Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-10-11 23:23:17

mikelelere
Contributor
Registered: 2017-11-14
Posts: 6

Unlock tags written with multifrequency chinese cloner

Hi. Does anybody know whether this DANIU SK-68 multifrequency chinese cloner sets a password when writing to a tag?

I've tried all the different known passwords and no joy. I've also tried sniffing the password using both a proxmark and a RTL-SDR dongle tuned to 125KHz in direct mode. I couldn't match the sniffed data to neither T55xx nor EM4305 commands...

Thanks

Last edited by mikelelere (2018-10-11 23:24:54)

Offline

#2 2018-10-12 01:55:16

Slack
Contributor
Registered: 2018-08-13
Posts: 5

Re: Unlock tags written with multifrequency chinese cloner

Try A5B4C3D2

- Slack

Offline

#3 2018-10-12 02:07:20

Spyder
Contributor
Registered: 2017-12-20
Posts: 21

Re: Unlock tags written with multifrequency chinese cloner

The code was AA55BBBB on mine.

Offline

#4 2018-10-12 09:57:42

mikelelere
Contributor
Registered: 2017-11-14
Posts: 6

Re: Unlock tags written with multifrequency chinese cloner

Hi, thanks for the responses. I tried both passwords but unfortunately none of them work.

I'm attaching a WAV file (can be opened with Audacity, for example) with the data I sniffed using the RTL-SDR device (it is already AM demodulated) just in case anyone wants to help to decode it. The capture includes 4 "Write" button presses. Each button press seems to generate 7 pulse trains. The leading 3 pulse trains can be matched to three AT55xx standard writes (no password) to blocks 0, 1, and 2 (the third pulse train writes the data 0x00188040 to block 0). It seems to me that the interesting stuff is in the following four pulse trains. I've tried to match these four to AT55xx commands but I failed. The first pulse train is too long to match any command, while the others are only 69 bits long (70 bits are needed for a protected write command according to the datasheet). Thanks.

Last edited by mikelelere (2018-10-18 20:25:04)

Offline

#5 2018-10-15 12:12:58

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: Unlock tags written with multifrequency chinese cloner

Did you try to read block 7?

Offline

#6 2018-10-15 13:22:20

mikelelere
Contributor
Registered: 2017-11-14
Posts: 6

Re: Unlock tags written with multifrequency chinese cloner

anybody wrote:

Did you try to read block 7?

Yes, I did. I cannot read any blocks in the tag using t55 commands. Furthermore, the tag is no longer recognized as a T5577 (not even using lf t55 detect), but as an EM4100 (it reports an ID when sending the lf search u command). I can however write to the tag using the chinese cloner...

Offline

#7 2018-10-15 23:32:03

Violet
Contributor
Registered: 2018-09-13
Posts: 11

Re: Unlock tags written with multifrequency chinese cloner

I apologize if posting a link to another forum is taboo.

You may find a solution on this thread over at Dangerous Things:
https://forum.dangerousthings.com/t/xem-cloning-emulation-modes-and-the-perils-of-chinese-cloners/1547

TomHarkness found the white multifrequency cloner did something that required use of Test Mode when trying to remove the password to recover a T5577 tag.

Maybe that will help?

Offline

#8 2018-10-16 09:05:04

mikelelere
Contributor
Registered: 2017-11-14
Posts: 6

Re: Unlock tags written with multifrequency chinese cloner

Violet wrote:

I apologize if posting a link to another forum is taboo.

You may find a solution on this thread over at Dangerous Things:
https://forum.dangerousthings.com/t/xem-cloning-emulation-modes-and-the-perils-of-chinese-cloners/1547

TomHarkness found the white multifrequency cloner did something that required use of Test Mode when trying to remove the password to recover a T5577 tag.

Maybe that will help?

Thanks for the pointer. I visited that thread earlier while searching for known passwords for the cloner, and I tried unlocking the tag with different known passwords in test mode (including these provided in some replies in this thread). Did not work. The multifrequency cloner I own is not the same as the one in that thread. Mine is a cheaper version...

Offline

#9 2018-10-17 14:35:57

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: Unlock tags written with multifrequency chinese cloner

Try pwd 00 00 00 00 and 05 00 00 00

Last edited by anybody (2018-10-18 10:04:23)

Offline

#10 2018-10-18 20:23:43

mikelelere
Contributor
Registered: 2017-11-14
Posts: 6

Re: Unlock tags written with multifrequency chinese cloner

anybody wrote:

Try pwd 00 00 00 00 and 05 00 00 00

I did try indeed (and some others very similar like 12345678). Did not work. Thanks.

Last edited by mikelelere (2018-10-18 20:24:09)

Offline

#11 2018-10-19 09:18:03

duckwc
Contributor
Registered: 2018-10-12
Posts: 8

Re: Unlock tags written with multifrequency chinese cloner

Hi,

I hope it's a good place to share here. My cloner was iclone 3 model:
iclone

I couldn't find any way to demodulate automatically the LF signal on the PM3, so I ended up doing it manually and found the password for this one, which I couldn't find anywhere listed:

0x19920427

I hope this can help someone...

Offline

#12 2018-11-01 06:38:34

anybody
Contributor
Registered: 2016-12-20
Posts: 36

Re: Unlock tags written with multifrequency chinese cloner

mikelelere, can you attach another trace from your Chinese reader, for comparison?

Offline

#13 2018-12-04 15:58:23

Galahad8
Contributor
Registered: 2018-12-04
Posts: 8

Re: Unlock tags written with multifrequency chinese cloner

I bought one like your device from TaoBao.
Have same problem. It will lock card after update card info. After that I can't use other device to change card except  Chinese cloner.
Anyone could tell me how to sniffer cloner when write a card.

Offline

Board footer

Powered by FluxBB