Hello dear biohacker friends,
Earlier this year, we were excited to bring the xM1+ to you. Our older xM1 product was a Mifare “Classic” S50 1K chip from NXP in a 2mm x 12mm glass tube. The “Mifare Classic” chip has been used for decades in millions of deployments, and is still quite popular regardless of the vulnerabilities discovered with its proprietary “Crypto1” security key protection scheme. Because of the continued popularity of this now legacy chip, we decided to leverage a product from a Chinese chip supplier that specialized in “emulating” the Mifare S50 1k chip’s functionality, with an added feature: allowing a special command to be issued that rendered all security on the chip moot. Furthermore, this command allowed sector 0, which contains the chip’s UID, manufacturer, and Mifare Application Directory data, to be altered. This meant you could hack and clone an existing Mifare S50 1k card or tag to your xM1+, including the ID number, and use it with these legacy systems instead of the original card, keyfob, or tag. This type of “emulator” chip is called a “generation 1” or gen1 “Chinese Magic Backdoor” chip, or sometimes called a “mifare zero” chip (since sector 0 is writable). There are other chips that perform the same function, however they have no special command… sector 0 is simply unlocked, and can be written to. These are colloquially referred to as “gen2”.
The difference between gen1 and gen2 is that the gen1 chips with the special command are completely unsecured… meaning once the special command is issued, it does not matter what the access key settings are for each sector; you can simply overwrite any sector, without even needing to know the access keys or perform a Crypto1 authentication. A gen2 chip functions more like a straightforward legitimate Mifare S50 1k chip, meaning you will need proper access keys and will need to perform authentication before you can write to any sector, including sector 0. There are pros and cons to each chip type, and for the purposes of an implant, the gen1 chip has clear advantages.
Unfortunately, there were delays in getting the xM1+ manufactured, and our pre-sale customers began questioning the status of their orders. I put pressure on our chip supplier to please expedite delivery of the bare die chips so we could produce the xM1+ in our factory. So, rather than honor the specifications we supplied for the die chip order, they chose to simply fill the order with a “mixed bag” of chips. Because it is not possible to test high frequency x-series products once inside the injection assembly, we test each and every x-series chip beforehand. Unfortunately our test procedure was a simple read test to ensure it performed well and was not a “dud”. This resulted in our missing the fact that some of the chips used to make the xM1+ were not to our specifications. We’ve since updated our mid-manufacturing test procedure to include a full functional test. After further delays getting the xM1+ injector assemblies sterilized, we received and spot-checked the batch by opening a handful of injectors, ejecting the chips, and testing them. They all checked out fine, so we confidently shipped to customers.
We first found out about this potential issue by way of a forum post by @mzombie, detailing that when scanning his xM1+ with the proxmark3 RFID diagnostic device, it was reporting that “No chinese magic backdoor command detected”. I immediately began testing the handful of xM1+ glass chips I had on my desk, and found they all responded to the proxmark3 as they should… so I started opening injectors and ejecting chips for testing. I began to find chips that indicated “no chinese magic backdoor command detected”. I then performed a write test to block 0 to find that, in fact, I could update some of these xM1+ chips that way… meaning they were likely gen2 chips… so I immediately halted sales of the xM1+ and issued an email warning to all xM1+ customers, alerting them to the fact there could be an issue and to hold off doing anything with their xM1+ chips.
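The gap between the original read test and a full functional test can be shown in a small simulation. This is an added example, not the author's own test procedure or code: `SimTag`, `KEY`, `read_only_test` and `functional_test` are hypothetical names, and the tags are modeled in software (constructed data) rather than driven through a proxmark3.

```python
# Added example: simulated tags only; no RFID hardware, no real command bytes.
from dataclasses import dataclass, field

KEY = b"\xff" * 6          # constructed sector key for the simulation
BLANK = bytes(16)          # constructed block 0 contents

@dataclass
class SimTag:
    kind: str              # "genuine", "gen1", "gen2" or "dud"
    blocks: dict = field(default_factory=lambda: {0: BLANK})
    authed: bool = False
    unlocked: bool = False

    def backdoor(self) -> bool:
        # Only gen1 answers the special command; afterwards keys are ignored.
        self.unlocked = self.kind == "gen1"
        return self.unlocked

    def auth(self, key: bytes) -> bool:
        self.authed = self.kind != "dud" and key == KEY
        return self.authed

    def read(self, block: int):
        return self.blocks.get(block) if self.authed or self.unlocked else None

    def write(self, block: int, data: bytes) -> bool:
        if block == 0:     # modeled as read-only on a genuine S50
            ok = self.unlocked or (self.kind == "gen2" and self.authed)
        else:
            ok = self.authed or self.unlocked
        if ok:
            self.blocks[block] = data
        return ok

def read_only_test(tag: SimTag) -> bool:
    """Authenticate and read: passes for every working chip type."""
    return tag.auth(KEY) and tag.read(0) is not None

def functional_test(tag: SimTag) -> str:
    """Probe the special command, then try an authenticated block 0 write."""
    if tag.backdoor():
        return "gen1"
    if not tag.auth(KEY):
        return "dud"
    original = tag.read(0)
    if tag.write(0, b"\xa5" * 16):
        tag.write(0, original)      # restore what was there
        return "gen2"
    return "genuine"
```

The read test only separates duds from working chips, which is why a mixed batch passed it; the functional test sorts each chip by the two behaviours described above.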
We’ve since confirmed with the supplier that many gen2 chips have been mixed in with gen1 chips; however, their gen2 chips are not “stable”, so some may not work at all or not work as expected. This is terrible news. Infuriating news. I’m deeply sorry and apologize to our intrepid customers who are on this adventure with us. I’m especially sorry to those of you who have already installed your xM1+… you trust that our products are fully tested and top quality, and this is a black mark on that trust. I hope we can rebuild that trust.
Right now we are working out a permanent solution to the problem so we can get the xM1+ back on the market, but we have no ETA for this since we need to have a long interaction with our bare die chip vendor, and possibly source an alternative. The immediate solution we have worked out for current customers is this: you do not have to return anything to us… but moving forward you can choose one of the following options:
We can issue you a refund. Or…
We have tested a number of xM1+ chips to ensure they are functional and contain a gen1 chip. To do this we had to remove the chips from the sterile injector assembly. We can ship you an xM1+ in a small vial with chlorhexidine. You can take this to one of our piercing partners and have them install it using an 8g needle and taper.
Please fill out this form to let us know what you’d like to do. Thank you for your grace and patience as we work through this issue.