Trouble configuring new xEM implant

I’m having some trouble configuring a new xEM implant. I’m using the ProxMark3 RDV2.

I can reliably detect and read the tag; it shows up as an EM410x when using the generic lf search command.

EM410x pattern found:

EM TAG ID : 2015060657

Possible de-scramble patterns
Unique TAG ID  : 04A86060EA
HoneyWell IdentKey {
    DEZ 8          : 00394839
    DEZ 10         : 0352716375
    DEZ 5.5        : 05382.01623
    DEZ 3.5A       : 032.01623
    DEZ 3.5B       : 021.01623
    DEZ 3.5C       : 006.01623
    DEZ 14/IK2     : 00137791669847
    DEZ 15/IK3     : 000020004757738
    DEZ 20/ZK      : 00041008060006001410
}
Other          : 01623_006_00394839
Pattern Paxton : 538592343 [0x201A4457]
Pattern 1      : 590780 [0x903BC]
Pattern Sebury : 1623 6 394839  [0x657 0x6 0x60657]

Valid EM410x ID Found!

I can detect the t5577 chip with the lf t55xx detect command and it gives me the following output:

Chip Type  : T55x7
Modulation : BIPHASEa - (CDP)
Bit Rate   : 5 - RF/64
Inverted   : Yes
Offset     : 57
Seq. Term. : No
Block0     : 0x201780BE

From my reading online, it seems like that may be an invalid block 0. I’ve tried to clone an HID card onto the tag, but no writes seem to take. The values always stay the same.

Thanks for any help!

Have you attempted to write to the xEM with any other device? A handheld cloner perhaps?

Nope, I’d read your thread about the trouble with those before attempting anything.

Can you walk me through the proxmark3 commands used to attempt an HID clone to the xEM?

This looks very similar to the output I am receiving from my xEM. Did the OP figure this out?

Any follow-up to this thread? I need this info.

Still waiting for this… @justSomeGuy posted all the detection output, but not the actual write attempts.

One thing to keep in mind is that writing data to any tag requires more power than reading the tag, and thus successfully writing data to the T5577 requires a better coupling than reading it does… so maybe you have a good enough coupling to read your tag but not a good enough one to write. It’s unlikely, but possible.


Hi -

I also am trying to program the xEM with a Proxmark 3 RDV2. I spent a good amount of time going through the forums and didn’t see anyone do it successfully? I’m trying to clone a HID tag to it.

==================================================

pm3 --> hw tune

[=] Measuring antenna characteristics, please wait…

[+] LF antenna: 43.62 V - 125.00 kHz
[+] LF antenna: 19.26 V - 134.00 kHz
[+] LF optimal: 47.30 V - 122.45 kHz
[+] LF antenna is OK

[+] HF antenna: 35.75 V - 13.56 MHz
[+] HF antenna is OK

[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

=====================================================

pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…

[+] EM410x pattern found

EM TAG ID : 2018070414

Possible de-scramble patterns
Unique TAG ID : 0418E02028
HoneyWell IdentKey {
DEZ 8 : 00459796
DEZ 10 : 0403112980
DEZ 5.5 : 06151.01044
DEZ 3.5A : 032.01044
DEZ 3.5B : 024.01044
DEZ 3.5C : 007.01044
DEZ 14/IK2 : 00137842066452
DEZ 15/IK3 : 000017597210664
DEZ 20/ZK : 00040108140002000208
}
Other : 01044_007_00459796
Pattern Paxton : 538657300 [0x201B4214]
Pattern 1 : 720924 [0xB001C]
Pattern Sebury : 1044 7 459796 [0x414 0x7 0x70414]

[+] Valid EM410x ID found!

=============================================

pm3 --> lf t55xx config
Chip Type : T55x7
Modulation : ASK
Bit Rate : 0 - RF/8
Inverted : No
Offset : 0
Seq. Term. : No
Block0 : 0x00000000

========================================

When modifying the T55xx config, I get the following -

pm3 --> lf t55xx config
Chip Type : T55x7
Modulation : BIPHASEa - (CDP)
Bit Rate : 5 - RF/64
Inverted : Yes
Offset : 59
Seq. Term. : No
Block0 : 0x00000000

pm3 --> lf t55xx dump
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 41B2E9E0 | 01000001101100101110100111100000 | A…
01 | 8365D3C0 | 10000011011001011101001111000000 | .e…
02 | 8365D3C0 | 10000011011001011101001111000000 | .e…
03 | 8365D3C0 | 10000011011001011101001111000000 | .e…
04 | 8365D3C0 | 10000011011001011101001111000000 | .e…
05 | 8365D3C0 | 10000011011001011101001111000000 | .e…
06 | 8365D3C0 | 10000011011001011101001111000000 | .e…
07 | 06CBA780 | 00000110110010111010011110000000 | …
Reading Page 1:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | 8365D3C0 | 10000011011001011101001111000000 | .e…
01 | 8365D3C0 | 10000011011001011101001111000000 | .e…
02 | 8365D3C0 | 10000011011001011101001111000000 | .e…
03 | 06CBA780 | 00000110110010111010011110000000 | …

====================================================

When I try to write the HID UID to it… no luck…

pm3 --> lf hid clone 2020202020
[=] Preparing to clone HID tag with ID 2020202020

pm3 --> lf hid read

=========================================

I’m sure I’m doing something incorrectly… just can’t find out what.

Found this thread by @TomHarkness. Linking for future reference.

Not sure if it will work, will update after I’m able to try it…

=======================================

This is the output I received. Suggested commands did partially work. It appears the failure is due to a poor coupling of my chip with my LF antenna. Working on a solution. The link above provides the best info I can find on this forum for writing to the xEM with a proxmark3 with specific focus on the RDV2 version.

pm3 --> lf t55xx detect
Chip Type : T55x7
Modulation : BIPHASEa - (CDP)
Bit Rate : 5 - RF/64
Inverted : Yes
Offset : 58
Seq. Term. : No
Block0 : 0xE0178093

pm3 --> lf t55xx dump
Reading Page 0:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | E0178093 | 11100000000101111000000010010011 | …
01 | E0178093 | 11100000000101111000000010010011 | …
02 | E0178093 | 11100000000101111000000010010011 | …
03 | C02F0126 | 11000000001011110000000100100110 | ./.&
04 | E0178093 | 11100000000101111000000010010011 | …
05 | C02F0126 | 11000000001011110000000100100110 | ./.&
06 | C02F0126 | 11000000001011110000000100100110 | ./.&
07 | C02F0126 | 11000000001011110000000100100110 | ./.&
Reading Page 1:
blk | hex data | binary | ascii
----+----------+----------------------------------+-------
00 | E0178093 | 11100000000101111000000010010011 | …
01 | C02F0126 | 11000000001011110000000100100110 | ./.&
02 | C02F0126 | 11000000001011110000000100100110 | ./.&
03 | C02F0126 | 11000000001011110000000100100110 | ./.&
pm3 --> lf t55xx wipe

[=] Beginning Wipe of a T55xx tag (assuming the tag is not password protected)

[=] Writing page 0 block: 00 data: 0x000880E0 pwd: 0x00000000
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
pm3 --> lf conf b 2 L
#db# LF Sampling config
#db# [q] divisor…95 (125 kHz)
#db# [b] bps…2
#db# [d] decimation…1
#db# [a] averaging…Yes
#db# [t] trigger threshold…0
pm3 --> lf hid clone 2004840534
[=] Preparing to clone HID tag with ID 2004840534
pm3 --> lf hid clone 2004840534
[=] Preparing to clone HID tag with ID 2004840534
pm3 --> hw reset
[=] Proxmark3 has been reset.
[=] Running in OFFLINE mode. Use "hw connect" to reconnect

[offline] pm3 --> exit
root@test-system:/opt/proxmark3/client# ./proxmark3 /dev/ttyACM0

[Proxmark3 client banner: iceman fork, dedicated to RDV40, pre-release v4.0, iceman@icesql.net, https://github.com/rfidresearchgroup/proxmark3/]

Support iceman on patreon, https://www.patreon.com/iceman1001/

[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman

[ PROXMARK RDV4 ]
external flash: absent
smartcard reader: absent

[ PROXMARK RDV4 Extras ]
FPC USART for BT add-on support: absent

[ ARM ]
bootrom: RRG/Iceman/master/d4c3d077 2019-05-15 15:03:25
os: RRG/Iceman/master/d4c3d077 2019-05-15 15:03:39

[ FPGA ]
LF image built for 2s30vq100 on 2019/ 4/18 at 9:35:32
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23

[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 248458 bytes (47%) Free: 275830 bytes (53%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory

pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…

[+] EM410x pattern found

EM TAG ID : 2018070414

Possible de-scramble patterns
Unique TAG ID : 0418E02028
HoneyWell IdentKey {
DEZ 8 : 00459796
DEZ 10 : 0403112980
DEZ 5.5 : 06151.01044
DEZ 3.5A : 032.01044
DEZ 3.5B : 024.01044
DEZ 3.5C : 007.01044
DEZ 14/IK2 : 00137842066452
DEZ 15/IK3 : 000017597210664
DEZ 20/ZK : 00040108140002000208
}
Other : 01044_007_00459796
Pattern Paxton : 538657300 [0x201B4214]
Pattern 1 : 720924 [0xB001C]
Pattern Sebury : 1044 7 459796 [0x414 0x7 0x70414]

[+] Valid EM410x ID found!
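Since both the first post and the dumps above turn on whether block 0 is valid, here is an added example (my own code, not from the thread or from the proxmark3 project) that decodes the T5577 page 0 block 0 words quoted in this thread into the fields that lf t55xx detect prints, and encodes one for comparison. It assumes the basic-mode bit layout from the T5577 datasheet, and that proxmark3's lf hid clone writes 0x00107060 (RF/50, FSK2a, 3 data blocks), which is my recollection of the client source and not something the thread states.

```python
# Added example (mine, not the thread's or proxmark3's code): decode a T5577
# page 0 block 0 configuration word into the fields `lf t55xx detect` reports.
# Assumes the basic-mode bit layout of the T5577 datasheet (bit 1 = MSB);
# extended mode (bit 15) widens the bit-rate field and is only flagged here.

BITRATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
            4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "Direct/ASK", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
               5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "Manchester",
               16: "Biphase", 24: "Biphase a (CDP)"}

def field(word, first_bit, width):
    """Extract `width` bits starting at datasheet bit `first_bit` (1 = MSB)."""
    shift = 32 - (first_bit + width - 1)
    return (word >> shift) & ((1 << width) - 1)

def decode_block0(word):
    """Return the block 0 fields as a dict (basic-mode layout)."""
    return {
        "master_key": field(word, 1, 4),       # 6 is the normal value
        "bitrate": BITRATES[field(word, 12, 3)],
        "xmode": bool(field(word, 15, 1)),
        "modulation": MODULATIONS.get(field(word, 16, 5), "reserved"),
        "psk_cf": field(word, 21, 2),
        "aor": bool(field(word, 23, 1)),
        "otp": bool(field(word, 24, 1)),
        "max_block": field(word, 25, 3),
        "password": bool(field(word, 28, 1)),  # set: writes need the password
        "seq_terminator": bool(field(word, 29, 1)),
        "fast_write": bool(field(word, 30, 1)),
        "inverted": bool(field(word, 31, 1)),
        "por_delay": bool(field(word, 32, 1)),
    }

def encode_block0(bitrate, modulation, max_block, master_key=0, **flags):
    """Build a basic-mode block 0 word; flags: password, seq_terminator,
    fast_write, inverted, por_delay."""
    word = (master_key << 28) | (bitrate << 18) | (modulation << 12) | (max_block << 5)
    for name, bit in (("password", 28), ("seq_terminator", 29),
                      ("fast_write", 30), ("inverted", 31), ("por_delay", 32)):
        if flags.get(name):
            word |= 1 << (32 - bit)
    return word

if __name__ == "__main__":
    # Block 0 words quoted in this thread: both detect results and the wipe default.
    for word in (0x201780BE, 0xE0178093, 0x000880E0):
        print("0x%08X -> %s" % (word, decode_block0(word)))
    # Assumed (not on the page): the word proxmark3's lf hid clone writes.
    print("HID config -> 0x%08X" % encode_block0(bitrate=4, modulation=7, max_block=3))
```

Decoding 0xE0178093 gives a master key of 14 and the password bit set; if that read is genuine rather than noise, unpassworded writes would be silently ignored, which is worth ruling out before blaming antenna coupling.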

All -

For the sake of others with the same problem, I was finally able to resolve the issue and write to the xEM chip. Here is what worked for me -

I am using a Proxmark3 RDV2 as shown above and was only able to read the chip with the included antenna. After searching through these forums in addition to the proxmark forums, it seemed like the only solution was a different LF antenna.

I found one that is essentially the same as the one sold in the xEM Access Controller kit.

I removed the antenna, spliced and soldered it into an MMCX antenna cable… And IT WORKED. After checking the new antenna with “hw tune” and “hw status”, I was able to both read and write to the xEM T5577 chip!

Just so everyone is aware… this is not typically a cut & splice antenna replacement job. The proxmark3 is open source and as such there are now so many different versions out there, and some versions are made by Chinese vendors who don’t use the best components (like tuning caps that have huge tolerances), and so there is a 99% chance that simply splicing in a different LF antenna will NOT work, and only a 1% chance it will work… so @black_sam, you won the lottery.
