Clone em410x tag with pm3 easy

Hello. How can I clone an EM410x tag to a FlexMT with the PM3 Easy? It doesn't work. Here is the log.

[usb] pm3 → lf em 410x reader
[+] EM 410x ID 01083E049F

move to implant

[usb] pm3 → lf em 410x clone --id 01083E049F
[+] Preparing to clone EM4102 to T55x7 tag with ID 01083E049F (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff806089ba04cbcc

[+] Done
[?] Hint: try lf em 410x reader to verify
[usb] pm3 → lf em 410x reader
[+] EM 410x ID 0005397FB1

My question is, does the T5577 chip ID seem to change if you try other IDs in your clone statement, or is it more that the ID of the T5577 is not changing at all?

Also what firmware are you using? Post hw ver command output.


It looks like nothing changes.

[usb] pm3 → hw ver

[ Proxmark3 RFID instrument ]

[ CLIENT ]
client: RRG/Iceman/master/fde48cd 2021-04-15 20:46:27
compiled with Clang/LLVM Apple LLVM 12.0.0 (clang-1200.0.32.29) OS:OSX ARCH:x86_64

[ PROXMARK3 ]
firmware… PM3 GENERIC

[ ARM ]
bootrom: RRG/Iceman/master/fde48cd 2021-04-15 20:46:52
os: RRG/Iceman/master/fde48cd 2021-04-15 20:47:07
compiled with GCC 10.2.1 20201103 (release)

[ FPGA ]
LF image built for 2s30vq100 on 2020-07-08 at 23: 8: 7
HF image built for 2s30vq100 on 2020-07-08 at 23: 8:19
HF FeliCa image built for 2s30vq100 on 2020-07-08 at 23: 8:30

[ Hardware ]
–= uC: AT91SAM7S512 Rev A
–= Embedded Processor: ARM7TDMI
–= Internal SRAM size: 64K bytes
–= Architecture identifier: AT91SAM7Sxx Series
–= Embedded flash memory 512K bytes ( 53% used )

[usb] pm3 →

Hmm ok and where are you placing your t5577 disc on the proxmark3? Have you also tried putting some space between like 2cm to 5cm during the write process?

Nothing changes. The clone command shows OK if there is no tag at the reader too.

ok hmm… I think maybe it's time to explore a wipe command on the T5577 to see if it can be wiped / changed

lf t5 wipe

Once run successfully, the lf search command should fail to return anything… but the lf t5 detect should detect a T5577 chip. Keep in mind that write commands to the T5577 chip do not check themselves… the RF is output but the chip is not checked to confirm the write process succeeded… so you can’t assume a successful command execution means the chip has been successfully written to.
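An added example, not part of the original posts and not Proxmark3 client code: it rebuilds the 64-bit EM4102 frame for the ID in the first post's log and compares the read-back ID against it, which is the manual check the reply above says the write command does not perform. The function names are hypothetical; the frame layout (9 header ones, 10 rows of 4 data bits plus even parity, 4 column-parity bits, a 0 stop bit) is the standard EM4102 encoding.

```python
# EM4102 frame: 9 header ones, 10 rows of (4 data bits + even row parity),
# 4 even column-parity bits, 1 stop bit (0) = 64 bits.

def _parity(bits):
    return sum(bits) & 1

def encode_em4102(id_hex):
    """Return the 64-bit frame for a 10-hex-digit EM410x ID."""
    if len(id_hex) != 10:
        raise ValueError("EM410x ID must be 10 hex digits")
    rows = [[(int(n, 16) >> s) & 1 for s in (3, 2, 1, 0)] for n in id_hex]
    bits = [1] * 9
    for row in rows:
        bits += row + [_parity(row)]
    bits += [_parity(col) for col in zip(*rows)]
    bits.append(0)
    return int("".join(map(str, bits)), 2)

def decode_em4102(frame):
    """Return the ID carried by a 64-bit frame, rejecting parity errors."""
    bits = [(frame >> (63 - i)) & 1 for i in range(64)]
    if bits[:9] != [1] * 9 or bits[63] != 0:
        raise ValueError("bad header or stop bit")
    rows = []
    for r in range(10):
        chunk = bits[9 + 5 * r: 14 + 5 * r]
        if _parity(chunk[:4]) != chunk[4]:
            raise ValueError(f"row {r} parity error")
        rows.append(chunk[:4])
    if [_parity(col) for col in zip(*rows)] != bits[59:63]:
        raise ValueError("column parity error")
    return "".join("%X" % int("".join(map(str, row)), 2) for row in rows)

def check_clone(wanted_id, written_frame, readback_id):
    """Classify a clone attempt from the three values the client prints."""
    if written_frame != encode_em4102(wanted_id):
        return "client sent a frame that does not encode the wanted ID"
    if readback_id.upper() != decode_em4102(written_frame):
        return "frame was correct but the tag still answers with another ID"
    return "read-back matches the written frame"

if __name__ == "__main__":
    # Values copied from the log in the first post of this thread.
    print(check_clone("01083E049F", 0xFF806089BA04CBCC, "0005397FB1"))
```

With the values from the log, the frame the client reported writing is the correct encoding of 01083E049F, so the mismatch lies between the RF output and the chip, not in the clone command's arguments.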

It shows the same. I have used the white cloner before. Can it be the problem?

ahhhhhhhh

yes that is a problem.

first possibility is the setting of a password on the T5577… the white cloners will often set a password… I think there is such a password that is basically universal across the white cloners which has been documented here on this forum, but I have no idea where… @Pilgrimsmaster might recall… he holds the entirety of this forum in his librarian mind

the other issue with the white cloner is that it is known to somehow “alter” the configuration of the T5577 in a way that is definitely not for the better… but I think (think) the wipe command may fix that… but you will need to use the wipe command with the password to actually wipe it.


maybe…
you could check this out and try it

the syntax may have changed since @TomHarkness found it, but the principle should be the same


It looks like it’s the wrong password. None of the lf t5 detect commands work.
I get the error
[!] :warning: Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’

Here, try the Blue Cloner Password… just in case

Again, the syntax may have changed, just follow through the prompts as the Proxmark steps you through it


I just had another thought

Test mode !!!

@fraggersparks has a short guide here. It definitely may be worth a try on both the White Cloner AND the blue cloner passwords

It doesn’t work. I found a guide, but is there a way to do the same without a GUI?
https://www.drassal.net/wp/index.php/2021/02/19/investigating-blue-125khz-rfid-tags-from-china-bought-off-amazon-with-a-proxmark3/

Did we confirm that you don’t have mismatched firmware?

You are running this on iOS, correct?

No, on a Mac.

If I follow the link I posted and save the data, I get this. I don’t have a GUI and can’t analyse the waveform. Can someone with a GUI do that? Here are the files:
https://drive.google.com/drive/folders/1cHk0LUXESffEhAGYd4EnXPkQK1FO38rP?usp=sharing


@Pilgrimsmaster
I reinstalled the pm3 client with GUI. I get this image. How can I get the hex data from the image?

Hi @jens you don’t need to do all that, just try using the commands @Pilgrimsmaster quoted;

Try and rewrite the bare config block 0 data using this command:

lf t55xx write b 0 d 000880E0 p 51243648 t

Then run a:

lf t55xx wipe

After this, see if you can run a:

lf t55 detect

and report back.


I can’t detect it at all now after a successful wipe and clone. I sniffed the password from the cloner, but now no device detects it.
The passwords I found are
19920427
002F8F8F