xEM cloner project, wrong password, and Ebay

I currently have two “xEM cloners”, one that I bought from DT and the other was the lower model that I purchased off of eBay. The lower down model from eBay appears to have a different password set on it than the one from DT because I can still copy info to my tag from the cheap one, but not from the Dangerous Things one.


Now, to some extent, this isn’t your problem. I was the one who bought a reader from China that I knew nothing about, but, on the flip side, I ordered your xEM cloner on Oct 27th (Order #5039) at the full price when it appears you have been aware of this problem since well before that date (xEM cloner project thread created in June, my order was in late October). I may not know the full story, but from my side at least it looks like I got the short end of the stick.

I’m not mad, and I don’t really care, what’s done is done, but, given that I’d still like to buy an NFC tag for my other hand and a magnet too, I’d like to know that DT cares, so, can you help me recover the password from the cheap reader? I assume that if you were able to get the password out of your reader that I can get it out of mine. Probably through the serial interface on the board on the inside? (Both readers have the exact same PCB; the only difference is, I’m assuming, the chip in the DT one is better and can do more types of RFID 125 kHz tags, as it can read my mother’s parking garage tag but the eBay one cannot.)

I don’t have a PROXMARK3 but I do have a pile of Arduinos, experience programming, and a chip that can do read/write of 125 kHz tags for Arduino, and a pile of the crappy blue key chain tags: https://www.seeedstudio.com/125Khz-RFID-module-UART-p-171.html

Hi Vega,

Actually that password was not removed from the board or code decompile, it was ferreted out of the manufacturer after we tested the cloner here in the office and noticed it was locking tags.

We would like to support you in assisting with the xEM Cloner Project any way possible. I will PM you shortly. In the meantime, take note that some Chinese outfits are starting to crank out some cheaper (hopefully just lower priced) versions of the ProxMark - http://www.elechouse.com/elechouse/index.php?main_page=product_info&cPath=90_93&products_id=2264

Hi, sorry I am a bit late but another common password for these cloners is 000D8787. Let me know if that works.

The password can be brute forced but you would need a PM3.

What command can I use to brute force? I do have a PM3 and I'm in the same situation.

As far as I know there is no command. You will have to either write an update for the PM3 firmware yourself to do pen-testing, or write a host script of some kind that uses the PM3 to try different passwords.