EM410x Apartment Door Clone Project [Solved]

I recently moved into an apartment with 125kHz RFID door access, and the management company is very strict about lost or damaged key fobs ($500 replacement)! I want to keep my original key fob in a safe place, and use a clone to enter the building. Note that I am not interested in “hacking” or any illegal activity, only cloning a key fob I was given legally. If I can make this work, I might opt for an implant too.

Here’s a photo of the outdoor panel:

After researching, I discovered this is the BEC MT-D5S but the spec sheet and key fobs have no RFID details. So I scanned my key fob with an iCopy-X and found this:

EM Marin
EM410x 125kHz
UID 3B008F2FEA
Chipset X

Using the iCopy-X to sniff between the key fob and reader, I got this output, “TraceLen: 42259” but I’m not sure what that means exactly.

My understanding is that EM4100 chips are read-only, but I looked for EM4305 “writeable” key fobs online and ordered a few. When they arrived, I discovered they’re really T5577 fobs, and when I clone my original to them, this is the output:

EM Marin
EM410x 125kHz
UID 3B008F2FEA
Chipset T5577

As far as I can tell, the cloned fob should work, and it did, but only one time?! Now when I place it against the reader, nothing happens. I’ve tried cloning to the new fob again, but no dice. I can still read the correct UID from the cloned fob, so I don’t think it’s an issue with tearoff.

Right now I’m stuck and looking for help. If I make any progress, I’ll post updates.

Update: I figured out how to simulate the original key fob with the iCopy-X, and that works on the reader. So now I’m assuming that either a) the T5577 fobs I ordered aren’t working correctly, or b) the reader can tell they’re not really EM410x and is blocking them.

The next step would be to custom order an EM4100 with the UID, is that possible? Does anyone have any online store recommendations?

Some readers can detect T5577 chips, but this is a rare feature.

It does seem unlikely, yeah. I read elsewhere that some readers simply attempt to write to the chip, and if successful, the reader knows it’s not a genuine read-only EM4100 device. Simulating the UID works because the reader can’t write to the simulator (e.g. iCopy-X or Flipper Zero).

Would password-protecting the cloned T5577 chip prevent that? I’m not sure how to do that with my iCopy-X, but apparently I can connect it to my computer and run Proxmark3 commands. Researching now, any advice or suggestions are welcome.

EDIT: This is frustrating. I was going to use the T5577 Guide for adding a password, but in PC Mode, the iCopy-X doesn’t see the cloned fob as T55xx, it sees it as the EM410x it was cloned from.

lf em 410x_read
[+] EM410x pattern found

I would explore the EM4100 tear-off vulnerability. Using this hack, which is now supported by Proxmark3, you can change the normally read-only ID.

https://www.google.com/search?q=em4100+tear+off

From what I found it looks like EM4305 chips (not the T5577 chips I have) can be modified to “protect” the UID from tearoff events. I think I have a true EM4305 on its way from China, but I’m not sure when it will arrive in the mail. Even then, that writeup looks waaaaaay over my head.

SOLVED!

Too many variables weren’t adding up, so I grabbed a new T5577 fob and used the iCopy-X to create a new clone. And once again, it worked on the front door reader one time only. Clearly, the reader is doing something to these fobs, and I’m sure someone smarter than me could figure it out.

This led me to believe password-protecting the cloned fob is necessary. I went through the guide again but the recommended commands weren’t working. More suspicion. So I grabbed yet another new T5577 fob and put the iCopy-X in PC Mode to run the commands manually:

hw tune
lf em 410x_read
# clone the UID onto the fob (trailing 1 = target is a T55x7, not a T5555/Q5):
# lf em 410x_write [UID] 1
lf em 410x_write 3B008F2FEA 1
# store the password in block 7 (12345678 is only a placeholder, pick your own):
# lf t55xx write b 7 d [PW]
lf t55xx write b 7 d 12345678
lf t55xx dump
# enable password mode: take block 0 from the dump (00148040 for an EM410x clone),
# set bit 28 = PWD (bit 1 is the MSB in the T5577 datasheet, so this adds 0x10)
# lf t55xx write b 0 d [New HEX]
lf t55xx write b 0 d 00148050
# from here on, writes need the password: lf t55xx write b N d [HEX] p [PW]
# verify, first without and then with the password:
lf t55xx detect
lf t55xx detect p 12345678

This time the password protection worked as expected. I just tried the cloned fob on the door reader, and it worked more than once! Until I run into issues, I’ll assume I have my answer.

Lessons Learned

  • Don’t use the iCopy-X autocopy menu feature, use PC Mode with commands instead.
  • The iCopy form factor vs Proxmark3 RDV4 still justifies the price, I think.
  • Password-protect cloned fobs, in case the reader tries to break it.

This was a fun project, thanks to those who replied. I’ll leave this up for future inquisitive minds.

4 Likes
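As an added illustration of what the commands in the solved post actually write (this is example code, not from the thread or from the Proxmark3 project): the 64-bit EM410x frame that `lf em 410x_write` puts into T5577 blocks 1 and 2, the row and column parity a reader checks on it, and how the block-0 configuration word 00148040 becomes 00148050 when bit 28 (PWD) is set. Field positions follow the T5577 datasheet convention (bit 1 is the MSB of the 32-bit word); the UID is the one from the thread and 12345678 is the thread's placeholder password. The command strings at the end reproduce the older-syntax Proxmark3 commands used in the post.

```python
"""EM410x -> T5577 clone math (added example, not code from the thread)."""

# T5577 block-0 field layout, datasheet numbering (bit 1 = MSB of the 32-bit word)
BITRATE = {8: 0b000, 16: 0b001, 32: 0b010, 40: 0b011,
           50: 0b100, 64: 0b101, 100: 0b110, 128: 0b111}   # bits 12-14
MOD_MANCHESTER = 0b01000                                     # bits 16-20


def em410x_encode(uid_hex: str) -> tuple[int, int]:
    """Encode a 5-byte EM410x UID into the two 32-bit words stored in T5577 blocks 1 and 2.

    Frame: 9 header ones, 10 rows of (4 data bits + even row parity),
    4 even column parity bits, one stop bit (0)  ->  64 bits.
    """
    if len(uid_hex) != 10:
        raise ValueError("EM410x UID is 5 bytes / 10 hex digits")
    bits = [1] * 9
    col_parity = [0, 0, 0, 0]
    for nibble in (int(c, 16) for c in uid_hex):
        row = [(nibble >> s) & 1 for s in (3, 2, 1, 0)]      # MSB first
        bits += row + [sum(row) & 1]                         # data + row parity
        col_parity = [c ^ b for c, b in zip(col_parity, row)]
    bits += col_parity + [0]                                 # column parity + stop bit
    frame = int("".join(map(str, bits)), 2)
    return frame >> 32, frame & 0xFFFFFFFF


def em410x_decode(block1: int, block2: int) -> str:
    """Inverse of em410x_encode; raises ValueError on a bad header, stop or parity bit."""
    frame = (block1 << 32) | block2
    bits = [(frame >> (63 - i)) & 1 for i in range(64)]
    if bits[:9] != [1] * 9 or bits[63] != 0:
        raise ValueError("bad header or stop bit")
    nibbles, col_parity = [], [0, 0, 0, 0]
    for r in range(10):
        row = bits[9 + 5 * r: 13 + 5 * r]
        if sum(row) & 1 != bits[13 + 5 * r]:
            raise ValueError(f"row {r} parity error")
        col_parity = [c ^ b for c, b in zip(col_parity, row)]
        nibbles.append(int("".join(map(str, row)), 2))
    if col_parity != bits[59:63]:
        raise ValueError("column parity error")
    return "".join(f"{n:X}" for n in nibbles)


def is_valid_em410x(block1: int, block2: int) -> bool:
    """True if the two data blocks form a parity-correct EM410x frame."""
    try:
        em410x_decode(block1, block2)
        return True
    except ValueError:
        return False


def _field(value: int, first_bit: int, width: int) -> int:
    """Place value into the width-bit field whose MSB is datasheet bit first_bit."""
    shift = 32 - (first_bit + width - 1)
    return (value & ((1 << width) - 1)) << shift


def t5577_block0(rf_div: int = 64, modulation: int = MOD_MANCHESTER,
                 maxblock: int = 2, pwd: bool = False) -> int:
    """Build the T5577 block-0 config word; defaults give the EM410x clone value 00148040."""
    word = _field(BITRATE[rf_div], 12, 3)     # data bit rate RF/64
    word |= _field(modulation, 16, 5)         # Manchester
    word |= _field(maxblock, 25, 3)           # transmit blocks 1..2
    word |= _field(int(pwd), 28, 1)           # PWD bit: 0x10 when set
    return word


def pm3_commands(uid_hex: str, password: str) -> list[str]:
    """The older-syntax Proxmark3 command sequence from the thread, with block 0 computed."""
    return [
        f"lf em 410x_write {uid_hex} 1",
        f"lf t55xx write b 7 d {password}",
        f"lf t55xx write b 0 d {t5577_block0(pwd=True):08X}",
        f"lf t55xx detect p {password}",
    ]


if __name__ == "__main__":
    uid, pw = "3B008F2FEA", "12345678"        # thread UID; placeholder password
    b1, b2 = em410x_encode(uid)
    print(f"block 1 = {b1:08X}  block 2 = {b2:08X}  decodes to {em410x_decode(b1, b2)}")
    print(f"block 0 plain = {t5577_block0():08X}   with PWD = {t5577_block0(pwd=True):08X}")
    print("still valid after one flipped bit:", is_valid_em410x(b1, b2 ^ 1))
    print("\n".join(pm3_commands(uid, pw)))
```

Running it shows that a single flipped bit anywhere in the 64-bit frame fails the parity check a reader performs, which is why a torn or partially overwritten block 1 or 2 produces a fob that reads as "nothing" at the door even though the chip still responds.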

I’d be curious to see a before and after full dump of the t5577. (Maybe the reader is writing to it to try and intentionally break it?)

2 Likes

Hello! I also managed to password-protect a T5577 card after I found and read your article. I used to be able to copy my own key fob from my apartment building, but now Electra changed the device to a new one that still works with EM4100 chips, but my cloned ones didn’t work anymore.

So after reading around, found out that this could possibly be the issue: new keyfobs are “password-protected” or “read-only”. After using my proxmark with the same commands you used, I managed to clone and password protect my new card, but guess what…

The card doesn’t work on the new device… I can’t understand what I am missing. Do Electra key fobs have a new kind of security?

So there are some obscure features of the T5577 chip that include specific data on blocks not clonable from an EM41x to a T5577… however, the funny thing is, these features become moot if the fob issuer falls prey to the lure of using a T5577 chip themselves instead of a “real” EM410x chip.

Do an LF SEARCH on your fob, then LF T5 DETECT and see if it’s an actual T5577 chip. If it is, then you can use the password you obtained to do a full dump and write that dump to your target T5577 card… it should work then.

1 Like