xEM Cloning, Emulation Modes and the perils of Chinese cloners!


#1

So here goes!

Below I am going to try and outline my experiences with the xEM implant and Chinese cloners in the hopes that it will help some of the community. I am no expert - just a guy that likes to fiddle in my spare time. I got my xEM implanted some months ago and after cloning my work HID card to the xEM with one of the dreaded Blue Cloners I have been on the warpath ever since to understand the technology properly, unlock my implant and possibly help some other people unlock their implants.

Firstly I want to thank Skeeve Steevens, Shanti and the team at Chip My Life for both convincing me to get the implant done and providing me with a lot of the tech needed for R&D. If you are in Australia I highly recommend getting your gear and even booking your installation through them! Check them out at:

Secondly thanks to Amal for sending over some xEM’s to test on along with various other bits and pieces. And thanks for generally supporting the R&D of the community in the way that you do!

Last but not least, thanks to James Campbell for your input along the way and bravely letting me do the first real testmode unlock on your hand.

Some Assumptions:

I will try and explain everything in detail but if I were to cover absolutely everything this post would turn into a small book. Therefore, the below assumes that the reader has some basic understanding of the data structure of a t55xx chip and what data is stored in each page and the successive blocks in that page. Also you should have a grasp of proxmark lf t55 operations. I suggest checking out the following if you need a refresher:
http://www.priority1design.com.au/t5557_rfid_transponder.html
and maybe have a brief read through the ATA5577C datasheet:


And probably the proxmark3 command reference. Play with some spare t5577 keychain fobs, break them, un-break them and learn as you go.

We are going to talk about two well-known Chinese cloners, the proxmark3 and the beginnings of some custom coils for the proxmark3:

Blue EM / HID Cloner: [image]

White Multi-Frequency Cloner: [image]

I will begin with briefly covering what has already been discovered. We know that when writing to the xEM (or any t55xx chip) certain Chinese cloners set a password in block 7 of the chip and the password enable bits in block 0. So far people have worked to sniff or acquire the password in order to unlock their chip & help others in the community. I was lucky and used a blue cloner with a known password. Some were not so lucky and used one of the white handheld cloners pictured above, which led a lot of people to think their xEM was perma-locked to that cloner as even a proxmark3 with the correct password would not unlock the chip - more details on this later.

Let’s go over each cloner in a bit more detail!

The Blue Cloner:

From what I have seen after getting to play with about 8 different units from various sellers & sources:

  • The coil quality and component quality in these devices varies a huge amount. This means that some people have units that work very well and almost always consistently read and write to an implant (I have one myself that works consistently at roughly 2cm away from my skin), note that you still need the implant in roughly the right orientation (more on this later).

  • There are a lot of very subtle variations of this device being sold, plastic type, slight mold size change and some vary slightly in color - they all have the same circuitry, but some have different firmware that either does just HID mode, just EM mode or both.

  • Most if not all of these blue cloners set the same password: 51243648, and can be unlocked with a proxmark3. Even with the variations I have seen the password remains the same - I have not seen one that sets a different password.

  • People previously thought that some of these set a different password BUT, I propose that some are having issues unlocking due to bad RF coupling with the stock proxmark3 coil.

The White Cloner:

  • The coil / component quality in these far surpasses the Blue Cloner and is a lot more consistent. After playing with about 4 of these they all read and wrote to the xEM from centimeters off the skin.

  • These ARE multi-frequency. You can even “kind of” change the UID of a Chinese backdoor mifare card in the displayed “IC mode” - actually High Frequency mode.

  • The Windows based software supplied on the device does actually work to crack and clone a mifare classic card with some variation of the hardnested attack.

There are three main “English Version” variations of this unit that I have seen so far:

1. Older than 2015
If you have one of these the buttons will light up BLUE!

a. Reads the card data correctly i.e. for a HID card with a facility code of 150 and a card number of 3000 the screen would read 0015003000.

b. Has a slightly different startup screen / firmware than newer models BUT if you look closely they are actually running a newer version of the firmware? Huh?

c. Coil performance is definitely not as good as newer revisions

d. The input button is actually useful because you can properly input the facility and card code correctly.

2. Newer than 2015
If you have one of these the buttons will light up WHITE!

a. Does not read the card data correctly i.e. for a HID card with a facility code of 150 and a card number of 3000 the screen would read some nonsense like 81504055. (have not been able to figure out what the conversion is - seems totally nonsensical and likely something that was put in place by the manufacturer for fear of legal issues from HID Global LOL)

b. Coil performance is AWESOME! I mean seriously awesome! Clean reads / writes with the xEM every time!

c. The input button is useless as the device does some crazy conversion that as stated above is nonsensical and so far, impossible to figure out. So really this device is only good for cloning.

3. Rip off FAKE cheap version (anything less than about $60-70 AUD is usually one of these):

a. Only works for EM / ID cards, no high frequency and no HID from what I can gather (have not had one to play with yet).

b. No high frequency functionality as it’s a rip off device

c. Just don’t buy one, it’s not worth it.

  • Again, most if not all of these cloners set the same password AA55BBBB.

  • These cloners have a HUGE issue when used in the displayed “125khz ID” mode which in actuality is EM410x mode, and which prevented a lot of people from being able to unlock their implant. This issue, and the fix that I have found, will be outlined in detail further on.

Now that we are a bit more familiar with the devices let’s look at some of the issues that I have faced, and found solutions for.

A few things to note:

  1. The stock proxmark3, proxmark3 RDV2 and proxmark3 easy antennas are NOT designed to work with the cylindrical antennas in our little xEMs. This causes a few issues with accuracy when we try to read / write to the chip. This has been outlined in other posts, so I won’t go into great detail about write tearing, but I will offer a way to help prevent it.

  2. I have the proxmark3 easy board, that is the cheaper version, BUT I have cut the built-in antennas cleanly off the main PCB so that I can attach my own custom antennas via USB port - allowing me to do some experimentation. Pics below:
    [image]

ISSUE #1 - IT JUST WON’T WRITE

This problem happened to me for about 2 weeks when I first got the proxmark3 and was using the stock coils. I was fairly certain I had the right password for the Blue Cloner used to first copy a HID card to my xEM, but still nothing was happening when trying to unlock the chip.

Trying to set the Block 0 configuration so that it was not password protected just did not work. I had the right commands and the right password but was not getting results; the chip remained locked. I thought shit, maybe I got a cloner with a different password. After another week-long adventure learning to sniff the password when the cloner writes to the chip, I managed to sort the data and get a password. SHIT, it was the same known password from other cloners (51243648) - SHIT!

After much digging and reading online I noticed that Amal had used the coil from the xEM access kit on a proxmark3. GENIUS! I got that same coil, made a USB plug for the proxmark3 and managed to write the correct settings and unlock my chip. Hooray, I thought it was all over!

Not quite…

Keep in mind that this antenna is not designed to work with the proxmark3, nor has it been tuned even closely to what it should be. So, when issuing a hw tune you’ll be under 10v with a long cable.

I then wrote my xEM to an EM410x ID with that same coil to use with some equipment at home for testing, all went well… Until I had to re-write my HID ID back later that night so that I could get in to work the next day. I tried to write, nothing, nothing again, more nothing. It’s still in freaking EM410x mode! Argh! WTF!

I shortened the cable between the coil and proxmark and used a lighter gauge wire in an attempt to get more power. This worked, and I was finally able to write the xEM back to HID mode. PHEW! Coil tuning matters more than anything else!

A neat tip on coil placement:

  1. Try and issue an lf t55xx detect command. If the proxmark can detect the chip then you are close to a good spot (if the chip is locked the proxmark will not return anything - this is part of what makes unlocking implants & antenna placement tricky).

  2. After the lf t55xx detect, issue an lf t55xx trace a few times. If the proxmark returns the t55 traceability data screen shown below you are in the “sweet spot” and writes should work cleanly. The reason for this is that it requires almost perfect coupling to get clean reads from page 1 of the t55 chip.

  3. On the above coil - the black mark seems to be the “sweet spot” even though it is on the back side.

There is much more to the antenna & coil side of things to be worked out. I am desperately seeking people to collaborate with on antenna design. The community needs better antennas to work with the proxmark3 and implants.

ISSUE #2 - THE WHITE CLONER AND “ID” MODE.

This thing is crazy just absolutely crazy, it very nearly drove me insane! After some hours of experimentation in HID mode, I found that the password set by this device is AA55BBBB but this seemed to only work on, and unlock chips written in HID mode, not in “ID” / EM410x mode. I was confused and frustrated as a few good friends had written to their implanted xEM with this device in that mode.

After some serious time spent sniffing and sorting data I realized that it was indeed the SAME password but there was something odd: I noticed one extra bit in the configuration data that was completely unknown to me at the time. After trawling through the datasheet linked above I thought that it was setting the chip in X-mode, but that shouldn’t prevent writes. I noticed that the chip has a “test mode” bit that can be set. Now this is not very well documented (publicly at least) - there is one line in the entire datasheet that references it. Seems that once that bit is set, you need to write to the chip in test mode otherwise it will not respond. Luckily the proxmark3 has the “t” switch when writing - which writes in test mode.

This was a great relief - I managed to unlock someone’s chip for them.

There is one issue with this solution though. After using the testmode switch to write to Block 0 and unlock the tag, IF you choose to wipe the chip using the lf t55xx wipe command, the command is able to wipe page 1 of the chip - removing all traceability data / manufacturer information. This happens with some other Chinese t55xx chips too, not just the xEM. The issue then is that a lot of cloners will not work with the t55 chip and the proxmark will behave strangely - inconsistent reads etc…

What needs to be done to fix this is to restore the page1 data or create it. I’m unsure why having a blank page1 causes issues but to fix the problem you can simply restore the page1 data from another xEM implant.

Below is an example of the xEM page1 data. You can simply restore the two blocks and your xEM will respond happily.

proxmark3> lf t5 trace
T55x7 Trace Information

ACL Allocation class (ISO/IEC 15963-1) : 0xE0 (224)
MFC Manufacturer ID (ISO/IEC 7816-6) : 0x15 (21) - ATMEL France
CID : 0x01 (1) - ATA5577M1
ICR IC Revision : 2
Manufactured
Year/Quarter : 2014/2
Lot ID : 727
Wafer number : 16
Die Number : 8968

Raw Data - Page 1
Block 1 : 0xE0150A48 11100000000101010000101001001000
Block 2 : 0x2D782308 00101101011110000010001100001000

To restore the above traceability block data to page 1 the commands are:

lf t55xx write b 1 d E0150A48 1
lf t55xx write b 2 d 2D782308 1

Making sure to have the 1 at the end of the command to reference page1.

Keep in mind that you are essentially spoofing the chip’s traceability data - I have not done enough digging to decipher what bits refer to what data but theoretically you could change the above data to whatever you want, as long as it is within the standard’s specifications.

In summary:

Some of the blue cloners work very well, most don’t. Avoid if at all possible. If you do get one, it’s worth making a custom coil to avoid bad writes. This is something I am currently looking at, along with creating a better cloner. Generally, a rule of thumb with these is: if it reads bad i.e. hard to place / get a read - toss it, if it reads well and easily / consistently it may be kind of OK to use (at your own risk).

  • The newer white cloners are just bad news - avoid even more so than the blue devices.
  • We need better coils for the proxmark3 - can’t emphasize this enough.
  • Test mode should be explored more - this is likely the way to un “bricking” some peoples xEM’s
  • The xEM cloner project should be revived!

Based on the above information we can unlock our implants with the following commands and block data.
I have included the Block 0 configuration settings for all common modes with and without password protection:

EM4100, no PWD:        00148041
EM4100, PWD active:    00148051
HID, no PWD:           00107060
HID, PWD active:       00107071
Blank t55 config:      00088040

Blue HID / EM Cloner:
lf t55xx write b 0 d ******** p 51243648

White multi-frequency HID mode:
lf t55xx write b 0 d ******** p AA55BBBB

White multi-frequency EM / ID mode:
lf t55xx write b 0 d ******** p AA55BBBB t

Note that where ******** you need to put the correct Analogue Block 0 settings for the specific mode that you currently have the xEM in. I have also included the necessary Block 0 settings if you want to keep your tag password protected.

So that is my take on the xEM and cloning issues - I hope it can help some of you out.

Happy holidays everyone! :)

~TH
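
The block 0 configuration values and unlock commands listed in the post above can be checked rather than trusted by hand. The following is an added example, not code from the post or from the proxmark3 project: it decodes a T5577 block 0 word into its datasheet fields (bit 1 = MSB; data bit rate in bits 12-14, modulation in bits 16-20, max block in 25-27, the PWD enable bit at 28), flips only the PWD bit, and builds the `lf t55xx write b 0 d … p …` command string the post uses, with the optional `t` (test mode) switch. The two cloner passwords are the ones the post reports; the bit positions and the rate/modulation tables are taken from the ATA5577 datasheet and verified against the post's own values (00148041 decodes to RF/64 Manchester with 2 blocks, 00107060 to RF/50 FSK2a with 3 blocks).

```python
"""Decode / build the ATA5577 (T5577) block 0 configuration word.

Added example, not the post's or proxmark3's own code. Bit numbering is the
datasheet's basic-mode layout, bit 1 = MSB of the 32-bit word:
  1-4 master key, 12-14 data bit rate, 16-20 modulation, 21-22 PSK CF,
  23 AOR, 24 OTP, 25-27 max block, 28 PWD, 29 ST, 31 inverse data, 32 POR delay.
"""
from dataclasses import dataclass

BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {
    0b00000: "direct", 0b00001: "PSK1", 0b00010: "PSK2", 0b00011: "PSK3",
    0b00100: "FSK1", 0b00101: "FSK2", 0b00110: "FSK1a", 0b00111: "FSK2a",
    0b01000: "Manchester", 0b10000: "Biphase (50)", 0b11000: "Biphase (57)",
}
# Passwords reported in the post for the two cloner families.
CLONER_PASSWORDS = {"blue": 0x51243648, "white": 0xAA55BBBB}
# Block 0 values listed in the post, keyed by mode (PWD bit cleared).
KNOWN_CONFIGS = {"EM4100": 0x00148041, "HID": 0x00107060, "blank": 0x00088040}

PWD_MASK = 1 << (32 - 28)  # datasheet bit 28 = password enable


def _field(word: int, first: int, last: int) -> int:
    """Extract datasheet bits first..last (1-indexed, bit 1 = MSB)."""
    width = last - first + 1
    return (word >> (32 - last)) & ((1 << width) - 1)


@dataclass
class Block0:
    master_key: int
    bit_rate: str
    modulation: str
    psk_cf: int
    aor: bool
    otp: bool
    max_block: int
    pwd: bool
    seq_terminator: bool
    inverse_data: bool
    por_delay: bool


def decode_block0(word: int) -> Block0:
    mod = _field(word, 16, 20)
    return Block0(
        master_key=_field(word, 1, 4),
        bit_rate=BIT_RATES[_field(word, 12, 14)],
        modulation=MODULATIONS.get(mod, f"reserved ({mod:05b})"),
        psk_cf=_field(word, 21, 22),
        aor=bool(_field(word, 23, 23)),
        otp=bool(_field(word, 24, 24)),
        max_block=_field(word, 25, 27),
        pwd=bool(_field(word, 28, 28)),
        seq_terminator=bool(_field(word, 29, 29)),
        inverse_data=bool(_field(word, 31, 31)),
        por_delay=bool(_field(word, 32, 32)),
    )


def set_password_bit(word: int, enabled: bool) -> int:
    """Return word with only the PWD enable bit changed; everything else is kept."""
    return (word | PWD_MASK) if enabled else (word & ~PWD_MASK & 0xFFFFFFFF)


def guess_mode(word: int) -> str:
    """Match a block 0 word against the post's known configs, ignoring PWD and POR bits."""
    ignore = PWD_MASK | 1  # bit 28 and bit 32
    for name, known in KNOWN_CONFIGS.items():
        if (word & ~ignore) == (known & ~ignore):
            return name
    return "unknown"


def unlock_command(current_block0: int, password: int, test_mode: bool = False) -> str:
    """Build the proxmark3 command the post uses: rewrite block 0 with PWD cleared,
    authenticating with the cloner's password; 't' adds the test-mode switch."""
    cmd = f"lf t55xx write b 0 d {set_password_bit(current_block0, False):08X} p {password:08X}"
    return cmd + " t" if test_mode else cmd


def candidate_unlock_commands(current_block0: int) -> list[str]:
    """Every unlock command worth trying when you don't know which cloner locked the tag."""
    cmds = [unlock_command(current_block0, CLONER_PASSWORDS["blue"])]
    cmds.append(unlock_command(current_block0, CLONER_PASSWORDS["white"]))
    cmds.append(unlock_command(current_block0, CLONER_PASSWORDS["white"], test_mode=True))
    return cmds


if __name__ == "__main__":
    for name, word in KNOWN_CONFIGS.items():
        print(f"{name:7s} {word:08X} -> {decode_block0(word)}")
    for c in candidate_unlock_commands(0x00107071):
        print(c)
```

Note that `set_password_bit` touches only bit 28, so unlocking a tag that reads as 00107071 yields 00107061 (POR delay still set) rather than the post's 00107060; both are valid HID configs, and the difference shows why the post tells you to use the block 0 word your tag is actually in rather than a value from a table.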

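
The post shows the page 1 traceability data of an xEM and the two write commands to restore it, but does not decode which bits carry which field. As an added example (not the post's or proxmark3's code), the following decodes blocks 1 and 2 of page 1 into the ACL / manufacturer / CID / revision / date / lot / wafer / die fields, rebuilds the two words from those fields, and emits the restore commands. The 64-bit field layout is inferred from the `lf t5 trace` output quoted in the post and checked against it (E0150A48 / 2D782308 decode to ACL E0, MFC 15, CID 1, ICR 2, 2014/2, lot 727, wafer 16, die 8968); treating the 4-bit year as 2010 + value is an assumption based on how that output prints 4 as 2014.

```python
"""Decode / rebuild the ATA5577 page 1 traceability blocks (blocks 1 and 2).

Added example, not the post's or proxmark3's code. Layout (64 bits, block 1
first, MSB first), inferred from the trace output quoted in the post:
  ACL 8 | MFC 8 | CID 5 | ICR 3 | year 4 | quarter 2 | lot 14 | wafer 5 | die 15
"""
from dataclasses import dataclass

FIELDS = (("acl", 8), ("mfc", 8), ("cid", 5), ("icr", 3), ("year", 4),
          ("quarter", 2), ("lot", 14), ("wafer", 5), ("die", 15))
assert sum(w for _, w in FIELDS) == 64

ATMEL_ACL, ATMEL_MFC = 0xE0, 0x15  # values the post's xEM reports


@dataclass
class Trace:
    acl: int
    mfc: int
    cid: int
    icr: int
    year: int
    quarter: int
    lot: int
    wafer: int
    die: int

    @property
    def manufactured(self) -> str:
        # Assumption: year nibble is relative to 2010 (post shows 4 -> 2014/2).
        return f"{2010 + self.year}/{self.quarter}"


def decode_trace(block1: int, block2: int) -> Trace:
    raw = ((block1 & 0xFFFFFFFF) << 32) | (block2 & 0xFFFFFFFF)
    pos, vals = 64, {}
    for name, width in FIELDS:
        pos -= width
        vals[name] = (raw >> pos) & ((1 << width) - 1)
    return Trace(**vals)


def encode_trace(t: Trace) -> tuple[int, int]:
    """Pack the fields back into (block1, block2); rejects values that overflow a field."""
    raw = 0
    for name, width in FIELDS:
        v = getattr(t, name)
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        raw = (raw << width) | v
    return raw >> 32, raw & 0xFFFFFFFF


def looks_like_atmel_page1(t: Trace) -> bool:
    """A wiped page 1 reads back as zeros and fails this; a sane xEM passes it."""
    return t.acl == ATMEL_ACL and t.mfc == ATMEL_MFC


def restore_commands(block1: int, block2: int) -> list[str]:
    """The two proxmark3 commands from the post; the trailing '1' selects page 1."""
    return [f"lf t55xx write b 1 d {block1:08X} 1",
            f"lf t55xx write b 2 d {block2:08X} 1"]


if __name__ == "__main__":
    t = decode_trace(0xE0150A48, 0x2D782308)  # values quoted in the post
    print(t, t.manufactured, looks_like_atmel_page1(t))
    print("\n".join(restore_commands(*encode_trace(t))))
```

Because `encode_trace` round-trips the fields, it also makes the post's closing remark concrete: changing `lot`, `wafer` or `die` before encoding produces a page 1 that still carries the Atmel ACL/MFC and decodes cleanly, which is exactly the "spoofed traceability data" the post warns about.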

#2

It’s important to note that every time you start the proxmark software, you run “hw tune” to configure the antenna.


#3

Awesome post Tom! I’m going to be ‘that guy’ and ask for even more information, on how you wired the access kit’s antenna to USB male and then ran your Proxmark3 easy’s antenna to USB female? Fortunately, I have a very similar Proxmark3, and the access kit ready to go, but that’s where my experience ends.


#4

Thanks Nate :slight_smile:

What I have done is a pretty heavy modification of the proxmark3 easy main board. If you do this you will also need to make yourself some other antennas for reading and writing to cards / fobs etc. Keep in mind that this was a first attempt to get things working half decently. I think at some stage I will redesign mine so that instead of one USB port there are two MCX connectors allowing me to have both HF and LF connectors connected at once.

So what I did was:

Cut the built in High Frequency antenna clean from the proxmark with a Dremel. Please only do this if you are confident that you can cut the board without slipping or damaging any of the components. You need to cut the pcb just before the two standoff holes making sure to leave some of the old coil traces to solder your HF antenna to.

As you can see below there are 4 wires soldered to the board where I have made the cut. I used some old flat usb cable that I had laying around to connect from the pm3 to the usb port as it had some nice thin gauge copper wires inside that should result in minimal voltage drop.

Green & Grey are soldered to the outside standoff holes where the LF coil normally connects via standoffs. This should be straightforward to understand.

Pink & White are soldered to what is left of the HF coil traces. I have attached a picture with red markup showing where to solder. Try and get the solder joints as close to the middle of the board as possible - near where the lines separate.

At the female USB connector I’ve simply soldered the Green and Grey (LF) wires to the two leftmost pins and the Pink and White (HF) wires to the two rightmost pins.

Now for the coils.

What you need is a USB cable that you are willing to sacrifice (preferably as thin as possible for minimal loss) and the coil from the xEM access kit or any other coil that you make / have. You can still use the original proxmark3 LF antenna like this as well.

Below is the cable that I use for testing new coil performance. I’ve used it for this purpose as its a nice visual representation. As you can see I have the coil connected to the two left most pins of the male usb plug:

These connections meet the two left most connections in the female USB plug which in turn are connected to the two standoff holes that previously connected to the built in LF antenna.

If you don’t have boxes of random parts and connectors to make something from scratch - you can achieve the same result with any old usb cable by cutting the male end from it, stripping the four wires and using your multimeter in continuity mode to identify which wires relate to which pins in the male end of the usb plug. I don’t have any cables here at the moment to sacrifice otherwise I would post a picture.

One mistake that I originally made was to cut the coil lead close to the access kit control box, thinking a longer lead should be fine. After some tests I realised that the proxmark3 easy’s output just can’t cope with the thick gauge coax cable that the coil uses, so later I cut it shorter and gained a lot of performance.

Hopefully this helps to clarify what I have done. Below I’ll post some pictures of some other antennas that I have made for both LF and HF.

This little coil is perfect for little keychain fobs. Note: you can buy reasonable coils from eBay etc… it just takes a bit of digging and some trial and error to find the right ones.

This is one I made for high frequency implants. It reads the xNT from about 1’ above the skin!!

If there is anything else I can add or clarify please let me know. One final note:

Make sure your wires are all quality copper, a thin enough gauge so as to not introduce too much loss but a thick enough gauge to handle the power output, and make sure that every connection is as close to perfect as you can get. You’re dealing with RF signalling and you want everything to be as close to optimal as possible. I am no expert and only speaking from what I have learned over the past 4 months with the proxmark.

~TH


#5

Great writeup, though I’m impressed you get any performance out of this setup.

Using non-coax cable for RF as well as non-RF type connectors is definitely going to decrease your performance. It’s also going to detune your circuit.

The antenna system (antenna, coax, connectors, capacitors, etc) as a whole needs to be tuned for optimal performance. Not sure if the proxmark has some self-tuning abilities.

The size of the wire doesn’t matter, the impedance of the wire does. Regular wire (as opposed to coax) does not transfer RF very well. It’s very lossy. It becomes an antenna itself.

Replace the cable with some small coax and the connectors with SMA or other high frequency connectors and I bet you’d get even better performance. You can get coax pigtails on ebay for a couple bucks.


#6

Great instructions! Where am I able to buy the cylindrical antenna for the 125 kHz to connect to my Proxmark3? I can not seem to find it on eBay. Is the best way to just order the xEM access controller and only use the antenna?


#7

Thanks for the tips Turbo! I actually seem to get better performance than a stock PM3 easy in every scenario. I have a brand new stock Pm3 here for comparison. Long term plan is definitely to sort out coax and proper connectors. This was all just proof of concept.

Zimmii the only option here is to buy the xEM access kit and salvage the coil from it - remember to keep the wire as short as possible while still keeping a useful length! I have a long term plan to find some better suited coils and I think I may have had a solid win over the last couple of days, I need to do some testing but if all works out well I’ll be letting everyone know.


#8

FYI to anyone with a proxmark3 dev kit 2, the antenna coax cables are mmcx sized, not the rg316 from the link above :).


#9

Hi all,

Quick update - things have been hectic so I haven’t had much time to work on this stuff recently but hope to have a lot more free time soon!

Ditched the USB connectors, added some nice sma connectors. The performance boost is absolutely insane! In comparison to my genuine PM3 RDV3 - this thing gets vastly better performance every time, reading implants both HF & LF, sniffing mifare card - reader communication. I’ve seen performance boosts in every way, now this may also be due to the fact that I’ve spent time tuning coils which is a painstakingly long process of trial and error in most cases.

Hoping to have some off-the-shelf coils delivered for testing soon; if they are as good as I hope I will be doing a full write up detailing how to do the SMA mod cleanly and what coils work well with minimal tuning.


#10

@TomHarkness
I’m really looking forward to your writeup! We’ve got a group looking to make our own antennas, and would really love to see how you’ve done it.


#11

@bashNinja - I’ll do my best to get some details out soon but have been flat out working on some stuff for the RDV4. Watch this space, there may be some cool things coming!


#12

Sounds good.

The majority of us are working with the Proxmark3 RDv2, with the MMCX connectors. We’ve got parts coming from china, so it’ll be a few weeks before we start trying to coil our own.

I’m excited to see what you come up with.


#13

Nice man! I’ve got all revisions here and have done custom antennas for the lot. Best performance is rdv4 by a long shot.