RFID projects have been pretty prominent recently, ranging from projects here in Instructables, to our local Silicon Chip magazine in Australia publishing a RFID door lock project in their November issue. Even I recently purchased a RFID door lock on eBay for $15 to lock my garage (so my front neighbor could get tools if he wanted to).
We have known that the cheaper RFID technologies were pretty insecure for a number of years. Researchers have demonstrated cloners of all varieties, but simple RFID tags are still being used for access control. Even my current employer uses them.
A while ago, I was looking at Hack A Day, and I saw an amazing project that somebody had made. It was an RFID card with a keypad on it. For the next couple of days, I couldn't get the image of the card out of my mind; the project reminded me of how much I wanted to build a RFID spoofer myself. The original author didn't release source code for their project, but they left enough clues that I could follow.
So, in typical fashion, I built my own reader hardware so I could have a look at the data from a card, and created my own version of the Universal RFID key.
The key I made works beautifully both on my garage door, as well as a number of other RFID readers I have tried!
I have decided to publish this, as more people should be aware of the design flaws that are inherent in older RFID implementations, and to allow others to make their own universal key.
Will this key let you into anybodies RFID protected office? Yes it will, assuming a couple of things are true
1) The have to be using 125kHz RFID tags that use the same encoding standard as I have designed this project for, and,
2) You have to have access to the number printed on the back of the tag - with that number, you can simply key it into the Universal RFID key, and it will emulate that tag.
So there you go - I hope you enjoy making this project. - And remember, with great power comes great responsibility!
We have known that the cheaper RFID technologies were pretty insecure for a number of years. Researchers have demonstrated cloners of all varieties, but simple RFID tags are still being used for access control. Even my current employer uses them.
A while ago, I was looking at Hack A Day, and I saw an amazing project that somebody had made. It was an RFID card with a keypad on it. For the next couple of days, I couldn't get the image of the card out of my mind; the project reminded me of how much I wanted to build a RFID spoofer myself. The original author didn't release source code for their project, but they left enough clues that I could follow.
So, in typical fashion, I built my own reader hardware so I could have a look at the data from a card, and created my own version of the Universal RFID key.
The key I made works beautifully both on my garage door, as well as a number of other RFID readers I have tried!
I have decided to publish this, as more people should be aware of the design flaws that are inherent in older RFID implementations, and to allow others to make their own universal key.
Will this key let you into anybodies RFID protected office? Yes it will, assuming a couple of things are true
1) The have to be using 125kHz RFID tags that use the same encoding standard as I have designed this project for, and,
2) You have to have access to the number printed on the back of the tag - with that number, you can simply key it into the Universal RFID key, and it will emulate that tag.
So there you go - I hope you enjoy making this project. - And remember, with great power comes great responsibility!
Remove these ads by
Signing UpStep 1: How does RFID work?
RFID, or Radio Frequency IDentification is the term used to describe a wide variety of standards that allow data stored within electronic 'tags' to be read by a reader without using wires. There are a number of standards, encoding formats, and frequencies in common use. I will describe the 125 kHz standard that is common for access control mechanisms.
125 kHz RFID tags are commonly encased in a business card sized piece of plastic, or a round disk. The tag consists of a coil of wire, connected to a microchip. When the tag is brought into close proximity to a reader, energy is coupled inductively from the reader to the microchip within the tag.
The energy from the reader has dual use; firstly, it provides power to run the card, and secondly, it provides a communication medium for data to be transmitted. Once powered up, the tag modulates the bit pattern that is programmed into the tag using a signal that the reader can detect. The reader then reads this bit pattern, and passes it onto the door controller. If the bit pattern matches one that is authorised, the door will be unlocked. If the bit pattern does not match an authorised one, then the door won't unlock.
In the RFID system I was playing with, the bit pattern looked like this;
1111111110010111000000000000001111100010111110111101001111010000
I will describe what this pattern actually means in the next page.
One interesting feature of the data transfer between the card and the reader, is that data is encoded using Manchester Encoding, which is a way of encoding data so that it can be transmitted over a single wire ensuring that the clock information is able to be recovered easily. With Manchester encoding, there is always a transition in the middle of a bit. If you want to transmit a 1, the transition would be from low to high, and if you want to transmit a 0, the transition would from from high to low. Because the transitions are in the middle of each bit, you can ensure that you have locked onto valid data. For a detailed description, have a look a this page.
The actual data is transmitted by the card effectively shorting the coil out - this applies an additional load to the transmitter in the reader, which can be detected.
125 kHz RFID tags are commonly encased in a business card sized piece of plastic, or a round disk. The tag consists of a coil of wire, connected to a microchip. When the tag is brought into close proximity to a reader, energy is coupled inductively from the reader to the microchip within the tag.
The energy from the reader has dual use; firstly, it provides power to run the card, and secondly, it provides a communication medium for data to be transmitted. Once powered up, the tag modulates the bit pattern that is programmed into the tag using a signal that the reader can detect. The reader then reads this bit pattern, and passes it onto the door controller. If the bit pattern matches one that is authorised, the door will be unlocked. If the bit pattern does not match an authorised one, then the door won't unlock.
In the RFID system I was playing with, the bit pattern looked like this;
1111111110010111000000000000001111100010111110111101001111010000
I will describe what this pattern actually means in the next page.
One interesting feature of the data transfer between the card and the reader, is that data is encoded using Manchester Encoding, which is a way of encoding data so that it can be transmitted over a single wire ensuring that the clock information is able to be recovered easily. With Manchester encoding, there is always a transition in the middle of a bit. If you want to transmit a 1, the transition would be from low to high, and if you want to transmit a 0, the transition would from from high to low. Because the transitions are in the middle of each bit, you can ensure that you have locked onto valid data. For a detailed description, have a look a this page.
The actual data is transmitted by the card effectively shorting the coil out - this applies an additional load to the transmitter in the reader, which can be detected.
Visit Our Store »
Go Pro Today »
1- i have a card,with the number on the back , i can decode most of the portion of the number but how do i find the facility code? and the total number of bits including the starting bits and the ending bits.
2- i don't have the card reader so how can i see the bit pattern sent by that RFID card.
3- is there any way i can receive the whole bit stream sent by my rfid card?
The only way of getting the facility code is to read a card. It is rarely printed on the card itself
The only way to see the bit pattern is using a card reader. I built my own - there are lots of simple designs.
and just wandering if 8051 can be used in making the reader ?
You can certainly use an 8051 to read a card - You have to build all of the electroinics yourself though.
Here is a link to a project that I found helpful.
http://www.proxclone.com/reader_cloner.html
Soirry, but my reader is not a completed project that is at the stage where it can be released as an Instructable.
with my little knowledge ^ ^'.
Please help me comparing your design using diode bridge and some other design using a transistor. (like this one : http://www.instructables.com/id/Stupid-Simple-Arduino-LF-RFID-Tag-Spoofer/?ALLSTEPS). what the difference (pros/cons)?
I'm see that using transistor is more simpler but I don't know if there is any trade of?
Thanks for your contribute :D
The thing to consider is that the output of the micro already has a transistor anyway... So this is simply duplication.
Thanks!!!
Well done, it works beautifully against the Chinese card systems that are prevalent.
RFIDSpoofer_Instructables:90: error: 'ROWS' was not declared in this scope
RFIDSpoofer_Instructables:108: error: 'ROWS' was not declared in this scope
RFIDSpoofer_Instructables:123: error: 'Keypad' does not name a type
RFIDSpoofer_Instructables.pde: In function 'void setup()':
RFIDSpoofer_Instructables:147: error: 'EEPROM' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void PowerDown()':
RFIDSpoofer_Instructables:375: error: 'SLEEP_MODE_PWR_DOWN' was not declared in this scope
RFIDSpoofer_Instructables:375: error: 'set_sleep_mode' was not declared in this scope
RFIDSpoofer_Instructables:376: error: 'sleep_enable' was not declared in this scope
RFIDSpoofer_Instructables:377: error: 'sleep_mode' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void LoadFacility()':
RFIDSpoofer_Instructables:431: error: 'NO_KEY' was not declared in this scope
RFIDSpoofer_Instructables:434: error: 'keypad' was not declared in this scope
RFIDSpoofer_Instructables:470: error: 'EEPROM' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void LoadCardID()':
RFIDSpoofer_Instructables:491: error: 'NO_KEY' was not declared in this scope
RFIDSpoofer_Instructables:494: error: 'keypad' was not declared in this scope
RFIDSpoofer_Instructables:533: error: 'EEPROM' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void loop()':
RFIDSpoofer_Instructables:571: error: 'keypad' was not declared in this scope
RFIDSpoofer_Instructables:573: error: 'NO_KEY' was not declared in this scope
Also - what version of the Arduino software are you using?
20307 1196689-1
I don't know what the code would be for it. Could you please help me?
no credit given :(
http://www.instructables.com/id/A-Universal-RFID-Key-1/
Thanks for that - From the links, it looks like he made it as a present for a friend.
It is sad that he didn't attribute the original project.
But while it is irritating that he took my name off the board we have a big mish-mash of cultures that should be respected here on Instructables, and I am stoked that at least he had a go at the project.
Doug
How your antenna measures wide and long? your image is not accurate and how did turn you do ?
Thanks.
Sorry about so many question.
1) The two small circle labeled as vcc connect directly to the positive of the battery which is also the connection 1 on P1.
2) I got caps that have polarity or C3 and C5, C3's positive toward the vcc circle, and C5's positive toward connection 1 on P2.
Are both of them sound right?
Thanks!
Power ON
Pin3 LED ON
Push Mode
>>Pin3 LED ON
Push Mode
Pin2 and Pin3 LED ON
Push Mode
Pin3 and Pin4 LED ON
Push Mode
Pin2, Pin3, and Pin4 LED ON
Push Mode
Pin2 and Pin3 LED ON
Push Mode
Back to >>
As you can see, Pin3 is always on, I'm guessing that is some to do with the fact that its TX pin.
Also for some reason, Pin2 LED only light up faintly, probably because I'm using a really bright LED so the Atmega don't have enough juice to power that?
(I'm using the same LED through out the board)
Last, Pin5 LED never light up :/
And - you are right with serial enabled then you will have the TX pin on all the time - I normally disable the serial interface.
Doug
(I actually just upload the sketch to my UNO, unplug the atmega and use it directly)