xM1 unlock block 0

Hello Guys

I have an xM1 implant that i want to unlock block 0 to change the uid. I want to do this with an arduino and either the pn532 or the rc522.

I read that the pn532 is reliable with the x series implants, but is there a library to unlock block 0 like the one from miguelbalboa https://github.com/miguelbalboa/rfid/ ?

The rc522’s field is pretty weak and does often not read the implant. if anybody has experience in building antennas this would also help.

I am pretty new to arduino and nfc but i have some experience in programming.

Regards k4lin

Edit: maybe it’s important to know what i want to make: i want to make a portable uid cloner that i can connect via BLE to my phone and send commands. It’s a project for the end of my apprenticeship

1 Like

Some people have built antennas specifically for use with implants. Here is a thread about one: DIY LF antenna for Proxmark 3 Easy

However, it’s probably easier to get a Proxmark for chip programming purposes.

I don’t know much about the magic M1 chips but that comment changes a few things.

I’d recommend getting a magic M1 card for testing. being able to leave the card on the reader should make your life easier. Also, check if you can port the library that you have to the NFC chip that works best? And read the datasheets for the RC522 and PN532.

1 Like

Hi @k4lin,
Just stumbled onto this after successfully cloning a tag onto my xM1 with RC522 and Arduino.
Check out the ChangeUID sample code in the rc522 library and make the following modification in setup():

void setup() {
  Serial.begin(9600);  // Initialize serial communications with the PC
  while (!Serial);     // Do nothing if no serial port is opened (added for Arduinos based on ATMEGA32U4)
  SPI.begin();         // Init SPI bus
  mfrc522.PCD_Init();  // Init MFRC522 card
  mfrc522.PCD_SetAntennaGain(0x07<<4); // <--- Add this line to set antenna gain to max!
                                       //  This will make the antenna too sensitive to read a normal card but it will pick up xM1.
                                       //Add this line to any example code to read,write from your chip. Set it back to 0x04 << 4 for default
  Serial.println(F("Warning: this example overwrites the UID of your UID changeable card, use with care!"));

Hope that helps. I was banging my head against the wall for the past few days trying to get the reader to work on a Pi, only to reallise it has all been done brilliantly for Arduino


@cells-called-nick nice thanks. I i will try this today.

The unbrickUID code is also super useful… My heart sank after my code set block0 to all zeros and no nfc devices could recognise the chip. Careful :stuck_out_tongue:

1 Like

@k4lin did you get it to work? I’m working on a similar project: Portable UID cloner for the times you must absolutely clone a fob this very instant :wink:
If you’re making progress I’d like to collaborate a bit :slight_smile:
I’m also about to start working on a text compression script for storing large amounts of keys/passwords/mnemonics etc on limited memory space.

If the hardnested and other attack code coil be ported from the proxmark3 to be used with the RC522 that might be interesting… not sure if the RC522 can do the necessary timings etc though

I don’t own a proxmark3 and have barely glanced at the code. Which specific tools would you be interested in having ported to Adruino+RC522? I’m happy to look into whatever you point me to, and continue developing a ISO14443 toolkit for programming your x-series chips.
(On a side note: Is there a non-invasive way to stop the KBR beeping so damn loud? :hear_no_evil:)

How about a little invasive???
Remove the feet
unscrew x 4 screws
expose the “beeper” fill with hot glue or similar

5 mins and reversible…
That’s kinda invasive, with a little consent…

1 Like

There are easier options I think… GitHub has a few code examples

1 Like

That’s exactly what I was thinking. Ok, screwdriver and solder it is :wink:


I think i could implement the dictionary+ brute-force crypto1 attack on Arduino and make an on-the-fly MF classic cloner. No idea how quick or practical it would be but I’m treating this as a learning experience. I tend to reinvent the wheel a lot in my coding projects :wink:


@cells-called-nick im sorry, I didn’t have the time to try but i will tell you as soon as I tried it

@cells-called-nick it didn’t work. I think i need an rc522 that can handle 5v :thinking:

It only works for me if I hold the chip exactly perpendicular to and crossing the antenna coil on it’s long edge. Mine runs off 3.3 volts as well but there may be differences between rc522 ic :man_shrugging:
Running it off 5v there was a noticeably increased range when reading cards, but i don’t know how potentially damaging that could be to the rc522. They are cheap though :wink:
where’s your implant? I have my XM1 in the outside edge of my hand and it’s a fair bit shallower than the one’s between thumb and index.
Do you get no reading at all adding the antenna gain line to the readUI code?

The library also sets several variables for easier reference of the gain values…

MFRC522::antenna_gain_max and MFRC522::antenna_gain_avg are the two most useful.


After playing around with it a bit more, It seems to work best with gain
RxGain_38dB = 0x05 << 4
RxGain_43dB = 0x06 << 4
Try a few more settings. As @Zwack referenced, you can find the gain values in the header file.

1 Like

@Zwack @cells-called-nick thanks for the help guys :grin:


Have either of you tried this with an implanted x series? I think based on the comments I am seeing that I might need to switch to the PN532 for those.