xM1 Proxmark ATQA:00 Anticollision Error

Hi Everyone,

I was trying to put something on the xM1 but never really got far. I practiced on similar tags/cards to the xM1 so I was familiar with the process. I was trying to put the practice into action and write to the xM1 but got some odd errors.

Find below a screenshot (proxmark is a PM3 Easy) detailing the error, some additional info and fixes I tried (that don't want to stick).
Currently just looking to get the xM1 to reply properly to “hf search” and I'll call it a day and do more reading before writing anything to it again.
Happy for any suggestion, advice and can provide further screenshots/info if needed.

Hi again,
Small update with some more info but no solution (yet).

I am running a PM3 Easy and have updated the client (Iceman fork), bootrom (Iceman) and OS (Iceman). Big thanks to Iceman!

[usb] pm3 --> hw ver

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 23:29:11
  compiled with GCC 7.5.0 OS:Linux ARCH:x86_64

 [ PROXMARK3 ]

 [ ARM ]
  bootrom: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 22:32:11
       os: RRG/Iceman/master/v4.9237-618-g84a49bf0 2020-07-23 22:32:18
  compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599]

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
  HF image built for 2s30vq100 on 2020-01-12 at 15:31:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 227408 bytes (43%) Free: 296880 bytes (57%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

I've done some reading and it looks like the tag is ‘damaged’ and needs repair. From what I've read, what should solve a bad block 0 on a magic tag is:
*Rewriting UID, ATQA & SAK - hf mf csetuid
*Running the scripts Remagic.lua & formatMifare.lua

I have tried the above and still have the same issue as before. Not sure if I have mistaken the problem for something else, in which case these steps wouldn't work anyway.
Here is the output of the commands, each followed by a test (hf 14a read) to see if it has worked.

Rewriting UID, ATQA & SAK with csetuid:

[usb] pm3 --> hf mf csetuid 01020304 0004 08 w
--wipe card:YES  uid:01 02 03 04
[#] Assuming Magic Gen 1B tag. [wupC2 failed]
[#] wupC1 error
[-] ⛔ couldn't get old data. Will write over the last bytes of Block 0.
[+] new block 0:  01 02 03 04 04 08 04 00 00 00 00 00 00 00 00 00
[+] Old UID : 00 00 00 00
[+] New UID : 01 02 03 04
[usb] pm3 --> hf 14a read
[=] Card doesn't support standard iso14443-3 anticollision
[+] ATQA: 00 00

Running some scripts that should help ‘revive’ a bad magic tag:

[usb] pm3 --> scr ru remagic.lua
[+] executing lua /usr/local/bin/../share/proxmark3/luascripts/remagic.lua
[+] args ''
hf 14a raw -p -a -b 7 40
received 1 bytes
0A
hf 14a raw -p -a 43
received 1 bytes
0A
hf 14a raw -c -p -a A000
received 1 bytes
0A
hf 14a raw -c -p -a 01020304049802000000000000001001
received 1 bytes
0A
hf 14a raw -c -a 5000
received 0 bytes
hf mf csetbl 3 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number: 3 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 7 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number: 7 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 11 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:11 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 15 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:15 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 19 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:19 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 23 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:23 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 27 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:27 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 31 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:31 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 35 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:35 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 39 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:39 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 43 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:43 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 47 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:47 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 51 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:51 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 55 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:55 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 59 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:59 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 63 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:63 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF

[+] finished remagic.lua

[usb] pm3 --> hf 14a re
[=] Card doesn't support standard iso14443-3 anticollision
[+] ATQA: 00 00

If it helps anyone (seen it commonly asked for when troubleshooting) here is the output from hf 14a list:

[usb] pm3 --> hf 14a li
[=] downloading tracelog from device
[+] Recorded activity (trace len = 21 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)
      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2100 |       4468 | Tag |00  00                                                                   |     |

If anyone has any suggestions to what has happened or what to try, I’m all ears. Please make me aware if you believe this tag is bricked (not worth trying to revive) and please explain why you think this. I really want to learn more about this particular issue so happy for any advice. Thanks in advance.
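The block 0 that `hf mf csetuid` assembles above (UID, BCC, SAK, ATQA, manufacturer bytes) and the WUPA/ATQA exchange in the `hf 14a list` trace, as an added Python example that is not part of the original thread or of the Proxmark project: it builds and checks a block 0, applies the ISO/IEC 14443-3 ATQA rules that make an answer of 00 00 unusable for anticollision, and extracts the ATQA from a constructed `hf 14a list` dump modelled on the one posted. The ATQA check is written from the standard rather than copied from the Proxmark client, and the sample trace is constructed, not a real capture.

```python
"""Block 0 of a 4-byte-UID MIFARE Classic (gen1a clones included) and the ATQA it answers.

Block 0 layout: UID (4) | BCC (1) | SAK (1) | ATQA (2, LSB first) | 8 manufacturer bytes,
with BCC = XOR of the UID bytes. The ATQA rules are taken from ISO/IEC 14443-3 and are
an approximation of the Proxmark client's own check, not a copy of it.
"""
from __future__ import annotations

import re


def bcc(uid: bytes) -> int:
    """Block check character: XOR of the four UID bytes."""
    if len(uid) != 4:
        raise ValueError("only single-size (4-byte) UIDs are handled here")
    x = 0
    for b in uid:
        x ^= b
    return x


def build_block0(uid: bytes, atqa: int, sak: int, manufacturer: bytes = bytes(8)) -> bytes:
    """Assemble block 0 as `hf mf csetuid <uid> <atqa> <sak>` does; atqa 0x0004 is stored as 04 00."""
    if len(manufacturer) != 8:
        raise ValueError("manufacturer data is 8 bytes")
    return uid + bytes([bcc(uid), sak & 0xFF]) + atqa.to_bytes(2, "little") + manufacturer


def parse_block0(block0: bytes) -> dict:
    """Split block 0 into its fields and check that the stored BCC matches the UID."""
    if len(block0) != 16:
        raise ValueError("block 0 is 16 bytes")
    uid = block0[0:4]
    return {"uid": uid.hex(), "bcc_ok": block0[4] == bcc(uid), "sak": block0[5],
            "atqa": int.from_bytes(block0[6:8], "little"), "manufacturer": block0[8:16].hex()}


def atqa_problems(atqa: int) -> list[str]:
    """ISO 14443-3 rule violations in an ATQA value; an empty list means it looks valid.

    Low byte: b1..b5 bit-frame anticollision (exactly one bit set), b7..b8 UID size
    (0 single, 1 double, 2 triple, 3 RFU). High byte: b5..b8 are RFU and must be zero.
    """
    low, high = atqa & 0xFF, (atqa >> 8) & 0xFF
    problems = []
    if bin(low & 0x1F).count("1") != 1:
        problems.append("bit-frame anticollision field does not have exactly one bit set")
    if (low >> 6) & 0x3 == 0x3:
        problems.append("UID size bits hold the RFU value 11")
    if high & 0xF0:
        problems.append("RFU bits in the high byte are set")
    return problems


# One data row of `hf 14a list`: start | end | Rdr/Tag | hex bytes (! marks a parity error) | ...
_TRACE_ROW = re.compile(r"^\s*\d+\s*\|\s*\d+\s*\|\s*(Rdr|Tag)\s*\|([^|]*)\|")


def parse_trace(text: str) -> list[tuple[str, bytes]]:
    """Extract (source, data) pairs from `hf 14a list` output; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _TRACE_ROW.match(line)
        if m:
            rows.append((m.group(1), bytes.fromhex(m.group(2).replace("!", "").replace(" ", ""))))
    return rows


def atqa_from_trace(text: str) -> int | None:
    """ATQA answered to the first REQA (26) / WUPA (52), or None if the tag gave no 2-byte reply."""
    rows = parse_trace(text)
    for (src, data), (nxt_src, nxt_data) in zip(rows, rows[1:]):
        if src == "Rdr" and data in (b"\x26", b"\x52") and nxt_src == "Tag":
            return int.from_bytes(nxt_data, "little") if len(nxt_data) == 2 else None
    return None


# Constructed dump in the format of the thread's `hf 14a list` output (not a real capture).
SAMPLE_TRACE = """\
      Start |        End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------+-----+-----------
          0 |        992 | Rdr |52                             |     | WUPA
       2100 |       4468 | Tag |00  00                         |     |
"""

if __name__ == "__main__":
    print(parse_block0(bytes.fromhex("03040d1c16080400010f010d0508181d")))  # the pre-write block 0
    print(build_block0(bytes.fromhex("01020304"), 0x0004, 0x08).hex())      # what csetuid wrote
    atqa = atqa_from_trace(SAMPLE_TRACE)
    if atqa is not None:
        print(f"ATQA from trace: {atqa:#06x}", atqa_problems(atqa))
```

Two things this makes visible. The block 0 from the original read, 03 04 0d 1c 16 08 04 00 ..., is well-formed: 03 XOR 04 XOR 0d XOR 1c = 0x16, which is exactly the stored BCC, so the dump taken before any write is a good restore image. And an ATQA of 00 00 has no anticollision bit set at all, so a reader following ISO 14443-3 has no bit-frame anticollision to run; whatever the chip is doing, it is not answering WUPA the way a MIFARE Classic does.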

Looking at the list command,

The reader is only sending a single command before the tag responds with something invalid.

I suspect the tag is dead, and the revival scripts aren’t working because they can’t ‘select’ the card and put it in a wake up/ready state.

That said, I haven’t done much tag-revival research, and of course being an implant makes it more complex. If it was a standard tag I would have just put it in a ‘fix one day’ pile and moved on with my day.

Good luck, and thanks for documenting all you’ve tried!


When I fried an M1 S50, I fixed it with “hf mf cwipe” then running the remagic.lua script. I never had to use the mifare format script.

The fact that search, read and info give you nothing is concerning. A cwipe will null out the card, and remagic.lua will add all the mifare magic you stripped from it with the cwipe. In the end, I’m wondering if you have a really poor connection and it’s just not communicating. Did you try reading the tag with a phone to verify it before messing with proxmark read/write?


Thanks for the reply and info!

I suspect the tag is dead, and the revival scripts aren’t working because they can’t ‘select’ the card and put it in a wake up/ready state

I was thinking along the same lines but I’m, by no means, a Proxmark/RFID expert. Hoping the tag isn't really dead and is just playing with me.

If [it] was a standard tag…

Before I got my implants, I got a bunch of magic gen1a tags to practice on and so far haven't bricked any. I tried to ‘simulate’ the same issue I'm having with the xM1 on another magic tag and what I mentioned above ‘fixed it’.

…I would have just put it in a ‘fix one day’ pile and moved on with my day.

It's sort of in that pile already since I can't use it in the meantime and have run out of ideas on how to fix it. Just hope it can be revived since it's money spent and taking up some real estate.

Thanks for the reply and advice!

When I fried an M1 S50, I fixed it with “hf mf cwipe” then running the remagic.lua script.

In the past when tags were playing up I would do the same to get a fresh start/reset the tag and start over. That was my first thought when this happened to my xM1 but to no avail.

I never had to use the mifare format script.

I believe it's similar to cwipe but for tags that don't answer to backdoor commands.

The fact that search, read and info give you nothing is concerning. A cwipe will null out the card, and remagic.lua will add all the mifare magic you stripped from it with the cwipe.

This was my understanding as well despite it not working in practice. I think I have tried a cwipe then remagic.lua before but I will try it again (with hf 14a read & hf 14a list for verification) and document the output below:

[usb] pm3 --> hf mf cwipe
 🕛 wipe block 59[#] write block send data error
[!] ⚠️  retry block 59 ...
 🕛 wipe block 63
[+] Card wiped successfully
[usb] pm3 --> scr run remagic.lua --help
[+] executing lua /usr/local/bin/../share/proxmark3/luascripts/remagic.lua
[+] args '--help'
hf 14a raw -p -a -b 7 40
received 1 bytes
0A
hf 14a raw -p -a 43
received 1 bytes
0A
hf 14a raw -c -p -a A000
received 1 bytes
0A
hf 14a raw -c -p -a 01020304049802000000000000001001
received 1 bytes
0A
hf 14a raw -c -a 5000
received 0 bytes
hf mf csetbl 3 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number: 3 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 7 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number: 7 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 11 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:11 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 15 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:15 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 19 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:19 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 23 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:23 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 27 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:27 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 31 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:31 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 35 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:35 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
[#] wupC1 error
[!!] 🚨 Can't write block. error=-1
hf mf csetbl 39 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:39 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 43 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:43 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 47 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:47 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
[#] wupC1 error
[!!] 🚨 Can't write block. error=-1
hf mf csetbl 51 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:51 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
[#] write block send command error
[!!] 🚨 Can't write block. error=-1
hf mf csetbl 55 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:55 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 59 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:59 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
hf mf csetbl 63 FFFFFFFFFFFFFF078000FFFFFFFFFFFF
--block number:63 data:FF FF FF FF FF FF FF 07 80 00 FF FF FF FF FF FF
[#] wupC1 error
[!!] 🚨 Can't write block. error=-1

[+] finished remagic.lua

[usb] pm3 --> hf 14a re
[=] Card doesn't support standard iso14443-3 anticollision
[+] ATQA: 00 00
[usb] pm3 --> hf 14a li
[=] downloading tracelog from device
[+] Recorded activity (trace len = 21 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2100 |       4468 | Tag |00  00                                                                   |     |

In the end, I’m wondering if you have a really poor connection and it’s just not communicating.

I don't think so, as the antenna on the proxmark is flat on the skin or roughly 1mm off. Also, when I don't quite get the positioning right I get an error as if no tag is there:

[usb] pm3 --> hf 14a re
[!] ⚠️  iso14443a card select failed

Did you try reading the tag with a phone to verify it before messing with proxmark read/write?

Yes, I also have a NExT. First thing I did was get a successful read and take a photo of the output. I didn't do it with a phone but with the proxmark initially, and all was well despite worrying for a little while after not getting any reads (due to bad antenna placement and orientation).
Original read of the xM1 before any writing is as follows:

proxmark3> hf sea
UID : 03 04 0d 1c
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK

Valid ISO14443A Tag Found - Quiting Search

Any new ideas or info you think of please let me know as I'm at a loss just now. I will be looking into this more and try to better understand what could be the issue. Any new steps I take to try to revive the tag I will document. Thanks again!

Sounds like you might need to get the attention of @amal to have a look through your results. (That should have done it)
Then he may likely ask you to “click the floaty orange help button”



…get the attention of @amal

I thought about that but wanted to exhaust all other options since it was a result of my doing; not the fault of DT.

floaty orange help button

That damn floaty button.

Also, 39 tabs? Nice nice


I like the way you think :+1: , I also like to leave him alone to get on with EVERYTHING else where possible.

Haha, they are generally something to do with my “to do” list, currently rocking ONLY 24…Winning


Thanks again for the help @Pilgrimsmaster

I also like to leave him alone to get on with EVERYTHING else where possible.

I’ll try to work on fixing the issue and if @amal has any ‘executive’ ideas I'm happy to discuss. I know this is my issue caused by me and thus (ideally) should be solved by me. But my knowledge has been exhausted so I'm happy to hear any and all suggestions.

…they are generally something to do with my “to do” list, currently rocking ONLY 24…

Ever since trying to tackle this issue I’ve had a similar ‘work flow’ but don't let myself see beyond 10, I know I’d get lost too easily :laughing:

Winning

Hahah makes one of us! Hopefully soon to be two???


Honestly the first hurdle I saw was fixing the UID blocks in sector 0 because there are some clear issues there… or were… did sector 0 get sorted out?

Hi Amal, thanks for replying!

The UID & Sector 0 have not been sorted. The commands (hf mf csetuid 01020304) appear to run successfully but the same error is returned. I have also tried hf mf csetblk 0 <32HEX> to no avail.

Command output setting UID with backdoor command and trying to verify the changes.

[usb] pm3 --> hf mf csetuid 22222222 0004 08
--wipe card:NO  uid:22 22 22 22
[+] old block 0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[+] new block 0:  22 22 22 22 00 08 04 00 00 00 00 00 00 00 00 00
[+] Old UID : 00 00 00 00
[+] New UID : 22 22 22 22
[usb] pm3 --> hf mf cgetsc 0

  # | data    |  Sector | 00/ 0x00
----+------------------------------------------------
  0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  1 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  2 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  3 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[usb] pm3 --> hf 14a re
[=] Card doesn't support standard iso14443-3 anticollision
[+] ATQA: 00 00

Command output setting block 0 using backdoor command and trying to verify.
Before trying to write anything to the card I dumped it to a file. From that I copied block 0 and pasted it into the csetblk command.

[usb] pm3 --> hf mf csetblk 0 03040d1c16080400010f010d0508181d
--block number: 0 data:03 04 0D 1C 16 08 04 00 01 0F 01 0D 05 08 18 1D
[usb] pm3 --> hf mf cgetblk 0
--block number: 0
data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[usb] pm3 --> hf 14a read
[=] Card doesn't support standard iso14443-3 anticollision
[+] ATQA: 00 00

Happy for any ideas or suggestions as always.

Asked Iceman for ideas, and incidentally signed up for his Patreon, which I encourage everyone else with a few spare bucks a month to do.


Asked Iceman for ideas

Might’ve beaten you to that but I appreciate it. See my post on the proxmark forum, basically only Iceman replied so far :laughing:

incidentally signed up for his [Iceman’s] Patreon

Congrats, have been meaning to sign up for a while now. COVID has, sadly, made that more difficult.


I saw this from your post…

Please note I am using a PM3 Easy and have disconnected my LF antenna, makes reading the implant easier as I can make it flat.

What I think this means is that you are positioning your hand over the pm3 easy, so removing the LF antenna makes that easier… however… the HF coil is actually on the bottom PCB. This separation is good for cards but terrible for implants. Flip the pm3 over and put your hand on the bottom pcb. Take a peek in there and you’ll see the HF coil is printed on the bottom PCB not the top one with the silkscreening.


Photos speak louder than words so attach some pix of you with your hand on the pm3 for confirmation. Frankly if you were positioning your hand over it on the top PCB, I’m shocked you got anything to work at all.


some pix

Here are some pix and an explanation of what's happening.

Here is the PM3 Easy without the LF antenna, middle layer and all the standoffs removed.

To make it easier to show and also helps me with alignment, I put some sharpie around where my xM1 sits.

This is a good image that shows the PM3 resting atop the implant making sure the antenna is perpendicular to the implant. I usually extend my small finger/pinky a little to help with stability.

Not the best image but it can be seen that the PM3 is just resting on the hand at a little angle, paying particular attention to the antenna:implant placement.

…if you were positioning your hand over it on the top PCB…

I somewhat started like that. I did it with the PM3 stripped back to a single board and would rest my hand as best I could perpendicular to the antenna but this was never consistent.


Hmm yeah that looks good to me… dang


Thanks for the reply and glad to know it's not something small I'm doing wrong (although that would be an easy fix :laughing:).

@amal I remember reading somewhere (will update if I find the source) that the xM1 chips are acquired from a grey market vendor so there is no guarantee it's a ‘genuine’ Gen1a. Is there any chance this is a Gen2 that's slipped through?
I understand the way to check this would be to issue a backdoor command and if it responds it's a Gen1a (correct me if wrong). When I issue backdoor commands now the command ‘completes’ but the changes don't stick on the tag.

See below for example:
proxmark3> hf mf csetuid 03040d1c 0004 08
uid:03 04 0d 1c
--atqa:00 04 sak:08
Chinese magic backdoor commands (GEN1a) detected
old block 0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
new block 0:  03 04 0d 1c 16 08 04 00 00 00 00 00 00 00 00 00
old UID:00 00 00 00
new UID: 03 04 0d 1c

proxmark3> hf mf cgetsc 0
--sector number:0
Chinese magic backdoor commands (GEN1a) detected
block 0 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
block 1 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
block 2 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
block 3 data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Trailer decoded:
Key A: 000000000000
Key B: 000000000000
Access block 0: read AB; write AB; increment AB; decrement transfer restore AB
Access block 1: read AB; write AB; increment AB; decrement transfer restore AB
Access block 2: read AB; write AB; increment AB; decrement transfer restore AB
Access block 3: read A by A; read ACCESS by A; read B by A; write B by A
UserData: 00

In case there is no hope of reviving the tag, it may come to the point of removing (& replacing?) it. I got it installed on 22/07/20 so it's still fairly fresh. I know encapsulation makes the implants harder to remove and since mine is still new, roughly how long should I expect to wait before encapsulation has properly set in around the implant?
I ask because if I can get the implant removed before then the process should be easier, but I also don't want to give up on trying to revive the implant until all options are exhausted. I'm treating removal as a very, very last-case option but it's not out of the question.

I'm still open to suggestions and trying anything, thanks in advance!
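The ‘Trailer decoded’ output above and the FF 07 80 00 trailers that remagic.lua writes, as an added Python example that is not from the thread or from the Proxmark project: it decodes the three access-condition bytes of a MIFARE Classic sector trailer using the layout in the NXP MF1S50 datasheet (each C1/C2/C3 nibble stored once plain and once inverted) and refuses an inconsistent trailer such as the all-zero sector 0 shown after the cwipe. The permission tables are the datasheet's; the wording differs from the Proxmark client's own decoder, and on a genuine (non-magic) card the datasheet warns that writing an inconsistent trailer makes the sector unusable, which is why the gen1a backdoor writing it anyway is worth noticing.

```python
"""Decode the MIFARE Classic sector-trailer access conditions (bytes 6..8 of every 4th block).

Layout per the NXP MF1S50 datasheet: byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2,
each half a nibble whose bit i is the condition bit for block i of the sector
(bit 3 = the trailer itself). A trailer whose plain and inverted nibbles disagree is malformed.
"""
from __future__ import annotations

# (C1, C2, C3) for a data block -> (read, write, increment, decrement/transfer/restore)
_DATA = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),  # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
# (C1, C2, C3) for the trailer -> (keyA read, keyA write, access read, access write, keyB read, keyB write)
_TRAILER = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),  # transport configuration (FF 07 80)
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}


def _nibbles(b6: int, b7: int, b8: int) -> tuple[int, int, int, int, int, int]:
    """Return (C1, C2, C3, ~C1, ~C2, ~C3) nibbles exactly as stored in the three bytes."""
    return b7 >> 4, b8 & 0xF, b8 >> 4, b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF


def access_bits_consistent(b6: int, b7: int, b8: int) -> bool:
    """True when every inverted nibble is the complement of its plain copy."""
    c1, c2, c3, n1, n2, n3 = _nibbles(b6, b7, b8)
    return (c1 ^ n1, c2 ^ n2, c3 ^ n3) == (0xF, 0xF, 0xF)


def decode_access_bits(b6: int, b7: int, b8: int) -> dict:
    """Per-block permissions, or ValueError when the trailer is inconsistent."""
    if not access_bits_consistent(b6, b7, b8):
        raise ValueError("inconsistent access bits: inverted nibbles do not match")
    c1, c2, c3 = _nibbles(b6, b7, b8)[:3]

    def bit(nibble: int, block: int) -> int:
        return (nibble >> block) & 1

    out = {}
    for blk in range(3):
        cond = (bit(c1, blk), bit(c2, blk), bit(c3, blk))
        r, w, inc, dec = _DATA[cond]
        out[f"block{blk}"] = {"bits": cond, "read": r, "write": w, "increment": inc, "decrement": dec}
    cond = (bit(c1, 3), bit(c2, 3), bit(c3, 3))
    ka_r, ka_w, ac_r, ac_w, kb_r, kb_w = _TRAILER[cond]
    out["trailer"] = {"bits": cond, "keyA": (ka_r, ka_w), "access": (ac_r, ac_w), "keyB": (kb_r, kb_w)}
    return out


def decode_trailer(trailer: bytes) -> dict:
    """Decode a 16-byte sector trailer: key A (6) | access bits (3) | user byte (1) | key B (6)."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    d = decode_access_bits(trailer[6], trailer[7], trailer[8])
    d["keyA_value"] = trailer[0:6].hex()
    d["keyB_value"] = trailer[10:16].hex()
    d["user_byte"] = trailer[9]
    return d


if __name__ == "__main__":
    # The trailer remagic.lua writes in the thread: default keys, FF 07 80, user byte 00.
    print(decode_trailer(bytes.fromhex("FFFFFFFFFFFF" "FF078000" "FFFFFFFFFFFF")))
    try:  # The all-zero sector 0 shown after cwipe: plain and inverted nibbles cannot both be 0.
        decode_trailer(bytes(16))
    except ValueError as e:
        print("all-zero trailer:", e)
```

With FF 07 80 the three data blocks come out as (0,0,0), fully open to either key, and the trailer as (0,0,1), the transport configuration in which key A writes everything and key B is readable with key A; that is why remagic.lua can simply write default keys into every trailer and expect the sector to stay reachable.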

This one?
