SCHEMATICS & PCBS
Here you can download the software for the OPEN RFID Tag Lite. Documentation is still needed!!!!
The actual version is the 0.4 and includes:
- Multimap emulatorStores up to 12 different RFID memory maps (Manchester/Biphase encoding and different data rate are supported). Pressing the button 1, you can choose which one to emulate.A RS232 bootloader is implemented to change the memory maps. Commands:
- p: prints the stored memory maps.
- wABCCDDXXXXXXXX : writes a memory map. If the command is well constructed, it returns “OK”
- A is the number of the memory map. 1 Byte in hex. Values from 0 to B
- B is the encoding scheme. 1 byte in ASCII. ‘b’ form Biphase , ‘m’ for Manchester
- CC is the data rate. 2 bytes in hex.
- DD is the map size. 2 bytes in hex. Maximal value: 0x0F (firmware limited)
- XXXXXXXXX are the memory map bytes. DD bytes in hex.
- Frequency counterDetects a low frequency RFID reader and shows you the frequency of the carrier (from 115KHz to 145KHz).
LED1 represents 125 KHz and LED2 represents 135Khz. The LEDs blink proportionally to the received carrier. Examples:
- 115 KHz carrier: LED1 blinks very slowly. LED2 is off
- 120 KHz carrier: LED1 and LED2 blink slowly. LED2 is blinking slower than LED1
- 125 KHz carrier: LED1 is on but do not blink. LED2 is blinking slowly.
- 130 KHz carrier: LED1 and LED2 blink slowly and at the same rate.
- 135 KHz carrier: LED2 is on but do not blink. LED1 is blinking slowly.
- Timing AttackIt performs a timing attack. The tag will transmit a memory map and will measure the time between the end of the transmission and denial event occurs. The event can be a rise edge of a signal measured inside the reader circuit (intrusive attack) or can be an acoustic or light signal (non intrusive attack). In this last case, you have to attach to the Open RFID Tag a circuit like an microphone or a light detector.The RS232 connection is used to program the transmitted memory map and read the measured times.
A PC-side software (not provided) is needed to perform the calculations and to decide which memory map try next.
These link has a VERY experimental firmware for cloning RFID tags “on the fly” and 100% passive. You can read more about it here.
- EM4100 Cloner
These are old firmwares that can be useful.
- Brute-Force & Multimap ALL-in-1
This is the old 0.2 version of the firmware. I have not yet ported the “Brute Force Attack” to the 0.4 version of the firmware, so you have to use this old one.
It is commented in spanish and the code is a mess…DOWNLOAD
- EM4100 emulator
A simple EM4100 emulator.
HOW IT WORKS