search

flipperdevices / flipperzero-firmware

Flipper Zero firmware source code
https://flipperzero.one
GNU General Public License v3.0
12.81k stars 2.72k forks source link

LF-RFID Support for RadioKey/Securakey #2619

Closed tacticalkeyboard closed 4 months ago

tacticalkeyboard commented 1 year ago

Describe the enhancement you're suggesting.

I'm hoping support for SecuraKey/RadioKey can be added to the LF-RFID app.

There was a post was made in the forum here back in September: https://forum.flipperzero.one/t/securakey/6434

I'm able to provide raw reads of my own keys. (I have 3 of them that can be tested with)

Anything else?

Just a huge thank you to the Flipper team for the consistent firmware updates. This is a great tool.

Edit. Here's a RAW read of one of the tags. SecuraKey.zip

skotopes commented 1 year ago

ASK record looks good. Should be totally feasible.

halfaura commented 1 year ago

Hello. I was wondering if support for linear 125khz keys an/or securakey/radiokey was still being worked on?

skotopes commented 1 year ago

Not really. We are mostly busy with NFC refactoring now, we'll be able to take close look after its completion.

halfaura commented 1 year ago

Thanks for responding so quickly. I appreciate all the work you guys do.

lukzluthor commented 12 months ago

Same here, Looking for Securakey support. Proxmark 3 has it. I would figure it would work on flipper as well.

hi-im-vika commented 5 months ago

Is there still work being done on this? I am interested in getting this working for my Flipper. Any tips on getting started with adding support for this (or any other raw captured data) into the firmware? I tried looking at previous pull requests for adding support for new LF-RFID devices but couldn't find anything helpful to me. I have several raw captures of my own key I can work with.

zinongli commented 5 months ago

@hi-im-vika I'm also looking into this. But I am learning while doing so I'm going slowly. I found this to be potentially useful but I'm no way close to understanding how it works.

Flipper's official pulse plotter is also a useful tool. I'm learning by looking through OP's dump with it and looking into the source code.

Here's what I've learned so far and I might sound dumb because C, RFID, and Javascript are all new to me:

  1. OP's dump will be recognized as Pulse Width Modulation(PWM) with sync/delimiter on FZ pulse plotter. But PM3's Securakey decoder seems to assume Manchester modulation. I have no clue what their relationship is.
  2. PM3's Securakey decoder looks for preamble sequence 0111111111001, which I cannot find in pulse plotter's PWM output or viewing the dump with a hex editor and converting them to binary by hand.
  3. Pulse plotter's PWM output seems to be 4-bit off sometimes. For example: FF FF FF FD 76 5F BF FF FF FF FE BB 2F DF I assume the actual information is D765FB EBB2FD instead of FD765FBF FEBB2FDF. The hanging Fs probably should've been grouped with other FFs

But that's all that I've learned so far. If you'd like to chat on a more regular basis you can find me on discord @torron0483 (If attaching discord id is prohibited here please let me know and I will delete this).

hi-im-vika commented 5 months ago

Thanks @zinongli, I am also learning so I don't mind if it's a slow process! Here are some links on the Proxmark3 forum that I found that could be relevant:

I've seen the Manchester code mentioned a couple times while reading through the threads, but I'm not sure what it means either. The official SecuraKey white paper attached above doesn't mention PWM either, so I'm guessing it's not related?

zinongli commented 5 months ago

@hi-im-vika Thank you! These are really helpful. After reading them and some trial and errors, I am suspecting if FZ have automatically performed Manchester demodulation on OP's dump already. My reasoning is below:

My understanding of the processing steps as of now is raw radio frequency -> ASK demodulation -> Manchester demodulation -> look for preamble in binary -> parse binary into hex -> done.

I assumed Securakey has preamble = 01111111110 because according to the PM3's securakey reader the sequence should start with a 0, nine 1s, and then a 0 as marker bits to separate between bytes. So a typical sequence should look like this: 0111111111 0 01011010 0 00000000 0 00000010 0 00110110 0 00111110 0 01100010 0 00001111 0 01100000 0 00000000 0 0000 I ignored the extra 01 in the end of PM3's preamble search because it's not actually content of the preamble but more of a verification of specific bit-format.

So I just looked up the preamble in the .ask.raw in binary and found 14 instances where this sequence was present. And for each instances, the bytes after the preamble would repeat for a lot of times. A sample looks like this: '0111111111 0 11100110 0 11100110 0 11100110 0 11100110 0 11100110 0 11100110 0 11100110 0 11100110 0 So I collected the 14 instances and converted the repeating bytes into hexes. They were: 4C CE 9E C4 6C 46 7E 46 C4 E4 EE CE C4 E6

I didn't know what to make out of this. But when I tried to perform this same look up after I performed Manchester demodulation on the .raw binary file, I couldn't find the preamble anywhere. Nothing with the .psk.raw before or after Manchester demod either.

So this is why I came to the hypothesis that FZ has already performed Manchester demod on the signal, and that Securakey transmit information by repeating each byte for many times before they resume to the next byte, each repetition sequence leading by a preamble. (I could be wrong about other stuff, but the repetition should be present no matter which stage of decoding/demodulation this dump is at. A wave should always be able to pass through a linear transformation.) This format doesn't conform to the suspected format in the PM3 code at all except the preamble. I don't know what I'm doing wrong here. Please let me know if you have any ideas.

By the way, do you mind posting your dump here as well? Some comparison between keys can be really helpful for reverse engineering.

hi-im-vika commented 4 months ago

@zinongli Sorry, I don't want to post the dump of my keys, but I really appreciate you working on this. Thanks a lot! I've barely made any progress on my end of things 😅

zinongli commented 4 months ago

@hi-im-vika I totally understand. I highly recommend the flipper-rfid-raw repository and Derek Jamison's youtube channel.

The former has a python notebook in there that might require ten minutes of small changes and setting up before you can start analyzing raw signals. It's a very automated script and it shows you the processes with graphs. It works regardless of the modulation or rf clock.

Derek has an entire Low Frequency RFID playlist that goes from time sample series to data parsing and rendering. His videos helped me a lot getting started coding for FZ.

I might be too dumb to use it, but the only help I got from Flipper lab's pulse plotter is confirming the rf clock. Nothing else. the repo mentioned at the beginning was SO MUCH more helpful and it should've been included in Flipper lab.

Also, if you got to my PR and look through my code, I left tons of comments wherever I could, so hopefully it can be a helpful reference to learn FZ developing. And since you have the fobs, might as well compile the commit and give it a try!

Please at me with whatever question you have about all these jargons and scripts. It took me a difficult time to learn this with very limited resources, so I know that feeling sucks.

EricRibeiro commented 4 months ago

Hey folks, thanks for the great work!

I pulled in e7d0afd via the Development update channel and tried reading my Secura Key without success.

I'm wondering if anyone else was able to.

skotopes commented 4 months ago

@EricRibeiro Securakey is actually a company name, they you bunch of different technologies and key types. Do you know which type of key do you have?

EricRibeiro commented 4 months ago

@EricRibeiro Securakey is actually a company name, they you bunch of different technologies and key types. Do you know which type of key do you have?

That's my bad! I have a Radio Key proximity tag:

I see on their website they have several models (RKKT-02, RKKTH-02 and RKKT-01), but I can't make out the difference visually.

skotopes commented 4 months ago

@EricRibeiro do you have proxmark? Can you share RFID RAW files?

EricRibeiro commented 4 months ago

@EricRibeiro do you have proxmark? Can you share RFID RAW files?

Unfortunately, I do not own a proxmark 😔.

zinongli commented 4 months ago

@EricRibeiro do you have proxmark? Can you share RFID RAW files?

Unfortunately, I do not own a proxmark 😔.

You can read raw with flipper. Turn on Debug and go RFID - Extra Actions and you'll see read raw.

Edit: also, the main difference between your photo and the RKKT-02 fobs I've tested on is mine have trademark sign next to the Securakey. image This might help differentiating the two.

EricRibeiro commented 4 months ago

the main difference between your photo and the RKKT-02 fobs I've tested on is mine have trademark sign next to the Securakey.

@zinongli, good catch! Looking back on their website, the RKKT-01 also has the trademarked sign. The RKKTH-02 is the only one that matches the tag I own. Thanks! 🙏

You can read raw with flipper. Turn on Debug and go RFID - Extra Actions and you'll see read raw.

Perfect, thank you! @skotopes, can I DM you the raws on Discord? I would rather not upload them to GitHub.

skotopes commented 4 months ago

@EricRibeiro sure, but keep in mind that person who actually implemented this protocol is @zinongli

zinongli commented 4 months ago

count me in! my discord is @torron0483