xMagic cloning struggles


I used a proxmark 3 easy (iceman 805269ad4ac363a49ec4725fdd348863455841a7) to clone a keyfob to both a generic gen1a fob and the xMagic. The system uses more than just UID to authenticate. All dumps are identical and while the original key is hardened, the generic gen1a fob works without issue. The issue comes down to the fact that while the xMagic is recognized as a card by the security system, only the generic fob works.

I hate to take up y’alls time, but I am confused as to why the system disallows the xMagic chip while allowing the functionally identical fob.

I just tested it with the proxmark3 sim feature, and the dump worked perfectly fine. Why is it just the xMagic?

Probably the most likely scenario is that the reader is just not reading the xMagic at all due to its small antenna. Have you used the high frequency field detector keychain on the reader to determine the best location and orientation to present your xMagic to it with?

The reader beeps without unlocking, so I would assume it is being read.

In that case I would use the RDC to confirm that the reader is high frequency only. It’s possible that it is a dual frequency reader and what might be causing the beep is the t5577 chip in the xMagic.

If that’s the case then the reader may be picking up the low frequency chip first and then ignoring the high frequency chip, or simply not reading the high frequency chip at all.

You may be right, I will continue testing later, but it is possible that the system uses a dual frequency approach, as while one scanner is permissive with hf, another is restrictive and fails even though the hf is correct.

Thank you again for your help.

Any chance it could be a dual frequency reader picking up the LF side of the xMagic?

That is the case, I used a generic t5577 and it had the same beep. I believe the system is dual-freq auth as well, as some scanners do not open to the cloned standalone gen1a, but that may be due to gen1a detection (will try cloned gen2)

As long as you use a dual frequency card (or ring) you won’t get in.
The reader will read the LF much quicker than the HF. Once the LF reads and denies, it won’t even look at the HF.
You either need to totally disable the LF on the reader (in software or hardware) or use a HF only tag.

I am still going to test if it is a dual system, but assuming it is not, is there a way to temporarily disable the t5577 chip?

Not that I know of … But you can always drill the antenna out :roll_eyes:

It is a good thing then that it appears that the system is dual lf hf because it is hard to drill out an implant.

(Funny enough, the lf chip in the key is a t5577)

Thank you all again for your help, I completely forgot to consider that it could be a dual system

Sort of… just program it as something else or do a wipe on it so it doesn’t respond until programmed again.

Although I agree with this, I have also dealt with dual frequency readers and depending on the antenna layout and separation, it can be possible to isolate the antenna you want.
i.e., if the LF is in the centre and HF is the perimeter, if you wanted HF you would approach from the outside perimeter and swipe inward, and if you wanted LF you would present straight to the centre and swipe outward.

That's been my experience and I have had luck with that.
Your Kilometers may vary :wink:

I wasn’t able to do it the few times I encountered a dual frequency reader. It always read the LF first.

Hope the OP gets better results :crossed_fingers:

I’ll try that next time I have this issue :+1:

Just change modes to an incompatible mode, or
lf t5 wipe

Or do exactly what Amal just said :rofl:
