Instructables

Stupid Simple Arduino LF RFID Tag Spoofer

Picture of Stupid Simple Arduino LF RFID Tag Spoofer
RFID tags are all over the place. They're used in building access control systems, passports, inventory tracking . . . This instructable will show how you can use an Arduino and a few simple components (wire coil, transistor, capacitor, resistor) to make a device that can spoof a 125 kHz (low frequency) RFID tag. This is version 1, so there are many enhancements that can be made, but this version is stupid simple, yet it works. I did this in a few hours without much previous knowledge of RFID and without any fancy equipment (like radio tuning hardware or an oscilloscope . . . I guess an oscilloscope is fancy, I need to pick up one of those).

UPDATE: Here is a link to an Arduino Mini shield based on these instructions http://wiki.smallroom.net/doku.php?id=terd:projects:rfidspoofer . 
 

Step 1: Parts

Picture of Parts
Parts:

*Some enamel coated solid core copper wire (I used the green spool from the 3 spool set Radio Shack carries).

*An NPN transistor, I used a 2N3904

*A 10 kΩ resistor

*A 10 nF capacitor (0.01 uF). I'm using a metallized polyester film cap I got from Radio Shack, others should work though

*A toilet paper roll to wind the wire on

I tested my circuit using a Parallax RFID serial reader connected to a second Arduino.
lgrama 2 months ago

I tried to make the circuit but for me it doesn't work. I used a coil from Coilcraft (4513TC-495XGLB) with a 330 pF capacitor and a standard USB reader.

Can you help me with some advice, please?

Machine 1 year ago
What does "spoof" mean? Forgive my ignorance.

Don't bother, I went looking for it and found it in the Hacker's Dictionary:

spoof vi.

To capture, alter, and retransmit a communication stream in a way that misleads the recipient. As used by hackers, refers especially to altering TCP/IP packet source addresses or other packet-header data in order to masquerade as a trusted machine. This term has become very widespread and is borderline techspeak.

It means "to pretend to be something it's not" in this instance.

TripM 10 months ago
I have a related but similar question. Is it possible to hide the identifying information on an RFID card? Thanks in advance for any details you can provide!
I've just built this circuit and it works just fine, I was curious as to how you would go about calculating an actual RFID tag code for spoofing as well as the parity bits to go with?
I understand the code itself is in 10 binary segments each with a parity bit but I'm unsure on how to work out the parity for it.
sketchsk3tch (author) TimMcClymont 1 year ago
Check out step 3. Each hex number is represented by 4 binary digits then one even parity bit. In other words, count how many of the 4 digits are 1s; if it's an even number the 5th bit is a 0, if it's odd then it's a one. Do the same for the column parity bits at the end, but add up the ten columns.
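A worked version of the parity scheme described in that reply, added here as an example rather than the Instructable's own sketch: it builds the 64-bit frame for a 10-hex-digit tag ID using the standard EM4100 layout (nine header 1s, ten rows of 4 data bits plus an even row parity bit, four even column parity bits, a 0 stop bit), and pairs it with the reader-side consistency check a validating reader applies. The sample ID `0F0368568B` is constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Build the 64-bit EM4100 frame for a 10-hex-digit ID: 9 header ones, 10 rows of
   4 data bits + even row parity, 4 even column parity bits, then a 0 stop bit. */
int em4100_encode(const char *hex10, uint8_t out[64]) {
    if (strlen(hex10) != 10) return -1;
    int pos = 0, col[4] = {0, 0, 0, 0};
    for (int i = 0; i < 9; i++) out[pos++] = 1;           /* header: nine 1s */
    for (int row = 0; row < 10; row++) {
        char c = hex10[row]; int v;
        if (c >= '0' && c <= '9') v = c - '0';
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else return -1;                                    /* not a hex digit */
        int rowpar = 0;
        for (int b = 3; b >= 0; b--) {                     /* MSB first */
            int bit = (v >> b) & 1;
            out[pos++] = (uint8_t)bit;
            rowpar ^= bit;                                 /* even parity over the 4 data bits */
            col[3 - b] ^= bit;                             /* running parity of each column */
        }
        out[pos++] = (uint8_t)rowpar;                      /* 1 if an odd number of 1s */
    }
    for (int k = 0; k < 4; k++) out[pos++] = (uint8_t)col[k];
    out[pos++] = 0;                                        /* stop bit */
    return pos;                                            /* always 64 on success */
}

/* Reader-side check: 1 if header, every row parity and every column parity agree. */
int em4100_verify(const uint8_t f[64]) {
    for (int i = 0; i < 9; i++) if (f[i] != 1) return 0;
    int col[4] = {0, 0, 0, 0};
    for (int row = 0; row < 10; row++) {
        const uint8_t *r = f + 9 + row * 5;
        int p = 0;
        for (int b = 0; b < 4; b++) { p ^= r[b]; col[b] ^= r[b]; }
        if (p != r[4]) return 0;
    }
    for (int k = 0; k < 4; k++) if (col[k] != f[59 + k]) return 0;
    return f[63] == 0;
}

int main(void) {
    uint8_t f[64];
    if (em4100_encode("0F0368568B", f) != 64) return 1;   /* constructed sample ID */
    for (int i = 0; i < 64; i++) putchar('0' + f[i]);
    printf("\nparity ok: %d\n", em4100_verify(f));
    return 0;
}
```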
Is it possible to replace the coil with an inductor of the same inductance? Does it have the same effect?
Thanks!
aloirã 2 years ago
**** PLEASE READ ****

My dog has a microchip (standard pet chip which is an ISO RFID chip operating at 125 kHz inserted just under the skin between the shoulder blades) and I have fears we are being watched / recorded / studied due to this - and a lot of the research I've done on the subject has led me to find lots of stories of tracking / tracing / research and other breaches of privacy due to these pet chips. I no longer agree with the idea of my dog having this "chip" active inside him.

I have enquired at my vet about removal, which is not possible, and even if I found someone who would do it, due to his extremely small size the anaesthetic needed to operate under is more likely to kill him, and he has a high risk of infection in the area - I will not put his life at risk - surgery is not an option. Is there any way I can deactivate / destroy / disable the RFID chip without injuring my dog?

PLEASE HELP

Thank you so much for taking the time to read this.

Since there is no way to disable it, therefore, we have two options:
1) We cloak it from the sensors.
2) Scramble/confuse the signal.

1) Cloak:
You could use a jacket to block the signal, just like the wrapper used for the "FasTrak" metering for automobiles, or for your USA passport. It's just an anti-static bag, but a bit thicker than your normal bags for PC parts. Two layers of normal wrap would probably be more than sufficient. However, it's not a guarantee here.

It would be easy enough to fashion a "cloak/overcoat" for your pet, with some of this wrap inside it. I am sure your vet would be willing to test the feasibility of using the wrap before you put effort into making one or two overcoats for your pet. Have the vet "find" the chip, then hold the material over that area, and rescan.

Please remember, this jacket is being made of coated plastic, so it could become quite warm while wearing such a coat. Imagine wearing a raincoat in the summer sun.... Check your pet for signs of overheating.

2) Scramble
Those of us who use RFID badges in our daily lives have found that having more than one badge in your pocket frequently prevents the "right" badge from working. Stacking a few badges atop one another, over the chip, could scramble the results. I am not a fan of the option though, as over time those who are "interested" may validate their results and start seeing which pattern does occur when you pass their reader, and use that for tracking instead. The other big downside is that the chip in the animal can migrate within the body, so your badges won't be in the right place should the chip relocate itself.

Good luck!
A strong electromagnetic or rf field should harmlessly burn out the circuitry in the tag, shouldn't it?
No.
You do realize it's a very fine coil.. overload a wire by inducing too much current in it from an electromagnetic field and it'll blow like an incandescent bulb designed for 100v running on 440..
Yes the wire in the token is very fine, but to make that melt like a fuse you will have to put at least 1A through it. You have a problem with this, it is getting enough magnetic field to produce that much current. This is because the energising coil is an inductor and so the inductive reactance limits the amount of current you can get down a coil. To build an electromagnet that would destroy a token is way beyond the capacity of anyone on this site. Would anyone like to prove me wrong and build one?
I'd just be curious to see if anyone here has the specs for such an electromagnet. Do you know what the values would need to be? The seed of accurate information might be enough to start someone here on the project. Then everyone would learn something one way or the other.

Nice thought isn't it? :)
FURTHER: I would keep ALL electronic equipment, including cellphones, computers, radios, TVs, and those remote car starting tags FAR away from this thing. I'll bet it fries ICs and other delicate circuitry as well.. Again, you guys have been warned.
Don't forget to change the tin foil in your hat because it wears out after about three months and then you are vulnerable again. YOU HAVE BEEN WARNED.

On the other hand I assume that your totally meaningless rant means that your brain has already been taken over.
For some reason my reply was lost, so re-posting. Mike, I think we're talking apples and oranges here. I never said your device was dangerous around RFID. I said the link I provided has a device that CREATES A HUGE EMP SPIKE, and that was. I stand by that. It is. And no, I need no 'tin foil hat'. It was provided as an info link in response to a query by the woman with the dog. She wanted to deactivate the chip. Apparently the device is quite capable of doing so. Next time you have a problem with me, do not be quite so grumpy, and take it off list, at least first, and see if we can resolve the issue like mature adults. Thank you.
Have you ever seen what happens with EMP? I didn't think so. If you want to be responsible for f'ing up someone's I-Phone or computer by not warning them sufficiently, be my guest. IC's are NOT bulletproof. Not funny, mike.
" Have you ever seen what happens with EMP? "

Yes I have, I have been an Electronic Engineer for over 40 years. I have subjected equipment to electro magnetic pulses in test chambers at approved test houses. I know that this project poses no danger to any electronic equipment because the fields it produces are tiny.

" I didn't think so. "
So wrong again.
I don't want to be responsible for stupid people doing stupid things so note the following (if you DO build it):

1) This puppy has VERY high voltage and you must be careful when wiring it and fiddling around inside the HV circuits.

2) For God's sake.. keep any RFID based stuff you DON'T WISH TO DESTROY far away from this device. This includes some drivers licenses, passports, some credit cards. You've been warned

I'm not quite that clever, even tho I have tech training.. BUT: http://www.rfidjournal.com/article/view/2098 http://hackaday.com/2009/12/22/terminate-rfid-tags/ (for info purposes ONLY)
Sorry, wrong. See my post in this thread.
I used to design RFID readers for a living.

@aloir - the range of these tags is very small, your pet will have to get to within less than one foot of a reader to be tracked.

@ToolboxGuy - there is no way that readers can cope with more than one tag in a field. There is no way that you can determine that there are two tags in a field and get a pattern. The signals are rejected inside the reader. You could not make a reader to do what you feared. Your paranoia is a result of you not understanding the technology.
@Grumpy Mike
1) No, I am not paranoid, but thanks for *assuming*. I am only offering options, and I am not the person who believes they're being stalked.
2) The scenario is to track activity, so *any* signal is "accepted" and tracked. Most dolts could figure out if you always pass at 10am, and now all of a sudden you don't, you'd review what DID pass by at 10am, and verify it the next day, matching or non-matching.
3) Now that I look back on this, I wonder if this person is trying to cheat detection on a stolen animal, and does not want to be discovered.
The scenario is to track activity, so *any* signal is "accepted" and tracked.
No you can't track two tokens because the reader would not see them, it would regard them as noise, just the same as noise that happens all the time due to the working of the reader. There would be no "special event" to actually see and record.

The range of the tokens is less than a foot anyway so you normally have to present it to the reader. It is not something you can activate from a long way off. You can do this with some other cards but not the passive 125KHz tokens.
I have just done some experiments with two tokens in a field. I can adjust the reader to actually pick up a random pattern with two tokens in the field. As I said, this looks like noise. However, when I do these adjustments the reader will no longer respond to a single token. So, as I said, two tokens block the reading completely with no way of detecting that there are two tokens in the field.
Couldn't a strong RF or electromagnetic field destroy the sensor? It should remain in place, of course, but burn out and deactivate the device without hurting the animal.
I'm familiar with the technology and the device. I worked for one of the leading firms and have the readers, implants and syringes they use. The device is extremely easy to remove. It's not difficult to make the device unreadable, but if you're really that concerned about them tracking you, then you should have it removed. With the same concern you have over tracking, you should also be concerned that you or your animal could be questioned for having an RFID that is unable to be read.

We are seeing more and more agencies looking at these tracking devices. Isn't it funny how only 30 years ago when I was much younger they spoke of the mark of the beast, and we all thought, this is so goofy. Today, this is a reality. The difference today is that you have to allow yourself to be tagged. There are technologies that are available today, (two german scientists developed a few years back) that use a special radioactive material to mark things as small as a red blood cell.

Using technologies like this a government or other agency could mark you without you even knowing it. Given this concern, the device in your dog is an antique and I wouldn't be too overwhelmed with concern over it.

There are much easier and non invasive ways that you can be tracked if they want to.

Good luck on whatever you choose and I hope this helps.
Astinsan 3 years ago
Can this be made to spoof transponder keys? I have an old Ford that uses the TI transponder in the ignition. VAT bypass would cost me around $400. If it could be done for under $100 with an Arduino it would be cool.
The only reason people would have something like those here in the US is that they were arrested for drunk driving. If you own the car, and are not REQUIRED to have the thing, why don't you just remove it? If you ARE required to have it, you could probably get in a lot of trouble for screwing around with it. I wouldn't, if I were you.
No, transponders don't work like this.
darnit...
dersteps 2 years ago
Hey! Looks like an awesome project, I'm planning to try it myself.

I don't have Radio Shack around here and don't want to order the wire set from them to Germany (shipping...). So I'm very, very interested in the wire's diameter (I'd love to see it in mm). Can you (or anyone else) tell me?

Thanks in advance!
sketchsk3tch (author) dersteps 2 years ago
I believe the green is 26 AWG.
Thank you very much!
jonnyb023 2 years ago
Does the resistor value depend on the inductance or capacitance?
Also, I am using a Coilcraft .4mH transponder coil with a 4.05nF capacitor and I cannot even get the reader at school to recognize it, not even a rejection.

Any help?

Thanks
apburner 2 years ago
This would be a perfect project for the femtoduino, http://www.varesano.net/projects/hardware/Femtoduino. I could see this put along with a 3.7v lipoly 1s battery into a small tin and then just push the button to get it to spoof.
átóth2 2 years ago
option(1) Yep, I guess you could build a fake device/mod a stock one, which can either constantly transmit only 1's at the same signal shape, possibly emitting the signal at higher energy than the retail device, or a signal pattern that makes the superposed bitstream invalid, or you could try to mod one to invert the pattern by inserting a simple NOT instruction in the microcode in order to have the logically negated signal / waveform cancellation (not sure how the term applies to square waves and not sure how the detector's edge detection method works). You could also make it self-powered to achieve a stronger transmission from your second device.
Or you can shield it around by mounting some sort of foil or other flexible metal mesh/sheet somehow onto the dog's skin. No better rapid ideas now :)

option(2): keep your dog at home/have your best friend doggysit him for the time you have to visit your boyfriend while cheating your rich CIA-employed husband ;)))