Stupid Simple Arduino LF RFID Tag Spoofer


Intro: Stupid Simple Arduino LF RFID Tag Spoofer

RFID tags are all over the place.  They're used in building access control systems, passports, inventory tracking . . .   This instructable shows how you can use an Arduino and a few simple components (wire coil, transistor, capacitor, resistor) to make a device that spoofs a 125 kHz (low frequency) RFID tag.  This is version 1, so there are many enhancements that can be made, but it is stupid simple, and it works.  I did this in a few hours without much previous knowledge of RFID and without any fancy equipment (like radio tuning hardware or an oscilloscope . . . I guess an oscilloscope is fancy, I need to pick up one of those).

UPDATE: Here is a link to an Arduino Mini shield based on these instructions http://wiki.smallroom.net/doku.php?id=terd:projects:rfidspoofer . 

STEP 1: Parts

Parts:

*Some enamel coated solid core copper wire (I used the green spool from the 3 spool set Radio Shack carries).


*An NPN transistor, I used a 2N3904

*A 10 K Ohm Resistor

*A 10 nF capacitor (0.01 uF). I'm using a Metalized polyester film cap I got from Radio Shack, others should work though

*A toilet paper roll to wind the wire on

I tested my circuit using a Parallax RFID serial reader connected to a second Arduino

STEP 2: RFID Background

A passive RFID tag has a coil and a chip with data on it.  An RFID reader has a coil that creates a varying magnetic field (in this case at 125 kHz), which is called the carrier signal.  When the tag is close to the reader, that field powers the chip on the tag, which then responds by loading and unloading (in this instructable, "detuning" and "tuning") its own antenna; the reader senses the resulting changes in the current through its own coil.  This all works on the principle of inductive coupling; to learn more about it see www.rfid-handbook.de/rfid/types_of_rfid.html

125 kHz cards use Manchester encoding to send their data to the reader.  Manchester encoding takes the XOR of the bit to be transmitted and the clock value.  So if the clock is low (0) and the value to transmit is 1, the line is 0 XOR 1 = 1; when the clock goes high in the second half of the bit, the line becomes 1 XOR 1 = 0.  Every bit therefore occupies one clock period and contains a transition in the middle, which is what lets the reader recover the tag's bit clock.  For more information on Manchester encoding see en.wikipedia.org/wiki/Manchester_code.


STEP 3: The Data

You can either download the code below, or get it here: www.scribd.com/doc/30215336/RFID-Faker-Code

The serial number of a tag is sent using a fairly simple frame format (the EM4100 format; see the first link in the references section).

It starts by sending 9 ones (the header; no run of nine ones can occur anywhere else in the frame, so the reader uses it to find the start)

Then it sends 10 groups of 4 bits (one per hex digit of the 40-bit ID), each followed by one parity bit (even parity over the 4 bits)
Then it sends 4 "column" parity bits (even parity of each column of the 10 rows above)
Last it sends a 0 stop bit, for 64 bits in total

So an example looks like this:

(start bits)
111111111

(10 rows of data - the card serial number)
(the first 4 bits are the data, the last is the even parity bit)

11110
10100
10001
11000
10010
11101
11110
00000
00011
01010

(then it sends the 4 column parity bits: even parity of each column of the rows above)

1101

(last a 0 stop bit)

0

See the pdf in the first link in the references section for more details on this

Image provided by Flickr user at www.flickr.com/photos/kurtisscaletta/2473469841/ and used under the creative commons license.

STEP 4: Building the Circuit

You need a coil of about 150 to 162 uH (different sources give different values; with the 10 nF capacitor used here, 162 uH resonates at 125 kHz).  To work out how many turns to wind you can use an inductance calculator like the one at www.crystalradio.net/cal/indcal2.shtml.  I used the green spool from the Radio Shack set of wires and wound it about 133 times around the toilet paper roll (I got there with a calculator plus some trial and error; I have no tuning equipment).  Leave a little extra wire in case you need to add turns to get the antenna tuned.

Once you have your coil you can connect it to the circuit.  The schematic is simple.  Connect pin 9 on the Arduino through the 10 K Ohm resistor to the base of the transistor.  Put the capacitor between the collector and emitter of the transistor, and connect the emitter to ground.  Finally connect the coil across the collector and emitter as well, so the coil and capacitor form a parallel LC tank that the transistor can short out.

STEP 5: The Code

The Arduino now has to tune and detune the antenna.  When pin 9 is low the transistor is off and the antenna is tuned (sending a "high" to the reader).  When pin 9 is high, current flows into the base and the transistor switches on, shorting the two ends of the coil, which "detunes" the antenna (a "low").  Doing this in the right sequence, with Manchester timing, sends data to the reader.  The code generates a tag ID of 10 hex F's; if that's what your reader displays, you know it's working.
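The frame format from Step 3 and the Manchester / tune-detune sequence from Steps 2 and 5, worked through as an added C example. This is not the instructable's sketch (that is linked above) and not any reader's firmware: it builds the 64-bit frame for an arbitrary 40-bit ID, computes the row and column parity bits, checks a received frame the way a reader does, Manchester-encodes it by the XOR-with-clock rule given in Step 2, and produces the level for pin 9 during each half-bit. Two things are my assumptions rather than statements on the page: the RF/64 data rate (64 carrier cycles, 512 us, per bit at 125 kHz), which is the usual EM4100 rate, and the pin polarity, which follows the Step 5 description (pin high = detuned = "0").

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EM4100-style frame from Step 3: 9 start bits, 10 rows of 4 data bits +
   1 even row-parity bit, 4 even column-parity bits, 1 stop bit (0).
   9 + 50 + 4 + 1 = 64 bits, which become 128 Manchester half-bits. */
#define EM4100_FRAME_BITS 64
#define EM4100_CHIPS (2 * EM4100_FRAME_BITS)

/* Build the 64-bit frame for a 40-bit ID given as 5 bytes, MSB first.
   out[] gets one bit (0/1) per element, in transmission order. */
void em4100_frame(const uint8_t id[5], uint8_t out[EM4100_FRAME_BITS])
{
    size_t n = 0;
    uint8_t col[4] = {0, 0, 0, 0};

    for (int i = 0; i < 9; i++)                 /* header: nine 1s */
        out[n++] = 1;
    for (int r = 0; r < 10; r++) {              /* one row per hex digit */
        uint8_t nib = (r & 1) ? (id[r / 2] & 0x0F) : (id[r / 2] >> 4);
        uint8_t rowp = 0;
        for (int b = 3; b >= 0; b--) {          /* nibble MSB first */
            uint8_t bit = (nib >> b) & 1;
            out[n++] = bit;
            rowp ^= bit;                        /* even parity = XOR of the row */
            col[3 - b] ^= bit;                  /* accumulate each column's parity */
        }
        out[n++] = rowp;
    }
    for (int c = 0; c < 4; c++)                 /* column parity bits */
        out[n++] = col[c];
    out[n++] = 0;                               /* stop bit */
}

/* Render a frame as a '0'/'1' string (65 bytes including the NUL). */
void em4100_frame_string(const uint8_t id[5], char out[EM4100_FRAME_BITS + 1])
{
    uint8_t bits[EM4100_FRAME_BITS];
    em4100_frame(id, bits);
    for (int i = 0; i < EM4100_FRAME_BITS; i++)
        out[i] = (char)('0' + bits[i]);
    out[EM4100_FRAME_BITS] = '\0';
}

/* Reader-side check of a received frame: header, row parity, column parity
   and stop bit.  Returns 0 and fills id_out on success, -1 on a framing
   error, -2 on a parity error (what a reader sees when a bit was corrupted). */
int em4100_decode(const uint8_t bits[EM4100_FRAME_BITS], uint8_t id_out[5])
{
    uint8_t col[4] = {0, 0, 0, 0};
    for (int i = 0; i < 9; i++)
        if (bits[i] != 1) return -1;
    if (bits[EM4100_FRAME_BITS - 1] != 0) return -1;
    memset(id_out, 0, 5);
    for (int r = 0; r < 10; r++) {
        const uint8_t *row = &bits[9 + 5 * r];
        uint8_t nib = 0, rowp = 0;
        for (int b = 0; b < 4; b++) {
            nib = (uint8_t)((nib << 1) | row[b]);
            rowp ^= row[b];
            col[b] ^= row[b];
        }
        if (rowp != row[4]) return -2;
        id_out[r / 2] |= (r & 1) ? nib : (uint8_t)(nib << 4);
    }
    for (int c = 0; c < 4; c++)                 /* column parity sits at 59..62 */
        if (col[c] != bits[59 + c]) return -2;
    return 0;
}

/* Manchester coding as Step 2 defines it: chip = bit XOR clock, clock low in
   the first half of the bit and high in the second.  A 1 is sent high-then-low,
   a 0 low-then-high, so every bit carries a mid-bit transition. */
void manchester_encode(const uint8_t bits[], size_t nbits, uint8_t chips[])
{
    for (size_t i = 0; i < nbits; i++) {
        chips[2 * i]     = bits[i] ^ 0;
        chips[2 * i + 1] = bits[i] ^ 1;
    }
}

/* Microseconds per half-bit.  Assumption: the tag clocks data at a fixed
   division of the 125 kHz carrier (8 us per cycle); RF/64 is the usual rate,
   i.e. 512 us per bit and 256 us per half-bit. */
unsigned chip_us(unsigned rf_divisor)
{
    return rf_divisor * 8 / 2;
}

/* Level for pin 9 during each half-bit.  Per Step 5, pin 9 HIGH detunes the
   coil (a "0" on the air) and LOW leaves it tuned (a "1"), so the pin carries
   the inverted chip.  A comment below reports a reader that needed the
   opposite polarity; flip the inversion here if yours decodes nothing. */
void em4100_pin_levels(const uint8_t id[5], uint8_t pin[EM4100_CHIPS])
{
    uint8_t bits[EM4100_FRAME_BITS], chips[EM4100_CHIPS];
    em4100_frame(id, bits);
    manchester_encode(bits, EM4100_FRAME_BITS, chips);
    for (int i = 0; i < EM4100_CHIPS; i++)
        pin[i] = !chips[i];
}

int main(void)
{
    const uint8_t id[5] = {0xFA, 0x8C, 0x9E, 0xF0, 0x15};  /* the Step 3 example ID */
    char frame[EM4100_FRAME_BITS + 1];
    em4100_frame_string(id, frame);
    printf("frame: %s\nhalf-bit: %u us\n", frame, chip_us(64));
    return 0;
}
```

Run with any C compiler; main prints the 64-bit frame for the Step 3 example (ID FA8C9EF015) and you can check it bit for bit against the rows listed in Step 3. On the Arduino the transmit loop is nothing more than: for each of the 128 entries in pin[], digitalWrite(9, pin[i]) and then delayMicroseconds(chip_us(64)), repeated forever. Because the Arduino's own timing rather than the reader's carrier sets the half-bit length, the frame can drift against the reader's clock, which is the dropped-frame behaviour described in Step 8; em4100_decode returning -2 is what that looks like from the reader's side.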

STEP 6: Testing

To test the circuit, hold the antenna right up to the reader (go ahead and touch it to the reader for the first test).  If everything is right you should see the tag ID you're expecting.  If not (and you're sure the sketch is uploaded properly and the circuit is wired correctly), start adding and removing turns from the coil and retesting.  It should be somewhere in the 120-140 turn range with the green Radio Shack wire I used.

Once it works at really short range (touching the reader) you can tune the coil further and should be able to get a range of a few inches.
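Tuning arithmetic for the coil in Step 4 and the trial-and-error of Step 6, as an added C example rather than anything from the instructable. The tank resonance formula is standard physics; the turns estimate uses Wheeler's single-layer air-core formula, which is my assumption about what the linked inductance calculator computes, and it assumes close-wound turns (winding length = turns x wire diameter). The 1.625 in roll diameter and 0.0179 in (#26) wire diameter are the figures a commenter gives further down the page; nothing here measures a real coil.

```c
#include <stdio.h>

static const double PI = 3.14159265358979323846;

/* Square root by Newton's method so the block needs no libm. */
static double root(double x)
{
    double g = x > 1.0 ? x : 1.0;
    for (int i = 0; i < 100; i++)
        g = 0.5 * (g + x / g);
    return g;
}

/* Resonant frequency of the coil + capacitor tank: f0 = 1 / (2 pi sqrt(L C)). */
double tank_resonance_hz(double l_henry, double c_farad)
{
    return 1.0 / (2.0 * PI * root(l_henry * c_farad));
}

/* Inductance that resonates with capacitor C at frequency f: L = 1 / ((2 pi f)^2 C). */
double inductance_for_hz(double f_hz, double c_farad)
{
    double w = 2.0 * PI * f_hz;
    return 1.0 / (w * w * c_farad);
}

/* Wheeler's single-layer air-core estimate (assumption: the formula behind the
   online calculators): L[uH] = r^2 N^2 / (9 r + 10 l), with r the coil radius
   and l the winding length, both in inches.  Within ~1% when l > 0.8 r. */
double wheeler_uh(double radius_in, double turns, double length_in)
{
    return radius_in * radius_in * turns * turns / (9.0 * radius_in + 10.0 * length_in);
}

/* Turns of close-wound wire (pitch = wire diameter) for a target inductance:
   substitute l = N p into Wheeler and solve r^2 N^2 - 10 p L N - 9 r L = 0. */
double wheeler_turns(double target_uh, double radius_in, double pitch_in)
{
    double b = 10.0 * pitch_in * target_uh;
    double disc = b * b + 36.0 * radius_in * radius_in * radius_in * target_uh;
    return (b + root(disc)) / (2.0 * radius_in * radius_in);
}

int main(void)
{
    double c = 10e-9;                 /* the page's 10 nF (0.01 uF) capacitor */
    printf("162 uH with 10 nF resonates at %.1f kHz\n", tank_resonance_hz(162e-6, c) / 1e3);
    printf("150 uH with 10 nF resonates at %.1f kHz\n", tank_resonance_hz(150e-6, c) / 1e3);
    printf("125 kHz with 10 nF needs %.1f uH\n", inductance_for_hz(125e3, c) * 1e6);
    /* Commenter's figures: 1.625 in roll (r = 0.8125 in), #26 wire (0.0179 in). */
    printf("68 close-wound turns of #26 on the roll: %.0f uH\n", wheeler_uh(0.8125, 68, 68 * 0.0179));
    printf("turns for 157 uH: %.1f\n", wheeler_turns(157, 0.8125, 0.0179));
    return 0;
}
```

With the 10 nF capacitor the page specifies, 162 uH resonates at 125.0 kHz, the top of the 150 to 162 uH range quoted in Step 4 (150 uH lands nearer 130 kHz). For the commenter's roll and wire the estimate comes out at about 68 turns, not 133; a coil wound with gaps between turns has a longer winding length and so needs more turns for the same inductance, which is why the two figures are not directly comparable. If you can, measure the coil with an LC meter (an Arduino-based design is linked in the comments) instead of tuning purely by trial and error.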

STEP 7: The Video

First I hold a real tag up to the reader, and the screen behind it shows the tag ID being read and displayed.  Next I hold up my coil and the reader sees it as a tag and reads the serial number from it.


STEP 8: Elephants in the Room

This project has a few deficiencies that should be mentioned.  First, since the emulator runs on its own clock instead of deriving one from the reader's carrier, not every serial ID broadcast is received by the reader.  This isn't a huge deal: in my experience they line up closely enough about every second or two.  If you wanted to modify this to brute force tag IDs it would matter more that every ID is received correctly, since a dropped frame looks the same as a wrong guess.

The second issue is the form factor of the antenna.  It should be easy to fix by collapsing the coil into a flatter, multi-layer winding; at that point you'll need a different calculator that handles multi-layer coils to work out how to wind it.

Last, there's the range.  By experimenting with the coil turns and the capacitor you should be able to get a few inches.  More range would probably need some kind of amplified coil.

The image for this step is from www.flickr.com/photos/exfordy/123900378/ used under the creative commons license.

STEP 9: References

PDF on a similar project, good discussion of how it all works and schematic
mrl.cz/projects/rfid/rfid.pdf

Similar project, including C code
www.alexanderguthmann.de/en/emulator.html

An RFID tag that's just a small Microchip uController and a resistor
micah.navi.cx/2008/09/using-an-avr-as-an-rfid-tag/


A similar project, also a reader
www.cq.cx/prox.pl


School project, cool ideas, missing some details though
www.dennislambing.com/senior-design-rfid/

44 Comments

Hi! I'm working on a lab project in electronics and will try to build this emulator but with the Mifare 13.56MHz standard. Apart from changing the circuit for the right frequency, do you know if we will have to make any changes in the code? Mifare should also be using Manchester encoding.

Thank you in advance, Pierre

So I was wondering how you came up with 133 windings around a toilet paper roll? It measures about 1.625" in diameter, wire diameter is negligible, and using #26 wire (the green stuff, .0179"), the calculator says about 68 windings. If it was close to your number I wouldn't ask, but they are not even remotely close. How did you come up with your number?

Hi there, thanks for the great work. I have a question, if you don't mind emailing me at systemcrash85@gmail.com. I work for a company called Armadale Locksmiths.

Also, these guys did it with a much smaller coil: http://wiki.smallroom.net/doku.php?id=terd:projects:rfidspoofer

Here is an arduino L/C/Freq meter that can help with calibration (like the PIC thing, but more readings & also arduino-based) http://www.kerrywong.com/2010/10/16/avr-lc-meter-with-frequency-measurement/

This is neat but I can't get this code to work as-posted, it looks like the Manchester encoding is inverted from what it should be according to http://www.priority1design.com.au/em4100_protocol.html. (It damps the antenna when it should tune it and vice-versa.) If I change that it works fine with the cheap USB reader I've got. Maybe your reader is more accommodating than mine?

Is there a way to modify this to use it with 134.2khz tags?

I tried to make the circuit but for me it doesn't work. I used a coil from Coilcraft (4513TC-495XGLB) with a 330 pF capacitor and a standard USB reader.

Can you help me with some advice, please?

What does "spoof" mean? Forgive my ignorance.

Don't bother, I went looking for it and found it in the Hacker's Dictionary:

spoof vi.

To capture, alter, and retransmit a communication stream in a way that misleads the recipient. As used by hackers, refers especially to altering TCP/IP packet source addresses or other packet-header data in order to masquerade as a trusted machine. This term has become very widespread and is borderline techspeak.

It means "to pretend to be something it's not" in this instance.

I have a related but similar question. Is it possible to hide the identifying information on an RFID card? Thanks in advance for any details you can provide!

I've just built this circuit and it works just fine. I was curious as to how you would go about calculating an actual RFID tag code for spoofing, as well as the parity bits to go with it?
I understand the code itself is in 10 binary segments each with a parity bit, but I'm unsure on how to work out the parity for it.

Check out step 3. Each hex number is represented by 4 binary digits then one even parity bit. In other words, count how many of the 4 digits are 1s; if it's an even number the 5th bit is a 0, if it's odd then it's a one. Do the same for the column parity bits at the end, but add up the ten columns.

Is it possible to replace the coil by an inductor of the same inductance? Does it have the same effect?
Thanks!

Can this be made to spoof transponder keys? I have an old Ford that uses the TI transponder in the ignition. VAT bypass would cost me around $400. If it could be done for under $100 with an Arduino it would be cool.

The only reason people would have something like those here in the US is that they were arrested for drunk driving. If you own the car, and are not REQUIRED to have the thing, why don't you just remove it? If you ARE required to have it, you could probably get in a lot of trouble for screwing around with it. I wouldn't, if I were you.

No, transponders don't work like this.

Hey! Looks like an awesome project, I'm planning to try it myself.

I don't have Radio Shack around here and don't want to order the wire set from them to Germany (shipping...). So I'm very, very interested in the wire's diameter (I'd love to see it in mm). Can you (or anyone else) tell me?

Thanks in advance!