MiniPwner RFID

What is the MiniPwner RFID?

The MiniPwner RFID is a hardware hacking project that takes a cheap AD2000-M RFID lock and modifies it into an RFID snooper.

A big thanks to everyone who attended the THOTCON or DerbyCon talks.
A copy of the talk given at THOTCON and DerbyCon can be found here: THOTCON_2014_RFID_Hacking_Kevin_Bong.pdf

To Create the RFID Snooper:

This page contains the step-by-step instructions to modify the AD2000-M reader so you can collect EM400 RFID tag numbers.

Equipment Required:

  1. AD2000-M RFID lock.  If you search eBay for "RFID Proximity Lock" and buy one that looks like the picture below you should be good.
  2. An Arduino.  It has to be a 5 V board with a 16 MHz clock.  I prefer the Arduino Nano clone.
  3. Some solder, some small-gauge stranded hookup wire, and a soldering iron.
  4. A 9 to 12 V DC power supply.
  5. A multimeter (optional but very handy; you should have one anyway).

Step by Step process for snooper:

  1. Heat up your soldering iron and strip the ends of a couple of pieces of hookup wire.
  2. Remove the four screws holding the circuit board into the plastic case.
  3. Carefully tilt the circuit board over; do not break or kink the antenna wire or pull the antenna out of the plastic case.
  4. Solder a wire onto the ground terminal pin.  Note its color (use black if you have it).  This will go to the Arduino ground.
  5. Solder a wire onto pin 16 of the microprocessor.  Note the wire's color.  This is where the RFID signal is fed into the microprocessor, and it will connect to data pin 12 on the Arduino.  Pin 16 is the fifth pin up from the bottom on the right as you look at the button side of the board.  See picture - the white wire is soldered to pin 16 and the gray is soldered to ground (ignore the yellow and orange wires).  You can check that this is the correct pin with your multimeter: when the device is powered on the pin will show about 2.5 volts.  It's a signal oscillating between 0 and 5 volts, so your multimeter is showing the average.

  6. Reassemble your RFID lock.
  7. Connect your power adapter wires to the RFID lock using the screw terminals.
  8. Connect your two wires to ground and pin 12 of your Arduino.
  9. Connect your Arduino to your PC using a USB cable.  In this setup the USB cable provides power to the Arduino and is also the serial connection between the Arduino and your computer.
  10. Download and install the appropriate Arduino software for your computer.
  11. Download the Arduino source code for the EM400 snooper and decoder here.
  12. Open the EAD2000_EM400_Snooper file in the Arduino software.
  13. Compile and upload the program to your Arduino.
  14. When it says "upload complete", launch your Arduino serial monitor.  Make sure you have the right serial port selected and change the speed to 115200.

Scan one of the RFID tags that came with your lock.  The Arduino should report the serial number of the tag through the serial monitor.
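As an added example (not the snooper sketch linked above, nor any code from the project), here is a decoder for the 64-bit frame these tags transmit, assuming the tags are the EM4100 family that this page calls EM400: it scans a demodulated bit stream for the nine-one header, checks the row and column parity, and only then accepts the 40-bit ID. Parity is the only integrity the frame carries and there is no authentication, which is why any reader sees the ID in the clear and why this tag type by itself is a weak basis for access control. The sample stream and its ID 0x1234567890 are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* EM4100 frame as it arrives on the demodulated data line: 9 header ones,
 * 10 rows of 4 data bits + even row parity, 4 even column parity bits, and
 * one stop bit (0). 64 bits total; the 40 data bits are the tag ID. */
#define EM4100_FRAME_BITS 64
/* Check the 64 bits at *bits for a valid frame. Returns 0 and writes the ID
 * on success; -1 bad header, -2 row parity, -3 column parity, -4 stop bit. */
static int em4100_check_frame(const uint8_t *bits, uint64_t *id) {
    uint8_t col_parity[4] = {0, 0, 0, 0};
    uint64_t acc = 0;
    size_t pos = 0;
    for (; pos < 9; pos++)
        if (bits[pos] != 1) return -1;
    for (int row = 0; row < 10; row++) {
        uint8_t row_parity = 0;
        for (int col = 0; col < 4; col++) {
            uint8_t b = bits[pos++] & 1;
            acc = (acc << 1) | b;
            row_parity ^= b;
            col_parity[col] ^= b;
        }
        if (bits[pos++] != row_parity) return -2;
    }
    for (int col = 0; col < 4; col++)
        if (bits[pos++] != col_parity[col]) return -3;
    if (bits[pos] != 0) return -4;
    *id = acc;
    return 0;
}
/* The tag repeats the frame back to back, so the reader starts at an
 * arbitrary phase. Nine consecutive ones cannot occur inside valid data
 * (parity caps a run at eight), so the header plus the parity checks locate
 * the frame. Returns the frame's offset, or -1 if no valid frame exists. */
long em4100_find_id(const uint8_t *bits, size_t n, uint64_t *id) {
    for (size_t off = 0; off + EM4100_FRAME_BITS <= n; off++)
        if (em4100_check_frame(bits + off, id) == 0) return (long)off;
    return -1;
}
/* Constructed sample: five bits from the tail of a previous frame, then one
 * complete frame carrying the made-up ID 0x1234567890. */
const uint8_t kSampleStream[] = {
    0,0,0,1,0,                                   /* tail: column parity, stop */
    1,1,1,1,1,1,1,1,1,                           /* header */
    0,0,0,1,1, 0,0,1,0,1, 0,0,1,1,0, 0,1,0,0,1, 0,1,0,1,0, /* rows 1-5 */
    0,1,1,0,0, 0,1,1,1,1, 1,0,0,0,1, 1,0,0,1,0, 0,0,0,0,0, /* rows 6-10 */
    0,0,0,1, 0                                   /* column parity, stop bit */
};
```

On the Arduino the bit stream would come from sampling the pin 12 signal described above; the decoder itself is the same.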

RFID SPOOFER
My circuit is based on the design at http://wiki.smallroom.net/doku.php?id=terd:projects:rfidspoofer

More details can be found in the powerpoint presentation, slides 37-38

There are only a few components you need:
1. Transistor (which will act as a switch)
2. Resistor (reduces the current to the transistor)
3. Inductor (creates a resonant circuit when paired with a capacitor)
4. Capacitor
5. Arduino (turns the transistor switch on and off to create the signal)

For the Arduino, I like the Nano because it's small, it powers from USB, and you can get cheap clones for under $10.

The best inductor I've found is the one inside the blue RFID tags that come with the lock.  Pry out the coin-shaped cover on the front, use an X-Acto knife to cut through the middle of the existing circuit, and solder leads onto the existing pads (because it's tough to solder onto magnet wire).
If you are using the RFID tag inductor, the matching capacitor is 560 pF to get 125 kHz resonance.

If you end up needing to solder the magnet wire directly, I've found it works best to sand the coating off the end with a fine sandpaper.

Here is some basic code for the spoofer.