An Arduino, a spent roll of toilet paper, magnet wire, and a few passive components are all that's needed to build this RFID spoofer. It's quick, dirty, and best of all, simple. However, [SketchSk3tch's] creation is an emulator, not an RFID cloner: you must already know the ID of the tag you want to spoof, which may or may not be as easy as reading it with a separate tag reader.
We’ve seen some very simple RFID tag concepts. What we want is a DIY reader that is easy to build from cheap and readily available components. If you’ve got one, make with the details and tip us off about it.
You can get a functional, assembled RFID reader from Parallax for $40. You would need a µC capable of generating the 125 kHz carrier while simultaneously monitoring the power going into the LC antenna circuit and decoding any changes that would indicate the presence of a second tuned or detuned circuit drawing power off it. It's quite a bit more complicated than emulating the card, which was designed to be simple and dirt cheap, and not really worth the effort when a turnkey solution is available.
This card hack is kind of cool mainly because there is no pretense of it being practical, and you could theoretically use it to clone a card, which with the read only cards is generally assumed to be impossible.
http://instruct1.cit.cornell.edu/courses/ee476/FinalProjects/s2006/cjr37/Website/index.htm
DIY RFID reader; it should be under $10 if you already have an ATmega chip and a power supply.
I'm not proficient with RFID, as in I've never done any work with it personally, but I understand the basic function and use. But would it be possible to brute force copies of "read only" cards? Obviously this would be a slow and tedious process, much like any form of brute force hack. But, just to enlighten me, the idea of brute force hacking RFID is still a "possibility", correct? Would a "rainbow table-esque" project be "feasible"? I have zero intention, but, as any hacker, I'm just trying to broaden my knowledge.
@skinner
You don't have any hash of the ID the reader is waiting for, so rainbow tables won't work.
Basic RFID tags usually have at least a 32-bit ID, so there are 2^32 combinations; even if you were trying IDs one after another it would take a lot of time.
If I am not wrong it would be on the order of 10^7 years :P
http://www.wolframalpha.com/input/?i=%28%28125*1000%2F8%29*32%29*%282^32%29%2F3600%2F24%2F365
Not only does Parallax have an RFID unit ready for sale, the following thread on their forums is a very nice DIY implementation:
http://forums.parallax.com/forums/default.aspx?f=25&m=287204
An $8 Propeller plus some junkbox parts = win.
Perhaps they will add a reader, making a tool. Not sure if the builder will go the extra bit, or if this was meant to be a super cheap and easy task.
How ironic then that this is an entry on instructables.com, the site that turned so repressive and no doubt would see us all tagged.
@Chuck LOL I should have known the Propeller could do that.
Nothing about 13.56 MHz cards?
They have more features (internal memory, password protection, sectors, anti-collision).
I'm trying to interface my Arduino to a serial reader, but I'm also interested in making a spoofer.
omg I hate the Arduino…lame
@skinner
As klulukasz said there are a ton of possible combinations and it would take a long time to go through them all. I've heard, though, that some companies buy batches of cards that end up being sequential. If that's the case, then if you can just read one card from a location, you could work from there. In many cases if you have one working ID (the one you were able to read) you don't need any more, but in other cases different cards give access to different locations. So, if your ID doesn't work for a door, you could try several IDs around the one you're using.
@Lorenzo
I'm not sure an Arduino is fast enough to emulate a 13.56 MHz card (it's about 100 times faster). I'm curious if this could be done with a Maple (Arduino clone using an ARM processor) or with a Butterly Uno (FPGA that you can program using the Arduino stuff). I'm guessing you could do something similar to the 125 kHz one; I'm going to try it with my Maple and see how it goes.
I'd love to see a cheap DIY reader. The Propeller one is really cool. It would be awesome to combine that reader with this emulator. It would be even cooler if you could do the reading and emulation all on the Arduino, which I bet you can (I'm sure you could do it all on a Propeller).
By the way, you should be able to modify the sketch so you can also hook the Parallax reader up to it for reading (which would then effectively make it a cloner). There were a couple of reasons I didn’t do this. First, I wanted to keep the project really simple so others could build on it and add whatever they wanted. Second, the Parallax reader reads EM4100 tags. It does read a lot of tags, but I was hoping to figure out a more generic reader, because you should be able to clone more tags using it.
By the way, when I picked up my reader a couple of weeks ago it was on sale at Radio Shack; the marked price was $49.99 but when they rang it up it was only $29.99. It looks like it's been removed from their website so I think they're closing them out.
Any reason you think the ATtiny isn't fast enough? It should work at 13 MHz if you can figure out when to short the coil to look like a normal card. The ATtiny85 goes to 20 MHz with the standard part. The standard part craps out at a higher voltage than the 10u LV part, but the saving grace may be that the same length of coil is orders of magnitude closer to the length for an efficient antenna than it is at 125 kHz (see wavelength). That higher efficiency might make the difference to power the chip properly.
Seven years later… seriously?
@ARDUINO!!!!!!!: you may hate the arduino, but posting so in a way irrelevant to the topic is trolling. This project is not featured because it’s an arduino, it’s because it can spoof RFID codes for surprisingly cheap.
On a more relevant note, would this work for other values of caps?
@captainsolderbum
why don’t you feed the trolls some more
So, You’re troll-feeder trolling?
lol,
then that makes me troll-feeder-troller-troll, kinda. I guess I’m not really trolling am I.
An arduino project(using only 3 external components) AND on instructables? Hack-a-Day, surely you jest!
this utterly rocks and is worthy of HOD.
and yes this tool would make it trivial to get into most places as they never randomize RFID cards for access. Simply get a read off of an employee and you will be able to hit one within a short time.
add this:
http://www.sparkfun.com/commerce/product_info.php?products_id=8628
and a couple of lines of code, and you have a mobile scanner/spoofer.
ARGH! This uses a BREADBOARD! I HATE BREADBOARDS!
This is a nice proof of concept. But I cannot replicate it, because I am not willing to pay instructables for the source code.
here’s the code from the instructables page:
// Pin connected to the coil circuit.
// Setting the pin LOW tunes the coil: the reader sees a high signal.
// Setting the pin HIGH detunes the coil: the reader sees a low signal.
const int coil_pin = 9;

void setup()
{
  // Set the pin as an output and start with the coil tuned.
  pinMode(coil_pin, OUTPUT);
  digitalWrite(coil_pin, LOW);
}

// Manchester-encodes one half of a bit period and drives the pin.
// Manchester encoding is the clock XORed with the data bit.
void set_pin_manchester(int clock_half, int signal)
{
  int man_encoded = clock_half ^ signal;
  // 1: pull the pin LOW (coil tuned, reader sees high).
  // 0: pull the pin HIGH (coil detuned, reader sees low).
  if (man_encoded == 1)
  {
    digitalWrite(coil_pin, LOW);
  }
  else
  {
    digitalWrite(coil_pin, HIGH);
  }
}

void loop()
{
  // The EM4100 frame we are spoofing, ID FFFFFFFFFF (ten hex F's):
  // 9 header ones, then ten rows of 4 data bits plus an even row-parity bit,
  // then 4 even column-parity bits and a 0 stop bit, 64 bits in all.
  static const uint8_t data_to_spoof[64] = {
    1,1,1,1,1,1,1,1,1,
    1,1,1,1,0, 1,1,1,1,0, 1,1,1,1,0, 1,1,1,1,0, 1,1,1,1,0,
    1,1,1,1,0, 1,1,1,1,0, 1,1,1,1,0, 1,1,1,1,0, 1,1,1,1,0,
    0,0,0,0,0
  };
  // Each bit is two half-periods of 256 us: 512 us per bit, i.e. 64 cycles
  // of the 125 kHz carrier, the EM4100 data rate.
  for (int i = 0; i < 64; i++)
  {
    set_pin_manchester(0, data_to_spoof[i]);
    delayMicroseconds(256);
    set_pin_manchester(1, data_to_spoof[i]);
    delayMicroseconds(256);
  }
}
@Ivan_k
You shouldn’t have to pay for the code, it’s the rfidFake.pde file on step 5. You should just be able to click on it and download it. It looks like you do have to create an account to download the code, but you can create a free one.
This is the first project I’ve posted on Instructables, I didn’t realize you had to set up an account to download the code. I’ll probably post the code on scribd or something so people can avoid doing that. Besides that, how do people feel about Instructables? I could set up my own site and put everything up there, but I’ve spent too much time over the last 10 years developing and maintaining websites to want to do that unless I have to.
maybe just upload the code to pastebin… then hotlink it into your instructions
How about using a Bus Pirate + a script in Python?
Codedump: Thanks, that was really nice of you!
Sketchsk3tch: Maybe I didn’t look hard enough.. What was in my face when I clicked “register” were the paid options.
At the end of the instructable I found this link: http://micah.navi.cx/2008/09/using-an-avr-as-an-rfid-tag/
Hack-a-Day has featured Micah's work before, but not this one I think. It's a two-component LF RFID spoofer.
@sketchsk3tch. It works! Thank you sir, for sharing this simple (as in few components) but powerful project!
@Ivan_k
I’m glad you got it working. Let me know if you have any suggestions on anything I can improve.
codedump, you posted the Instructables code I couldn't see!!
I love you!!
Hi, do you know the name of a machine able to read and write a passive 13.56 MHz RFID tag?
Best regards
Check out proxmark3. You can build it yourself or buy one pre-made. Pre-made is very expensive.
Here is a 125 kHz cloner, DIY or buy:
http://www.kukata86.com/en/description-and-development-RFID-emulator
Can you read 125 kHz HID Prox (1-3) tags easily with this, or just EM-based ones?
Hi,
I bought a machine for my shop a while ago and they installed an RFID reader on it so it could tell when I had used up a couple of liters of a chemical solution. Each container has an RFID tag. Without the tag on the container, the machine will not run. I have 20 liters of material I can't use as the RFID tag is set to run out at 2 liters. Is there anything I can do about this?
Are the tags removable? Do you see any way to register new tags? There has to be a way, then you could just buy a few for 50-85 cents. If that doesn’t work you could try http://www.clonemykey.com, they do many types of RFID tag cloning, not just keys.