RFID projects have been pretty prominent recently, ranging from projects here on Instructables, to our local Silicon Chip magazine in Australia publishing an RFID door lock project in their November issue. Even I recently purchased an RFID door lock on eBay for $15 to lock my garage (so my front neighbor could get tools if he wanted to).
We have known that the cheaper RFID technologies were pretty insecure for a number of years. Researchers have demonstrated cloners of all varieties, but simple RFID tags are still being used for access control. Even my current employer uses them.
A while ago, I was looking at Hack A Day, and I saw an amazing project that somebody had made. It was an RFID card with a keypad on it. For the next couple of days, I couldn't get the image of the card out of my mind; the project reminded me of how much I wanted to build an RFID spoofer myself. The original author didn't release source code for their project, but they left enough clues that I could follow.
So, in typical fashion, I built my own reader hardware so I could have a look at the data from a card, and created my own version of the Universal RFID key.
The key I made works beautifully both on my garage door, as well as a number of other RFID readers I have tried!
I have decided to publish this, as more people should be aware of the design flaws that are inherent in older RFID implementations, and to allow others to make their own universal key.
Will this key let you into anybody's RFID protected office? Yes it will, assuming a couple of things are true:
- They have to be using 125kHz RFID tags that use the same encoding standard as I have designed this project for, and,
- You have to have access to the number printed on the back of the tag - with that number, you can simply key it into the Universal RFID key, and it will emulate that tag.
So there you go - I hope you enjoy making this project. - And remember, with great power comes great responsibility!
How does RFID work?
RFID, or Radio Frequency IDentification is the term used to describe a wide variety of standards that allow data stored within electronic 'tags' to be read by a reader without using wires. There are a number of standards, encoding formats, and frequencies in common use. I will describe the 125 kHz standard that is common for access control mechanisms.
125 kHz RFID tags are commonly encased in a business card sized piece of plastic, or a round disk. The tag consists of a coil of wire, connected to a microchip. When the tag is brought into close proximity to a reader, energy is coupled inductively from the reader to the microchip within the tag.
The energy from the reader has two uses: firstly, it provides power to run the card, and secondly, it provides a communication medium for data to be transmitted. Once powered up, the tag modulates the bit pattern that is programmed into it using a signal that the reader can detect. The reader then reads this bit pattern and passes it on to the door controller. If the bit pattern matches one that is authorised, the door will be unlocked. If the bit pattern does not match an authorised one, then the door won't unlock.
In the RFID system I was playing with, the bit pattern looked like this:
1111111110010111000000000000001111100010111110111101001111010000
I will describe what this pattern actually means in the next page.
One interesting feature of the data transfer between the card and the reader is that the data is encoded using Manchester Encoding, which is a way of encoding data so that it can be transmitted over a single wire while ensuring that the clock information can be recovered easily. With Manchester encoding, there is always a transition in the middle of a bit. If you want to transmit a 1, the transition would be from low to high, and if you want to transmit a 0, the transition would be from high to low. Because the transitions are in the middle of each bit, you can ensure that you have locked onto valid data. For a detailed description, have a look at this page.
The actual data is transmitted by the card effectively shorting the coil out - this applies an additional load to the transmitter in the reader, which can be detected.
The RFID cards that I bought have numbers printed on the back of them. This number tells you what data is stored in the card.
The card with 0007820706 119,21922 printed on it transmits this pattern:
1111111110010111000000000000001111011110101001010101000010101100
The first set of 111111111 bits are the start sequence - it is used to tell the reader that a code is coming - the reader also uses the sequence to lock onto the card data.
Data stored is transmitted in groups of 4 bits, with a parity bit at the end of every group. The data can be broken up as follows:
00101 11000 00000 00000 01111 01111 01010 01010 10100 00101 0110 0
If we ignore the parity bit at the end of every nibble, we have:
BIN | 0010 | 1100 | 0000 | 0000 | 0111 | 0111 | 0101 | 0101 | 1010 | 0010 | 0110     | 0
HEX | 2    | C    | 0    | 0    | 7    | 7    | 5    | 5    | A    | 2    | Checksum | STOP
This code is 2C 0077 55A2. If we break the code into 3 groups, we have 2C, followed by 0077 (which is 119 in decimal), and finally 55A2, which is 21922 in decimal - this corresponds to the 119,21922 printed on the card.
The same number is also written another way on these cards: 0007820706 (in decimal) is simply the hexadecimal number 7755A2. 2C is a constant code that is sent with all of the cards; it is simply a facility identifier for this RFID system.
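To make the layout above concrete, here is an added Python example (not code from the original article) that checks and decodes a 64-bit pattern of this format, rebuilds one from a facility code and card number, and shows that a single flipped bit is rejected by the parity checks. The names facility and number are my labels for the 2C prefix and the 32 data bits that follow it.

```python
HEADER = "1" * 9   # nine start bits that precede every tag's data

# Constructed copy of the pattern printed on the page for card 0007820706
CARD_PATTERN = "1111111110010111000000000000001111011110101001010101000010101100"


def decode_tag(bits):
    """Return (facility, number) from a 64-bit pattern, or None if any check fails."""
    if len(bits) != 64 or not bits.startswith(HEADER) or bits[-1] != "0":
        return None                                   # bad header or stop bit
    body = bits[9:-1]                                 # 10 rows of 5 bits + 4 column bits
    nibbles = []
    for i in range(10):
        data, parity = body[i * 5:i * 5 + 4], body[i * 5 + 4]
        if data.count("1") % 2 != int(parity):        # even parity per row
            return None
        nibbles.append(data)
    for col in range(4):                              # even parity per column
        if sum(int(n[col]) for n in nibbles) % 2 != int(body[50 + col]):
            return None
    value = int("".join(nibbles), 2)                  # 40 data bits
    return value >> 32, value & 0xFFFFFFFF            # 8-bit facility, 32-bit number


def encode_tag(facility, number):
    """Build the 64-bit pattern a reader expects for a facility code and card number."""
    data = f"{facility:08b}{number:032b}"
    nibbles = [data[i:i + 4] for i in range(0, 40, 4)]
    rows = "".join(n + str(n.count("1") % 2) for n in nibbles)
    cols = "".join(str(sum(int(n[c]) for n in nibbles) % 2) for c in range(4))
    return HEADER + rows + cols + "0"


def printed_forms(number):
    """The two ways the number appears on the back of the card, e.g. 0007820706 and 119,21922."""
    return f"{number:010d}", f"{number >> 16},{number & 0xFFFF}"


if __name__ == "__main__":
    facility, number = decode_tag(CARD_PATTERN)
    print(hex(facility), number, printed_forms(number))   # 0x2c 7820706 ('0007820706', '119,21922')
    assert encode_tag(facility, number) == CARD_PATTERN
```

Flipping any one bit of the body makes decode_tag return None, which is what lets a reader distinguish a clean read from noise on the coil.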
Part 2 - How do we emulate a card, Schematic