CLONING - Blue Cloner How To

Blue EM / HID Cloner:

**PRE-AMBLE**

@TomHarkness's thread is the main source of this information and it could probably be used as a wiki. I have taken most of his information and condensed it down to just the HOW TO! rather than the reasons why etc. I do, however, highly recommend you read his thread in conjunction with this.
Also, a lot of information is from the Godfather himself @amal throughout this forum and the DT website, when they used to sell it.

There are many people on here with a lot more knowledge than myself. I am just copying, pasting and regurgitating things I have seen/read and heard, and compiling them to hopefully make an easy-to-follow HOW TO guide with the goal of having a single repository, helping people make better decisions and hopefully reducing the number of repetitive questions on the forum.
Feel free to offer updates, corrections, and further info.


**CLONE**

The xEM Cloner can copy any 125kHz EM41xx/EM4200 or HID ProxCard II tag ID to the Dangerous Things xEM chip or NExT.

Put the Blue-Cloner next to the source tag/fob and press the “read” button

Place the Blue-Cloner next to your xEM, or NExT chip and press the “write” button ( hold everything firmly and steady… no movement… wait at least 3 seconds before doing anything… if you get beeps, you should be good… no beeps, reposition and try again)

The source ID will be copied into your xEM chip!

OR Still no beeps???

Take your Blue cloner… take it apart… see the rectangle antenna wire? With the case apart, you can lay that wire directly on top of and perpendicular to the NExT as it rests under the skin
Once you’ve got it positioned well, REPEAT as above

DONE (OR no beeps!!! buy a Proxmark and LF antenna OR find someone to help OR wait for the DT Cloner)
SO NOW YOU ARE DONE

However

  • The Blue-Cloner will write the source ID to your xEM tag, then set a password after writing. This protects the xEM chip from other malicious writers, but it also means your xEM requires a password to write data to it.
  • This does not affect the Blue-Cloner – it will continue to function properly – but if you wish to write to your xEM using any other writer, you will need to ensure the writer can authenticate first using the password 51243648. See UNLOCK Below!!!


**UNLOCK**

Firstly, you will need:

  • Need: a Proxmark, or find somebody to help
  • Highly recommend: ProxLF antenna for the Proxmark3 RDV4
  • Suggest: spare t5577 keychain fobs; break them, un-break them and learn as you go.

The stock proxmark3, proxmark3 RDV2 and proxmark3 easy antennas are NOT designed to work with the cylindrical antennas in xEM’s or NExTs. This causes a few issues with accuracy when we try to read / write to the chip so a Proxmark and LF antenna is recommended but not always necessary. (DT antenna only compatible with PM3 RDV4)

All Blue-Cloners set the same password, 51243648, and can be unlocked with a proxmark3.

A tip on coil placement:

  1. Try to issue an lf t55xx detect command. If the Proxmark can detect the chip then you are close to a good spot (if the chip is locked the Proxmark will not return anything - this is part of what makes unlocking implants & antenna placement tricky).
  2. After the lf t55xx detect, issue an lf t55xx trace a few times. If the Proxmark returns the t55 traceability data screen you are in the “sweet spot” and writes should work cleanly.

Therefore the Proxmark commands are as follows:

lf t55xx detect
lf t55xx trace

Example result:

T55x7 Trace Information

ACL Allocation class (ISO/IEC 15963-1) : 0xE0 (224)
MFC Manufacturer ID (ISO/IEC 7816-6) : 0x15 (21) - ATMEL France
CID : 0x01 (1) - ATA5577M1
ICR IC Revision : 2
Manufactured
Year/Quarter : 2014/2
Lot ID : 727
Wafer number : 16
Die Number : 8968

Raw Data - Page 1
Block 1 : 0xE0150A48 11100000000101010000101001001000
Block 2 : 0x2D782308 00101101011110000010001100001000

lf t55xx wipe

lf t55xx write b 1 d E0150A48 1
lf t55xx write b 2 d 2D782308 1

Based on the above information our implants can be unlocked with the following commands and block data.
Included are the Block 0 configuration settings for all common modes with and without password protection:

  • EM4100 NO PWD: 00148041
  • EM4100 PWD ACTIVE: 00148051
  • HID NO PWD: 00107060
  • HID PWD ACTIVE: 00107071
  • BLANK t55 config: 00088040

Blue HID / EM Cloner:
lf t55xx write b 0 d ******** p 51243648

Note that in place of ******** you need to put the correct Analogue Block 0 settings for the specific mode that you currently have the xEM in.


**REFERENCE INFORMATION**

@tomharkness thread
DT Blue cloner
proxmark lf t55 operations
ATA5577C datasheet
xEM_Atmel-9187-RFID-ATA5577C_Datasheet.pdf

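To see what the Block 0 values listed under UNLOCK actually configure, and to confirm which one matches the mode a chip is in before writing it, the sketch below decodes a T5577 configuration word into its fields. It is an added example, not code from the original post or from the Proxmark project; the function names are hypothetical, and the field positions are an assumption taken from the basic (non-extended) mode layout in the ATA5577C datasheet.

```python
# Added example: decode a T5577 block 0 configuration word (basic mode only).
# Bit positions are an assumption based on the ATA5577C datasheet layout.
BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0: "direct", 1: "PSK1", 2: "PSK2", 3: "PSK3", 4: "FSK1",
               5: "FSK2", 6: "FSK1a", 7: "FSK2a", 8: "Manchester",
               16: "Biphase"}

# Config words exactly as listed in the post, keyed by the post's labels.
POST_CONFIGS = {
    "EM4100 NO PWD": "00148041",
    "EM4100 PWD ACTIVE": "00148051",
    "HID NO PWD": "00107060",
    "HID PWD ACTIVE": "00107071",
    "BLANK t55 config": "00088040",
}

def decode_block0(word_hex):
    """Return the basic-mode fields of an 8-hex-digit block 0 word."""
    if len(word_hex) != 8:
        raise ValueError("block 0 must be exactly 8 hex digits")
    word = int(word_hex, 16)
    master_key = word >> 28
    if master_key in (0x6, 0x9):
        # These master keys select extended mode, which uses another layout.
        raise ValueError("extended-mode config words are not handled here")
    return {
        "bit_rate": BIT_RATES[(word >> 18) & 0x7],
        "modulation": MODULATIONS.get((word >> 12) & 0x1F, "reserved"),
        "aor": bool((word >> 9) & 1),
        "max_block": (word >> 5) & 0x7,      # last data block transmitted
        "password": bool((word >> 4) & 1),   # PWD bit: writes need the password
        "seq_terminator": bool((word >> 3) & 1),
        "init_delay": bool(word & 1),
    }

def changed_fields(hex_a, hex_b):
    """Names of the fields that differ between two config words."""
    a, b = decode_block0(hex_a), decode_block0(hex_b)
    return sorted(name for name in a if a[name] != b[name])

if __name__ == "__main__":
    for label, value in POST_CONFIGS.items():
        f = decode_block0(value)
        print(f"{label:18} {value}  {f['bit_rate']:6} {f['modulation']:10} "
              f"maxblk={f['max_block']} pwd={f['password']}")
    print(changed_fields("00148041", "00148051"))
```

Decoding a value before it is written makes a mismatch visible, for example an EM-mode word chosen for a chip that is currently emulating HID.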