Clone em410x tag with pm3 easy

Pilgrimsmaster · April 20, 2021, 9:16pm

AlertIlliterateJumpingbean-size_restricted

jens · April 20, 2021, 10:22pm

it looks like it’s the wrong password. none of the lf t5 detect commands works.
i get the error
[!] Could not detect modulation automatically. Try setting it manually with ‘lf t55xx config’

Pilgrimsmaster · April 20, 2021, 11:47pm

Here, try the Blue Cloner Password…Just incase

Again, the syntax may have changed, just follow through the prompts as the Proxmark steps you through it

Pilgrimsmaster · April 20, 2021, 11:50pm

I just had another thought

Test mode !!!

@fraggersparks has a short guide here, It definitely may be worth a try on both the White Cloner AND the blue cloner passwords

jens · April 20, 2021, 11:56pm

it don’t works. i found a guide but is there a way to do the same without a gui?
https://www.drassal.net/wp/index.php/2021/02/19/investigating-blue-125khz-rfid-tags-from-china-bought-off-amazon-with-a-proxmark3/

Pilgrimsmaster · April 21, 2021, 12:06am

Did we confirm that you don’t have mismatched firmware?

You are running this on a iOS correct?

jens · April 21, 2021, 12:18am

no on a mac

jens · April 21, 2021, 10:06pm

if i follow the link i posted and saved the data i get this. i don’t have a gui and can’t analyse the waveform. can someone with a gui do that? here is the files
https://drive.google.com/drive/folders/1cHk0LUXESffEhAGYd4EnXPkQK1FO38rP?usp=sharing

jens · April 22, 2021, 10:53pm

@ Pilgrimsmaster
i reinstalled the pm3 client with gui. i get this image. how can i get the hex-data from the image?

amal · April 23, 2021, 5:17pm

Hi @jens you don’t need to do all that, just try using the commands @Pilgrimsmaster quoted;

Try and rewrite the bare config block 0 data using this command:

lf t55xx write b 0 d 000880E0 p 51243648 t

Then run a:

lf t55xx wipe

After this, see if you can run a:

lf t55 detect

and report back.

jens · April 23, 2021, 7:55pm

i can’t detect it at all now after success wipe and clone. i sniffed the password from the cloner but now no device detects it.
the passwords i found is
19920427
002F8F8F

amal · April 23, 2021, 8:30pm

Ok so now try to write with a clone command

jens · April 23, 2021, 8:53pm

nothing happens

amal · April 23, 2021, 11:34pm

If you’d like to try doing a remote session we can see if your t5577 is recoverable…

jens · April 24, 2021, 3:46pm

Yes pls. how do we solve it in the best way? should I open up an ssh connection

ItaBeAight · April 24, 2021, 5:06pm

Is that the latest version of iceman on your PM3 easy? If so, I believe they changed the command adding a (-) before the p.

Example: lf t55xx detect -p 12345678

Try that command with your different cloner passwords and see if anything happens.

jens · April 24, 2021, 11:11pm

@amal I have sent ssh account details to you And put the antenna.

amal · April 27, 2021, 4:24pm

I just SSH’d to the machine and the firmware is compiled for an RDV4 not the PM3OTHER version… that could definitely be causing some problems.

jens · April 27, 2021, 7:31pm

now i have upgraded the firmware

Pablo98 · November 24, 2022, 9:14pm

Hi Jens,

I had the same problem and the same password on the Chinese cloner .
Follow this step and it will work Proxmark 3 - Manually setting and removing passwords on T55xx chips

lf t55xx detect -p 19920427

lf t55xx write -b 0 -d 00107060 -p 19920427 etc …