Introduction: RFID Emulator - How to Clone RFID Card, Tag ...

About: www.kukata86.com

Where the idea came from.
The idea of creating an RFID emulator came from wanting an environment for developing and experimenting with different RFID applications. This article was written for engineers, amateur enthusiasts and electronics fans who like to experiment with radio-frequency devices and take on their challenges. Later I realised how useful the schematic could be in daily life: it can be developed into a backup of your existing RFID card, so that you always have a spare copy of your access card, just as you keep spare keys to your home or car. If you lose your RFID card, the backup in the RFID emulator means you will not be stuck outside the barrier of your garage or sitting outside the office. After using the emulator for the emergency, when it is convenient you can tell the people who support the access-control system that your card is lost and that you want a new one, and with the RFID emulator you can make a backup of that one too, ready for the next similar need. Most useful of all, the RFID emulator will not disrupt the engagements planned for the day.

You can buy a kit for assembly and see other interesting projects on my website: www.kukata86.com

If you have other ideas or have developed a better schematic with more options, please share it with us on my website; let's make this project bigger and better.


The creators and distributors of the schematic and the materials needed for construction will not be responsible for malicious actions by individuals tampering with the device! Everything about this device and the attached article is for educational and experimental purposes. Use at your own risk!

Step 1: What Is RFID and What Is an RFID Emulator?

Radio frequency identification (RFID) is a method for automatic identification of objects, in which data is read from or written to the object's identifier using radio waves. The technology is based on radio-frequency communication between a specially made identifier (label, tag, card, keychain, sticker or other) and a reader. Each identifier contains a chip holding a unique number, and an antenna. Depending on the system configuration, reading the number may trigger an action, for example opening a door or barrier, or the information can be sent to a computer for a decision. Some types of RFID cards allow information to be written repeatedly, which further expands the possibilities. The distance at which an identifier can be read depends on many factors, such as frequency, the size and shape of the antenna, the environment and more. The distance can even reach tens of meters with active RFID tags, i.e. tags with an additional power source (such as a battery).

The RFID emulator developed here is designed as open software and hardware and keeps evolving as enthusiast developers, which you may become too, bring new ideas. On the Internet there are several similar devices, such as OpenPICC or Proxmark, but they do not support low-frequency identification, are quite expensive and are not as flexible. As for portability, they mostly depend on external power or need to be connected to a computer.

Unlike these devices, the RFID emulator was developed to stick to the following conditions:
       -->>Elementary, so that electronics enthusiasts with little knowledge can easily understand how it works, exchange ideas and contribute to its development: easy-to-understand software and minimal hardware complexity.
       -->>Easy to build in practice. All parts can be easily sourced from a nearby electronics store.
       -->>Largely controlled by software, so it can easily be made more sophisticated when there are ideas for development; the hardware side should be as optimal and functional as possible and hardly change, or only within a very small range.

      The results at the moment are:
       -->>Our RFID emulator can already work with the following coding standards: EM4100, TK5551, Verichip, similar to ISO 11784, Biphase, Manchester, PSK, RAW encoding
       -->>Data transfer speed from 8 to 256 carrier cycles per bit.
       -->>Storage space for card data: 1920 bits (firmware limit).
       -->>100% passive. Does not need a battery.




Step 2:

Device control interface.
The board has two buttons, connected to the GP2 and GP3 pin inputs of the processor. Two capacitors (C5 and C6) are connected in parallel with the buttons to suppress disturbances from the contacts. Note that GP3 needs a pull-up resistor (R5), but GP2 does not, because it uses the software-enabled one: the PIC 12F* series has a built-in, software-controlled pull-up on every I/O line except GP3. The 1K resistors (R3 and R4) separate the I/O pins from the capacitors. This is needed for ICSP programming: without such separation, connecting an ICSP programmer or debugger would load GP3/MCLR/Vpp with the capacitor, preventing the programmer from applying the voltage required for the chip to enter programming mode. Nevertheless, my advice is to program the chip in advance with a programmer, before soldering it or before placing the capacitors on the board, to ensure successful programming. Since this is an experimental and constantly developing project, it is hard to tell whether a failure is in the programming or in the hardware, so to be at least sure of the programming, safely follow the tips in the SOFTWARE section below.

Step 3:

Information indication

A "Successfully Programmed" LED is driven through a series 470 ohm resistor. Be careful when choosing the LED for your project. Most ordinary SMD LEDs draw up to 8 mA, which is often more than the rest of the device consumes. Fitting a more powerful LED (bright, white, blue) or a non-SMD package can draw too much power, more than the antenna can induce, and the supply voltage can then drop below the minimum threshold for the circuit to work properly.

Step 4:

Power supply

The question was how to extract the voltage from the 125 kHz carrier of the RFID reader most optimally and efficiently and use it to power the system, i.e. to make a passive device that needs no external power supply. A diode bridge built from simple low-voltage silicon rectifier diodes has very large losses: these diodes have a forward voltage drop of about 0.6 V, and during each half-period the current passes through two of them, so we lose 1.2 V. Experiments gave the following results: a diode bridge formed by four Schottky diodes saves more than 600 mV, which is a much better option. The 1N5819 used (Vf = 0.2 V @ 10 mA) is perfect for this.


Step 5:

In the oscillograms below, notice the difference between Schottky and ordinary diodes in rectifying the carrier frequency.

Blue: = 2.03V   Green: = 1.36V   Yellow: Max. = 2.27V   White: = GND

Blue line: supply voltage using Schottky diodes.
Green line: supply voltage without Schottky diodes.
Yellow line: signal induced in the coil, reaching the processor (GP5).

As noted, using Schottky diodes instead of ordinary ones saves about 0.6 volts.

Step 6:

Several capacitors are added to filter the supply voltage: electrolytic (C4), tantalum (C3) and ceramic (C1). Not all of them are necessary, but they help to dramatically reduce peaks and harmonics, such as those from lighting the LED or from using the processor's built-in 8 MHz oscillator.

Step 7:

Automatic overvoltage protection

In most cases the voltage induced in the coil cannot exceed 6 V, which poses no risk of damaging any of the components. But sometimes, under certain conditions, in a strong magnetic field or with a sharp magnetisation of the coil (a sudden swipe past a reader), a peak above the maximum voltage can form and kill the CPU. To prevent the risk of damage from surges, we applied the following circuit.


If the voltage is below 5.1 V, the zener diode (D1) is blocked. The base of the transistor (Q1) is at GND, so it is blocked as well.

When the supply voltage jumps above 5.1 V, the zener diode conducts and accordingly turns on transistor (Q1). A voltage drop forms across (R7), loading the coil enough that the supply voltage falls back below 5.1 V.


Step 8:

ICSP Connector

The 5-pin connector shown provides easy access to the pins of the microcontroller. It can be used for programming or for testing I/O on the chip. The pinout of the connector is the same as for the PICkit 2 programmer, but you can use another JDM programmer as long as you follow the correct pin connections.

Step 9:

Selecting useful signal

As mentioned above, there are types of cards that can accept data sent by the reader. Usually this operation is used to write data to the card's processor (to program a card of our choice). The reader transmits data to the card memory in the same way as the card sends data to the reader: as a modulated radio-frequency carrier picked up by the antenna. To enable our emulator to read and process this information, it is necessary to build a circuit that reads, decodes and passes this information to the processor, which later records it and plays it back. To do so, we demodulate the carrier frequency to extract only the useful signal, and the easiest way to do this is with an "envelope detector".

Step 10:

Diode (D4) passes the positive half of the carrier pulses and charges capacitor (C7) when the amplitude of the carrier increases. When the amplitude of the carrier falls, capacitor (C7) is discharged through resistor (R8) (the diode prevents it from discharging back into the supply). What we need is the signal formed by the envelope of the carrier: the modulating signal containing the card data.

Green line: modulated carrier at the input of the envelope detector
Yellow line: modulating signal at the output of the envelope detector

Step 11:

The output signal of the detector passes through the decoupling capacitor (C8), which removes the DC component.

Green line: before removing the DC component
Yellow line: after removing the DC component
White line: GND
Reference: 0.5V/V-div  0.4ms/H-div

Step 12: IMPORTANT!!

As seen in the oscillograms, as a consequence of removing the DC component, the comparator input signal is negative (below GND) for half of the cycle. According to the manufacturer's specifications for the CPU, -0.3 V on an I/O input can damage the entire processor. I have not had a case of a blown processor, but keep in mind that applying a negative signal to this input can have disastrous consequences for the chip.

Step 13:

After the DC component is removed, the signal enters the PIC processor's integrated comparator. The comparator compares the detected signal against a 0.1 volt reference (software defined), and the output signal it generates closely follows the signal sent by the reader, ready for decoding and processing.

Yellow: the input of the comparator (0.2V / V-div)
Green: the output of the comparator (1V / V-div)
White: GND

Step 14: A Little Mathematics

The values of the capacitor (C7) and resistor (R8) of the envelope detector must be calculated accurately. The elements form a low-pass filter whose cut-off frequency has the following relationship:

Step 15:

The cut-off of the filter must be high enough to pass the modulating signal and low enough to block the carrier signal. If the cut-off of the filter is very high, damaging signals, which we call interference or noise, will also pass to the output. If the cut-off is very low, the modulating signal will be partly filtered and the output signal will be "clipped".

Ideally, you should choose the filter cut-off by:

Step 16:

Calculation of (R) and (C)

Carrier frequency (fc) = 125 kHz

Modulating frequency (fm) = 1953.125 Hz <- corresponds to Manchester and bi-phase encoding at 64 carrier cycles per bit (the most commonly used modulation).

The following waveforms show the effect of choosing a low filter cut-off:

Yellow line:  R=100K   C=10nF   flp=1000Hz
Green line:   R=56K    C=10nF   flp=1785Hz

Step 17:

The output signal must be "square", but notice how a low filter cut-off distorts the output signal and rounds the edges. The lower the cut-off, the more rounded they are. To prevent this "cut", the filter cut-off must be higher than the switching frequency (1953.125 Hz), but not too high, so as not to pass the extra "pulses".

Yellow line:  R=10K   C=10nF   flp=10KHz

Step 18:

From these calculations, the appropriate values are:

Cut-off of the envelope detector filter = 3030 Hz

R = 33 kohms

C = 10 nF



3030 Hz is enough to properly filter a 1953 Hz signal without very large ripple or too much clipping. If you want faster transfer and increase the target bit rate, you will have problems with noise pulses. In that case you will need to complicate the circuit with more filters, but this is not required: 3030 Hz is enough to emulate almost any low-frequency RFID card.
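As an added example (not the project's own code), the following Python script reproduces the page's flp = 1/(RC) figures for the four R8 candidates with C7 = 10 nF, also reports the textbook -3 dB corner 1/(2πRC) for comparison, and classifies each pair the way the waveforms above do; the 5 % carrier-ripple limit it uses as the lower bound is an assumption of this example, not a value from the page.

```python
"""Envelope-detector (R8, C7) design check for the 125 kHz emulator.
Added example, not the project's own code. The page's rule is that
flp = 1/(R*C) must exceed the modulating frequency fm; the carrier
ripple limit used as the lower bound is an assumption of this example."""
import math

FC = 125_000.0             # carrier frequency, Hz (from the page)
CYCLES_PER_BIT = 64        # EM4100 default: 64 carrier cycles per bit
FM = FC / CYCLES_PER_BIT   # modulating frequency = 1953.125 Hz
MAX_RIPPLE = 0.05          # assumed: under 5 % carrier ripple on the envelope


def page_cutoff_hz(r_ohm, c_farad):
    """Cut-off as the page tabulates it: flp = 1/(R*C)."""
    return 1.0 / (r_ohm * c_farad)


def minus3db_hz(r_ohm, c_farad):
    """Textbook -3 dB corner of a first-order RC low-pass, 1/(2*pi*R*C).
    It is 2*pi lower than flp; keep that in mind when comparing the page's
    numbers with a datasheet or a simulator."""
    return 1.0 / (2.0 * math.pi * r_ohm * c_farad)


def carrier_ripple(r_ohm, c_farad, fc=FC):
    """Fraction C7 discharges through R8 during one carrier period,
    i.e. how much 125 kHz ripple survives on the detected envelope."""
    return 1.0 - math.exp(-(1.0 / fc) / (r_ohm * c_farad))


def envelope_check(r_ohm, c_farad, fm=FM):
    """Classify an (R, C) pair the way the page's waveforms do."""
    flp = page_cutoff_hz(r_ohm, c_farad)
    ripple = carrier_ripple(r_ohm, c_farad)
    if flp <= fm:
        verdict = "too slow: edges rounded, modulation clipped"
    elif ripple > MAX_RIPPLE:
        verdict = "too fast: carrier ripple passes as noise pulses"
    else:
        verdict = "ok"
    return {"R_kohm": r_ohm / 1e3, "C_nF": c_farad * 1e9, "flp_hz": flp,
            "f3db_hz": minus3db_hz(r_ohm, c_farad),
            "ripple_pct": 100.0 * ripple, "verdict": verdict}


def r_window_ohm(c_farad, fm=FM, fc=FC):
    """Usable R8 range for a given C7: lower bound from the ripple limit,
    upper bound from the page's flp > fm rule."""
    r_min = -(1.0 / fc) / (c_farad * math.log(1.0 - MAX_RIPPLE))
    r_max = 1.0 / (c_farad * fm)
    return r_min, r_max


def table(pairs=((100e3, 10e-9), (56e3, 10e-9), (33e3, 10e-9), (10e3, 10e-9))):
    """The four R8 candidates from the page, all with C7 = 10 nF."""
    return [envelope_check(r, c) for r, c in pairs]


if __name__ == "__main__":
    for row in table():
        print(f"R={row['R_kohm']:.0f}k C={row['C_nF']:.0f}nF "
              f"flp={row['flp_hz']:.0f}Hz f-3dB={row['f3db_hz']:.0f}Hz "
              f"ripple={row['ripple_pct']:.1f}% -> {row['verdict']}")
    lo, hi = r_window_ohm(10e-9)
    print(f"usable R8 for 10 nF: {lo:.0f} .. {hi:.0f} ohm")
```

With these rules the 33 kohm / 10 nF pair from the page is the only one of the four that passes, and the usable R8 window for 10 nF comes out at roughly 16 to 51 kohm.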

Step 19: Schematic



Step 20:

The RFID emulator can emulate almost all low-frequency RFID cards that cannot be overwritten, or those that play back the embedded serial number immediately after being swiped past a reader. The board is designed with the size of a business card and has a built-in antenna made from a track on the PCB. You can check the gallery for photos and video. If you are interested in the RFID emulator, you can build it yourself. Below, the emulator board is shown, with pictures from the process of its practical implementation. All items are available in electronics stores. If you do not want to make the board yourself, you can order the machine-made board from our online store, along with the component kit and a programmed processor. You can always replace some of the elements with an equivalent: any transistors or Schottky diodes with similar parameters, and likewise capacitors or resistors. You can also use another processor; with minor changes the software can be adapted to work on PIC 12F and PIC 16F microcontrollers. For other questions, please use our forum.

The kit comes with unsoldered elements. You need a little soldering skill to solder the SMD components. The hardest part of all is soldering the SO8 (SOIC8) microcontroller socket.

Step 21: Parts List

This is the list of items for making the emulator. It may be helpful if you buy the items from a store other than our online store.
Parts table (by designator):

BAT721S Schottky diodes can be difficult to find. If you cannot find them, you can use one of the equivalents (sorted by Vf; lower is recommended):

BAT721S - Vf=250mV @ 10mA

BAT754S - Vf=340mV @ 10mA

BAT54S - Vf=400mV @ 10mA

BAT40-04 - Vf=450mV @ 10mA

IMPORTANT!

C2 and C3 are polarised capacitors. Be careful when soldering. On C2, the electrolytic capacitor, the black bar indicates the negative pole. On C3 (tantalum capacitor), the black-brown bar indicates the positive pole.

If you make your own board, be aware that the resonance of the antenna circuit depends on capacitor C4. But since every board turns out differently (different track thickness depending on the etching time), you should measure the inductance you actually get and match this capacitor to it. I use a 3 nF capacitor instead of the 8.2 nF from the calculations.

Step 22: Board and Soldering


The boards are shown in real dimensions. To make them from plain laminate you can use various amateur etching methods, such as the laser-printer (toner transfer) method or photoresist. The bottom side of the board is printed mirrored so that it comes out the right way round for construction.

I share 4 board views:
-->>Top side of the board
-->>Bottom side of the board (mirrored)
-->>Top side of the board with white print
-->>Bottom side of the board with white print

When soldering the board, start with the small items such as resistors and capacitors, then continue with the large electrolytic capacitors, the processor and the buttons.


Step 23: Software

Understanding this part of the article requires knowledge of assembler.
Generally, the code is nothing more than some well-timed instructions that change the state of GP4. This microcontroller (like most PIC processors) has a built-in oscillator; however, instead of using the internal oscillator, the CPU is clocked by the incoming carrier frequency (GP4). The software is not complex, because no synchronisation of the modulated data is needed (GP4 is switched to GND or left high). The internal oscillator also has very high energy consumption, which is another reason to avoid it in our circuit: lower consumption means the board can operate from a greater distance. Our firmware can be downloaded from here. It emulates the EM4100 RFID card, one of the most popular. The EM4100 [datasheet] is a card with read-only memory holding 64 bits, in most cases configured to work with 64 carrier cycles per bit and Manchester encoding. In Manchester coding each bit is split into two halves of 32 cycles each: 32 cycles of one state followed by 32 cycles of the other (this means a logic 1).

The following example shows how the software works:

BSF         TRISIO, GP4                           ; GP4 as input (High-Impedance). Transmit a '0'.
NOP
NOP
NOP
NOP
NOP
NOP
NOP
BCF         TRISIO, GP4                           ; GP4 as output (GND). Transmit a '1'
NOP
NOP
NOP
NOP
NOP
NOP
NOP

Note the fixed spacing between BSF and BCF: the PIC architecture spends exactly four oscillator cycles on each instruction, and since the oscillator here is the carrier, each group of instructions holds the line state for exactly 32 carrier cycles between transitions.
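To check the timing arithmetic, here is an added Python script (not the project's firmware) that counts the instruction cycles between the TRISIO writes in the listing above and converts them to carrier cycles; it assumes only single-cycle instructions (BSF, BCF, NOP) and, generalising beyond the listing, shows how many instructions fit in a half-bit for any bit length in the 8..256 cycle range quoted in Step 1.

```python
"""Timing check for the GP4 bit-bang listing (added example, not the
project's firmware). The PIC is clocked by the 125 kHz carrier and spends
4 oscillator cycles per single-cycle instruction, so every instruction
between two TRISIO changes holds GP4 for 4 carrier cycles."""

OSC_PER_INSTRUCTION = 4   # PIC architecture: one instruction = Fosc/4
CARRIER_HZ = 125_000      # LF carrier from the page

# The listing from the page, embedded as constructed input. Assumption: only
# single-cycle instructions (BSF/BCF/NOP); a GOTO would cost 2 cycles.
LISTING = """
BSF  TRISIO, GP4  ; GP4 as input (High-Impedance). Transmit a '0'.
NOP
NOP
NOP
NOP
NOP
NOP
NOP
BCF  TRISIO, GP4  ; GP4 as output (GND). Transmit a '1'
NOP
NOP
NOP
NOP
NOP
NOP
NOP
"""

def half_bit_lengths(listing):
    """Instruction cycles spent in each GP4 state (split at TRISIO writes)."""
    groups, count = [], 0
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip the comment
        if not line:
            continue
        op = line.split()[0].upper()
        if op not in ("BSF", "BCF", "NOP"):
            raise ValueError(f"unsupported instruction: {op}")
        if op != "NOP" and "TRISIO" in line.upper():
            if count:
                groups.append(count)
            count = 0                                # a new state starts here
        count += 1                                   # every instruction = 1 cycle
    if count:
        groups.append(count)
    return groups

def carrier_cycles(instruction_cycles):
    """How many carrier cycles GP4 is held for that many instructions."""
    return instruction_cycles * OSC_PER_INSTRUCTION

def instructions_per_half_bit(cycles_per_bit):
    """Inverse problem: instructions that fit one Manchester half-bit.
    Explains the page's 8..256 cycles/bit range: 8 cycles is the shortest
    bit that still leaves exactly one instruction per half-bit."""
    if cycles_per_bit % (2 * OSC_PER_INSTRUCTION):
        raise ValueError("bit length must be a multiple of 8 carrier cycles")
    return cycles_per_bit // 2 // OSC_PER_INSTRUCTION

if __name__ == "__main__":
    halves = half_bit_lengths(LISTING)                          # [8, 8]
    print("carrier cycles per half-bit:", [carrier_cycles(h) for h in halves])  # [32, 32]
    print("EM4100 bit rate:", CARRIER_HZ / 64, "bit/s")          # 1953.125
```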

Step 24: Downloads

You can download the emulator's software from Instructables or my website:

Source code – source which you can change or experiment with

MPLAB IDE – software from Microchip to modify and compile the source code

HEX file – compiled .HEX file, ready to program

Password for all archives from the article is: www.kukata86.com

Step 25:

The previous schematic shows the value for our coil. If you use the tracks of the board it is difficult to make the coil with an accurate value, but if we can wind our own external antenna it is easier. When designing the antenna to improve signal reception, and thus increase the range, the inductance and capacitance of the device must be in resonance with the carrier frequency (125 kHz in our case). Using the parasitic capacitance (30 pF) and a frequency of around 125 kHz, we can calculate the approximate value of the coil.
Result: 54.04 mH.



The value of the parasitic capacitance is approximate. The value of the inductance is also approximate: it can vary (from one device to another) within certain limits, not only because of imperfect workmanship but also due to external factors (temperature, voltage, frequency, etc.). Relying only on the parasitic capacitance makes tuning the LC circuit almost impossible. Adding an extra capacitor across the coil dramatically eases the situation. The capacitance should be about 1 nF, so that variations between coils do not affect your circuit. A well-calibrated antenna is not the main factor for normal operation of the device.

Step 26:

Operating at 125 kHz (wavelength 2400 m) gives a small reading distance. We can develop an alternative, external antenna to improve this shortcoming. A bigger antenna has a larger area in which the magnetic field can be induced and accordingly a higher output voltage from the coil. With the coil made from the board, as seen in the video, there is little physical space and it does not generate a very high voltage at the carrier frequency; with a suitable antenna the reading distance will be much greater. We can make a better antenna, for example by winding turns of copper wire on the inside of a toilet paper roll. You can measure or estimate the antenna you made, but then do not forget to add the required capacitor so that it is tuned. For a 150 uH coil, a 10 nF capacitor is a good match. Once you finish winding the coil, wrap it in tape to prevent damage.
Photos of handmade coils
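The resonance calculations from Steps 25 and 26, worked through in an added Python example (not the project's own code): the 54.04 mH coil for 30 pF, the capacitor for a 150 uH coil, and the worst-case detuning with and without a 1 nF capacitor across the coil; the ±50 % uncertainty assumed for the parasitic capacitance is this example's assumption, not a figure from the page.

```python
"""Antenna resonance arithmetic for the 125 kHz emulator (added example,
not the project's own code). Shows the page's two calculations and why
adding a fixed capacitor across the coil makes tuning far less sensitive
to the uncertain parasitic capacitance."""
import math

F_CARRIER = 125_000.0      # Hz, carrier from the page
C_PARASITIC = 30e-12       # 30 pF parasitic capacitance quoted on the page


def resonant_frequency(l_henry, c_farad):
    """f = 1 / (2*pi*sqrt(L*C))"""
    return 1.0 / (2.0 * math.pi * math.sqrt(l_henry * c_farad))


def inductance_for(c_farad, f_hz=F_CARRIER):
    """L that resonates with C at f: L = 1 / ((2*pi*f)^2 * C)."""
    return 1.0 / ((2.0 * math.pi * f_hz) ** 2 * c_farad)


def capacitance_for(l_henry, f_hz=F_CARRIER):
    """C that resonates with L at f: C = 1 / ((2*pi*f)^2 * L)."""
    return 1.0 / ((2.0 * math.pi * f_hz) ** 2 * l_henry)


def detuning_pct(c_fixed_farad, c_par_nominal=C_PARASITIC, c_par_error=0.5):
    """Worst-case shift of the resonant frequency (in %) when the parasitic
    capacitance differs from nominal by +/- c_par_error (assumed 50 % here),
    with a fixed capacitor c_fixed in parallel. The coil is the one tuned
    for the nominal total capacitance."""
    c_nom = c_fixed_farad + c_par_nominal
    coil = inductance_for(c_nom)
    worst = 0.0
    for sign in (-1.0, 1.0):
        c_actual = c_fixed_farad + c_par_nominal * (1.0 + sign * c_par_error)
        shift = abs(resonant_frequency(coil, c_actual) - F_CARRIER) / F_CARRIER
        worst = max(worst, 100.0 * shift)
    return worst


if __name__ == "__main__":
    print(f"coil for 30 pF parasitic only: {inductance_for(C_PARASITIC) * 1e3:.2f} mH")  # 54.04
    print(f"capacitor for a 150 uH coil:   {capacitance_for(150e-6) * 1e9:.1f} nF")       # 10.8
    print(f"detuning, parasitic only:  {detuning_pct(0.0):.1f} %")                          # 41.4
    print(f"detuning, with 1 nF added: {detuning_pct(1e-9):.2f} %")                         # 0.74
```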



Step 27: Gallery
