Skip to Main Content
October 23, 2018

Let's Build a Card Cloner

Written by Jason Ashton
Hardware Security Assessment Penetration Testing Physical Security Security Testing & Analysis
This post isn't attempting to present new research or a new device—that work has already been done, a la Bishop Fox. While an overall design was created, and many others have discussed building such a device, doing so can prove to be challenging. This post will provide you with all that is needed to fully construct a low-frequency (LF) card cloner, including printable drill templates, PC board (PCB) manufacturing files, and updated microcontroller code. All that's needed is your time and a basic set of tools.   Background For the unfamiliar, the card cloner utilizes a long-range card reader, the same model seen on parking garage entrances and secured facilities, to gather the card ID and facility code of LF 125kHz proximity cards from unwitting targets. The device may be concealed within a backpack, messenger bag, or other concealment method of your choosing. The listed read range is a maximum 29 inches, which is dependent on credential type, operating voltage, and proximity to ferrous and non-ferrous metals. Local power is provided by multiple AA batteries. Additional circuitry is installed to collect the card data and store it on a microSD card. This information can then be used to clone the data to a writable 125kHz card. Upgrades While the Bishop Fox design is great, we found that a few enhancements made it more user friendly. Additionally, an alternate display was chosen and the Arduino code was modified to utilize the stock SD card library. Enhancements include:
Higher Operating VoltageThe maximum read range of the reader is dependent on the supply voltage. The battery quantity was increased to 16 to achieve a 24VDC supply.
External Power SwitchIn order to conserve battery life, the reader shouldn’t run any longer than it needs to, but removing the cover to power up is cumbersome and could blow our cover. A rear-mounted power switch was added for easy blind location and activation.
Arduino SD LibraryThe original design utilized the SDfat library and a specific version of the Arduino IDE. This requirement made setup more difficult than it needed to be. The code was rewritten to take advantage of the stock library.
LCD DisplayIn lieu of the display sourced from Amazon, which could become unavailable, an alternate display was chosen from Sparkfun.
Beeper Control SwitchSo as to not draw attention to our activities, disabling the beeper would be ideal. While there are DIP switches on the reader control board, they are inconvenient for quick adjustment. A switch was added to the Arduino board for this purpose.
  Bill of Materials Following is the bill of materials needed to build the cloner. At the time of writing, the PCBs were custom made. Not included are the light box, developer, and etching solution for production. A third-party fabricator may be considered at a future date, once a pluggable version for easy swap between reader types is designed. Additionally, the ability to drill >1mm holes for the through-hole components will be required.
1AmazonB00AFY2S56Arduino Micro
1AmazonB000W608FO2GB MicroSD Card
4AmazonB01461P5V2M3x10 Standoff
8AmazonB017NBZK7GM3x8 Cap Head Screw
2AmazonB01N1WDUK0M2x8 Cap Head Screw (assortment)
2AmazonB01N1WDUK0M2 Nut (assortment)
1VR1Mouser512-LM317LZVoltage Regulator
1R1Mouser270-270-RCResistor, 270
1R2Mouser270-2K-RCResistor, 2K
1C1Mouser667-ECA-1HM101100uF Electrolytic Capacitor
2Mouser12BH381A-GR8 AA Battery Holder
1Mouser485-1116Board Edge Mounting Kit
1TB1Mouser651-17291282P Terminal Block
1TB2Mouser651-17291999P Terminal Block
1Mouser534-25046-32X3/4 Thumbscrew
1S1Mouser655-1825232-1Slide Switch
1S2Mouser633-MS12AFW01Slide Switch
1Mouser571-5-826629-050P Single Row Header
1Mouser590-630Copper Clad PC Board
1SparkfunLCD-09568Serial Enabled LCD Panel 4X20
1SparkfunDEV-13743MicroSD Card Breakout Board
1Misc. Wire
11/8in Foam Pad (Battery Retention)
  Production We aren't going to cover all facets of production here, because templates and files are provided at the end of the post. We will, however, cover some highlights related to reader modification. A few plastic structures and a coil adhesive will need to be removed from the reader base. This can be done with a hacksaw blade laid flat on the surface, but an oscillating cutter will speed up the process. The adhesive can be scored with a razor knife and pried loose with a screwdriver. [caption id="attachment_15110" align="aligncenter" width="656"] Figure 1 - Reader Base Support & Adhesive Removal[/caption] Next, in order to control the beeper with an external switch, the circuit board will require a minor modification. One side of the piezo will need to be interrupted and routed through the switch, which will entail de-soldering the antenna coil from the control board in order to fully remove and access the bottom of the board. De-solder the piezo, rotate 45 degrees, re-solder one leg, and add two wires, as shown below. [caption id="attachment_15111" align="aligncenter" width="647"] Figure 2 - Control Board Beeper Modification[/caption] While the control board is removed, attach the drill template to the rear of the base, center punch the holes, and drill according to the size as indicated on the template. The control board can be reinstalled and the antenna coil can be re-soldered to the terminals. The display can then have wire soldered to the terminals and the mounting holes enlarged to 1/8-inch diameter. A header soldered to the PIC programming terminals is also recommended, as it enables easier re-flash of the firmware when needed.
Figure 3 - LCD Display Wiring & Programming Header The fully assembled reader can be seen below. PCB fabrication will not be included here, as there are more than enough references on the Internets. [caption id="attachment_15114" align="aligncenter" width="541"] Figure 4 - Assembled Card Cloner Base[/caption] Operation Regarding the microSD card, the maximum size is 2GB. Formatting (MS-DOS) should be done via the SD Formatter from the SD Association for best results, which can be found at: The card must also contain the file 'cards.txt'. As with the Bishop Fox design, the Arduino code will check for card initialization and the presence of 'cards.txt'. The boot process will indicate both valid and invalid conditions. [caption id="attachment_15115" align="aligncenter" width="474"] Figure 5 - Initial Boot Splash Screen[/caption]   [caption id="attachment_15116" align="aligncenter" width="481"] Figure 6 - Boot Confirmation of SD Card Initialization[/caption]   [caption id="attachment_15117" align="aligncenter" width="474"] Figure 7 - Boot Confirmation of 'cards.txt'[/caption]   [caption id="attachment_15118" align="aligncenter" width="474"] Figure 8 - Boot SD Card Initialization Failure[/caption]   [caption id="attachment_15119" align="aligncenter" width="474"] Figure 9 - Boot 'cards.txt' Not Found[/caption] The display will note the last card the reader captured. All cards captured will be appended to the 'cards.txt' file on the microSD card. Data can be retrieved from the 'cards.txt' file when inserted into a computer. [caption id="attachment_15120" align="aligncenter" width="477"] Figure 10 - Display of Last Card Read[/caption] Drill Templates/PC Board Layout/Arduino Code Download here and here.   Bonus! What's better than carrying around a cloner to skim unsuspecting cards? One that you can install in the reader and let it do the dirty work for you! Based on the work above, we created an embeddable version that can be installed within the reader itself. It is fully powered from the reader line and sits in parallel with the data signal. It easily fits inside an HID ProxPro and can reside within the back box of a switch plate reader, like the HID Thinline II. The same microSD recording method of all captured cards will be utilized in this design as well. Features a terminal block so as to not damage the reader conductors and can accept pigtails or the reader's direct wiring. Since there is no display, two LEDs on the rear indicate SD card initialization and the presence of 'cards.txt'. PCB layout and Arduino code are included below. [caption id="attachment_15121" align="aligncenter" width="602"] Figure 10 - Embeddable Card Cloner[/caption]  
Figure 10 - Embeddable Cloner Installed Inside HID ProxPro Bill of Materials Following is the bill of materials needed to build the embeddable cloner. Most components are surface mount, with through-holes for the terminal block, SD card interface, and jumpers.  Conclusion Hopefully this provides an easier path to constructing your own LF card cloner. Stay tuned for a modular version of the custom PCB that can be plugged/unplugged from the various reader types: HID Proximity, Indala Proximity, HID iClass, etc.
1Adafruit2378Arduino Pro Mini
1AmazonB000W608FO2GB MicroSD Card
2D1/D2Mouser696-SML-1206GCTR1SMD LED, Grn
2R1/R2Mouser603-RT1206FRE07270RLSMD Resistor, 270
1TB1Mouser538-39357-00044P Terminal Block
1Mouser571-5-826629-050P Single Row Header
1SparkfunDEV-13743MicroSD Card Breakout Board
1Misc. Wire