xM1 Proxmark ATQA:00 Anticollision Error

Nothing really… I would see if Iceman wants to take a stab at it… maybe send back to me first, then I will clean and sterilize it, then I can send it to him (if he wants to look at it).


Discovered this at a client of ours. I proxmarked one of their access tags, accidentally T5577-wiped it, and the wipe actually stuck. Made for a crap evening for the guy using it to get in later that day.

Rewrote it the next day and am now forbidden from having client access cards.


Haha, oh man, this happened to me with someone working for the gubmint… they had an access fob, it was T5577 and it got fucked accidentally… I wrote my implant ID to it, hahah.

The real shit thing is, people are horrendously stupid. In your case and mine, the biiiigg kerfuffle is over the tag getting messed up, not over the fact that the entire system is insecure and completely fragile… oh no… don’t be alarmed over the condition of your crap “security” system… let’s shoot the messenger, kinda.


“maybe send back to me first”

Not too sure how possible the removal process is going to be, since my installer isn’t comfortable doing it.
I’ve got a feeling my doctor is going to say that it’s not doing any harm or causing issues, thus removal isn’t needed. Will still contact them anyway, just in case.

“then I can send it to him [Iceman] (if he wants to look at it)”

Let me know of his decision and please make him aware of my appreciation for helping.

I have also used the orange floaty button and submitted the form.

Thankfully, I had the ID saved from the console log, so rewriting it wasn’t hard.

Discovered this back in my pre-DT days, actually.

As I understand it, there’s a knockoff of the S50 chip known as the FM11RF08. It’s known to be used in Ukraine in their actual train passes, but has a really crap RNG and is identifiable that way. I believe, but can’t be sure, that the companies making magic S50s (which is the term I used to get them) are using a variant of that chip, as IIRC they share the RNG vulnerability with it. Not sure who makes it, but I know they’re doing it in big quantities (one manufacturer wanted me to buy 12,000).

Ah, the RNG vuln is that they reply NACK with probability 1 instead of 1/256. Info came from the Darkside paper.

Fudan makes this… a Chinese company. I’ve spoken to them about making “legit” magic chips before. They are considering it… but it’s not something they want to attempt right now… don’t want to rock the boat.

Jirvin, I have tried everything you have been told in both threads. I am in the same boat; nothing seems to be bringing this chip back.

I am also in this situation with my xM1+. I am curious if anything has come of this with Iceman.
Just playing around with it and a Gen1a fob I have: if I run
“hf mf csetblk 0 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF”
followed by
“hf mf cgetblk 0”
I get back “FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF” from the fob, and
“18 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F” from the xM1+.
Just thought that it was interesting and might give someone more familiar with the Proxmark a hint.

The issue with my particular implant was that it had a memory issue and was replaced.

However, getting an ATQA of 0000 would mean it can’t answer anticollision, so it can’t tell you details about the tag. You should also understand what block 0 is used for. Writing it with all Fs will mean you have set the UID, BCC0, ATQA & SAK to Fs, which isn’t correct.

Given that when you wrote the same to the implant you got a different result than expected, that isn’t great. There are some Lua scripts on the Proxmark which fix the usual ATQA issue that might be worthwhile trying.

Some questions:
How long have you had the implant?
Has it worked previously?
How often do you use it?
If you have a Proxmark, try using hf mf csetuid and post the output from hf 14a list.

If you’re also on the discord feel free to ping me (same name) as I’m not too active on here.


Thanks for the response @Jirvin! I do understand that the UID, the configuration and a parity check are all stored within block 0, and I don’t hope to do any calculations or write my own; I’ve been copying a known good block 0 or using the automated tools such as hf mf csetuid or cwipe with UID, ATQA and SAK values. My writing it with all Fs was a last-ditch effort in frustration, since it already had all 0s in it. But before writing it there I tested on a fob and could get the fob back to functioning without problems. It did show that something is super different between the implant and the fob, though… I have tried the hf_mf_magicrevive.lua script on the latest Iceman RRG firmware to no avail.
I got my implant installed around a year ago, purchased maybe 13 months ago.
It has worked previously; I’ve had an NDEF business card on it most of the time and I’ve done successful UID changes previously.
I do not use it often. I was traveling a lot prior to COVID and had planned on using it to replace my hotel keycards; that hasn’t happened recently, though.
I am using a Proxmark RDV4.

[usb] pm3 --> hf 14a list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 202 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                          | CRC | Annotation
------------+------------+-----+--------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52(7)                                                   |     | WUPA
       2100 |       4468 | Tag |00 00                                                   |     |
       7040 |      11808 | Rdr |50 00 57 cd                                             |  ok | HALT
     148352 |     149344 | Rdr |40(7)                                                   |     | MAGIC WUPC1
     150708 |     151284 | Tag |0a(3)                                                   |     |
     155392 |     156640 | Rdr |41                                                      |     | MAGIC WIPEC
     157748 |     158324 | Tag |0a(3)                                                   |     |
     162432 |     167200 | Rdr |50 00 57 cd                                             |  ok | HALT
     303744 |     304736 | Rdr |40(7)                                                   |     | MAGIC WUPC1
     306100 |     306676 | Tag |0a(3)                                                   |     |
     310784 |     312096 | Rdr |43                                                      |     | MAGIC WUPC2
     313140 |     313716 | Tag |0a(3)                                                   |     |
     317824 |     322528 | Rdr |a0 00 5f b1                                             |  ok | WRITEBLOCK(0)
     323636 |     324212 | Tag |0a(3)                                                   |     |
     328704 |     349600 | Rdr |01 02 03 04 04 08 04 00 00 00 00 00 00 00 00 00 b9 cb   |  ok |
     392116 |     392692 | Tag |0a(3)                                                   |     |
     394496 |     399264 | Rdr |50 00 57 cd                                             |  ok | HALT

I will see if I can hop in the discord as well.

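Two things in the exchange above can be checked offline: the block 0 layout Jirvin describes (UID, BCC, SAK, ATQA, and why all Fs or all zeros there is invalid), and the CRC values that pm3 marks “ok” in the hf 14a list trace. The Python below is an added example, not code from this thread or from the Proxmark3 project. The trace lines and block 0 values it embeds are constructed from the ones quoted in the thread (the all-FF fob write, the 18 1F 1F… readback from the xM1+, the all-zero block the implant held, and the 01 02 03 04 04 08 04 00 default that cwipe sent); the ATQA byte order (04 00) is taken as it appears in the trace.

```python
"""Added example, not code from the thread: check what a MIFARE Classic block 0
must contain and recompute the CRC_A values shown in a Proxmark3 'hf 14a list'
trace.  Sample inputs below are constructed from values quoted in the thread."""


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (poly 0x8408, preset 0x6363), sent LSB first."""
    crc = 0x6363
    for b in data:
        ch = b ^ (crc & 0xFF)
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def build_block0(uid: bytes, sak: int, atqa: bytes, manufacturer: bytes = bytes(8)) -> bytes:
    """Block 0 of a 4-byte-UID card: UID | BCC | SAK | ATQA | 8 manufacturer bytes.
    ATQA is given in the byte order it is stored in block 0 (04 00 in the trace)."""
    if len(uid) != 4 or len(atqa) != 2 or len(manufacturer) != 8:
        raise ValueError("uid must be 4 bytes, atqa 2 bytes, manufacturer 8 bytes")
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return uid + bytes([bcc, sak & 0xFF]) + atqa + manufacturer


def block0_problems(block: bytes) -> list:
    """Reasons a reader would reject this block 0 during anticollision/select."""
    if len(block) != 16:
        return ["block 0 must be 16 bytes, got %d" % len(block)]
    uid, bcc, sak, atqa = block[:4], block[4], block[5], block[6:8]
    problems = []
    expected_bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    if bcc != expected_bcc:
        problems.append("BCC %02X does not match UID XOR %02X" % (bcc, expected_bcc))
    if atqa == b"\x00\x00":
        problems.append("ATQA 0000: no valid answer to REQA/WUPA, anticollision fails")
    if sak & 0x04:  # ISO 14443-3: SAK bit 3 is the cascade bit, 'UID not complete'
        problems.append("SAK %02X has the cascade bit set: UID incomplete" % sak)
    return problems


def check_trace_crcs(trace_lines):
    """For each reader frame in an 'hf 14a list' dump that can carry a CRC_A,
    recompute it and return (hex bytes, crc_ok).  Short frames such as 52(7)
    and single-byte magic commands (41, 43) carry no CRC and are skipped."""
    results = []
    for line in trace_lines:
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or cols[2] != "Rdr" or "(" in cols[3]:
            continue
        data = bytes.fromhex(cols[3])
        if len(data) < 3:
            continue
        results.append((cols[3], crc_a(data[:-2]) == data[-2:]))
    return results


# Constructed sample: reader/tag frames as they appear in the trace quoted above.
SAMPLE_TRACE = """
      0 |    992 | Rdr |52(7)                                                 |    | WUPA
   2100 |   4468 | Tag |00 00                                                 |    |
   7040 |  11808 | Rdr |50 00 57 cd                                           | ok | HALT
 148352 | 149344 | Rdr |40(7)                                                 |    | MAGIC WUPC1
 150708 | 151284 | Tag |0a(3)                                                 |    |
 155392 | 156640 | Rdr |41                                                    |    | MAGIC WIPEC
 162432 | 167200 | Rdr |50 00 57 cd                                           | ok | HALT
 310784 | 312096 | Rdr |43                                                    |    | MAGIC WUPC2
 317824 | 322528 | Rdr |a0 00 5f b1                                           | ok | WRITEBLOCK(0)
 328704 | 349600 | Rdr |01 02 03 04 04 08 04 00 00 00 00 00 00 00 00 00 b9 cb | ok |
 394496 | 399264 | Rdr |50 00 57 cd                                           | ok | HALT
""".strip().splitlines()

# Block 0 contents quoted in the thread (constructed here from those quotes).
ALL_FF = bytes([0xFF] * 16)                                   # csetblk 0 FFFF... on the fob
ALL_00 = bytes(16)                                            # what the implant already held
XM1_READBACK = bytes.fromhex("181F1F1F1F1F1F1F1F1F1F1F1F1F1F1F")  # cgetblk 0 on the xM1+
CWIPE_DEFAULT = build_block0(bytes.fromhex("01020304"), 0x08, bytes.fromhex("0400"))


def main():
    samples = [("all FF", ALL_FF), ("all 00", ALL_00),
               ("xM1+ readback", XM1_READBACK), ("cwipe default", CWIPE_DEFAULT)]
    for name, blk in samples:
        print("%-14s %s -> %s" % (name, blk.hex(), block0_problems(blk) or "ok"))
    for frame, ok in check_trace_crcs(SAMPLE_TRACE):
        print("%-55s crc %s" % (frame, "ok" if ok else "BAD"))


if __name__ == "__main__":
    main()
```

Running it shows the all-zero block passing the BCC check but failing on ATQA 0000, which is exactly the ATQA:00 answer to WUPA at the top of the trace; the all-FF block fails BCC (FF xor FF xor FF xor FF is 00, not FF) and carries a SAK with the cascade bit set; and the 18 1F 1F… readback from the xM1+ fails BCC as well, so the chip is not storing what was written even before a reader gets as far as selecting it.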