xEM emulation questions

Hey, I’m going to be getting an xEM chip soon (well, an NExT actually, but you know what I mean) and it says it can emulate many different chip types. Is there a certain way that you have to manage that, or does it automatically do it based on what information you put on it?

Only the xEM part of the implant can emulate different chips. It’s only one at a time. Typically you clone a card to the chip and part of the cloning process is telling the chip what mode to be in… Once it’s set that’s it until you change it. it’s not an “on the fly” thing.

For the most part, EM mode and HID mode are by far the most common modes. Indala is another mode.
Check out this thread Quirks of the T5577 & cloning tags to the xEM
and this http://www.proxmark.org/forum/viewtopic.php?id=1767

To be fair… “mode” is not really a thing… a “mode” on the T5577 chip is a specific setting of the analog front end configuration bits that control modulation, data encoding, etc… so EM “mode” is once specific set of bit settings, and HID “mode” is another. In this way it’s important to differentiate because it makes it clearer that the T5577 chip is simply changing certain ways it communicates data to the reader and you can mix and match these settings to attempt to match the source tag’s behavior. The T5577 does not have a hard set of “modes”, that’s all I’m trying to say.

The important bit here is if you understand that, for example, modulation for one type of source tag (tag 1) is FSK and another type of source tag (tag 2) is PSK, then clearly tag 1 and 2 are not going to be compatible with each other… hence reader 1 cannot read tag 2 because the modulation is totally different… even though they are both 125kHz tags.

To further the point, EM4100 tags are typically modulated using either ASK or PSK, and HID are modulated using FSK.

From http://www.gizmolab.co.za/rfid-modulation-encoding/

PSK Modulation

FSK Modulation

Data encoding schemes

1 Like

That’s what I said. lol. :rofl:

1 Like

I’ve come across one exception to this where it worked “on the fly.” A spa had lockers where they’d give you a fob that you used to lock and unlock your stuff while there… The chip you scanned to lock it would be the chip to unlock it (and they had a master, of course.) So, they could hand any fob to someone to use on any locker. Very cool system. And easily as secure as most spa lockers with cheap ass combo locks or 4-pin cam locks.

1 Like

This is becoming more common in gyms and shared office spaces, the idea being that anyone can grab any locker and use their badge or gym fob to lock it, and only they will be able to unlock it (or a supervisor)

One thing of note though is that its not the lock programming the tag to work on it, its the lock learning what ‘unique’ tag locked it. @turbo2ltr is still correct in that the tag is programmed with a particular value and stays in that mode with that ID until its written to with special hardware.


True enough. But, from a user perspective, sinceit learns my UID, I don’t have to change it for this use. Meaning, anything else I have configured to work will continue to work since I don’t have to make any changes to the tag. So, I can use it “on the fly” for a locker as well as anything else I’ve set up.

1 Like

As long as your other use is EM mode or whatever mode the locker uses - if you used it for your work badge in HID mode, you still would have to reprogram it and it wouldn’t work on the fly. Great for a lot of use cases, but still not a universal solution.