RFID projects have been pretty prominent recently, ranging from projects here in Instructables, to our local Silicon Chip magazine in Australia publishing a RFID door lock project in their November issue.  Even I recently purchased a RFID door lock on eBay for $15 to lock my garage (so my front neighbor could get tools if he wanted to).

We have known that the cheaper RFID technologies were pretty insecure for a number of years.  Researchers have demonstrated cloners of all varieties, but simple RFID tags are still being used for access control.  Even my current employer uses them.

A while ago, I was looking at Hack A Day, and I saw an amazing project that somebody had made.  It was an RFID card with a keypad on it.  For the next couple of days, I couldn't get the image of the card out of my mind;  the project reminded me of how much I wanted to build a RFID spoofer myself.  The original author didn't release source code for their project, but they left enough clues that I could follow. 

So, in typical fashion,  I built my own reader hardware so I could have a look at the data from a card, and created my own version of the Universal RFID key.

The key I made works beautifully both on my garage door, as well as a number of other RFID readers I have tried!

I have decided to publish this, as more people should be aware of the design flaws that are inherent in older RFID implementations, and to allow others to make their own universal key.

Will this key let you into anybody's RFID protected office?  Yes it will, assuming a couple of things are true:

  1)  They have to be using 125 kHz RFID tags that use the same encoding standard that I have designed this project for, and,
  2)  You have to have access to the number printed on the back of the tag - with that number, you can simply key it into the Universal RFID key, and it will emulate that tag.

So there you go - I hope you enjoy making this project.  - And remember, with great power comes great responsibility!

Step 1: How does RFID work?

RFID, or Radio Frequency IDentification, is the term used to describe a wide variety of standards that allow data stored within electronic 'tags' to be read by a reader without using wires.  There are a number of standards, encoding formats, and frequencies in common use.  I will describe the 125 kHz standard that is common for access control mechanisms.

125 kHz RFID tags are commonly encased in a business card sized piece of plastic, or a round disk.  The tag consists of a coil of wire, connected to a microchip.  When the tag is brought into close proximity to a reader, energy is coupled inductively from the reader to the microchip within the tag. 

The energy from the reader has a dual use: firstly, it provides power to run the card, and secondly, it provides a communication medium for data to be transmitted.  Once powered up, the tag modulates the bit pattern that is programmed into the tag using a signal that the reader can detect.  The reader then reads this bit pattern and passes it on to the door controller.  If the bit pattern matches one that is authorised, the door will be unlocked.  If the bit pattern does not match an authorised one, then the door won't unlock.

In the RFID system I was playing with, the bit pattern looked like this:

1111111110010111000000000000001111100010111110111101001111010000

I will describe what this pattern actually means on the next page.

One interesting feature of the data transfer between the card and the reader is that data is encoded using Manchester Encoding, which is a way of encoding data so that it can be transmitted over a single wire while ensuring that the clock information can be recovered easily.  With Manchester encoding, there is always a transition in the middle of a bit.  If you want to transmit a 1, the transition is from low to high, and if you want to transmit a 0, the transition is from high to low.  Because the transitions are in the middle of each bit, you can ensure that you have locked onto valid data.  For a detailed description, have a look at this page.
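As an added worked example (my own code, not the author's Arduino sketch, which is not on this page), the following C program applies the Manchester convention described above to the 64-bit pattern shown earlier: it encodes each data bit as two half-bit levels, decodes the stream back, and demonstrates the point about locking onto valid data: a bit cell with no mid-bit transition can never occur in valid Manchester data, so a receiver that pairs the half-bits one position out of phase, or sees a corrupted half-bit, detects the problem instead of silently producing wrong bits. Function names and the flipped-level fault are my own constructions.

```c
#include <stdio.h>
#include <string.h>

/* The 64-bit pattern the article shows being read from its test card. */
static const char CARD_PATTERN[] =
    "1111111110010111000000000000001111100010111110111101001111010000";

/* Manchester encode per the convention stated in the article: a 1 is a
 * low-to-high transition in the middle of the bit cell, a 0 is high-to-low,
 * so every data bit becomes two half-bit levels.
 * Returns the number of levels written (2 per bit). */
size_t manchester_encode(const char *bits, unsigned char *levels, size_t max_levels)
{
    size_t n = 0;
    for (const char *p = bits; *p != '\0' && n + 2 <= max_levels; p++) {
        if (*p == '1') { levels[n++] = 0; levels[n++] = 1; }  /* low  -> high */
        else           { levels[n++] = 1; levels[n++] = 0; }  /* high -> low  */
    }
    return n;
}

/* Decode half-bit levels, pairing them up starting at 'offset', into an
 * ASCII bit string. Valid Manchester data always has a transition in the
 * middle of each cell, so two equal halves mean the receiver is either not
 * aligned to the bit boundaries or the stream is corrupt; decoding stops and
 * -1 is returned. Otherwise the number of decoded bits is returned. */
int manchester_decode(const unsigned char *levels, size_t n_levels, size_t offset,
                      char *out, size_t out_size)
{
    size_t nbits = 0;
    for (size_t i = offset; i + 1 < n_levels && nbits + 1 < out_size; i += 2) {
        if (levels[i] == levels[i + 1]) {        /* no mid-bit transition */
            out[nbits] = '\0';
            return -1;
        }
        out[nbits++] = (levels[i] == 0) ? '1' : '0';  /* 0->1 is a 1, 1->0 is a 0 */
    }
    out[nbits] = '\0';
    return (int)nbits;
}

/* Round trip the card pattern: encoding then decoding at the correct phase
 * must give the pattern back, and decoding one half-bit out of phase must be
 * rejected the first time the data changes value (here at the 1->0 change
 * after the nine leading ones). Returns 1 on success, 0 otherwise. */
int demo_roundtrip(void)
{
    unsigned char levels[128];
    char aligned_out[65], shifted_out[65];
    size_t n = manchester_encode(CARD_PATTERN, levels, sizeof levels);
    int aligned = manchester_decode(levels, n, 0, aligned_out, sizeof aligned_out);
    int shifted = manchester_decode(levels, n, 1, shifted_out, sizeof shifted_out);
    return n == 128 && aligned == 64 &&
           strcmp(aligned_out, CARD_PATTERN) == 0 && shifted == -1;
}

/* Constructed fault: flip a single half-bit level of the encoded card
 * pattern and decode at the correct phase. The damaged cell has two equal
 * halves, so the decoder returns -1 whichever level is flipped. */
int demo_corruption(size_t flipped_level)
{
    unsigned char levels[128];
    char out[65];
    size_t n = manchester_encode(CARD_PATTERN, levels, sizeof levels);
    if (flipped_level < n)
        levels[flipped_level] ^= 1;
    return manchester_decode(levels, n, 0, out, sizeof out);
}

int main(void)
{
    unsigned char levels[128];
    char decoded[65];
    size_t n = manchester_encode(CARD_PATTERN, levels, sizeof levels);

    printf("data bits : %s\n", CARD_PATTERN);
    printf("half-bits : ");
    for (size_t i = 0; i < n; i++)
        putchar('0' + levels[i]);
    putchar('\n');

    int r = manchester_decode(levels, n, 0, decoded, sizeof decoded);
    printf("aligned   : %d bits -> %s\n", r, decoded);
    r = manchester_decode(levels, n, 1, decoded, sizeof decoded);
    printf("shifted   : %d (no mid-bit transition seen: not locked on)\n", r);
    printf("round trip ok: %d, corrupted stream rejected: %d\n",
           demo_roundtrip(), demo_corruption(40) == -1);
    return 0;
}
```

The decoder deliberately stops at the first cell without a transition rather than guessing the bit; on a real reader that is the cue to slip the sampling phase by half a bit and try again, which is how the receiver recovers the clock from the data itself.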

The actual data is transmitted by the card effectively shorting the coil out - this applies an additional load to the transmitter in the reader, which can be detected.
sorry for that, it was for my friend's birthday gift, not a school project
so, is this basically the technology used by thieves to steal people's credit card info remotely??
This guy is a pretty well known electrical engineer that explains rfid theft/protections pretty well: https://www.youtube.com/watch?v=kp63MZ6RudE
Basically, it's a reader for id chips which includes but is not limited to credit/debit cards. Simply owning or using such a device on a stranger is most likely illegal in all states, but is a useful tool in discovering someone's identity, for example. This nation (U.S.) was founded on the principle of overthrowing any government which condemned the people from the freedoms of the constitution. We are thereby granted the right by the founding fathers to hold equal technology and protection against any government. Anyone who otherwise affects these freedoms should be imprisoned and/or deported for treason against the American people.
Hope not...
WOW!
This is a good project and a great article! Very well written and documented. I'm surely going to build one when I find some time. Thanks!
By any chance would anyone be selling one of these? I would love one of these but don't have the patience, so I would happily buy one.
Just to add, this is to test my home locks. I have 4 on RFID, and well, this key looks much better than a white card for when I have gloves on; my xEM implant won't read through a leather glove for obvious reasons.
I'll make you one, email me at aereadnos@live.com (:
nice one :)
What about placing an RFID reader into the existing RFID so it keeps a log of all scanned cards? You can then enter them into the emulator, and when someone figures you out you can just switch to a different number.
"2) You have to have access to the number printed on the back of the tag - with that number, you can simply key it into the Universal RFID key, and it will emulate that tag." - or you can brush past them and sniff their card with an RFID reader, as is being done en masse nowadays: http://news.softpedia.com/news/new-device-sold-on-the-dark-web-can-clone-up-to-15-contactless-cards-per-second-505200.shtml
Man you look just like Flynn in the movie TRON with that
Is there already a solution that pairs RSA hash generation with RFID?
Very interesting idea. I wonder if you could use it to set up one-time-use RFIDs. So preload a list of 1000 ids (or a non-linear sequence), and each time you use it, that one is removed from being valid. They would be pre-known on the reader side. Unlike rolling codes in the garage door, there is no reset code.
This is great. If it could be made smaller and rugged, and with a way of "spitting" more codes, stored before, at a press of a switch, a dream. I'm a careless person and I kill around 4-6 RFID tokens / year; the dumb thing is, sometimes I get them not working on Saturday or Sunday :P
Nice
can we make a pcb antenna on the back side?
SMD component sizes please?
Hello drj113. I am trying to use this page to make the key. Can you list all the things you used in this project? Thanks.
bottom right*
I also want to ask, how did you program the microcontroller? Do I need to buy an Arduino Duemilanove? And what is that green thing at the bottom left?
Awesome, bro. For us to enter the data, we must know what data it should accept, and for that we have to know the data... Instead, we could change the emulator into a reader and emulator, as well as a keypad, meaning we would have the chance to know what data they are using and emulate the same through our circuit.
that is great. I want to make it for myself
Theoretically, could you write the code so that it runs through every possible rfid code combination (similar to a password hacking program) until one of them works, or are there too many combinations for that to be efficient?
Assuming a standard 18-number code for a lock, there would be 158,789,030,400 possible combinations to it. An RFID reader, on average, takes 5 seconds to register a card, verify its credibility, and reset the lock for a different pass code. It would take 25,559 years to enter all of the possible codes into the lock. Technically, it's possible, but not entirely feasible.
When I was playing with this project, I found it easier to stand beside people, reading their cards, and then programming this card to duplicate theirs. I never implemented a rolling code as it would take too long.
I bought a RFIDler at Derbycon a couple of weeks ago and am having trouble getting started with it. I really wish someone would make an instructable for one of those.
Hi. Sorry for bad English. Noticed some mistakes. The diagram shows an ATmega8 microcontroller; in the article you say that an ATmega168 was mounted on the board, but in the image of the finished board I see an ATmega328 installed. I understand that the project is suitable for both the mega168 and the mega328, but on the schematic the ATmega8 microcontroller will not work and it is misleading. Please correct the error, or specify exactly what MCU you used. Thank you!
It is interesting that *ANY* of the actual encoded number was printed on the card itself. Twenty years ago I was designing systems that used the original Wiegand cards (the protocol that the cards use, 36 bit) and they had protocols that ensured that the printed numbers in no way matched the encoded numbers. It is not unusual that the facility code is not printed on the cards. - RJ
Yea - I would have thought that Security 101 would be to not disclose the numbering... But sadly, in 3 samples that I have decoded thus far, that simply isn't the case.
hi, excellent project there... but I have a few questions. 1- I have a card with the number on the back; I can decode most of the portion of the number, but how do I find the facility code? And the total number of bits, including the starting bits and the ending bits? 2- I don't have the card reader, so how can I see the bit pattern sent by that RFID card? 3- is there any way I can receive the whole bit stream sent by my rfid card?
Cool - Thanks for the questions. The only way of getting the facility code is to read a card. It is rarely printed on the card itself. The only way to see the bit pattern is using a card reader. I built my own - there are lots of simple designs.
Hey thanks for the reply, but I wanted to know how I can build a card reader (without using any module) using only microcontrollers (PIC, AVR etc) and stuff. Can u give me a link to it? And just wondering if an 8051 can be used in making the reader?
helo? u there?
Sorry for the late reply, I was away. You can certainly use an 8051 to read a card - You have to build all of the electronics yourself though. Here is a link to a project that I found helpful: http://www.proxclone.com/reader_cloner.html Sorry, but my reader is not a completed project that is at the stage where it can be released as an Instructable.
I'm experimenting with the RFID, with my little knowledge ^ ^'. Please help me compare your design using a diode bridge and some other design using a transistor (like this one: http://www.instructables.com/id/Stupid-Simple-Arduino-LF-RFID-Tag-Spoofer/?ALLSTEPS). What is the difference (pros/cons)? I see that using a transistor is simpler, but I don't know if there is any trade-off? Thanks for your contribution :D
That is an interesting way of doing it. The thing to consider is that the output of the micro already has a transistor anyway... So this is simply duplication.
Should the windings and diodes alone be read by the reader, or does it need to be connected to the Arduino for anything to happen? I built the 100 windings with the diodes and resistor and nothing is happening. I'm pretty sure that is to be expected, but I just wanted to be sure. Thanks!!!
OK, got the program opened and verified. I made an Arduino device that reads #bits, facility code, and card number from any Wiegand card. I'm going to use your instructions to prove to my boss (I'm in the security installation business) that Wiegand can be hacked and copied very easily. This will get our customers to move to newer and more advanced technologies.
Hit enter far too soon. Well done, it works beautifully against the Chinese card systems that are prevalent.
I tried that. The Arduino IDE just opens it with one REALLY long line. Would you be willing to email it to me? t.c.roth@sbcglobal.net. If not, I will try to enter it manually.
done :-)
This is an awesome project! But I can't download the Arduino sketch, it just opens as a text document. Any reason why?
It is a problem with instructables - Just save the text document as a .pde file
RFIDSpoofer_Instructables:3: error: expected constructor, destructor, or type conversion before '<' token
RFIDSpoofer_Instructables:90: error: 'ROWS' was not declared in this scope
RFIDSpoofer_Instructables:108: error: 'ROWS' was not declared in this scope
RFIDSpoofer_Instructables:123: error: 'Keypad' does not name a type
RFIDSpoofer_Instructables.pde: In function 'void setup()':
RFIDSpoofer_Instructables:147: error: 'EEPROM' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void PowerDown()':
RFIDSpoofer_Instructables:375: error: 'SLEEP_MODE_PWR_DOWN' was not declared in this scope
RFIDSpoofer_Instructables:375: error: 'set_sleep_mode' was not declared in this scope
RFIDSpoofer_Instructables:376: error: 'sleep_enable' was not declared in this scope
RFIDSpoofer_Instructables:377: error: 'sleep_mode' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void LoadFacility()':
RFIDSpoofer_Instructables:431: error: 'NO_KEY' was not declared in this scope
RFIDSpoofer_Instructables:434: error: 'keypad' was not declared in this scope
RFIDSpoofer_Instructables:470: error: 'EEPROM' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void LoadCardID()':
RFIDSpoofer_Instructables:491: error: 'NO_KEY' was not declared in this scope
RFIDSpoofer_Instructables:494: error: 'keypad' was not declared in this scope
RFIDSpoofer_Instructables:533: error: 'EEPROM' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void loop()':
RFIDSpoofer_Instructables:571: error: 'keypad' was not declared in this scope
RFIDSpoofer_Instructables:573: error: 'NO_KEY' was not declared in this scope
it looks like you have not loaded the keypad or eeprom library. Also - what version of the Arduino software are you using?