xEM received, injected and readable, just can't write?


#1

I have a proxmark3 rdv2 and I can read my card consistently:

Checking for known tags:
          
EM410x pattern found:           

EM TAG ID      : 2015061314          

Possible de-scramble patterns          
Unique TAG ID  : 04A860C828          
HoneyWell IdentKey {          
DEZ 8          : 00398100          
DEZ 10         : 0352719636          
DEZ 5.5        : 05382.04884          
DEZ 3.5A       : 032.04884          
DEZ 3.5B       : 021.04884          
DEZ 3.5C       : 006.04884          
DEZ 14/IK2     : 00137791673108          
DEZ 15/IK3     : 000020004784168          
DEZ 20/ZK      : 00041008060012080208          
}
Other          : 04884_006_00398100          
Pattern Paxton : 538595604 [0x201A5114]          
Pattern 1      : 606362 [0x9409A]          
Pattern Sebury : 4884 6 398100  [0x1314 0x6 0x61314]          

Valid EM410x ID Found!      

Unfortunately I cannot issue the "lf t55xx detect" command as it returns nothing, but I can get this from t55xx info:

proxmark3> lf t55xx info
          
-- T55x7 Configuration & Tag Information --------------------          
-------------------------------------------------------------          
 Safer key                 : 8          
 reserved                  : 25          
 Data bit rate             : 4 - RF/50          
 eXtended mode             : No          
 Modulation                : 0x0D (Unknown)          
 PSK clock frequency       : 0          
 AOR - Answer on Request   : Yes          
 OTP - One Time Pad        : No          
 Max block                 : 7          
 Password mode             : No          
 Sequence Start Terminator : Yes          
 Fast Write                : Yes          
 Inverse data              : Yes          
 POR-Delay                 : Yes          
-------------------------------------------------------------          
 Raw Data - Page 0          
     Block 0  : 0x8330D2EF  10000011001100001101001011101111          
-------------------------------------------------------------  

All reads return this waveform: https://i.imgur.com/Cu4WviR.png

Is my implant bricked?


#2

More info, can pull this from the tag:

proxmark3> lf t55xx read
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
  255 | 60CC34BB | 01100000110011000011010010111011          
proxmark3> lf t55xx dump
Reading Page 0:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 8330D2EF | 10000011001100001101001011101111          
  1 | 8330D2EF | 10000011001100001101001011101111          
  2 | 8330D2EF | 10000011001100001101001011101111          
  3 | 0661A5DF | 00000110011000011010010111011111          
  4 | 8330D2EF | 10000011001100001101001011101111          
  5 | 0661A5DF | 00000110011000011010010111011111          
  6 | 0661A5DF | 00000110011000011010010111011111          
  7 | 0661A5DF | 00000110011000011010010111011111          
Reading Page 1:          
blk | hex data | binary          
----+----------+---------------------------------          
  0 | 8330D2EF | 10000011001100001101001011101111          
  1 | 0661A5DF | 00000110011000011010010111011111          
  2 | 0661A5DF | 00000110011000011010010111011111          
  3 | 0661A5DF | 00000110011000011010010111011111          
proxmark3>
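Added example (not from the thread or the proxmark3 project): a decoder for the T5577 block-0 configuration word using the same bit layout that "lf t55xx info" prints above, plus a check of whether two dumped "block" values are overlapping windows of one continuous bit stream. The field names are this example's own; the three config words and the block 255/0/3 values are the ones shown in the thread.

```python
# Added example (not from the thread or the proxmark3 project): decode a T5577
# block-0 configuration word with the bit layout that "lf t55xx info" prints,
# and check whether two dumped "block" values are really overlapping windows
# of one continuous bit stream. Field names are this example's own.

BITRATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
            4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0x00: "Direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
               0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
               0x08: "ASK/Manchester", 0x10: "Biphase", 0x18: "Diphase"}


def decode_block0(word):
    """Split a 32-bit block-0 word into T5577 configuration fields (MSB first)."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 is a 32-bit word")
    mod = (word >> 12) & 0x1F
    return {
        "safer_key": word >> 28,                  # bits 1-4
        "reserved": (word >> 21) & 0x7F,          # bits 5-11
        "bitrate": (word >> 18) & 0x7,            # bits 12-14 (basic mode)
        "bitrate_str": BITRATES[(word >> 18) & 0x7],
        "xmode": bool((word >> 17) & 1),          # bit 15
        "modulation": mod,                        # bits 16-20
        "modulation_str": MODULATIONS.get(mod, "Unknown"),
        "psk_cf": (word >> 10) & 0x3,             # bits 21-22
        "aor": bool((word >> 9) & 1),             # bit 23
        "otp": bool((word >> 8) & 1),             # bit 24
        "max_block": (word >> 5) & 0x7,           # bits 25-27
        "pwd": bool((word >> 4) & 1),             # bit 28
        "seq_terminator": bool((word >> 3) & 1),  # bit 29
        "fast_write": bool((word >> 2) & 1),      # bit 30
        "inverse_data": bool((word >> 1) & 1),    # bit 31
        "por_delay": bool(word & 1),              # bit 32
    }


def window_shift(a, b, min_overlap=24):
    """If b is the same bit stream as a, sampled s bits later, return s.

    A genuine block read answers with that block's own 32 bits. When the tag
    never heard the read command, the Proxmark just demodulates whatever the
    tag keeps broadcasting, so successive "blocks" overlap by a bit or two.
    """
    for s in range(1, 32 - min_overlap + 1):
        if (a & ((1 << (32 - s)) - 1)) == (b >> s):
            return s
    return None


if __name__ == "__main__":
    for w in (0x8330D2EF, 0x000880E0, 0x00107060):  # config words from the thread
        print(f"{w:08X}:", decode_block0(w))
    # block 255, block 0 and block 3 from the dump above: 2 and 1 bit apart
    print(window_shift(0x60CC34BB, 0x8330D2EF), window_shift(0x8330D2EF, 0x0661A5DF))
```

The "Inverted" and "Seq. Term." lines that "lf t5 det" prints later in the thread come from the demodulator rather than from these block-0 bits, so they need not match the decoded fields.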

#3

For Reference the LOT# was 15250001
MFG Date: 2015 :06
EXP Date: 2020 :05


#4

UPDATE:

Have tried Iceman's fork to no benefit and I have also tried the access antenna from the site to no benefit. This seems to be the best coupling I’ve got… should I remove the tag before it heals over?


#5

What is it you’re trying to accomplish with “lf t55xx detect”, and are you sure it’s included in the version of iceman fork you’re trying?

@TomHarkness opened an issue similar to this here: https://github.com/RfidResearchGroup/proxmark3/issues/3 … sounds like a bug, because we set our T5577 chips to EM mode by default.


#6

Thanks for the reply! I'm trying to wipe the card and then clone an indala card to my implant. To answer your question, I’m using the latest iceman fork; I flashed my proxmark back to the master branch, though. Is there a version for the rdv2 that you recommend?

2 further questions:

In regards to Tom’s reply:

Just checked this in the original pm3 fork and
the issue does not present with rdv4 hardware.
Edit: just tested this fork with rdv2 / 3 - same issue.
Definitely software related, guys.

I understand that the latest rdv4 proxmark3 resolves the timing issues?

Second question, what is the correct baud rate, offset and extended t55xx config to be able to wipe this chip? Should I use the proposed:

lf t55xx deviceconfig a 29 b 17 c 15 d 47 e 15
lf t55xx detect

Thanks again, amal


#7

It appears I have either bricked the chip or wiped it as I can no longer read the chip and the waveform has changed:


#8

Hmm, possibly… why the wipe step? It’s not necessary and it may be the issue. @TomHarkness … any secret commands to bring it back to life?


#9

Ok so you’ve wiped all blocks to 0s with the “Lf t5 wipe” command?

If so you should be able to simply write a new ID to recover the chip. “Lf Hid clone 1123434455” or similar command.

Because these specific t55 chips are fully writable you’ve also wiped clear the traceability and manufacturer data which is stored in blocks 1,2 & 3 of PAGE 1 - not page 0 which stores your ID data.

I’m 99% sure that your chip is just fine and simply needs some valid data written. If you're having issues it may be a coupling issue.


#10

After reading the thread a bit more properly I’m pretty sure this is a coupling issue. Currently at the 9-5 job but will try and replicate this as soon as I get home this evening.


#11

Ok guys:

See below (ignore the automatic t5 detect with lf search, you won’t get that without an insanely good antenna):


[fpc] pm3 --> lf sear
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…

[+] HID Prox TAG ID: 2004840532 (665) - Format Len: 26bit - OEM: 000 - FC: 66 - Card: 665

[+] Valid HID Prox ID found!

[+] Chipset detection : T55xx found

[+] Try lf t55xx commands
[fpc] pm3 --> lf t5 det
Chip Type : T55x7
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 33
Seq. Term. : No
Block0 : 0x00107060

[fpc] pm3 --> lf t5 wipe

[=] Beginning Wipe of a T55xx tag (assuming the tag is not password protected)

[=] Writing page 0 block: 00 data: 0x000880E0 pwd: 0x00000000
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
[fpc] pm3 --> lf sear
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…

[-] No known 125/134 kHz tags found!
lf h
[+] Chipset detection : T55xx found

[fpc] pm3 --> lf t5 det
Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 32
Seq. Term. : Yes
Block0 : 0x000880E0

[fpc] pm3 -->

[+] Try lf t55xx commands
[fpc] pm3 --> lf hid clone 1122334455
[=] Preparing to clone HID tag with ID 1122334455
[fpc] pm3 --> lf sear
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…

[+] HID Prox TAG ID: 1122334455 (107050) - Format Len: 37bit - OEM: 000 - FC: 4643 - Card: 107050

[+] Valid HID Prox ID found!

[+] Chipset detection : T55xx found

[+] Try lf t55xx commands
[fpc] pm3 -->


So what I want you to try is:

  1. Set the LF config as per the above config displayed after the wipe command. Note that the bitrate is 2, not 4 as it would be for EM / HID modulation; it’s now just a blank t5. The config is “lf t5 config b 2 L”

  2. Get your xEM orientated with the antenna as best you possibly can (whatever orientation you had for the wipe seemed to work so try that)

  3. Write a HID ID to your tag with the command “lf hid clone 2004840534” - This will be FC:66 CC: 666.

  4. Issue the “hw reset” command to clear the lf config you set above as it will now need to be RF 4.

  5. Exit and restart the proxmark client just to be sure

  6. Lf search and see if you get an ID.

I’ve just tested this 5-6 times while on the bus to work and can assure you that if it does not work, your issue is antenna related and your implant is not broken in any way.

Just to clarify, the process looks like this:

[fpc] pm3 --> lf t5 wipe

[=] Beginning Wipe of a T55xx tag (assuming the tag is not password protected)

[=] Writing page 0 block: 00 data: 0x000880E0 pwd: 0x00000000
[=] Writing page 0 block: 01 data: 0x00000000
[=] Writing page 0 block: 02 data: 0x00000000
[=] Writing page 0 block: 03 data: 0x00000000
[=] Writing page 0 block: 04 data: 0x00000000
[=] Writing page 0 block: 05 data: 0x00000000
[=] Writing page 0 block: 06 data: 0x00000000
[=] Writing page 0 block: 07 data: 0x00000000
[fpc] pm3 --> lf conf b 2 L
#db# LF Sampling config
#db# [q] divisor…95 ( 125 kHz )
#db# [b] bps…2
#db# [d] decimation…1
#db# [a] averaging…Yes
#db# [t] trigger threshold…0
[fpc] pm3 --> lf hid clone 2004840534
[=] Preparing to clone HID tag with ID 2004840534
[fpc] pm3 --> hw reset
[=] Proxmark3 has been reset.
[fpc] pm3 --> exit

tom@SilverBox:~/proxmark3-RRG$ ./client/proxmark3 /dev/cu.PM3_RDV40-DevB

[fpc] pm3 --> lf sear
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…

[+] HID Prox TAG ID: 2004840534 (666) - Format Len: 26bit - OEM: 000 - FC: 66 - Card: 666

[+] Valid HID Prox ID found!

[+] Chipset detection : T55xx found

[+] Try lf t55xx commands
[fpc] pm3 -->

Let me know how this goes for you!

