RFID cloning to implanted tags

edited March 2015 in RFID/NFC
People often ask about the possibility of copying (cloning is the term used when talking about copying an RFID tag) their existing RFID cards to implanted chips. Up until now this has not been possible, myself and Amal among others have discouraged the idea as being impractical. The best people could do was to add the ID of their new implant to the control system, which is often not possible for work or school access systems.


I've been hinting for a while that I've got some cool new implants, one of these is an RFID chip which allows cloning of some existing access cards.


The new chip is a T5577, this type of chip is often used for cloning RFID cards, but until now it has not been available in an implant form factor.


Below is a picture of the new chip:


image


Most RFID implants are 2x12mm, this chip is much smaller at only 1.4x8mm. Less than half the volume of the older 
chips, with a noticeably smaller needle (14 gauge) leading to less tissue trauma and therefore faster healing. The image below shows a standard 2x12mm chip and 12 gauge needle at the top, and the new chip and needle at the bottom:

image



Tagged:
«13

Comments


  • Those of you who attended Grindfest Zero may have seen me cloning Cassox's work ID to one of these chips, he has implanted the chip and made a video of using it in his workplace, which you can watch here.


    These chips are not magic, they do not support cloning all types of RFID card, only some low frequency cards can be cloned, you will need to know how to clone the tag, and have the hardware to do it. Assuming you know how to clone a card, here is a list of card types that can be cloned to this implant:
    HID, EM410x and Indala. These are many but not all of the low frequency cards used for access control systems, such as doors, printers etc.


    These chips can be rewritten tens of thousands of times, aside from cloning other cards, these chips can be used to store arbitrary data, although their storage size is very limited at only 44 bytes.


    The full specs' for the ATA5577 IC used can be read here.


    In order to have these chips manufactured I had to place a large order, therefore I'm selling them to anyone who wants them on my site here.



    Questions? Comments?

  • edited March 2015
    Do you think its possible to get a virus on it since its re-writeable?
    Something like this guy did: 
    Scary things that you could upload to RFID that would hack any door to open or something like that.

    edit: it wasnt done by Michio but I meant the guy he was talking about
  • edited March 2015
    Zlekrat  While it is theoretically possible to create a virus for implants, the amount of space on the current RFIDs is so small that it's almost impossible.

    Even the smallest quine I've heard of is a too big to fit on this chip, but it may be possible with the larger NFC chips.
  • Let's play cyberpunk action film for a second: Can you use this chip to clone an xEM implant, as a backup in case someone removes your original chip or decides to keep your hand as a souvernir?
  • zombiegristle I don't have an xEM to test, but yes, I think it's compatible, so you could duplicate it using this chip.

    But if you want to go all cyberpunk action film, you can find someone who has an xEM implant, stand close to them to read their implant, clone to your implant and then impersonate them...
  • I would assume the actual cloning requires a reader, a computer, and some software, yes? Or is it actually just as simple as bringing the two chips in proximity?
  • zombiegristle  yeah, you need a reader and some software, but you don't need a computer necessarily, some readers allow operating in a standalone mode, which means the setup can be pretty discrete, about the size of a wallet. 
  • have you tested it with phones? I want one after seeing that demo but i'd only really be interested if it works with my phone as i have no other way of interacting with it and to clone anything onto it.
  • I don't know of any phones that work with 125KHz out of the box, you'd probably have to find an external reader with accompanying app.
  • drjaaz yeah, zombiegristle is right, these are Low Frequency chips, i.e.  125KHz, the kind of chip used in building access systems, not the high frequency chips used for NFC. I've never hard of a phone with a low frequency reader built in, but you can use an external reader like the proxmark3 with android phones.
  • see in that case we need a chip that can do both high and low. or I guess you could just have 2 chips one for building one for phones but that's no fun
  • Amal's got a couple of chips that use the high frequencies and play nice with smartphones, what specifically are you after that those will not accomplish?
  • I'm an all or nothing kind of guy. If I'm sticking a thing under my skin I don't want to have to change it out. So I'd ideally like something that'd work with my phone but could also be used for building access. I could just get both I guess. Since they're on different frequencies they shouldn't interfere. 

  • Yeah, I don't remember who it was but I know somebody has both chips in the same hand and says it doesn't cause any issues. I put mine in different hands, but may end up with a 3rd or even 4th chip and I'll just make sure to keep like frequency bands in opposite appendages.

    Or get an assortment of chips implanted along a forearm, in descending order of frequency and interoperability! When confronted with an unknown reader type, you just slowly scan down your arm until something beeps!
  • edited March 2015
    yeah, I've got high frequency NFC chips too, they work fine with phones.
    but having a chip that does both frequencies would be cool.... I may have to look into it.
  • @zombiegristle the xEM tag actually uses the ATA5577 chip inside, but it's been programmed to emulate an EM4102. You can clone other tags and badges to the xEM. We have not produced a manual on how to do this yet, but this is forthcoming.
  • edited March 2015
    @amal, that is awesome to hear.  I had no idea the xEM had that capability.

    @zombiegristle - I'm the one with the xEM and xNT in the same hand.
  • @aviin, haha yeah, we had no idea either but our first round test batch production of xEM tags used a true EM4200 chip, then we changed manufacturers very early on and they simply looked at our specifications and chose to use the ATA5577 chips they already had, and just programmed them to be compatible with the EM4200 and didn't let us know... so it's kinda like a bonus for everyone. I'm annoyed that they felt comfortable doing that and not telling us, but at the same time the end result is basically good for everyone. We only recently found out about it though so we're still playing catch up with the chip type and its capabilities. Once we have a good handle on it we will notify everyone who ordered an affected xEM tag.
  • Rough run down on options for cloning/writing to these chips.

    You need a Low Frequency RFID reader/writer device, there are a number of devices which work, covering a range of different costs and ease of use.

    1) Proxmark3. This is the top of the line device, works with all types of RFID/NFC chips, has functions for cloning to/from chips/cards. but it is somewhat complicated to use, and costs a lot. you can buy them here and read more info here. I have one of these and have used it to clone cards to my T5577 chips, I haven't tried it with Amal's xEM chips, but it should work fine with those too.

    Once you have the proxmark3 software working, it's pretty simple, place your card on the antenna and run the command "lf search", this will print the card ID (assuming it's one of the supported card types), then replace the card with the implant chip (i.e. hold the antenna to your skin), because the antenna coil in the chip is very small, it can be hard to write to it, I have found that it is best to align the chip perpendicular to the wires in the reader antenna, so that there is as much overlap between the two antennas as possible. then, depending on the card type, run the clone command, e.g. for HID cards: "lf hid clone XX" (where XX is the ID of the card you want to clone).
    Given how expensive Proxmark3s are, I suggest borrowing one from someone, you can often find people who own them at local hackerspaces.



    2) Rfidler. This is a newer device, it is similar to the proxmarx3, but only works with low frequency cards, which is fine for cloning to these chips. It is also much cheaper than a proxmark3. I don't have one of these, but the specs for it say it supports most low frequency cards and writing to the T5577 chips. I'm working on testing it soon, at which point I'll update this thread to let you know if it works.


    3) EM4x cloner. You can get very cheap RFID cloner devices on ebay, such as this one, they are cheap, easy to get and use i.e. just point it at the card to clone and press the button, then point at the implant and press the other button, but there are two major down sides. One is that only work for EM4x chips, not for HID or Indala. which is fine if you only intend to clone that type of card. The second, and more major is issue is that they often lock the chip. Not permanently, but in such a way that you can only use the same type of device to write to it in the future. There are ways to unlock it again, but be careful with these devices. I have tried on and it work with my T5577 chips.

    4) My biothemo reader device can write to T5577 chips, but it's not quite ready yet, should be done in a month or two, more info in this thread.

    5) other generic Low Frequency RFID reader/writer devices. There are a number of devices which support writing to T5577 chips. In theory they can all be used for cloning, but with out supporting software, you are pretty much on your own, and I imagine a lot of work.


  • Is there any easy way I can find out what frequency an existing card is using? 

    I've been googling to try and find specs for the UniCard system card that I have but no luck. I'm not sure if /any/ RFID reader will be able to tell me the frequency / find out the info for cloning or if you need a specific reader for different frequencies? 

    At the moment I have zero equipment. 
  • Kaylaj That depends on how you define "easy", if you can access a proxmark3, you can check the power levels on the low and high frequency antennas, and see which one reacts to the card. 


    Then you can try scanning for known card types at that frequency, and you stand a good chance of finding which card type it is.


    If you are unlucky and it's not one of the common card types, you can use the proxmark3 to decode the raw waveform, but that is super complicated, and unless you have a background in election engineering, I don't suggest it.



  • edited May 2015
    Implanted one of @AlexSmith's chips -- 

    Bit of effort to get the cloning to work (looks like it's a little deep?), but was okay in the end.

    I would suggest though that you clone the access card *before* implanting, because it's going to be a lot easier to test it like that. You can scan it while it's inside the packaging, so it'll still be sterile etc.
  • edited May 2015
    This reader was pointed out to me, I have not tested it, but I'm hopeful that it is a cheaper option to clone HID cards.
  • I just ordered this one - I'll report once all the pieces show up. 
  • meanderingman you know that device can only read (and therefore copy) EM cards, right? so it won't work with HID cards etc. this is fine if the card you want to copy is EM, but are you sure it is?
  • Mmm, good point. Well if it doesn't work I'll try the reader you just posted. I'm going to test that everything works before implantation obviously so it's just a matter of playing around and getting everything hooked up correctly. 
  • I have the reader/writer posted by @meanderingman. When I scanned an HID security card I got nothing. This should work with Dangerous Things' xEMi tag though.

    You can check out the software before you receive it. It's primitive.
  • Thanks for the heads up. I'll order the other cloner that Alex posted as well. 
  • edited May 2015
    I regret not having found this topic earlier.
    I've bought myself one of these , as the description mentioned it reading/writing EM4000, 4200 and 4300 families. The software is the same as @McSTUFF posted.
    It does not, however. read the emulated EM410x, let alone write to it.
    Thinking it might be a problem with the read area, i've switched out the coil for a circular polarized one. Still no dice.
    So, beware the chinese ATA5577 writers, they just don't seem to be compatible.
  • I apologize for the potential resurrection. I'm not sure how active these forums are. My question is in response to @AlexSmith. You mentioned purchasing a cheap eBay cloner that could potentially clone an HID badge to the newer ATA5577 chip Dangerous Things xEM implant. I'll be flat-out and say that I can't afford a Proxmark3. I'm looking to convert the chip that I implanted this very morning to an HID format that is functional at work. What was your experience with the reader re-linked below?  Did it clone HID->ATA5577 or just EM4100(xx) as with most of the other chinese exports?  Also, did using the device linked apply a passcode to the chip post-cloning as your original post indicated possible?  Thank you for any response!

    http://www.ebay.com/itm/221767640413
Sign In or Register to comment.