Introduction: RFID Emulator - How to Clone RFID Card, Tag ...

Where the idea came from.
The idea for the RFID Emulator came from wanting an environment for developing and experimenting with different RFID applications. This article is written for engineers, amateur enthusiasts and electronics fans who like to experiment with radio frequency devices and take on their challenges. Later I realized that the schematic also has a useful everyday application: making a backup of an existing RFID card, so that you always have a spare access card, much as you keep spare keys to your home or car. If you lose your RFID card, the RFID Emulator is your backup, so you will not be stuck in front of your garage barrier or sitting outside the office. After using the emulator for such an emergency, you can, when it is possible and convenient, tell the people who support the access control system that your card is lost and that you want a new one. With the RFID Emulator you can then make a backup of the new card and use it the next time a similar need arises. Most useful of all, the RFID Emulator keeps a lost card from disrupting the engagements you have planned for the day.

You can buy a kit for assembly and see other interesting projects on my website:

If you have other ideas or have developed a better schematic with more options, please share it with us on my website; let's make this project bigger and better.

The creators and distributors of the schematic and of the materials needed for construction are not responsible for malicious actions by malicious individuals or for tampering with the device! Everything about this device and the attached article is for educational and experimental purposes. Use at your own risk!

Step 1: What Is RFID and What Is an RFID Emulator?

Radio frequency identification, often abbreviated RFID (Radio Frequency IDentification), is a method for automatic identification of objects in which object identifiers are read or written using radio waves. The technology is based on radio frequency communication between a specially made identifier (label, tag, card, keychain, sticker or other) and a reader. Each identifier contains a chip that stores a unique number, and an antenna. Depending on the system configuration, "reading" the number may trigger an action, for example opening a door or a barrier, or the information can be sent to a computer for a decision. Some types of RFID cards can be written multiple times, which further expands the possibilities. The distance at which an identifier can be "read" depends on many factors such as the frequency, the size and shape of the antenna, the environment and more. The distance can even reach tens of meters with active RFID tags, i.e. tags that use additional power (such as a battery).

The RFID Emulator developed here is designed with open software and hardware and keeps evolving as developers, of whom you may be one, contribute new ideas. There are several similar devices on the Internet, such as OpenPICC or Proxmark, but they do not support low-frequency identification, are quite expensive and are not as flexible. They are also portable, but mostly depend on external power or need to be connected to a computer.

Unlike these devices, the RFID Emulator was developed to stick to the following conditions:
-->>Elementary, so that electronics enthusiasts with even a little knowledge of electronics can easily understand how it works, exchange ideas and contribute to its development. Easy-to-understand software and minimal hardware complexity.
-->>Easy to build in practice. All parts can be easily sourced from a nearby electronics store.
-->>Controlled largely by software, so that it is easy to extend when there are ideas for development; the hardware should be as optimal and functional as possible and should need almost no changes, or only very small ones.

The results so far:
-->>The RFID Emulator currently works with the following coding standards: EM4100, TK5551, Verichip, similar to ISO 11784, Biphase, Manchester, PSK, RAW encoding
-->>Data transfer speed is from 8 to 256 cycles per bit.
-->>Storage space for card data is 1920 bits (firmware limit).
-->>100% passive. Does not need a battery.

Step 2:

Device control interface.
The board has two buttons, connected to the GP2 and GP3 input pins of the processor. Two capacitors (C5 and C6) are connected in parallel with the buttons to filter out any disturbance. Note that GP3 has an external pull resistor (R5) but GP2 does not, because GP2 uses the software-enabled one. Processors of the PIC 12F* series have a software-controlled built-in pull resistor on every I/O line except GP3. The 1K resistors (R3 and R4) separate the I/O pins from the capacitors. This is needed for ICSP programming. Without this separation, the capacitor on GP3/MCLR/Vpp would load a connected ICSP programmer or debugger, preventing the programmer from delivering the required voltage and the chip from entering programming mode. Nevertheless, my advice is to program the chip in a programmer before soldering it, or before placing the capacitors on the board, to make sure programming succeeds. Since this is a test project under constant development, when something fails it is hard to tell whether the problem is in the programming or in the hardware, so to be sure that at least the programming is reliable, follow the tips below in the Software section.

Step 3:

Information indication

A "Successfully Programmed" LED is connected in series with a 470 ohm resistor. Be careful when choosing the LED for your project. Most ordinary SMD LEDs draw up to 8 mA, which is often more than the rest of the device consumes. A more powerful LED (bright, white, blue) or a non-SMD LED can consume too much power, more than the antenna can induce, and this can make the supply voltage drop below the minimum the circuit needs to work properly.

Step 4:

Power supply

The question was how to obtain the supply voltage most efficiently from the 125 kHz carrier frequency of the RFID reader and how to use it to power the system, i.e. how to make a passive detector that requires no external power supply. A diode bridge built from simple low-voltage silicon rectifier diodes has very large losses. Each such diode has a forward voltage drop of about 0.6V, and during each half period the current passes through two of them, so we lose 1.2V. Experiments show the following results: a diode bridge formed by four Schottky diodes saves more than 600 mV, which is a much better option. The 1N5819 used here (Vf = 0.2V @ 10mA) is perfect for this.

Step 5:

In the oscillograms below, notice the difference between using Schottky diodes and ordinary diodes when rectifying the carrier frequency.

Blue: = 2.03V   Green: = 1.36V   Yellow: Max. = 2.27V   White: = GND

The blue line shows the supply signal using Schottky diodes.
The green line is without Schottky diodes.
The yellow line is the signal induced in the coil as it reaches the processor (GP5).

As noted, using Schottky diodes instead of ordinary ones saves about 0.6 volts.

Step 6:

Several capacitors are added to filter the supply voltage: electrolytic (C4), tantalum (C3) and ceramic (C1). Not all of them are necessary, but they help to dramatically reduce peaks and harmonics, such as those caused by the LED lighting up or by using the processor's built-in 8 MHz oscillator.

Step 7:

Automatic overvoltage protection

In most cases the voltage induced in the coil cannot exceed 6V, and there is no risk of damaging any of the components. But sometimes, under certain conditions, such as a strong magnetic field or a sudden magnetization of the coil (bringing it abruptly to a reader), a peak can form above the maximum voltage and kill the CPU. To prevent the risk of damage from such surges, we use the following circuit.

If the voltage is below 5.1V, the zener diode (D1) is blocked. The base of the transistor (Q1) is at "GND" and the transistor is also blocked.

When the supply voltage jumps above 5.1V, the zener diode opens and in turn unlocks the transistor (Q1). The voltage drop that forms on (R7) loads the coil enough that the supply voltage drops below 5.1V.

Step 8:

ICSP Connector

The 5-pin connector shown provides easy access to the pins of the microcontroller. It can be used for programming or for testing the I/O of the chip. The pinout of the connector is the same as that of the PICkit 2 programmer, but you can also use a JDM programmer as long as you follow the correct pin connections.

Step 9:

Selecting the useful signal

As mentioned above, some types of cards can accept data sent by the reader. This operation is usually used to write data to the card (to program the card with data of our choice). The reader transmits data to the card's memory in the same way the card sends data to the reader: as a modulated radio frequency carrier that is picked up by the antenna. For our emulator to read and process this information, we need a circuit that reads and decodes it and passes it to the processor, which later stores it and plays it back. To do so, we demodulate the carrier frequency, removing the carrier and keeping only the useful signal, and the easiest way for us to do that is with an "envelope detector".

Step 10:

The diode (D4) passes the positive half of the carrier and charges the capacitor (C7) when the amplitude of the carrier increases. When the amplitude of the carrier falls, the capacitor (C7) discharges through the resistor (R8) (the diode prevents it from discharging into the supply). The signal we need, formed by the envelope of the carrier, is the modulated signal containing the data for the card.

               Green line:  Modulated carrier input of the Envelope detector
               Yellow line: Modulated signal at the output of the Envelope detector

Step 11:

The output signal of the detector passes through the decoupling capacitor (C8), which isolates the constant (DC) component of the voltage.

Green line: before removing the constant component
Yellow line: after removing the constant component
White line: GND
Reference: 0.5V/V-div  0.4ms/H-div

Step 12: IMPORTANT!!

As the oscillograms show, a consequence of removing the constant component is that the comparator input signal is negative (<GND) for half of the cycle. According to the manufacturer's specifications for the CPU, -0.3 on an I/O input can damage the entire processor. I have not had a case of a blown processor, but keep in mind that applying a negative signal to this input can have disastrous consequences for the chip.

Step 13:

After decoupling, the signal enters the integrated comparator of the PIC processor. The comparator compares the detected signal with a voltage of 0.1 volts (software defined) and generates an output signal close to the signal sent by the reader, ready for decoding and processing.
Yellow: the input of the comparator (0.2V / V-div)
Green: the output of the comparator (1V / V-div)
White: GND

Step 14: A Little Mathematics

The values of the capacitor (C7) and the resistor (R8) of the envelope detector must be calculated accurately. Together these elements form a low-pass filter whose cutoff frequency is given by the following relationship:

Step 15:

The cutoff of the filter must be high enough to pass the frequency of the modulation signal and low enough to block the carrier signal. If the cutoff is too high, the output will also pass unwanted signals, which we call interference or noise. If the cutoff is too low, the modulation signal will be partly filtered out and the output signal will be "clipped".

Ideally, you should choose the filter cutoff by:

Step 16:

Calculation of (R) and (C)

Carrier frequency (fc) = 125 kHz

Modulating frequency (fm) = 1953.125 Hz <- corresponds to Manchester and bi-phase encoding at 64 carrier cycles per bit (the most commonly used modulation).

The following waveforms show the effect of choosing a low filter cutoff:

                      Yellow line:   R=100K    C=10nF    flp=1000Hz
                      Green :  R=56K      C=10nF    flp=1785Hz

Step 17:

The output signal must be "square", but notice how a low filter cutoff distorts the output signal and rounds its edges. The lower the cutoff, the more rounded they are. To prevent this "clipping", the filter cutoff must be higher than the switching frequency (1953.125 Hz), but not so high that it lets extra "pulses" through.

                    Yellow line:   R=10K    C=10nF    flp=10KHz

Step 18:

From the calculations here, the appropriate values are:

Cutoff frequency of the envelope detector = 3030 Hz

R = 33 Kohms

C = 10 nF

3030 Hz is enough to properly filter the 1953 Hz signal without very large ripple or too much clipping. If you want faster transfer and increase the data rate, you will have problems with noise pulses. In that case you will need to extend the circuit with more filters, but this is not required: 3030 Hz is enough to emulate almost any low-frequency RFID card.
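
The trade-off described in Steps 15 to 18, as an added simulation that is not part of the original article: an ideal-diode model of the envelope detector (D4, C7, R8) fed a 125 kHz carrier whose amplitude switches every 32 cycles. The 50% modulation depth, the ideal diode and the 40 simulation steps per cycle are assumptions; the cutoff is computed as 1/(R*C), the convention that reproduces the figures quoted with the oscillograms.

```python
import math

FC = 125_000.0            # carrier frequency from the article (Hz)
CYCLES_PER_HALF_BIT = 32  # Manchester half bit at 64 carrier cycles per bit
STEPS = 40                # simulation steps per carrier cycle (assumption)
C7 = 10e-9                # capacitor value used throughout the article


def cutoff_hz(r_ohm, c_farad=C7):
    """Cutoff as the article quotes it: 1/(R*C) reproduces its 1000, 1785,
    3030 and 10000 Hz figures (the -3 dB corner would be 1/(2*pi*R*C))."""
    return 1.0 / (r_ohm * c_farad)


def simulate(r_ohm, c_farad=C7, half_bits=(1, 0, 1, 0), hi=1.0, lo=0.5):
    """Ideal diode + RC envelope detector. Returns one sample list per half
    bit. hi/lo are carrier amplitudes (constructed values, 50% depth)."""
    decay = math.exp(-1.0 / (FC * STEPS * r_ohm * c_farad))  # per time step
    v, out = 0.0, []
    for level in half_bits:
        amp = hi if level else lo
        samples = []
        for n in range(CYCLES_PER_HALF_BIT * STEPS):
            vin = amp * math.sin(2 * math.pi * (n % STEPS) / STEPS)
            # The diode conducts only while the carrier is above the capacitor
            # voltage; otherwise the capacitor discharges through the resistor.
            v = max(vin, v * decay)
            samples.append(v)
        out.append(samples)
    return out


def measure(r_ohm, c_farad=C7, hi=1.0, lo=0.5):
    """Ripple on a steady high level, and how much of the hi->lo step the
    output follows within a single half bit (1.0 = fully recovered)."""
    first_high, first_low = simulate(r_ohm, c_farad, hi=hi, lo=lo)[:2]
    tail = first_high[-4 * STEPS:]            # last four carrier cycles
    ripple = (max(tail) - min(tail)) / hi
    recovered = min(1.0, (hi - min(first_low)) / (hi - lo))
    return {"cutoff_hz": cutoff_hz(r_ohm, c_farad),
            "ripple": ripple, "recovered": recovered}


def compare(r_kohm=(100, 56, 33, 10)):
    """Resistor values taken from the article's oscillogram captions."""
    return {k: measure(k * 1e3) for k in r_kohm}


if __name__ == "__main__":
    for k, m in compare().items():
        print(f"R={k:>3}K  cutoff={m['cutoff_hz']:7.0f} Hz  "
              f"ripple={m['ripple'] * 100:4.1f}%  "
              f"step recovered={m['recovered'] * 100:5.1f}%")
```

Under these assumptions the 100K and 56K filters follow only about 46% and 75% of the amplitude step within one half bit, while 33K and 10K follow all of it; ripple grows from under 1% at 100K to about 7% at 10K.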

Step 19: Schematic


Step 20:

The RFID Emulator can emulate almost all low-frequency RFID cards that cannot be overwritten, or that transmit their embedded serial number immediately after being brought to a reader. The board is designed in the size of a business card, with a built-in antenna made from a track on the PCB. You can check the gallery for photos and video. If you are interested in the RFID Emulator, you can build it yourself. Below are the emulator board and pictures from the process of its practical construction. All parts are available in electronics stores. If you do not want to produce the board yourself, you can order from our online store a factory-made board and a kit with the components and a programmed processor. You can always replace some of the parts with their equivalents. You can use any transistors or Schottky diodes with similar parameters, and likewise capacitors or resistors. You can use another processor. With minor changes the software can be adapted to work on PIC 12F and PIC 16F microcontrollers. For other questions, use our forum.

The kit comes with unsoldered components. You need a little soldering skill to solder the SMD components. The hardest part to solder is the SO8 (SOIC8) microcontroller socket.

Step 21: List of Parts

This is the list of parts for making the emulator. It may be helpful if you buy the parts from a store other than our online store.

BAT721S Schottky diodes can be difficult to find. If you cannot find them, you can use one of the equivalents (sorted by Vf; lower is recommended):

BAT721S - Vf=250mV @ 10mA

BAT754S - Vf=340mV @ 10mA

BAT54S - Vf=400mV @ 10mA

BAT40-04 - Vf=450mV @ 10mA


C2 and C3 are polarized capacitors. Be careful when soldering. On C2, the electrolytic capacitor, the black bar marks the negative pole. On C3 (the tantalum capacitor), the black-brown bar marks the positive pole.

If you make your own board, keep in mind that the resonance of the resonant circuit depends on the capacitor C4. Since every board turns out different (track thickness varies with the etching time), you should measure the inductance you get and match this capacitor to it. I use a 3 nF capacitor instead of the 8.2 nF from the calculations.

Step 22: Board and Soldering


The boards are shown in real dimensions. To make the board from plain laminate you can use different amateur etching methods, such as the laser printer method or photoresist. The bottom side of the board is printed mirrored so that it comes out the right way round for construction.

I share 4 board views:
-->>Top side of the board
-->>Bottom side of the board (mirrored)
-->>Top side of the board with white solder
-->>Bottom side of the board with white print

When soldering the board, start with small parts such as resistors and capacitors, then continue with the large electrolytic capacitors, the processor and the buttons.


Step 23: Software

Understanding this part of the article requires knowledge of assembler.
In general the code is nothing more than some well-timed instructions that change the state of GP4. This microcontroller (like most PIC processors) has a built-in oscillator; however, instead of using the internal oscillator, the CPU is clocked by the carrier frequency coming in on GP4. The software is not complex, since it needs no synchronization of the modulated data (GP4 is switched between GND and high impedance). The internal oscillator has very high power consumption, which is another reason to avoid it in our circuit. Lower consumption means the board can operate from a greater distance. Our firmware can be downloaded from here. It emulates the EM4100 RFID card, one of the most popular. The EM4100 [datasheet] is a card with 64 bits of read-only memory, in most cases configured to work at 64 cycles per bit with Manchester encoding. In Manchester code each bit is split in half: 32 cycles at 1 and the other 32 cycles at 0 (this means logic 1).

The following example shows how software works:

BSF         TRISIO, GP4                           ; GP4 as input (High-Impedance). Transmit a '0'.
BCF         TRISIO, GP4                           ; GP4 as output (GND). Transmit a '1'

Note that there are exactly four instruction cycles between BSF and BCF. Considering that the PIC architecture uses 4 clock cycles to execute an instruction, this means that exactly 32 carrier cycles are broadcast between the instruction groups.

Step 24: Downloads

You can download the emulator's software from Instructables or from my website:

Source code – source that you can change and experiment with

MPLAB IDE – software from Microchip for modifying and compiling the source code

HEX file – compiled .HEX file, ready to program

Password for all archives from the article is :

Step 25:

The previous schematic shows the value for our coil. If you use the tracks of the board as the coil, it is difficult to get an accurate coil value, but if we wind our own external antenna it is easier. When designing the antenna to improve signal reception, and thus increase the working distance of the device, the inductance and the capacitance must be in resonance at the carrier frequency (125 kHz in our case). Using the parasitic capacitance (30 pF) and a frequency of around 125 kHz, we can calculate the approximate value of the coil.
The result is 54.04 mH.

The value of the parasitic capacitance is approximate. The value of the inductance is also approximate. It can vary (from one device to another) within certain limits, not only because of imperfect workmanship but also under the influence of external factors (temperature, voltage, frequency, etc.). Using only the parasitic capacitance makes tuning the LC circuit almost impossible. Adding extra capacitance alongside the coil improves the situation dramatically. The value of this capacitance should be about 1 nF, so that variations between coils do not affect your circuit. A well-calibrated antenna is not the main factor for normal operation of the device.

Step 26:

Operation at 125 kHz (wavelength 2400 m) gives a small reading distance. We can build an alternative, external antenna to improve on this shortcoming. A bigger antenna has a larger area in which the magnetic field can induce a voltage, so it gives a higher output voltage. The coil I made on the board, as seen in the video, has little physical area and does not generate a very high voltage from the carrier; with a suitable antenna the reading distance will be much greater. We can make a better antenna, for example by winding coils of copper wire on the inside of a toilet paper roll. You can measure or estimate the antenna you made, but then do not forget to fit the capacitor required to tune it. For a 150uH coil, a 10 nF capacitor is a good match. Once you finish winding, wrap the coil in tape to protect it from damage.
Photos of handmade bobbins
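
The resonance arithmetic from Steps 25 and 26, as an added example that is not part of the original article. It checks the 54.04 mH figure and the 150 uH / 10 nF pairing, and shows why a capacitor of about 1 nF makes the tuning insensitive to parasitic capacitance; the 10 pF drift in parasitic capacitance, and the added capacitor sitting in parallel with it, are assumptions.

```python
import math

F_CARRIER = 125_000.0   # Hz, carrier frequency from the article
C_PARASITIC = 30e-12    # F, parasitic capacitance quoted in the article


def resonant_freq(l_henry, c_farad):
    """Resonant frequency of an LC circuit: f = 1 / (2*pi*sqrt(L*C))."""
    return 1.0 / (2 * math.pi * math.sqrt(l_henry * c_farad))


def coil_for(c_farad, f_hz=F_CARRIER):
    """Inductance that resonates with c_farad at f_hz."""
    return 1.0 / ((2 * math.pi * f_hz) ** 2 * c_farad)


def cap_for(l_henry, f_hz=F_CARRIER):
    """Total capacitance that resonates with l_henry at f_hz."""
    return 1.0 / ((2 * math.pi * f_hz) ** 2 * l_henry)


def detune_percent(c_added, drift=10e-12):
    """Shift of the resonance, in percent of 125 kHz, when the parasitic
    capacitance turns out `drift` farads larger than the 30 pF the coil was
    sized for. The 10 pF default is a constructed value."""
    c_nominal = c_added + C_PARASITIC          # parallel capacitances add
    coil = coil_for(c_nominal)
    return (resonant_freq(coil, c_nominal + drift) / F_CARRIER - 1.0) * 100.0


def report():
    return {
        "coil_mH_for_30pF": coil_for(C_PARASITIC) * 1e3,
        "f_kHz_150uH_10nF": resonant_freq(150e-6, 10e-9) / 1e3,
        "exact_nF_for_150uH": cap_for(150e-6) * 1e9,
        "detune_%_parasitic_only": detune_percent(0.0),
        "detune_%_with_1nF": detune_percent(1e-9),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:26s} {value:8.3f}")
```

Under these assumptions a 10 pF change detunes the parasitic-only circuit by about 13%, but by less than 0.5% once 1 nF is added.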



gdps67g (author)2016-07-19

Please update the purchase links. This product is not available at the links that you provided. Please do us a favour and provide the direct link to the product page.

kukata86 (author)gdps67g2016-07-19

The shop is not working because I'm outside my country a lot of the time, and I posted that info on the main page of my website, and nobody supports the online shop. I can't share another link because I'm not a reseller; I created this in my free time, and now you can use all the attached info and schematics to make a similar device, but alone, dear hobbyists. Sorry that I can't support your hard work.

Jean0x7BE (author)kukata862016-12-04

Awesome instructable, thank you so much!

Regarding links, on the few instructions I've written, I just link to search-pages of the product, or product type - since links often get dead, especially ebay-links and other similar sites. Just a tip :) Thanks again, gonna use this one as soon as I have the time!

BuyThisComputer (author)2016-09-09

Hello, do you think that it's possible to make a generic hotel RFID keycard (to keep aircon and plugs ON when I go out for a short time) or possible to do this with a mobile?


anushreem1 (author)2015-12-13

Hi, where is it possible to buy this device?? Please let me know ASAP. I am unable to buy it on the website. It shows temporarily not available.

QuickLulz (author)2014-10-08

Did anyone ever end up trying We own an apartment building and need our entire stock of key cards duplicated. The system won't let us add anymore and upgrading costs a fortune! The company says it can duplicate or "clone" our keys but we're very hesitant to send them money and our only keys!

StefanC11 (author)QuickLulz2015-12-05


I am sure they can do it just fine.

One concern would be that you are actually cloning the cards, which means you lose the accountability of who used the card.

What kind of hardware are you running?


taifur (author)2015-09-18

Nice work

gerarde.gerarde (author)2015-03-28

Where can I buy it?

c1c2c3 (author)2013-09-04

Am I the only one who noticed that the buttons on the video are on the up side but on the photos they are always on the downside?

kukata86 (author)c1c2c32013-09-06

Yes, the first prototype was developed with the buttons on the side with the components, but after that I chose to put the buttons on the back side because it was easier to put it in a box and push the buttons from this side. The bigger electrolytic capacitor is too tall, and it was difficult to push the buttons when they were on the side with the components. The second modification was only for the buttons. There are no other changes to the schematic.
In the video clip I use the first "working prototype" board.

c1c2c3 (author)2013-08-24

What is the second button for?

kukata86 (author)c1c2c32013-08-25

The second button is for optional/future releases or for your custom option if you make your own code. For now it's not used.

c1c2c3 (author)2013-08-24

Also, I forgot to ask
Do you program the microcontroller using the 5 pin header?
If so, how do you connect it to a computer.
Do you need any other hardware for it?
One last question: would it be possible to program it using Arduino

kukata86 (author)c1c2c32013-08-25

No, I program it using a PICkit 2 programmer without soldering.
You can program it using this header after soldering it once, without soldering and desoldering the chip from the board many times, because you can burn it.
This is a normal ICSP header/connector that every PIC programmer like the PICkit 2 or 3 has. You can find more info on the internet about this header.
Maybe it's possible to use an Arduino for programming with the proper software on it, but I think it will be easier to use some cheap programmer.

Mnbadger (author)2013-04-07

Is this 125Khz or 13.56Mhz? It mentions both EM4100 and Mifare which are separate frequencies, very cool!

If people are looking for just a cloned key is a much easier way, kinda expensive though.

raaj25 (author)2013-02-01

By using this, can I design my own RFID system for position control?

ncortiz (author)2012-11-29


danic (author)2012-11-29

So your idea didn't come from then?! It's good to see that you have been able to take the idea further. Nice work.

bye bye (author)2012-11-25

is this like yours,isnt it?

dimoniet (author)bye bye2012-11-27

Identical PCB, seems exactly the same to me...

kukata86 (author)bye bye2012-11-25

No it isn't. But it's another interesting demo clip. Thank you for request.

Nick_de (author)2012-11-27

Nice and detailed. Great work!

Edgar (author)2012-11-26

I have a neat pack of Instructables to talk about, today on my Blog, and yours is one of them! :)

kukata86 (author)Edgar2012-11-26

Thank you so much, Edgar. I appreciate the gesture.

Edgar (author)kukata862012-11-26

You know, I've been divulging this stuff for a couple of years, now but one day, I thought, maybe folk will like to know their work is been divulged...I guess I was right! :D

il_matthew (author)2012-11-26

I'm pretty curious about the whole RFID world's possibilities, one thing bothers me though: I managed to read my own work key (which contains an RFID chip) with a Nexus (Android phone) equipped with an NFC reader. Could it be possible to use the same principle (cloning an RFID card) with just a smartphone and an NFC reader?

kukata86 (author)il_matthew2012-11-26

The RFID emulator works with 125kHz and the EM4100 protocol. The RFID emulator and NFC both use RFID (Radio Frequency IDentification), but they use different standards for communication and different frequencies. The NFC standards are ISO/IEC 14443, FeliCa and ISO/IEC 18092, and they use 13.56 MHz, which is hardware integrated. You can't make a device for 125kHz be read by 13.56 and vice versa. The resonant frequency of the two devices is different and is set in hardware.
You can't emulate an NFC tag working on 13.65 MHz with the RFID emulator from this article, and you can't emulate a 125 kHz RFID chip from an NFC transmitter. It's not supported by the hardware.
The RFID emulator can be used only for 125kHz systems, that is, most identification cards with only an identification in them. It's used in barriers, access gates, etc.
Since you already have a Nexus and an NFC device, if you want to copy an NFC chip just read it and write it to a new blank and you will have 2 similar chips. See this link

I hope this information helps.Greetings.
