RFID reader technology and cloning tags!

At a secure, classified facility, where I used to work I remember digital door locks that used an LCD touchpad to enter the code to open the door. The twist was that the keyboard layout changed randomly each time, so you wouldn't be touching the same portions of the screen each time.

When you mentioned the wear marks on keypads it reminded me of a manager I had years back. He took offence to us night shift scum going in his nice warm office and using his lovely high end PC to generate stock control labels rather than using the temperamental old PC in our unheated portacabin in the yard. We'd been using his PC for months before he noticed, But as soon as he did he got very snotty about it. He had one of those mechanical code locks fitted to his door, So that night I drew along the underside of all the buttons with a whiteboard marker. Next evening I went back and saw the 4 buttons that had scuffs in the pen marks from being pushed in and guessed the code on the second attempt. I also found that he'd added a password to his PC........ Which was the same as the door code. :)
About a month later he confronted me and asked if we'd been in his office again (He was the kind of pedantic tit who'd leave a pen in exactly the same place on his keyboard every night to see if anyone had snuck in and used his precious COMPANY OWNED computer), Not wanting to flat out lie to management (On the off chance I'd left anything incriminating in his office the previous night), I said "Duh, Didn't you have a lock fitted to your door". He seemed quite happy with the answer and went away.
He never mentioned it again, But on my last night working there I did sneak in, set high scores on minesweeper and solitaire, And put my own name against them. I hope he eventually noticed. :)

I am a retired computer admin. Bought arduino for a dollhouse project believe it or not. I am fascinated - I started going through the the basic start me kit but I wanted remote control and somehow landed on this channel, I wish I was back in school and you were my professor I LOVE your channel - always always interesting things. You think like me a lot when tinkering. Just absolutely fabulous....and the accent helps as well LOL!

I have been involved with projects that have "Wander Guard" systems. They work in reverse in that they LOCK the door if someone wearing the bracelet approaches. It is used to prevent Alzheimer sufferers from getting out of the assisted care facility through "street side" doors while allowing access to the garden areas.

The history of RFID is really interesting. I'd recommend looking into the life and work of Leon Theremin (yes, like the instrument. That came out of the same research) and particularly into "The Thing", which is the single greatest covert espionage device ever created

Casinos, crime done in style.
I love it, and so true

I am a security systems technician and this is interesting. In terms of being able to short a power supply to open a lock, any good security tech will use 2 power supplies, one for the readers and one for the locks, using transistor switch relays to open the lock. These switches are kept low with a pull down resistor when the microcontroler initialises to prevent the relays from switching during starting.

I use NFC tags all the time around my home by just sticking them in different places around the house, so when I put the phone in that area the phone is set to do whatever I need like opening Google Maps when I get in the car.

I like it when you explain on the notepad. You can be a fantastic teacher in electronics!

The stand alone keypads are vulnerable to numerous attacks:- Copying the tags as you demonstrated, also its very easy to rip the plastic keypad off the wall to access the wires to the lock solenoid and bypass the keypad relay contacts too. Its also easy to unscrew the lid and hold down the tamper switch while bridging the contacts. Another trick is to use a stun gun on the keypad as it typically will cause the electronic and transistor driving the relay to go short and power and operate the lock too, this will destroy the keypad electronics however.

12345?! That's amazing! I have the same combination on my luggage!!

My old place of work had one of those rfid readers for the office, a disgruntled employee had broken the system and we couldn't get into the office. Now I knocked the device off the wall and managed to bypass the system completely using a phone charger. This was a while ago so I hope things have improved by I don't think it has.

Ok, this was probably the most beneficial explanation of how passive tags or NFC tags actually work- that I have seen. Thank you for taking the time to explain it.

I bought one of these units a few months back to use for my work room. it was fun to install and it keeps the kids out.

BTW re. the resin encased unit it's worth Goggling wiegand replay attack, if you can access the wiring (e.g. by prising it off) then you can stick a simple dongle in the line that will record any cards presented to the reader, then the attacker comes along with their special card which tells the dongle to use a stored card code to open the door. I designed a custom in house system for the company I work for that uses an encrypted challenge/response link between the reader and the controller so a man in the middle dongle attack won't work. wiegand is a very weak protocol security wise yet still widely used.

I'm 100% sure that this channel rocks!

That beeping drove everyone in the house crazy. love the video, very educational and informative!

I actually use one of these units on my garage door.. I would never use it on my house door as I think it is easily hacked by just brute forcing the code.
As I'm not using the keypad and just the RFID function, I bought an RFID antenna from eBay, desoldered the antenna wires from the board and connected the external antenna. This antenna is outside my garage. It also gives a lot better response from the unit.
The antenna I used is this one: "External extend sencondary antenna for RFID access controller 125k 1.5m length"

You know shit is about to get real when Clive pulls out his notepad.

@18:58 looks like the little CMOS chip is used to pump current into the coil which is controlled by the Nuvoton MCU on the other side of the PCB. The MCU and the CMOS are both acting like an RFID reader, with all intelligence coded in the same MCU. The 4069 Inverter CMOS can output up to 25 mA with DS voltage near 15 VDC and up to 5 mA with DS voltage near 5 VDC - both can be sink or source currents. Not a bad current driver into the coil antenna when using the 12 VDC Switch Mode Power supply you mentioned later.

I've got this idea that you're house is like Wallace and grommit.

An awesome eye opener. Not an awesome door opener.

i administer an RFID security system and this video has been hugely educational, i'm saving it to rewatch later

RFID writers are quite useful when you have to make tons and tons of tags, probably embedded tags in your products to identify stuff.

Alzheimer's is heartbreaking. A nice policeman brought my mum home one day, after she went for a walk and the lady in the post office recognised that she wasn't herself. She had it bad, so letting her go wandering wasn't a safe option.

Great video Clive! Thanks for making it available.

I'm not sure why, but the phrase "having just sniffed someone else's tag" sounds faintly dirty. It is also the only video where I have heard that particular phrase. So good job on that.

You can even get tiny, passive RFID detecting stickers that will fit on a fingernail. Pretty cool but the range must be short.
I've been playing with the basic MFRC522 (13.56mhz) reader/writer as one of my first Rbpi projects (also incredibly simple circuitry), so this was informative. Thanks again Clive. You're a legend.

That blue handheld RFID copier worked alot better then I expected.
Lost my main keychain(in a lake) witch had 2 of my 3 tags to my apartment complex so I bought one of these since a new tag would cost ~30$.
Now I have 6 tags and the ability to make endless more for a total of ~19$. And I've learned that the security around these things are a complete joke.
And for fun I used it to make copies of my dad's RFID-card that he uses to acess secure sites with important IT-equipment around the country. It also worked.
You could quite easily disable the beeping-sound and then just copy someones tag in a crowded area or similar and Beep! Full access(assuming there isn't a number-combination that you don't know)

BigCliveDotCom is spot on about not being secure. One would be very surprised (or not) at how many are out there with this flaw. The eBay special he explains would (make that should) never be used where real security is needed or where multiple tags are issued, or where you want to know who comes in and when. Apparently, if you lose a tag, you can't remove it unless you wipe and reprogram all tags. The better ones just power a reader like Clive showed. The reader sends the chip's unique code to the micro which determines if the card has granted access at that time. Removing the reader does little towards granting unauthorized access. The better ones also have a facility code in the chip which can't be cloned (easily). As for the casino chips, they can also count what you have, track the tables you play at and movement in the casino.
Access cards don't store data, access codes, account balances or eye color. They are just electronic "keys" that identify which user's information is to be accessed in a central database.

I like the way u talk and explain ur contents . U can talk to an angry person and make them carm . U can be a good teacher

Often installed behind a nice thick laminated glass cover panel, giving a 5cm gap for clearance. Tag only mode though, and the gap means the magnet does not work, though the tags work fine. Glass is generally tough enough to hold up to vandalism.

Love your videos Clive. Thanks

Do more in depth on RFID!

We use RFID tags at my university for the accommodation buildings, they're tag only entrance with ID cards
I know they're quite strong because I can use my card in my wallet behind some other cards and it will work. The cards are like the thinner one you have.
Interestingly they're not NFC or like bank cards (which I think are also NFC, my phone will read my card), so I can't clone the card with my phone and use my phone to open the door
For the convenience over keys, they're useful and they don't appear to be the cheap generic ones like you showed so at least should be more secure

I'm chuckling at your phrase: 'Casino's are crime in style' 😆

thanks friend. I learn a lot of things by watching your videos

These are really fun to do projects etc.. I use one as a login method for my desktop.

Hi Clive, I hope your mother is doing alright! I know you mentioned her in a few videos (this and the pseudo GPS tracker one), so I thought I'd ask. Have a great weekend! I'm still waiting for you and your brother to do a video together - you both scotch and rum soaked, pie-eyed and playing with leaded solder and hot soldering irons! :)

Great video as always Clive, please keep up the great videos :)

I literally took delivery of this same item just this morning!

Awesome video Clive. Really interesting.

haha "Casinos - Crime done in style" Well said. Interesting and informative video

Thanks for all the great entertaining videos clive, have a great new year and 2018 cheers 🍻

Hehehe, the chinese one in the beginning is absolute shite, you can open the door with a larger neodemium magnet without getting it off the wall.. :P

I've got several of these modules and yes, if you use it just like putting it in front of the entrance it's not that secure - with some tricks you get access. As for me I put the entire system inside the house, I remove the internal coil and place it behind the door at the inside. The module is so sensitive that it can operate through some cm of wood, glass and even thin walls. So it's physically accessible just from the inside but with the right card you open the door from the outside - doing so, everything's getting pretty secure (moreover because of the fact, that nobody has to know, where the receiver-coil is placed to (behind the door / wall etc.) ...good thing.

The amount of Tekone access systems left with default passwords astounds me, nearly everyone I've ever worked on!

I never really thought about how r.f.i.d works, thanks clive, very interesting system :-D

They had one on the computer room door at the place I used to work. Whenever the janitor would wipe down the walls near the sensing head, the doors would pop open, driving them bonkers. Cleaning lady told me, but we kept it our secret. Coffee machine in the same building had a beam at the bottom where the cup dropped. If you put your personal cup in the bottom, you got free copy. Perks of the accounting department. (and me)😁

I injected a rfid chip into someone as part of their art college degree show a few years ago. If you scanned your phone over her hand it took you to her website to show more of her artwork.

you may also open and make a brigde by wiring.Basicly put a wire between the 12V and the coil of the relay , this is what happen also for electric gates.Anyway my opinion is to have a controller far from the sensor and implement a protocol.Of course the relay has to stand so far from the door.

Interesting stuff. I've used keycards at work for 25+ years, most of them 125 KHz stuff, but I haven't dug into the details. I hope you'll do another one on the long range unit you ended up using at your mother's, as that might help me address a few issues as well.

The casino chips would be using 3.56Mhz and DES/AES Encryption. They would also have a worm memory section allowing one-type write of unique identifier. Also the long range card you showed had a coil with many more turns, the more turns allows is what give its range. Just like a transformer, the induced voltage is higher with more turns in the receiving coil - Therefore even if a small voltage is induced (because its far away from the transmitting coil) it will still amplify the voltage sufficiently to work.

Equipped for extra leds? No, someone just cut up a Mastermind board :D

I learnt all about rfid via an arduino, its fun stuff to learn!

this guy is very informative, i've posted links to his videos on my own website

Thank you for doing what it is you do!

The bosh or hid systems use a rolling code (sends a new id/code every use) system kinda like garage door openers so that is probably why the gadget didn't work on your work card.

I have keyboards with that same nuvoTon chip. I believe it is a 8051 mcu.

This has to be one of the most informative vids I have seen in a long while

My work uses a card fob system like this for the employee door. When I get really early 6 AM shifts, as a part timer (even with 40+ hours a week, as I), one doesn't get a card, so one must stand at the door pressing the buzzer and waiting till someone kindly opens the door from the inside or comes along with a card. It's a very big building so sometimes the 10 night crew workers are on the other end and just don't hear it for twenty minutes. Now on cold winter Canadian mornings, this is a pain in the arse, literally.
Because of this video, I nabbed the exact same eBay RFID read/writer, asked our assistant manager if I could copy her card (as they're all the same, no ID chip, just the basic unlock code), and in two seconds, I had a fob on my keys that opens the door for me. I let our head honcho manager in on it and asked if I could use it, as we have security cameras and I wanna be all above board, and even he thought it was neat, and simply told me not to show it around and tell people I borrowed his card for that shift only. Been using it for three years now. So thank you for allowing me to not freeze my plums off every morning.

I have the exact same system, have been using it for years but as a secondary system. It always struck me as a pain that you have deadlocks on all exit doors but you can't wind them out on your exit door. So using one of these pads, with electric deadlocks, mounted inside the house (so forget tampering issues) with a coil reader on the outside of the door frame. The fob then opens the electric deadlocks from outside and a button releases them from the inside, the keypad is never used. As soon as I leave the house the door shuts and deadlocks pop out. I then lock the door as normal. So now I have 3 bolts on the door.

I would suggest using the 13,56MHz RFID standards since they are way more secure with both 48-bit encryption and well as built-in EEPROM of about 1kB and a unique code on each tag that can be used, making cloning way more difficult. These are also the once used in many MTR/Travel cards etc. They use the PN532 reader chipset which is much more fun to play with since you can connect them directly to a Ardunio (many libraries are available). If you purchase the tags on eBay or Alibaba, 100 pcs cost less than 20p each.

So Clive, I am an electronics newbie, and I was wondering if that tech - that lite the leds on the test paper with the copper loop antenna- is what they use to wirelessly charge devices like my cell phone?

Clive - if you want some further explanation about these devices I'd be glad to help. I spent the last 7 years in door access installation and support before returning to IT (and I do this work at my current employer as well).
Cheers!

I had one of those cheap RFID units on my shed for a long time but I changed the codes. Currently using one of my own design so if you rip the outside unit of the wall the door won't open.

may i suggest you swap out the red led with a warm white one🙄

I'm sorry your mother has Alzheimer's. My great uncle died recently from that (and several other health problems). We took care of him and we watched him go from the nicest guy ever to just a complete jerk as a result of the Alzheimer's. Please remember that she can't control the way she acts and remember what she was and not what the disease makes her.

I work on gates, and all of the access control devices. an unbelievable amount are set to default codes and so forth. also security tends to be perceived versus real. The keypad and RFID system we install at a housing place is not even remotely close to the same as what we install at let's say a shipping center. I however have wanted to make a tool to scan either tags and then emulate them or a gate remote emulator. you continued to mention a style type I was unfamiliar with maybe that is the uk/USA part but here I think what you are referring to is called Wiegand and [I say it wig and] is more of the communication from the "brains to the dumb reader " is that what you meant or no?

I did wonder whether a dedicated power supply is necessary. I ordered one of these on behalf of my brother-in-law who wants it protecting his front gate and the little leaflet (printed on a single sheet of toilet paper) indicated the maximum load to be

Where did u found that Jack Daniel's Chip? That one is still missing in my collection :p

I've used this in my company restricted access areas. Cheap and easy ones.

Interesting about cloning the tags like that! I always thought that RFID tags had a unique serial number in ROM, as well as - sometimes - a data storage user area, and that locks used that serial number. So cloning shouldn't work?
Or are these particularly shitetastic locks that read the user data area and not the serial number?

Hey Big Clive! We have a security system at work that uses 125Khz readers, and one was surplus to requirements a few years back. It's potted, but the terminals on the back are nicely labelled and there is a Wiegand library for Arduino, so I set it up to test damaged access cards at my desk. You probably could have done your mother's door access with a reader, an arduino and a solenoid release for the door. Simple and cheap.
The card your little rewriter wouldn't handle is probably an NFC MiFare card which uses 13.56Mhz. You can get an NFC shield for the Arduino Uno that will handle those but you then need to know the "A" value to decrypt the stored data.

I wonder if one of those individual RFID readers (as shown at 1:48 ) could be used as a NC or NO switch for an alarm system? They seem to come with 4 or 5 different leads coming out of them.

I looked at the older model of this reader (mine had a nuvoTon chip), along with some other cheap ebay RFID reader only modules, when teaching myself how RFID works. I actually made a small board with an AVR processor to replace the nuvoTon chip. The older board has all the antenna drive circuitry and filters to read out the signal in discrete components. It was a very interesting project teaching me a ton of analog electronics. I spent the better part of a summer building different types of active filters. Happy times =) I'm very curious to what the SOIC8 package on the button side of the board is. Perhaps a dedicated ASK demodulator?
Wiegand is a very simple serial protocol between the micro on the reader and the surrounding system. Communication between the tag and reader is Manchester encoded ASK, as far as I've seen. I've read about biphase and other protocols, but I think Manchester is the most common.

Clive. I bought one of those Chinese blue cloners like yours and tried it with two different RFID tags and it didn't read either.
Are there only certain types compatible?

Cheers, I always thought it was the length of wire giving of a radio frequency like how a antenna is tuned, never realised it was a chip inside.

Songle relays are reasonably good, they do last around a half million cycles before burning up ( literally) as the contacts disintegrate. Used in those L sealers, so I change a fair number of them, but they only cost 50p each.

I'm not a 100% sure, but I think I'm drunk as hell.

With all your electronic toys, it seems your most valuable tool is your notepad. ;->

Hey Clive, There's a history channel documentary called "Beat the wheel" about a group of students that built a wearable computer in the 70s that was used to predict roulette. Problems occcured when their perspiration short-circuited the vibration solenoids and the thing started to give them electric shocks. Think they got caught shortly thereafter. Worth a watch if you're interested in casinos and electronics.

If you look on the last page of your passport, you'll see the exact same fine ring of wire with a tiny chip all laminated on.

Hah. I've got some Arduino code kicking around to read and emulate these RFID tags that I should really release one of these years. Can also talk to the reprogrammable ones used by those cloners over their native protocol; they're EM4305 chips emulating the read-only EM4100s according to my notes. Never got around to actually trying to reprogram them though, and my homebrew reader is finicky.
Your work RFID is likely one of the more secure challenge-response models, though most of those are hilariously broken. Random number generators that repeat the same pseudo-random sequence every power on, dubious homebrew encryption, that kind of thing.

So when a fob is programmed, does it program it by attenuating the signal to a proper level that the transmitter can open? Or something else going on?

The MK Grid 6- or 8-gang box is perfect for containing that PSU, if anyone is interested ;)
It also makes a nice backplate for the control pad.

You can make these writeable FOBs yourself with a spool of wire and an AT-Tiny85

Could you open one of them by making a coil then attacting a DC motor to the + & - to the coil the power the motor near the door lock thing.so it gives off a RF frequency?are does it need to be a certain frequency.thanks for showing

In addition to my previous comment. Reading and writing the fobs, with the new cards. The old 125khz simply gets powered up then transmit the code, the new ones initiate 2 way communications, where encryption can be used.

I would assume the extra lamp positions would be used for extra modes, maybe for telling you which building and room your key goes to in an apartment complex? Maybe it has an enhanced version somewhere that can control multiple doors on one building and the light tells which has opened

Holy cow man I seen quotes once for 500 long range rfid tags and 2 readers for cars/gates it was like $80k installed

The chip at 17:40 is an 8052 microcontroller.

Hi Clive thanks for the video..was wondering if you had come across the zizzle zoundz a weird music making kinda toy really but great fun..though not easy to find cheap now. I got one years ago from a cheap shop for about £8 new. They have RFID coils / chips in them and different sounds / beats per object depending on which pad you put them on.

What would be the best way to find all of your videos pertaining to your RFID setup for your mother? I quite like your videos & I’m very interested in setting up some RFID for my home, but number of different units & amount of information is somewhat overwhelming, so I’d like to know what all you used to determine a better starting point...

19:41 what about that chip next to your pinky?

We use those to get into our work. Now i want to clone some tags

2:16 ah, the nuvoton microcontroller. Classy

With using wiegand systems and to make it difficult to do a replay attack, you must secure the wiring so it is virtually impossible to access, also motion security cameras can catch an attacker attempting to modify a keypad. Another trick is to disable the wiegand input at the controller so access is only available at certain times.

Please do more things with RFID

Can you do some projects with these RFID readers?