This post isn't attempting to present new research or a new device—that work has already been done, a la Bishop Fox. While an overall design was created, and many others have discussed building such a device, doing so can prove to be challenging. This post will provide you with all that is needed to fully construct a low-frequency (LF) card cloner, including printable drill templates, PC board (PCB) manufacturing files, and updated microcontroller code. All that's needed is your time and a basic set of tools. 

Background

For the unfamiliar, the card cloner utilizes a long-range card reader, the same model seen on parking garage entrances and secured facilities, to gather the card ID and facility code of LF 125kHz proximity cards from unwitting targets. The device may be concealed within a backpack, messenger bag, or other concealment method of your choosing. The listed read range is a maximum 29 inches, which is dependent on credential type, operating voltage, and proximity to ferrous and non-ferrous metals.

Local power is provided by multiple AA batteries. Additional circuitry is installed to collect the card data and store it on a microSD card. This information can then be used to clone the data to a writable 125kHz card.

Upgrades

While the Bishop Fox design is great, we found that a few enhancements made it more user friendly. Additionally, an alternate display was chosen and the Arduino code was modified to utilize the stock SD card library. Enhancements include:

Bill of Materials

Following is the bill of materials needed to build the cloner. At the time of writing, the PCBs were custom made. Not included are the light box, developer, and etching solution for production. A third-party fabricator may be considered at a future date, once a pluggable version for easy swap between reader types is designed. Additionally, the ability to drill >1mm holes for the through-hole components will be required.

Production

We aren't going to cover all facets of production here, because templates and files are provided at the end of the post. We will, however, cover some highlights related to reader modification.

A few plastic structures and a coil adhesive will need to be removed from the reader base. This can be done with a hacksaw blade laid flat on the surface, but an oscillating cutter will speed up the process. The adhesive can be scored with a razor knife and pried loose with a screwdriver.

Figure 1 - Reader Base Support & Adhesive Removal

Next, in order to control the beeper with an external switch, the circuit board will require a minor modification. One side of the piezo will need to be interrupted and routed through the switch, which will entail de-soldering the antenna coil from the control board in order to fully remove and access the bottom of the board. De-solder the piezo, rotate 45 degrees, re-solder one leg, and add two wires, as shown below.

Figure 2 - Control Board Beeper Modification

While the control board is removed, attach the drill template to the rear of the base, center punch the holes, and drill according to the size as indicated on the template. The control board can be reinstalled and the antenna coil can be re-soldered to the terminals.

The display can then have wire soldered to the terminals and the mounting holes enlarged to 1/8-inch diameter. A header soldered to the PIC programming terminals is also recommended, as it enables easier re-flash of the firmware when needed.

Figure 3 - LCD Display Wiring & Programming Header

The fully assembled reader can be seen below. PCB fabrication will not be included here, as there are more than enough references on the Internets.

Figure 4 - Assembled Card Cloner Base

Operation

Regarding the microSD card, the maximum size is 2GB. Formatting (MS-DOS) should be done via the SD Formatter from the SD Association for best results, which can be found at: https://www.sdcard.org/downloa.... The card must also contain the file 'cards.txt'.

As with the Bishop Fox design, the Arduino code will check for card initialization and the presence of 'cards.txt'. The boot process will indicate both valid and invalid conditions.

Figure 5 - Initial Boot Splash Screen

Figure 6 - Boot Confirmation of SD Card Initialization

Figure 7 - Boot Confirmation of 'cards.txt'

Figure 8 - Boot SD Card Initialization Failure

Figure 9 - Boot 'cards.txt' Not Found

The display will note the last card the reader captured. All cards captured will be appended to the 'cards.txt' file on the microSD card. Data can be retrieved from the 'cards.txt' file when inserted into a computer.

Figure 10 - Display of Last Card Read

Drill Templates/PC Board Layout/Arduino Code

Download here and here. 

Bonus!

What's better than carrying around a cloner to skim unsuspecting cards? One that you can install in the reader and let it do the dirty work for you!

Based on the work above, we created an embeddable version that can be installed within the reader itself. It is fully powered from the reader line and sits in parallel with the data signal. It easily fits inside an HID ProxPro and can reside within the back box of a switch plate reader, like the HID Thinline II.

The same microSD recording method of all captured cards will be utilized in this design as well. Features a terminal block so as to not damage the reader conductors and can accept pigtails or the reader's direct wiring. Since there is no display, two LEDs on the rear indicate SD card initialization and the presence of 'cards.txt'. PCB layout and Arduino code are included below.

Figure 10 - Embeddable Card Cloner

Figure 10 - Embeddable Cloner Installed Inside HID ProxPro

Bill of Materials

Following is the bill of materials needed to build the embeddable cloner. Most components are surface mount, with through-holes for the terminal block, SD card interface, and jumpers. 

Conclusion

Hopefully this provides an easier path to constructing your own LF card cloner. Stay tuned for a modular version of the custom PCB that can be plugged/unplugged from the various reader types: HID Proximity, Indala Proximity, HID iClass, etc.