LF RFID Shenanigans

Posted on by glitch0ne

Versiunea în Română: https://glitch0ne.com/2023/10/12/aventuri-cu-rfid-la-frecventa-joasa/

Disclaimer: The things I’m about to tell you about should only be tried on personal devices or with the explicit consent of any targets. I’m not responsible for the malicious use of the information presented below. Thank you, and godspeed!

As an avid proponent of Dee Dee’s motto „Ooh! What does this button do?”, I oftentimes find myself in situations where my previous knowledge of a subject only takes me so far. One day, I decided to try and copy a Low Frequency RFID tag that I had, to see whether I could store and emulate it on my Flipper. And while it did seem to recognize the tag as an EM4100 chip, a classic chip type that it could easily emulate, the reader for that particular tag did not recognize my attempts at emulation. Without any other info, I decided to approach this issue at a later time, when I would have more powerful tools at my disposal.

And more powerful tools were on their way. Having gotten my hands on a Proxmark 3, a classic RFID research tool, I took another crack at emulating the chip, only to fail a second time. But what the Proxmark could do that the Flipper could not (or at least, not to my knowledge at the time) was to look further into the data received from the chip. And there the story truly begins.

For context, the EM4100 is a very common RFID chip. It’s used in a lot of access control systems, and it holds some basic data following a specific format, that looks like so:

1 1 1 1 1 1 1 1 19 bit header, all 1’s
8 bit version number
or customer ID		D00D01D02D03P0 Each group of 4 bits
is followed by
one even parity bit
D04D05D06D07P1
32 bits of dataD08D09D10D11P2
D12D13D14D15P3
D16D17D18D19P4
D20D21D22D23P5
D24D25D26D27P6
D28D29D30D31P7
D32D33D34D35P8
D36D37D38D39P9
4 column parity bitsPC1PC2PC3PC4S0One stop bit, always 0

I took the binary data that I received from my unknown chip and tried to see whether it followed this format. And it did. At least, for a while. See, most of the binary data fit neatly into this format, which of course meant that for a basic reader, this would look, feel and behave like your run-of-the-mill EM4100.

1 1 1 1 1 1 1 1 1 9 bit header, all 1’s
8 bit version number
or customer ID		00000 Each group of 4 bits
is followed by
one even parity bit
00110
32 bits of data11101
10001
10111
01010
11101
11000
01010
10111
4 column parity bits01110One stop bit, always 0
Additional data0111111 0
00011110
10101010
10101010

But there was more data there beyond it. Specifically 4 more bytes of it, right at the end, after the EM4100 trailer. To make reading easier, we’ll just go with the hexadecimal representation from now on, because ones and zeroes are machine talk, and we’re not quite there yet. The data after the stop bit was essentially 0x7E1EAAAA.

Ultimately, the reason for which my initial attempts at reading and emulation failed were that both myself and my tools ran under the assumption that if it looks like a duck and quacks like a duck, then it is a duck. Unfortunately, this duck had a longer tail. So here we were. I had a tag that behaved “mostly” as an EM4100, but with data that could not fit into your normal EM4100 chip. How could I copy this onto another card?

Enter, the T5577

The T5577 is a chip that offers a lot of custom functionality as well as much more storage than an EM4100, and is able to emulate multiple different chip types and protocols. As long as you configure it properly, and write the correct data to it, it should work and behave like any other low-frequency RFID chip. Its storage format looks something like this:

Page 1LAnalog front end option set upBlock 3
1Traceability dataBlock 2
1Traceability dataBlock 1
LPage 0 configuration dataBlock 0
Page 0LUser data or PasswordBlock 7
L32 bit user dataBlock 6
L32 bit user dataBlock 5
L32 bit user dataBlock 4
L32 bit user dataBlock 3
L32 bit user dataBlock 2
L32 bit user dataBlock 1
LConfiguration dataBlock 0

So, what do we know so far? We have an unknown LF chip, behaving roughly as an EM4100, holding more data than an EM4100, right after the trailer. This means that we could configure the T5577 to look and quack like our duck, writing the following data to the first block of the first page:

0x00148060

Which essentially tells the chip to work on a bit rate of 64 clock cycles, using Manchester encoding, and outputting data all the way out to block 3, which amounts to 96 bits of data. 64 bits of EM4100-like data and 32 bits of mysterious, much secure data. Just like our duck.

Right after that, we write the actual data on the card, block by block, which looks like this in hexadecimal:

0xFF80DD8D
0xD5DC2AEE
0x7E1EAAAA

Doing so made the T5577 chip transmit all of the data that was on the original fob, which made it recognizable by the readers I was targeting. The end!

Or is it? What was the mystery data? Well, I could make a few assumptions, but the main one is that the manufacturer wanted to add a little bit of security through obscurity, in order to thwart basic attempts at duplicating their tags. And while that almost worked for me as well, as soon as I got my hands on some dedicated tooling, the mysteries were unobscured and there went their security. Word on the street is that most if not all of these cards have the same data after the EM4100-like data ends, so it doesn’t seem to be anything of importance yet.

And the moral to the story is, if you’re a company that considers doing security through obscurity, just know that someone, somewhere, is gonna see right through the smoke and mirrors.

References

Leave a comment