Instructables
Picture of A Universal RFID Key
RFID projects have been pretty prominent recently, ranging from projects here in Instructables, to our local Silicon Chip magazine in Australia publishing a RFID door lock project in their November issue.  Even I recently purchased a RFID door lock on eBay for $15 to lock my garage (so my front neighbor could get tools if he wanted to).

We have known that the cheaper RFID technologies were pretty insecure for a number of years.  Researchers have demonstrated cloners of all varieties, but simple RFID tags are still being used for access control.  Even my current employer uses them.

A while ago, I was looking at Hack A Day, and I saw an amazing project that somebody had made.  It was an RFID card with a keypad on it.  For the next couple of days, I couldn't get the image of the card out of my mind;  the project reminded me of how much I wanted to build a RFID spoofer myself.  The original author didn't release source code for their project, but they left enough clues that I could follow. 

So, in typical fashion,  I built my own reader hardware so I could have a look at the data from a card, and created my own version of the Universal RFID key.

The key I made works beautifully both on my garage door, as well as a number of other RFID readers I have tried!

I have decided to publish this, as more people should be aware of the design flaws that are inherent in older RFID implementations, and to allow others to make their own universal key.

Will this key let you into anybodies RFID protected office?  Yes it will, assuming a couple of things are true

  1)  The have to be using 125kHz RFID tags that use the same encoding standard as I have designed this project for, and,
  2)  You have to have access to the number printed on the back of the tag - with that number, you can simply key it into the Universal RFID key, and it will emulate that tag.

So there you go - I hope you enjoy making this project.  - And remember, with great power comes great responsibility!
 
Remove these adsRemove these ads by Signing Up
1-40 of 130Next »
AmpOwl2 months ago

Theoretically, could you write the code so that it runs through every possible rfid code combination (similar to a password hacking program) until one of them works, or are there too many combinations for that to be efficient?

jerbs2 months ago

I bought a RFIDler at Derbycon a couple of weeks ago and having trouble getting started with it, I really wish someone would make an instructable for one of those.

Vadzz10 months ago

Hi. Sorry for bad English.

Noticed some mistakes. The diagram shows a ATmega8 microcontroller, in the article you say that ATMega168 was mounted on board, but the image on the finished board I see Atmega328 installed.

I understand that for the project is suitable for mega168 and mega328, but on Schematic - ATmega8 microcontroller will not work and it is misleading. Please correct the error, or specify exactly what MCU you used.

Thank you!

BeerLogic11 months ago
It is interesting that *ANY* of the actual encoded number was printed on the card it's self. Twenty years ago I was designing systems that used the original Wiegand cards (the protocol that the cards use, 36 bit) and they had protocols that ensured that the printed numbers in no way matched the encoded numbers. It is not unusual that the facility code is not printed on the cards. - RJ
drj113 (author)  BeerLogic11 months ago
Yea - I would have thought that Security 101 would be to not disclose the numbering... But sadly, in 3 samples that i have decoded thus far, that simply isn't the case.
usbg3rd1 year ago
hi, excellent project there... but i have a few questions
1- i have a card,with the number on the back , i can decode most of the portion of the number but how do i find the facility code? and the total number of bits including the starting bits and the ending bits.
2- i don't have the card reader so how can i see the bit pattern sent by that RFID card.
3- is there any way i can receive the whole bit stream sent by my rfid card?
drj113 (author)  usbg3rd1 year ago
Cool - Thanks for the questions.

The only way of getting the facility code is to read a card. It is rarely printed on the card itself

The only way to see the bit pattern is using a card reader. I built my own - there are lots of simple designs.

usbg3rd drj1131 year ago
Hey thanks for the reply , but i wanted to know how can i build a card reader (without using any module) using only micro controllers (pic AVR etc) and stuff.. can u give me a link to it
and just wandering if 8051 can be used in making the reader ?
helo ? u there ?
drj113 (author)  usbg3rd1 year ago
Sorry for the late reply, I was away.

You can certainly use an 8051 to read a card - You have to build all of the electroinics yourself though.

Here is a link to a project that I found helpful.

http://www.proxclone.com/reader_cloner.html

Soirry, but my reader is not a completed project that is at the stage where it can be released as an Instructable.

prayalone1 year ago
I'm experimenting with the RFID.
with my little knowledge ^ ^'.

Please help me comparing your design using diode bridge and some other design using a transistor. (like this one : http://www.instructables.com/id/Stupid-Simple-Arduino-LF-RFID-Tag-Spoofer/?ALLSTEPS). what the difference (pros/cons)?

I'm see that using transistor is more simpler but I don't know if there is any trade of?

Thanks for your contribute :D
drj113 (author)  prayalone1 year ago
That is an interesting way of doing it.

The thing to consider is that the output of the micro already has a transistor anyway... So this is simply duplication.
tomroth1 year ago
Should the windings and diodes alone be read by the reader or does it need to be connected to the arduino for anything to happen? I built the 100 windings with the diodes and resitstor and nothing is happening. I'm pretty sure that is to be expected, but I just wanted to be sure.
Thanks!!!
tomroth1 year ago
OK, got the program opened and verified. I made an arduino device that reads #bits, facility code, and card number from any weigand card. I'm going to use your instructions to prove to my boss (I'm in the security installation business) that weigand can be hacked and copied very easily. This will get our customers to move to newer and more advanced technologies.
drj113 (author)  tomroth1 year ago
Hit enter far too soon.

Well done, it works beautifully against the Chinese card systems that are prevalent.
tomroth1 year ago
I tried that. The Arduino IDE just opens it with one REALLY long line. Would you be willing to email it to me? t.c.roth@sbcglobal.net. If not, I will try to enter it manually.
drj113 (author)  tomroth1 year ago
done :-)
tomroth1 year ago
This is an awesome project! But I can't download the Arduino sketch, it just opens as a text document. Any reason why?
drj113 (author)  tomroth1 year ago
It is a problem with instructables - Just save the text document as a .pde file
lazerek1 year ago
RFIDSpoofer_Instructables:3: error: expected constructor, destructor, or type conversion before '<' token
RFIDSpoofer_Instructables:90: error: 'ROWS' was not declared in this scope
RFIDSpoofer_Instructables:108: error: 'ROWS' was not declared in this scope
RFIDSpoofer_Instructables:123: error: 'Keypad' does not name a type
RFIDSpoofer_Instructables.pde: In function 'void setup()':
RFIDSpoofer_Instructables:147: error: 'EEPROM' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void PowerDown()':
RFIDSpoofer_Instructables:375: error: 'SLEEP_MODE_PWR_DOWN' was not declared in this scope
RFIDSpoofer_Instructables:375: error: 'set_sleep_mode' was not declared in this scope
RFIDSpoofer_Instructables:376: error: 'sleep_enable' was not declared in this scope
RFIDSpoofer_Instructables:377: error: 'sleep_mode' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void LoadFacility()':
RFIDSpoofer_Instructables:431: error: 'NO_KEY' was not declared in this scope
RFIDSpoofer_Instructables:434: error: 'keypad' was not declared in this scope
RFIDSpoofer_Instructables:470: error: 'EEPROM' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void LoadCardID()':
RFIDSpoofer_Instructables:491: error: 'NO_KEY' was not declared in this scope
RFIDSpoofer_Instructables:494: error: 'keypad' was not declared in this scope
RFIDSpoofer_Instructables:533: error: 'EEPROM' was not declared in this scope
RFIDSpoofer_Instructables.pde: In function 'void loop()':
RFIDSpoofer_Instructables:571: error: 'keypad' was not declared in this scope
RFIDSpoofer_Instructables:573: error: 'NO_KEY' was not declared in this scope
drj113 (author)  lazerek1 year ago
it looks like you have not loaded the keypad or eeprom library.

Also - what version of the Arduino software are you using?
curlydude932 years ago
How could the range of this spoofer be increased? I'm interested in using this to gain access to my college dorm without having to scan my ID right next to the reader.
I'm curious about that too.
drj113 (author)  Klaudiuszm1 year ago
The only think I could think of is increasing the antenna size, or making the project be an active transmitter - That's an area that I had not experimented with.

Hi my key has the numbers:
20307 1196689-1
I don't know what the code would be for it. Could you please help me?
ninthlife2 years ago
seen this?

no credit given :(

http://www.instructables.com/id/A-Universal-RFID-Key-1/
drj113 (author)  ninthlife2 years ago
Hey,

Thanks for that - From the links, it looks like he made it as a present for a friend.

It is sad that he didn't attribute the original project.

But while it is irritating that he took my name off the board we have a big mish-mash of cultures that should be respected here on Instructables, and I am stoked that at least he had a go at the project.

Doug


Laserman5953 years ago
:D
How-do-we-emulate-a-card.jpg
drj113 (author)  Laserman5952 years ago
Ahhhhh - it took a while for me to see this..... C4 was not chosen intentionally :-)
wow, just wow. : )
drj113 (author)  techxpert2 years ago
Why Thank you :-) This was a fun project.
darkhack2 years ago
Hello,
How your antenna measures wide and long? your image is not accurate and how did turn you do ?
Thanks.
ljfa3212 years ago
Still acting weird :/
Sorry about so many question.
1) The two small circle labeled as vcc connect directly to the positive of the battery which is also the connection 1 on P1.

2) I got caps that have polarity or C3 and C5, C3's positive toward the vcc circle, and C5's positive toward connection 1 on P2.

Are both of them sound right?

Thanks!
ljfa321 ljfa3212 years ago
Oh and can you also tell me in each mode, which LED should be on to indicate the mode? Thanks
ljfa321 ljfa3212 years ago
so far my sequence look like this:

Power ON
Pin3 LED ON
Push Mode
>>Pin3 LED ON
Push Mode
Pin2 and Pin3 LED ON
Push Mode
Pin3 and Pin4 LED ON
Push Mode
Pin2, Pin3, and Pin4 LED ON
Push Mode
Pin2 and Pin3 LED ON
Push Mode
Back to >>



As you can see, Pin3 is always on, I'm guessing that is some to do with the fact that its TX pin.
Also for some reason, Pin2 LED only light up faintly, probably because I'm using a really bright LED so the Atmega don't have enough juice to power that?
(I'm using the same LED through out the board)
Last, Pin5 LED never light up :/
drj113 (author)  ljfa3212 years ago
The mode is displayed in binary - 0001 = 1, while 0101 = 5

And - you are right with serial enabled then you will have the TX pin on all the time - I normally disable the serial interface.

Doug
ljfa321 ljfa3212 years ago
Oops, I mean the positive after the Voltage regulator
ljfa321 ljfa3212 years ago
BTW, I'm using Atmega328 with UNO boot loader. Will that make a difference?
(I actually just upload the sketch to my UNO, unplug the atmega and use it directly)
ljfa3212 years ago
Question, shouldn't R6 be a 10k resistor instead of 100k one @@?
drj113 (author)  ljfa3212 years ago
Either will work fine - It is just a pull up resistor on the reset signal.
1-40 of 130Next »