xEM won't write to blocks 0, 1, or 2 but will write to 3

Support
1

I have an implanted xEM. Implanted 5 weeks ago. Tried writing with Proxmark3 Easy and Flipper Zero. The problem is that it won’t write to Blocks 0, 1, or 2, but it can write to 3 - 6 (haven’t tried others). Antenna is custom wound over ferrite as found on the board here. Any help would be very much appreciated. Here is relevant info

[usb] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ Client ]
  Iceman/master/v4.18341-suspect 2024-03-20 23:31:54 20d6f7f37
  compiled with............. GCC 13.2.0
  platform.................. Linux / x86_64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... present
  Python script support..... present
  Lua SWIG support.......... present
  Python SWIG support....... present

 [ Proxmark3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: Iceman/master/v4.18341-suspect 2024-03-20 23:31:54 20d6f7f37
       os: Iceman/master/v4.18341-suspect 2024-03-20 23:31:54 20d6f7f37
  compiled with GCC 12.2.1 20221205

 [ FPGA ]
  fpga_pm3_lf.ncd image 2s30vq100 2024-02-03 15:12:10
  fpga_pm3_hf.ncd image 2s30vq100 2024-02-03 15:12:20
  fpga_pm3_felica.ncd image 2s30vq100 2024-02-03 15:12:41
  fpga_pm3_hf_15.ncd image 2s30vq100 2024-02-03 15:12:31

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 62% used )

[usb] pm3 --> lf t5 info

[=] --- T55x7 Configuration & Information ---------
[=]  Safer key                 : 6 - passwd
[=]  reserved                  : 0
[=]  Data bit rate             : 5 - RF/64
[=]  eXtended mode             : No
[=]  Modulation                : 8 - Manchester
[=]  PSK clock frequency       : 0 - RF/2
[=]  AOR - Answer on Request   : No
[=]  OTP - One Time Pad        : No
[=]  Max block                 : 2
[=]  Password mode             : No
[=]  Sequence Terminator       : No
[=]  Fast Write                : No
[=]  Inverse data              : No
[=]  POR-Delay                 : No
[=] -------------------------------------------------------------
[=]  Raw Data - Page 0, block 0
[=]  60148040 - 01100000000101001000000001000000
[=] --- Fingerprint ------------

[usb] pm3 --> lf sear

[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID 01A8FB6139
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 8015DF869C
[=] HoneyWell IdentKey
[+]     DEZ 8          : 16474425
[+]     DEZ 10         : 2835046713
[+]     DEZ 5.5        : 43259.24889
[+]     DEZ 3.5A       : 001.24889
[+]     DEZ 3.5B       : 168.24889
[+]     DEZ 3.5C       : 251.24889
[+]     DEZ 14/IK2     : 00007130014009
[+]     DEZ 15/IK3     : 000550122784412
[+]     DEZ 20/ZK      : 08000105131508060912
[=]
[+] Other              : 24889_251_16474425
[+] Pattern Paxton     : 34578233 [0x20F9F39]
[+] Pattern 1          : 16686602 [0xFE9E0A]
[+] Pattern Sebury     : 24889 123 8085817  [0x6139 0x7B 0x7B6139]
[+] VD / ID            : 001 / 2835046713
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
[usb] pm3 --> lf t5 trace
[=] --- T55x7 Trace Information ----------------------------------
[=]  ACL Allocation class (ISO/IEC 15963-1)  : 0xE0 ( 224 )
[=]  MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x15 ( 21 ) - ATMEL France
[=]  CID                                     : 0x01 ( 1 ) - ATA5577M1
[=]  ICR IC Revision                         : 2
[=]  Manufactured
[=]      Year/Quarter... 2015/1
[=]      Lot ID......... 2647
[=]      Wafer number... 9
[=]      Die Number..... 975
[=] -------------------------------------------------------------
[=]  Raw Data - Page 1
[=]      Block 1... E0150A54 - 11100000000101010000101001010100
[=]      Block 2... A57483CF - 10100101011101001000001111001111

[usb] pm3 --> lf t5 det
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 5 - RF/64
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... Yes
[=]  Block0............ 60148040 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

[usb] pm3 --> lf t5 dump

[=] ------------------------- T55xx tag memory -----------------------------

[+] Page 0
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 60148040 | 01100000000101001000000001000000 | `..@
[+]  01 | FF80748F | 11111111100000000111010010001111 | ..t.
[+]  02 | AEC19A54 | 10101110110000011001101001010100 | ...T
[+]  03 | 6656966A | 01100110010101101001011001101010 | fV.j
[+]  04 | 00000000 | 00000000000000000000000000000000 | ....
[+]  05 | 00000000 | 00000000000000000000000000000000 | ....
[+]  06 | 00000000 | 00000000000000000000000000000000 | ....
[+]  07 | 00000000 | 00000000000000000000000000000000 | ....

[+] Page 1
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 60148040 | 01100000000101001000000001000000 | `..@
[+]  01 | E0150A54 | 11100000000101010000101001010100 | ...T
[+]  02 | A57483CF | 10100101011101001000001111001111 | .t..
[+]  03 | 00000000 | 00000000000000000000000000000000 | ....
[+] Saved 48 bytes to binary file `/home/user/lf-t55xx-FF80748F-AEC19A54-6656966A-dump-001.bin`
[+] Saved to json file `/home/user/lf-t55xx-FF80748F-AEC19A54-6656966A-dump-001.json`
[usb] pm3 --> hw tune

[=] -------- Reminder ----------------------------
[=] `hw tune` doesn't actively tune your antennas.
[=] It's only informative.
[=] Measuring antenna characteristics...
 🕛   9

[=] -------- LF Antenna ----------
[+] 125.00 kHz ........... 32.76 V
[+] 134.83 kHz ........... 22.89 V
[+] 126.32 kHz optimal.... 32.82 V
[+]
[+] Approx. Q factor measurement
[+] Frequency bandwidth... 8.7
[+] Peak voltage.......... 9.5
[+] LF antenna............ ok

[=] -------- HF Antenna ----------
[+] 13.56 MHz............. 14.90 V
[+]
[+] Approx. Q factor measurement
[+] Peak voltage.......... 4.3
[+] HF antenna ( ok )

[=] -------- LF tuning graph ------------
[+] Orange line - divisor 95 / 125.00 kHz
[+] Blue line - divisor   88 / 134.83 kHz

[!] ⚠️  You appear to be on an environment without an X11 server or without DISPLAY environment variable set.
[!] ⚠️  Plot may not work until you resolve these issues.


[=] Q factor must be measured without tag on the antenna

[usb] pm3 --> lf t5 write -b 0 -d 000880E0 --verify
[=] Writing page 0  block: 00  data: 0x000880E0
[!] ⚠️  Write could not validate the written data
[usb] pm3 --> lf t5 write -b 1 -d 00000000 --verify
[=] Writing page 0  block: 01  data: 0x00000000
[!] ⚠️  Write could not validate the written data
[usb] pm3 --> lf t5 write -b 2 -d 00000000 --verify
[=] Writing page 0  block: 02  data: 0x00000000
[!] ⚠️  Write could not validate the written data
[usb] pm3 --> lf t5 write -b 3 -d 00000000 --verify
[=] Writing page 0  block: 03  data: 0x00000000
[+] Write OK, validation successful
[usb] pm3 --> lf t5 write -b 4 -d 00000000 --verify
[=] Writing page 0  block: 04  data: 0x00000000
[+] Write OK, validation successful
[usb] pm3 --> lf t5 write -b 5 -d 00000000 --verify
[=] Writing page 0  block: 05  data: 0x00000000
[+] Write OK, validation successful
[usb] pm3 --> lf t5 write -b 6 -d 00000000 --verify
[=] Writing page 0  block: 06  data: 0x00000000
[+] Write OK, validation successful
[usb] pm3 --> lf t5 dump

[=] ------------------------- T55xx tag memory -----------------------------

[+] Page 0
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 60148040 | 01100000000101001000000001000000 | `..@
[+]  01 | FF80748F | 11111111100000000111010010001111 | ..t.
[+]  02 | AEC19A54 | 10101110110000011001101001010100 | ...T
[+]  03 | 00000000 | 00000000000000000000000000000000 | ....
[+]  04 | 00000000 | 00000000000000000000000000000000 | ....
[+]  05 | 00000000 | 00000000000000000000000000000000 | ....
[+]  06 | 00000000 | 00000000000000000000000000000000 | ....
[+]  07 | 00000000 | 00000000000000000000000000000000 | ....

[+] Page 1
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 60148040 | 01100000000101001000000001000000 | `..@
[+]  01 | E0150A54 | 11100000000101010000101001010100 | ...T
[+]  02 | A57483CF | 10100101011101001000001111001111 | .t..
[+]  03 | 00000000 | 00000000000000000000000000000000 | ....
[+] Saved 48 bytes to binary file `/home/user/lf-t55xx-FF80748F-AEC19A54-dump-001.bin`
[+] Saved to json file `/home/user/lf-t55xx-FF80748F-AEC19A54-dump-001.json`
[usb] pm3 -->
2

Can I ask what your goal is manually writing to block 0 etc ?

1 Like
3

Sorry I forgot to mention that my need is to clone an HID Prox card, which won’t work. I am trying the write commands to troubleshoot why it won’t work. Here is some additional data. Let me know if this is a good way to go about it.

Trying to clone original access fob:
Note: xx is to obfuscate the actual key

[=]
[=] Checking for known tags...
[=]
[+] [H10301  ] HID H10301 26-bit                FC: 1xx  CN: 432xx  parity ( ok )
[+] [ind26   ] Indala 26-bit                    FC: 31xx  CN: 22xx  parity ( ok )
[=] found 2 matching formats
[+] DemodBuffer:
[+] 1D555955556A95AA6656966A

[=] raw: 0000000000000020078f51xx

[+] Valid HID Prox ID found!``
type or paste code here

Here is what I get when I try:

[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID 01A8FB6139
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 8015DF869C
[=] HoneyWell IdentKey
[+]     DEZ 8          : 16474425
[+]     DEZ 10         : 2835046713
[+]     DEZ 5.5        : 43259.24889
[+]     DEZ 3.5A       : 001.24889
[+]     DEZ 3.5B       : 168.24889
[+]     DEZ 3.5C       : 251.24889
[+]     DEZ 14/IK2     : 00007130014009
[+]     DEZ 15/IK3     : 000550122784412
[+]     DEZ 20/ZK      : 08000105131508060912
[=]
[+] Other              : 24889_251_16474425
[+] Pattern Paxton     : 34578233 [0x20F9F39]
[+] Pattern 1          : 16686602 [0xFE9E0A]
[+] Pattern Sebury     : 24889 123 8085817  [0x6139 0x7B 0x7B6139]
[+] VD / ID            : 001 / 2835046713
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
[usb] pm3 --> lf t5 detect
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
[=]  Bit rate.......... 5 - RF/64
[=]  Inverted.......... No
[=]  Offset............ 33
[=]  Seq. terminator... Yes
[=]  Block0............ 60148040 (auto detect)
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

[usb] pm3 --> lf hid clone -w H10301 --fc 1xx --cn 432xx
[=] Preparing to clone HID tag
[+] [H10301  ] HID H10301 26-bit                FC: 1xx  CN: 432xx  parity ( ok )
[?] Hint: try `lf hid reader` to verify
[=] Done!
[usb] pm3 --> lf sear

[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID 01A8FB6139
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 8015DF869C
[=] HoneyWell IdentKey
[+]     DEZ 8          : 16474425
[+]     DEZ 10         : 2835046713
[+]     DEZ 5.5        : 43259.24889
[+]     DEZ 3.5A       : 001.24889
[+]     DEZ 3.5B       : 168.24889
[+]     DEZ 3.5C       : 251.24889
[+]     DEZ 14/IK2     : 00007130014009
[+]     DEZ 15/IK3     : 000550122784412
[+]     DEZ 20/ZK      : 08000105131508060912
[=]
[+] Other              : 24889_251_16474425
[+] Pattern Paxton     : 34578233 [0x20F9F39]
[+] Pattern 1          : 16686602 [0xFE9E0A]
[+] Pattern Sebury     : 24889 123 8085817  [0x6139 0x7B 0x7B6139]
[+] VD / ID            : 001 / 2835046713
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands
[usb] pm3 -->```

I also tried indala:
```[usb] pm3 --> lf indala clone --fc 31xx --cn 22xx
[=] Using Indala 64 bit, FC 122 CN 2251
[=] Preparing to clone Indala 64 bit to T55x7 raw A0000000E34BE8xx
[+] Blk | Data
[+] ----+------------
[+]  00 | 00081040
[+]  01 | A0000000
[+]  02 | E34BE8xx
[=] Block0 write detected, running `detect` to see if validation is possible
[+] Done
[?] Hint: try `lf indala reader` to verify
[usb] pm3 --> lf sear

[=] Note: False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] EM 410x ID 01A8FB6139
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID      : 8015DF869C
[=] HoneyWell IdentKey
[+]     DEZ 8          : 16474425
[+]     DEZ 10         : 2835046713
[+]     DEZ 5.5        : 43259.24889
[+]     DEZ 3.5A       : 001.24889
[+]     DEZ 3.5B       : 168.24889
[+]     DEZ 3.5C       : 251.24889
[+]     DEZ 14/IK2     : 00007130014009
[+]     DEZ 15/IK3     : 000550122784412
[+]     DEZ 20/ZK      : 08000105131508060912
[=]
[+] Other              : 24889_251_16474425
[+] Pattern Paxton     : 34578233 [0x20F9F39]
[+] Pattern 1          : 16686602 [0xFE9E0A]
[+] Pattern Sebury     : 24889 123 8085817  [0x6139 0x7B 0x7B6139]
[+] VD / ID            : 001 / 2835046713
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[+] Chipset detection: T55xx
[?] Hint: try `lf t55xx` commands

Current dump:
```[usb] pm3 --> lf t5 dump

[=] ------------------------- T55xx tag memory -----------------------------

[+] Page 0
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 60148040 | 01100000000101001000000001000000 | `..@
[+]  01 | FF80748F | 11111111100000000111010010001111 | ..t.
[+]  02 | AEC19A54 | 10101110110000011001101001010100 | ...T
[+]  03 | 6656966A | 01100110010101101001011001101010 | fV.j
[+]  04 | 00000000 | 00000000000000000000000000000000 | ....
[+]  05 | 00000000 | 00000000000000000000000000000000 | ....
[+]  06 | 00000000 | 00000000000000000000000000000000 | ....
[+]  07 | 00000000 | 00000000000000000000000000000000 | ....

[+] Page 1
[+] blk | hex data | binary                           | ascii
[+] ----+----------+----------------------------------+-------
[+]  00 | 60148040 | 01100000000101001000000001000000 | `..@
[+]  01 | E0150A54 | 11100000000101010000101001010100 | ...T
[+]  02 | A57483CF | 10100101011101001000001111001111 | .t..
[+]  03 | 00000000 | 00000000000000000000000000000000 | ....
[+] Saved 48 bytes to binary file `/home/user/lf-t55xx-FF80748F-AEC19A54-6656966A-dump-002.bin`
[+] Saved to json file `/home/user/lf-t55xx-FF80748F-AEC19A54-6656966A-dump-002.json````
4

Have you tried cloning to the target tag with some other device that may have said a password? Generally speaking a t5577 chip will not accept new configurations if a password is set and you are not submitting a matching password.

1 Like
5

Within the first few days I tried to clone with a black chinese cloner (see pic) X-Copy1 or something. It failed to write and I gave up after a few tries. This was before I knew about the issues with the cloners. Is there a way to check if there is a password without destroying the chip if there isn’t one? Can you tell me the process which locks the blocks with a password without setting bit 28 on? Thanks.

cloner
cloner1343×1080 319 KB

6

I guess the ultimate question is: assuming good coupling and no software issues and given what I have tried in so far, is there any scenario at all besides password protection in which the t5577 in the xEM would refuse to write to block 0, block 1, and block 2 on page 0 but is still able write to the other blocks?

Is it possible the bit 0 (L) for those blocks got set somehow?

7

thats probably the problem.

Generally speaking there are a few common passwords, but im not sure of the Black cloner one.

It might. e a white cloner in a black case, so that could be a good starting point.

Let me findnyou some resources to try.

Give me a bit, as i am tied up with something else at tbe moment.

But heres a start

1 Like
8

as you can see from my rushed reply and spelling mistakes…

Heres some good info to try.

If these dont work, we can try to sniff your password.

But try those :point_up: for now

2 Likes
9

Can you tell me why I am able to write to blocks 3 - 6 if there would be a password set? I am reading datasheets and forum posts but this field is a little too much for me to become fully educated within a short time frame, so pardon my confusion. According to the datasheet the configuration for the T5577 has bit 28 determine whether or not to apply the password lock. Since the T5577 is emulating other cards, would they also have a password lock setting that is independent of this bit?