Arduino RFID spoofer

An Arduino, a spent roll of toilet paper, magnet wire, and a few passive components are what’s needed to build this RFID spoofer. It’s quick, dirty, and best of all, simple. However, [SketchSk3tch’s] creation is not an RFID cloner. You must already know the hex code of the tag you want to spoof. That may or may not be as easy as using a separate tag reader.

We’ve seen some very simple RFID tag concepts. What we want is a DIY reader that is easy to build from cheap and readily available components. If you’ve got one, make with the details and tip us off about it.

36 thoughts on “Arduino RFID spoofer

  1. You can get a functional, assembled RFID reader from Parallax for $40. You would need a uC capable of generating the 125 KHz while simultaneously monitoring the power going into the LC antenna circuit and decoding any changes that would indicate the presence of a second tuned or detuned circuit drawing power off it. It’s quite a bit more complicated than emulating the card, which was designed to be simple and dirt cheap and not really worth the effort when a turnkey solution is available.

    This card hack is kind of cool mainly because there is no pretense of it being practical, and you could theoretically use it to clone a card, which with the read only cards is generally assumed to be impossible.

  2. I’m not proficient with RFID as in, I’ve never done any work with them personally, but I understand their basic function and use. But would it be possible to brute force copies of “read only” cards? Obviously this would be a slow and tedious process, much like any form of brute force hack. But, just to enlighten me, the idea of brute force hacking RFID is still a “possibility”, correct? Would a “rainbow table-esque” be a “feasible” project? I have zero intention, but, as any hacker, i’m just trying to broaden my knowledge.

  3. Nothing about 13.56Mz cards?
    they have more feature (internal memory, password protection, sectors, anti-collision).
    I’m trying to inteface my arduino to serial reader, but i’m also interested to make a spoofer..

  4. @skinner
    As klulukasz said there are a ton of possible combinations and it would take a long time to go through them all. I’ve heard though that some companies buy batch of cards that end up being sequential. If that’s the case, then if you can just read one card from a location, then you could work from there. In many cases if you have one working ID (the one you were able to read) you don’t need any more, but in other cases different cards give access to different locations. So, if your ID doesn’t work for a door, you could try several IDs around the one you’re using.

    I’m not sure an Arduino is fast enough to emulate a 13.56Mhz card (it’s about100 times faster). I’m curios if this could be done with a Maple (Arduino clone using an ARM processor) or with a Butterly Uno (FPGA that you can program using the Arudino stuff). I’m guessing you could do something similar to the 125KHz one, I’m going to try it with my Maple and see how it goes.

    I’d love to see a cheap DIY reader. The Propeller one is really cool. It would be awesome to combine that reader with this emulator. It would be even cooler if you could do it the reading and emulation all on the Arduino, which I bet you can (I’m sure you could do it all on a Propeller).

    By the way, you should be able to modify the sketch so you can also hook the Parallax reader up to it for reading (which would then effectively make it a cloner). There were a couple of reasons I didn’t do this. First, I wanted to keep the project really simple so others could build on it and add whatever they wanted. Second, the Parallax reader reads EM4100 tags. It does read a lot of tags, but I was hoping to figure out a more generic reader, because you should be able to clone more tags using it.

    By the way, when I picked up my reader a couple of weeks ago it was on sale at Radio Shack, the marked price was $49.99 but when they rung it up it was only $29.99. It looks like it’s been removed from their website so I think they’re closing them out.

    1. any reason u think the attiny isnt fast enough? should work on 13mhz if u can figure out when to short coil to look like normal card. The at85 goes to 20mhz with the standard part. Standard part craps out at a higher voltage than the 10u lv part but the saving grace may be that the same length of coil is orders of magnitude closer to length for an efficent antena than it is at 125khz (see wave length). That higher efficency might make the difference to power the chip properly.

  5. @ARDUINO!!!!!!!: you may hate the arduino, but posting so in a way irrelevant to the topic is trolling. This project is not featured because it’s an arduino, it’s because it can spoof RFID codes for surprisingly cheap.
    On a more relevant note, would this work for other values of caps?

  6. this utterly rocks and is worthy of HOD.

    and yes this tool would make it trivial to get into most places as they never randomize RFID cards for access. Simply get a read off of an employee and you will be able to hit one within a short time.

  7. here’s the code from the instructables page:

    //Pin to connect to the circuit
    //Setting the pin LOW will tune the coil
    //meaning it will respond as a high signal to the reader
    //Setting the pin to HIGH will detune coil
    //meaning the reader will see it as a low signal
    int coil_pin = 9;

    void setup()
    //Set pin as output
    pinMode(coil_pin, OUTPUT);

    //Start it as low
    digitalWrite(coil_pin, LOW);

    //Does manchester encoding for signal and sets pins.
    //Needs clock and signal to do encoding
    void set_pin_manchester(int clock_half, int signal)
    //manchester encoding is xoring the clock with the signal
    int man_encoded = clock_half ^ signal;

    //if it’s 1, set the pin LOW (this will tune the antenna and the reader sees this as a high signal)
    //if it’s 0, set the pin to HIGH (this will detune the antenna and the reader sees this as a low signal)
    if(man_encoded == 1)
    digitalWrite(coil_pin, LOW);
    digitalWrite(coil_pin, HIGH);

    void loop()
    //this is the card data we’re spoofing. It’s basically 10 hex F’s
    int data_to_spoof[64] = {1,1,1,1,1,1,1,1,1, 1,1,1,1,0 ,1,1,1,1,0, 1,1,1,1,0 ,1,1,1,1,0, 1,1,1,1,0 ,1,1,1,1,0, 1,1,1,1,0 ,1,1,1,1,0, 1,1,1,1,0 ,1,1,1,1,0, 0,0,0,0,0};
    for(int i = 0; i < 64; i++)
    set_pin_manchester(0, data_to_spoof[i]);

    set_pin_manchester(1, data_to_spoof[i]);

  8. @Ivan_k
    You shouldn’t have to pay for the code, it’s the rfidFake.pde file on step 5. You should just be able to click on it and download it. It looks like you do have to create an account to download the code, but you can create a free one.

    This is the first project I’ve posted on Instructables, I didn’t realize you had to set up an account to download the code. I’ll probably post the code on scribd or something so people can avoid doing that. Besides that, how do people feel about Instructables? I could set up my own site and put everything up there, but I’ve spent too much time over the last 10 years developing and maintaining websites to want to do that unless I have to.

  9. Hi,
    I bought a machine for my shop a while ago and they installed an RFID reader on it so it could tell when I had used up a couple liters of a chemical solution. Each container has an RFID tag. Without the tag on the container, the machine will not run. I have 20 liters of material I can’t use as the RFID tag is set to run out at 2 liters. Anyway I cando something for this?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s