ฝัง
- เผยแพร่เมื่อ 27 ต.ค. 2018
- In video #223 I promised you we would hack and clone these cards. This is what we will do today. And we will not break any laws. If you just do what I show you.
Grüezi TH-camrs. Here is the guy with the Swiss accent. With a new episode and fresh ideas around sensors and microcontrollers.
RFID Tags are widely used for access control and many other applications. Today we will focus on access systems because many of them still are very primitive and I show you how we can clone cards in seconds using a cheap copier or an Arduino and a small board for a few dollars.
If you did not watch the introductory video, it might be a good idea to do that first.
In this video we will use
- an access control system consisting of
- a simple RFID reader for LF and HF cards
- the RFID board sent to me by Vedran in one of my last videos
- several RFID chips
- an RFID copier
- an Arduino Uno
- And a Proxmark3 Hacker RFID and NFC device
Links:
Chinese Proxmark3 Easy: s.click.aliexpress.com/e/98iDnEu
Official Proxmark3: amzn.to/2ENnCWp
Proxmark on eBay: ebay.to/2JhbwTP
LF RFID copier: bit.ly/2PXw0DP or
s.click.aliexpress.com/e/ccuQhobW
RC522: s.click.aliexpress.com/e/bpUw5E1K
RDM6300: s.click.aliexpress.com/e/br8RaIH6
"Magic Cards": s.click.aliexpress.com/e/XCWFsm8
T5577: s.click.aliexpress.com/e/cBHTXtLi
Supporting Material and Blog Page: www.sensorsiot.org
Github: www.github.com/sensorsiot
My Patreon Page: / andreasspiess
My Bitcoin address: 19FSmqbBzb5zsYB1d8Bq4KbxVmezToDNTV
the channel, please use the links below to start your shopping. No additional charges for you, but I get a commission (of your purchases the next 24 hours) to buy new stuff for the channel
For Banggood bit.ly/2jAQEf4
For AliExpress: bit.ly/2B0yTLL
For ebay.com: ebay.to/2DuYXBp
profile.php?...
/ spiessa
www.instructables.com/member/...
Please do not try to Email me or invite me on LinkedIn. These communication channels are reserved for my primary job - วิทยาศาสตร์และเทคโนโลยี
Always looking forward to see some new stuff coming from you. Keep up the good work!
Next will be the UHF tags...
Andreas Spiess, thank you so much for your videos. I am a system engineer at work and a micro controller hobbies at night. Your videos are very helpful. You are a very good teacher! Kudos to you from Canada! Steven Manzer
Thank you for your nice words! And have fun with your hobby. There are many viewers like you.
Subbed and liked the video. First time here and loving the content! thanks!
Welcome aboard the channel!
Hi Andreas, I really enjoyed this video ... felt like you were returning to your “roots” and what brought me to your channel at around 90 subs! I’ve been here almost as long as you it seems! ;)
Thank you for your continued support! I try to do different things in different episodes...
Great video as usual. This will come usefull to install access control to my workshop ! Thnxs for sharing.
I hope you will be able to design a "secure" shed lock!
Interesting video Andreas. I work for a distributor in electronic security, and I have never heard your theory about normal readers writing zeros to sector 0, however I like the idea. Normally if a more secure system is required, they don't use the UID but use the sector memory (Mifare classic) or application memory (Mifare Desfire). The NTAG's you showed in the video I have never seen used in security, but they will work on a reader that reads only the UID.
You are right. I mentioned that there are better cards available, and maybe they are also used in the "western" world and in the last years. However, the Chinese do not produce these simple "Wiegand UID" readers if nobody buys them...
And I hope I was able to make sure my viewers do not use them for critical tasks.
You are absolutely right. Many new systems sold today use Mifare UID or 125khz variants. But, as usual, price is the most important factor.
We have even seen systems installed where the client was sold a "secure" Mifare Desfire system but the didnt program the cards, just use the UID of the Desfire card.. But
Did you ever get the proxmark to work in emulation mode? I'm not able to replay an card that I use to open the wastebin
Thank you very much for such a detailed description! (Vielen Dank für Ihre ausführlichen und hilfreichen Informationen!)
Bitte, gern geschehen. Das sollte immer so sein auf diesem Kanal
4:06 HAHAHAHHA!!!!!! I LOVE THIS!!!!!!!
You can just so many codes and just hold it there on the scanner as the proxsmart just enters one after the other XD
Man this is awesome!
Very nice video!
I can't wait for the second part.
Hopefully next week...
Thanks for the video Andreas, you're spot on the money when it comes to the door system 'fighting back' if the defcon rfid videos are to be believed. Doing a full dump of the card and then loading the .eml into the simulator ought to work. (The command history is on another machine, else I would paste it here - let me know if you need more help!)
This video reignited my interest in smart cards again - thank you!
Thank you. Maybe I will come back. For the moment I did enough RFID :-)
Andreas Spiess so many things to do, eh? 🙂
Happy Sunday Morning again 😀🤗🏴
Have a nice Sunday, too!
What a fantastic video.
So for the latter issue, all we need is a switch on the card that makes the card not writable to the sector 0, and it would work at least for that particular security measures.
Maybe.
@@AndreasSpiess lab401.com/blogs/academy/know-your-magic-cards
OTW card is what we need.
I bought proxmark 3 as well. It is jolly good fun. Thanks for the awesome introduction!
Another great video. Happy Sunday :)
Thank you!
Love your videos, keep it up please :)
Thank you!
You are welcome!
An option to counterattack the counterattack would be changing sector 0 write key so that only you can change the UID. You should try that in another video.
This is a good idea!
@@AndreasSpiess There are also cards (on ebay) that are resistant (one time programmable, and alternate write commands)
www.ebay.co.uk/itm/UID-CHANGEABLE-GEN2-CHINESE-MAGIC-CARD-BLOCK0-1K-S50-IC-RFID-PROXMARK3-ACR122U/172911985741?_trksid=p2485497.m4902.l9144
Once again bravo,you did a very good video ,with only the important stuff we need to know and with no mich mach,that's why i support your channel, so we can profit for a very long time of your knowledge expertise and experience and of course tishka...schuss ....
Thank you! It is always my goal to save you time!
Very informative video. Thanks for the info on scanning your cat, that will save my puppy from my chasing her with the RFID reader. 😁🐩
She is not done. I ordered a better board ;-)
Andreas, Are you using the stock (@willok) firmware on the PM3 Easy? Or did you update the firmware/bootrom?
I used the iceman fork
Look like you have RFID tags everywhere on you. Not letting you near my forward door Andreas. Lol Have a great week mate.
Not yet. You have to wait for the UHF RFID video. They should bridge bigger distances...
Wonderful video, my friend. Thank you for sharing
You are welcome!
I've been looking at several options. Buying off the shelf is the easiest way, comfortable for waranty and support. The DIY approach is much better, but if I count everthing together, sometimes even more expensive. Tough decisions....
It depends also on the "fun factor" and the time you want to spend. At least, that are my points for decisions.
Nice review thanks for sharing 👍😀
You are welcome!
Very nice explane you about RFID
Thank you!
Excellent project 👍
Thank you!
Thanks for sharing Andreas, now I know that they are easily hack-able now with the right device.
You are welcome!
Kitty will be wearing a tinfoil hat if you keep scanning her :)
:-)
Most of of the rfid tag (and locks) are 125 kh right?
Studied Mifare classic for my dissertation. Use the proxmark3 to capture the communication between the card and lock should indicate what trickery is going on on the first scan. I suspect you’re on the money with rewriting sector 0. Some readers just check if it responds to a magic packet read command and flag the card on the backend. This seems a little more aggressive however.
Thank you for your input. I will not investigate further because it seems to be quite obvious that you are right.
Hey all,
I'm looking to understand RFID and how can a machine know what card it's scanned (to add more time to use it) and how can a card be disabled after using it once? Even with other machines..
Basically the card activate the machine to be used longer. However once scanned it doesn't work. Nor on other machines.
Are these cards coming pre programmed or even empty and the machine writes 0's?
Is it possible to copy that ID and just use it with your phone or a mini computer?
Does the machine read & writes so it tells the card it's not valid anymore?
All the help is appreciated
Interesting. As a hardware guy, I am quite interested into making a hacking tool myself 😄
Maybe you find some help online. The Proxmark diagram is public domain AFAIK. This would be a good start.
I have an rfid chip implemented. Looking forward to saving my credit card and my work key on it.
This will not be possible as credit cards cannot be copied easily.
@@AndreasSpiess Such a shame...
VIELEN DANK for video and your work in field
Your university: Cards cost $30 each kid.
Me: I only need it to gain access to buildings and printers, then just slap a photo of me on it XD
Thanks you so much this worked for me well and the sad cloned itself under 30 minutes
I have a Sureflap cat door and Surefeed cat feeder. It can read the ID-chip in the cat and it can also read the blue tags you started the video with.
My (aftermarket) Immobilizer in my car can read the blue tags.
So probably I can learn the Immobilizer to read the ID-chip in the cat ;-)
I hear about these Surefeed products. But they do not give information about the standards they support. So I have to dig a little more into the topic...
I hope you know your cat and do not need a reader to find out which is yours ;-)
@@AndreasSpiess, they support the standard pet id chips. One manufacturer say: "Pet-ID Microchips produce 134.2 kHz FDX-B microchips to ISO Standard 11784/11785 and to our manufacture’s code 958."
@@LeifNelandDk this cat understand and a dog got eat when food ready b
Have you tried to clone the original onto the 'magic' card using the MFRC522 library cloning sketch on the RC522 reader ?
I think I showed it in the video.
where did you get the pm3 universal GUI?
I used the iceman fork: rehmann.co/blog/simple-proxmark3-setup-windows/
Excellent review and I am the owner of four electric locks with three RFID TAG at 13.56 MHz, I would like to use the same RFID tags to turn on and off the electricity through an RFID card reader (used in hotel rooms) always at 13.56 MHz? In your opinion, can the RFID tags be read by both devices?
The number of the RFID chips are not encrypted and can be read by all readers which support the respective standard. However, there is no security (as I showed in this video).
Question: I know this is an old video but im a nerd and i love stuff like this. If you read a card with the blue gun shaped read&writer and click write on the scanner would it unlock or not work?
It all depends on the card (if it is encrypted or not)
@@AndreasSpiess Thank you, thats pretty cool
I’ve been playing with rfid myself this week. May have to look into the proxmark 3. Thanks.
So I hope you still discovered something new in the video...
Proxmark3 is very advanced for someone just starting, I'd start with something easier to learn and cheaper like MRF 522 card that connects to Arduino/Raspberry or a PN522 which has slightly more power and similar capabilities to Proxmark 3 in most respects
What do you think about MIFARE DESFire EV2? Can Desfire be cloned so easy like HID?
8:28 OH MY GOSH THAT'S MY WHOLE COLLEGE SUPPORT EVERY FORTNIGHT!!!
Hi, thanks for the video! Have you played with smartcards? Plain rfid cards seem not secure to me, but when I tried looking into wireless smartcards (with crypto), I couldn't find detailed howtos or diy usage examples :(
As you said, these cards are not widely used by Makers. So I will not cover them on this channel. At least not for now.
@@AndreasSpiess maybe if you cover them on your channel, you will popularize them amongst makers :) Anyway, thank you for your work!
Say if I wanted to clone my own debit card (in case I lose it while I am travelling overseas) do I just follow these steps?
No. They are encrypted.
Hacking and Cloning is the poor man's way of gaining access to your uni lecture after you lost your card XD
If the access control bits on a mifare are written to something invalid, the sector becomes unreadable. Maybe that happened? I just got started with this stuff as well in the past two weeks and am still waiting for my Arduino board.
Thank you for making this video, with your usual attention to detail. Great stuff!
I think so.
The system for sport timing is interesting... it reads and writes the RFID chips... I think they are 125kHz
I am not sure. From what I know they use UHF RFID tags because they have a bigger range.
@@AndreasSpiess I seem to remember a PCF7936AS or similar. There are many iterations of the technology though and the technique varies.
Is there no way to lock the Mifare's sector 0, in case of these newer readers?
I do not know :-(
Hi Andreas! For the MIFARE try cloning the entire card, sector 0 and every other sector. Maybe it’s not detecting the same information, i think this problem relays in your reader/lock system. I tried with not changeable cards copying all the data but block 0 and the reader gives me access authorization but doesn’t open the gate, for that i need to experiment with changeable cards, in order to solve it. I just have to buy them and wait 3 months for shipment. 😪
As I said, the sector 0 was completely wiped out after one read. That is why I assumed some "activities" of the reader. I am interested in your findings...
Cloning the entire card *works* at least on my limited testing, you can also load the data (the .eml file) into the simulator and use that.
Is to possible to fully secure the RFID tags? Are there any RFIDs which are impossible to clone?
The newer ones are safe (for the moment)
hello it's great what you do !! but I have a query for you. with the proxmark we can obtain information directly from the access panel
I do not understand :-(
I managed to kill my RC522 somehow. But the library is really good, you can bump the baud rate up to get a faster read on the card.
Fortunately, it is not a very expensive module :-)
Is possible to use the arduino library with an RDM6300? Thanks
Maybe you google??
Not sure about this, but do you think I'd be possible to somehow get a CPU to act as a SHF and open something? XD
What do lf and hf signals look like on an o-silly-scope? Maybe even you can see UHF depending on gear.
They are sine waves. Maybe you wait till next Sunday if you want to see UHF RFID signals ;-)
@@AndreasSpiess Yes but obviously they are modulated. Could you decode the packets manually? Maybe prove if the reader is wiping the magic cards?
That should be possible, but maybe not worth the effort. Because I saw the effect on the card (sector 0 all zeros), and the chance it was done by using standard commands is quite big.
@@AndreasSpiess the proxmark3 software has a listen function in lf and hf modes, so you can see the whole conversation that get transmitted over the air (according to the manual)
i prefer the magic mushrooms over the magic cards! :P ...Thanks Andreas :)
Never tried. Thanks for the tip ;-)
:)
Could you copy a uid to a magic card and than lock the card so it's write protected
Ahh another old school Andreas video!
I hope, old school does not translate into „boring“ ;-)
@@AndreasSpiess No the just the opposite. A hacking video. Where you teach us "how to " - I apologise if my comment seemed 'off''. :-)
I wanted to see you trying to scan the cat :-D
I only have two hands ;-)
Lol
So i have an acces card to open a door At my gym. I wonder if its possible to "clone" the acces card on my phone so i can hold my phone next to the Reader an it will open the door? ( the Acces card uses mifare classic)
I do not know. Each card is different. You have to try if it is protected or not.
Which software are you using with the proxmark?
PM3 (ICEMAN FORK)
@@AndreasSpiess How did you install/flash it to proxmark3 Easy?
Hello, I want to read the RFID card data on a INDALE 125khz RFID card. What reader card can I use to connect this to my arduino ?
Maybe you watch my #223 video?
I'm starting to study proxmark3, I wonder if you can give me an idea of where to start my studies, I'm kind of lost in this amazing world of RFID
I did some videos about the different RFID technologies. And I am sure you find many others. Proxmark is not a simple tool, though,
@@AndreasSpiess I know, and I really liked this technology, I wanted to learn in depth
Is it possible to clone a fob that says ICT POS 175? Using the MFRC522 I was having difficulty.
I do not know. I even did not find anything about this number
Not to be confused with magic mushrooms! 😀😄 Those do not support the hf mf csetuid command 😎
:-))
Trying to understand something here. Can someone with a proxmark literally clone a sak20 as i’ve seen in your description?
Only the older RFID models are not encrypted. I do not know the SAK20
When you clone a card onto a keyring chip, does the card become unusable? Or do they both still work?
A clone is a copy and the original is not changed.
@@AndreasSpiess ok thank you, didn't want to risk losing my card is all, great video
I like this Baba Engineer!
:-)
Can someone explain how to copy 125 KHz 26 bit AWID keyfobs? I can't find anywhere on the internet that shows how to do it, but it can't be that hard when companies offer the service for $20.
How do i program the reader? i have come chinese hotel door lock they dont provide front gate access control im thinking to put rfid reader there but how do i copy the rfid info from the Chinese system to the rfid reader?
Maybe you watch my other RFID videos?
I bought a Rfid cloner advice but in my case the chip can't be read. Any tips how I can fix that?
Most of today's RFID cards are encrypted :-(
@@AndreasSpiess whaaaat??? Thanks for the reply!
Any idea on best way to clone a card that has 7 bytes of data? Unable to find any Aurduino code that can do such a thing, can find some for 4 bytes just not 7.
Please help...
I do not know. Most current cards are encrypted anyway...
What about security RFID checkpoints? Is there any way to copy them on other RFID tag??
Only the old RFIDs can be copied. the newer are safe
@@AndreasSpiess Thanks a lot.
Im intrenet wird für das auslesen eine Tierchips folgnede Antenne vorgeschlagen ein Induktor mit 47 mikroHenry und ein ein Ohm Widerstand in Serie. Das erscheint mir eine so billige Lösung, das man sie einfachmal ausporbieren sollte. Sollte es damit funktionieren wäre es einfach klasse und erspart einem eine Menge Wicklerei.
Da mein Proxmark 134 kHz auslesen kann liegt es vermutlich nicht an der antenne, sondern eher am Code... Ich habe auch nicht viel darüber gefunden.
I was able to decode HID cards with Arduino. I am still working on trying to figure out how to clone them though
Good luck!
Hi Cameron Cobb, Can you tell me how to read HID cards? Do you use DIY reader?
Thanks!
You can use an android phone with nfc and the app nfc tools. With this I successfully emulate a mifare card and also re-write, and make backups of the card
You are right.
Reading is available to just about any Android with NFC, but emulation requires root, right?
I had a fair bit of fun on a recent trip reading the various hotel keys we got and comparing them, but didn't have any magic cards and couldn't get any kind of emulation to work on my unrooted phone.
Sir which card should I use then for a serious attendance project for a company.. a link to the card pls and can I print ID card on it?
You have to use the newer, encrypted cards which are not covered in this video.
5:16 FBI OPEN UP!!!!! AHAHHAHAH!!!!1
Hello, help to solve this problem: There is a need for the Arduino platform on the command (external button - for example) to turn on the stepper motor.
After performing the specified number of revolutions (1000), stop it and turn on the second stepper motor with a similar task (say 2000 revolutions)and stop.
After receiving the second command, the program runs everything in reverse order.
First the second motor 2000 rpm in the reverse direction, then the first 1000 revolutions in the opposite direction.
Need a sketch of the program, if possible with detailed comments, as your humble servant is a kettle in programming
With respect and hope.
This is an interesting project. Unfortunately I have no time to help.
@@AndreasSpiess I don't know this technique well. I was probably wrong when I thought it was a simple sketch. And it does not require much time from a professional. Thanks for the reply.
We work on cij printers they use rfid tags on their consumeable bottles how i can bypass the system ....
I have no idea :-(
@@AndreasSpiess can we bypass or brake security of any passive rfid
I do not want to clone but customize how do I do it thanks
has anybody tried using the Proxmark to simulate a card and use it on one of those readers that kill re-writable chips by trying to write all zeros before reading their ID?
surely the Proxmark will just keep on simulating the ID and not react to the instructions by the reader...
Hi Andreas, at sec 25 of this video you show a card from skidata. This is exactly the same I have to access the garage. I would like to duplicate it, how can I do this? What kind ok card it is?
Skidata is Swiss. So their cards are protected ;-)
@@AndreasSpiess hi Andrea, thank you for your fast reply. I perfectly understood... I'm Swiss too (biel). Tschüss
I am not sure how magic cards work, but with the newer CUID cards, block 0 can only be written to once. So if the reader tries to overwrite the CUID card with all 0's, it will fail to do so since block 0 becomes ROM once it is written to for the first time, just like the real cards
You are right. And most of the currently used cards are anyway encrypted.
@@AndreasSpiess Yeah, there are some rather sophisticated standards now. Of course, many people still use MIFARE Classic 1k and 4k which are easy to clone. Although one I tried to do recently had non standard keys for sectors 7 through 11... Those keys can be cracked though by exploiting one of the already read blocks performing a Nested Attack on the card, just takes a little more time than normal
is there a difference between t5577 cards and t5557 cards
I do not know the t5557 cards
Thanks really heiped with new ssd especially since they have dropped in prices!
Happy to help!
👍👏
Thank you!
Please dont says “thanks” dont lose your time. i m not waiting like or hearth.You are the best ;) i m happy when you are sharing new subject.
If you look at the other comment I always try to answer because I value also your time to write a comment. Not everybody writes one.
Chúc Kênh ngày càng thành đạt nhé
Cảm ơn!
Hello. I am having loads of trouble trying to lf sim a loaded pm3 file, what can I do to achieve this?
I do no more remember the details :-(
@@AndreasSpiess Thank you for the response though:)
Hi, I has been looking with not luck, I need a RF receiver in the frequency of 345Mhz (I believe 344.9Mhz), I want ro read my home RF alarm sensors to integrate it to my HomeAssistant, but don't find those, only find 315Mhz and 433Mhz, Can you please help me?? what should I do, is it possible modify the frequency on one of those or not?? Thanks a lot.
RF and RFID is not the same. I made videos on how to hack some of these sensors (40 and 433 MHZ). not easy :-(
@@AndreasSpiess Thanks for your answer, I’ll try to find those videos you are talking about. Thanks again
Can you clone the HID with this method? I want to clone my parking pass
No
Have you done anything with the Stanley RFID tags, they run at 153khz if the information is right,
No, I never heard of them :-(
@@AndreasSpiess oh well, not your fault, is it ok to post a link on here?
@@AndreasSpiess hopefully this will help, all the very best of luck in your endeavours 😃👍
I found them after your post. It seems to be a specialty...
@@AndreasSpiess I think that's how they keep it secure, a strange and different khz frequency range and possibly encrypted,
aren't you using high frequency card on low frequency reader?
The door Reader can read both. And the proxmark, too
Andreas with many varieties of RFID cards available does anyone make an 'identifier' yet? A device that would allow you to scan the card it's type and frequency be identified, does this exist?
I do not know if exists for all cards. For each class (LF, HF, UHF) readers generally, show you the type of the card.
@@AndreasSpiess yes but what to do if you do not know what type of card you are looking it? I guess have multiple readers is no big deal. Thank you for the reply and for your great videos, been a subscriber since #110.
Try to read it. Then you see which reader can read it.
Could this hypothetically work with credit cards?
No.They are encrypted
Hello, Is it possible to clone UHF Encrypted RFID card
I do not know.
Can someone test this reader and writer on catgenie cartridges?
link for proxmark software? or am I just blind...
This video was not about Proxmark. I use this firmware: rehmann.co/blog/simple-proxmark3-firmware-updating-guide-windows/
But it takes some time and googling to get everything working...
@@AndreasSpiess firmware link is broken :(