Alex Dib

Information Security Enthusiast

RFID Thief v2.0

12 Jul 2018 » all, rfid, tutorial

Overview

This post will outline how to build and use long range RFID readers to clone iClass, Indala & Prox cards used for Access Control.

Proxmark 3

If you are unfamiliar with the Proxmark 3, it is a general purpose RFID tool equipped with a high frequency (13.56 MHz) and a low frequency (125 kHz) antenna, used to sniff, read, clone and emulate RFID cards. There are currently 5 hardware revisions of the Proxmark 3; all run the same firmware and client software, but the hardware features differ between revisions.

The hardware revisions are:

  • Original
  • RDV1
  • RDV2
  • RDV3
  • RDV4

Long Range Readers

There are 3 main types of long range readers HID sells: the R90, the ASR-620 and the MaxiProx 5375. Each reader supports a different card technology:

  • HID iClass R90: iClass Legacy (13.56 MHz)
  • HID Indala ASR-620: Indala 26-bit (125 kHz)
  • HID MaxiProx 5375: ProxCard II (125 kHz)

Wiegotcha

Wiegotcha is the excellent Raspberry Pi software developed by Mike Kelly that improves upon the Tastic RFID Thief in the following areas:

  • Acts as a wireless AP with a simple web page to display captured credentials.
  • Automatically calculates the iClass Block 7 data for cloning.
  • Uses a hardware real-time clock (RTC) for accurate timestamps.
  • All-in-one solution that eliminates the need for custom PCBs and multiple breakout boards.
  • Runs from an external rechargeable battery.

Raspberry Pi Setup

This build will make use of the Raspberry Pi 3 to receive the raw Wiegand data from the long range readers and provide an access point to view/save the collected data.

MicroSD Card Setup

1. Download and extract Raspbian Stretch.

2. Download Etcher or any disk writer you prefer.

3. Write the Raspbian Stretch .img file to the MicroSD card using a USB adapter.

4. Unplug and replug the USB adapter to see ‘boot’ drive.

5. Edit cmdline.txt and add modules-load=dwc2,g_ether after the word rootwait so that it looks like this (the PARTUUID value is specific to the image you wrote, so keep whatever yours contains):

dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=PARTUUID=9cba179a-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait modules-load=dwc2,g_ether quiet init=/usr/lib/raspi-config/init_resize.sh splash plymouth.ignore-serial-consoles

6. Edit config.txt and append dtoverlay=dwc2 to the end of the file.

7. Create a blank file within the ‘boot’ directory called ssh.

Raspberry Pi Configuration

1. Connect the RPi to your local network and ssh to it as the default user pi with the default password raspberry.

2. Run sudo su to become the root user.

3. Clone the Wiegotcha repository to the /root directory.

cd /root
git clone https://github.com/lixmk/Wiegotcha 

4. Run the install script in the Wiegotcha directory.

cd Wiegotcha
./install.sh

5. Follow the prompts as requested, the RPi will reboot once completed. Be patient, this process can take some time.

6. After reboot, reconnect to the RPi using ssh and enter the following:

sudo su
screen -dr install

7. The RPi will reboot once more and the installation is complete.

The RPi will now broadcast the ESSID Wiegotcha; you can connect to it using the passphrase Wiegotcha. Wiegotcha assigns the static IP 192.168.150.1 to the RPi. Both the ESSID and the passphrase are documented defaults, and every credential the rig captures is readable by any client that joins the AP, so change the passphrase before taking the build into the field.

Wiring

Each reader requires a bi-directional logic level converter (LLC), which shifts the 5V Wiegand outputs of the readers down to the 3.3V the RPi GPIOs expect; the RPi GPIOs are not 5V tolerant, so never connect the reader data lines directly. For quality of life, I have added JST SM connectors so the different long range readers can be swapped quickly.

You may optionally add an external controller with switches to power the readers on/off and to enable/disable sound or vibration.

The following is a general overview of how the components are connected together. Pin numbers refer to the physical 40-pin header, not BCM GPIO numbers (pin 4 is 5V, pin 17 is 3.3V, pin 6 is GND, and pins 11 and 12 are GPIO17 and GPIO18 in BCM numbering):

General Wiring Diagram

RPi

  • GPIO Pins 1,3,5,7,9 -> Hardware RTC

RPi to Logic Level Converter

  • GPIO Pin 4 -> LLC HV
  • GPIO Pin 6 -> LLC LV GND
  • GPIO Pin 11 -> LLC LV 1
  • GPIO Pin 12 -> LLC LV 4
  • GPIO Pin 17 -> LLC LV

Long Range Reader to Logic Level Converter

  • LRR DATA 0 (Green) -> LLC HV 1
  • LRR DATA 1 (White) -> LLC HV 4
  • LRR SHIELD -> LLC HV GND

Raspberry Pi

1. Connect the Hardware RTC to GPIO pins 1,3,5,7,9.

2. Solder female jumper wires to a male JST SM connector according to the table below and connect to the RPi.

  • GPIO pin 4 -> Blue
  • GPIO pin 6 -> Black
  • GPIO pin 11 -> Green
  • GPIO pin 12 -> White
  • GPIO pin 17 -> Red


RPi wiring

RPi wiring alt

HID iClass R90

HID R90 wiring

1. Join wires from the HID R90 to the logic level converter according to the table below.

  • P1-6 (DATA 0) -> HV 1
  • P1-7 (DATA 1) -> HV 4
  • P2-2 (GROUND/SHIELD) -> HV GND

2. Solder female jumper wires from the logic level converter to a female JST SM connector according to the table below.

  • LV -> Red
  • LV GND -> Black
  • LV 1 -> Green
  • LV 4 -> White
  • HV -> Blue

3. Join Positive and Negative cables from the HID R90 to a DC connector/adapter.

  • P2-1 -> Positive (+)
  • P1-5 -> Negative (-)

HID Indala ASR620

The Indala ASR620 ships with a factory wiring harness that you can use; the shield wire runs inside the harness itself, so you need to slice open a portion of the harness to expose it.

Indala ASR620 wiring

1. Splice and solder wires from the Indala ASR620 to the logic level converter according to the table below.

  • Green (DATA 0) -> HV 1
  • White (DATA 1) -> HV 4
  • Shield -> HV GND

2. Solder female jumper wires from the logic level converter to a female JST SM connector according to the table below.

  • LV -> Red
  • LV GND -> Black
  • LV 1 -> Green
  • LV 4 -> White
  • HV -> Blue

3. Join Positive and Negative cables from the Indala ASR620 to a DC connector/adapter.

  • Red -> Positive (+)
  • Black -> Negative (-)

HID MaxiProx 5375

MaxiProx 5375 wiring

1. Join wires from MaxiProx 5375 to the logic level converter according to the table below.

  • TB2-1 (DATA 0) -> HV 1
  • TB2-2 (DATA 1) -> HV 4
  • TB1-2 (SHIELD) -> HV GND

2. Solder female jumper wires from the logic level converter to a female JST SM connector according to the table below.

  • LV -> Red
  • LV GND -> Black
  • LV 1 -> Green
  • LV 4 -> White
  • HV -> Blue

3. Join Positive and Negative cables from the MaxiProx 5375 to a DC connector/adapter.

  • TB1-1 -> Positive (+)
  • TB1-3 -> Negative (-)

Controller

Hearing a loud beep from your backpack when you intercept a card is probably not good. To avoid this, I made a makeshift controller to easily power the reader on/off and switch between sound, vibration or both.

Each long range reader contains a sound buzzer, either soldered or wired to the board; you can de-solder it and replace it with extended wires to the controller.

Within the makeshift controller you can splice/solder a sound buzzer (reuse the reader's), a vibrating mini motor disc, switches and a voltage display.

Makeshift Controller

Sound buzzer location per reader:

  • HID iClass R90: on the board (see R90 Sound picture)
  • HID MaxiProx 5375: on the board (see MaxiProx Sound picture)
  • HID Indala ASR-620: N/A, external

Tutorial

This section will show you how to clone the intercepted cards from the long range readers using the Proxmark 3.

iClass R90

iClass Legacy cards are protected by a master authentication key and by TDES keys. The master authentication key lets you read and write the encrypted application blocks of the card, but you need the TDES keys to encrypt or decrypt the contents of each block.

You can find the master authentication key in my Proxmark 3 Cheat Sheet post and in step 6 of this tutorial. The TDES keys are not publicly available; you will have to source them yourself using the Heart of Darkness paper.

The R90 reads the card, decrypts it and sends the resulting Wiegand data to Wiegotcha.

1. Assemble/Power on the components and connect to the RPi Access Point Wiegotcha.

2. Navigate to http://192.168.150.1 via browser.

Wiegotcha webpage

3. Place/intercept an iClass Legacy card on the long range reader.

4. Copy the data from the Block 7 column to the clipboard.

Capture Block 7

5. Encrypt the Block 7 data using the Proxmark 3. The encryptblk command needs the TDES key from the Heart of Darkness paper, which the Proxmark 3 client of the time reads from the file iclass_decryptionkey.bin in its working directory; without it the command cannot produce the encrypted block.

# Connect to the Proxmark 3
./proxmark3 /dev/ttyACM0

# Encrypt Block 7 data
hf iclass encryptblk 0000000b2aa3dd88

Encrypt Block 7

6. Write the encrypted Block 7 data to a writable iClass card.

hf iclass writeblk b 07 d 26971075da43c659 k AFA785A7DAB33378

Write Block 7

7. Done! If it all worked correctly, your cloned card will have the same Block 7 data as the original. You can confirm with the following:

hf iclass dump k AFA785A7DAB33378

Dump Card

Indala ASR620

1. Assemble/Power on the components and connect to the RPi Access Point Wiegotcha.

2. Navigate to http://192.168.150.1 via browser.

Wiegotcha webpage

3. Place/intercept an Indala card on the long range reader.

Capture Indala

MaxiProx 5375

1. Assemble/Power on the components and connect to the RPi Access Point Wiegotcha.

2. Navigate to http://192.168.150.1 via browser.

Wiegotcha webpage

3. Place/intercept a ProxCard II card on the long range reader.

4. Copy the data from the Proxmark Hex column to the clipboard.

Capture ProxCard II

5. Clone the Proxmark Hex data to a T5577 card using the Proxmark 3.

# Connect to the Proxmark 3
./proxmark3 /dev/ttyACM0

# Clone Proxmark Hex data
lf hid clone 2004060a73

Clone Proxmark Hex

6. Done! If it all worked correctly, your cloned card will have the same Proxmark Hex, FC & SC data as the original. You can confirm with the following:

lf search

Dump
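The DATA 0/DATA 1 wiring in the Wiring section and the lf hid clone step above are the two ends of one data path: the reader pulses DATA 0 for a 0 bit and DATA 1 for a 1 bit, Wiegotcha reassembles the bits and shows the FC, card number and Proxmark hex, and the Proxmark writes that hex to a T5577. The Python below is an added example for this post, not code from the original page or from Wiegotcha. It rebuilds a bit string from a pulse train, validates and decodes the standard 26-bit H10301 layout (even parity, 8-bit facility code, 16-bit card number, odd parity), and converts to and from the hi/lo Proxmark HID hex format, using the 2004060a73 value on this page as its worked case. The pulse train is constructed to match that value rather than taken from a real capture, and only the 26-bit format is handled; longer formats have their own layouts.

```python
"""Decode raw Wiegand data as it arrives on DATA 0 / DATA 1 and turn a 26-bit
H10301 frame into the hex string 'lf hid clone' expects.

Added example for this post; not code from the original page or from Wiegotcha.
Layouts used (standard, not assumptions):
  * H10301 26-bit: P(even) | 8-bit facility code | 16-bit card number | P(odd)
  * Proxmark 3 HID hex for a 26-bit card: hi word 0x20, lo word = a sentinel 1
    bit followed by the 26 Wiegand bits (e.g. 2004060a73 on this page).
"""

# A Wiegand reader pulses DATA 0 for a 0 bit and DATA 1 for a 1 bit. This pulse
# train is constructed (not a real capture) to reproduce the 2004060a73 example:
# 0 = pulse seen on DATA 0, 1 = pulse seen on DATA 1.
SAMPLE_PULSES = [int(b) for b in "00000001100000101001110011"]


def bits_from_pulses(pulses):
    """Rebuild the transmitted bit string from the sequence of line identifiers."""
    return "".join("1" if line else "0" for line in pulses)


def parity(bits):
    """1 if the number of set bits is odd, else 0."""
    return bits.count("1") % 2


def is_valid_h10301(bits):
    """True when the length and both parity bits check out for a 26-bit frame."""
    if len(bits) != 26:
        return False
    even_ok = parity(bits[1:13]) == int(bits[0])    # leading bit: even parity over bits 1-12
    odd_ok = parity(bits[13:25]) != int(bits[25])   # trailing bit: odd parity over bits 13-24
    return even_ok and odd_ok


def decode_h10301(bits):
    """Return (facility_code, card_number) or raise ValueError on a bad frame."""
    if not is_valid_h10301(bits):
        raise ValueError("not a valid 26-bit H10301 frame")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def encode_h10301(facility_code, card_number):
    """Build the 26-bit frame, including both parity bits, from FC and CN."""
    if not (0 <= facility_code < 256 and 0 <= card_number < 65536):
        raise ValueError("FC must fit in 8 bits and CN in 16 bits")
    body = f"{facility_code:08b}{card_number:016b}"
    p_even = parity(body[:12])          # makes bits 0-12 even
    p_odd = 1 - parity(body[12:])       # makes bits 13-25 odd
    return f"{p_even}{body}{p_odd}"


def proxmark_hid_hex(bits):
    """Argument for 'lf hid clone' in the Proxmark 3 client's hi/lo HID format."""
    if len(bits) != 26:
        raise ValueError("only 26-bit frames are handled here")
    lo = (1 << 26) | int(bits, 2)       # sentinel 1, then the 26 data bits
    return f"20{lo:08x}"


def bits_from_proxmark_hid_hex(hex_value):
    """Inverse of proxmark_hid_hex, e.g. to check what 'lf search' reads back."""
    value = int(hex_value, 16)
    hi, lo = value >> 32, value & 0xFFFFFFFF
    if hi != 0x20 or not lo & (1 << 26) or lo >> 27:
        raise ValueError("not a 26-bit HID Prox value")
    return f"{lo & ((1 << 26) - 1):026b}"


def describe_capture(pulses):
    """The fields a capture page would show for one card read."""
    bits = bits_from_pulses(pulses)
    fc, cn = decode_h10301(bits)
    return {"bits": len(bits), "fc": fc, "cn": cn, "proxmark_hex": proxmark_hid_hex(bits)}


if __name__ == "__main__":
    print(describe_capture(SAMPLE_PULSES))
```

Running the block decodes the page's 2004060a73 to facility code 3 and card number 1337 and re-encodes the pair back to the same hex, which is the check to run after lf search on the cloned T5577: if the bits read back do not pass is_valid_h10301, the clone or the capture is corrupt rather than merely a different card.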

Components

Most of the components can be found cheaply on eBay or your local electronics store, the most expensive components are the long range readers and the Proxmark 3.
