xEM seems to be corrupted?

Support
41

Hi Kent,

Yes, we do on occasion sell to bio-hackers in China.

My best,

Mdanger

42

I’m having the same problem here. Any chance you could help?

43

Happy to! Are you located in Australia? and do you have a proxmark? lets work out a time that’s good for both of us and do a chat.

44

I live in the US. Currently have to unbrick my proxmark3. I followed the online instructions, and ended up with a ‘bricked’ device. I am back in the states around 5/7, and will have access to the tools to fix it. I’ll message you when my proxmark is good, and we can sort out a time. thanks for being so willing to help!

2 Likes
45

Hey @TomHarkness, Feel like helping this noob too?
Can consistently read from my tag, the test mode command ~seems ~ to go ok? lf t55xx config gives me
“Chip Type : T55x7
Modulation : ASK
Bit Rate : 2 - RF/32
Inverted : No
Offset : 31
Seq. Term. : Yes
Block0 : 0x000880E8”
but HID clone doesn’t work, and any of the other t55xx comands (dump etc) dont return… any advice?

Thanks
Brendan

46

I discovered the case on my PM3 RDV4 was hampering my coupling ( from another post you replied too thanks for that ) got some better reads lf detect now gives
pm3 → lf t55xx detect
Chip Type : T55x7
Modulation : BIPHASEa - (CDP)
Bit Rate : 5 - RF/64
Inverted : Yes
Offset : 59
Seq. Term. : No
Block0 : 0xE01780BE

update 2

pm3 → lf t55xx info

**T55x7 Configuration & Tag Information -------------------- **
**------------------------------------------------------------- **
** Safer key : 12 **
** reserved : 0 **
** Data bit rate : 23 - RF/48 **
** eXtended mode : Yes - Warning **
** Modulation : 16 - Biphase **
** PSK clock frequency : 0 - RF/2 **
** AOR - Answer on Request : Yes **
** OTP - One Time Pad : No **
** Max block : 4 **
** Password mode : No **
** Sequence Start Marker : No **
** Fast Write : Yes **
** Inverse data : No **
** POR-Delay : Yes **
**------------------------------------------------------------- **
** Raw Data - Page 0 **
** Block 0 : 0xC05F0285 11000000010111110000001010000101 **
-------------------------------------------------------------

I think I’m still getting coupling issues?? the block 0 data isn’t consistent but the trace viewer shows what looks like clipping at 150 (what are the units for this btw) i was concerned that earlier attempts to with test mode and poor coupleing may have damanged the chip however it still reads as an EM410 card. a bit lost as to where to go next

update

stroke of luck, cloned my hid tag to it, have no idea what i changed, must have been placement, but trace looked the same (clipping at 150)

2 Likes
47

Looks like the issue was a coupling problem between the proxmark3 and the tag. Details are below:

  1. Proxmark3 wasn’t ‘bricked’, but OS X did not recognize it, so I had to install Ubuntu via VMWare.

  2. The Iceman firmware/software combo was able to successfully reprogram the chip

Hope this helps someone struggling with the same issues.

-Jason

3 Likes
48

If you get your pm3 into that state on OS X. The fix is to:

  1. Get the flash command ready to flash-all (use flash-all.sh is easier)

  2. Hold the button down while plugging in, Keep it held throughout the entire flashing process.

  3. Once flash completes release button and use as normal.

If, this still doesn’t allow you to see your pm3 with “ls /dev/cu.*” command. You may need to delete the old kernel extension and then reboot first:

sudo rm -rf /System/Library/Extensions/Proxmark3.kext

2 Likes
49

Year & abit later, we finally got around to messing with DT’s new LF antenna we got a few months back.

Unfortunately even with Tom’s custom designed antenna & our proxmark rdv4 there’s still no reviving that bricked xEM. :crying_cat_face: We get pretty much the same results as we had with the PM3Easy & our homebrew LF antennas.

Ah well…

50

so i have the same issue with the proxmark3 easy now i do get a read

[usb] pm3 → lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] Indala - len 234, Raw: 80000000000000000000000000000000000000000000000000000000

[+] Valid Indala ID found!

i dont know if that means its recoverable when i do lf config i get this

usb] pm3 → lf config
[#] LF Sampling config
[#] [q] divisor…95 ( 125.00 kHz )
[#] [b] bits per sample…8
[#] [d] decimation…1
[#] [a] averaging…No
[#] [t] trigger threshold…0
[#] [s] samples to skip…0
[#] LF Sampling Stack
[#] Max stack usage…5584 / 8480 bytes

and lf search u gives me this
usb] pm3 → lf search u
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[-] :no_entry: No known 125/134 kHz tags found!

[=] Checking for unknown tags:

[-] :no_entry: no repeating pattern found, try increasing window size
[=] Possible auto correlation of 8 repeating samples
[=] Possible 1 bytes
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111
11111111111111111111111111111111

Unknown ASK Modulated and Manchester encoded Tag found!
if it does not look right it could instead be ASK/Biphase - try ‘data rawdemod ab’
[usb] pm3

51

Do you get any response to lf t55xx detect ?

52

I’m having the same problem, NExT chip with the ProxLF antenna, getting the following on an lf search but nothing on an lft55xx detect??

[usb] pm3 → lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[!] :warning: (em4x50) timeout while waiting for reply.
[+] EM410x pattern found

EM TAG ID : 7130005159

Possible de-scramble patterns

Unique TAG ID : 8E0C008A9A
HoneyWell IdentKey {
DEZ 8 : 00020825
DEZ 10 : 0805327193
DEZ 5.5 : 12288.20825
DEZ 3.5A : 113.20825
DEZ 3.5B : 048.20825
DEZ 3.5C : 000.20825
DEZ 14/IK2 : 00486136631641
DEZ 15/IK3 : 000610086718106
DEZ 20/ZK : 08140012000008100910
}
Other : 20825_000_00020825
Pattern Paxton : 1897172825 [0x71148F59]
Pattern 1 : 50954 [0xC70A]
Pattern Sebury : 20825 0 20825 [0x5159 0x0 0x5159]

[+] Valid EM410x ID found!

[+] Chipset detection: T55xx
[!] :warning: (em4x50) timeout while waiting for reply.
Couldn’t identify a chipset

53

Did you run init_rdv4?

54

Yup, did a fresh install and flash and configuration before trying again.

This is my lf t55xx config output fyi:

[usb] pm3 → lf t55xx config
[=] Chip Type : T55x7
[=] Modulation : ASK
[=] Bit Rate : 0 - RF/8
[=] Inverted : No
[=] Offset : 0
[=] Seq. Term. : No
[=] Block0 : 0x00000000
[=] Downlink Mode : default/fixed bit length
[=] Password Set : No

55

hw status

56

[usb] pm3 → hw status
[#] Memory
[#] BigBuf_size…42264
[#] Available memory…42264
[#] Tracing
[#] tracing …1
[#] traceLen …0
[#] dma8 memory…-2111904
[#] dma16 memory…-2111904
[#] toSend memory…-2111904
[#] Current FPGA image
[#] mode… LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
[#] Flash memory
[#] Baudrate…24 MHz
[#] Init…OK
[#] Memory size…2 mbits / 256 kb
[#] Unique ID…0xD5690C23DF50422A
[#] Smart card module (ISO 7816)
[#] version…v3.11
[#] LF Sampling config
[#] [q] divisor…95 ( 125.00 kHz )
[#] [b] bits per sample…8
[#] [d] decimation…1
[#] [a] averaging…No
[#] [t] trigger threshold…0
[#] [s] samples to skip…0
[#] LF Sampling Stack
[#] Max stack usage…4112 / 8480 bytes
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------±----±----±----±----±----±----±-----
[#] fixed bit length (default) | 29 | 17 | 15 | 47 | 15 | N/A | N/A |
[#] long leading reference | 29 | 17 | 18 | 50 | 15 | N/A | N/A |
[#] leading zero | 29 | 17 | 18 | 40 | 15 | N/A | N/A |
[#] 1 of 4 coding reference | 29 | 17 | 15 | 31 | 15 | 47 | 63 |
[#]
[#] HF 14a config
[#] [a] Anticol override…No (follow standard)
[#] [b] BCC override…No (follow standard)
[#] [2] CL2 override…No (follow standard)
[#] [3] CL3 override…No (follow standard)
[#] [r] RATS override…No (follow standard)
[#] Transfer Speed
[#] Sending packets to client…
[#] Time elapsed…500ms
[#] Bytes transferred…286208
[#] Transfer Speed PM3 → Client = 572416 bytes/s
[#] Various
[#] Max stack usage…4112 / 8480 bytes
[#] DBGLEVEL…1 ( ERROR )
[#] ToSendMax…-1
[#] ToSend BUFFERSIZE…2308
[#] Slow clock…30508 Hz
[#] Installed StandAlone Mode
[#] HF - Reading Visa cards & Emulating a Visa MSD Transaction(ISO14443) - (Salvador Mendoza)
[#] Flash memory dictionary loaded
[#] Mifare…933 keys
[#] T55x7…110 keys
[#] iClass…7 keys
[usb] pm3

57

From an t55xx info and dump although still getting nothing from the detect…

[usb] pm3 → lf t55xx info

— T55x7 Configuration & Information ---------

Safer key : 15
reserved : 15
Data bit rate : 63 - RF/128
eXtended mode : Yes - Warning
Modulation : 0x1F (Unknown)
PSK clock frequency : 3 - (Unknown)
AOR - Answer on Request : Yes
OTP - One Time Pad : Yes - Warning
Max block : 7
Password mode : Yes
Sequence Start Marker : Yes
Fast Write : Yes
Inverse data : Yes
POR-Delay : Yes

Raw Data - Page 0, block 0
0xFFFFFFFF .1111111111111111111111111111111

lf t55xx dump

00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000

58

Its getting late so i’ll be off till tomorrow soon but now when I do an lf search i’m getting;

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[!] :warning: (em4x50) timeout while waiting for reply.
[-] :no_entry: No known 125/134 kHz tags found!
[!] :warning: (em4x50) timeout while waiting for reply.
Couldn’t identify a chipset
[usb] pm3

So even less info than before. I really hope this NExT implant isn’t bricked as its brand new, only went in on Monday and this is the first time using it…

59

took a few attempt ad actually shiffing the implant a little but i got this

[usb] pm3 → lf t55xx detect
[=] Chip Type : T55x7
[=] Modulation : PSK1
[=] Bit Rate : 1 - RF/16
[=] Inverted : No
[=] Offset : 59
[=] Seq. Term. : No
[=] Block0 : 0xD006140D
[=] Downlink Mode : long leading reference
[=] Password Set : No

[usb] pm3 → lf t55xx detect
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
[usb] pm3 → lf t55xx detect
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’
[usb] pm3 → lf t55xx detect
[=] Chip Type : T55x7
[=] Modulation : PSK2
[=] Bit Rate : 1 - RF/16
[=] Inverted : No
[=] Offset : 40
[=] Seq. Term. : No
[=] Block0 : 0x80042F75
[=] Downlink Mode : leading zero reference
[=] Password Set : No

[usb] pm3

[usb] pm3 → hw status
[#] Memory
[#] BigBuf_size…44136
[#] Available memory…44136
[#] Tracing
[#] tracing …1
[#] traceLen …0
[#] dma8 memory…-2110032
[#] dma16 memory…-2110032
[#] toSend memory…-2110032
[#] Current FPGA image
[#] mode… LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
[#] LF Sampling config
[#] [q] divisor…95 ( 125.00 kHz )
[#] [b] bits per sample…8
[#] [d] decimation…1
[#] [a] averaging…No
[#] [t] trigger threshold…0
[#] [s] samples to skip…0
[#] LF Sampling Stack
[#] Max stack usage…5508 / 8480 bytes
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------±----±----±----±----±----±----±-----
[#] fixed bit length (default) | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
[#] long leading reference | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
[#] leading zero | 31 | 20 | 18 | 40 | 15 | N/A | N/A |
[#] 1 of 4 coding reference | 31 | 20 | 18 | 34 | 15 | 50 | 66 |
[#]
[#] Transfer Speed
[#] Sending packets to client…
[#] Time elapsed…500ms
[#] Bytes transferred…278528
[#] Transfer Speed PM3 → Client = 557056 bytes/s
[#] Various
[#] Max stack usage…5508 / 8480 bytes
[#] DBGLEVEL…1 ( ERROR )
[#] ToSendMax…9
[#] ToSend BUFFERSIZE…2308
[#] Slow clock…30677 Hz
[#] Installed StandAlone Mode
[#] HF - Reading Visa cards & Emulating a Visa MSD Transaction(ISO14443) - (Salvador Mendoza)
[usb] pm3

and ifi would have know at the time bought it it was sold to me as a rv4 found out afterwords its the easy so that was big downer

60

The detect working sometimes and failing others means you aren’t in the exact right spot. Once you get a detect to work, don’t move at all (some people even tape it in place or bandage it)

Then double check with a few more detects, then a lf t55xx trace

If it tells you who made the chip and other details, then you are good to write.