Blue EM / HID Cloner:
@TomHarkness's thread is the main source of this information and it could probably be used as a wiki. I have taken most of his information and condensed it down to just the HOW TO! rather than the reasons why etc. I do, however, highly recommend you read his thread in conjunction with this.
Also, a lot of information is from the Godfather himself @amal throughout this forum and the DT website, when they used to sell it.
There are many people on here with a lot more knowledge than myself. I am just copying, pasting and regurgitating things I have seen, read and heard, and compiling them to hopefully make an easy to follow HOW TO guide with the goal of having a single repository, helping people make better decisions and hopefully reducing the number of repetitive questions on the forum.
Feel free to offer updates, corrections, and further info.
Put the Blue-Cloner next to the source tag/fob and press the “read” button
Place the Blue-Cloner next to your xEM or NExT chip and press the “write” button (hold everything firmly and steady… no movement… wait at least 3 seconds before doing anything… if you get beeps, you should be good… no beeps, reposition and try again).
The source ID will be copied into your xEM chip!
OR Still no beeps???
Take your Blue cloner… take it apart… see the rectangle antenna wire? With the case apart, you can lay that wire directly on top of and perpendicular to the NExT / xEM as it rests under the skin
Once you’ve got it positioned well, REPEAT as above
OPTIONAL MODIFICATION IMPROVEMENT By @Rosco
- The Blue-Cloner will write the source ID to your xEM tag, then set a password after writing. This protects the xEM chip from other malicious writers, but it also means your xEM requires a password to write data to it.
- This does not affect the Blue-Cloner – it will continue to function properly – but if you wish to write to your xEM using any other writer, you will need to ensure the writer can authenticate first using the password 51243648. See UNLOCK Below!!!
The stock proxmark3, proxmark3 RDV2 and proxmark3 easy antennas are NOT designed to work with the cylindrical antennas in xEMs or NExTs. This causes a few issues with accuracy when we try to read / write to the chip, so a Proxmark and LF antenna is recommended but not always necessary. (DT antenna only compatible with PM3 RDV4)
All Blue-Cloners set the same password, 51243648, and chips locked this way can be unlocked with a proxmark3.
A tip on coil placement:
- Try to issue an lf t55xx detect command. If the Proxmark can detect the chip then you are close to a good spot (if the chip is locked the Proxmark will not return anything; this is part of what makes unlocking implants and antenna placement tricky).
- After the lf t55xx detect, issue an lf t55xx trace a few times. If the Proxmark returns the t55 traceability data screen, you are in the “sweet spot” and writes should work cleanly.
Therefore the Proxmark commands are as follows:
lf t55xx detect
lf t5 trace
Example result:
T55x7 Trace Information
ACL Allocation class (ISO/IEC 15963-1) : 0xE0 (224)
MFC Manufacturer ID (ISO/IEC 7816-6) : 0x15 (21) - ATMEL France
CID : 0x01 (1) - ATA5577M1
ICR IC Revision : 2
Year/Quarter : 2014/2
Lot ID : 727
Wafer number : 16
Die Number : 8968
Raw Data - Page 1
Block 1 : 0xE0150A48 11100000000101010000101001001000
Block 2 : 0x2D782308 00101101011110000010001100001000
lf t55xx wipe
lf t55xx write b 1 d E0150A48 1
lf t55xx write b 2 d 2D782308 1
Based on the above information, our implants can be unlocked with the following commands and block data.
Included are the Block 0 configuration settings for all common modes with and without password protection:
EM4100 NO PWD-------------------00148041
EM4100 PWD ACTIVE-------------00148051
HID NO PWD-------------------------00107060
HID PWD ACTIVE-------------------00107071
BLANK t55 config--------------------00088040
Blue HID / EM Cloner:
lf t55xx write b 0 d ******** p 51243648
Note that in place of ******** you need to put the correct Analogue Block 0 settings for the specific mode that you currently have the xEM in.
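To help pick the right Block 0 value, here is an added example (not from the original thread or the Proxmark project) that decodes the configuration words listed above. It assumes the T5577 basic-mode bit layout from the chip datasheet; the function names and the "bit32" label are this example's own.

```python
# Added example: decode T5577 Block 0 configuration words (basic mode only).
# The field layout comes from the T5577 datasheet, not from this guide.
import re

BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {0: "direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
               5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "Manchester", 16: "Biphase"}

# Block 0 values exactly as listed in the guide above.
GUIDE_CONFIGS = {
    "EM4100 NO PWD": "00148041",
    "EM4100 PWD ACTIVE": "00148051",
    "HID NO PWD": "00107060",
    "HID PWD ACTIVE": "00107071",
    "BLANK t55 config": "00088040",
}


def decode_block0(hex_word):
    """Split an 8-hex-digit Block 0 word into its basic-mode fields."""
    text = hex_word.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", text):
        raise ValueError("Block 0 must be exactly 8 hex digits: %r" % hex_word)
    word = int(text, 16)
    mod = (word >> 12) & 0x1F
    return {
        "master_key": word >> 28,
        "bit_rate": BIT_RATES[(word >> 18) & 0x7],
        "modulation": MODULATIONS.get(mod, "reserved (%d)" % mod),
        "max_block": (word >> 5) & 0x7,   # last block sent in the read loop
        "password": bool(word & 0x10),    # PWD bit: password mode on
        "seq_terminator": bool(word & 0x08),
        "bit32": bool(word & 0x01),       # POR/init delay flag in the datasheet
    }


def changed_fields(hex_a, hex_b):
    """Names of the decoded fields that differ between two Block 0 words."""
    a, b = decode_block0(hex_a), decode_block0(hex_b)
    return sorted(name for name in a if a[name] != b[name])


if __name__ == "__main__":
    for label, value in GUIDE_CONFIGS.items():
        print(label, value, decode_block0(value))
    print(changed_fields("00148041", "00148051"))
    print(changed_fields("00107060", "00107071"))
```

The two EM4100 values differ only in the password bit, while the two HID values listed here also differ in the last bit of the word.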