2020-11-29 08:35:12 +08:00
# Notes on Cloner guns
2021-12-31 18:04:05 +08:00
< a id = "Top" > < / a >
2020-11-29 08:35:12 +08:00
This document is based mostly on information posted on http://www.proxmark.org/forum/viewtopic.php?pid=39903#p39903
2021-12-31 17:08:16 +08:00
# Table of Contents
2020-11-29 08:35:12 +08:00
- [Notes on Cloner guns ](#notes-on-cloner-guns )
2021-12-31 17:08:16 +08:00
- [Table of Contents ](#table-of-contents )
2020-11-29 08:35:12 +08:00
- [Blue and black cloners ](#blue-and-black-cloners )
- [White cloner (pre 2015) ](#white-cloner-pre-2015 )
- [White cloner (after 2016) ](#white-cloner-after-2016 )
- [White cloner (after 2016 D Quality) ](#white-cloner-after-2016-d-quality )
- [Restore page1 data ](#restore-page1-data )
- [Sniffing the comms ](#sniffing-the-comms )
# Blue and black cloners
2021-12-31 17:08:16 +08:00
^[Top](#top)
2020-11-29 08:35:12 +08:00
3 variants:
1. EM cloner
2. HID cloner
3. EM/HID cloner
Quality varies my manufacturer (Quality A (Good) until D (Bad))
They set a password on block 7 of the chip and set the password enable bit in block 0
```
Standard password is normally: 51243648
```
**Be sure to purchase the EM/HID version**
# White cloner (pre 2015)
2021-12-31 17:08:16 +08:00
^[Top](#top)
2020-11-29 08:35:12 +08:00
Multifrequency
Buttons light up BLUE
Reads data correctly
Coil performance acceptable
```
Standard password is normally (for T55xx): AA55BBBB
Standard password 13,56mHz: individual per white cloner
```
# White cloner (after 2016)
2021-12-31 17:08:16 +08:00
^[Top](#top)
2020-11-29 08:35:12 +08:00
Multifrequency
Buttons light up WHITE
Data scrambled (variable per individual cloner, possibly due to prevent legal issues)
Coil performance good
```
Standard password is normally (for T55xx): AA55BBBB
Standard password 13,56mHz: individual per white cloner
```
# White cloner (after 2016 D Quality)
2021-12-31 17:08:16 +08:00
^[Top](#top)
2020-11-29 08:35:12 +08:00
Multifrequency (it says so but it doesn't)
Only works for EM/HID card (125kHz)
High frequency not working
```
Standard password is normally (for T55xx): AA55BBBB
```
**Note: Sets the HID card in TEST MODE**
# Restore page1 data
2021-12-31 17:08:16 +08:00
^[Top](#top)
2020-11-29 08:35:12 +08:00
```
2021-03-08 05:00:33 +08:00
lf t55xx write -b 1 -d E0150A48 --pg1
2024-02-23 07:25:54 +08:00
lf t55xx write -b 2 -d 2D782308 --pg1
2020-11-29 08:35:12 +08:00
```
# Sniffing the comms
2021-12-31 17:08:16 +08:00
^[Top](#top)
2020-11-29 08:35:12 +08:00
The T55x7 protocol uses a pwm based protocol for writing to tags. In order to make decoding easier try the new command as seen below instead. It will try to extract the data written.
```
-- after threshold limit 20 is triggered, skip 10000 samples before collecting samples.
2021-03-08 18:31:40 +08:00
lf config -s 10000 -t 20
2020-11-29 08:35:12 +08:00
lf t55xx sniff
-- if you have a save trace from before, try
data load -f xxxxxxx.pm3
2021-03-08 18:31:40 +08:00
lf t55xx sniff -1
2020-11-29 08:35:12 +08:00
```
It uses the existing `lf sniff` command to collect the data, so setting that first as per normal sniffing is recommended. Once you have a sniff, you can "re-sniff" from the stored sniffed data and try different settings, if you think the data is not clean.
2021-04-16 06:21:22 +08:00
As normal, the cloner may write data past the end of the 40K sample buffer. So using the `lf config -s <x bytes>` then re-run the sniff to see if there is more data.
