Help to clone EM410x to T5577

Hello.
0) I have a door lock “Cisa E-volution”. It can be opened via normal metal key or via RFID token.

  1. I have scanned RFID and it seems to be “EM410x” type.
  2. I have cloned to T5577 chip and T5577 card
  3. … but clones DO NOT open the door.
  4. However Flipper Zero can emulate EM410x and lock is opened.

What am I missing in the clone process?

“Original rfid” scan:

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 04184EDCBA
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 2018723B5D
[=] HoneyWell IdentKey
[+] DEZ 8 : 05168314
[+] DEZ 10 : 0407821498
[+] DEZ 5.5 : 06222.56506
[+] DEZ 3.5A : 004.56506
[+] DEZ 3.5B : 024.56506
[+] DEZ 3.5C : 078.56506
[+] DEZ 14/IK2 : 00017587690682
[+] DEZ 15/IK3 : 000137849092957
[+] DEZ 20/ZK : 02000108070203110513
[=]
[+] Other : 56506_078_05168314
[+] Pattern Paxton : 73603770 [0x4631ABA]
[+] Pattern 1 : 9301101 [0x8DEC6D]
[+] Pattern Sebury : 56506 78 5168314 [0xDCBA 0x4E 0x4EDCBA]
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn’t identify a chipset

=====

“Clone scan”

[usb] pm3 --> lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags…
[=]
[+] EM 410x ID 04184EDCBA
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
[+] Unique TAG ID : 2018723B5D
[=] HoneyWell IdentKey
[+] DEZ 8 : 05168314
[+] DEZ 10 : 0407821498
[+] DEZ 5.5 : 06222.56506
[+] DEZ 3.5A : 004.56506
[+] DEZ 3.5B : 024.56506
[+] DEZ 3.5C : 078.56506
[+] DEZ 14/IK2 : 00017587690682
[+] DEZ 15/IK3 : 000137849092957
[+] DEZ 20/ZK : 02000108070203110513
[=]
[+] Other : 56506_078_05168314
[+] Pattern Paxton : 73603770 [0x4631ABA]
[+] Pattern 1 : 9301101 [0x8DEC6D]
[+] Pattern Sebury : 56506 78 5168314 [0xDCBA 0x4E 0x4EDCBA]
[+] VD / ID : 004 / 0407821498
[=] ------------------------------------------------

[+] Valid EM410x ID found!

[=] Couldn’t identify a chipset
[usb] pm3

=========

I have a Proxmark, bought from dt, and quite fresh software:

MCU....... AT91SAM7S512 Rev B
Memory.... 512 Kb ( 60% used )

Client.... Iceman/master/v4.16191-54-g3ee7ac325 2023-02-12 22:17:05
Bootrom... Iceman/master/v4.16191-54-g3ee7ac325 2023-02-12 22:16:03
OS........ Iceman/master/v4.16191-54-g3ee7ac325 2023-02-12 22:16:23
Target.... PM3 GENERIC

====

Probably I must tell the T5577 to get into some special state?!
Once again, to summarize: I have several different T5577s and all are “ignored” by the lock. But the Flipper can emulate.

Please give me some ideas 🙂
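
The `lf search` output above prints one 40-bit ID in several representations. As an added example (not part of the original posts and not Proxmark3 code), this Python sketch recomputes those lines from the `EM 410x ID` value and builds the 64-bit frame an EM410x tag transmits, which helps when checking which representation a given hex value is. The function names are assumptions chosen for illustration.

```python
# Added example: recompute the lines `lf search` prints for an EM410x ID.

def _check(em_id: str) -> int:
    """Validate a 40-bit ID given as 10 hex digits and return it as an int."""
    if len(em_id) != 10:
        raise ValueError("EM410x ID must be exactly 10 hex digits")
    return int(em_id, 16)

def unique_tag_id(em_id: str) -> str:
    """'Unique TAG ID' line: each byte of the ID with its bit order mirrored."""
    _check(em_id)
    mirrored = (int(f"{b:08b}"[::-1], 2) for b in bytes.fromhex(em_id))
    return bytes(mirrored).hex().upper()

def dez_formats(em_id: str) -> dict:
    """Decimal renderings of slices of the same 40 bits."""
    n = _check(em_id)
    low16 = f"{n & 0xFFFF:05d}"
    return {
        "DEZ 8": f"{n & 0xFFFFFF:08d}",
        "DEZ 10": f"{n & 0xFFFFFFFF:010d}",
        "DEZ 5.5": f"{(n >> 16) & 0xFFFF:05d}.{low16}",
        "DEZ 3.5A": f"{(n >> 32) & 0xFF:03d}.{low16}",
        "DEZ 3.5B": f"{(n >> 24) & 0xFF:03d}.{low16}",
        "DEZ 3.5C": f"{(n >> 16) & 0xFF:03d}.{low16}",
    }

def em410x_frame(em_id: str) -> str:
    """64-bit frame: 9 header ones, 10 rows of (4 data bits + even row
    parity), 4 even column-parity bits, then a 0 stop bit."""
    _check(em_id)
    rows = [[int(c) for c in f"{int(h, 16):04b}"] for h in em_id]
    bits = [1] * 9
    for row in rows:
        bits += row + [sum(row) % 2]
    bits += [sum(col) % 2 for col in zip(*rows)]
    bits.append(0)
    return "".join(map(str, bits))

if __name__ == "__main__":
    tag = "04184EDCBA"  # the 'EM 410x ID' value from the scan above
    print("Unique TAG ID :", unique_tag_id(tag))
    for name, value in dez_formats(tag).items():
        print(f"{name:9}: {value}")
    print("frame         :", em410x_frame(tag))
```
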

What types of T5577 do you have?

Did you try to write to them with the flipper?

Rather than emulate, just use write.
Then try it on the lock.
If it's a card, it SHOULD work
If it's a fob, it COULD work
If it's an implant, it MIGHT work

Let's see how that goes. If you can get the Flipper to successfully write to a card, then we can try and help get others working.

If you want to try your Proxmark, try something like

lf em 410x clone --id your id goes here

Hi,

  1. First: T5577 card “white plastic” that comes with the Proxmark
  2. Second: T5577 in keyfob format, that I have. It is from a bunch, and typically works normally in some other cases (I have cloned 100+ cards on similar fobs so far)

Sure, I have written to them, but the lock just ignores them.

Yes, the command is:

pm3 --> lf em 410x clone --id 2018723B5D

Tried that way too. The Flipper successfully writes to the card/fob. But the lock still ignores it.

Without sniffing the interaction between door lock and transponder it would be hard to get a sense of what’s going on here, but my hunch is that it has to do with some additional checks beyond just the ID the lock is doing to actively ward off clones. In particular there are ways to actively probe if you are talking to a T5577 chip or not.

The Flipper has the luxury of controlling exactly how to output the data to the reader, and therefore can perfectly emulate an EM410x chip and ignore T5577 probes.

Hi @amal, how would I know if the reader is performing this check? I cloned an EM410x 125 kHz fob to a T5577 fob and it worked on my apartment door reader one time; now the reader doesn’t appear to recognize it. I tried cloning it again, but nothing.

The only difference I can see is the Chipset X vs Chipset T5577 (the UID is correctly cloned, both are registered as “EM Marin” fobs).

You’d probably have to sniff the LF traffic to know for sure. Not sure the Proxmark3 can do that with full demod… you might have to get into the weeds with manual signal processing or ask Iceman.

Thanks for responding so quickly. I have an iCopy-X, which has sniffing capability, though I don’t know how that’s physically done, or what output I need to look for.