Electra intercom

lf search
ID:[+] EM 410x ID 03E8A955A1
lf em 410x clone --id 03E8A955A1
lf t55xx detect
lf t55xx dump
We read blocks 1 and 2

lf t55xx wipe

lf t55xx write -b 0 -d 00148080
lf t55xx write -b 1 -d FF80DD8D
lf t55xx write -b 2 -d 24A5507A
lf t55xx write -b 3 -d 7E1EAAAA
lf t55xx write -b 4 -d AAAAAAAA

2 Likes
  1. The FF… master key was the logical one to be tested. I consider it a security risk and an implementation flaw on Electra’s side, together with the 0x7E1EAAAAAAAAAAAA extra data (security through obscurity is not the right approach, especially as it could be easily mitigated, since the protocol supports password protection for both write and read). I tried it on at least 4 different readers (analog and digital) and it worked OK.

2.a Order is the one that was decoded from the raw dump. Also, the data sheet (https://ww1.microchip.com/downloads/en/DeviceDoc/ATA5577C-Read-Write-LF-RFID-IDIC-100-to-150-kHz-Data-Sheet-DS70005357B.pdf → 4.11 Tag-to-Reader Communication) states: “In Regular-Read mode, data from the memory are transmitted serially, starting with block 1, bit 1, up to the last block (for example, 7), bit 32.” Using the original endianness in the Flipper code didn’t work.
2.b Preamble vs epilogue: it should matter too much as the blocks are transmitted in a loop: “The data stream starts with block 1, bit 1, continues through MAXBLK bit 32, and if in Regular-Read mode, cycles continuously.”

Brute forcing common values, nothing special. Also, I use a custom firmware, which I don’t know if I’m allowed to specify, but it includes the option to emulate raw data without using the CLI. I did not test it since I had no time to play with the F0 anymore.

PROXMARK3

lf search
ID:[+] EM 410x ID 03E8A955A1
lf em 410x clone --id 03E8A955A1

lf t55xx write -b 0 -d 00148080
lf t55xx write -b 3 -d 7E1EAAAA
lf t55xx write -b 4 -d AAAAAAAA

Or the Lua script:
1.1.5 - fix errors
electra.zip (1.9 KB)

1 Like
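
An added example, not part of any post in this thread: it rebuilds the Regular-Read bit stream (block 1 through MAXBLK, as quoted from the data sheet above) from the block values posted earlier, checks the EM4100 parity bits, and separates the ID from the trailing extra data. The function names are hypothetical, and the MAXBLK and PWD bit positions in block 0 are assumed from the ATA5577C basic-mode configuration layout.

```python
# Blocks as posted in the thread (T5577 layout of an Electra tag).
BLOCKS = {0: 0x00148080, 1: 0xFF80DD8D, 2: 0x24A5507A,
          3: 0x7E1EAAAA, 4: 0xAAAAAAAA}

def parse_config(block0):
    """MAXBLK and PWD from block 0 (assumed ATA5577C basic-mode bit layout)."""
    return {"maxblk": (block0 >> 5) & 0x7, "pwd": bool(block0 & 0x10)}

def regular_read_bits(blocks):
    """Bits the tag loops in Regular-Read mode: block 1..MAXBLK, MSB first."""
    maxblk = parse_config(blocks[0])["maxblk"]
    return "".join(format(blocks[n], "032b") for n in range(1, maxblk + 1))

def decode_em4100(frame):
    """Decode one 64-bit EM4100 frame to a 10-digit hex ID, or raise ValueError."""
    if len(frame) != 64 or frame[:9] != "1" * 9 or frame[63] != "0":
        raise ValueError("bad header or stop bit")
    rows = [frame[9 + 5 * i: 14 + 5 * i] for i in range(10)]
    for row in rows:
        if row.count("1") % 2:  # 4 data bits + 1 even-parity bit
            raise ValueError("row parity error")
    for col in range(4):  # column parity sits in bits 59..62
        ones = sum(r[col] == "1" for r in rows) + (frame[59 + col] == "1")
        if ones % 2:
            raise ValueError("column parity error")
    return "".join(format(int(r[:4], 2), "X") for r in rows)

def analyse(blocks):
    """Split a tag image into EM4100 ID, trailing data and config flags."""
    cfg = parse_config(blocks[0])
    stream = regular_read_bits(blocks)
    extra = stream[64:]
    return {
        "em4100_id": decode_em4100(stream[:64]),
        "extra_data": format(int(extra, 2), "0%dX" % (len(extra) // 4)) if extra else "",
        "maxblk": cfg["maxblk"],
        "password_protected": cfg["pwd"],
    }

if __name__ == "__main__":
    print(analyse(BLOCKS))
```
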

Could someone say how to emulate the Electra tag with Flipper? The raw rfid emulation doesn’t work with electra.

@philiplykov Electra intercom - #55 by dcaprita works for me.

@dcaprita there seems to be some problem with the patch.
Entering the added lines manually works for me.

Any progress on updating the original firmware to include Electra cards?
Does anyone have an already compiled firmware to share with dcaprita’s changes? Whenever I try to compile and download the firmware with the changes, I get errors starting the RFID app (missing imports).
Thank you!

I need help, bro. Do you have a video explaining how we can do it? Thank you!!

1 Like

A new problem appeared. I tried emulating a key fob for the Electra Smart+ line and the same behaviour appears. Read RAW works fine, EMULATE Raw works fine, but no response from the access unit whatsoever. Could it be that it is yet a new protocol? @dcaprita

LATER EDIT: Apparently it uses EM215 protocol if that means anything.

I can provide RAW files for the fob if anyone is willing to analyze it.
Unit in question is the unit from Residential Touch Line: https://www.electra.ro/ro/produse/videointerfoane-si-interfoane/gama-touch-line/rezidential/terminale-1/vpm-0bf03-elbe5-1

On their website it states that ELECTRA access systems only work with Electra RFID tags. So we could be talking about additional security once again.

Also, regarding the post of Mr. Caprita, I posted a link to the compiled binaries with patched files and the repository to check the changes below:

Thanks to Mr. @dcaprita <3 for all the help in discovering the ELECTRA secret.

Below is a link to the compiled UNLEASHED firmware for everyone that needs it.

INSTALLATION:

Step 1: Download the archive
Step 2: Unzip the archive. You should get a folder named baked_firmware.
Step 3: Use Q-Flipper on Windows to flash firmware to device (“Add from file…” option to the right of the current firmware number on the firmware tab)
Step 4: Select .tgz file and flash to FlipperZero.

Also, if anyone is interested in how the files look after the modifications, I will leave a link to my GitHub fork below, for which I already made a pull request, so maybe it will be included in future updates of the UNLEASHED firmware.

The pull request link for this update is:

This patch targets the UNLEASHED firmware for Flipper Zero! I haven’t made the changes to the official version of the FW as I never use it myself. It can be done in a similar manner if anyone is interested.

Hope this helps everyone, and Happy Holidays! Santa came early this year

3 Likes

Can you try to update the X F W on GitHub? I got stuck on some of the files; I can’t find all the functions.

Any news on this?

I was getting my hopes up with firmware version 0.99.1 that said:
“LF RFID: extended EM4100 support (exotic coding and baud rates), various improvements.”

but emulated Electra tags are still not working for me.

Maybe we could all centralize the discussion at EM4100 RFID issue: Emulation does not work · Issue #1500 · flipperdevices/flipperzero-firmware · GitHub ?

Check the latest build. I’ve spent a few hours patching manually before finding out someone did it properly. Tested and working. Electra cards are detected correctly. flipperzero-firmware/lib/lfrfid/protocols/protocol_electra.c at dev · flipperdevices/flipperzero-firmware · GitHub

Tested the new release and it works also for writing on t5577 fobs.
Anyone managed to write a master fob? I tried with FFFFFFFFFFxxxx but it seems it works only for 2 out of 3 readers tried.

Sorry for barging in without reading most of the thread. As a Romanian I am also surrounded by Electra intercom systems. So far I could only test the one in my apartment building. Here are my results:
From the back entrance, usually, when I press my fob to the reader, the intercom beeps a few times and opens the door. When I press the Flipper to the reader, sometimes, like 2/10 times it WILL open the door, but without the beeps. Other times it will do nothing.
From the front entrance, it wouldn’t work at all, but I suspect the reader on the intercom is defective since it sometimes doesn’t recognize the original fob either.
As fun of a toy as this is, what I hoped for was to replace all my electronic keys, cards and remotes with the Flipper. But if it can’t open intercoms and it also won’t store my Nice FlorS remote commands for the garage and gate… at this point in time, for me, it’s a very expensive IR blaster and snake game.

Is the group still active? The invite link is expired.

Can I just say how impressed I am with this community? One day I post about this topic and the next day a firmware update comes out which recognizes the Electra protocol and works perfectly.

Nothing but a coincidence, but yup, looks exciting.

1 Like

So far I was unable to write the master key FF FF FF FF FF FF FF to my t5577 fobs using the latest version of un***** with Electra support …
Other “Electra” random keys write/read just fine to my t5577 chips…

Yes, from my tests you cannot write all FF on the fob. But writing FFFFFFFFFFxxxx, I could enter with the fob on slave Electra readers. On the main reader it shows me an error.
Maybe someone knows what the problem is.