EM-Marin RFID Copier

    As you know, many access-control systems use 125 kHz RFID cards of the EM-Marin standard. The intercom of my building was no exception. One problem: it would be nice to learn how to copy such cards, because the prices for copying them are not encouraging. There are, of course, plenty of copier schematics online (and the Chinese sell their copiers for pennies, though they often set their own password on the blank when copying), but why not put together a copier of my own? The article is below.

    It is worth starting the development of the copier by clarifying what such tags can actually be copied onto. After reading the forums, you find that the most common blanks for copying are the T5577, T5557 and EM4305.

    Now we need a circuit. Let us take the analog part of such a copier from RECTO and connect it to an ATmega8 microcontroller. We will supplement it with a MAX232-based level converter for connecting to a COM port (those who wish can use an ST232 or something similar to connect via USB, but I have a COM port on my computer, as well as a USB-COM adapter, so that task did not arise for me).

    Here is the resulting schematic:



    What is in it? A double emitter follower, a tank (oscillating) circuit, a detector and RC filters. Because the RC filters have different time constants, comparing the voltage levels between the stages makes it possible to pick out the changes in the RFID tag's signal. This task is handled by the comparator built into the ATmega8. The 125 kHz signal is generated by the PWM controller built into the ATmega8.

    The RFID tag and the reader together form a transformer in which the tag is the secondary winding. The tag transmits information by changing the load on the secondary winding, which in turn changes the current in the reader coil (the primary winding). The analog part of the circuit above picks out these current pulses. The tank circuit must be tuned for maximum voltage at the test point, for example by winding or unwinding turns of the coil. Although they say it is better for the voltage to be slightly below the maximum, as the circuit works more stably. At my test point I have about 40 V.

    The tag being copied uses Manchester-type coding. To decode it, it is enough, after any edge in the signal, to skip three quarters of the bit-slot period and then, at the next edge, latch the bit value, which corresponds to the signal level right after that edge. When decoding, it is worth setting a window within which that edge must fall: no more than half the bit-slot period.
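The edge-and-window rule just described, as an added example that is not the article's code. The sample stream, the number of samples per bit slot and the encoder convention (the level after the mid-slot edge equals the bit) are constructed here so the decoder can be exercised offline.

```python
# Added example: Manchester bit recovery by "skip 3/4 of a slot, then accept the
# next edge within a half-slot window". Not the article's code.

PERIOD = 8   # constructed: comparator samples per bit slot

def manchester_encode(bits, period=PERIOD):
    """Each bit is two half slots; the level after the mid-slot edge equals the bit."""
    out = []
    for b in bits:
        out += [1 - b] * (period // 2) + [b] * (period // 2)
    return out

def manchester_decode(samples, period=PERIOD):
    """Recover bits: after an edge skip 3/4 of a slot, accept the next edge only
    inside a half-slot window and take the level just after it as the bit value."""
    skip, window = 3 * period // 4, period // 2
    edges = [i for i in range(1, len(samples)) if samples[i] != samples[i - 1]]
    if not edges:
        return []
    bits, last = [samples[edges[0]]], edges[0]
    while True:
        hit = [e for e in edges if last + skip <= e <= last + skip + window]
        if hit:
            last = hit[0]
            bits.append(samples[last])
            continue
        # No edge in the window: sync was lost (we were tracking slot-boundary edges)
        # or the stream ended. Re-arm on the next edge without emitting a bit; the
        # bits collected before this point are unreliable and the frame-level
        # header and parity checks are what weed them out.
        later = [e for e in edges if e > last + skip + window]
        if not later:
            return bits
        last = later[0]
```

The second case in the test starts sampling on a slot-boundary edge, which is what happens when the reader wakes up mid-stream; the decoder loses lock once and re-arms on a mid-slot edge.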



    The decoding method for Manchester coding, and the code for it, I took from Shads. I could, of course, have written my own, but I was in a hurry to get the copier running: I wanted to make sure that the circuit worked and that tags were being read. So this fragment stayed in the copier code. It also turned out that my comparator was wired with the opposite polarity from what the decoding code expected. I changed that in the code. So we got sequences of zeros and ones. How do we get the card code out of them?

    It is very simple. Assume the card number, written in nibbles, has the form AB CD EF GH IJ. The card transmits the following:

    1) Nine ones at the beginning;
    2) Nibble A;
    3) Parity bit of nibble A (1 bit);
    4) Nibble B;
    5) Parity bit of nibble B (1 bit);
    ...
    16) Nibble I;
    17) Parity bit of nibble I (1 bit);
    18) Nibble J;
    19) Parity bit of nibble J (1 bit);
    20) Column parity nibble for nibbles ABCDEFGHIJ;
    21) A 0 bit.

    Read all 64 bits, decode them and get the 40-bit card code. Logically, if we issue such a code ourselves by shorting the coil of a card placed on the reader, we get a card emulator. But that is not what we are after now.
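The frame layout just listed, as an added example that is not the article's code: it builds the 64-bit frame from a 40-bit ID, validates a frame (header, row parity, column parity, stop bit) back to the ID, and locates the frame in a capture that started at an arbitrary point of the tag's endless repetition. The card ID used in the checks is constructed.

```python
# Added example: EM-Marin (EM4100-style) 64-bit frame encode/decode with parity
# checks. Not the article's code; sample IDs are constructed.

HEADER = [1] * 9   # the nine leading ones

def nibbles(card_id):
    """Ten 4-bit nibbles A..J of a 40-bit card ID, most significant first."""
    return [(card_id >> (4 * (9 - i))) & 0xF for i in range(10)]

def nibble_bits(n):
    return [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]

def encode_em4100(card_id):
    """The 64-bit frame the tag streams (what is left after Manchester decoding)."""
    assert 0 <= card_id < (1 << 40)
    bits, cols = list(HEADER), [0, 0, 0, 0]
    for n in nibbles(card_id):
        b = nibble_bits(n)
        bits += b + [sum(b) & 1]                  # nibble, then its even parity bit
        cols = [c ^ x for c, x in zip(cols, b)]   # running column parity
    return bits + cols + [0]                      # column parity nibble, stop bit 0

def decode_em4100(bits):
    """Validate one 64-bit frame and return the 40-bit ID, or None if it is invalid."""
    if len(bits) != 64 or bits[:9] != HEADER or bits[63] != 0:
        return None
    card_id, cols = 0, [0, 0, 0, 0]
    for row in range(10):
        chunk = bits[9 + 5 * row:14 + 5 * row]
        if sum(chunk[:4]) & 1 != chunk[4]:        # row parity mismatch
            return None
        cols = [c ^ x for c, x in zip(cols, chunk[:4])]
        card_id = (card_id << 4) | int("".join(map(str, chunk[:4])), 2)
    return card_id if cols == bits[59:63] else None

def find_frame(stream):
    """The tag repeats its frame endlessly and the reader starts sampling at an
    arbitrary point, so scan a 64-bit capture circularly for a frame that validates.
    Returns (offset, card_id) or None."""
    doubled = stream + stream
    for start in range(len(stream)):
        card_id = decode_em4100(doubled[start:start + 64])
        if card_id is not None:
            return start, card_id
    return None
```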

    We have learned to read the card, but how do we transfer data to the card? To do this, simply switch the 125 kHz field on and off in accordance with the card's exchange protocol. During the reader's "silence" the card runs on stored energy.

    The T5557 / T5577 blanks are fully compatible with each other in their write protocols, but they have slightly different minimum and maximum pulse times (fortunately, the T5557 times overlap with those of the T5577). The EM4305 has a different write protocol.

    To write the T5557 I used code from BolshoyK. The table below shows the signal parameters for the T5557 tag.



    Writing starts with the Start Gap: the 125 kHz signal is switched off for about 300 μs. This tells the card that data will now be transferred to it. After that the information itself must be transferred to the blank. The encoding of the transmitted data is again Manchester.

    The T5557 / T5577 and EM4305 blanks are multifunctional: they support different modulation types, passwords and much more. Each blank has on board a set of 32-bit blocks with different purposes. Some hold the issued key code (it takes two blocks), others the configuration, others the manufacturer identifier. We will use only limited functionality, so those who want to figure out what all these bits mean can look into the documentation for the blanks (I attached it to the archive).

    The blocks are grouped into two pages (0 and 1).


    Page zero contains the configuration block, with index 0. We will set it. For the T5557 / T5577 our configuration bytes are 0x00, 0x14, 0x80, 0x40, in accordance with the table from the documentation (I marked the modes selected by individual bits in red):



    Thus we have chosen: a data rate of RF/64 (125 kHz / 64), Manchester coding, and transmission of blocks up to the second (blocks 1 and 2 will hold the code the card issues). Before writing, send the operation code (2-bit opcode) and one lock bit. Operation codes 10b and 11b precede data writes to pages 0 and 1 (the low bit sets the page number, the high bit sets the page write code). We get 10b for the opcode (all work is with page zero) and 0b for the lock bit. After transferring all this data, the three-bit address of the block being written must be transferred. All data transmission for the T5557 / T5577 goes from the most significant bit to the least significant.



    Having set the card code in blocks 1 and 2 and the configuration in block 0, you get a duplicate RFID tag. As you can see, everything is simple.
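The T5557 / T5577 write sequence described above, as an added example that is not the article's firmware: it builds the bit sequence of one page-0 block write (opcode, lock bit, 32 data bits, 3-bit block address, all most significant bit first), unpacks the article's configuration word into the three fields it selects, and assembles the three writes that turn a blank into a clone. Block 0 field positions are taken from the T5577 datasheet; the data words used in the checks are constructed.

```python
# Added example: T5557/T5577 block write command and configuration word 0x00148040.
# Not the article's code. Bit timings (Start Gap, 0/1 gaps) are left to the firmware.

CONFIG_BLOCK0 = 0x00148040   # the article's 0x00,0x14,0x80,0x40, most significant first

# Block 0 field positions per the T5577 datasheet (bit 0 = least significant bit).
BIT_RATES = {0: "RF/8", 1: "RF/16", 2: "RF/32", 3: "RF/40",
             4: "RF/50", 5: "RF/64", 6: "RF/100", 7: "RF/128"}
MODULATIONS = {0x00: "direct", 0x08: "Manchester", 0x10: "biphase"}

def msb_first(value, width):
    """T5557/T5577 take every field most significant bit first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def t5577_write_block(block, data, page=0, lock=0):
    """Opcode 1x (x = page), lock bit, 32 data bits, 3-bit block address.
    The copier precedes each command with the Start Gap (about 300 us of no field)."""
    assert 0 <= block < 8 and 0 <= data < (1 << 32) and page in (0, 1)
    return [1, page, lock] + msb_first(data, 32) + msb_first(block, 3)

def decode_config(word):
    """The three block-0 fields the article selects."""
    return {
        "bit_rate": BIT_RATES[(word >> 18) & 0x7],
        "modulation": MODULATIONS.get((word >> 12) & 0x1F, "other"),
        "max_block": (word >> 5) & 0x7,
    }

def t5577_program_clone(frame_bits):
    """Block 0 = configuration; blocks 1 and 2 = the two halves of the 64-bit frame
    the blank should stream, so that it replays exactly what the original tag sent."""
    assert len(frame_bits) == 64
    words = [int("".join(map(str, frame_bits[i:i + 32])), 2) for i in (0, 32)]
    return [t5577_write_block(0, CONFIG_BLOCK0),
            t5577_write_block(1, words[0]),
            t5577_write_block(2, words[1])]
```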

    The next blank type is the EM4305. I had to work out writing this blank myself. It also consists of 32-bit blocks, but their purpose is different.



    Data transmitted to the card is encoded by drops of the field within a time interval: if there was a drop during the interval, it is a zero; if there was not, it is a one. The configuration word takes 4 bytes, and I defined it for myself as 0x5F, 0x80, 0x01, 0x00 (Manchester coding, RF/64, output through word 6). In words 5 and 6 I write the card code (the same 64 bits that the card emits). The EM4305 requires transmission from the least significant bit to the most significant. The card understands that an exchange with it is starting after it receives the following pulse combination:

    1. Field off for 48 μs.
    2. Field on for 96 μs.
    3. Field off for 320 μs.
    4. Field on for 136 μs.
    5. Field off until the next command.

    The command to write a block to the card is transmitted as follows:

    1. Send the pulse sequence above.
    2. Send 0b.
    3. Send CC0, CC1 and their parity P (0101b for a write; see the tables below).
    4. Send the block address (see the table), two padding zeros and the address parity.
    5. Send the block data (32 bits).


    [Table: Command format]

    [Table: Command codes]

    [Table: Command address format]

    This is how the EM4305 blank is configured and its code is set.
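The EM4305 write command laid out in the steps above, as an added example that is not the article's firmware: it encodes a write-word command bit by bit, parses one back (handy for checking a logic-analyzer capture of the copier's output), and unpacks the configuration word. It assumes, per the EM4305 datasheet, that the configuration lives in word 4 and that the article's bytes 0x5F, 0x80, 0x01, 0x00 are listed in transmission (least-significant-byte-first) order, giving the word 0x0001805F; the data words in the checks are constructed.

```python
# Added example: EM4305 write-word command (leading 0, command 0101b, 4-bit address
# + 00 + parity, 32 data bits, every field LSB first) and config word decoding.
# Not the article's code. Word 4 as config and the field positions follow the
# EM4305 datasheet; the 0/1 slot timings are left to the firmware.

PREAMBLE_US = [("off", 48), ("on", 96), ("off", 320), ("on", 136)]  # from the article
WRITE_CMD = [0, 1, 0, 1]       # CC0, CC1 and parity P of a write word (0101b)
CONFIG_WORD = 0x0001805F       # the article's 0x5F,0x80,0x01,0x00, LSB first (assumed)

def lsb_first(value, width):
    """EM4305 takes every field least significant bit first."""
    return [(value >> i) & 1 for i in range(width)]

def from_lsb_first(bits):
    return sum(b << i for i, b in enumerate(bits))

def parity(bits):
    return sum(bits) & 1

def em4305_write_word(address, word):
    """Bits sent after the preamble: 0, command, address + 00 + parity, 32 data bits."""
    assert 0 <= address < 16 and 0 <= word < (1 << 32)
    addr = lsb_first(address, 4)
    return [0] + WRITE_CMD + addr + [0, 0, parity(addr)] + lsb_first(word, 32)

def parse_write_word(bits):
    """Inverse of em4305_write_word. Returns (address, word), or None when the
    layout or the address parity is wrong."""
    if len(bits) != 44 or bits[:5] != [0] + WRITE_CMD or bits[9:11] != [0, 0]:
        return None
    addr = bits[5:9]
    if parity(addr) != bits[11]:
        return None
    return from_lsb_first(addr), from_lsb_first(bits[12:])

def decode_config(word):
    """Data rate RF/(2*(n+1)), modulation code (1 = Manchester) and last word read."""
    return {
        "rf_divisor": 2 * ((word & 0x3F) + 1),
        "manchester": (word >> 6) & 0xF == 1,
        "last_word_read": (word >> 14) & 0xF,
    }

def em4305_program_clone(word5, word6):
    """Configuration into word 4, then the two halves of the 64-bit tag frame into
    words 5 and 6, which the configuration tells the blank to stream."""
    return [em4305_write_word(4, CONFIG_WORD),
            em4305_write_word(5, word5), em4305_write_word(6, word6)]
```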

    Actually, nothing more is needed for a simple copier.

    I made several copier variants with different displays. For example, here is a copier with a 1602 display:



    And here is a video of the copier working with an LPH9157-02 display:



    And here is the reason I became interested in copying such keys: I needed many copies of the intercom key (and waiting for a parcel from China was too tedious), but the price tag is this:



    The archive contains all the schematics, PCB layouts, programs and documentation for the blanks. There is a version for the Arduino Nano (it has to be flashed separately using a tool for uploading third-party firmware).

    Those who wish can open the documentation for all these blanks and implement password support and the other card operating modes. I personally did not need any of that.

    Special, tremendous thanks to RECTO, BolshoyK and Shads; without you I would have been busy with the development for quite some time longer!

    Thanks for your attention.

    PS: I am not a professional in copying keys and blanks, so I could be mistaken about something. However, the copier works, and so far no one has found errors in it.
