XM1+ can’t write to blk 1

Hi everybody! I have some problems with my implant that I implanted last week. I have searched the web and Discord, but I can’t find the answer anywhere. The implant is from the first batch of Dangerous Things XM1+ implant (s50 1kb standard: ISO14443A) that came out a few years ago (gen1).

I have a lot of mifare s50 gen1 fobs that I worked on before and tested all the steps involved before writing to the implant with my proxmark. But, now when I try to write to the implant it behaves oddly.

I can write to all sectors and blocks but not block 1 in sector 0.

- I have the latest version of software for the proxmark.
- I have good coupling with the proxmark (used hf tune and hf 14a reader -@) and the implant is oriented on the proxmark as shown in Amal’s YouTube video.
- I have no trauma or swelling left after the needle.
- I have tested all different commands: cwipe (error), cload (error), restore (writes all but block 1), csetblk (error), wrbl (error).
- Tested the remagic lua script.
- All the keys are FFFFFFFFFFFF.

This is an example of the output from the proxmark:


hf mf csetbl --blk 1 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[=] Writing block number: 1 data:FFFFFFFFFFFFFF078000FFFFFFFFFFFF
[#] write block send data error
[!!] Can’t write block. error=-1


[usb] pm3 → hf mf wrbl -k FFFFFFFFFFFF --blk 1 -d 00000000000000000000000000000000 --force
[=] Writing block no 1, key A - FFFFFFFFFFFF
[=] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[-] Write ( fail )

*(tested key B as well)


hf search gives me
Output:

[+] UID: 00 56 78 BB
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities… Gen 1a
[+] Prng detection… weak


Does anyone have some tips or tricks? Maybe I am doing something wrong, or did I get a bad implant?

Thank you for your time :slightly_smiling_face:

1 Like

All of this combined makes me think coupling issues instead of a bad implant. The PM3 isn’t especially easy to get a good connection to x-series implants, and fresh implants are particularly difficult to couple to.

Wait a week or two and see if results improve.

2 Likes

I 100% agree with @Aoxhwjfoavdlhsvfpzha, I’m just jumping in to say

Great write up @aws. The processes you followed and information you provided were great. It may seem small to you, but to us it means we don’t have to go back and forward with you dragging the information out.
It’s appreciated.

“I have no NOTICEABLE trauma or swelling left after the needle”

It will be there.

3 Likes

Something to consider as well… can you confirm gen1a using a proxmark3? There was a short time we sold legitimate mifare s50 1k chips as “xM1” … is your proxmark3 confirming it’s a magic chip?

It seems to think it is…

2 Likes

yeah I’m thinking we’re back to coupling issues tbh

3 Likes

Thank you, it’s true it can still have trauma even if it’s not noticeable. Will wait a week and try again.

2 Likes

Thank you for your time, will wait a week and try again :smile:

2 Likes

Hi again, had the implant for almost a month now. I can still read and write to all sectors and blocks, except block 1 in sector 0. The Proxmark has no problem finding the tag. I have an ACR122U and it can detect the tag and it can write to all blocks but still not block 1 in sector 0. Same with my old Samsung phone (no magic commands so no UID change tested): can’t write to block 1 in sector 0.

It feels like it’s something wrong with the tag?

I’m no proxmark aficionado but might be worth having a look at this post to see if the remagic script or wiping as “hf mf cwipe wf” works if the problem is isolated to sector 0.

1 Like

Thanks, have tried remagic but no change. The cwipe can’t wipe block 1 so it fails.

My hunch is that either it’s a gen2 or a legit mifare chip.

1 Like

have you tried MCT?

great for using with Mifare Classic gen2 IF it is a gen2

2 Likes

Hi Amal, it’s from your first batch of xM1+ implants (see attachment), and I can change the UID with gen1 commands so it’s not a generic mifare and it seems to be a gen1. I have tried to change block 1 with MCT as well but sector 0 block 1 will not change.
Nothing is working for that block.

1 Like

Hmm ok let’s define exactly what you mean by sector 0 block 1?

Can you scan your chip with tag info and post, highlighting what you’re trying to change?

2 Likes

Hi Amal, I am trying to change the implant with the proxmark as per my first post, for example:

hf mf wrbl -k FFFFFFFFFFFF --blk 1 -d 00000000000000000000000000000000 *(tested key B as well)
and with:
hf mf csetbl --blk 1 -d FFFFFFFFFFFFFF078000FFFFFFFFFFFF

(and have tried restore, cwipe and cload and remagic lua script)

That’s the block 1 I am talking about, I guess that’s the Sector #0 Block #1 in your image.

I only tried to change it with an android phone and the ACR122U when I realised the implant could not accept write commands to block 1 sector 0 with the proxmark. I still can’t and never have been able to write to block 1 sector 0. As I wrote in my previous post I have a lot of magic cards that I tried on before writing to the implant, and had no problem at all. Attaching an image from the Tag info app:

greatly appreciate your help :cry:

Let’s get something out of the way first… can you update sector 0 at all? For example, can you change the UID?

Yes I can change the UID and all other blocks, but not Sector #0 Block #1.

Ok and what is the process for changing the UID that you use? I’m sorry to break this down to the fundamentals but there’s either a problem with procedure or this chip just has an unwritable block 1 which I’ve never heard of before… still possible with grey market Chinese magic chips… but yeah let’s just walk through it bit by bit.

1 Like

No problem at all, really appreciate your thoroughness. I have used both the csetuid and the csetblk to change the UID