Wiegotcha – RFID Thief

Update: Wiegotcha will also work on the newer HID R90 SE, but in order to silence the speaker, you’ll need to dremel it from the sealed plastic inner casing.

As with most things I do, this is a work in progress. If you notice any bugs, run into any problems, or have any questions at all, ping me on twitter: @lixmk. Or you can submit an issue or a pull request on github, apparently that’s what they are there for: https://github.com/lixmk/Wiegotcha.

Wiegotcha is a long range RFID reader inspired by the Tastic RFID Thief originally released by Fran Brown and Bishop Fox. Wiegotcha is designed to be a simple and reliable method of discreetly capturing RFID credentials from unsuspecting targets. Before I go any further, there are a lot of people who unknowingly helped out on this project. Check the README.md on github for a full list.

Wiegotcha improves upon the Tastic RFID Thief in a few key areas:

  • Includes a wireless AP with a simple auto-refreshing web page to display captured credentials. No more need to open the reader and remove the SD card.
  • Uses a hardware clock for accurate timestamps. Useful for identifying when (and with a little note taking, where) credentials were captured.
  • Reduces or potentially eliminates (depending on choice of Level Shifter) the need to solder components.
  • Utilizes an external rechargeable battery. No more carrying a 30 pack of AA batteries or opening the reader to replace them.

Source is available at: https://github.com/lixmk/Wiegotcha

Working w/ Wiegotcha:

I won’t tell you how to steal badges, that part you can figure out yourself. But there are a few things to know about how Wiegotcha works. When powered on, Wiegotcha takes a couple of minutes to completely boot and fire up its access point. Once that’s complete, you’re good to go.

Once connected to the AP, just browse to http://192.168.150.1 to get a (mostly) live view of badges as they arrive. The site refreshes every 5 seconds.

All captured badges are stored in /var/www/html/data.csv, which is parsed by the web site. At each boot, the previous data.csv is backed up with a timestamp to /var/www/html/backup/<TIMESTAMP>.data.csv. Directory indexing is enabled for easy browsing of backed-up badges (http://192.168.150.1/backup/).

If you are using a new hardware clock, or need to replace it, give the RPi an ethernet connection and run /root/Wiegotcha/fixclock.sh.

If you install manually, you’ll have the ability to change passwords for each of the users and the option to enable SSH for the root user (SSH is enabled for the pi user by default). If you used the downloadable image, SSH is enabled for root by default. CHANGE THE DEFAULT PASSWORDS. To change the passphrase for the wireless AP, just modify /etc/hostapd/hostapd.conf.

Defaults are as follows (Seriously though, change the defaults):

Default Passwords (Image only):
root:Wiegotcha
pi:Wiegotcha

IP Addressing:
eth0 = DHCP
wlan0 = 192.168.150.1

Access Point:
ESSID: Wiegotcha
Passphrase: Wiegotcha
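Checking that the defaults listed above were actually changed, as an added example that is not part of the Wiegotcha project: a small POSIX shell script that reads the AP passphrase from hostapd.conf and the PermitRootLogin setting from sshd_config and fails if either is still in the shipped state. The config keys (wpa_passphrase in hostapd.conf, PermitRootLogin in sshd_config) are the standard hostapd and OpenSSH ones; the sshd_config path, the 12-character minimum and the script name are assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example (not part of the Wiegotcha project): flag a build that still
# carries the shipped AP passphrase or allows root logins over SSH.
# Assumed paths; override with HOSTAPD_CONF=... SSHD_CONF=... when needed.
HOSTAPD_CONF="${HOSTAPD_CONF:-/etc/hostapd/hostapd.conf}"
SSHD_CONF="${SSHD_CONF:-/etc/ssh/sshd_config}"   # path assumed, not from the post
DEFAULT_PASSPHRASE="Wiegotcha"                    # the default given in the post

# config_value FILE KEY: print the last non-comment value for KEY, written
# either as KEY=VALUE (hostapd.conf) or as "KEY VALUE" (sshd_config).
config_value() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=*[[:space:]]*//p" \
        | tail -n 1
}

# check_ap_passphrase FILE: 0 if the AP passphrase was changed from the default
check_ap_passphrase() {
    pass=$(config_value "$1" wpa_passphrase)
    if [ -z "$pass" ]; then
        echo "WARN: no wpa_passphrase in $1 (missing file or open AP)"
        return 1
    elif [ "$pass" = "$DEFAULT_PASSPHRASE" ]; then
        echo "FAIL: AP passphrase is still the default"
        return 1
    elif [ "${#pass}" -lt 12 ]; then   # 12 is an assumed local minimum
        echo "WARN: AP passphrase is shorter than 12 characters"
        return 1
    fi
    echo "OK: AP passphrase changed"
    return 0
}

# check_root_ssh FILE: 0 only if sshd explicitly refuses root password logins
check_root_ssh() {
    value=$(config_value "$1" PermitRootLogin)
    case "$value" in
        no|prohibit-password|without-password)
            echo "OK: PermitRootLogin $value"; return 0 ;;
        "")
            echo "WARN: PermitRootLogin not set explicitly in $1"; return 1 ;;
        *)
            echo "FAIL: PermitRootLogin $value"; return 1 ;;
    esac
}

# run_all_checks: run every check, report, and return non-zero on any finding
run_all_checks() {
    status=0
    check_ap_passphrase "$HOSTAPD_CONF" || status=1
    check_root_ssh "$SSHD_CONF" || status=1
    return "$status"
}

# Usage on the Pi: sh harden_check.sh --check   (harden_check.sh is an assumed name)
if [ "${1:-}" = "--check" ]; then
    run_all_checks
    exit $?
fi
```

The checks only cover the two settings the post calls out; the user passwords for root and pi are not inspectable from a config file, so those still have to be changed by hand with passwd.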

I probably forgot some stuff. If you notice any problems or have any questions, reach out on twitter @lixmk.

Hardware Installation:

Installation is extremely straightforward. The tl;dr: power the Pi, hook up the GPIOs and the RFID reader (with a level shifter as a middleman, since the Wiegand output is 5V and the RPi GPIOs are 3.3V), and plug in the battery.

In this build example, I’m using an HID MaxiProx 5375 (125 kHz), but you can follow the same steps for an HID R90 (13.56 MHz iClass) or Indala ASR-620. Start with a small bit of prep work. If your level shifter did not come pre-populated, you can either solder pins to the through holes or solder the jumper wires directly. Soldering the jumper wires will make things a bit sturdier, but it’s not necessary. If you choose to solder the wires, skip down a bit to check the wiring diagram.

Take the Y-cable from the battery and cut one of the tails off. Strip the outer wrapping to expose the red and black wires. Then strip roughly 1/8″ to 1/4″ off both of the internal wires. Give each one of them a twist to tighten up the copper. If you have a soldering iron handy, you can put a bit of solder on the twisted copper to keep it from fraying.

String the newly created power cable, and a short micro USB cable, through the conveniently located hole in the back of the reader (micro side in). Connect the two power cable leads:

  • Battery Ground (Black) to Reader TB1-3
  • Battery 12V (Red) to Reader TB1-1

Next, wire up the GPIO’s, level shifter, and reader. Refer to the mastery of MS Paint that is the following diagram:

(Good huh?)

Now wire the rest of the bits. Set the RPi with GPIO pins on the right and the level shifter’s low volt (LV) side facing left.

  1. Hardware RTC on pins 1,3,5,7,9 (First 5 pins on the left side)
  2. RPi pin 4 to Level Shifter HV in
  3. RPi pin 6 to Level Shifter LV gnd
  4. RPi pin 11 to Level Shifter LV 1
  5. RPi pin 12 to Level Shifter LV 4
  6. RPi pin 17 to Level Shifter LV in
  7. Reader TB2-1 to Level Shifter HV 1
  8. Reader TB2-2 to Level Shifter HV 4
  9. Reader TB1-2 to Level Shifter HV gnd

Next, you need to address the reader’s speaker. Obviously, a loud beep every time you read a badge isn’t very stealthy. To address this, you can do one of three things.

**UPDATE**: I completed testing on replacing the speaker with a small haptic motor and it worked perfectly.

  1. You can desolder (or snip) the speaker to completely disable all audio output (including power-up auto-tune tones).
  2. You can adjust the DIP switches on the top of the reader PCB to disable card read tones. If you choose this option, push switch 4 of SW1 (right-most set of switches) to the off position as pictured below:

  3. You can replace the speaker with a small haptic motor, causing a cell-phone-like vibration feeling and sound every time a badge is read. Desolder (preferred) or snip off the speaker and solder on the motor. No in-line resistance is required. Red wire to + and blue wire to -. If you choose this option, leave SW1 switch 4 in the default “on” position.

Last step: since we’re using a 12v power supply to the reader, we need to move the P2 jumper. By default, the jumper is installed over pins 2 and 3. Move this jumper to pins 1 and 2. Like below:

Hardware installation is complete. I suggest getting some stick-on velcro to hold the RPi in place, and running the group of wires through the small slit towards the top of the reader. Also, some duct tape helps hold wires in place. Your final product should look something like this:

Software Installation:

  1. Download the RPi image: https://drive.google.com/file/d/0B1KiYGoUoNwGem8tZlRxeEVwRHM/ *Updated 5-22-17*
  2. Check md5 sum of .gz: 7f8b0507e0b58cbc301b39550c59e33d
  3. gunzip and check .img md5 sum: b68d21f1c0e6b200985a29869491fbf0
  4. Push image to SD card (8GB or larger) (just like any other RPi image)
  5. Install the SD card in the RPi.
  6. Boot the RPi.
  7. If this is a fresh install with a brand new hardware clock, plug the RPi into a wired ethernet connection and execute the fixclock.sh script: /root/Wiegotcha/fixclock.sh
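Steps 2 and 3 above, as an added example that is not part of the Wiegotcha project: a POSIX shell script that checks the published MD5 of the .gz, decompresses it without deleting the archive, and checks the resulting .img before anything is written to the card. The two hashes are the ones listed in the steps above; the image filename and the script name are assumptions, and the script falls back to md5 or openssl where md5sum is not installed.

```shell
#!/bin/sh
# Added example (not part of the Wiegotcha project): verify the published
# checksums of the downloaded image before writing it to an SD card.

# Checksums as published in the post for the 5-22-17 image
GZ_MD5="7f8b0507e0b58cbc301b39550c59e33d"
IMG_MD5="b68d21f1c0e6b200985a29869491fbf0"

# md5_of FILE: print the lowercase hex MD5 of FILE with whichever tool is present
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d ' ' -f 1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"                       # macOS / BSD
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5 FILE EXPECTED: 0 if FILE hashes to EXPECTED (hex, either case), else 1
verify_md5() {
    if [ ! -f "$1" ]; then
        echo "FAIL: missing file $1" >&2
        return 1
    fi
    actual=$(md5_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $1  $actual"
        return 0
    fi
    echo "FAIL: $1 expected $expected, got $actual" >&2
    return 1
}

# verify_image GZFILE: check the .gz, decompress it, check the .img;
# stop at the first mismatch so a bad archive never becomes a flashable .img
verify_image() {
    gz="$1"
    img="${gz%.gz}"
    verify_md5 "$gz" "$GZ_MD5" || return 1
    if [ -e "$img" ]; then
        echo "FAIL: refusing to overwrite existing $img" >&2
        return 1
    fi
    # gunzip -c leaves the .gz in place so the check can be repeated
    gunzip -c "$gz" > "$img" || { rm -f "$img"; return 1; }
    verify_md5 "$img" "$IMG_MD5" || return 1
    echo "verified: $img matches the published checksum and is ready to write"
}

# Usage: sh verify_image.sh wiegotcha.img.gz   (both names are assumed)
if [ -n "${1:-}" ]; then
    verify_image "$1"
fi
```

Matching MD5s tell you the download was not corrupted or truncated; because the hashes are published alongside the download link, they do not on their own prove the image came from the author, so treat them as an integrity check rather than an authenticity check.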

For installation from source, see the github README.md: https://github.com/lixmk/Wiegotcha/blob/master/README.md

Bill of Material (BOM):