We have known that the cheaper RFID technologies were pretty insecure for a number of years. Researchers have demonstrated cloners of all varieties, but simple RFID tags are still being used for access control. Even my current employer uses them.
A while ago, I was looking at Hack A Day, and I saw an amazing project that somebody had made. It was an RFID card with a keypad on it. For the next couple of days, I couldn't get the image of the card out of my mind; the project reminded me of how much I wanted to build a RFID spoofer myself. The original author didn't release source code for their project, but they left enough clues that I could follow.
So, in typical fashion, I built my own reader hardware so I could have a look at the data from a card, and created my own version of the Universal RFID key.
The key I made works beautifully both on my garage door, as well as a number of other RFID readers I have tried!
I have decided to publish this, as more people should be aware of the design flaws that are inherent in older RFID implementations, and to allow others to make their own universal key.
Will this key let you into anybodies RFID protected office? Yes it will, assuming a couple of things are true
1) The have to be using 125kHz RFID tags that use the same encoding standard as I have designed this project for, and,
2) You have to have access to the number printed on the back of the tag - with that number, you can simply key it into the Universal RFID key, and it will emulate that tag.
So there you go - I hope you enjoy making this project. - And remember, with great power comes great responsibility!
Remove these ads by
Signing UpStep 1How does RFID work?
125 kHz RFID tags are commonly encased in a business card sized piece of plastic, or a round disk. The tag consists of a coil of wire, connected to a microchip. When the tag is brought into close proximity to a reader, energy is coupled inductively from the reader to the microchip within the tag.
The energy from the reader has dual use; firstly, it provides power to run the card, and secondly, it provides a communication medium for data to be transmitted. Once powered up, the tag modulates the bit pattern that is programmed into the tag using a signal that the reader can detect. The reader then reads this bit pattern, and passes it onto the door controller. If the bit pattern matches one that is authorised, the door will be unlocked. If the bit pattern does not match an authorised one, then the door won't unlock.
In the RFID system I was playing with, the bit pattern looked like this;
1111111110010111000000000000001111100010111110111101001111010000
I will describe what this pattern actually means in the next page.
One interesting feature of the data transfer between the card and the reader, is that data is encoded using Manchester Encoding, which is a way of encoding data so that it can be transmitted over a single wire ensuring that the clock information is able to be recovered easily. With Manchester encoding, there is always a transition in the middle of a bit. If you want to transmit a 1, the transition would be from low to high, and if you want to transmit a 0, the transition would from from high to low. Because the transitions are in the middle of each bit, you can ensure that you have locked onto valid data. For a detailed description, have a look a this page.
The actual data is transmitted by the card effectively shorting the coil out - this applies an additional load to the transmitter in the reader, which can be detected.
| « Previous Step | Download PDFView All Steps | Next Step » |















































Sorry about so many question.
1) The two small circle labeled as vcc connect directly to the positive of the battery which is also the connection 1 on P1.
2) I got caps that have polarity or C3 and C5, C3's positive toward the vcc circle, and C5's positive toward connection 1 on P2.
Are both of them sound right?
Thanks!
Power ON
Pin3 LED ON
Push Mode
>>Pin3 LED ON
Push Mode
Pin2 and Pin3 LED ON
Push Mode
Pin3 and Pin4 LED ON
Push Mode
Pin2, Pin3, and Pin4 LED ON
Push Mode
Pin2 and Pin3 LED ON
Push Mode
Back to >>
As you can see, Pin3 is always on, I'm guessing that is some to do with the fact that its TX pin.
Also for some reason, Pin2 LED only light up faintly, probably because I'm using a really bright LED so the Atmega don't have enough juice to power that?
(I'm using the same LED through out the board)
Last, Pin5 LED never light up :/
And - you are right with serial enabled then you will have the TX pin on all the time - I normally disable the serial interface.
Doug
(I actually just upload the sketch to my UNO, unplug the atmega and use it directly)
Doug
It works like a charm. Of course it's not using an Atmega, but maybe the datasheets help you.
I'd love to help but I'm afraid I'm way too new to electronics.
The receiver was based on the microchip design notes.
Send me your email to doug@doughq.com - and I will send you the code I have.
Remember that it isn't a competed project - I just built it enough to get me the data I was looking for.
my email id : francisroan@gmail.com
I've read the post 50 times and I can seam to grasp it. HOw did you connect the antenna to the board? Do you think it's possible to buy an antenna online ?
Thanks
We want to play a prank on our school next year after our finals.
Our teachers use a RFIDtag to gain access to the parking lot. Once you checked in at the gate, you NEED to check out again before you can get in again.
We want to make a brute force RFID spoofer, to check all the possible cards OUT, so they can't get in.
They'll all need to get out of their cars and check out first.
But to try all the codes,
You need 2^(44) = 1.73*10^13 combinations
Or am I wrong on this? Because that's a damn lot of numbers.....
It's more fun and cheaper than smashing the reader to pieces. :)
and is that a microcontroller there??? can a arduino be used instead if u got frm a website pls tell that too!!
thanks
Thanks
sincerely, Artem
mordashov_artem@mail.ru
Thanks in advance,
I'm starting to draw the diagram in EAGLE with mostly through hole components.
On your schematic, on the top left corner, there's a CONN_2 (P1). What is it ? What does it do? And is it necessary? Will share once done. Thank you.
You should make a reader built in the spoofer, so you just scan an RFID tag which it would then spoof. For example, you scan the tag which unlocks your garage door, then the microcontroller will remember that tag and spoof it.
http://www.arduino.cc/playground/Code/ID12