A Universal RFID Key
I recently bought an RFID door lock on eBay for $15 to lock my garage (so my neighbour can get at the tools if he wants).
It is well known that cheaper RFID technology has been rather insecure for the past few years.
Researchers have demonstrated a wide variety of cloning attacks, yet simple RFID tags are still used for access control.
Even my current employer uses them.
Not long ago I was reading Hack a Day and saw an amazing project someone had done: an RFID card with a keypad.
I couldn't get the image of that card out of my head for days;
it reminded me how much I had wanted to build an RFID spoofer myself.
The original author did not release the source code for their project, but they left enough clues.
So, in typical fashion, I built my own reader hardware so that I could view the data from a card and create my own version of the universal RFID key.
The key I made works beautifully on my garage door and on many other RFID readers I've tried!
I decided to release this because more people should be aware of the design flaws inherent in older RFID implementations, and so that others can make their own universal keys.
Will this key get you into any office protected by RFID?
Yes, it will, provided a few things are true:
1) the office must use 125 kHz RFID tags with the same coding standard as the one I designed this project for, and
2) you must have access to the number printed on the back of the tag.
With that number you simply enter it into the universal RFID key, which then emulates the tag.
Off you go.
I hope you enjoy building this project.
Remember, with great power comes great responsibility!
RFID, or radio frequency identification, is a term used to describe various standards that allow readers to read data stored in electronic "tags" without wires.
There are many common standards, coding formats and frequencies.
I will describe the 125 kHz standard commonly used in access control systems.
A 125 kHz RFID tag is usually packaged as a business-card-sized piece of plastic or as a disc.
The tag consists of a coil connected to a microchip.
When the tag is close to the reader, energy is coupled from the reader into the microchip inside the tag.
The reader's energy has a dual use:
first, it provides the power to run the card, and secondly, it provides the communication medium over which the data is transmitted.
Once powered up, the tag modulates the signal in a way the reader can detect, transmitting the bit pattern that has been programmed into the tag.
The reader then reads the bit pattern and passes it to the door controller.
If the bit pattern matches an authorised pattern, the door is unlocked.
If the bit pattern does not match an authorised pattern, the door stays locked.
In the RFID system I played with, the bit pattern looks like this:
1111111110010111000000000000001111011110101001010101000010101100
Describing this pattern properly actually takes a second page.
An interesting feature of the data transmission between the card and the reader is that the data is sent using Manchester encoding, a way of encoding data so that it can be transmitted over a single line while the clock information can still be easily recovered.
In Manchester coding there is always a transition at the mid-point of each bit.
To transmit a 1, the transition goes from low to high; to transmit a 0, the transition goes from high to low.
Because the transition is in the middle of each bit, you can be sure of latching valid data.
See this page for the details.
The card actually transmits its data by effectively shorting the output of its coil.
This places an additional load on the transmitter in the reader, which can be detected.
I started by building an RFID card reader (more details in a future article).
This showed me the data being sent while the card was transmitting its information.
The RFID card I bought has a number printed on the back.
This number tells you what data is contained in the card.
The card is printed with 0007820706 119,21922, and its transmission pattern is:
1111111110010111000000000000001111011110101001010101000010101100
The first sequence of nine 1 bits is used to tell the reader that a code is coming;
the reader also uses this sequence to lock onto the card data.
The stored data is transmitted in groups of 4 bits, with a parity bit at the end of each group.
The data can be broken down as follows:
00101 11000 00000 00000 01111 01111 01010 01010 10100 00101 0110 0
If we ignore the parity bit at the end of each group we have 0010 1100 0000 0000 0111 0111 0101 0101 1010 0010, which is 2 C 0 0 7 7 5 5 A 2, followed by the check word and the stop bit.
If we split this code into 3 groups, the code is 2C 0077 55A2: we have 2C, followed by 0077 (decimal 119),
and finally 55A2 (decimal 21922).
This corresponds to the 119,21922 printed on the card.
The same number is written another way on these cards, 0007820706 (in decimal),
which is simply the hexadecimal number 7755A2.
We now understand how the data is stored.
2C is a constant code sent by all the cards;
it is just a facility identifier for this RFID system.
How do the parity bits and the checksum work?
The last data transmitted by the card is a check word.
This is there to ensure that all the data has been received successfully.
First, the parity bit at the end of each data nibble is even parity.
This means the transmitter adds a 1 to ensure that each data block has an "even" number of "1" bits.
So if we look at a '2', which is 0010 in binary,
the parity system detects an odd number of "1" bits and a 1 is added to compensate.
Compare this with 'C', which is 1100: the parity system detects an even number of "1" bits, so a 0 is added.
0010 1   2
1100 0   C
0000 0   0
0000 0   0
0111 1   7
0111 1   7
0101 0   5
0101 0   5
1010 0   A
0010 1   2
0110     column parity (check word)
0        stop bit
Finally, the check word is a parity bit applied to each vertical column.
In this way every bit sent is covered by both a horizontal and a vertical check.
Everything has to line up, otherwise the reader simply rejects the transmission.
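As an added example (this is not code from the original project), here is a Python decoder for the format laid out above, working from the reader's side: it recovers the bits from the Manchester half-bit samples described earlier, checks the nine-bit header, the even row parity, the column parity and the stop bit, and returns the facility code and card ID. The 64-bit sample frame is constructed from the breakdown of the 2C 0077 55A2 card.

```python
HEADER = "1" * 9  # nine leading 1 bits that announce the code

def manchester_decode(halves):
    """Half-bit samples (two per bit) -> bits: mid-bit "01" is a 1, "10" is a 0."""
    if len(halves) % 2:
        raise ValueError("odd number of half-bit samples")
    bits = []
    for i in range(0, len(halves), 2):
        pair = halves[i:i + 2]
        if pair not in ("01", "10"):
            raise ValueError(f"no mid-bit transition at sample {i}")
        bits.append("1" if pair == "01" else "0")
    return "".join(bits)

def decode_frame(bits):
    """Check a 64-bit frame; return (facility_code, card_id) or raise ValueError."""
    if len(bits) != 64 or set(bits) - {"0", "1"}:
        raise ValueError("frame must be 64 bits of 0/1")
    if not bits.startswith(HEADER):
        raise ValueError("missing 9-bit header")
    nibbles = []
    for r in range(10):  # ten groups of 4 data bits + 1 even row-parity bit
        data, parity = bits[9 + 5 * r:13 + 5 * r], bits[13 + 5 * r]
        if data.count("1") % 2 != int(parity):
            raise ValueError(f"row parity error in group {r}")
        nibbles.append(int(data, 2))
    for c in range(4):  # even parity down each column of the ten nibbles
        ones = sum((n >> (3 - c)) & 1 for n in nibbles)
        if ones % 2 != int(bits[59 + c]):
            raise ValueError(f"column parity error in column {c}")
    if bits[63] != "0":
        raise ValueError("stop bit must be 0")
    value = int("".join(f"{n:04b}" for n in nibbles), 2)  # 40 data bits
    return value >> 32, value & 0xFFFFFFFF  # facility byte, 32-bit card ID

def is_valid_frame(bits):
    try:
        decode_frame(bits)
        return True
    except ValueError:
        return False

def printed_forms(card_id):
    """Both printed forms of the ID: 'high16,low16' and the plain 10-digit decimal."""
    return f"{card_id >> 16},{card_id & 0xFFFF}", f"{card_id:010d}"

# Constructed sample: the frame for the 2C 0077 55A2 card, and the half-bit samples
# a reader would see after Manchester modulation of it.
SAMPLE_FRAME = ("111111111" + "00101" + "11000" + "00000" + "00000" + "01111"
                + "01111" + "01010" + "01010" + "10100" + "00101" + "0110" + "0")
SAMPLE_HALVES = "".join("01" if b == "1" else "10" for b in SAMPLE_FRAME)
```

Note that the parity bits and check word are error detection only: nothing in the frame is secret, so a frame that passes every check proves only that it was received cleanly, not that it came from a genuine card.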
When I decoded the data from my work prox card it followed a similar sequence (for obvious reasons I won't actually publish those figures).
Again, part of the sequence is the facility code, and the rest of the sequence is the same number as printed on the back of the card.
So the next step was to figure out how to pretend to be a card.
I wanted a card into which I could type the card number, so it had to have a microprocessor and a keypad for entering the data.
The ATmega loads the 125 kHz RF field by means of a bridge rectifier.
When the micro's output is low, the diodes in the bridge are allowed to conduct the current induced in the coil, which effectively shorts it.
The reader detects the additional load, and so sees a transition at that point.
The job of the micro is simply to turn that output on and off in a way that makes sense to the reader.
So I created a board with the micro, power, keypad and some status LEDs.
The attached PDF is the complete schematic for the project.
You might notice that C6 is 0 pF;
this is intentional: C6 is a placeholder footprint that lets me fit either a 1000 pF surface-mount cap or a 1000 pF through-hole cap.
The coil is 100 turns of thin wire on an open former slightly smaller than the card outline.
The next step was the software.
Using the Arduino IDE, I implemented a simple menu system that lets me enter the facility and card ID data directly from the keypad.
I also provided a way to display the data using the LEDs I fitted to the board.
One problem I had was calculating the card data (parity and checksum) on the fly.
To be read successfully the card must output its data in real time (most readers need a good number of valid reads in a row),
and the delay added by the subroutines and calculations caused the card to output data that the reader saw as invalid.
I solved this by pre-populating a bit array, which is then sent while the card is transmitting its information.
That way the calculation is only done once.
When the card powers up, it waits for the "mode" button to be pressed.
The current mode number is displayed using a set of 4 LEDs.
The mode is incremented each time the mode button is pressed.
Once the correct mode is displayed, the "enter" key starts executing that function.
MODE 1 - Enter low power (sleep)
The card goes into low power mode and waits to be restarted by pressing the reset button, which wakes it up.
MODE 2 - Enter hexadecimal facility ID
The card waits for 2 digits to be entered, giving the facility code of this system (it's 2C in this case).
The software defaults to 2C, so there is no need to enter this.
MODE 3 - Enter decimal card ID
The card waits for 8 digits to be entered, giving the ID of the card to be spoofed (in this case 07820706).
This is the long number printed on the back of the card, not the 119,21922 number.
MODE 4 - Dump facility and card ID
The facility and card ID are dumped as hexadecimal digits using the 4 LEDs at the top of the card.
MODE 5 - Simulate card
Enters simulation mode and turns off all the LEDs.
You can only exit simulation mode by pressing the reset button.
The software relies on the standard Keypad library by Mark Stanley and Alexander Brevig.
I used the toner transfer method with magazine paper to etch the circuit board; see here for the details.
The etched PCB was cleaned up a little around the edges with a file, and holes were drilled for the IC legs.
Attached is the PDF file I used for the toner transfer.
To keep the device the same size as a normal prox card, I decided to build it on a small PCB the size of a business card.
I decided to use surface-mount buttons I bought from eBay, which meant all the components had to be soldered to the copper side of the PCB so that the buttons could be fitted and labelled.
I soldered the buttons first, then fitted the LEDs, resistors and capacitors.
Since I didn't have a surface-mount crystal, I had to fit a 16 MHz crystal on the underside of the PCB.
I also fitted 12 jumpers on the back of the card to connect the key columns together.
The next step was to fit the IC.
I didn't use a socket because I wanted to keep the board thin.
Next, I wound the coil.
I used a piece of scrap wood with 4 screws in it as a former and counted out 100 turns of 0.25 mm diameter winding wire.
Before removing the coil from the former, I wound a small amount of clear tape around each edge to make sure the coil didn't unwind.
I then fitted the coil and a small battery holder to the back of the PCB.
I'm very pleased with the result.
I used a standard 6-pin header fitted to the PCB so that an FTDI 5 V USB-to-RS232 cable can program the chip in situ.
This is particularly important because the ATmega chip is soldered directly to the PCB and therefore cannot be removed and plugged into a normal Arduino board;
it's a small price to pay for a nice compact project.
The chip is programmed with the Arduino sketch provided in step 4, using the normal Arduino IDE.
The .pde file I have provided is customised for the standard cheap eBay RFID system.
It is not the version for the other RFID readers I also have access to..... (I just wanted to mention that :-))
Testing was a breeze.
I entered the relevant code on the keypad, held the board up to the reader, and got a satisfying "beep" indicating a successful read.
It was equally satisfying to test it on the other readers I have come into contact with and earn unlimited geek points!!!
This was a "prove I can do it" project.
I've finished it, so it now sits on the shelf where I work, reminding others that a simple RFID system is not secure at all.
You are welcome to adapt this project as you wish; although you may have a master key to the kingdom, you still need the small number on the back of the access card before you can use the key yourself.
I have considered modifying my card so that it works like all the compatible RFID tags I hold.
I need to visit multiple work sites in my job and it would be great to carry one card, but I don't think that's a good idea..........
Will this work on all RFID systems? No, it won't.
That is a good thing.
The first RFID systems deployed years ago used a very simple protocol, limited by the intelligence of the chip in the card.
They also used a low frequency (125 kHz) carrier.
More modern systems use techniques to improve security, such as one-time codes, cryptography, bi-directional communication using an internal password, and higher frequencies.
As a result, it is a lot more work to spoof these systems.
But there are still a lot of the low-tech systems out there.
What can I do to protect my system?
First of all, don't equate cards with physical keys;
in simple systems they are not equivalent.
No visitor cards:
they are easy to copy.
If you do need visitor cards, implement a system where they are only active once they have been issued.
Enable anti-passback:
if the card system thinks you are in a specific room, make sure the card cannot be used in other rooms at the same time.
Remove the numbers from the back of the cards:
while they make it easier to enter the card details, they also make it easy for people to use those details for their own purposes.
Finally, look at how you can upgrade your access system away from a card system that can be fooled by $15 worth of parts. And,
no, buying a new $15 system from eBay is not the answer....