i have tested the above patch and it is working with extension (Kit extensie control acces videointerfon/interfon Electra, EXTENSIE CA - A2t.ro) but not with the main unit which looks identical with Electra PES.A255.
I’ve manage to write and test successful some tags using regular RFID EM4305/T5577 125KHz tags. Needed to add the 2 extra blocks (1 block=32 biti) with the Electra preamble mentioned above ( 0x7E1EAAAA, 0xAAAAAAAA) before the 2 blocks read by the flipper according to EM4100 protocol.
Notes:
- the preamble could be different, but the one mentioned above was tested and worked on at least 10 readers of 2 different types (analog PES.A255, digital P4S.A91I) in me region. Need to get a workable raw dump that can be analyzed if the preamble mentioned above doesn’t work.
- Chinese blue or white cloners add write password (and probably switch to test mode), so you can’t write anymore the writable tags with flipper if you used that cloners before.
Please dcaprita, teach us how to do the magic that you do. You just make us look stupid. You can do it but we can’t. Tell us how you do it, what device do you use what commands etc. How can I clone Electra on T5577, how can I add the 2 block of Electra, in what order. Or how can I make the Flipper emulate Electra from A - Z, tell us like we are some little stupid flippers with zero knowledge. Flipper Zero is great because it is easy to use. If it was only for rocket science geeks they wouldn’t sell as much devices. Thanks
Updated patch to support also writing ELECTRA tags.
Let me know if it works for you and I could add dedicate EM4100 type for ELECTRA. For now, I’ve enabled it only in Debug mode so that you can easily switch it off when not needed.
Steps for testing this are provided above (Electra intercom - #39 by dcaprita) and are generic for any flipper patch: clone sources, patch, build, flash.
From 208424076e5d86e691d25d2b5e061cf9bafa6485 Mon Sep 17 00:00:00 2001
From: Dan Caprita <[email protected]>
Date: Tue, 16 May 2023 18:52:00 +0300
Subject: [PATCH] [RFID] Add ELECTRA support: * for EM4100 emulation * write to
EM4305/T5577 tags
Note: Enable Debug to activate ELECTRA support
Settings->System->Debug=ON
Signed-off-by: Dan Caprita <[email protected]>
---
lib/lfrfid/protocols/protocol_em4100.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/lib/lfrfid/protocols/protocol_em4100.c b/lib/lfrfid/protocols/protocol_em4100.c
index 4b720dff..f27f9630 100644
--- a/lib/lfrfid/protocols/protocol_em4100.c
+++ b/lib/lfrfid/protocols/protocol_em4100.c
@@ -2,6 +2,7 @@
#include <toolbox/protocols/protocol.h>
#include <toolbox/manchester_decoder.h>
#include "lfrfid_protocols.h"
+#include <furi_hal_rtc.h>
typedef uint64_t EM4100DecodedData;
@@ -35,10 +36,13 @@ typedef uint64_t EM4100DecodedData;
#define EM_READ_LONG_TIME_LOW (EM_READ_LONG_TIME - EM_READ_JITTER_TIME)
#define EM_READ_LONG_TIME_HIGH (EM_READ_LONG_TIME + EM_READ_JITTER_TIME)
+#define EM_ELECTRA_DATA 0x7E1EAAAAAAAAAAAA
+
typedef struct {
uint8_t data[EM4100_DECODED_DATA_SIZE];
EM4100DecodedData encoded_data;
+ EM4100DecodedData encoded_data_old;
uint8_t encoded_data_index;
bool encoded_polarity;
@@ -237,6 +241,15 @@ LevelDuration protocol_em4100_encoder_yield(ProtocolEM4100* proto) {
proto->encoded_polarity = true;
proto->encoded_data_index++;
if(proto->encoded_data_index >= 64) {
+ if(furi_hal_rtc_is_flag_set(FuriHalRtcFlagDebug)) {
+ // alternate between actual data and Electra data
+ if (proto->encoded_data != EM_ELECTRA_DATA) {
+ proto->encoded_data_old = proto->encoded_data;
+ proto->encoded_data = EM_ELECTRA_DATA;
+ } else {
+ proto->encoded_data = proto->encoded_data_old;
+ }
+ }
proto->encoded_data_index = 0;
}
}
@@ -265,6 +278,17 @@ bool protocol_em4100_write_data(ProtocolEM4100* protocol, void* data) {
request->t5577.block[1] = protocol->encoded_data;
request->t5577.block[2] = protocol->encoded_data >> 32;
request->t5577.blocks_to_write = 3;
+ if(furi_hal_rtc_is_flag_set(FuriHalRtcFlagDebug)) {
+ // override and add Electra data when Settings->System->Debug=ON
+ request->t5577.block[0] =
+ (LFRFID_T5577_MODULATION_MANCHESTER | LFRFID_T5577_BITRATE_RF_64 |
+ (4 << LFRFID_T5577_MAXBLOCK_SHIFT));
+ request->t5577.block[1] = EM_ELECTRA_DATA >> 32;
+ request->t5577.block[2] = (uint32_t)EM_ELECTRA_DATA;
+ request->t5577.block[3] = protocol->encoded_data >> 32;
+ request->t5577.block[4] = protocol->encoded_data;
+ request->t5577.blocks_to_write = 5;
+ }
result = true;
}
return result;
--
2.34.1
I have tested the writing process on a T5577 tag and it is working perfectly!
Thank you!
I also managed to clone an “electra” branded card on a blank t55xx. The proxmark sees the 2 blocks with defined data (EM_ELECTRA_DATA 0x7E1EAAAAAAAAAAAA).
I gave up on step 2 from the instructions in post 39, because I was getting errors. I manually edited the file protocol_em4100.c"…\lib\lfrfid\protocols\protocol_em4100.c" in notepad (I put in the lines marked with +).
Thank you!
Thanks, @dcaprita! This is works brilliantly! Any chance of upstreaming the patch? I see that the issue tracking this is EM4100 RFID issue: Emulation does not work · Issue #1500 · flipperdevices/flipperzero-firmware · GitHub
Any chance to get the Electra keyfob emulation functionality in the firmware release?
First, thanks for the great work, time and effort put into this.
I just tried it and maybe I missed something or didn’t understand something… Did everything said above… Seemed to work, patched… compiled… flashed. My reader still doesn’t detect the flipper emulation (raw or otherwise).
Any way I can help debug and improve?
@Doideka where did you find the master key ? It works great on older models but on newer ones it doesn’t.
Also @dcaprita nice work. In my raw captures 0x7E1EAAA is not a preamble is an epilogue, could you please explain why did you put the blocks in this order ? specially why you put :
request->t5577.block[3] = protocol->encoded_data >> 32;
request->t5577.block[4] = protocol->encoded_data;
instead of :
request->t5577.block[3] = protocol->encoded_data;
request->t5577.block[4] = protocol->encoded_data >> 32;
Can someone help me to clone electra to t5577 with proxmark 3 iceman ? How to add some extra bytes ? Which commands I have to use ?
lf search
ID:[+] EM 410x ID 03E8A955A1
lf em 410x clone --id 03E8A955A1
lf t55 detect
lf t55 dump
We read blocks 1 and 2
lf t55 wipe
lf t55xx write -b 0 -d 00148080
lf t55xx write -b 1 -d FF80DD8D
lf t55xx write -b 2 -d 24A5507A
lf t55xx write -b 3 -d 7E1EAAAA
lf t55xx write -b 4 -d AAAAAAAA
- The FF… master key was the logical one to be tested. I consider it a security risk and implementation flaw from Electra side together with 0x7E1EAAAAAAAAAAAA extra data (security through obscurity it’s not the right approach especially it could be easily mitigated as the protocol supports password protection for both write and read). I tried it on at least 4 different readers (analog and digital) and worked ok.
2.a Order is the one that was decoded from the raw dump. Also the https://ww1.microchip.com/downloads/en/DeviceDoc/ATA5577C-Read-Write-LF-RFID-IDIC-100-to-150-kHz-Data-Sheet-DS70005357B.pdf → 4.11 Tag-to-Reader Communication states : “In Regular-Read mode, data from the memory are transmitted serially, starting with block 1, bit 1, up to the last block (for example, 7), bit 32.”. Using the original endianess in the flipper code didn’t worked.
2.b Preamble vs epilogue: it should matter to much as the block are transmitted in a loop: “The data stream starts with block 1, bit 1, continues through MAXBLK bit 32, and if in Regular-Read mode, cycles continuously.”
Brute forcing common values, nothing special. Also I use a custom firmware which I dont know if im allowed to specify but includes the option to emulate raw data without using CLI. I did not test it since I had no time to play with the F0 anymore
PROXMARK3
lf search
ID:[+] EM 410x ID 03E8A955A1
lf em 410x clone --id 03E8A955A1
lf t55xx write -b 0 -d 00148080
lf t55xx write -b 3 -d 7E1EAAAA
lf t55xx write -b 4 -d AAAAAAAA
or lua script
1.1.5 - fix errors
electra.zip (1.9 KB)
Could someone say how to emulate the Electra tag with Flipper? The raw rfid emulation doesn’t work with electra.
@philiplykov Electra intercom - #55 by dcaprita works for me.
@dcaprita there seems to be some problem with the patch.
Entering the added lines manually works for me.
any progress on updating the original firmware including Electra cards?
does anyone have an already compiled firmware to share with dcaprita changes? whenever I try to compile and download the firmware with the changes I have errors starting rfid app (missing imports).
thank you!
I need help bro.Do you have a video explaining how we can do it?Thabk you!!