xMagic Chip Implant
The xMagic implant contains two microchips inside which are fully re-programmable to emulate a range of common types of cards, fobs, and access badges in both 13.56MHz and 125kHz frequencies.
$149.00
WARNING This kit definitely contains dangerous things. While our x-series chip implants have undergone several quality checks during manufacture, and have been put through a battery of tests, they have not been certified by any government regulatory agency for implantation or use inside the human body. Use of this device is strictly at your own risk.
The xMagic kit contains the xMagic chip implant and all the sterile procedure materials required for a professional to perform installation. The xMagic has two chips inside, a 13.56MHz ISO14443-A compliant “Magic” Mifare S50 Classic 1k gen1a emulator chip, and a 125kHz T5577 emulator chip. Both chips are encased in a biologically safe 3x15mm cylindrical bioglass tube. The bioglass cylinder is laser sealed and the finished xMagic is tested for function before loading into the injector assembly. Then the injector assembly with xMagic tag inside is placed into a sterilization pouch and sterilized with ethylene oxide (EtO) gas.
What’s so great about the xMagic?
Generally speaking, RFID and NFC chips have read-only unique IDs. These are used as a sort of serial number, which cannot be changed. The xMagic has two different chips inside which are designed to emulate many different types of commonly used simple RFID chips found in access badges, key fobs, gym cards, etc. This means you can copy or clone both the ID (serial number) of many types of chips to the xMagic!
13.56MHz Magic Mifare 1k gen1a
One of the chips in the xMagic is the “Magic Mifare 1k” emulator chip. For many years the Mifare MF1ICS50 1k chip was used for all kinds of applications as a “secure chip” for everything from access control to stored value cards, and used for making localized payments within closed systems like public transit and laundry services. However, it uses a security mechanism called “crypto1” which is a simple, proprietary encryption mechanism that has nothing to do with modern cryptography standards. Even though crypto1 has been broken for many years now, the Mifare Classic 1k is still commonly used in all sorts of access control systems. That means you can crack the security on those cards and clone their content (including the ID “serial number”) to your xMagic using devices like our Proxmark3!
125kHz T5577
In addition to the Magic Mifare 1k emulator chip inside the xMagic, we also have the 125kHz T5577 chip which is designed to be able to emulate a wide array of chip types in the 125kHz range. Typically key fobs and access cards used for things like gym memberships, gates, apartment complexes, etc. which use a 125kHz chip are very cheap and have no encryption or security at all, making it extremely easy to copy an ID from one of these devices into your T5577 emulator chip using our Proxmark3 device!
What can this chip implant do?
• Copy certain HF 13.56MHz chip IDs to this chip
• Copy certain LF 125kHz chip IDs to this chip
• Some types of access control applications
• Scan this chip implant to log into your computer
What this chip implant can’t do
• Share data with NFC enabled smartphones
• Trigger events on NFC devices like smartphones
• Can’t make payments with this chip implant
• Chip implants can’t be used for GPS or tracking
Important Things To Know
13.56MHz Magic Mifare Classic 1k Emulator
- Emulates Mifare MF1ICS50 1k chip with “Chinese Magic Backdoor” (CMB) or writeable sector 0.
- 4 byte ID and all of sector 0 is writable using CMB commands
- Proxmark3 can clone Mifare Classic 1k badges, fobs, cards, etc. to xMagic
- 10 year data retention rated for 100k writes per memory block
- Pre-tested and pre-loaded in sterile injection assembly
- No “anti-migration” coating means easy removal/replacement
125kHz T5577 LF Chip Emulator
- Emulate common EM41xx, EM4200, HID, Indala (and more!) chips
- Proxmark3 can clone common 125kHz badges, fobs, cards, etc. to xMagic
- T5577 chip is preprogrammed in EM41xx mode with a 40 bit unique ID
- 10 year data retention rated for 100k writes per memory block
- Pre-tested and pre-loaded in sterile injection assembly
- No “anti-migration” coating means easy removal/replacement
Kit Contents
The kit contains the following products and materials, which are designed to enable you to bring the kit to a professional installation partner for installation.
- 1 sterile injector assembly, pre-loaded with xMagic chip implant
- xMagic encased in 3mm by 15mm bioglass cylinder with non-toxic epoxy
- Want an analog? Check out the STL
- 2 antiseptic wipes to disinfect installation site
- 1 sterile gauze pad for post-installation wound care
- 1 sterile expandable-fabric adhesive bandage
- 1 pair of non-sterile, non-latex procedure gloves
Kit Extras
The following accessories also come with the kit. These accessories are “field detection” tools designed to assist you with identifying the type of readers you may encounter, but also the best location and orientation to present your xMagic chip implant to any reader to get reliable performance.
- 1 RFID Diagnostic Card
- 1 13.56MHz Field Detector Keychain
- 1 125kHz Field Detector Keychain
Our X Field Detectors (XFD) will show you the best position and orientation to present your chip implant to any readers of the same frequency, while our RFID Diagnostic Card will tell you all about the frequency and duty cycles of random readers you encounter in the wild.
Difference between gen1a and gen2
The basic differences between the gen1a and gen2 have to do with how each chip type enables sector 0 to be written to. Sector 0 is where the chip ID lives, as well as some other information like manufacturer details and the MAD or Mifare Application Directory data. Normally sector 0 on Mifare 1kB chips is read-only and cannot be changed. Cloning a “real” Mifare 1kB chip to a magic Mifare chip requires copying all of the sector 0 data from the source chip to the magic chip. A gen1a magic Mifare chip allows sector 0 to be written to only after sending a special command to it. A gen2 magic Mifare chip uses the normal access bits and keys A and B to control access to sector 0, just like any other memory sector in the chip. This means normal write commands can work with sector 0 on a gen2 magic Mifare chip. For an in-depth explanation, please check out this post on our community forum.
Pros and cons
• gen1a pros: backdoor command disables all keys and access controls on all sectors. Every sector is writable regardless of key settings. Impossible to lock a sector out.
• gen1a cons: can’t send the backdoor command with Android apps, must use a special programmer like a Proxmark3. Some readers actively detect gen1a and reject reads.
• gen2 pros: can program in the field using the Android MCT app for easy changing or programming while on the go. Much harder to detect by readers looking for magic chips.
• gen2 cons: it is possible to get locked out of sectors if improperly programmed.
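The sector 0 contents and the gen2 lock-out risk described above, as an added example (not code from this page or its vendor): a Python check that parses a 64-byte sector 0 image of a 4-byte-ID card and verifies the ID check byte and the access-bit encoding. The field layout follows the public MIFARE Classic 1k datasheet; `check_sector0`, `Sector0Report` and the sample bytes are constructed for illustration.

```python
from dataclasses import dataclass

BLOCK = 16  # bytes per block; sector 0 of a 1k card is blocks 0-3

@dataclass
class Sector0Report:
    uid: bytes
    bcc_ok: bool          # ID check byte matches the 4-byte ID
    sak: int
    atqa: bytes
    access_bits_ok: bool  # False means the sector would be locked out
    trailer_cond: tuple   # (C1, C2, C3) applied to the trailer block

def check_sector0(sector: bytes) -> Sector0Report:
    """Parse a 64-byte sector 0 image (4-byte-ID card) and sanity-check it."""
    if len(sector) != 4 * BLOCK:
        raise ValueError("sector 0 image must be 64 bytes")
    block0, trailer = sector[:BLOCK], sector[3 * BLOCK:]
    uid, bcc = block0[0:4], block0[4]
    # BCC is the XOR of the four ID bytes; readers verify it at anticollision.
    bcc_ok = (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc
    # Trailer: key A (6 bytes) | access bits (3) | user byte | key B (6).
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    pairs = (
        (b7 >> 4, b6 & 0x0F),   # C1 and its inverted copy
        (b8 & 0x0F, b6 >> 4),   # C2 and its inverted copy
        (b8 >> 4, b7 & 0x0F),   # C3 and its inverted copy
    )
    # Each nibble must be the exact complement of its copy; if not, the chip
    # treats the format as violated and blocks the sector.
    access_ok = all((c ^ inv) == 0x0F for c, inv in pairs)
    # Bit 3 of each nibble is the condition bit for block 3, the trailer.
    cond = tuple((c >> 3) & 1 for c, _ in pairs)
    return Sector0Report(uid, bcc_ok, block0[5], block0[6:8], access_ok, cond)

# Constructed sample: made-up ID 01 02 03 04 and the factory-default trailer.
SAMPLE = (
    bytes.fromhex("01020304" "04" "08" "0400" + "00" * 8)
    + bytes(32)
    + bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")
)

if __name__ == "__main__":
    print(check_sector0(SAMPLE))
```

Running the check on an image before it is written to a gen2 chip catches a malformed trailer while the sector is still recoverable.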
How to clone cards, fobs, etc. to the xMagic
Proxmark3
By far the most powerful tool you can use to work with RFID chips is the Proxmark3. It’s an open source RFID diagnostics and security research tool, so it comes in many flavors, shapes, and sizes. Its flexibility and ability to update the firmware to support the latest security tactics and tools means it’s a great investment for anyone wanting to experiment with RFID. Here are some example videos that show how to use the Proxmark3 to clone both Mifare 1k and T5577 cards and fobs.
Mifare S50 Classic 1kB cloning
The original 4 byte “Classic” 1k Mifare card has only 4 bytes for an ID, and uses the vulnerable version of the Crypto1 protocol. NXP (the company that makes Mifare chips) released a number of different updated versions of Mifare chips, including the Mifare Plus 1k and a Mifare “Classic” 1k EV1 (evolution one) chip. The memory structures of these new chips are identical to the original vulnerable “Classic” 1k chips but they have been updated with improved cryptographic algorithms and have 7 byte IDs, not 4 byte IDs. While new attacks on these new chip types do exist, success is limited and you will not be able to copy the complete 7 byte ID number to the xMagic since the Mifare emulator chip inside only supports 4 byte IDs.
You can check the chip type in your 13.56MHz cards and fobs using the Proxmark3 or in some cases by scanning them with an NFC capable Android phone using the TagInfo app.
125kHz chip cloning
There are many types of 125kHz chips in use today that can be emulated by the T5577 chip in the xMagic. They have no security features, just different communication protocols. The T5577 chip is highly configurable so it may emulate many types of these communication protocols, making it a highly versatile chip! You can use the Proxmark3 to clone the following types of 125kHz LF (low frequency) chips to the xMagic. Currently that list includes: AWID, COTAG, EM, FDX-B, Gallagher, Guardall Prox II, HID Prox, Idteck, ioProx, Jablotron, Keri, Motorola, Nedap, NexWatch, Noralsy, PAC/Stanley, Paradox, Presco, Farpointe/Pyramid, Securakey, and Viking.
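The page states that the T5577 ships in EM41xx mode with a 40 bit ID and that these 125kHz formats have no security features. As an added example (not from the original page), this Python code builds and validates the 64-bit EM4100 frame to show that it carries only the ID plus parity for error detection, with no secret or authentication field. The frame layout is the public EM4100 format; the function names and ID values are constructed.

```python
def em4100_encode(tag_id: int) -> str:
    """Return the 64-bit EM4100 frame ('0'/'1' string) for a 40-bit ID."""
    if not 0 <= tag_id < 1 << 40:
        raise ValueError("EM4100 IDs are 40 bits")
    # Ten 4-bit rows, most significant nibble first.
    nibbles = [(tag_id >> shift) & 0xF for shift in range(36, -1, -4)]
    bits = "1" * 9                                  # header: nine 1 bits
    for n in nibbles:
        bits += f"{n:04b}" + str(bin(n).count("1") & 1)   # even row parity
    for col in (3, 2, 1, 0):                        # even column parity
        bits += str(sum((n >> col) & 1 for n in nibbles) & 1)
    return bits + "0"                               # stop bit

def em4100_decode(bits: str) -> int:
    """Validate header, stop bit and both parities; return the 40-bit ID."""
    if len(bits) != 64 or bits[:9] != "1" * 9 or bits[-1] != "0":
        raise ValueError("bad header or stop bit")
    rows = [bits[9 + 5 * i: 14 + 5 * i] for i in range(10)]
    for row in rows:
        if row.count("1") % 2:
            raise ValueError("row parity error")
    for col in range(4):
        column = "".join(row[col] for row in rows) + bits[59 + col]
        if column.count("1") % 2:
            raise ValueError("column parity error")
    # Parity only catches read errors: every well-formed frame is accepted,
    # so the ID is the whole credential.
    return int("".join(row[:4] for row in rows), 2)

def flip_bit(bits: str, index: int) -> str:
    """Simulate a single-bit read error at the given position."""
    flipped = "1" if bits[index] == "0" else "0"
    return bits[:index] + flipped + bits[index + 1:]

if __name__ == "__main__":
    frame = em4100_encode(0x1A2B3C4D5E)             # constructed sample ID
    print(frame, hex(em4100_decode(frame)))
```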