RFID tag copier EM-Marin

As you know, many access control systems use RFID cards of the EM-Marin standard operating at 125 kHz. The intercom of my house is no exception. One problem: it would be nice to learn how to copy such cards, because the prices charged for copying them are not encouraging. Of course, there are quite a few copier circuits on the Internet (and Chinese copiers are sold for pennies; however, when copying, they often write their own password to the blank, so it can no longer be rewritten by another device), but why not build your own copier? This is what the article below is about.

It is worth starting the development of the copier by finding out what such tags can be copied to. Reading the forums shows that the most common blanks for copying are the T5577, T5557 and EM4305.

Now we need a circuit. Let's take the analog part of such a copier from RECTO and connect it to an ATmega8 microcontroller. We will add a MAX232 level converter for connecting to a COM port (those who wish can use an ST232 or something else to connect via USB, but I have a COM port on my computer, as well as a USB-to-COM adapter, so I did not have such a task).

You will get the following circuit:

4ae4b2bdbe974fe2b53d19474c31d2ab.PNG


What is in it? A dual emitter follower, an oscillatory (LC) circuit, a detector and RC filters. Because the RC filters have different time constants, comparing the voltage levels between the stages isolates the change in the RFID tag signal. The built-in comparator of the ATmega8 handles this task, and its built-in PWM controller generates the 125 kHz carrier.

The reader and the tag together form a transformer, where the tag is the secondary winding. The tag transmits information by changing the load on the secondary winding; as a result, the current in the reader coil (the primary winding) changes. The analog part of the circuit above isolates these current pulses. The oscillatory circuit should be tuned for the maximum voltage at the test point, for example by adding or removing coil turns. However, they say that it is better to have a voltage slightly below the maximum: it works more stably. I have about 40 V at the test point.

The copied tag uses Manchester coding. To decode it, it is enough, after any signal edge, to skip three quarters of the bit slot period and, at the edge that follows, record the bit value, which corresponds to the signal level after that edge. When decoding, it is worth setting a window in which that edge must occur: no more than half the bit slot period. I took the Manchester decoding method and the code for it from Shads. Of course, I could have written my own, but I was in a hurry to launch the copier: I wanted to make sure that the circuit was working and that tags were being received. So this fragment remained in the copier code. It also turned out that my comparator was configured inversely to what the decoding code needed; I changed it in the code. So, we got sequences of zeros and ones. How do we get the card code from them? It's very simple. Let's assume that the card number, by nibbles, is AB CD EF GH IJ.

The card transmits the following sequence:
1) Nine ones at the beginning (the header);
2) Nibble A;
3) Parity bit of nibble A (even parity, 1 bit);
4) Nibble B;
5) Parity bit of nibble B (1 bit);
...
16) Nibble I;
17) Parity bit of nibble I (1 bit);
18) Nibble J;
19) Parity bit of nibble J (1 bit);
20) Column parity nibble: one even-parity bit for each bit column of nibbles A..J;
21) Stop bit 0.

7440d3f7427f4b0d8522daabe28e4f6f.PNG


We read all 64 bits, decode them and get the 40 bits of the card code (the 9 header ones, the 10 row parity bits, the 4 column parity bits and the stop bit account for the remaining 24). It follows that if we generate such a sequence ourselves by switching a short across the coil of a "card" held to the reader, we get a card emulator. But that is not what interests us now.
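To make the frame layout concrete, here is an added example in portable C (my code, not the article's firmware and not Shads' decoder): it demodulates Manchester half-bit samples the way the text describes (the bit value is the level after the mid-slot edge, with a flag for the comparator polarity the author had to invert), packs a 40-bit ID into the 64-bit frame with its row and column parity, verifies and unpacks a received frame, and finds the frame boundary in a bit stream captured mid-frame, since the tag repeats the frame continuously and the reader never starts at the header. The sample ID 0x0F0368568B is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (portable C99, no AVR code), not the article's firmware.
 * EM4100 frame, first bit sent = bit index 0: 9 header ones, 10 nibbles each
 * followed by an even row-parity bit, 4 even column-parity bits, stop bit 0. */

/* Manchester demodulation as described in the text: each bit slot holds two
 * half-bit levels that must differ, and the bit value is the level after the
 * mid-slot edge. Polarity depends on the comparator wiring (the author had to
 * invert it), hence the `invert` flag. Returns the bit count, or -1 when a slot
 * has no mid-slot transition, i.e. sync was lost. */
int manchester_demod(const uint8_t *half, size_t n_half, bool invert, uint8_t *bits)
{
    if (n_half % 2) return -1;
    for (size_t i = 0; i < n_half; i += 2) {
        if (half[i] == half[i + 1]) return -1;
        bits[i / 2] = (half[i + 1] & 1) ^ (invert ? 1 : 0);
    }
    return (int)(n_half / 2);
}

/* Pack a 40-bit ID (nibbles AB CD EF GH IJ) into the 64-bit frame, MSB = first bit. */
uint64_t em4100_encode(uint64_t id40)
{
    uint64_t f = 0x1FF;                       /* nine header ones */
    uint8_t col[4] = {0, 0, 0, 0};            /* col[0] = MSB column of the nibbles */
    for (int n = 9; n >= 0; n--) {
        uint8_t nib = (id40 >> (4 * n)) & 0xF, row = 0;
        for (int b = 3; b >= 0; b--) {
            uint8_t bit = (nib >> b) & 1;
            f = (f << 1) | bit;
            row ^= bit;
            col[3 - b] ^= bit;
        }
        f = (f << 1) | row;                   /* even row parity */
    }
    for (int c = 0; c < 4; c++) f = (f << 1) | col[c];
    return f << 1;                            /* stop bit 0 */
}

/* Check one frame (64 elements, one bit each) and extract the 40-bit ID. Rejects
 * a bad header, any row or column parity mismatch and a missing stop bit. */
bool em4100_decode(const uint8_t *b, uint64_t *id40)
{
    for (int i = 0; i < 9; i++) if (b[i] != 1) return false;
    uint64_t id = 0;
    uint8_t col[4] = {0, 0, 0, 0};
    size_t pos = 9;
    for (int n = 0; n < 10; n++) {
        uint8_t nib = 0, row = 0;
        for (int c = 0; c < 4; c++) {
            uint8_t bit = b[pos++] & 1;
            nib = (nib << 1) | bit;
            row ^= bit;
            col[c] ^= bit;
        }
        if ((b[pos++] & 1) != row) return false;
        id = (id << 4) | nib;
    }
    for (int c = 0; c < 4; c++) if ((b[pos++] & 1) != col[c]) return false;
    if (b[pos] != 0) return false;
    if (id40) *id40 = id;
    return true;
}

void em4100_frame_to_bits(uint64_t f, uint8_t *out)
{
    for (int i = 0; i < 64; i++) out[i] = (f >> (63 - i)) & 1;
}

/* The tag repeats the frame endlessly and the reader wakes up mid-frame, so scan
 * a window of at least 128 bits for the offset at which a frame decodes cleanly. */
int em4100_find(const uint8_t *stream, size_t n, uint64_t *id40)
{
    if (n < 128) return -1;
    for (int off = 0; off < 64; off++)
        if (em4100_decode(stream + off, id40)) return off;
    return -1;
}

/* Round trip on a constructed ID, then two corruptions and a mid-frame sync search. */
bool em4100_selftest(void)
{
    const uint64_t sample = 0x0F0368568BULL;  /* constructed, not a real card */
    uint64_t frame = em4100_encode(sample), id = 0;
    uint8_t bits[64], stream[128];
    em4100_frame_to_bits(frame, bits);
    if (!em4100_decode(bits, &id) || id != sample) return false;
    bits[10] ^= 1;                            /* one flipped bit: row parity catches it */
    if (em4100_decode(bits, &id)) return false;
    bits[11] ^= 1;                            /* two flips in one row: column parity catches it */
    if (em4100_decode(bits, &id)) return false;
    em4100_frame_to_bits(frame, bits);
    for (int i = 0; i < 128; i++) stream[i] = bits[(i + 17) % 64];  /* capture starts 17 bits in */
    return em4100_find(stream, 128, &id) == 47 && id == sample;
}

int main(void)
{
    printf("frame for 0F0368568B: %016llx, selftest %s\n",
           (unsigned long long)em4100_encode(0x0F0368568BULL),
           em4100_selftest() ? "ok" : "FAILED");
    return 0;
}
```

A frame that fails parity is simply dropped and the next repetition is tried; on a real reader that is what separates a tag moving through the field from noise, so the copier should never accept a code from a frame that did not pass all three checks.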

We have learned how to read the card, but how do we transfer data to it? To do this, you just need to switch the 125 kHz carrier on and off according to the card's data exchange protocol. While the reader is "silent", the card runs on its stored energy.

The T5557/T5577 blanks are fully compatible with each other in terms of write protocol; however, their minimum and maximum pulse times differ slightly (fortunately, the T5557 ranges overlap with the T5577 ones). The EM4305 has a different write protocol.

To write the T5557, I used BolshoyK's code. The table below shows the signal parameters for the T5557 key fob.

4c12172c052241d3bfceb41c2ce8b1ab.PNG


Writing begins with the start gap: you switch off the 125 kHz carrier for about 300 µs. This tells the card that data will now be transmitted to it. Then you transmit the information to the blank. On the way to the blank the bits are not Manchester-coded: each bit is a field-on pulse whose length encodes a 0 or a 1, separated from the next by a short write gap, with the durations given in the table above.

The T5557/T5577 and EM4305 blanks are multifunctional: they support different modulations, passwords and much more. Each blank has a set of 32-bit blocks on board, with different purposes: some hold the key code to be emitted (it takes up two blocks), one holds the configuration, another the manufacturer's identifier. We will use a limited subset of the functionality, so those who want to understand what all these bits mean can look at the documentation for the blanks (I have attached it to the archive).

The blocks are collected in two pages (0 and 1).

1de523ea664f4e189a708f1457093821.PNG


Page 0 contains the configuration block, index 0, which we must set. For the T5557/T5577 the configuration bytes are 0x00, 0x14, 0x80, 0x40 (the 32-bit word 0x00148040), according to the table in the documentation (I have marked the modes selected by individual bits in red):

b23d4dd55b464d4f964ab41ef7bf56e8.PNG


Thus, we have selected: data rate RF/64 (125 kHz / 64), Manchester encoding, and a maximum block of 2, so the tag transmits blocks 1 and 2 in a loop (they will hold the code the card emits). A write starts with the 2-bit operation code and one lock bit. Opcodes 10b and 11b precede writes to pages 0 and 1 respectively (the most significant bit, 1, marks a page write; the least significant bit is the page number), so we use 10b (all work is done on page 0) and a lock bit of 0b. Then follow the 32 data bits and, finally, the three-bit address of the block being written. All T5557/T5577 transfers are most significant bit first.

a8de3bbf752d4421b299f30ec36a6227.PNG


By writing the card code into blocks 1 and 2 and the configuration into block 0, you get a duplicate RFID tag. As you can see, everything is simple.

The next type of blank is the EM4305. I had to figure out how to write this blank myself. It also consists of 32-bit blocks, but their purpose is different.

757df6e802e54576bccba65fd999428c.PNG


Data transmitted to the card is encoded by the presence or absence of a field interruption within a bit period: a bit period containing a gap is a zero, a period with the field left on throughout is a one. The configuration word is stored in word 4, and I defined it for myself as follows: 0x5F, 0x80, 0x01, 0x00 (Manchester encoding, RF/64, last word read (LWR) = 6). In words 5 and 6, I write the card code (the same 64 bits that the card emits). The EM4305 requires transmission from the least significant bit to the most significant. The card understands that an exchange with it is starting after it receives the following pattern of pulses:
  1. Switch off the field for 48 µs.
  2. Switch on the field for 96 µs.
  3. Switch off the field for 320 µs.
  4. Switch on the field for 136 µs.
  5. Switch off the field until the next command.

The command to write a block to the card is transmitted as follows:
  1. Send the pulse pattern above.
  2. Send a 0 bit.
  3. Send CC0-CC1 and their parity P (0101b for a write, see the tables below).
  4. Send the block address (see table), two padding zeros and the parity bit of the address.
  5. Send the block data: 32 bits, which the EM4305 frames with an even parity bit after each byte, eight column parity bits and a final 0 bit (45 bits in total).

fd4ad05c17364e27bb413362143937a9.PNG

Command format

ba10bb44d96345af96d9dcc03b3c6413.PNG

Command codes

0d0e11e1aa89461c9ee5064aa0a8ff9d.PNG

Block address format

This is how the EM4305 blank's configuration and code are set.
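An added example in portable C, not the article's code, building the EM4305 write command in the bit order just described, with the parity bits the blank expects, and turning it into a field schedule that starts with the wake-up pattern from the list above. Two assumptions are labelled in the code: that the article's configuration bytes 0x5F 0x80 0x01 0x00 are listed in transmission order, low byte first, giving the word 0x0001805F; and that word 5 holds the first 32 bits the tag transmits and word 6 the last 32. The bit period and gap length of the downlink are not given in the text, so they are parameters the caller takes from the datasheet (the values in main() are placeholders).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (portable C99), not the article's firmware.
 * ASSUMPTION: the article's config bytes 0x5F 0x80 0x01 0x00 are listed in
 * transmission order (low byte first), so word 4 = 0x0001805F: bits 0-5 data
 * rate 31 -> RF/64, bits 6-9 encoder 1 -> Manchester, bits 14-17 LWR = 6. */
#define EM4305_CFG_EM4100 0x0001805Fu

typedef struct { uint8_t field_on; uint16_t us; } em4305_seg;

/* Wake-up pattern from the article, in microseconds. Its final "field off until
 * the command" is the gap of the command's leading 0 bit below. */
static const em4305_seg em4305_preamble[4] = { {0, 48}, {1, 96}, {0, 320}, {1, 136} };

/* Bit sequence of a "write word" command, everything LSB first:
 * 0, command 0101b, address (4 bits, two 0s, even parity), data (4 bytes low
 * byte first, each with an even row-parity bit, then 8 column-parity bits and
 * a 0) = 1 + 4 + 7 + 45 = 57 bits. */
size_t em4305_write_cmd(uint8_t word_addr, uint32_t data, uint8_t *bits)
{
    static const uint8_t cmd[4] = {0, 1, 0, 1};
    size_t n = 0;
    bits[n++] = 0;
    for (int i = 0; i < 4; i++) bits[n++] = cmd[i];
    uint8_t ap = 0;
    for (int i = 0; i < 6; i++) {
        uint8_t b = (i < 4) ? ((word_addr >> i) & 1) : 0;
        bits[n++] = b;
        ap ^= b;
    }
    bits[n++] = ap;
    uint8_t col = 0;
    for (int byte = 0; byte < 4; byte++) {
        uint8_t v = (data >> (8 * byte)) & 0xFF, rp = 0;
        for (int i = 0; i < 8; i++) {
            uint8_t b = (v >> i) & 1;
            bits[n++] = b;
            rp ^= b;
        }
        bits[n++] = rp;
        col ^= v;
    }
    for (int i = 0; i < 8; i++) bits[n++] = (col >> i) & 1;
    bits[n++] = 0;
    return n;
}

/* Field schedule: a 0 is a gap at the start of its bit period, a 1 keeps the
 * field on for the whole period. bit_us and gap_us are not given in the text,
 * so the caller takes them from the datasheet. */
size_t em4305_schedule(const uint8_t *bits, size_t n, uint16_t bit_us, uint16_t gap_us, em4305_seg *out)
{
    size_t k = 0;
    for (int i = 0; i < 4; i++) out[k++] = em4305_preamble[i];
    for (size_t i = 0; i < n; i++) {
        if (bits[i]) {
            out[k++] = (em4305_seg){1, bit_us};
        } else {
            out[k++] = (em4305_seg){0, gap_us};
            out[k++] = (em4305_seg){1, (uint16_t)(bit_us - gap_us)};
        }
    }
    return k;
}

uint32_t em4305_schedule_us(const em4305_seg *segs, size_t k)
{
    uint32_t us = 0;
    for (size_t i = 0; i < k; i++) us += segs[i].us;
    return us;
}

/* The three writes that clone a tag. ASSUMPTION: word 5 holds the first 32 bits
 * the tag transmits and word 6 the last 32. */
void em4305_clone_words(uint64_t em4100_frame, uint8_t addrs[3], uint32_t words[3])
{
    addrs[0] = 4; words[0] = EM4305_CFG_EM4100;
    addrs[1] = 5; words[1] = (uint32_t)(em4100_frame >> 32);
    addrs[2] = 6; words[2] = (uint32_t)em4100_frame;
}

int main(void)
{
    uint8_t addrs[3], bits[57];
    uint32_t words[3];
    em4305_seg segs[4 + 2 * 57];
    em4305_clone_words(0xFF80A3C4D5E6F708ULL, addrs, words);    /* constructed frame */
    for (int w = 0; w < 3; w++) {
        size_t n = em4305_write_cmd(addrs[w], words[w], bits);
        size_t k = em4305_schedule(bits, n, 256, 64, segs);     /* placeholder timings */
        printf("word %u = 0x%08lX: %zu bits, %zu segments, %lu us\n", (unsigned)addrs[w],
               (unsigned long)words[w], n, k, (unsigned long)em4305_schedule_us(segs, k));
    }
    return 0;
}
```

The parity framing is the part most easily lost when porting this to a microcontroller: a command with a wrong address or data parity is silently ignored by the blank, which looks exactly like a timing problem from the outside.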

Actually, a simple copier needs nothing more.

I made several versions of the copier with different displays. For example, here is a copier with a 1602 display:

4f1db57ae40748a2a8d19f5b1b01ef83.jpg


And here is a video of the copier working with an LPH9157-02 display:


Here is the reason why I got interested in copiers of such keys: I needed to make a lot of copies of the intercom key (I was too lazy to wait for a parcel from China), but the price tag is as follows:

729d58861b954c9a9fccad5486aaad34.jpg

The archive contains all the schematics, PCB layouts, programs and documentation for the blanks. There is a version for Arduino Nano (it needs to be flashed separately through programs for uploading third-party firmware). Those who wish can open the documentation for all these blanks and implement password support and other card operating modes. Personally, I didn't need all this.

Special thanks to RECTO, BolshoyK and Shads: without you, I would have been having fun with the development for quite a long time! Thank you for your attention.

P.S. I am not a professional in copying keys and blanks, so I could well have made a mistake in something. However, the copier works, and no one has found any errors in it yet.
