Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi. Does anybody know whether this DANIU SK-68 multifrequency Chinese cloner sets a password when writing to a tag?
I've tried all the different known passwords and no joy. I've also tried sniffing the password using both a proxmark and an RTL-SDR dongle tuned to 125 kHz in direct mode. I couldn't match the sniffed data to either T55xx or EM4305 commands...
Thanks
Last edited by mikelelere (2018-10-11 23:24:54)
Offline
Try A5B4C3D2
- Slack
Offline
The code was AA55BBBB on mine.
Offline
Hi, thanks for the responses. I tried both passwords but unfortunately neither of them works.
I'm attaching a WAV file (can be opened with Audacity, for example) with the data I sniffed using the RTL-SDR device (it is already AM demodulated) just in case anyone wants to help to decode it. The capture includes 4 "Write" button presses. Each button press seems to generate 7 pulse trains. The leading 3 pulse trains can be matched to three AT55xx standard writes (no password) to blocks 0, 1, and 2 (the third pulse train writes the data 0x00188040 to block 0). It seems to me that the interesting stuff is in the following four pulse trains. I've tried to match these four to AT55xx commands but I failed. The first pulse train is too long to match any command, while the others are only 69 bits long (70 bits are needed for a protected write command according to the datasheet). Thanks.
Last edited by mikelelere (2018-10-18 20:25:04)
Offline
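Added example (not part of any post in this thread): a minimal Python sketch of the length check described in the post above, building and parsing T55xx write frames so that a demodulated pulse train can be compared against the 38-bit standard and 70-bit protected layouts. The field order is an assumption taken from the T5577/ATA5577 datasheet, the names `build_write` and `parse_write` are hypothetical, and the password 0x11223344 is a constructed sample, not a value from this thread.

```python
from typing import Optional

# Assumed downlink layout (T5577/ATA5577 datasheet), all fields MSB first:
#   standard write : opcode(2) + lock(1) + data(32) + block(3)                = 38 bits
#   protected write: opcode(2) + password(32) + lock(1) + data(32) + block(3) = 70 bits
# A 38-bit frame can also be a password-protected read
# (opcode + password + 0 + block), so length alone does not prove a write.


def build_write(block: int, data: int, page: int = 0, lock: int = 0,
                password: Optional[int] = None) -> str:
    """Return the bit string a writer would send for one block write."""
    bits = "1" + str(page)                    # opcode: '10' = page 0, '11' = page 1
    if password is not None:
        bits += format(password, "032b")
    return bits + str(lock) + format(data, "032b") + format(block, "03b")


def parse_write(bits: str) -> Optional[dict]:
    """Split a demodulated bit string into fields, or None if it cannot be a write."""
    if set(bits) - {"0", "1"} or len(bits) not in (38, 70) or bits[0] != "1":
        return None                           # e.g. a 69-bit train matches neither layout
    pos, password = 2, None
    if len(bits) == 70:
        password, pos = int(bits[2:34], 2), 34
    return {
        "page": int(bits[1]),
        "password": password,
        "lock": int(bits[pos]),
        "data": int(bits[pos + 1:pos + 33], 2),
        "block": int(bits[pos + 33:pos + 36], 2),
    }


if __name__ == "__main__":
    # Block 0 value reported in the post; password is a constructed sample.
    std = build_write(0, 0x00188040)
    prot = build_write(0, 0x00188040, password=0x11223344)
    for name, frame in (("standard", std), ("protected", prot), ("69-bit", prot[1:])):
        print(name, len(frame), parse_write(frame))
```

A train that comes back as `None` here, like the 69-bit ones in the capture, either lost a bit during demodulation or is not a T55xx write at all; the parser does not guess which.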
Did you try to read block 7?
Offline
Yes, I did. I cannot read any blocks in the tag using t55 commands. Furthermore, the tag is no longer recognized as a T5577 (not even using lf t55 detect), but as an EM4100 (it reports an ID when sending the lf search u command). I can however write to the tag using the Chinese cloner...
Offline
I apologize if posting a link to another forum is taboo.
You may find a solution on this thread over at Dangerous Things:
https://forum.dangerousthings.com/t/xem-cloning-emulation-modes-and-the-perils-of-chinese-cloners/1547
TomHarkness found the white multifrequency cloner did something that required use of Test Mode when trying to remove the password to recover a T5577 tag.
Maybe that will help?
Offline
Thanks for the pointer. I visited that thread earlier while searching for known passwords for the cloner, and I tried unlocking the tag with different known passwords in test mode (including those provided in some replies in this thread). Did not work. The multifrequency cloner I own is not the same as the one in that thread. Mine is a cheaper version...
Offline
Try pwd 00 00 00 00 and 05 00 00 00
Last edited by anybody (2018-10-18 10:04:23)
Offline
I did try indeed (and some others very similar like 12345678). Did not work. Thanks.
Last edited by mikelelere (2018-10-18 20:24:09)
Offline
Hi,
I hope it's a good place to share here. My cloner was iclone 3 model:
I couldn't find any way to demodulate automatically the LF signal on the PM3, so I ended up doing it manually and found the password for this one, which I couldn't find anywhere listed:
0x19920427
I hope this can help someone...
Offline
mikelelere, can you attach another trace from your Chinese reader, for comparison?
Offline
I bought one like your device from TaoBao.
I have the same problem. It locks the card after updating the card info. After that I can't use any other device to change the card except the Chinese cloner.
Could anyone tell me how to sniff the cloner when it writes a card?
Offline