xAC alternatives / let’s build a more secure alternative?

Sorry I came home last night and went to sleep lol

I have good news :grin:

@amal
The blue board version seems immune to the vulnerability

I have 2 other boards to test,
One of which is nfc… so I don’t think it will even be possible to test? But yay non insecure options

I have noticed, as a quirk… the wiring harness is close but not the same… so you can’t technically just unplug and swap the board in like I hoped, you’ll need to wire in the new harness since the relay wires are transposed

Good news blue board, that appears 99% the same, but uses a daughterboard for nfc seems to read x series just fine, it lights up and triggers my Xsiid
(Amal, I’d be willing to send this one to you to play with to see if you might want to sell it or whatever, I have no active plans for it yet… and shipping from China is terrible)

Bad news, the double antenna board fails, and will open with the vulnerability

3 Likes

So this is a winner??

https://a.aliexpress.com/_m03qeCw

Thanks so much! For ordering and testing them.
I’d definitely chip in on your costs. I couldn’t do anything to help.

I’ll get a few ordered.

Much appreciated :partying_face:

Yep
That’s the one that works for me,
The nfc version of that listing also appears to work with x series implants

1 Like

Yeah it does.

I actually have both also but didn’t want to step on your toes with your testing.

By the way, I’m pretty sure the HF one only uses 3 bytes of the UID

No toes to step on… I just wanted to find a fix to a problem I pointed out… felt kinda bad

You shouldn’t, it was a good find

3 Likes

I’d love to test it. Every NFC board I tested before actually only checks like one, two, or at best 3 bytes of the ID… terrible.

1 Like

THANK YOU!!

This is hugely helpful and appreciated!

You’re right!

1 Like

Can you also test byte variations? Basically to ensure it uses all 5 bytes of a typical EM tag ID, add one to memory and then change one byte at a time to see if it uses all 5 bytes or just like 3.

Should be able to with the flipper

Not at home right now, but gimme till midnight and I can

edit
Just to confirm @amal what you want me to do is

Enroll : “12:34:56:78:90”

Test
“F2:34:56:78:90”
“1F:34:56:78:90”
“12:F4:56:78:90”
“12:3F:56:78:90”
“12:34:F6:78:90”
“12:34:5F:78:90”
“12:34:56:F8:90”
“12:34:56:7F:90”
“12:34:56:78:F0”
“12:34:56:78:9F”


What really happened :

done,
and crap :-/

Enroll : “12:34:56:78:90”

Test
“F2:34:56:78:90” - accepted
“1F:34:56:78:90” - accepted
“12:F4:56:78:90” - accepted
“12:3F:56:78:90” - accepted
“12:34:F6:78:90” - rejected
“12:34:5F:78:90” - rejected
“12:34:56:F8:90” - rejected
“12:34:56:7F:90” - rejected
“12:34:56:78:F0” - rejected
“12:34:56:78:9F” - rejected

so like @Pilgrimsmaster said for the HF version, it appears to only read the last 3 bytes of the UID
I guess this should be expected since Pilgrim said his HF board only took 3 bytes, and it’s almost identical to the LF board

looks like the v2 does the same thing, so at least it’s better than the v2

:pensive::man_shrugging:

2 Likes

Yeah basically but easier like;

Test
“AA:34:56:78:90”
“12:AA:56:78:90”
“12:34:AA:78:90”
“12:34:56:AA:90”
“12:34:56:78:AA”

If you wanted to get specific about how many bits vs bytes you could explore the byte boundary if it’s found to be less than 5 bytes, but just proving it’s less than 40bits is all I’m after at this point.

1 Like
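The byte-variation test proposed above and the accept/reject results posted for it, worked through as an added example (not code from any poster in this thread). It builds the one-byte-at-a-time test list and infers which ID bytes the reader compares; the function names are hypothetical, and it assumes the reader matches whole bytes.

```python
ENROLLED = "12:34:56:78:90"

# Accept/reject results exactly as reported in the thread (True = accepted).
OBSERVED = {
    "F2:34:56:78:90": True,  "1F:34:56:78:90": True,
    "12:F4:56:78:90": True,  "12:3F:56:78:90": True,
    "12:34:F6:78:90": False, "12:34:5F:78:90": False,
    "12:34:56:F8:90": False, "12:34:56:7F:90": False,
    "12:34:56:78:F0": False, "12:34:56:78:9F": False,
}

def parse(uid):
    return bytes.fromhex(uid.replace(":", ""))

def fmt(raw):
    return ":".join(f"{b:02X}" for b in raw)

def byte_variants(enrolled, filler=0xAA):
    """One test ID per byte position, with that byte replaced by `filler`."""
    base = parse(enrolled)
    variants = []
    for i in range(len(base)):
        mutated = bytearray(base)
        # If the byte already equals the filler, flip it so the ID still differs.
        mutated[i] = filler if base[i] != filler else filler ^ 0xFF
        variants.append(fmt(mutated))
    return variants

def compared_bytes(enrolled, results):
    """Per byte: True = compared, False = ignored, None = not isolated by any test."""
    base = parse(enrolled)
    status = [None] * len(base)
    for uid, accepted in results.items():
        diff = [i for i, (a, b) in enumerate(zip(base, parse(uid))) if a != b]
        if len(diff) != 1:
            continue  # only a single-byte change isolates one position
        i = diff[0]
        if not accepted:
            status[i] = True       # one rejection proves the byte is checked
        elif status[i] is None:
            status[i] = False      # accepted, and no rejection seen so far
    return status

def effective_bits(status):
    """Byte-granularity estimate of how many ID bits the reader actually matches."""
    return 8 * sum(1 for s in status if s)

if __name__ == "__main__":
    status = compared_bytes(ENROLLED, OBSERVED)
    print(byte_variants(ENROLLED))
    print(status, effective_bits(status), "of", 8 * len(status), "bits")
```
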

Not sure I follow all that, but I checked above and it’s only the last 3 bytes


1 Like

So fuck me… do we gotta make our own shit here wtf.

The xACv2 was also only 3bytes :-/

So the blue board is pretty much identical, minus the easy to guess master uid

2 Likes

Question.

I ended up getting both the 125 and 13.56 versions.

And now I’m looking at getting a magic ring. Cause I’m not set up for the implant yet.

Which magic ring would I want for the 13.56, the mifare one?

Can I program that for LF with my flipper (which I haven’t set up at all yet? :person_facepalming:). I just have LF locks now. But may switch to dual at some point. So would like the ring to do both.

Appreciate any help.
I’m lurking a lot but not much smarter. Haha.