Next-Flip / Momentum-Firmware

🐬 Feature-rich, stable and customizable Flipper firmware
https://momentum-fw.dev
GNU General Public License v3.0

Electra protocol support in v2 #124

Open devpwnz opened 1 month ago

devpwnz commented 1 month ago

Describe the bug.

I am trying to read an Electra tag, but it does not identify it at all. With older firmware, it would show up as EM4100. If I remember correctly, they would coincide, but the Electra tags have some extra bytes to the serial. Am I doing something wrong?

Reproduction

Open RFID - Scan Electra Tag - Nothing Happens.

Target

No response

Logs

No response

Anything else?

No response

Willy-JL commented 1 month ago

Electra tags got proper support in 002, maybe yours works a bit differently. Take a raw dump and upload it, also maybe @Leptopt1los knows more

Leptopt1los commented 1 month ago

@Willy-JL @devpwnz need debug logs first

Willy-JL commented 1 month ago

@devpwnz

Rfid > read raw, post the dump here

Connect to https://lab.flipper.net, go to CLI, type "log debug", try to scan the tag on flipper, then post the log output here

devpwnz commented 1 month ago

I'm attaching the RAW readings here. Electra-raw.zip

And the log. debug-electra.txt

@Leptopt1los @Willy-JL

Also, thank you Willy for pointing out the debug. I had no idea how I was supposed to do it, and it would have been my next question.

Leptopt1los commented 1 month ago

@devpwnz is it an original Electra tag? Definitely not a copy? Can you attach a pic of it?

devpwnz commented 1 month ago

I have an addendum. At the beginning, when I got the Flipper, I tried scanning the Electra tag, which was read as an EM4100. I then tried to write it back to the tag, which probably worked and would explain the last 0's from my tag :)

Yes, it is an original tag, older one.

@Leptopt1los

Leptopt1los commented 1 month ago

@devpwnz this is extremely unlikely. as far as I know, electra tags do not implement the t5577 protocol

as for your tag, it's quite easy to correct its reading. the problem is that this solution will be less elegant (you will have to store an additional 5 bytes). epilogue filler does not actually affect the detection of the tag by the intercom, so theoretically we can transmit anything instead. but I am disgusted by the idea that a copy taken by a flipper will differ from the original tag, even if it does not affect its performance

it would be nice to find a second tag that won't be readable either, so that we have a more relevant sample to analyze the need to adjust the solution. Could you purchase a second copy of the key for the same intercom in the electra office? I think the data from reading the second instance can help us to say more confidently whether this situation is the norm or the exception

as for the immediate solution, I suggest you install the firmware version 01, read the tag, remember its id. then flash back to 02 and manually add the electra tag with id XX XX XX XX XX 7E 1E FF, where XX is the em4100 id, read on version 01

by the way, information about the success/failure of emulating this tag on your intercom would also be quite useful

Willy-JL commented 1 month ago

Thank you for looking into it and for the very detailed explanation Lept ❤️🙏

devpwnz commented 1 month ago

@Leptopt1los

I read another tag yesterday that was enrolled at the same time as my tag and on the same device, and it was read correctly.

I know that Electra also sells tag cloners; it's called PRG.400 and uses PRO-TAG software. They don't sell 2 types of tags, so I'm guessing that their tags are also writable. We have a place where we copy keys and whatnot, and they used to clone Electra tags on other Electra tags, and after a little while, they clone it on... clones, not Electra brand.

Thus, I'm inclined to think that my read/write actually worked, but it left zeroes at the end.

I see you are proposing to leave 7E 1E FF at the end, but when presenting the tag in debug mode, they appear at the beginning. Also, my tag still works on the original reader, as it is.

Thank you very much for your response, and @Willy-JL for being so interested in getting to the bottom of this.