Monday, August 29, 2011

RFID tag cloned using an ATtiny85 and a 1 mH inductor

Following http://svn.navi.cx/misc/trunk/avrfid/avrfid.S I was able to clone my company parking lot's RFID card to an ATtiny85 microcontroller with an inductor connected to its external clock pins.

This was made possible thanks to the advice (and code) from a nice guy from the #avr channel on Freenode nicknamed 'RikusW'.

Thanks to him, I was able to use another ATtiny85 chip I had as the clock source to reprogram what I thought was a "bricked" ATtiny85 after programming its LFUSE byte to use an external clock.

The ATtiny85 on the right is programmed to provide the external clock for the ATtiny85 on the left

I've also added an on/off switch for the RFID skimmer:

Unfortunately I must place the tag _really_ close to the reader. But it does work:


Sunday, August 21, 2011

Programming an ATtiny85 on a breadboard using AVR-ISP500 (STK500 compatible) AVR programmer

So I finally got my AVR programmer and I wanted to program my ATtiny85 MCU, to act as an RFID tag.

I got the code for the ATtiny85 RFID emulator from here and you can read more about that project there.

Since I have never programmed an AVR before, I had to read a lot to figure out how simple it is to hook up an AVR to the programmer on a breadboard.

This blog post might be helpful to those who want to just get their AVR programmed right away.

Parts needed:
- AVR-ISP programmer

- ATtiny85 MCU

- Breadboard

- 3 x 1.5 V battery box with 3 x 1.5 V batteries - I was able to find only a 4 x 1.5 V battery box, so I soldered a wire in place of one battery.

- 40pin Breakaway header - picture shows the 12 pins I have left, after using a bunch already...
- 6 Breadboard wires

Steps:
-------
- Mark the breadboard wires like so: VCC, GND, RST, MISO, MOSI, SCK - I used white duct tape: cut a little piece, stick it to a cable and write the letters on it with a pen.

- Break two pieces of 3 pins from the 40-pin breakaway header

- On one 3-pin header, using pliers, bend the long legs at a 90-degree angle, then again - to give you a shape like so:
- Place the two 3 pin headers next to each other but on different sides of the breadboard - this allows for connecting a separate wire on each of the ISP connector's pins.
- Plug the ATtiny85 MCU in parallel to the "ISP header"
- Wire the pins according to the datasheet


Taken from Olimex's AVR-ISP500 user's manual

- Connect the ISP connector to the 2x3 connector - make sure the ISP connector's pin 1 is connected to the MISO-marked wire, and connect the battery pack to the ATtiny85's VCC and GND pins
- Done. You can now program the ATtiny85 with avrdude, which is included in WinAVR

Wednesday, August 10, 2011

Playing around with Arduino - update

So I still have to implement an RFID tag spoofer for my project, but I've managed to get a few things done this evening:

I've made a small connector for the 9 V battery and I've broken up the plastic casing of a USB extension cable - so now my reader is small and portable as I planned it to be :-)

I need to add a switch for the battery cable, as it's a pain to open up the device and unplug the battery to turn the thing off... I just didn't have a switch lying around - I might purchase one or disassemble one from a wrecked helicopter I've got lying around...

The connector I've made for the 9 V battery, as well as a view of the USB extension cable with its male connector casing removed.

Small, self-contained and fully portable :)
 


Playing around with Arduino

So I got myself an Arduino Mega 2560. I ordered one as I wanted to experiment a little with RFID signals and also, since I'm a geek, I wanted to play around with micro-controller programming.

This is what it looks like:

Front of Arduino Mega 2560 - from http://www.arduino.cc


Here you can read more about the specs of this board.

So to play with RFID, I needed an RFID reader module. I had two options to choose from - either buy an RFID module chip, that I'll be soldering to a PCB which I'll have to make, or go the easy route and buy a USB RFID dongle that acts as an HID keyboard.

I chose the easy route, as I like keeping things simple when possible, as well as being able to use my Arduino (as well as the RFID reader) for other projects.

Arduino USB Host Shield 2 - from http://www.circuitsathome.com

But how can I connect the USB RFID dongle to the Arduino? Well, Circuits@Home have made a nice Shield for the Arduino: "The initial goal of the project was to develop Arduino code supporting USB Host controller in order to communicate with USB peripherals, such as keyboards, joysticks and cameras." - [http://www.circuitsathome.com/arduino_usb_host_shield_projects]

These are (almost) all the needed parts for the project I wanted to build - an RFID tag sniffer that will collect RFID tag information and store it in memory. I wanted it to be small and portable, so I ordered a nice case for the Arduino as well as a 9 V battery connector.

This is what it looks like, all soldered and hooked up:

I still have a few things unfinished:
- make a small shield to connect the battery to the Vin and Gnd pins on the Arduino, so I don't have a dangling battery connected to the Arduino and it all can sit nicely in the case.
- solder a USB female connector with wires to a USB male connector and place it just above the Arduino's USB port - to move the USB Host Shield's USB port to a location that will allow me to close the lid and be able to plug and unplug the RFID reader dongle.
- implement an RFID tag spoofer shield that can fit in the same casing, allowing me to switch operation from sniffing to spoofing mode - should not be hard once I get my ordered coils and inductors...

For the code, I've used the sketch developed by darran @ Arduino USB Keyboard Passthrough, modified it a bit to work with my reader module and be able to store read card numbers to the EEPROM of the Arduino.

It assumes the RFID tag code is 10 digits long, so every 10 'keystrokes' (remember, the USB RFID module is an HID device) will be treated as a new RFID tag ID - if it's unique, it will be stored in EEPROM. The code also limits the number of stored cards to 255, as I'm using a single byte as an index - this can easily be changed to support the maximum number of cards that fit in the available EEPROM memory (4k available EEPROM storage / 10 bytes per card ~= 400 cards) or, if more card storage is needed, there are options available for adding additional storage to an Arduino.

[Edit: As I don't need to store the hex digits, I only needed 5 bytes instead of 10 per card, so with 4 KB of storage, 819 cards are supported. The code is updated to index the number of cards in storage using an int instead of a char data type - simply change the MAX_RFID_CARDS_STORAGE definition to 819 from 255]
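
The storage scheme described above, as an added example that is not the author's sketch: host-side C that packs a 10-digit tag ID two digits per byte (an assumed way of reaching 5 bytes per card), rejects duplicates and stops at the 819-card limit. The `eeprom_sim` array and the function names `pack_tag`, `unpack_tag` and `store_tag` are hypothetical stand-ins for the Arduino EEPROM calls.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EEPROM_SIZE 4096                 /* 4 KB of EEPROM, as stated in the post */
#define BYTES_PER_CARD 5                 /* assumption: 10 digits, two per byte */
#define MAX_RFID_CARDS_STORAGE (EEPROM_SIZE / BYTES_PER_CARD)   /* 819 */

static uint8_t eeprom_sim[EEPROM_SIZE];  /* hypothetical stand-in for the EEPROM */
static int card_count = 0;               /* int index, so more than 255 cards fit */

/* Pack exactly 10 ASCII digits into 5 bytes. Returns 0 on success, -1 on bad input. */
int pack_tag(const char *digits, uint8_t out[BYTES_PER_CARD]) {
    if (strlen(digits) != 2 * BYTES_PER_CARD) return -1;
    for (int i = 0; i < BYTES_PER_CARD; i++) {
        char hi = digits[2 * i], lo = digits[2 * i + 1];
        if (hi < '0' || hi > '9' || lo < '0' || lo > '9') return -1;
        out[i] = (uint8_t)(((hi - '0') << 4) | (lo - '0'));
    }
    return 0;
}

/* Read stored card number `index` back as a 10-character string. */
void unpack_tag(int index, char out[2 * BYTES_PER_CARD + 1]) {
    for (int i = 0; i < BYTES_PER_CARD; i++) {
        uint8_t b = eeprom_sim[index * BYTES_PER_CARD + i];
        out[2 * i] = (char)('0' + (b >> 4));
        out[2 * i + 1] = (char)('0' + (b & 0x0F));
    }
    out[2 * BYTES_PER_CARD] = '\0';
}

/* Returns 1 if stored, 0 if already present, -1 if malformed, -2 if storage is full. */
int store_tag(const char *digits) {
    uint8_t packed[BYTES_PER_CARD];
    if (pack_tag(digits, packed) != 0) return -1;
    for (int i = 0; i < card_count; i++)
        if (memcmp(&eeprom_sim[i * BYTES_PER_CARD], packed, BYTES_PER_CARD) == 0)
            return 0;
    if (card_count >= MAX_RFID_CARDS_STORAGE) return -2;
    memcpy(&eeprom_sim[card_count * BYTES_PER_CARD], packed, BYTES_PER_CARD);
    card_count++;
    return 1;
}

int main(void) {
    /* Constructed sample ID: first call stores it, second call sees a duplicate. */
    printf("%d %d\n", store_tag("0000000042"), store_tag("0000000042"));
    return 0;
}
```
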

I've created a Google project for storing the sketch but I haven't uploaded the code there yet, as there's no license clause on darran's Arduino USB Keyboard Passthrough sketch. I'll upload the code and update the blog once I verify that I won't get into any legal problems...
[Edit: Darran got back to me indicating his code is BSD licensed - Here's a direct download link: http://arduino-rfid-tag-sniffer.googlecode.com/files/rfid_reader_v1.7z]