White Cloner locked em4305 chip, trying to recover password with PM3 Easy

Before I knew any better, I bought a White Cloner to re-write Galaxy’s Edge kyber crystals (em4305 chips pretending to be em4100).
It works fine for that, I can change the code from what it shipped with, to any code I want to. Down side is, the White Cloner password protected the chip with an unknown password. So I can keep changing it with the White Cloner, but I can’t change it with anything else (:flipperzero_white: :pm3_easy:).
The “Rfid Signal Writer Analysis” tab in this document with Galaxy’s Edge information shows how to use a :pm3_easy: to sniff the write command the White Cloner is sending, and pull the password for the em4305 out of the bitstream.
I’ve been staring at the data plot for hours, zooming in, zooming out, scrolling through it, and I’m not seeing the “write a password to page 2” bitstream (0001010100001).
Would someone please explain like I’m 5, which one of these blocks should I be trying to decode?
Thanks again.
pm3_data_file.zip (25.6 KB)

I got the t5577s unlocked, but the em4305s seem to have a different code. I tried every password I posted in that thread on the em4305 chips before trying this sniff procedure.

You could try the tear off process?

I used an app on my flipper to brute force the password of an old implant that I used a terrible cloner on years ago. Lost control of that implant for like 7 years before I got it back.


I’ll give that a try, thank you!

The Iceman firmware on the :pm3_easy: has a brute-force, and “try a list of known passwords”. I read in another thread here that a full brute-force of the 4 byte address space would take around 34 years, so I was hoping for something more surgical. Thank you for the suggestion. How long did it take to guess the password on your implant?

I found this post about Proxmark tear-off developments which indicates that having a password set blocks the tear-off process (since you have to provide the password in order to write the PROTECT bits) but it did introduce a sniff command specific to em4x05 that I’ll have to try out today.

1 Like

I used a library of known common passwords and it took maybe 2 minutes or so.

1 Like

any luck?

Not so far.
Yesterday I searched the Discord for iceman firmware, and came across a suggestion of running an lf sniff, saving the data, then increase the packet skip by (samples recorded)x(.75), repeat… I didn’t get any em4x05 commands doing that, but I only stayed at it for half an hour or so. I intend to try more samples this weekend, if I can’t make time before then.

Also, this cloner isn’t just blasting writes into the aether. It attempts much longer when it fails into thin air, than when it successfully writes an existing chip. Which I found interesting.

Worst case, at least the tags are still writable. I may cut my losses.