I get no reaction from either reader: the main unit, which looks like the PES.A255, and the extension, which looks like this one: Kit extensie control acces videointerfon/interfon Electra, EXTENSIE CA - A2t.ro.
As mentioned above, Electra adds some extra bits to the standard EM4100. For the dumps I've analysed, they add the same bits, no matter the actual data. I've found 2 variants:
- 16 bits: 0x7E1E (0b0111111000011110)
- 64 bits: 0x7E1EAAAAAAAAAAAA
Tested Emulate with the patch below and it works OK (Electra reader PES.A255).
Fixes:
a. short-term workaround: alternate between the actual data and the Electra data (see the PoC patch below)
b. long-term implementation: add an Electra EM4100 protocol option.
From a4736d395efaeb328849a2cf0b6327faa764bc34 Mon Sep 17 00:00:00 2001
From: Dan Caprita <[email protected]>
Date: Thu, 3 May 2023 22:29:09 +0300
Subject: [PATCH] [RFID] Add ELECTRA extra data: 0x7E1E[AAAAAAAAAAAA]
Signed-off-by: Dan Caprita <[email protected]>
---
lib/lfrfid/protocols/protocol_em4100.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/lib/lfrfid/protocols/protocol_em4100.c b/lib/lfrfid/protocols/protocol_em4100.c
index 4b720dff..a3be54f2 100644
--- a/lib/lfrfid/protocols/protocol_em4100.c
+++ b/lib/lfrfid/protocols/protocol_em4100.c
@@ -35,10 +35,13 @@ typedef uint64_t EM4100DecodedData;
#define EM_READ_LONG_TIME_LOW (EM_READ_LONG_TIME - EM_READ_JITTER_TIME)
#define EM_READ_LONG_TIME_HIGH (EM_READ_LONG_TIME + EM_READ_JITTER_TIME)
.
+#define EM_ELECTRA_DATA 0x7E1EAAAAAAAAAAAA
+
typedef struct {
uint8_t data[EM4100_DECODED_DATA_SIZE];
.
EM4100DecodedData encoded_data;
+ EM4100DecodedData encoded_data_old;
uint8_t encoded_data_index;
bool encoded_polarity;
.
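Review bot: EM_ELECTRA_DATA is a 64-bit literal with no ULL suffix and no comment on where the value comes from; please write it as 0x7E1EAAAAAAAAAAAAULL so its type does not depend on the target's long width, and note above the define that it is the fixed 64-bit frame observed in Electra dumps (the 16-bit 0x7E1E variant mentioned in the thread is not covered by this constant).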
@@ -237,6 +240,13 @@ LevelDuration protocol_em4100_encoder_yield(ProtocolEM4100* proto) {
proto->encoded_polarity = true;
proto->encoded_data_index++;
if(proto->encoded_data_index >= 64) {
+ // alternate between actual data and Electra data
+ if (proto->encoded_data != EM_ELECTRA_DATA) {
+ proto->encoded_data_old = proto->encoded_data;
+ proto->encoded_data = EM_ELECTRA_DATA;
+ } else {
+ proto->encoded_data = proto->encoded_data_old;
+ }
proto->encoded_data_index = 0;
}
}
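Review bot: the new block uses encoded_data itself as the state flag (`if (proto->encoded_data != EM_ELECTRA_DATA)`), which silently relies on no real tag frame ever being equal to the constant; either state that assumption in the comment or, better, add an explicit bool to ProtocolEM4100 so the intent survives a later change of the constant. Also `if (` with a space does not match the `if(` style of the surrounding lines.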
--.
2.17.1
CrazyClara from GitHub can help us to
Do you have more details?
ClaraCrazy is the admin of a GitHub repo with a forked Flipper firmware, by a person named… I bet you can guess… Clara.
I’m not sure it’s relevant to the conversation though. @Catalin_Constantinescu did she offer to help with this?
I know who she is and I appreciate her work, but I didn't see the connection with the current topic; that's why I asked for more details.
Tested the patch above with the Electra extra bits and it also works with the PASS Digital range (P4S.A91I) → https://www.electra.ro/en/produse/video-and-audio-door-phones/pass-digital-system/p4s-a91i
Universal master key: 0XFFFFFFFFFF
I don’t either.
I have tested the above patch and it is working with the extension (Kit extensie control acces videointerfon/interfon Electra, EXTENSIE CA - A2t.ro) but not with the main unit, which looks identical to the Electra PES.A255.
I've managed to write and successfully test some tags using regular RFID EM4305/T5577 125 kHz tags. I needed to add the 2 extra blocks (1 block = 32 bits) with the Electra preamble mentioned above (0x7E1EAAAA, 0xAAAAAAAA) before the 2 blocks read by the Flipper according to the EM4100 protocol.
Notes:
- the preamble could be different, but the one mentioned above was tested and worked on at least 10 readers of 2 different types (analog PES.A255, digital P4S.A91I) in my region. If the preamble mentioned above doesn't work, a usable raw dump that can be analysed is needed.
- Chinese blue or white cloners add a write password (and probably switch to test mode), so you can no longer write the writable tags with the Flipper if you have used those cloners on them before.
Please dcaprita, teach us how to do the magic that you do. You just make us look stupid. You can do it but we can't. Tell us how you do it, what device you use, what commands, etc. How can I clone Electra onto a T5577, how can I add the 2 Electra blocks, and in what order? Or how can I make the Flipper emulate Electra from A to Z? Tell us like we are some little stupid flippers with zero knowledge. Flipper Zero is great because it is easy to use. If it were only for rocket-science geeks they wouldn't sell as many devices. Thanks
Updated patch to also support writing ELECTRA tags.
Let me know if it works for you and I could add a dedicated EM4100 type for ELECTRA. For now, I've enabled it only in Debug mode so that you can easily switch it off when not needed.
Steps for testing this are provided above (Electra intercom - #39 by dcaprita) and are generic for any Flipper patch: clone sources, patch, build, flash.
From 208424076e5d86e691d25d2b5e061cf9bafa6485 Mon Sep 17 00:00:00 2001
From: Dan Caprita <[email protected]>
Date: Tue, 16 May 2023 18:52:00 +0300
Subject: [PATCH] [RFID] Add ELECTRA support: * for EM4100 emulation * write to
EM4305/T5577 tags
Note: Enable Debug to activate ELECTRA support
Settings->System->Debug=ON
Signed-off-by: Dan Caprita <[email protected]>
---
lib/lfrfid/protocols/protocol_em4100.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/lib/lfrfid/protocols/protocol_em4100.c b/lib/lfrfid/protocols/protocol_em4100.c
index 4b720dff..f27f9630 100644
--- a/lib/lfrfid/protocols/protocol_em4100.c
+++ b/lib/lfrfid/protocols/protocol_em4100.c
@@ -2,6 +2,7 @@
#include <toolbox/protocols/protocol.h>
#include <toolbox/manchester_decoder.h>
#include "lfrfid_protocols.h"
+#include <furi_hal_rtc.h>
typedef uint64_t EM4100DecodedData;
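Review bot: including <furi_hal_rtc.h> in lib/lfrfid/protocols ties the protocol library to the system Debug flag for behaviour that has nothing to do with debugging; since the commit message already treats Debug as a stand-in for a missing ELECTRA type, consider passing the option through the protocol's own data/settings instead, so this include and the two furi_hal_rtc_is_flag_set() calls below can go.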
@@ -35,10 +36,13 @@ typedef uint64_t EM4100DecodedData;
#define EM_READ_LONG_TIME_LOW (EM_READ_LONG_TIME - EM_READ_JITTER_TIME)
#define EM_READ_LONG_TIME_HIGH (EM_READ_LONG_TIME + EM_READ_JITTER_TIME)
+#define EM_ELECTRA_DATA 0x7E1EAAAAAAAAAAAA
+
typedef struct {
uint8_t data[EM4100_DECODED_DATA_SIZE];
EM4100DecodedData encoded_data;
+ EM4100DecodedData encoded_data_old;
uint8_t encoded_data_index;
bool encoded_polarity;
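Review bot: encoded_data_old is added without being initialised anywhere in this patch; it is only ever written in the encoder path and only when Debug is on, so it is harmless today, but please zero it at allocation time and give it a one-line comment (or a name such as encoded_data_saved), since `_old` says nothing about the Electra alternation it exists for.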
@@ -237,6 +241,15 @@ LevelDuration protocol_em4100_encoder_yield(ProtocolEM4100* proto) {
proto->encoded_polarity = true;
proto->encoded_data_index++;
if(proto->encoded_data_index >= 64) {
+ if(furi_hal_rtc_is_flag_set(FuriHalRtcFlagDebug)) {
+ // alternate between actual data and Electra data
+ if (proto->encoded_data != EM_ELECTRA_DATA) {
+ proto->encoded_data_old = proto->encoded_data;
+ proto->encoded_data = EM_ELECTRA_DATA;
+ } else {
+ proto->encoded_data = proto->encoded_data_old;
+ }
+ }
proto->encoded_data_index = 0;
}
}
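Review bot: the Debug flag is re-read every 64 bits, so if it is switched off while encoded_data currently holds EM_ELECTRA_DATA the restore branch is never reached and the emulator keeps sending the Electra frame instead of the tag data until emulation is restarted; read the flag once when encoding starts, or make the `else` restore unconditional and gate only the swap-in (`proto->encoded_data = EM_ELECTRA_DATA;`) on the flag.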
@@ -265,6 +278,17 @@ bool protocol_em4100_write_data(ProtocolEM4100* protocol, void* data) {
request->t5577.block[1] = protocol->encoded_data;
request->t5577.block[2] = protocol->encoded_data >> 32;
request->t5577.blocks_to_write = 3;
+ if(furi_hal_rtc_is_flag_set(FuriHalRtcFlagDebug)) {
+ // override and add Electra data when Settings->System->Debug=ON
+ request->t5577.block[0] =
+ (LFRFID_T5577_MODULATION_MANCHESTER | LFRFID_T5577_BITRATE_RF_64 |
+ (4 << LFRFID_T5577_MAXBLOCK_SHIFT));
+ request->t5577.block[1] = EM_ELECTRA_DATA >> 32;
+ request->t5577.block[2] = (uint32_t)EM_ELECTRA_DATA;
+ request->t5577.block[3] = protocol->encoded_data >> 32;
+ request->t5577.block[4] = protocol->encoded_data;
+ request->t5577.blocks_to_write = 5;
+ }
result = true;
}
return result;
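Review bot: the new Debug block overwrites block[0], block[1], block[2] and blocks_to_write that the three lines just above it have already set, and it orders the two halves of encoded_data the opposite way round (block[3] = high word, block[4] = low word) from the existing block[1]/block[2] lines (low word first); with a second 64-bit frame sharing the stream the relative order of the halves is no longer a harmless rotation, so turn this into an if/else, pick one ordering with a comment explaining why it matches what the encoder transmits, and drop the asymmetric `(uint32_t)` cast that is applied to block[2] but not to block[4].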
--
2.34.1
I have tested the writing process on a T5577 tag and it is working perfectly!
Thank you!
I also managed to clone an “Electra”-branded card onto a blank T55xx. The Proxmark sees the 2 blocks with the defined data (EM_ELECTRA_DATA 0x7E1EAAAAAAAAAAAA).
I gave up on step 2 from the instructions in post 39 because I was getting errors. I manually edited the file protocol_em4100.c ("…\lib\lfrfid\protocols\protocol_em4100.c") in Notepad (I put in the lines marked with +).
Thank you!
Thanks, @dcaprita! This works brilliantly! Any chance of upstreaming the patch? I see that the issue tracking this is EM4100 RFID issue: Emulation does not work · Issue #1500 · flipperdevices/flipperzero-firmware · GitHub
Any chance to get the Electra keyfob emulation functionality in the firmware release?
First, thanks for the great work, time and effort put into this.
I just tried it and maybe I missed something or didn't understand something… I did everything said above… It seemed to work: patched… compiled… flashed. My reader still doesn't detect the Flipper emulation (raw or otherwise).
Any way I can help debug and improve?
@Doideka where did you find the master key? It works great on older models but on newer ones it doesn't.
Also @dcaprita, nice work. In my raw captures 0x7E1EAAA is not a preamble, it is an epilogue; could you please explain why you put the blocks in this order? Especially why you put:
request->t5577.block[3] = protocol->encoded_data >> 32;
request->t5577.block[4] = protocol->encoded_data;
instead of :
request->t5577.block[3] = protocol->encoded_data;
request->t5577.block[4] = protocol->encoded_data >> 32;
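To make the T5577 layout from dcaprita's notes above (two Electra words, then the two EM4100 words) and the half-word ordering question in the previous post concrete, here is an added Python example. It is not code from the thread or from the Flipper firmware. It assumes that the T5577 config-word fields sit where the Flipper's LFRFID_T5577_* defines put them (the values reproduce the familiar 0x00148040 config word of a plain 2-block EM4100 clone), that a T5577 streams blocks 1 to MAXBLK in order with each word MSB first, and that Electra tags carry the 64-bit frame 0x7E1EAAAAAAAAAAAA reported in this thread; the UID used is constructed.

```python
"""Electra-style EM4100 on a T5577: build the 5-block image that the second
patch writes, and model a reader to show why the order of the two halves of
the EM4100 frame matters once a second 64-bit frame shares the cycle.
Added example; assumptions are marked in the comments."""
from typing import List, Optional

ELECTRA_DATA = 0x7E1EAAAAAAAAAAAA  # fixed 64-bit Electra frame reported in the thread

# T5577 block-0 config fields. Assumed to match the Flipper firmware's
# LFRFID_T5577_* defines (they give 0x00148040 for a 2-block EM4100 clone).
T5577_MODULATION_MANCHESTER = 8 << 12
T5577_BITRATE_RF_64 = 5 << 18
T5577_MAXBLOCK_SHIFT = 5


def em4100_encode(uid: bytes) -> int:
    """64-bit EM4100 frame for a 5-byte UID, MSB first: 9 header ones, ten rows
    of one nibble plus even row parity, four even column parity bits, stop bit 0."""
    if len(uid) != 5:
        raise ValueError("EM4100 UID is 5 bytes (version byte + 4 ID bytes)")
    frame = 0x1FF                          # 9-bit header
    col_parity = [0, 0, 0, 0]
    for byte in uid:
        for nibble in (byte >> 4, byte & 0xF):
            row_parity = 0
            for col in range(4):           # nibble MSB first
                bit = (nibble >> (3 - col)) & 1
                frame = (frame << 1) | bit
                row_parity ^= bit
                col_parity[col] ^= bit
            frame = (frame << 1) | row_parity
    for p in col_parity:
        frame = (frame << 1) | p
    return frame << 1                      # stop bit is 0


def em4100_decode(frame: int) -> bytes:
    """Inverse of em4100_encode; raises ValueError on header, parity or stop-bit errors."""
    if frame >> 55 != 0x1FF:
        raise ValueError("no EM4100 header")
    if frame & 1:
        raise ValueError("stop bit must be 0")
    bits = [(frame >> (63 - i)) & 1 for i in range(64)]
    col_parity = [0, 0, 0, 0]
    nibbles = []
    for r in range(10):
        row = bits[9 + 5 * r:14 + 5 * r]
        if sum(row[:4]) & 1 != row[4]:
            raise ValueError(f"row {r} parity error")
        for col in range(4):
            col_parity[col] ^= row[col]
        nibbles.append(row[0] << 3 | row[1] << 2 | row[2] << 1 | row[3])
    if col_parity != bits[59:63]:
        raise ValueError("column parity error")
    return bytes(nibbles[2 * i] << 4 | nibbles[2 * i + 1] for i in range(5))


def electra_t5577_blocks(uid: bytes, data_high_word_first: bool = True) -> List[int]:
    """Blocks 0..4 for a T5577, laid out as in the second patch: config with
    MAXBLK=4, Electra high word, Electra low word, then the EM4100 frame.
    data_high_word_first=False gives the alternative order asked about above."""
    frame = em4100_encode(uid)
    hi, lo = frame >> 32, frame & 0xFFFFFFFF
    config = (T5577_MODULATION_MANCHESTER | T5577_BITRATE_RF_64
              | (4 << T5577_MAXBLOCK_SHIFT))
    data = [hi, lo] if data_high_word_first else [lo, hi]
    return [config, ELECTRA_DATA >> 32, ELECTRA_DATA & 0xFFFFFFFF] + data


def find_uid_in_stream(blocks: List[int]) -> Optional[bytes]:
    """Model a reader: the tag repeats blocks 1..MAXBLK endlessly, each word MSB
    first (assumed T5577 behaviour), so try every rotation of the cycle and
    return the first 64-bit window that decodes as a valid EM4100 frame."""
    cycle = 0
    for word in blocks[1:]:
        cycle = (cycle << 32) | word
    nbits = 32 * (len(blocks) - 1)
    mask = (1 << nbits) - 1
    for shift in range(nbits):
        rotated = ((cycle << shift) | (cycle >> (nbits - shift))) & mask
        try:
            return em4100_decode(rotated >> (nbits - 64))
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    sample_uid = bytes.fromhex("1D55668899")   # constructed UID, not a real card
    for i, word in enumerate(electra_t5577_blocks(sample_uid)):
        print(f"block {i}: 0x{word:08X}")
```

Because the tag repeats blocks 1..4 endlessly, the Electra words read as a preamble or as an epilogue depending only on where a capture happens to start. What cannot be rotated away is the order of the two halves of the EM4100 frame inside the 128-bit cycle: with the patch's order the frame is contiguous and find_uid_in_stream recovers the UID, while with the halves swapped no 64-bit window carries a valid frame.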
Can someone help me clone Electra onto a T5577 with a Proxmark 3 (Iceman)? How do I add the extra bytes? Which commands do I have to use?