I've followed the above steps mentioned by you (downloaded the firmware, patched the files, compiled the firmware), made raw recordings of 2 of my tags and replayed them to the reader, but there is no reaction from the reader.
What software do you use for analysing the raw files? I want to be sure that they are consistent (not empty).
As written above, the standard firmware, “125 kHz RFID” app command line interface:
$ rfid raw_analyze /ext/lfrfid/RfidRecord.ask.raw
My tag dumps are around 19KiB (note that there could be some dumps that don’t work - probably some synchronization issues, but the majority of them work ok - more than 75%).
I’ve made several dumps using the same rfid tag and most of them are around 22kB. After analyzing them, the result is almost the same as the one below.
I tried to emulate them using the serial console and directly from flipper (using your modified scripts), but the Electra reader is not reading them.
I’m not able to attach the raw file here (Permission denied)
>: rfid raw_analyze /ext/lfrfid/RfidRecord.ask.raw
[32 131] [32 99]
[316 511] [316 195]
[316 512] [316 196]
[316 510] [316 194]
[317 511] [317 194]
[317 511] [317 194]
[317 511] [317 194]
[316 511] [316 195]
[317 512] [317 195]
[316 510] [316 194]
[317 511] [317 194]
[317 512] [317 195]
[315 511] [315 196]
[316 510] [316 194]
[316 511] [316 195]
[316 511] [316 195]
[315 511] [315 196]
[316 511] [316 195]
[315 510] [315 195]
[316 510] [316 194]
[316 510] [316 194]
[315 511] [315 196]
[572 767] [572 195]
[316 511] [316 195]
[316 511] [316 195]
[316 511] [316 195]
[316 511] [316 195]
[315 511] [315 196]
[315 511] [315 196]
[315 511] [315 196]
[315 791] [315 476]
[288 487] [288 199]
[314 511] [314 197]
[314 511] [314 197]
[314 511] [314 197]
[314 511] [314 197]
[315 511] [315 196]
[570 767] [570 197]
[314 791] [314 477]
[547 743] [547 196]
[315 511] [315 196]
[315 791] [315 476]
[547 743] [547 196]
[316 790] [316 474]
[289 487] [289 198]
[315 511] [315 196]
[571 1047] [571 476]
[547 1022] [547 475]
[549 1023] [549 474]
[291 488] [291 197]
[571 766] [571 195]
[317 790] [317 473]
[290 488] [290 198]
[572 1046] [572 474]
[291 488] [291 197]
[316 510] [316 194]
[573 1046] [573 473]
[291 488] [291 197]
[572 1046] [572 474]
[550 743] [550 193]
[318 511] [318 193]
[318 791] [318 473]
[291 487] [291 196]
[316 510] [316 194]
[574 1047] [574 473]
[291 487] [291 196]
[575 1047] [575 472]
[550 1023] [550 473]
[292 487] [292 195]
[575 1046] [575 471] <FOUND EM4100>
Frequency: 125000.000000
Duty Cycle: 0.500000
Warns: 0
Pulse sum: 25554
Duration sum: 43597
Average: 0.586141
Protocol: EM4100 [03 E8 56 82 C9]
FC: 086, Card: 33481
Maybe it matters and newer hw from Electra has an additional security mechanism (though I doubt it), but I’ve tested on 3 different Electra readers PES.A255 (https://www.electra.ro/en/produse/video-and-audio-door-phones/pass-analog-system/pes-a255) and it worked ok:
- ACC when using the right tag dump
- ERR when using an incorrect tag dump (from another location)
- no message when using a corrupted tag dump (though I could notice some reaction from the reader - for the PES.A255, the dots disappear from the display, meaning it was reading but waiting for the additional Electra specific bits)
I get no reaction from both readers - the main unit which looks like the PES.A255 and the extension which looks like this one: Kit extensie control acces videointerfon/interfon Electra, EXTENSIE CA - A2t.ro.
As mentioned above, Electra adds some extra bits to the standard EM4100. For the dumps I’ve analysed, they add the same bits, no matter the actual data. I’ve found 2 variants:
- 16 bits: 0x7E1E (0b111111000011110)
- 64 bits: 0x7E1EAAAAAAAAAAAA
Tested Emulate with the patch below and it works ok (Electra reader PES.A255).
Fixes:
a. short-term workaround is to alternate between actual data and Electra data (see PoC patch below)
b. long-term implementation would be to add an Electra EM4100 protocol option.
From a4736d395efaeb328849a2cf0b6327faa764bc34 Mon Sep 17 00:00:00 2001
From: Dan Caprita <[email protected]>
Date: Thu, 3 May 2023 22:29:09 +0300
Subject: [PATCH] [RFID] Add ELECTRA extra data: 0x7E1E[AAAAAAAAAAAA]
Signed-off-by: Dan Caprita <[email protected]>
---
lib/lfrfid/protocols/protocol_em4100.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/lib/lfrfid/protocols/protocol_em4100.c b/lib/lfrfid/protocols/protocol_em4100.c
index 4b720dff..a3be54f2 100644
--- a/lib/lfrfid/protocols/protocol_em4100.c
+++ b/lib/lfrfid/protocols/protocol_em4100.c
@@ -35,10 +35,13 @@ typedef uint64_t EM4100DecodedData;
#define EM_READ_LONG_TIME_LOW (EM_READ_LONG_TIME - EM_READ_JITTER_TIME)
#define EM_READ_LONG_TIME_HIGH (EM_READ_LONG_TIME + EM_READ_JITTER_TIME)
.
+#define EM_ELECTRA_DATA 0x7E1EAAAAAAAAAAAA
+
typedef struct {
uint8_t data[EM4100_DECODED_DATA_SIZE];
.
EM4100DecodedData encoded_data;
+ EM4100DecodedData encoded_data_old;
uint8_t encoded_data_index;
bool encoded_polarity;
.
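Review bot: EM_ELECTRA_DATA is defined without a type suffix; the literal 0x7E1EAAAAAAAAAAAA does get a 64-bit type by the usual integer-constant rules, but writing it as `#define EM_ELECTRA_DATA 0x7E1EAAAAAAAAAAAAULL` documents that it is an unsigned 64-bit value matching the uint64_t EM4100DecodedData it is compared against. The new `encoded_data_old` member is not initialised anywhere in this patch; that is only safe because the yield path stores to it before it is ever read, so a comment on the field stating that invariant would help.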
@@ -237,6 +240,13 @@ LevelDuration protocol_em4100_encoder_yield(ProtocolEM4100* proto) {
proto->encoded_polarity = true;
proto->encoded_data_index++;
if(proto->encoded_data_index >= 64) {
+ // alternate between actual data and Electra data
+ if (proto->encoded_data != EM_ELECTRA_DATA) {
+ proto->encoded_data_old = proto->encoded_data;
+ proto->encoded_data = EM_ELECTRA_DATA;
+ } else {
+ proto->encoded_data = proto->encoded_data_old;
+ }
proto->encoded_data_index = 0;
}
}
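Review bot: the phase of the alternation is encoded implicitly in the value of `encoded_data` (`!= EM_ELECTRA_DATA`), so the real ID is now emitted only in every second 64-bit frame and the state is invisible to anyone reading the struct. An explicit `bool electra_phase` member toggled here would make the state obvious and remove the (theoretical) collision with a tag whose frame equals the constant. Also, per the diffstat this patch touches only the emulation path: protocol_em4100_write_data still writes the plain two-block EM4100 layout, so tags written from this build will not carry the preamble.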
--.
2.17.1
CrazyClara from GitHub can help us to
Do you have more details?
ClaraCrazy is admin of a GitHub repo with a forked Flipper firmware by a person named… I bet you can guess… Clara.
I’m not sure it’s relevant to the conversation though. @Catalin_Constantinescu did she offer to help with this?
I know who she is and I appreciate her work, but I didn’t see the connection with the current topic, that’s why I asked for more details
Tested the patch above with Electra extra bits and it also works with the PASS Digital range (P4S.A91I) → https://www.electra.ro/en/produse/video-and-audio-door-phones/pass-digital-system/p4s-a91i
Universal master key: 0XFFFFFFFFFF
I don’t either.
I have tested the above patch and it is working with the extension (Kit extensie control acces videointerfon/interfon Electra, EXTENSIE CA - A2t.ro) but not with the main unit, which looks identical to the Electra PES.A255.
I’ve managed to write and successfully test some tags using regular RFID EM4305/T5577 125KHz tags. Needed to add the 2 extra blocks (1 block = 32 bits) with the Electra preamble mentioned above (0x7E1EAAAA, 0xAAAAAAAA) before the 2 blocks read by the Flipper according to the EM4100 protocol.
Notes:
- the preamble could be different, but the one mentioned above was tested and worked on at least 10 readers of 2 different types (analog PES.A255, digital P4S.A91I) in my region. You need to get a workable raw dump that can be analyzed if the preamble mentioned above doesn’t work.
- Chinese blue or white cloners add a write password (and probably switch to test mode), so you can no longer write the writable tags with Flipper if you used those cloners before.
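Putting the two descriptions above together (the extra Electra bits, and the two preamble blocks written before the two EM4100 blocks) as an added example; this is my code, not Flipper firmware and not from anyone in the thread. It builds the standard 64-bit EM4100 frame for the ID 03 E8 56 82 C9 from the raw_analyze output earlier, derives the FC/Card values the Flipper printed for it, and lays the frame out as the four T5577 data blocks in the order the patch writes them. The T5577 configuration word (block 0) is left out because its bit layout is not given here.

```c
#include <stdint.h>
#include <stdio.h>

/* Electra preamble quoted in the thread; ULL suffix keeps it 64-bit on 32-bit targets. */
#define EM_ELECTRA_DATA 0x7E1EAAAAAAAAAAAAULL

/* Append a 4-bit nibble MSB first, then its even row-parity bit. */
static void em4100_put_nibble(uint64_t *frame, uint8_t nib) {
    uint8_t parity = 0;
    for (int i = 3; i >= 0; i--) {
        uint8_t bit = (nib >> i) & 1;
        parity ^= bit;
        *frame = (*frame << 1) | bit;
    }
    *frame = (*frame << 1) | parity;
}

/* EM4100 frame: 9 header ones, 10 x (4 data bits + row parity), 4 column-parity bits, stop 0. */
uint64_t em4100_encode(const uint8_t id[5]) {
    uint64_t frame = 0x1FF; /* header */
    uint8_t col_parity = 0;
    for (int i = 0; i < 5; i++) {
        uint8_t hi = id[i] >> 4, lo = id[i] & 0x0F;
        em4100_put_nibble(&frame, hi);
        em4100_put_nibble(&frame, lo);
        col_parity ^= hi ^ lo;
    }
    return (frame << 5) | ((uint64_t)col_parity << 1); /* column parity, then stop bit */
}
/* FC and Card as the Flipper prints them: byte 2, then bytes 3-4 big-endian. */
unsigned em4100_fc(const uint8_t id[5]) { return id[2]; }
unsigned em4100_card(const uint8_t id[5]) { return ((unsigned)id[3] << 8) | id[4]; }
/* T5577 data block n (1..4) as the Electra patch orders them: preamble hi, preamble lo, frame hi, frame lo. */
uint32_t electra_t5577_block(uint64_t frame, int n) {
    switch (n) {
    case 1: return (uint32_t)(EM_ELECTRA_DATA >> 32); /* 0x7E1EAAAA */
    case 2: return (uint32_t)EM_ELECTRA_DATA;         /* 0xAAAAAAAA */
    case 3: return (uint32_t)(frame >> 32);
    case 4: return (uint32_t)frame;
    default: return 0;
    }
}

int main(void) {
    const uint8_t id[5] = {0x03, 0xE8, 0x56, 0x82, 0xC9}; /* ID from the dump above */
    uint64_t frame = em4100_encode(id);
    printf("frame %016llX FC %03u Card %u\n", (unsigned long long)frame, em4100_fc(id), em4100_card(id));
    for (int n = 1; n <= 4; n++) printf("T5577 block %d: %08X\n", n, electra_t5577_block(frame, n));
    return 0;
}
```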
Please dcaprita, teach us how to do the magic that you do. You just make us look stupid. You can do it but we can’t. Tell us how you do it, what device do you use, what commands etc. How can I clone Electra on T5577, how can I add the 2 blocks of Electra, in what order. Or how can I make the Flipper emulate Electra from A - Z, tell us like we are some little stupid flippers with zero knowledge. Flipper Zero is great because it is easy to use. If it was only for rocket science geeks they wouldn’t sell as many devices. Thanks
Updated the patch to also support writing ELECTRA tags.
Let me know if it works for you and I could add a dedicated EM4100 type for ELECTRA. For now, I’ve enabled it only in Debug mode so that you can easily switch it off when not needed.
Steps for testing this are provided above (Electra intercom - #39 by dcaprita) and are generic for any flipper patch: clone sources, patch, build, flash.
From 208424076e5d86e691d25d2b5e061cf9bafa6485 Mon Sep 17 00:00:00 2001
From: Dan Caprita <[email protected]>
Date: Tue, 16 May 2023 18:52:00 +0300
Subject: [PATCH] [RFID] Add ELECTRA support: * for EM4100 emulation * write to
EM4305/T5577 tags
Note: Enable Debug to activate ELECTRA support
Settings->System->Debug=ON
Signed-off-by: Dan Caprita <[email protected]>
---
lib/lfrfid/protocols/protocol_em4100.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/lib/lfrfid/protocols/protocol_em4100.c b/lib/lfrfid/protocols/protocol_em4100.c
index 4b720dff..f27f9630 100644
--- a/lib/lfrfid/protocols/protocol_em4100.c
+++ b/lib/lfrfid/protocols/protocol_em4100.c
@@ -2,6 +2,7 @@
#include <toolbox/protocols/protocol.h>
#include <toolbox/manchester_decoder.h>
#include "lfrfid_protocols.h"
+#include <furi_hal_rtc.h>
typedef uint64_t EM4100DecodedData;
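Review bot: pulling in furi_hal_rtc.h so that the feature keys off FuriHalRtcFlagDebug ties a system-wide debug switch to the behaviour of every EM4100 emulation and write, as the commit message itself says. Anyone who has Debug on for an unrelated reason silently gets the Electra frame on all EM4100 tags; a dedicated protocol entry or setting (option b. above) is the proper home for this once it is confirmed working.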
@@ -35,10 +36,13 @@ typedef uint64_t EM4100DecodedData;
#define EM_READ_LONG_TIME_LOW (EM_READ_LONG_TIME - EM_READ_JITTER_TIME)
#define EM_READ_LONG_TIME_HIGH (EM_READ_LONG_TIME + EM_READ_JITTER_TIME)
+#define EM_ELECTRA_DATA 0x7E1EAAAAAAAAAAAA
+
typedef struct {
uint8_t data[EM4100_DECODED_DATA_SIZE];
EM4100DecodedData encoded_data;
+ EM4100DecodedData encoded_data_old;
uint8_t encoded_data_index;
bool encoded_polarity;
@@ -237,6 +241,15 @@ LevelDuration protocol_em4100_encoder_yield(ProtocolEM4100* proto) {
proto->encoded_polarity = true;
proto->encoded_data_index++;
if(proto->encoded_data_index >= 64) {
+ if(furi_hal_rtc_is_flag_set(FuriHalRtcFlagDebug)) {
+ // alternate between actual data and Electra data
+ if (proto->encoded_data != EM_ELECTRA_DATA) {
+ proto->encoded_data_old = proto->encoded_data;
+ proto->encoded_data = EM_ELECTRA_DATA;
+ } else {
+ proto->encoded_data = proto->encoded_data_old;
+ }
+ }
proto->encoded_data_index = 0;
}
}
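Review bot: the swap back from EM_ELECTRA_DATA to `encoded_data_old` lives inside the `furi_hal_rtc_is_flag_set` branch, so if the Debug flag is cleared while `encoded_data` currently holds EM_ELECTRA_DATA the encoder keeps emitting the preamble and never returns to the tag ID until emulation is restarted. Restore first and gate only the swap in, e.g. `if(proto->encoded_data == EM_ELECTRA_DATA) { proto->encoded_data = proto->encoded_data_old; } else if(furi_hal_rtc_is_flag_set(FuriHalRtcFlagDebug)) { ... }`.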
@@ -265,6 +278,17 @@ bool protocol_em4100_write_data(ProtocolEM4100* protocol, void* data) {
request->t5577.block[1] = protocol->encoded_data;
request->t5577.block[2] = protocol->encoded_data >> 32;
request->t5577.blocks_to_write = 3;
+ if(furi_hal_rtc_is_flag_set(FuriHalRtcFlagDebug)) {
+ // override and add Electra data when Settings->System->Debug=ON
+ request->t5577.block[0] =
+ (LFRFID_T5577_MODULATION_MANCHESTER | LFRFID_T5577_BITRATE_RF_64 |
+ (4 << LFRFID_T5577_MAXBLOCK_SHIFT));
+ request->t5577.block[1] = EM_ELECTRA_DATA >> 32;
+ request->t5577.block[2] = (uint32_t)EM_ELECTRA_DATA;
+ request->t5577.block[3] = protocol->encoded_data >> 32;
+ request->t5577.block[4] = protocol->encoded_data;
+ request->t5577.blocks_to_write = 5;
+ }
result = true;
}
return result;
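Review bot: the Electra branch writes the ID high word first (`request->t5577.block[3] = protocol->encoded_data >> 32;` then `block[4] = protocol->encoded_data;`), the reverse of the existing `block[1]`/`block[2]` order a few lines above. For a plain 64-bit EM4100 frame repeated forever the half order is irrelevant, since swapping the halves is only a 32-bit rotation of the same cyclic stream, but inside the 128-bit Electra cycle it is not, so a comment stating the intended on-air order (preamble, then ID frame, MSB first) would stop the next reader from "fixing" it. The branch also overwrites `block[0..2]` and `blocks_to_write` right after they were assigned; moving the plain assignments into an `else` avoids the double write and makes the two layouts easier to compare.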
--
2.34.1
I have tested the writing process on a T5577 tag and it is working perfectly!
Thank you!
I also managed to clone an “electra” branded card on a blank t55xx. The proxmark sees the 2 blocks with defined data (EM_ELECTRA_DATA 0x7E1EAAAAAAAAAAAA).
I gave up on step 2 from the instructions in post 39, because I was getting errors. I manually edited the file protocol_em4100.c ("…\lib\lfrfid\protocols\protocol_em4100.c") in Notepad (I put in the lines marked with +).
Thank you!
Thanks, @dcaprita! This works brilliantly! Any chance of upstreaming the patch? I see that the issue tracking this is EM4100 RFID issue: Emulation does not work · Issue #1500 · flipperdevices/flipperzero-firmware · GitHub
Any chance to get the Electra keyfob emulation functionality in the firmware release?