Proxmark3 can't recover white copier tags - what now?

I’m trying to recover tags I have tried to program with my Chinese white copier and also make some that are similar to the ones that came with it.

More details:
Lock info:
About the tags that came with it: they are not writable by anything and are (if I can say so) EM4100 emulators. My Arduino copier shows no write “emotions” to them. Proxmark3 can’t write anything. I’d say they are EM4100 emulators because my house has a write filter - if the tag is writable, even if it’s enrolled, the door doesn’t open. The ones that came with the device do open the door, and the ones I buy do not.

Recovery status:
Nothing helped. Before I could program T55XX cards as HID, now I cannot. Trying to reset with wipe, traceability fake, type block edit, AA55BBBB password (and with testmode write!) doesn’t help much. It’s changing a bit (p1detect shows that this is downlink fixed byte and that’s it) and then dumps with 00FF0F0F everywhere, then doesn’t dump, etc etc etc… I also tried to run lf sniff but after 2 seconds the command just quits. What’s up with that then?

Behavior:
If these are actually getting pinlocked or something, they should then bypass the filters in our house in the assumption of them being write protected. They do not.

What does all of this mean for these tags?
P.S. My white copier was bought in summer 2022.

Can’t be of much help, but maybe you haven’t seen this and there is a helpful detail:

maybe the Unlock section?

I very well have seen the AA55BBBB part. Didn’t help.

I tried to sniff the write, only got binary data. Nothing useful from what I can see, threshold was 128/128.
Enjoy my logs:

Oh, other than that, the write went (or didn’t go all the way through for the proxmark)
NRZ: 00110011001100110011001100110011000011001100110011001100001110101010101011101110101011101110101011101010111010101010101011101010101011101010111011101110111011101110111100000000111100110011001100110011001100110011000011001100110011001100110011001100110011001100110011001100110011110011001100110000111100001111000011100111010101010101010101010101010111010111010101110101010101010101011101011101010101010101011110000000011110011001100110011001100110011001100001100110011001100110011001100110011001100110011001100110
ASK Manchester: 0111000000011100100000000110100001100100001000011110111010001101111100000001110010000000011010000110010000100001111011101000110111110000000111001000000001101000011001000010000111101110100

Some further great work by @TomHarkness
that you can try

Scroll down to this section,
ISSUE #2 - THE WHITE CLONER AND “ID” MODE

in this link

Well, I’ve also read it. No help too (remember me mentioning test mode writes?)

Oh wait, I found something. 19920427. That works for most of the tags I have, except the ones that came with it which don’t detect with any protocol at all.


Weird. Last time I ran the check passwords command it returned nothing.

Well, I guess this is settled.
Other than that, if I were to examine the weird tags I have, what could they be? I have some of these Chinese tags which are a very weird format that I don’t know, and I have “H5.5” and “H7” tags from iKEY. I’m trying to find a way to write those, and they don’t appear to be EM4X50’s or 70’s. iKey suggests using their TMD copiers, but buying a TMD-3R for $130 doesn’t seem to be the smartest idea. Sure, I could sniff the write process and suggest something on GitHub but the time to figure it out, eh.

TLDR: password was 19920427, curious about the mystical Chinese tags and the H5.5 + H7 ones from iKEY.

Quick edit: stopped reading… perhaps lucky case. PM3 config error? forgot I wrote new pass 0x0