EM4100 RFID issue: Emulation does not work

[swittenberger]

Describe the bug.

Hello, I've had 3 different EM4100 tags that I could copy without any issues, but when emulating the tag, the reader doesn't detect anything.

I've been told on discord that a reboot might help, but it didn't. What other info can I give?

Reproduction

1. Read EM4100 tag
2. Emulate EM4100 tag
3. Try to open the door with flipper
4. Notice it doesn't work.

Target

No response

Logs

No response

Anything else?

No response

[bettse]

I don't have first hand experience, but I've seen at least 3 other people with the same problem

[Astrrra]

I haven't been able to replicate this issue.

https://drive.google.com/file/d/1fyJLHXRghv-VP-zwfWvneXZ-uCqj5pWQ/view?usp=drivesdk

As I asked in the reddit thread, can you please attach a video of you trying to emulate the card? This sounds like you may be doing something wrong.

[swittenberger]

Hi, here is a video of the flipper not being able to emulate the RFID tag. https://drive.google.com/file/d/1clRwR54LT4bUGVUxHWEE8aykKtJO0XuV/view?usp=sharing

I will also check with a 2nd flipper as you did above, but that is a totally different case.

[Bertus-W]

I can successfully use the EM4100 emulation on this product: https://www.surepetcare.com/en-gb/pet-doors/microchip-cat-flap-connect

I'm using the dev branch

Although I must say that the detection loop is around the entire door. and probably very strong since the small pet chip implants need to be detected.

[Kritkatten]

Filmed the process as requested: link to onedrivre I've tried rebooting the device + trying the dev version. Same result.

[swittenberger]

A small update:

I've got my hands on another Flipper and was able to read from the flipper. (One emulates, the other reads) This works. I've tested emulation with beta firmware as well (just in case) and I could still reproduce the issue.

The manufacturer in my case is electra.ro https://electra.ro/ro/produse/videointerfoane-si-interfoane/gama-pass-digital/p4s-a91i

[WhiteThePanda]

Hello, my issue is pretty straightforward : Emulation of my tag works for the front door of the building, mailbox and other doors it is supposed to open (systematically): https://user-images.githubusercontent.com/61516945/182038788-6b4f807d-abf3-420f-8743-67f710db17f9.mp4

and doesn't work for the door of my own appartment(systematically): https://user-images.githubusercontent.com/61516945/182038791-9f130302-9a54-4a26-adee-ca7a54a4d012.mp4

The same key is supposed to open both. I also tried removing the silicon case.

[DrZlo13]

OK, this may be some kind of emulator protection method, or a hardware problem with concrete reader. I will return to this topic when I finish rewriting LF-RFID core.

[swittenberger]

Another update: I've tested another tag, on another reader of different make and it works without issues. I do think it might be a security thing then on the electra one.

[trupus]

Hey guys, I had also troubles emulating the tag on an electra reader.

The manufacturer in my case is electra.ro https://electra.ro/ro/produse/videointerfoane-si-interfoane/gama-pass-digital/p4s-a91i

Not sure if it's the exact same model as in this link, but it looks very similar to mine.

I also captured the RAW RFID data. Hope it helps.

[skotopes]

Please check latest release and reopen issue if problem persist.

[swittenberger]

@skotopes I just tested on Dev build d1c79a83. I also tested on the stable release 0.66.1. Door still won't open. I have reread the rfid just in case for this test, have not used the saved one (though I did try that as well)

https://drive.google.com/file/d/1l_reeBhEbq9uMtiGM9a-h2UJR6l6ayJF/view?usp=sharing

[trupus]

I had also the same problem with the latest rc today. But with a different reader this time (Flipper identified it as an EM4100 tag as well). Will try tomorrow again with the stable release.

Maybe also worth mentioning, my office has 2 doors, which you can open with the same key. It's a coworking space. The first door is "shared", but the second one can only be opened with my key. I can open the first door (and any "shared" reader in the office) with the Flipper, but the second reader is just refusing to accept the emulated key with the flipper.

[DrZlo13]

OK, it's time to return to this topic. I will try to reset the protocol encoder if field is gone for ?? (10?) clocks. Also, it will help if someone points out the problematic reader model.

[Kritkatten]

Still doesn't work. I saw new data with the last update though. Picture:

[trupus]

EDIT: Oh, interesting. The key fob works on 2 frequencies. The RFID is for the main (shared) entrance, and then it also has NFC, which opens the second door. The NFC is a Mifare classic, which I was able to read and emulate.

Sorry, but this reader is then unrelated to the described issue!

---

Also, it will help if someone points out the problematic reader model.

At this moment I encountered 2 different readers in 2 different countries that share the described problem. I found the manufacturer for one of them: official page, datasheet

[swittenberger]

@DrZlo13 The reader described in this bug is an Electra, as can be found in the link above. What other information would you require?

[Montecri]

Got the same issue with a different brand of reader. In my case, I even tried proxmark3 cloning to a blank key (besides flipper emulation) and the reader didn't detect. Read somewhere that some readers will try to detect if the key is writable and deny access.

[d3xt3r01]

I can confirm the electra keyfob (https://electra.ro/ro/produse/videointerfoane-si-interfoane/gama-touch-line/rezidential/terminale-1/tag-elt-000) issue. Same here using the latest firmware. Altough not the same reader. The builsing has https://electra.ro/ro/produse/videointerfoane-si-interfoane/gama-touch-line/rezidential/terminale-1/vpm-bsr02-elb this reader.

[LowSkillDeveloper]

I have a "mizip" key for a coffee machine. When I try to read it, this is what I get.

I don't know if this information is correct or not. Perhaps the key does not have its own id. And inside the key there is other information. After all, this key has a balance that is displayed when taking coffee.

[Ferferite]

Any update on the Electra readers? Could try sniffing with a proxmark3 if that provides any useful info

[Ferferite]

After a bit more digging I found some stuff. First, electra.ro is associated with electra-automation.at and they developed their own rfid solution "for maximum security". And according to this thread, this should be the datasheet for the readers.

just compiled some info I could find online, didn't have more time to look into it yet

[R1DEN]

@DrZlo13 hey there, it seems like a working PoC is already there https://forum.flipperzero.one/t/electra-intercom/6368/65 however it would probably be better to add another protocol to the list. If you could point to some contribution guide for such issues, I could probably open some kind of a PR, however my C skills are really rusty...

[R1DEN]

@DrZlo13 any chance we could see this in the firmware any time soon? Feels like the issue is somewhat researched and the solution is a couple of steps away for experienced contributors. :pray:

[skotopes]

@R1DEN more like everyone is busy with other tasks. We'll come back eventually to this one.

[R1DEN]

@skotopes thank you for the reply. Just hoping it will be sooner rather than later as this will really help for Romanian and Moldovan users, we have these intercoms almost everywhere in new apartment blocks.

[dontbug]

We are waiting, we are really waiting. Thank you in advance

[gherman22]

Any luck to emulating the tag on an electra reader for anyone?

[R1DEN]

@gherman22 only with that "hacky" way from one of my above posts. Hope a proper way will be incorporated in the firmware some day...

[gherman22]

Thank you for your answer, i tried to fallow the steps but i got lost. Mabe we will have a easier way or a video with the steps.

[skotopes]

@DrZlo13 ping

[dontbug]

@DrZlo13 ping

[skotopes]

3640 brought support for electra, please check latest RC or Dev and reopen if issues persist

[d3xt3r01]

Can confirm it works!

[itrack]

Should this function work?

[d3xt3r01]

Yes. Works, tested.

On Thu, 20 Jun 2024 at 13:55, Alex Stoica @.***> wrote:

Should this function work?

— Reply to this email directly, view it on GitHub https://github.com/flipperdevices/flipperzero-firmware/issues/1500#issuecomment-2180388714, or unsubscribe https://github.com/notifications/unsubscribe-auth/AARHYG6ZWQCAA3PIM3IIVH3ZIKYJ3AVCNFSM55DQIAK2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMJYGAZTQOBXGE2A . You are receiving this because you are subscribed to this thread.Message ID: @.*** com>

[itrack]

I managed to emulate, it works fine but when I tried to write a blank tag it didn't work:

I mention that this only when I want to write previously saved Electra tags, with other RFID tags it works ok

[itrack]

it's a bit strange, if I read a tag and write over the same tag it works, if I want to write it on a different one it doesn't work

[bettse]

I tried to write a blank tag

t5577? (https://docs.flipper.net/rfid/write-data)

write over the same tag it works

Generally not a valid test, even for a read-only tag it would appear to be successful because the tag has the same data.

[itrack]

t5577 and Electra blank tag, on t5577 I managed to write other tags that are not of the Electra type

[itrack]

Short demo: https://www.youtube.com/shorts/fI8o7a28TzE

Electra marks electra tags as "programmable":

[skotopes]

@itrack do I understand right that writing to 5577 fails too? If yes then have you tried to read this 5577 with proxmark? Some protocols got additional payload validation and may alter data written to 5577 which may cause write fail. May be that is your case?

As of electra blank keyfobs, do you know what exactly is in the keyfob? Do they also use 5577?

[VladFlorinIlie]

Why do you even bother to write an Electra tag? They are more expanse and harder to come by. As for T5577, I have tested writing them and they are recognized by the reader. I would say that reading an Electra tag and then writing the data on a T5577 should be your best bet on getting a proper tag.

[itrack]

Hi @VladFlorinIlie ,

I put here a demo in which I try read electra tag and to write to T5577 and another an electra tag: https://www.youtube.com/shorts/fI8o7a28TzE

It doesn't work.

After to prove that it is a programmable T5577 tag, I selected a previously saved tag (which was not electra), it could be written without problems.

@skotopes , it only fails when I try to write using a previously scanned electra tag, if I try any other type of rfid it works

[VladFlorinIlie]

I have replicated your experiment here: https://streamable.com/4a07vk

You can also try with the e-locks T5577 that I have used in the video. You can buy them from EMAG here: https://www.emag.ro/set-10-bucati-tag-de-proximitate-rfid-e-locks-125-khz-chip-t5577-rewritable-galben-t5577elck/pd/D5RK86MBM/

[itrack]

Bought, I'll come back with a feedback in 6 days when the products arrive :)

My tests so far have been done with: https://www.aliexpress.com/item/1005005863796435.html?spm=a2g0o.order_list.order_list_main.11.1e331802lOqgr3 and https://www.a2t.ro/interfoane-videointerfoane/cartela-interfon-electra.html

[itrack]

Recommended tags arrived faster, same problem, thinking it is a firmware version problem, I reinstalled the original firmware:

Demo video: https://www.youtube.com/watch?v=AbJDa9PVRl4

Something's different than what you have @VladFlorinIlie , are you using custom firmware?

[itrack]

I tried the following cases:

• Read original Electra Tag -> Write original Electra Tag = failed
• Read original Electra Tag -> Write china T5577 = failed
• Read original Electra Tag -> Write e-locks T5577 = failed
• Read e-locks T5577 with Electra Tag clone (written on tag) -> Write china T5577 = failed
• Read e-locks T5577 with Electra Tag clone (written on tag) -> Write another e-locks T5577 = failed
• Read random RFID (non Electra) -> Write e-locks T5577 = success
• Read random RFID (non Electra) -> Write china T5577 = success
• Read random RFID (non Electra) -> Write original Electra Tag = failed

[VladFlorinIlie]

I do indeed use a custom firmware, Momentum version 004 to be exact. As far as I am aware, there shouldn't be any differences between the original firmware and this custom one when it comes to the Electra RFID protocol. I guess trying this firmware as well wouldn't hurt :)

[itrack]

I also installed Momentum v 004 , same result :) Using the same tags as @VladFlorinIlie , but with a different result, very strange.

Any idea what could be the cause? Could it be a hardware difference? A debug idea?