One of the primary reasons people are choosing to implant subdermal RFID chips is to securely keep their keyless entry cards on their person at all times. Many residential and commercial buildings are implementing RFID door systems as physical security becomes more and more a part of the public consciousness, and a few of the RFID chips created by Dangerous Things offer a convenient albeit unconventional method of ensuring that you never lock yourself out of your home or office.
In this tradecraft tutorial, we will be using the Proxmark3 RDV4 via the RFID app to clone an LF RFID card key to the Dangerous Things NExT Bio Chip. Our target lock system utilizes EM-41XX tags, but this procedure can easily be followed for any LF tags compatible with the T5577 chipset. If you are considering implanting an RFID chip for this or a similar purpose, make sure you read our article on choosing the right bio chip for your needs.
Setting Up the LF Ferrite Antenna with Proxmark3 RDV4
For best results in writing to your NExT or xEM subdermal RFID chip, you may want to replace the Proxmark3 RDV4’s default antenna set with the LF Ferrite Antenna designed by Proxgrind and Tom Harkness specifically for use with Dangerous Things LF chips. For more information on how to install this antenna, refer to a previous article in this series walking through assembly of the device and installing the modular antennas.
Once installed, turn on the PM3 and the BLE module. Open the RFID Tools App, connect to the device, and open the Red Team Terminal. Now use the easy button to execute the hw tune command so that you can verify the antenna is successfully installed.
Reading Subdermal RFID Chips
Before cloning your target card, ensure that you can properly read and write to the NExT or xEM chip by issuing the lf search command while holding the ferrite antenna up to the skin above your chip, adjusting alignment until the PM3 detects the tag.
In our case, the LF chip is already written with EM41XX card data and appears in the terminal as: EM TAG ID 06003C071E. The NExT chip is also capable of emulating EM4200, HID 1326 ProxCard II, HID 1346 ProxCard III, and Indala cards, which covers a wide variety of commercial RFID access systems in the wild.
Once you can reliably read your chip using the ferrite antenna, you are ready to copy and clone your target card.
Cloning RFID Card Data
The Proxmark3 RDV4 makes quick work of extracting LF RFID card data from a target. The process is as simple as placing the target tag or card within reading range, inputting the command lf em 410x_read, and tapping the send button. Once the tag is successfully read, the client will print out the extracted card data and store it to memory.
Tap and hold on the Tag ID to select and copy this value to your clipboard. Input the command lf em 410x_write and then paste the tag ID value into this command followed by a space and the number 1. Place the ferrite antenna in the same position and orientation on the skin above your NExT or xEM chip and tap send to write the card data to your subdermal RFID chip.
You should now have an exact clone of the target card copied to your bio chip, and it will interact with any LF reader as if it were this card. Test that the process has been successful by opening the lock with your subdermal chip. You may need to experiment with the position and orientation of your chip with respect to the reader, and you may need to come into direct contact depending on the strength of the antenna.
This tradecraft represents just one of the many ways you can use your NExT or xEM bio chip to interact with RFID readers in the wild. Not all cards can be cloned, but your chip can also be used with its own unique tag data as a registered card if you have access to the system. This allows you to integrate a single tag ID across a wide variety of both off-the-shelf and DIY applications.
Project Resources
Dangerous Things Implantable RFID Chips - Writing LF Proxcard Data to the NExT and xEM Chips Using the Proxmark3 RDV4
Tradecraft Materials:
- Proxmark3 RDV4
  - Ferrite LF Antenna
  - Blue Shark Module
  - Firmware fork supporting RFID Tools App (https://www.dropbox.com/s/416lsrqpr2lfeis/%5BCompiled%5DPM3-RRG-20190812.rar?dl=0)
- Android Device
  - RRG RFID Tools App (https://github.com/RfidResearchGroup/RFIDtools or Google Play App Market)
- Target Card
  - LF Proxcard (EM41xx)
- Dangerous Things Implantable RFID Chip
  - NExT or xEM models
Setting Up the PM3
1. Open RFID Tools App on your Android device
2. Power up your Proxmark3 RDV4 with Blue Shark Module and turn on Bluetooth
3. Connect the Proxmark3 to the RFID Tools App
4. Open Red Team Terminal
Reading the Subdermal Chip
1. Place the ferrite antenna up to the skin above the subdermal chip
2. Identify the subdermal chip
lf search
3. Adjust the position and alignment of the antenna until the tag is found
4. Note the position and alignment of the antenna for later reading and writing
Reading the Target Card
1. Place the Target Card in proximity to the PM3 antenna
2. Read the Target Card
lf em 410x_read
3. Copy the Tag ID value to your clipboard, or otherwise note this value for later use
Writing Target Card Data to the Subdermal Chip
1. Place PM3 in same position as noted above
2. Write card data to the subdermal chip, using the Tag ID of the Target Card
lf em 410x_write [TagID] 1
ex. lf em 410x_write 12B685D58C 1
3. Your Subdermal Chip will now behave as if it were the Target Card when interacting with RFID readers
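A read-back check for the final step, as an added example that is not part of the original tutorial or the Proxmark3 project: it validates the copied Tag ID before it goes into the write command and compares the ID read back from the chip with the target. It goes beyond the text in building the 64-bit EM4100 frame (header, row and column parity, stop bit), which shows that the tag carries only a static ID plus parity; the function names and the sample read-back text are assumptions constructed for illustration.

```python
import re

# Constructed read-back text, modeled on the "EM TAG ID 06003C071E" line quoted in the article.
SAMPLE_READBACK = "EM TAG ID 12B685D58C"
READBACK = re.compile(r"EM TAG ID\s*:?\s*([0-9A-Fa-f]{10})\b")

def normalize_tag_id(text):
    """Return an EM410x ID as 10 uppercase hex digits (5 bytes), or raise ValueError."""
    tag = text.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{10}", tag):
        raise ValueError(f"not a 40-bit EM410x ID: {text!r}")
    return tag

def write_command(tag_id):
    """Build the write command from the steps above; a mistyped ID fails here, not on the chip."""
    return f"lf em 410x_write {normalize_tag_id(tag_id)} 1"

def em4100_frame(tag_id):
    """64 bits: 9 header ones, 10 rows of 4 data bits + even row parity,
    4 even column-parity bits, and a 0 stop bit. No key or counter is involved."""
    bits = "1" * 9
    cols = [0, 0, 0, 0]
    for digit in normalize_tag_id(tag_id):
        row = [(int(digit, 16) >> shift) & 1 for shift in (3, 2, 1, 0)]
        cols = [c ^ b for c, b in zip(cols, row)]
        bits += "".join(map(str, row)) + str(sum(row) & 1)
    return bits + "".join(map(str, cols)) + "0"

def verify_clone(target_id, terminal_output):
    """Compare the target ID with the ID found in the read-back output."""
    want = normalize_tag_id(target_id)
    match = READBACK.search(terminal_output)
    if match is None:
        return False, "no EM tag ID in read-back; realign the antenna and read again"
    got = match.group(1).upper()
    if got != want:
        return False, f"read-back {got} differs from target {want}"
    return True, f"chip reads back {got}"

if __name__ == "__main__":
    print(write_command("12b685d58c"))
    print(em4100_frame("12B685D58C"))
    print(verify_clone("12B685D58C", SAMPLE_READBACK))
```

Because the frame is fully determined by the 40-bit ID, a matching read-back confirms the chip now presents the same data to a reader as the original card.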