Copying Your Schlage Key Fob: A Comprehensive Guide with Flipper Zero

Schlage key fobs are a popular choice for secure access control, often used in residential buildings and commercial spaces. If you’re looking to create a backup or understand how your Schlage key fob works, the Flipper Zero offers a powerful tool for copying its functionality. This guide will walk you through the process of duplicating your Schlage key fob using a Flipper Zero, ensuring you have a reliable spare or simply want to explore the technology behind it.

Understanding Schlage Key Fob Technology

Schlage key fobs, like many modern access control systems, often utilize dual-frequency technology for enhanced security and versatility. This means a single fob can operate on two different radio frequencies to interact with various systems. In many cases, Schlage fobs employ:

  • 125kHz RFID (Radio-Frequency Identification): This lower frequency is commonly used for proximity access, such as elevator controls or parking garage entry. RFID at 125kHz is a well-established technology for simple identification and access.
  • 13.56MHz NFC (Near-Field Communication): The higher frequency NFC is often used for door access and more secure entry points. NFC at 13.56MHz can support more complex data exchange and encryption protocols, such as Mifare.

Understanding these frequencies is crucial because you’ll need to handle each frequency component separately when copying your Schlage key fob with a Flipper Zero.

Firmware Version: A Critical Step for Success

Before you begin the copying process, it’s essential to ensure your Flipper Zero is running firmware version 0.79 or earlier. Firmware versions after 0.80 introduced a bug that prevents Schlage keys from being saved correctly, so downgrading your firmware to version 0.79 is a necessary step for successful Schlage key fob copying. Failing to do so can lead to frustration and wasted time.

Materials You Will Need

To copy your Schlage key fob, you will need the following materials:

  • Flipper Zero: This multi-tool device is the core of the copying process, capable of reading, emulating, and writing various radio frequencies and NFC protocols.
  • T5577 Tag: You’ll need a T5577 tag to clone the 125kHz RFID component of your Schlage key fob. These tags are rewritable and specifically designed for RFID emulation.
  • Magic Gen1a Tag (13.56MHz, Changeable UID): For the 13.56MHz NFC part, you’ll require a “magic” Gen1a tag. These tags are special NFC tags with a changeable UID (Unique Identifier), which is necessary for cloning Mifare-based NFC fobs. Look for tags advertised as “changeable UID” and compatible with 13.56MHz. They usually come in “1k” or “4k” memory sizes; “1k” should suffice for most Schlage key fobs.

Step-by-Step Guide to Copying Your Schlage Key Fob

Now, let’s proceed with the steps to copy your Schlage key fob. Remember to handle each frequency component separately.

1. Cloning the 125kHz RFID Component

The 125kHz RFID portion is generally straightforward to clone:

  1. Read the Original Fob: Use your Flipper Zero to read the 125kHz RFID signal from your Schlage key fob. Navigate to the RFID section on your Flipper Zero and use the “Read” function.
  2. Write to T5577 Tag: Once the Flipper Zero has read the RFID signal, take your T5577 tag and use the “Write” function in the RFID section of your Flipper Zero to write the captured data onto the T5577 tag.
  3. Test the T5577 Tag: Test the newly written T5577 tag on the 125kHz RFID reader (e.g., elevator control) to ensure it works correctly.

2. Cloning the 13.56MHz NFC Component: A More Detailed Process

Copying the 13.56MHz NFC part is slightly more involved, especially if your Schlage key fob uses Mifare Classic encryption, which is common. Here’s a breakdown:

  1. NFC Detection and Nonce Collection: Schlage key fobs often use Mifare Classic with Crypto1 encryption. To crack this encryption, you may need to collect “nonces” from your specific reader.
    • Use the “NFC Detect Reader” function on your Flipper Zero multiple times in proximity to your Schlage reader.
    • Simultaneously, use a phone app (like “Mifare Classic Tool” or similar “mfkey32” based apps, often found through Flipper Zero communities or forums) that can assist in decoding Mifare keys. The app and Flipper Zero work in conjunction to gather the necessary cryptographic information.
    • This process might require several attempts to gather enough nonces for successful decryption.
  2. Emulate and Verify: After collecting nonces, use the Flipper Zero’s “Emulate” function in the NFC section to emulate your Schlage key fob. Attempt to open your door or access point using the Flipper Zero emulation. You might need to try emulating multiple times and potentially repeat the nonce collection process until you achieve successful emulation. Some users report needing to try up to 32 keys or combinations before successful emulation. Patience is key here.
  3. Write to Magic Gen1a Tag: Once you have successfully emulated your Schlage key fob and confirmed it opens the intended access point while on firmware 0.79 or earlier, you can write the cloned data to your Magic Gen1a tag.
    • Navigate on your Flipper Zero to: Applications > NFC > NFC Magic > Write Gen1A.
    • Follow the prompts to write the currently emulated NFC data to your Magic Gen1a tag.
  4. Test the Magic Gen1a Tag: Finally, test your newly written Magic Gen1a tag on the 13.56MHz NFC reader to ensure it now functions as a copy of your original Schlage key fob.

[Image: Schlage key fob copy process using Flipper Zero and magic NFC tag for access control duplication.]

Important Considerations and Responsible Use

  • Mifare Crypto1 Assumption: This guide assumes your Schlage key fob uses Mifare Classic with Crypto1 encryption. If your fob uses a different or more advanced encryption, the copying process might be significantly more complex or even impossible with current Flipper Zero capabilities.
  • Firmware Downgrade: Again, remember the critical requirement of downgrading your Flipper Zero firmware to version 0.79 or earlier for reliable Schlage key saving.
  • Ethical and Legal Use: Duplicating key fobs should only be done for legitimate purposes, such as creating a backup for personal use or with explicit authorization from the system owner. Unauthorized duplication and use of key fobs can have legal and ethical consequences.
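A copy made this way carries the same ID and sector data as the original fob, so the reader itself cannot tell the two apart; what an access control system can still do is watch for usage that no single physical fob could produce. The following is an added example, not code from the original post: a small Python check over constructed reader logs (the reader names, walking times and credential IDs are invented) that flags a credential granted at two readers closer together in time than a person could have walked between them.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Event:
    ts: datetime
    credential: str  # credential ID as logged by the reader
    reader: str      # reader name

# Minimum walking time between reader pairs, in seconds (constructed values).
MIN_TRAVEL_SECONDS = {
    frozenset({"lobby-elevator", "unit-12b-door"}): 60,
    frozenset({"garage-gate", "unit-12b-door"}): 180,
}

def parse_log(lines):
    """Parse constructed log lines 'ISO-time,credential,reader,result'; keep grants only."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, cred, reader, result = line.split(",")
        if result == "GRANTED":
            events.append(Event(datetime.fromisoformat(ts), cred, reader))
    return sorted(events, key=lambda e: e.ts)

def find_impossible_travel(events):
    """Flag consecutive grants for one credential at two different readers that are
    closer in time than a person could walk between them (a clone shares the ID)."""
    last_seen = {}  # credential -> most recent granted Event
    findings = []
    for ev in events:
        prev = last_seen.get(ev.credential)
        if prev is not None and prev.reader != ev.reader:
            needed = MIN_TRAVEL_SECONDS.get(frozenset({prev.reader, ev.reader}), 0)
            gap = (ev.ts - prev.ts).total_seconds()
            if gap < needed:
                findings.append((ev.credential, prev.reader, ev.reader, gap))
        last_seen[ev.credential] = ev
    return findings

# Constructed sample: 0x4A3B1C is granted at the garage gate and a unit door 20 s apart.
SAMPLE_LOG = """\
2024-03-01T08:00:00,0x4A3B1C,garage-gate,GRANTED
2024-03-01T08:00:20,0x4A3B1C,unit-12b-door,GRANTED
2024-03-01T08:05:00,0x77E210,lobby-elevator,GRANTED
2024-03-01T08:06:30,0x77E210,unit-12b-door,GRANTED
2024-03-01T08:07:00,0x77E210,unit-12b-door,DENIED
""".splitlines()
```

Running `find_impossible_travel(parse_log(SAMPLE_LOG))` reports the 0x4A3B1C credential, which was accepted at two readers 20 seconds apart despite a 180-second walk between them; the second credential's 90-second gap is within its 60-second minimum and is not flagged.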

Conclusion

Copying your Schlage key fob using a Flipper Zero is achievable, albeit with some technical steps, especially for the 13.56MHz NFC component. By following this guide, ensuring you have the correct firmware, and using the appropriate materials, you can create a functional copy. Consider this process as an educational exploration of access control technology and always use your knowledge responsibly.

A request from the original author: If you found this guide helpful, please consider a donation of $25 to the SPCA or perform an equivalent act of kindness.
