Stupid Simple Arduino LF RFID Tag Spoofer
9 Steps
RFID tags are all over the place. They're used in building access control systems, passports, inventory tracking... This instructable will show how you can use an Arduino and a few simple components (wire coil, transistor, capacitor, resistor) to make a device that can spoof a 125 kHz (low frequency) RFID tag. This is version 1, so there are many enhancements that can be made, but this version is stupid simple, yet it works. I did this in a few hours without much previous knowledge of RFID and without any fancy equipment (like radio tuning hardware or an oscilloscope... I guess an oscilloscope is fancy, I need to pick up one of those).

UPDATE: Here is a link to an Arduino Mini shield based on these instructions http://wiki.smallroom.net/doku.php?id=terd:projects:rfidspoofer .

## Step 1: Parts

Parts:

* Some enamel-coated solid core copper wire (I used the green spool from the 3 spool set Radio Shack carries).

* An NPN transistor; I used a 2N3904.

* A 10 K Ohm resistor

* A 10 nF capacitor (0.01 uF). I'm using a metallized polyester film cap I got from Radio Shack; others should work though.

* A toilet paper roll to wind the wire on

I tested my circuit using a Parallax RFID serial reader connected to a second Arduino.
TimMcClymont says: Feb 25, 2013. 9:34 PM
I've just built this circuit and it works just fine, I was curious as to how you would go about calculating an actual RFID tag code for spoofing as well as the parity bits to go with?
I understand the code itself is in 10 binary segments each with a parity bit but I'm unsure on how to work out the parity for it.
sketchsk3tch (author) says: Feb 26, 2013. 8:16 PM
Check out step 3. Each hex number is represented by 4 binary digits then one even parity bit. In other words count how many of the 4 digits are 1s, if it's an even number the 5th bit is a 0, if it's odd then it's a one. Do the same for the column parity bits at the end, but add up the ten columns.
SpecTrum_Bill says: Aug 22, 2012. 3:54 PM
Is it possible to replace the coil by an inductor of the same inductance? It has the same effects?
Thanks!
Machine says: Jul 11, 2012. 4:43 AM
What does "spoof" mean? Forgive my ignorance.

Don't bother, I went looking for it and found it in the Hacker's Dictionary:

spoof vi.

To capture, alter, and retransmit a communication stream in a way that misleads the recipient. As used by hackers, refers especially to altering TCP/IP packet source addresses or other packet-header data in order to masquerade as a trusted machine. This term has become very widespread and is borderline techspeak.
Astinsan says: Sep 24, 2010. 2:14 AM
Can this be made to spoof transponder keys? I have an old Ford that uses the TI transponder in the ignition. VAT bypass would cost me around 400\$. If it could be done for under 100 with arduino it would be cool.
solaralternatives says: Dec 16, 2011. 3:19 PM
The only reason people would have something like those here in the US is that they were arrested for drunk driving. If you own the car, and are not REQUIRED to have the thing, why don't you just remove it? If you ARE required to have it, you could probably get in a lot of trouble for screwing around with it. I wouldn't, if I were you.
Grumpy Mike says: Dec 14, 2011. 1:51 AM
No, transponders don't work like this.
Astinsan says: Dec 14, 2011. 8:57 AM
darnit...
dersteps says: Nov 24, 2011. 10:45 AM
Hey! Looks like an awesome project, I'm planning to try it myself.

I don't have Radio Shack around here and don't want to order the wire set from them to Germany (shipping...). So I'm very, very interested in the wire's diameter (I'd love to see it in mm). Can you (or anyone else) tell me?

sketchsk3tch (author) says: Dec 10, 2011. 11:01 PM
I believe the green is 26 AWG.
dersteps says: Dec 11, 2011. 2:40 AM
Thank you very much!
jonnyb023 says: Dec 8, 2011. 2:51 PM
Does the resistor value depend on the inductance or capacitance?
jonnyb023 says: Dec 9, 2011. 7:35 PM
Also, I am using a Coilcraft .4mH transponder coil with a 4.05nF capacitor and I cannot even get the reader at school to recognize it, not even a rejection.

Any help?

Thanks
apburner says: Sep 6, 2011. 8:29 PM
This would be a perfect project for the femtoduino, http://www.varesano.net/projects/hardware/Femtoduino. I could see this put along with a 3.7v lipoly 1s battery into a small tin and then just push the button to get it to spoof.
aloirã says: Apr 23, 2011. 11:45 PM

My dog has a microchip (standard pet chip which is ISO RFID chip operating at 125 kHz inserted just under the skin between the shoulder blades) and I have fears we are being watched / recorded / studied due to this - and a lot of the research I've done on the subject has led me to find lots of stories of tracking / tracing / research and other breaches of privacy due to these pet chips. I no longer agree with the idea of my dog having this "chip" active inside him.

I have enquired at my vet about removal, which is not possible and even if I found someone who would do it, due to his extremely small size, the anaesthetic needed to operate under is more likely to kill him, and he has a high risk of infection on the area - I will not put his life at risk - surgery is not an option. Is there any way I can deactivate / destroy / disable the RFID chip, without injuring my dog?

Thank you so much for taking the time to read this,

markmeehan says: Aug 14, 2011. 11:14 PM
I'm familiar with the technology and the device. I worked and have the readers, implants and syringes used for one of the leading firms. The device is extremely easy to remove. It's not difficult to make the device unreadable, but if you're really that concerned about them tracking you, then you should have it removed. With the same concern you have over tracking you should also be concerned that you or your animal be questioned for having an RFID that is unable to be read.

We are seeing more and more agencies looking at these tracking devices. Isn't it funny how only 30 years ago when I was much younger they spoke of the mark of the beast, and we all thought, this is so goofy. Today, this is a reality. The difference today is that you have to allow yourself to be tagged. There are technologies that are available today (two German scientists developed a few years back) that use a special radioactive material to mark things as small as a red blood cell.

Using technologies like this a government or other agency could mark you without you even knowing it. Given this concern, the device in your dog is an antique and I wouldn't be too overwhelmed with concern over it.

There are much easier and non invasive ways that you can be tracked if they want to.

Good luck on whatever you choose and I hope this helps.
ToolboxGuy says: Aug 14, 2011. 8:41 AM
Since there is no way to disable it, therefore, we have two options:
1) We cloak it from the sensors.
2) Scramble/confuse the signal.

1) Cloak:
You could use a jacket to block the signal, just like the wrapper used for the "FasTrak" metering for automobiles, or for your USA passport. It's just an anti-static bag, but a bit thicker than your normal bags for PC parts. Two layers of normal wrap would probably be more than sufficient. However, it's not a guarantee here.

It would be easy enough to fashion a "cloak/overcoat" for your pet, with some of this wrap inside it. I am sure your vet would be willing to test the feasibility of using the wrap before you put effort into making one or two overcoats for your pet. Have the vet "find" the chip, then hold the material over that area, and rescan.

Please remember, this jacket is being made of coated plastic, so it could become quite warm while wearing such a coat. Imagine wearing a raincoat in the summer sun.... Check your pet for signs of overheating.

2) Scramble
Those of us who use RFID badges in our daily lives have found that having more than one badge in your pocket frequently prevents the "right" badge from working. Stacking a few badges atop one another, over the chip, could scramble the results. I am not a fan of the option though, as over time, those who are "interested" may validate their results and start seeing which pattern does occur when you pass their reader, and use that for tracking instead. The other big downside is that the chip in the animal can migrate within the body, so your badges won't be in the right place should the chip relocate itself.

Good luck!
solaralternatives says: Dec 16, 2011. 2:50 PM
Sorry, wrong. See my post in this thread.
Grumpy Mike says: Dec 14, 2011. 1:48 AM
I used to design RFID readers for a living.

@aloir - the range of these tags is very small, your pet will have to get to within less than one foot of a reader to be tracked.

@ToolboxGuy - there is no way that readers can cope with more than one tag in a field. There is no way that you can determine that there are two tags in a field and get a pattern. The signals are rejected inside the reader. You could not make a reader to do what you feared. Your paranoia is a result of you not understanding the technology.
ToolboxGuy says: Dec 14, 2011. 6:41 AM
@Grumpy Mike
1) No, I am not paranoid, but thanks for *assuming*. I am only offering options, and I am not the person who believes they're being stalked.
2) The scenario is to track activity, so *any* signal is "accepted" and tracked. Most dolts could figure out if you always pass at 10am, and now all of a sudden you don't, you'd review what DID pass by at 10am, and verify it the next day, matching or non-matching.
3) Now that I look back on this, I wonder if this person is trying to cheat detection on a stolen animal, and does not want to be discovered.
Grumpy Mike says: Dec 15, 2011. 4:27 AM
The scenario is to track activity, so *any* signal is "accepted" and tracked.
No you can't track two tokens because the reader would not see them, it would regard them as noise, just the same as noise that happens all the time due to the working of the reader. There would be no "special event" to actually see and record.

The range of the tokens is less than a foot anyway so you normally have to present it to the reader. It is not something you can activate from a long way off. You can do this with some other cards but not the passive 125KHz tokens.
Grumpy Mike says: Dec 16, 2011. 3:38 AM
I have just done some experiments with two tokens in a field. I can adjust the reader to actually pick up a random pattern with two tokens in the field. As I said this looks like noise. However, when I do these adjustments then the reader will no longer respond to a single token. So, as I said, two tokens block the reading completely with no way of detecting that there are two tokens in the field.
solaralternatives says: Dec 4, 2011. 11:07 PM
Couldn't a strong RF or electromagnetic field destroy the sensor? It should remain in place, of course, but burn out and deactivate the device without hurting the animal.
solaralternatives says: Dec 4, 2011. 11:05 PM
A strong electromagnetic or rf field should harmlessly burn out the circuitry in the tag, shouldn't it?
Grumpy Mike says: Dec 14, 2011. 1:49 AM
No.
solaralternatives says: Dec 15, 2011. 6:15 PM
You do realize it's a very fine coil.. overload a wire by inducing too much current in it from an electromagnetic field and it'll blow like an incandescent bulb designed for 100v running on 440..
Grumpy Mike says: Dec 16, 2011. 3:32 AM
Yes the wire in the token is very fine, but to make that melt like a fuse you will have to put at least 1A through it. You have a problem with this, it is getting enough magnetic field to produce that much current. This is because the energising coil is an inductor and so the inductive reactance limits the amount of current you can get down a coil. To build an electromagnet that would destroy a token is way beyond the capacity of anyone on this site. Would anyone like to prove me wrong and build one?
DIY-Guy says: Jun 8, 2012. 6:38 PM
I'd just be curious to see if anyone here has the specs for such an electromagnet. Do you know what the values would need to be? The seed of accurate information might be enough to start someone here on the project. Then everyone would learn something one way or the other.

Nice thought isn't it? :)
solaralternatives says: Dec 16, 2011. 2:42 PM
FURTHER: I would keep ALL electronic equipment, including cellphones, computers, radios, TVs, and those remote car starting tags FAR away from this thing. I'll bet it fries ICs and other delicate circuitry as well.. Again, you guys have been warned.
Grumpy Mike says: Dec 17, 2011. 8:01 AM
Don't forget to change the tin foil in your hat because it wears out after about three months and then you are vulnerable again. YOU HAVE BEEN WARNED.

On the other hand I assume that your totally meaningless rant means that your brain has already been taken over.
solaralternatives says: Dec 21, 2011. 6:07 AM
For some reason my reply was lost, so re-posting. Mike, I think we're talking apples and oranges here. I never said your device was dangerous around RFID. I said the link I provided has a device that CREATES A HUGE EMP SPIKE was. I stand by that. It is. And no, I need no 'tin foil hat'. It was provided as an info link in response to a query by the woman with the dog. She wanted to deactivate the chip. Apparently the device is quite capable for doing so. Next time you have a problem with me, do not be quite so grumpy, and take it off list, at least first, and see if we can resolve the issue like mature adults. Thank you.
solaralternatives says: Dec 17, 2011. 3:55 PM
Have you ever seen what happens with EMP? I didn't think so. If you want to be responsible for f'ing up someone's I-Phone or computer by not warning them sufficiently, be my guest. IC's are NOT bulletproof. Not funny, mike.
Grumpy Mike says: Dec 18, 2011. 2:49 AM
" Have you ever seen what happens with EMP? "

Yes I have, I have been an Electronic Engineer for over 40 years. I have subjected equipment to electromagnetic pulses in test chambers at approved test houses. I know that this project poses no danger to any electronic equipment because the fields it produces are tiny.

" I didn't think so. "
So wrong again.
solaralternatives says: Dec 16, 2011. 2:31 PM
I don't want to be responsible for stupid people doing stupid things so note the following (if you DO build it):

1) This puppy has VERY high voltage and you must be careful when wiring it and fiddling around inside the HV circuits.

2) For God's sake.. keep any RFID based stuff you DON'T WISH TO DESTROY far away from this device. This includes some driver's licenses, passports, some credit cards. You've been warned.

solaralternatives says: Dec 16, 2011. 2:24 PM
I'm not quite that clever, even tho I have tech training.. BUT: http://www.rfidjournal.com/article/view/2098 http://hackaday.com/2009/12/22/terminate-rfid-tags/ (for info purposes ONLY)
HomemadeHonor says: Jun 21, 2011. 7:20 PM
This
átóth2 says: May 6, 2011. 10:36 PM
option(1) Yeap, I guess you could build a fake device/mod a stock one, which can either constantly transmit only 1's at the same signal shape, possibly emitting the signal at higher energy than the retail device or a signal pattern that makes the superposed bitstream invalid, or you could try to mod one to invert the pattern by inserting a simple NOT instruction in the microcode in order to have the logical negated signal / waveform cancelation (not sure how the term applies to squarewaves and not sure how the detector's edge detection method works). You could also make it self-powered to achieve a stronger transmission from your second device.
Or you can shield it around by mounting some sort of foil or other flexible metal mesh/sheet somehow onto the dog's skin. No better rapid ideas now :)

option(2): keep your dog at home/have your best friend doggysit him for the time you have to visit your boyfriend while cheating your rich CIA-employed husband ;)))
davidaneiss says: Jan 2, 2011. 1:29 PM
sketchsk3tch, nice job. But why delayMicroseconds() 256 instead of 208? 1/2400/2 = 208.3. I've tried it at 208 and it doesn't seem to work. It stops working for me at around a value of 215. I wonder if the Parallax is actually sending data at a slightly lower baud rate than 2400?
davidaneiss says: Jan 2, 2011. 1:55 PM
Ok, my bad. I assumed that because Parallax was emitting the serial data at 2400, the internal RFID part was also running at 2400. Googling seems to indicate that the RF portion actually works at a slightly different rate as they are getting 64 cycles of the 128 kHz carrier together into a half bit.
flashmandv says: Nov 21, 2010. 1:39 AM
Do we have to change the circuit if we want to use bi-phase coding?
evanwehrer says: Apr 26, 2010. 12:56 PM
I'm gonna make a shield for this!
duct tape says: Sep 9, 2010. 9:51 PM
Lol it could be the new line:
"There's a shield for that!"
musick7 says: Sep 8, 2010. 7:02 PM
LC METER Link, This will help with this project.

http://electronics-diy.com/lc_meter.php

Great Project! Love the simpleness here at Instructables!
musick7 says: Sep 8, 2010. 7:01 PM
Here is a Link for a Simple Meter that will help with this Process. It's an LC Meter it will Read VERY SMALL Amounts.
If you need to MAKE YOUR OWN COIL then this is the Meter for you.
Simple to Build Schematic and Instructions are located here:

http://electronics-diy.com/lc_meter.php

yaba says: Apr 20, 2010. 4:17 AM
Hi, nice work!!
Now tell me, we could use some PIC or any other device, right?
I wonder if we could use Bus Pirate + some script in Python or Perl?!?!?!?
Thanks
sketchsk3tch (author) says: Apr 20, 2010. 6:28 AM
Anything that can power the transistor on and off with a 256 microsecond delay between them should work.  So yeah, a PIC should work.  I bet the Bus Pirate could as well.  I've got one of those on order at Seeed, but I ordered it with their new logical analyzer so it won't ship until that does.
lras says: Apr 19, 2010. 12:12 AM
Shouldn't the sixth line "11100" be "11101"?  (Zero-happy again? :-)

sketchsk3tch (author) says: Apr 19, 2010. 6:19 AM
You're right, thanks for pointing that out.  It should be fixed now.  Let me know if you notice anything else.
lras says: Apr 19, 2010. 12:14 AM
Or perhaps it should be "11110" to make the column parity correct.
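The row and column parity rule sketchsk3tch describes earlier in the comments, applied to the "11100" line lras raises here, as an added example that is not part of the thread or the instructable's sketch. It assumes the data is written as ten 5-bit lines followed by four column parity bits; `check_parity`, `parity_report` and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ROWS 10  /* ten hex digits, one per line */
#define COLS 4   /* data bits per line; index COLS is the row parity bit */

struct parity_report {
    unsigned bad_rows;  /* bit r set: line r holds an odd number of 1s */
    unsigned bad_cols;  /* bit c set: column c plus its parity bit is odd */
    int fix_row;        /* the single bit that repairs the block, or -1 */
    int fix_col;        /* 0..3 = data bit, COLS = the row parity bit */
};

static int is_bits(const char *s, size_t n)
{
    return strlen(s) == n && strspn(s, "01") == n;
}

/* Returns 0 after filling rep, or -1 if a line is not well-formed bits. */
int check_parity(const char *const rows[ROWS], const char *colpar,
                 struct parity_report *rep)
{
    int colsum[COLS] = {0}, nbad_rows = 0, nbad_cols = 0, r, c;

    rep->bad_rows = rep->bad_cols = 0;
    rep->fix_row = rep->fix_col = -1;
    if (!is_bits(colpar, COLS)) return -1;
    for (r = 0; r < ROWS; r++) {
        int ones = 0;
        if (!is_bits(rows[r], COLS + 1)) return -1;
        for (c = 0; c <= COLS; c++) ones += rows[r][c] - '0';
        for (c = 0; c < COLS; c++) colsum[c] += rows[r][c] - '0';
        if (ones % 2) { rep->bad_rows |= 1u << r; rep->fix_row = r; nbad_rows++; }
    }
    for (c = 0; c < COLS; c++)
        if ((colsum[c] + (colpar[c] - '0')) % 2) {
            rep->bad_cols |= 1u << c; rep->fix_col = c; nbad_cols++;
        }
    /* One odd row and one odd column: the data bit where they cross.
       One odd row and clean columns: that row's own parity bit. */
    if (nbad_rows == 1 && nbad_cols == 0) rep->fix_col = COLS;
    else if (!(nbad_rows == 1 && nbad_cols == 1)) rep->fix_row = rep->fix_col = -1;
    return 0;
}

int main(void)
{
    /* Constructed sample block: line six carries the typo "11100". */
    const char *rows[ROWS] = {"00000", "01100", "00000", "00000", "00011",
                              "11100", "00101", "01010", "10010", "00110"};
    struct parity_report rep;
    if (check_parity(rows, "0100", &rep) == 0 && rep.fix_row >= 0)
        printf("flip line %d, bit %d\n", rep.fix_row + 1, rep.fix_col + 1);
    return 0;
}
```

With column parity "0100" the repair is the parity bit of line six ("11101"); with "0101" the same typo resolves to the fourth data bit ("11110"), which is why the column line decides between the two corrections.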
Learndy says: Apr 16, 2010. 1:28 PM
Coilcraft offers RFID transponder coils of different inductance and range. From inductance you can calculate the capacitor. They are much more compact than a TP-roll. Even smaller than an empty roll. ;-) They are not very expensive and Coilcraft supplies free samples.

--
Airspace V - international hangar flying!
http://www.airspace-v.com/ggadgets for tools & toys (MODIS image of the day will be repaired soon)
iBurn says: Apr 15, 2010. 11:44 AM
Which Arduino board are you using? Or rather, which would be the most appropriate for this application on a budget? Thanks in advance
--
IBurn
hollenback.c says: Apr 15, 2010. 12:19 PM
That's an Arduino Duemilanove (ATmega 328). They're about \$30 from SparkFun, \$35 from the Makershed. If you wanted something cheaper, you could get an arduino clone of some kind, like the boarduino (\$18?), but they get a little more complicated. You'll probably do best with a Duemilanove. Good luck.
spyguy99 says: Apr 13, 2010. 7:07 PM
Thank you for this! I've been looking all over for an Arduino based RFID spoofer, and now here it is!
robomaniac says: Apr 13, 2010. 9:16 AM
Normally, to pique people's interest, it is recommended to put the video on the main page. Because that video is a résumé of your entire instructable.

Also in your video, a better view of your computer screen would have been nice.
A video of the screen capture (Camstudio) at the same time of the video would have been nicer.
More work in the editing but that would have ensured more views on youtube and instructables.

Keep it up, I like the idea.
takatomon says: Apr 11, 2010. 5:52 AM