get this data from your fob? If they used a proxmark3, it should be able to determine the tag type. If it is EM, HID ProxCardII, or Indala then the xEM should work with it… provided the antenna coupling is good enough.

I need to change the wording on this… it has nothing to do with the reader… it has to do with the inherent issues with the T5577 chip inside the xEM. There is no fixing it… it will always be a risk when writing changes to the xEM. https://forum.dangerousthings.com/t/quirks-of-the-t5577-cloning-tags-to-the-xem

Nightwalker · December 30, 2018, 8:59pm

Apologies for the delayed reply, the rest of life has been getting in the way!

At first I thought it was a proxmark3, but re-reading emails now I don’t think it was, I think they used a “RFIDler” kickstarter project, this device: https://www.kickstarter.com/projects/1708444109/rfidler-a-software-defined-rfid-reader-writer-emul

I noted on that page it lists a whole host of tags which it can read or emulate, one of them being: T55xx which would also cover the xEM (T5577) tag I have implanted, which is handy if it can read both the alarm system-fob and my implant.

Thank you for this link, I have read more and understand the issue. Knowing that now it does feel as though the xEM has somewhat of a design-flaw. Quoting a sentence from the URL mentioned above:

Any update on this? I notice that the antenna in the xEM Access Controller Kit looks similar to the one shown in your video here.

Obviously knowing now that any reader/writer could potentially have coupling issues with the xEM/T5577 I would of course be interested in optimizing my chances of success with the best writer setup.

If anyone has any advice on guidance on how I can look at using my xEM/T5577 implant in conjunction with this Texecom Premier Elite LCDLP-W Alarm System it would be greatly appreciated.

I suppose I need to focus on analyzing the alarm system fob more and determining its exact type and modulation? And obtaining the right kit for that, perhaps I should see if there are any of those RFIDler’s going second-hand. I’m open to recommendations.

Thank you for your time and help,

amal · January 4, 2019, 8:19pm

Well, it’s less an xEM design flaw and more a T5577 chip “limitation”. The T5577 chip is the only chip that can do what it does, so we had no choice in using it for the xEM… and they opted to skip building in tear protection to keep costs rock bottom… so it’s really not up to us… even though it might feel that way.

No updates yet… the idea is to release them for the rdv4 and that partnership arrangement is being worked out. The antenna is the same as I ripped one off one of my access controllers… but be warned, resonant loops work by pairing or “tuning” an inductor / capacitor network… it’s not anything like electric field RF antennas (CB or FRS radios, broadcast RF, cell phones, wifi, bluetooth, etc.) … so just swapping antennas isn’t a guarantee it will work. The problem has to do with how proxmark3 boards are made… it’s open source hardware so people choose any 'ol capacitors to do the job and plop them on the board. Chances are more than good that if you rip the antenna coil from an xEM Access Controller and attach it to your proxmark3 board, it won’t work. You will have to get familiar with tuning and maybe you can add capacitance to adjust… but if you need to reduce capacitance to get it properly tuned, then you’re screwed unless you want to start mucking with SMT components on your very expensive proxmark3 board.

That’s the best thing to do at this point… just figure out what kind of tags it uses.

Nightwalker · January 5, 2019, 12:01pm

Hi Amal,

I would like to thank you for your openness, honesty and time spent helping others, it is greatly appreciated.

Truth is I don’t have direct access to 125KHz equipment myself at the moment, I had someone else test the fob on my behalf but I don’t have access to their equipment. I don’t mind investing in some equipment but I have been holding off purchasing 125KHz readers/writers/cloners myself until I knew which equipment may be the best for me and the type of analysis I would be looking to do. I’m worried about purchasing something that isn’t useful to me.

Is there a particular type of proxmark3 that you would recommend for this type of analysis of the fob? I understand the fob is somewhat of an unknown at the moment so there’s always the chance it may not be able to read it.

In the meantime I’m going to see if I can query my friend to see if he may be able to test the fob further using his equipment.

amal · January 8, 2019, 1:04am

Would it be possible to get another fob? If so, you could mail it to me and I could do some analysis on it. If it’s 125khz then chances are good that it’s either EM41xx or Indala… but my bet is on EM41xx because the alarm company is an alarm company, not an RFID / Access Control company… so they probably went with something very cheap, easy, and generic… so my bet is that this fob is EM. You should be able to buy a simple cheap EM only blue cloner from Amazon and use that to clone the fob to your xEM. Once you receive the cloner, power it on and put it up to your fob and tap the read button. You should hear a beep or two beeps. That will mean it can read your fob, which also means it can write that data to your xEM… but before you attempt the write procedure, let me make a video that walks you through exactly how best to use the cloner to do that and minimize risk of page tearing your xEM.

Nightwalker · June 24, 2019, 6:54pm

Sorry for the late reply. Thank you for your continued help.

I actually ended up spending a bit more and getting this cloner which supposedly handles 9 or 10 different frequencies.

It claims to work with: 125KHz, 250kHz, 500KHz,
375KHz, 750kHz, 875KHz, 1000KHZ, 13.56MHz,125KHZ H–ID

It read my 125KHz implant very well, to my surprise it does not seem to recognise my 13.56MHz xNT at all. That doesn’t bother me too much because I bought the cloner primarily to work with 125KHz anyway.

Unfortunately although it interacts with my xEM [T5577 Emulator] well, it fails to recognise the alarm fob shown in my first post.

It is 125KHz I know that much. Is it worth me trying another different cheap 125KHz reader/cloner? Or will it be modulated in a way that prevents it being read by most other readers?

Emumanx · January 14, 2020, 5:45pm

Hi, I am an engineer that works on texecom products . The texecom premier LCD-p is 125khz using em410x prox tags .
The reader is very low powered in standby. It requires a larger pull on the reader than the xEM can provide to trigger the power to increase and read the tag. I found a way to increase that coupling and draw a bit more power by having the RFID Diagnostic card on the reader 1st. You will see a very faint glow on the LF led. Then present your xEM and it will read it. Hope that’s of some help. . Also if anyone thinks of a way to do this without that card (cant open or touch the keypad as there customers not mine lol ) that would be great.

amal · January 15, 2020, 7:28pm

Make a patch antenna? Basically two antennas connected together… one over the reader antenna, and one smaller antenna off to the side that couples better with your implant.

Devilclarke · April 12, 2020, 9:04pm

I know I’m kinda reviving a long dead thread but I’ve got basically the same alarm panel and fob wondering if the flexEM would be better/work I imagine the antenna in it would probably be better than the fobs so I’m hopeful.

Emumanx · April 14, 2020, 7:50am

I’d say a big yes to the flex EM. With the larger antenna I think you would have no trouble using it. Even on a wireless keypad with lower power rfid.
Remember once you add this tag to the system it changed the bits , so you would need a pm3 to use it for anything else…
Good luck

Devilclarke · April 14, 2020, 11:38am

Cool I though as much! One final question I was going to just clone an existing tag to the implant rather than enrolling this one there’s no reason this won’t work is there?

Emumanx · April 14, 2020, 5:23pm

OK here is the thing… to copy an existing tag you WILL need a proxmark v4 . And you will need to do a raw read and write as its not one of the formats they support. I’d simply enrol the flexEM