RFID reader technology and cloning tags!

I am a retired computer admin. Bought arduino for a dollhouse project believe it or not. I am fascinated - I started going through the the basic start me kit but I wanted remote control and somehow landed on this channel, I wish I was back in school and you were my professor I LOVE your channel - always always interesting things. You think like me a lot when tinkering. Just absolutely fabulous....and the accent helps as well LOL!

At a secure, classified facility, where I used to work I remember digital door locks that used an LCD touchpad to enter the code to open the door. The twist was that the keyboard layout changed randomly each time, so you wouldn't be touching the same portions of the screen each time.

When you mentioned the wear marks on keypads it reminded me of a manager I had years back. He took offence to us night shift scum going in his nice warm office and using his lovely high end PC to generate stock control labels rather than using the temperamental old PC in our unheated portacabin in the yard. We'd been using his PC for months before he noticed, But as soon as he did he got very snotty about it. He had one of those mechanical code locks fitted to his door, So that night I drew along the underside of all the buttons with a whiteboard marker. Next evening I went back and saw the 4 buttons that had scuffs in the pen marks from being pushed in and guessed the code on the second attempt. I also found that he'd added a password to his PC........ Which was the same as the door code. :)
About a month later he confronted me and asked if we'd been in his office again (He was the kind of pedantic tit who'd leave a pen in exactly the same place on his keyboard every night to see if anyone had snuck in and used his precious COMPANY OWNED computer), Not wanting to flat out lie to management (On the off chance I'd left anything incriminating in his office the previous night), I said "Duh, Didn't you have a lock fitted to your door". He seemed quite happy with the answer and went away.
He never mentioned it again, But on my last night working there I did sneak in, set high scores on minesweeper and solitaire, And put my own name against them. I hope he eventually noticed. :)

I am a security systems technician and this is interesting. In terms of being able to short a power supply to open a lock, any good security tech will use 2 power supplies, one for the readers and one for the locks, using transistor switch relays to open the lock. These switches are kept low with a pull down resistor when the microcontroler initialises to prevent the relays from switching during starting.

I have been involved with projects that have "Wander Guard" systems. They work in reverse in that they LOCK the door if someone wearing the bracelet approaches. It is used to prevent Alzheimer sufferers from getting out of the assisted care facility through "street side" doors while allowing access to the garden areas.

The stand alone keypads are vulnerable to numerous attacks:- Copying the tags as you demonstrated, also its very easy to rip the plastic keypad off the wall to access the wires to the lock solenoid and bypass the keypad relay contacts too. Its also easy to unscrew the lid and hold down the tamper switch while bridging the contacts. Another trick is to use a stun gun on the keypad as it typically will cause the electronic and transistor driving the relay to go short and power and operate the lock too, this will destroy the keypad electronics however.

The history of RFID is really interesting. I'd recommend looking into the life and work of Leon Theremin (yes, like the instrument. That came out of the same research) and particularly into "The Thing", which is the single greatest covert espionage device ever created

BTW re. the resin encased unit it's worth Goggling wiegand replay attack, if you can access the wiring (e.g. by prising it off) then you can stick a simple dongle in the line that will record any cards presented to the reader, then the attacker comes along with their special card which tells the dongle to use a stored card code to open the door. I designed a custom in house system for the company I work for that uses an encrypted challenge/response link between the reader and the controller so a man in the middle dongle attack won't work. wiegand is a very weak protocol security wise yet still widely used.

I like it when you explain on the notepad. You can be a fantastic teacher in electronics!

I use NFC tags all the time around my home by just sticking them in different places around the house, so when I put the phone in that area the phone is set to do whatever I need like opening Google Maps when I get in the car.

I bought one of these units a few months back to use for my work room. it was fun to install and it keeps the kids out.

I actually use one of these units on my garage door.. I would never use it on my house door as I think it is easily hacked by just brute forcing the code.
As I'm not using the keypad and just the RFID function, I bought an RFID antenna from eBay, desoldered the antenna wires from the board and connected the external antenna. This antenna is outside my garage. It also gives a lot better response from the unit.
The antenna I used is this one: "External extend sencondary antenna for RFID access controller 125k 1.5m length"

My old place of work had one of those rfid readers for the office, a disgruntled employee had broken the system and we couldn't get into the office. Now I knocked the device off the wall and managed to bypass the system completely using a phone charger. This was a while ago so I hope things have improved by I don't think it has.

Casinos, crime done in style.
I love it, and so true

Ok, this was probably the most beneficial explanation of how passive tags or NFC tags actually work- that I have seen. Thank you for taking the time to explain it.

12345?! That's amazing! I have the same combination on my luggage!!

That blue handheld RFID copier worked alot better then I expected.
Lost my main keychain(in a lake) witch had 2 of my 3 tags to my apartment complex so I bought one of these since a new tag would cost ~30$.
Now I have 6 tags and the ability to make endless more for a total of ~19$. And I've learned that the security around these things are a complete joke.
And for fun I used it to make copies of my dad's RFID-card that he uses to acess secure sites with important IT-equipment around the country. It also worked.
You could quite easily disable the beeping-sound and then just copy someones tag in a crowded area or similar and Beep! Full access(assuming there isn't a number-combination that you don't know)

@18:58 looks like the little CMOS chip is used to pump current into the coil which is controlled by the Nuvoton MCU on the other side of the PCB. The MCU and the CMOS are both acting like an RFID reader, with all intelligence coded in the same MCU. The 4069 Inverter CMOS can output up to 25 mA with DS voltage near 15 VDC and up to 5 mA with DS voltage near 5 VDC - both can be sink or source currents. Not a bad current driver into the coil antenna when using the 12 VDC Switch Mode Power supply you mentioned later.

Often installed behind a nice thick laminated glass cover panel, giving a 5cm gap for clearance. Tag only mode though, and the gap means the magnet does not work, though the tags work fine. Glass is generally tough enough to hold up to vandalism.

An awesome eye opener. Not an awesome door opener.

RFID writers are quite useful when you have to make tons and tons of tags, probably embedded tags in your products to identify stuff.

I've got this idea that you're house is like Wallace and grommit.

You can even get tiny, passive RFID detecting stickers that will fit on a fingernail. Pretty cool but the range must be short.
I've been playing with the basic MFRC522 (13.56mhz) reader/writer as one of my first Rbpi projects (also incredibly simple circuitry), so this was informative. Thanks again Clive. You're a legend.

I'm 100% sure that this channel rocks!

That beeping drove everyone in the house crazy. love the video, very educational and informative!

We use RFID tags at my university for the accommodation buildings, they're tag only entrance with ID cards
I know they're quite strong because I can use my card in my wallet behind some other cards and it will work. The cards are like the thinner one you have.
Interestingly they're not NFC or like bank cards (which I think are also NFC, my phone will read my card), so I can't clone the card with my phone and use my phone to open the door
For the convenience over keys, they're useful and they don't appear to be the cheap generic ones like you showed so at least should be more secure

may i suggest you swap out the red led with a warm white one🙄

BigCliveDotCom is spot on about not being secure. One would be very surprised (or not) at how many are out there with this flaw. The eBay special he explains would (make that should) never be used where real security is needed or where multiple tags are issued, or where you want to know who comes in and when. Apparently, if you lose a tag, you can't remove it unless you wipe and reprogram all tags. The better ones just power a reader like Clive showed. The reader sends the chip's unique code to the micro which determines if the card has granted access at that time. Removing the reader does little towards granting unauthorized access. The better ones also have a facility code in the chip which can't be cloned (easily). As for the casino chips, they can also count what you have, track the tables you play at and movement in the casino.
Access cards don't store data, access codes, account balances or eye color. They are just electronic "keys" that identify which user's information is to be accessed in a central database.

I'm not sure why, but the phrase "having just sniffed someone else's tag" sounds faintly dirty. It is also the only video where I have heard that particular phrase. So good job on that.

Do more in depth on RFID!

Alzheimer's is heartbreaking. A nice policeman brought my mum home one day, after she went for a walk and the lady in the post office recognised that she wasn't herself. She had it bad, so letting her go wandering wasn't a safe option.

Can you do some projects with these RFID readers?

i administer an RFID security system and this video has been hugely educational, i'm saving it to rewatch later

I work on gates, and all of the access control devices. an unbelievable amount are set to default codes and so forth. also security tends to be perceived versus real. The keypad and RFID system we install at a housing place is not even remotely close to the same as what we install at let's say a shipping center. I however have wanted to make a tool to scan either tags and then emulate them or a gate remote emulator. you continued to mention a style type I was unfamiliar with maybe that is the uk/USA part but here I think what you are referring to is called Wiegand and [I say it wig and] is more of the communication from the "brains to the dumb reader " is that what you meant or no?

You know shit is about to get real when Clive pulls out his notepad.

I've got several of these modules and yes, if you use it just like putting it in front of the entrance it's not that secure - with some tricks you get access. As for me I put the entire system inside the house, I remove the internal coil and place it behind the door at the inside. The module is so sensitive that it can operate through some cm of wood, glass and even thin walls. So it's physically accessible just from the inside but with the right card you open the door from the outside - doing so, everything's getting pretty secure (moreover because of the fact, that nobody has to know, where the receiver-coil is placed to (behind the door / wall etc.) ...good thing.

The bosh or hid systems use a rolling code (sends a new id/code every use) system kinda like garage door openers so that is probably why the gadget didn't work on your work card.

I like the way u talk and explain ur contents . U can talk to an angry person and make them carm . U can be a good teacher

you may also open and make a brigde by wiring.Basicly put a wire between the 12V and the coil of the relay , this is what happen also for electric gates.Anyway my opinion is to have a controller far from the sensor and implement a protocol.Of course the relay has to stand so far from the door.

These are really fun to do projects etc.. I use one as a login method for my desktop.

The casino chips would be using 3.56Mhz and DES/AES Encryption. They would also have a worm memory section allowing one-type write of unique identifier. Also the long range card you showed had a coil with many more turns, the more turns allows is what give its range. Just like a transformer, the induced voltage is higher with more turns in the receiving coil - Therefore even if a small voltage is induced (because its far away from the transmitting coil) it will still amplify the voltage sufficiently to work.

I would suggest using the 13,56MHz RFID standards since they are way more secure with both 48-bit encryption and well as built-in EEPROM of about 1kB and a unique code on each tag that can be used, making cloning way more difficult. These are also the once used in many MTR/Travel cards etc. They use the PN532 reader chipset which is much more fun to play with since you can connect them directly to a Ardunio (many libraries are available). If you purchase the tags on eBay or Alibaba, 100 pcs cost less than 20p each.

It is a bit old video, but what about taking coils from few of these long range cards, and putting them together to increase sensitivity

19:41 what about that chip next to your pinky?

I did wonder whether a dedicated power supply is necessary. I ordered one of these on behalf of my brother-in-law who wants it protecting his front gate and the little leaflet (printed on a single sheet of toilet paper) indicated the maximum load to be

Interesting about cloning the tags like that! I always thought that RFID tags had a unique serial number in ROM, as well as - sometimes - a data storage user area, and that locks used that serial number. So cloning shouldn't work?
Or are these particularly shitetastic locks that read the user data area and not the serial number?

I'm sorry your mother has Alzheimer's. My great uncle died recently from that (and several other health problems). We took care of him and we watched him go from the nicest guy ever to just a complete jerk as a result of the Alzheimer's. Please remember that she can't control the way she acts and remember what she was and not what the disease makes her.

The chip at 17:40 is an 8052 microcontroller.

Hey Big Clive! We have a security system at work that uses 125Khz readers, and one was surplus to requirements a few years back. It's potted, but the terminals on the back are nicely labelled and there is a Wiegand library for Arduino, so I set it up to test damaged access cards at my desk. You probably could have done your mother's door access with a reader, an arduino and a solenoid release for the door. Simple and cheap.
The card your little rewriter wouldn't handle is probably an NFC MiFare card which uses 13.56Mhz. You can get an NFC shield for the Arduino Uno that will handle those but you then need to know the "A" value to decrypt the stored data.

I have the exact same system, have been using it for years but as a secondary system. It always struck me as a pain that you have deadlocks on all exit doors but you can't wind them out on your exit door. So using one of these pads, with electric deadlocks, mounted inside the house (so forget tampering issues) with a coil reader on the outside of the door frame. The fob then opens the electric deadlocks from outside and a button releases them from the inside, the keypad is never used. As soon as I leave the house the door shuts and deadlocks pop out. I then lock the door as normal. So now I have 3 bolts on the door.

The amount of Tekone access systems left with default passwords astounds me, nearly everyone I've ever worked on!

My work uses a card fob system like this for the employee door. When I get really early 6 AM shifts, as a part timer (even with 40+ hours a week, as I), one doesn't get a card, so one must stand at the door pressing the buzzer and waiting till someone kindly opens the door from the inside or comes along with a card. It's a very big building so sometimes the 10 night crew workers are on the other end and just don't hear it for twenty minutes. Now on cold winter Canadian mornings, this is a pain in the arse, literally.
Because of this video, I nabbed the exact same eBay RFID read/writer, asked our assistant manager if I could copy her card (as they're all the same, no ID chip, just the basic unlock code), and in two seconds, I had a fob on my keys that opens the door for me. I let our head honcho manager in on it and asked if I could use it, as we have security cameras and I wanna be all above board, and even he thought it was neat, and simply told me not to show it around and tell people I borrowed his card for that shift only. Been using it for three years now. So thank you for allowing me to not freeze my plums off every morning.

Clive - if you want some further explanation about these devices I'd be glad to help. I spent the last 7 years in door access installation and support before returning to IT (and I do this work at my current employer as well).
Cheers!

I injected a rfid chip into someone as part of their art college degree show a few years ago. If you scanned your phone over her hand it took you to her website to show more of her artwork.

Part of my last job was security, i looked after the access control, are you sure it's not Wiegand ? we used Wiegand/HID readers, small ones about 2" x 3", to bigger 3 foot x 2 foot which were designed for using from a vehicle.
I think the longer range is more about the size of the coil, though there could be a few more turns.
Shorting the reader power feed 'should' blow a dedicated fuse for that reader, which would then show a fault at the security hut

I would assume the extra lamp positions would be used for extra modes, maybe for telling you which building and room your key goes to in an apartment complex? Maybe it has an enhanced version somewhere that can control multiple doors on one building and the light tells which has opened

They had one on the computer room door at the place I used to work. Whenever the janitor would wipe down the walls near the sensing head, the doors would pop open, driving them bonkers. Cleaning lady told me, but we kept it our secret. Coffee machine in the same building had a beam at the bottom where the cup dropped. If you put your personal cup in the bottom, you got free copy. Perks of the accounting department. (and me)😁

So Clive, I am an electronics newbie, and I was wondering if that tech - that lite the leds on the test paper with the copper loop antenna- is what they use to wirelessly charge devices like my cell phone?

I have to bring my trash and plastic to underground collection bins down the street. The lid opens with a RFID card, the bag goes in and when i close the lid the bag falls down in the bin. We get billed once a year based in part on how many times you opened the lid.

Songle relays are reasonably good, they do last around a half million cycles before burning up ( literally) as the contacts disintegrate. Used in those L sealers, so I change a fair number of them, but they only cost 50p each.

Hi Clive, I hope your mother is doing alright! I know you mentioned her in a few videos (this and the pseudo GPS tracker one), so I thought I'd ask. Have a great weekend! I'm still waiting for you and your brother to do a video together - you both scotch and rum soaked, pie-eyed and playing with leaded solder and hot soldering irons! :)

Can that blue cloner clone whose white cards? Or just the little blue and yellow key tags?

Hehehe, the chinese one in the beginning is absolute shite, you can open the door with a larger neodemium magnet without getting it off the wall.. :P

I had one of those cheap RFID units on my shed for a long time but I changed the codes. Currently using one of my own design so if you rip the outside unit of the wall the door won't open.

could you post a link to devices in description?

Dear clive i have a magnetic lock installed on my friends dads warehouse and they wanted to use fobs which they are currently right now but me and my friend don't want to instead we would like to use the remote control with the receiver box now we don't have a clue how to wire up the remote because no manual came with it and the only manual we got was how to setup your new magnetic lock.
Thanks stephen

I'm chuckling at your phrase: 'Casino's are crime in style' 😆

I have keyboards with that same nuvoTon chip. I believe it is a 8051 mcu.

In addition to my previous comment. Reading and writing the fobs, with the new cards. The old 125khz simply gets powered up then transmit the code, the new ones initiate 2 way communications, where encryption can be used.

As a rough estimate, an RFID coil can pick up a card up to about 1.5x the width of the coil away, shopping anti theft sensors are 125Khz rfid systems with a larger coil, they didnt reinvent the wheel.
If you made your sense coil the size of the door trim, it would likely pick her up almost 1m away from door, you would defiantly have to change the correction capacitors for the coil for this mod, but it would work (you need the RLC of the coil and compensation caps to be resonant at the RFID frequency)

Why isn't this functionality in smartphones? I have nfc phone but not recognising the keycard at all.

What would be the best way to find all of your videos pertaining to your RFID setup for your mother? I quite like your videos & I’m very interested in setting up some RFID for my home, but number of different units & amount of information is somewhat overwhelming, so I’d like to know what all you used to determine a better starting point...

Equipped for extra leds? No, someone just cut up a Mastermind board :D

Oh shit.... I didn't know casinos had RFID tags in their poker chips... Never thought they would for some reason.

I think the more expensive door locking systems use a different standard (more secure) so you can't use your tag duplicator with them.
Have you tried using one of these cards with the door opener?

I looked at the older model of this reader (mine had a nuvoTon chip), along with some other cheap ebay RFID reader only modules, when teaching myself how RFID works. I actually made a small board with an AVR processor to replace the nuvoTon chip. The older board has all the antenna drive circuitry and filters to read out the signal in discrete components. It was a very interesting project teaching me a ton of analog electronics. I spent the better part of a summer building different types of active filters. Happy times =) I'm very curious to what the SOIC8 package on the button side of the board is. Perhaps a dedicated ASK demodulator?
Wiegand is a very simple serial protocol between the micro on the reader and the surrounding system. Communication between the tag and reader is Manchester encoded ASK, as far as I've seen. I've read about biphase and other protocols, but I think Manchester is the most common.

haha "Casinos - Crime done in style" Well said. Interesting and informative video

There's some sheltered accommodation for the elderly near here that has keypad entry on one building complete with voice feedback turned up to 11. Edit: Which of course reduces the its security to zero.

Clive.. Couldnt you have opened the device itself and run a very thin (single) line of copper around a particular area therefore acting as an aeriel?

Clive, I used to work in the casino industry for many years. It moved past it's criminal roots decades ago. And yes the technology used is really quite interesting. Especially the surveillance departments.

Where did u found that Jack Daniel's Chip? That one is still missing in my collection :p

Clive. I bought one of those Chinese blue cloners like yours and tried it with two different RFID tags and it didn't read either.
Are there only certain types compatible?

With using wiegand systems and to make it difficult to do a replay attack, you must secure the wiring so it is virtually impossible to access, also motion security cameras can catch an attacker attempting to modify a keypad. Another trick is to disable the wiegand input at the controller so access is only available at certain times.

@17:20 the Chip is: 8-bit MCU 8KFLASH 256B RAM 40MHz 2.4-5.5V --- so any MCU with similar of higher capabilities should do with the proper firmware code. Today it is not difficult to write our own RFID code.

Even the super expensive systems from Door King and Linear for high end buildings have easy to access exposed contacts in the controller. A child can open it with a paper clip.

9:20 The higher the number of turns, the higher the voltage. So the more sensitive cards are most likely using more turns to achieve the voltage necessary to run the chip.

Could i clone my buscard? I'am pretty sure it's RFID. I also just wan't to clarify that i am only doing this for entertaining reasons. The school i go to pays the bustrip anyway. And do you mind linking where you bought your RFID write/scanner?

Hah. I've got some Arduino code kicking around to read and emulate these RFID tags that I should really release one of these years. Can also talk to the reprogrammable ones used by those cloners over their native protocol; they're EM4305 chips emulating the read-only EM4100s according to my notes. Never got around to actually trying to reprogram them though, and my homebrew reader is finicky.
Your work RFID is likely one of the more secure challenge-response models, though most of those are hilariously broken. Random number generators that repeat the same pseudo-random sequence every power on, dubious homebrew encryption, that kind of thing.

I wonder if one of those individual RFID readers (as shown at 1:48 ) could be used as a NC or NO switch for an alarm system? They seem to come with 4 or 5 different leads coming out of them.

125khz rfid systems are now rare for access control. Instead, 13.56MHz rfid is much more secure, and there is no way you can copy a card without knowing all the memory access code. Some 13.56MHz rfid like mifare, the circuit inside the chip has been arranged in a secured fashion, such that it is very hard to hackit even by directly probing the silicon die.
however, 125khz rfid has longer reading range up to several meters. All you need to do is to increase the transmitted power from the reader. And you can setup memory access code for improved security, moreover, the unique TID could be used to generate the data inside the chip

hey clive, if your phone is capable of reading the NFC tags, then you can use your phone to read and write to the RFID tags. So you can literally dump data onto your phone, copy it, change it, and write it to another. Great for messing around with these. There few apps on the android google play

What would be your suggestion for a relatively cheap and secure RFID lock solution?

For those wondering, that chip is just a standard 8-bit microcontroller, it's not a dedicated RFID chip. That thing is as barebones as it gets lol.

Wyatt if you put a photo sensor behind a cheap RFID reader to a circuit behind the lock that shuts off receiving of the unlock command from the reader that has to be reset from the inside? But pin code system would still flawed, though.

Hey Clive, There's a history channel documentary called "Beat the wheel" about a group of students that built a wearable computer in the 70s that was used to predict roulette. Problems occcured when their perspiration short-circuited the vibration solenoids and the thing started to give them electric shocks. Think they got caught shortly thereafter. Worth a watch if you're interested in casinos and electronics.

For those who can't be arsed to research a 4069 is a x6 not gate/inverter chip.

In the white card what is the small chip name?

Love your videos Clive. Thanks

I'm not a 100% sure, but I think I'm drunk as hell.

At my university there's always one or two people every year that decide to have a bit of fun in cloning the RFID-based student cards since the original cards can be "loaded" up with money for vending machines and even the on-campus restaurants...