White Cloner - Password found!


#1

Hi All,

Very quick post to get this out there.

I’ve been working to figure out the password that gets set by the well-known WHITE Chinese cloner when writing to tags. A friend has a locked xEM implanted, so there was some real motivation to get this password for him. There is one known pass already on the proxmark forum, but unfortunately it is only for some very old models.

If you have an xEM that you have locked with the Cloner pictured and wish to be able to write to it with other devices, you can unlock it with the password:

AA55BBBB

The full command is: lf t55xx write b 0 d 00148041 p AA55BBBB

A tip for coil / tag orientation before writing the password: make sure that you find a position where you can not only do an “lf search” and get a valid tag result, but MAKE SURE that you are able to run “lf t55xx p1detect” and get a valid t55xx tag found message. This will ensure you have VERY good coupling / positioning, as you can never get a good p1 detect with bad coupling / positioning.


Cheers,
TH
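
An added example, not part of the original post: a small decoder for the block 0 data word used in the command above (`d 00148041`), showing which configuration fields that write sets. The field layout is an assumption taken from the T5577 basic-mode configuration block (bit 1 is the most significant bit); the function and field names are illustrative.

```python
# Decode a T55xx block 0 configuration word into named fields.
# Layout assumed from the T5577 basic-mode configuration block;
# datasheet bit 1 is the MSB of the 32-bit word.
BIT_RATES = ["RF/8", "RF/16", "RF/32", "RF/40",
             "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {
    0x00: "direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
    0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
    0x08: "Manchester", 0x10: "Biphase",
}


def _bits(word, first, last):
    """Return datasheet bits first..last (1-based, MSB first) as an int."""
    width = last - first + 1
    return (word >> (32 - last)) & ((1 << width) - 1)


def decode_block0(hex_word):
    """Decode an 8-hex-digit block 0 value as typed after 'd' in the command."""
    if len(hex_word) != 8:
        raise ValueError("block 0 must be exactly 8 hex digits")
    word = int(hex_word, 16)  # raises ValueError on non-hex input
    mod = _bits(word, 16, 20)
    return {
        "master_key": _bits(word, 1, 4),
        "bit_rate": BIT_RATES[_bits(word, 12, 14)],
        "modulation": MODULATIONS.get(mod, "unknown(0x%02x)" % mod),
        "psk_cf": _bits(word, 21, 22),
        "aor": bool(_bits(word, 23, 23)),
        "max_block": _bits(word, 25, 27),
        "password_mode": bool(_bits(word, 28, 28)),
        "sequence_terminator": bool(_bits(word, 29, 29)),
        "por_delay": bool(_bits(word, 32, 32)),
    }


if __name__ == "__main__":
    # 00148041 is the data word from the post; 00148050 is a constructed
    # comparison value with the password-mode bit set.
    for value in ("00148041", "00148050"):
        print(value, decode_block0(value))
```

In the decoded `00148041` word the password-mode bit is 0, so after that write the tag's configuration no longer asks for a password.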


#2

Do you have a write-up of how this was sniffed using the proxmark 3? Any guides or resources would be great.