Where the idea came from

The idea of creating the RFID Emulator came from wanting an environment for developing and experimenting with different RFID applications. This article is written for engineers, amateur enthusiasts and fans of electronics who like to experiment with different radio frequency devices and face their challenges. Later I realised how useful the schematic can be in our daily lives: it can be developed into a backup of an existing RFID card, so that you always have a backup of your access card, just as you keep spare keys to your home or car. If you lose your RFID card you have a backup in the RFID Emulator, and you will not be left outside the barrier of your garage or sitting outside the office. After using the emulator for the emergency, when possible and at a convenient time, you can tell the people who support the access control system that your card is lost and that you want a new one. Then you can make a backup of the new card with the RFID emulator and use it the next time a similar need arises.
Most useful of all, the RFID Emulator will not upset the engagements planned for the day. You can buy a kit for assembling it and see other interesting projects on my website. If you have other ideas or have developed a better schematic with more options, please share it with us on my website; let's make this project bigger and better. The creators and distributors of the scheme and of the materials needed for its construction will not be responsible for malicious actions by malicious individuals tampering with the device! Everything about this device and the attached article is for educational and experimental purposes. Use at your own risk!
Radio frequency identification, often abbreviated RFID, is a method for automatic identification of objects in which object IDs are read, or data is written, using radio waves. The technology is based on radio frequency communication between a specially crafted identifier (label, tag, card, keychain, sticker or other) and a reader.
Each chip contains an identifier with a unique number stored inside, and an antenna. Depending on the system configuration, 'reading' the number may trigger an action, for example opening a door, a barrier or some other reaction, or the information can be sent to a computer for a proper decision. Some types of RFID cards also allow information to be written multiple times, which further expands the possibilities.
The distance from which an identifier can be 'read' depends on many factors, such as the frequency, the size and shape of the antenna, the environment and more. The distance can even reach tens of meters with active RFID tags, i.e. tags using additional power (a battery or another source). The RFID Emulator developed here is designed as open software and hardware and is open to dynamic development as enthusiast developers, whoever you may be, find new ideas.
On the Internet there are several similar devices, but they do not support low-frequency identification, and in turn they are quite expensive and not as flexible. Also, they are portable but mostly depend on external power or need to be connected to a computer. Unlike these devices, the RFID Emulator was designed to stick to the following conditions:
- Elementary, so that electronics enthusiasts with little knowledge of electronics can easily understand how it works, exchange ideas and contribute to its development. Easy to understand software and minimal hardware complexity.
- Easy practical work. All parts can be easily sourced from a nearby electronics store.
- Largely controlled by software, so that it is easy to make it more sophisticated when there are ideas for development; the hardware side should be as optimal and functional as possible and should hardly ever change, or change only within a very small range.
The results at the moment are:
- Our RFID Emulator can work with the following coding standards: EM4100, TK5551, Verichip, similar to ISO 11784, Biphase, Manchester, PSK, RAW encoding.
- Speed of data transfer from 8 to 256 cycles per bit.
- Storage space for card data: 1920 bits (firmware limit).
- 100% passive. Does not need a battery.
Device control interface

The board has two buttons. They are connected to the GP2 and GP3 pin inputs of the processor. Two capacitors (C5 and C6) are connected in parallel with the keys to suppress any disturbance. Note that GP3 gets an external pull-up resistor (R5) but GP2 does not, because it uses the software-programmed one: PIC 12F series processors have built-in software-controlled pull-up resistors on every I/O line except GP3. 1K resistors (R3 and R4) separate the I/O legs from the capacitors.
This is needed for ICSP programming. Without such separation, connecting an ICSP programmer or debugger would load the capacitor on GP3/MCLR/Vpp, preventing the ICSP programmer from applying the required voltage, so the chip would not enter programming mode. Nevertheless, my advice is to program the chip in advance with a programmer, before soldering or before placing the capacitors on the board, to ensure successful programming. Since this is a test project in constant development, if programming fails it will be hard to tell whether the problem is in the programming or in the hardware; so, to be assured of secure programming, follow the tips in the SOFTWARE section below.

Information indication

A 'Successfully Programmed' LED is connected through a 470 ohm series resistor.
Be careful when choosing the LED for your project. Most ordinary SMD LEDs draw up to 8 mA, which is often more than the rest of the device consumes.
Fitting a more powerful LED (bright, white, blue) or one in a package other than SMD can consume too much power, more than the antenna can induce, and this can make the supply voltage drop below the minimum threshold at which the circuit works properly.

Power supply

The question was how to extract the voltage most optimally and efficiently from the 125 kHz carrier frequency of the RFID reader and use it to power the system, so as to make a passive device that does not require an external power supply.
A diode bridge made of simple low-voltage silicon rectifier diodes has very large losses. These diodes have a forward voltage drop of about 0.6V, and since in each half period of rectification the current passes through two of them, we lose 1.2V. Experiments show the following: a diode bridge formed by four Schottky diodes saves more than 600 mV, which is a much better option.
The 1N5819 diodes used (Vf = 0.2V @ 10mA) are perfect for this.

Automatic overvoltage protection

In most cases the voltage induced in the coil cannot exceed 6V, and there is no risk of damaging any of the elements. But sometimes, under certain conditions, in a strong magnetic field or with a sharp magnetization of the coil (a sudden swipe past a reader), a peak above the maximum voltage can form that can kill the CPU. To prevent the risk of damage from surges, we applied the following circuit. If the voltage is below 5.1V, the zener diode (D1) is blocked.
The base of the transistor (Q1) is then at 'GND' and it is also blocked. When the supply voltage jumps over 5.1V, the zener diode opens and correspondingly unlocks the transistor (Q1).
A voltage drop forms across (R7) with enough power to load the coil so that the supply voltage falls back below 5.1V.

Selecting the useful signal

As mentioned above, there are types of cards that can accept data sent by the reader. Usually this operation is used to write data into the card's processor (to program a card of our choice). The reader transmits data to the card memory in the same way as the card sends data to the reader: on a modulated radio frequency carrier that is received by the antenna. To enable our emulator to read and process this information, we had to create a circuit that reads and decodes it and passes it to the processor, which can later record it and play it back. To do so we demodulate the carrier, stripping it away to keep only the useful signal, and the easiest way for us is an 'Envelope detector'.
The diode (D4) passes the positive half of the carrier and charges the capacitor (C7) when the amplitude of the carrier increases. When the amplitude of the carrier falls, the capacitor (C7) discharges through the resistor (R8) (the diode prevents it from discharging into the supply). The signal we need is formed by the envelope of the carrier: the modulating signal that contains the data for the card.

Green line: modulated carrier at the input of the envelope detector.
Yellow line: demodulated signal at the output of the envelope detector.

The RFID Emulator can emulate almost all low frequency RFID cards that cannot be overwritten, or those that play back their embedded serial number immediately after being swiped past a reader. The board is designed with the size of a calling card and a built-in antenna made from a track on the PCB. You can check the gallery for photos and video. If you are interested in the RFID emulator, you can work it out for yourself.
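As an added illustration (not from the original article or its firmware), the following Python model of the D4/C7/R8 envelope detector makes the one design decision the circuit hides explicit: the R8·C7 time constant has to be long compared with one carrier cycle (8 µs at 125 kHz) so that the capacitor does not follow the carrier ripple, and short compared with one modulation half-bit (32 cycles, 256 µs) so that it can still follow the data. The component values tried, the modulation depth, the diode drop and the constructed test signal are assumptions for the example, not values from the article.

```python
"""Envelope detector model for the 'Selecting the useful signal' circuit (added example)."""
import math

CARRIER_HZ = 125e3          # carrier frequency from the article
SAMPLES_PER_CYCLE = 16      # simulation resolution (assumed)
DT = 1.0 / (CARRIER_HZ * SAMPLES_PER_CYCLE)
AMPLITUDE = 5.0             # unmodulated carrier peak, volts (assumed)
DEPTH = 0.5                 # modulation depth: level 1 halves the carrier amplitude (assumed)
V_DIODE = 0.2               # Schottky forward drop, as in the article's 1N5819 figure


def am_carrier(levels, cycles_per_level):
    """Constructed test input: a carrier whose amplitude is reduced while the
    modulation level is 1. Each level in `levels` is held for cycles_per_level cycles."""
    out, n = [], 0
    for lvl in levels:
        peak = AMPLITUDE * (1 - DEPTH) if lvl else AMPLITUDE
        for _ in range(cycles_per_level * SAMPLES_PER_CYCLE):
            out.append(peak * math.sin(2 * math.pi * CARRIER_HZ * n * DT))
            n += 1
    return out


def envelope_detector(v_in, r_ohm, c_farad):
    """D4/C7/R8 model: the diode charges C7 whenever the input exceeds the capacitor
    voltage by the forward drop; otherwise C7 decays through R8 with time constant R*C."""
    decay = math.exp(-DT / (r_ohm * c_farad))
    v_c, out = 0.0, []
    for v in v_in:
        v_c *= decay
        if v - V_DIODE > v_c:
            v_c = v - V_DIODE
        out.append(v_c)
    return out


def slice_levels(envelope, cycles_per_level):
    """Sample the envelope in the middle of each modulation period and threshold it
    halfway between the two expected plateaus: 1 where the carrier was attenuated."""
    threshold = (AMPLITUDE * (1 - DEPTH) + AMPLITUDE) / 2 - V_DIODE
    n = cycles_per_level * SAMPLES_PER_CYCLE
    return [1 if envelope[i * n + n // 2] < threshold else 0
            for i in range(len(envelope) // n)]


def recovered_levels(levels, r_ohm, c_farad, cycles_per_level=32):
    """End to end: modulate, detect, slice. Returns the levels the detector recovers."""
    env = envelope_detector(am_carrier(levels, cycles_per_level), r_ohm, c_farad)
    return slice_levels(env, cycles_per_level)


def envelope_ripple(r_ohm, c_farad, cycles_per_level=32):
    """Peak-to-peak ripple of the envelope during the second half of an unmodulated
    period: a large value means R*C is too small and the output follows the carrier."""
    env = envelope_detector(am_carrier([0, 1, 0], cycles_per_level), r_ohm, c_farad)
    n = cycles_per_level * SAMPLES_PER_CYCLE
    tail = env[2 * n + n // 2:]
    return max(tail) - min(tail)


if __name__ == "__main__":
    data = [0, 1, 0, 0, 1, 1, 0]
    for label, r, c in (("RC far too small", 1e3, 100e-12),   # 0.1 us
                        ("RC well chosen", 10e3, 10e-9),      # 100 us
                        ("RC far too large", 1e6, 100e-9)):   # 0.1 s
        print(f"{label:17s} ripple={envelope_ripple(r, c):.2f} V "
              f"recovered={recovered_levels(data, r, c)}")
```

The middle case recovers the data with a few hundred millivolts of ripple; the first follows the carrier itself, and the last never discharges within a half-bit, so every period reads as unmodulated.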
Below is a picture of the emulator board and pictures from the process of its practical implementation. All items are available in electronics stores. If you do not want to produce the board yourself, you can order the machine-made board, a kit of components and a programmed processor from our online store.
You can always replace some of the elements with their analogues. You can use any transistors or Schottky diodes with similar parameters, and likewise capacitors or resistors. You can use another processor: with minor changes the software can be adapted to work on PIC 12F and PIC 16F microcontrollers. For other questions please use our forum. The kit comes with unsoldered elements.
It takes a little soldering skill to solder the SMD components. The hardest part of all is soldering the SO8 (SOIC8) microcontroller package. Here is the list of items for making the emulator. It may be helpful if you buy items from a store other than our online store.

BAT721S Schottky diodes can be difficult to find. If you cannot find them you can use one of their analogues (sorted by Vf; lower is recommended):
BAT721S - Vf=250mV @ 10mA
BAT754S - Vf=340mV @ 10mA
BAT54S - Vf=400mV @ 10mA
BAT40-04 - Vf=450mV @ 10mA

IMPORTANT! C2 and C3 are capacitors with polarity.
Be careful when soldering. On C2, an electrolytic capacitor, the black bar indicates the negative pole. On C3 (a tantalum capacitor) the black-brown bar indicates the positive pole.
If you make your own board, bear in mind that the resonance of the antenna circuit depends on the capacitor C4. Since every board turns out different (different track thickness depending on the etching time), you should measure the inductance you obtain and match this capacitor to it.
I use a 3 nF capacitor instead of the 8.2 nF from the calculations. You can buy a kit for assembling it and see other interesting projects on my website. Boards are shown in real dimensions.
To make the board from plain laminate you can use various amateur etching methods, or a laser printer with photoresist. The bottom of the board is printed mirrored, so that it is on the right side for construction. I share 4 board views:
- Top side of the board
- Bottom side of the board (mirrored)
- Top side of the board with white print
- Bottom side of the board with white print
When soldering the board, start from the small items such as resistors and capacitors, then continue with the large electrolytic capacitors, the processor and the buttons.

Software

Understanding this part of the article requires knowledge of assembler. Generally the code is nothing more than some well-timed instructions that change the state of GP4.
This microcontroller (like most PIC processors) has a built-in oscillator; however, instead of using the internal oscillator, the CPU is clocked by the carrier frequency arriving on GP4. The software is therefore not complex, as it needs no synchronization with the modulated data (GP4 is switched to GND or left high).
The internal oscillator has very high energy consumption, which is another reason to avoid it in our scheme: less consumption means the board can operate from a greater distance. Our firmware can be downloaded from here. It emulates the EM4100 RFID card, one of the most popular. According to the EM4100 datasheet it is a card with a read-only memory of 64 bits, in most cases configured to work with 64 clock cycles per bit and Manchester encoding. In Manchester coding each bit period is split into two halves of 32 carrier cycles: 32 cycles at one level followed by 32 at the other (32 cycles of 1 followed by 32 cycles of 0 means logic 1). The following example shows how the software works:

    BSF  TRISIO, GP4   ; GP4 as input (high impedance). Transmit a '0'.
    NOP
    NOP
    NOP
    NOP
    NOP
    NOP
    NOP
    BCF  TRISIO, GP4   ; GP4 as output (GND). Transmit a '1'.
    NOP
    NOP
    NOP
    NOP
    NOP
    NOP
    NOP

Note that between BSF and BCF there is a fixed number of instruction cycles. Since the PIC architecture uses four clock cycles to execute each instruction, exactly 32 carrier cycles pass for each such group of instructions.
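To make the framing and timing concrete, here is an added Python example that is not part of the original article or its firmware. It builds the 64-bit EM4100 frame for a 40-bit card ID (nine header ones, ten rows of four data bits each followed by an even row-parity bit, four column-parity bits and a stop bit, as in the EM4100 datasheet), expands the frame into one coil state per carrier cycle at 64 cycles per bit and 32 per half-bit, matching the BSF/NOP/BCF timing above, and decodes such a stream back while checking every parity bit, so that a corrupted or misaligned capture is rejected instead of being passed on. The polarity convention (a 1 is the first half high), the sample card ID and the constructed capture are assumptions for the example.

```python
"""EM4100 framing and Manchester timing as used by the emulator firmware (added example).

One element of the sample lists represents one carrier cycle, so a bit is 64 samples
and each Manchester half-bit is 32, matching the BSF/NOP/BCF timing in the article.
"""

HEADER = [1] * 9          # nine leading ones; the parity bits guarantee no other run of nine ones
CYCLES_PER_BIT = 64       # the RF/64 configuration mentioned in the article


def em4100_frame(card_id: int) -> list:
    """Build the 64-bit frame for a 40-bit (10-nibble) EM4100 card ID."""
    if not 0 <= card_id < (1 << 40):
        raise ValueError("EM4100 card IDs are 40 bits wide")
    bits = list(HEADER)
    column_parity = [0, 0, 0, 0]
    for i in range(10):                                    # ten rows, most significant nibble first
        nibble = (card_id >> (4 * (9 - i))) & 0xF
        row = [(nibble >> 3) & 1, (nibble >> 2) & 1, (nibble >> 1) & 1, nibble & 1]
        bits += row + [sum(row) % 2]                       # even row parity
        column_parity = [c ^ b for c, b in zip(column_parity, row)]
    bits += column_parity                                  # even column parity
    bits.append(0)                                         # stop bit
    return bits


def manchester_encode(bits, cycles_per_bit=CYCLES_PER_BIT):
    """Expand bits into coil states, one per carrier cycle.
    Convention assumed here: a 1 is first half high then low, a 0 is the reverse."""
    half = cycles_per_bit // 2
    out = []
    for b in bits:
        first, second = (1, 0) if b else (0, 1)
        out += [first] * half + [second] * half
    return out


def manchester_decode(samples, cycles_per_bit=CYCLES_PER_BIT):
    """Turn an aligned sample stream back into bits; a majority vote per half-bit absorbs glitches.
    Raises ValueError when a bit has no mid-bit transition (wrong alignment or noise)."""
    half = cycles_per_bit // 2
    bits = []
    for i in range(0, len(samples) - cycles_per_bit + 1, cycles_per_bit):
        first = sum(samples[i:i + half]) * 2 > half
        second = sum(samples[i + half:i + cycles_per_bit]) * 2 > half
        if first == second:
            raise ValueError(f"no transition in bit {len(bits)}")
        bits.append(1 if first else 0)
    return bits


def parse_frame(bits):
    """Validate header, row parity, column parity and stop bit; return the card ID or None."""
    if len(bits) != 64 or bits[:9] != HEADER or bits[63] != 0:
        return None
    rows = [bits[9 + 5 * r:14 + 5 * r] for r in range(10)]
    if any(sum(row) % 2 for row in rows):                  # row parity (data + parity bit) must be even
        return None
    for c in range(4):                                     # column parity over the ten data rows
        if sum(row[c] for row in rows) % 2 != bits[59 + c]:
            return None
    card_id = 0
    for row in rows:
        card_id = (card_id << 4) | (row[0] << 3) | (row[1] << 2) | (row[2] << 1) | row[3]
    return card_id


def recover_card_id(samples, cycles_per_bit=CYCLES_PER_BIT):
    """Search an unaligned capture of unknown polarity for one frame that passes all checks.
    Returns the card ID, or None if nothing validates."""
    for stream in (samples, [1 - s for s in samples]):
        for offset in range(cycles_per_bit):
            try:
                bits = manchester_decode(stream[offset:], cycles_per_bit)
            except ValueError:
                continue
            for start in range(0, len(bits) - 63):
                card_id = parse_frame(bits[start:start + 64])
                if card_id is not None:
                    return card_id
    return None


def example_capture(card_id, idle_cycles=17, glitch_at=100):
    """Constructed capture: a card repeats its frame, so two copies follow some idle cycles
    (so the capture does not start on a bit boundary) and one cycle is flipped as a glitch."""
    capture = [0] * idle_cycles + manchester_encode(em4100_frame(card_id)) * 2
    capture[glitch_at] ^= 1
    return capture


if __name__ == "__main__":
    sample_id = 0x0A1B2C3D4E                               # assumed sample ID
    print(hex(recover_card_id(example_capture(sample_id))))
```

Decoding tries both polarities and every cycle offset because a reader sees neither the bit boundary nor which coil state the card calls "high"; the parity structure is what lets it tell a real frame from a shifted or inverted one.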
The previous schematic shows the value for our coil. If you use the tracks of the board it is difficult to make the coil to an accurate value, but if we wind our own external antenna it is easier. When designing the antenna to improve signal reception, and so increase the distance, the inductance and capacitance of the device must be in resonance with the carrier frequency (125 kHz in our case). Using the parasitic capacitance (30 pF) and a frequency around 125 kHz, we can calculate the approximate value of the coil. The result is 54.04 mH. The value of the parasitic capacitance is relative, and so is the value of the inductance: it can vary (from one device to another) within certain limits, not only because of imperfect workmanship but also because of external factors (temperature, voltage, frequency, etc.). Using only the parasitic capacitance makes tuning the LC group almost impossible.
Adding extra capacitance in parallel with the coil eases the situation dramatically. The capacitance should be about 1 nF, so that variations of the coil do not affect your scheme.
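The resonance arithmetic behind the two paragraphs above, and behind the 150 µH / 10 nF pairing given for the hand-wound antenna later in the article, as an added Python example that is not part of the original: it reproduces the 54.04 mH figure from 30 pF at 125 kHz, and then shows in numbers why the author recommends adding about 1 nF. The ±10 pF uncertainty assumed for the parasitic capacitance is a constructed figure for the example; the formula used is the standard f = 1 / (2π√(LC)).

```python
"""Resonance arithmetic for the emulator antenna (added example, not from the original article)."""
import math


def resonant_frequency(l_henry, c_farad):
    """Resonant frequency in Hz of an LC tank: f = 1 / (2*pi*sqrt(L*C))."""
    return 1.0 / (2.0 * math.pi * math.sqrt(l_henry * c_farad))


def inductance_for(f_hz, c_farad):
    """Inductance in H that resonates at f_hz with the given capacitance."""
    return 1.0 / ((2.0 * math.pi * f_hz) ** 2 * c_farad)


def capacitance_for(f_hz, l_henry):
    """Capacitance in F that resonates at f_hz with the given inductance."""
    return 1.0 / ((2.0 * math.pi * f_hz) ** 2 * l_henry)


def tuning_spread(c_added, c_parasitic, c_tolerance, f0=125e3):
    """Tune the coil for the nominal total capacitance, then report how far the resonance
    drifts when the parasitic capacitance is off by +/- c_tolerance.
    Returns (L_tuned, f_low, f_high, relative_spread)."""
    l_tuned = inductance_for(f0, c_added + c_parasitic)
    f_low = resonant_frequency(l_tuned, c_added + c_parasitic + c_tolerance)
    f_high = resonant_frequency(l_tuned, c_added + c_parasitic - c_tolerance)
    return l_tuned, f_low, f_high, (f_high - f_low) / f0


if __name__ == "__main__":
    # The article's figure: 30 pF parasitic capacitance at 125 kHz calls for 54.04 mH.
    print(f"coil for 30 pF at 125 kHz: {inductance_for(125e3, 30e-12) * 1e3:.2f} mH")

    # Assumed +/- 10 pF uncertainty in the parasitic capacitance (constructed for the example):
    # with the parasitic capacitance alone the resonance moves by tens of percent; with 1 nF
    # added in parallel the same uncertainty moves it by well under one percent.
    for label, c_added in (("parasitic only", 0.0), ("1 nF added", 1e-9)):
        l_tuned, f_low, f_high, spread = tuning_spread(c_added, 30e-12, 10e-12)
        print(f"{label:15s} L={l_tuned * 1e6:9.1f} uH  "
              f"f={f_low / 1e3:6.1f}..{f_high / 1e3:6.1f} kHz  spread={spread:.1%}")

    # Hand-wound antenna from the article: 150 uH with 10 nF lands close to 125 kHz.
    print(f"150 uH + 10 nF resonates at {resonant_frequency(150e-6, 10e-9) / 1e3:.1f} kHz")
    print(f"exact capacitor for 150 uH at 125 kHz: {capacitance_for(125e3, 150e-6) * 1e9:.2f} nF")
```

The price of the added capacitor is a much smaller coil (tens of microhenries instead of tens of millihenries), which is exactly the regime of the hand-wound 150 µH antenna described further down.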
A well calibrated antenna is not the main factor for normal operation of the device. Operating at 125 kHz (wavelength 2400 m), we have a small reading distance. We can develop an alternative external antenna to improve this shortcoming. A bigger antenna has a larger area in which the magnetic field can be induced and so produces a higher coil voltage. The coil I made on the board, as seen in the video, has little physical space and cannot generate a very high voltage from the carrier; with a suitable antenna the reading distance will be much greater. We can make a better antenna, for example by winding turns of copper wire around the inside of a toilet paper roll.
You can measure or estimate the antenna you made, but then do not forget to fit the required capacitor so that it is calibrated. For a 150 uH coil a 10 nF capacitor blends well. Once you finish, tape the wound coil to prevent damage.

Photos of hand-made coils

You can buy a board for assembling it and see other interesting projects on my website. If you have other ideas or have developed a better schematic with more options, please share it with us on my website; let's make this project bigger and better.
I have been searching around on ways to read and write to RFID, but I just wanted to ask: is it possible to do? I don't have any information about the keycard I have: no company, no frequency, no model. Where can I find this information?
The only thing written on the card is the logo of the gym 'City Fitness' and a serial number on the back. So the real question is: where do I start? I want to know what is stored on the card. How do I read it? Should I melt the outside to see the circuit inside and see if there is anything I can search up? It sounds like it's a 125 kHz card, but then again how can I know if it is? I don't have an oscilloscope; I have no tools. Sorry for the bad question!
In theory everything is possible. Firstly, do you have an Android phone with NFC capabilities? If yes, try the [link] or [link] to get basic information like card type and generation, and see which raw data it provides. That should give you basic information to research further. The second step would be to try evaluating the data, to see what changes over time: do they have counters that are changed, values that are changed, when you swipe the card? The third step includes (cheap) emulation hardware, to see if you can reproduce data sets via an independent device. Something like [link] should help you further. A step further would be questionable, depending on your local jurisdiction. Analysis and research are always really close to the legal border, especially if you want to disclose the information and have conducted your research without proper authorization.
OP doesn't need that, or any of us. They could always start with Google rather than asking us and would probably find ISO 14443 pretty quick. On top of that, OP probably only wants to clone the card.
I don't think they are actually interested in learning. It took one whole search, and at the low, low cost of [link] and less than a minute of their time they can copy a 125 kHz card. There are even instructions for 13.6 MHz cards capable of NFC, as well as for interpreting the readouts for both, in the blog I'm on. All in one Google search 😑🔫.
This isn't worth talking over; he's part of the problem and I don't have patience. Btw, that first post with the phone might as well have been trolling you into the dirt if it didn't work, and it probably is a 125 kHz fob, so likely not. Info is in plain text on prox cards (125 kHz) because they physically have too little bandwidth for encryption; it usually runs a protocol called EM4100. The NFC protocol on those 13.6 MHz cards is passive, can contain encryption, has no battery so it charges up when near an EMF in order to transfer data, and is not worth your time to actually read the data off of; likely you will never need to know more than that. You'll have something to try right away following his advice, but you'll get stuck pretty fast if you blindly believed it would work, considering your initial post here. So test both. You should have everything you need by now, and whether you cared in the first place or not doesn't really matter anymore.
The only other useful thing in this thread for you, maybe, is the blackhills link a bit lower. Otherwise look up the blackhat 2013 slides on this subject linked in the kisi security blog I posted, and that will at the very least get you introduced to a bit of easy-to-understand stuff. Next time, ask; I don't have time to teach what I know on this subject, and any sensible person will say the same.
It just becomes a wall of text before you even get to the useful stuff. I get that you're new, and you will have trouble conveying what you want to know because you don't have enough knowledge of the subject itself. People in security, from my experience, don't take kindly to questions like this; just look at all the useless to near-useless comments you've gotten. Explain what you tried first, try to explain what you're having trouble with, and people who actually have answers will usually help if you've at least made a little attempt.

Thank you man, I will improve. I tried on my friend's iPhone X with both apps above and none of them detect the fob; they don't even detect a Visa payWave or a bus card! I am not sure what the problem is, phone or app? I have no other NFC phone, so I need to get hold of another NFC phone and try again. The gym key card is a proximity card; I place it on the scanner for 1 sec only. I am pretty sure it's a low frequency card. Obviously no battery on it, very thin.
I just need to get info from it; if it's just plain text I will copy and write it to a blank card and test it. I really thank you for the time man. Also I read that blackhill infosec article and it looks like just what I need. But I will do more research and testing.

He asked for help on identifying the card and frequencies; most results on Google don't provide that information. Cloning, as a question, is mostly connected to nefarious purposes, which this sub does not cater to. If he already knows about different cards and frequencies, he is also looking for help on how to discover that information and how to access the data. Instead of googling it quickly, I decided to write down the easiest ways to figure it out, instead of writing down illicit usages or just saying what most people do here: No. How people decide to use that information is their problem; maybe he will discover something new, get curious, or write/design some future systems with which the work will be easier for us. Or maybe he will be a dick and scam his gym.
Sometimes I forget my RFID door access card at home when I go to work, and when this happens I must stay in the building for the rest of the day or have a friend let me in if I leave during the day (i.e. to go to lunch). My Galaxy S4 phone has NFC capability. Is it possible to record my RFID door access card to my phone so I can use my phone in lieu of my card for times when I forget my card? I have not found any apps which will do this, so I am wondering if the phone is even capable of performing this function.

Assuming the RFID system you are talking about only expects a key and then does a lookup in the user DB: usually a new UID is generated for each NFC transaction by phones. Some users have been able to maintain a static UID sent from the phone to the RFID receiver. A static UID will then send a constant 'key' across to the RFID receiver instead of a generated one, every time you try to swipe the device. To obtain the static UID, you need to change the firmware on your phone to only send one UID. Users on the [link] forum have achieved it on the Google Nexus S and EVO 4G LTE. Happy days!