Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2018-10-11 23:23:17

mikelelere
Contributor
Registered: 2017-11-14
Posts: 5

Unlock tags written with multifrequency chinese cloner

Hi. Does anybody know whether this DANIU SK-68 multifrequency Chinese cloner sets a password when writing to a tag?

I've tried all the different known passwords and no joy. I've also tried sniffing the password using both a Proxmark and an RTL-SDR dongle tuned to 125 kHz in direct mode. I couldn't match the sniffed data to either T55xx or EM4305 commands...

Thanks

Last edited by mikelelere (2018-10-11 23:24:54)

Offline

#2 2018-10-12 01:55:16

Slack
Contributor
Registered: 2018-08-13
Posts: 3

Re: Unlock tags written with multifrequency chinese cloner

Try A5B4C3D2

- Slack

Offline

#3 2018-10-12 02:07:20

Spyder
Contributor
Registered: 2017-12-20
Posts: 20

Re: Unlock tags written with multifrequency chinese cloner

The code was AA55BBBB on mine.

Offline

#4 2018-10-12 09:57:42

mikelelere
Contributor
Registered: 2017-11-14
Posts: 5

Re: Unlock tags written with multifrequency chinese cloner

Hi, thanks for the responses. I tried both passwords but unfortunately neither of them works.

I'm attaching a WAV file (can be opened with Audacity, for example) with the data I sniffed using the RTL-SDR device (it is already AM demodulated) just in case anyone wants to try to decode it. The capture includes 4 "Write" button presses. Each button press seems to generate 7 pulse trains. The leading 3 pulse trains can be matched to three AT55xx standard writes (no password) to blocks 0, 1, and 2 (the third pulse train writes the data 0x00188040 to block 0). It seems to me that the interesting stuff is in the following four pulse trains. I've tried to match these four to AT55xx commands but I failed. The first pulse train is too long to match any command, while the others are only 69 bits long (70 bits are needed for a protected write command according to the datasheet). Thanks.

Last edited by mikelelere (2018-10-12 10:03:00)

Offline
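Added example, not part of any post in this thread: a small Python decoder for the frame lengths and the block 0 word quoted in post #4. It assumes the T5577 basic-mode configuration layout and the 38-bit standard and 70-bit protected write framings from the datasheet; the sample frame is constructed from the quoted value 0x00188040, and the function names are hypothetical.

```python
# Field positions follow the T5577 basic-mode block 0 layout (assumption:
# the tag is not in extended mode, where some fields are interpreted differently).
BITRATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {0: "direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1", 5: "FSK2",
               6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase"}

def decode_config(word):
    """Split a T5577 block 0 word (basic mode) into its fields."""
    mod = (word >> 12) & 0x1F
    return {
        "master_key": (word >> 28) & 0xF,
        "bitrate": BITRATES[(word >> 18) & 0x7],
        "modulation": MODULATIONS.get(mod, "reserved (%d)" % mod),
        "psk_cf": (word >> 10) & 0x3,
        "aor": bool(word & 0x200),
        "max_block": (word >> 5) & 0x7,
        "pwd": bool(word & 0x10),          # password mode enabled
        "seq_terminator": bool(word & 0x08),
        "init_delay": bool(word & 0x01),
    }

def parse_downlink(bits):
    """Classify a demodulated downlink frame (string of '0'/'1') by its length."""
    # Standard write: opcode(2) + lock(1) + data(32) + address(3) = 38 bits.
    if len(bits) == 38 and bits[0] == "1":
        return {"kind": "standard write", "page": int(bits[1]),
                "lock": bits[2] == "1", "data": int(bits[3:35], 2),
                "block": int(bits[35:], 2)}
    # Protected write: opcode(2) + password(32) + lock(1) + data(32) + address(3) = 70 bits.
    if len(bits) == 70 and bits[0] == "1":
        return {"kind": "protected write"}
    return {"kind": "unknown", "length": len(bits)}

if __name__ == "__main__":
    # Constructed frame: page 0 write, lock bit clear, data 0x00188040, block 0.
    frame = "10" + "0" + format(0x00188040, "032b") + "000"
    cmd = parse_downlink(frame)
    print(cmd["kind"], "block", cmd["block"], "data %08X" % cmd["data"])
    for field, value in decode_config(cmd["data"]).items():
        print("  %-15s %s" % (field, value))
    print(parse_downlink("0" * 69))  # a 69-bit train matches neither framing
```

Under these assumptions the quoted word decodes to RF/100, Manchester, max block 2, with the password bit clear.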

#5 Yesterday 12:12:58

anybody
Contributor
Registered: 2016-12-20
Posts: 6

Re: Unlock tags written with multifrequency chinese cloner

Did you try to read block 7?

Offline

#6 Yesterday 13:22:20

mikelelere
Contributor
Registered: 2017-11-14
Posts: 5

Re: Unlock tags written with multifrequency chinese cloner

anybody wrote:

Did you try to read block 7?

Yes, I did. I cannot read any blocks in the tag using t55 commands. Furthermore, the tag is no longer recognized as a T5577 (not even using lf t55 detect), but as an EM4100 (it reports an ID when sending the lf search u command). I can however write to the tag using the Chinese cloner...

Offline

#7 Yesterday 23:32:03

Violet
Contributor
Registered: 2018-09-13
Posts: 8

Re: Unlock tags written with multifrequency chinese cloner

I apologize if posting a link to another forum is taboo.

You may find a solution on this thread over at Dangerous Things:
https://forum.dangerousthings.com/t/xem-cloning-emulation-modes-and-the-perils-of-chinese-cloners/1547

TomHarkness found the white multifrequency cloner did something that required use of Test Mode when trying to remove the password to recover a T5577 tag.

Maybe that will help?

Offline

#8 Today 09:05:04

mikelelere
Contributor
Registered: 2017-11-14
Posts: 5

Re: Unlock tags written with multifrequency chinese cloner

Violet wrote:

I apologize if posting a link to another forum is taboo.

You may find a solution on this thread over at Dangerous Things:
https://forum.dangerousthings.com/t/xem-cloning-emulation-modes-and-the-perils-of-chinese-cloners/1547

TomHarkness found the white multifrequency cloner did something that required use of Test Mode when trying to remove the password to recover a T5577 tag.

Maybe that will help?

Thanks for the pointer. I visited that thread earlier while searching for known passwords for the cloner, and I tried unlocking the tag with different known passwords in test mode (including those provided in some replies in this thread). Did not work. The multifrequency cloner I own is not the same as the one in that thread. Mine is a cheaper version...

Offline
