Long Range Reading

The ability to read a 125 kHz access card or keyfob at a large distance depends on numerous factors, including reader antenna size, radiated power, receiver sensitivity and the like. The reader/cloner shown on the previous web page has the benefit of simplicity and low cost but is only capable of reading an RFID tag from a distance of approximately 3-4 inches. Reading a tag from much greater distances requires considerably more complicated receiver circuitry and the ability to generate a higher-power RF magnetic field.

Design Concept

Rather than designing a long range reader from scratch, my long range cloner project builds on a commercial off-the-shelf long-range reader that I have modified to write a T5567 Read/Write card with the information output by the commercial reader. The reader that I selected for my project is the 5375AGN00 MaxiProx reader manufactured by HID. The reader has a typical read range of up to 24 inches for a standard ProxCard II access card. Following each read of a valid tag, the reader outputs the card information via a standard Wiegand interface. The Wiegand data stream is then sent to a custom circuit board that I have physically installed in unused space within the MaxiProx reader. The custom circuit board uses a Parallax SX28 8-bit microcontroller to decode, display and store the data sent by the reader.

Commercial readers do not output all of the binary information transmitted by the tag. Information such as the card number, the facility code and parity bits is output by the reader, whereas the front-end preamble and detailed card format information are verified by the reader but not output as part of the Wiegand data stream. However, this missing information can be captured (and displayed) by my other custom reader/cloner device, and once known, this "fixed" information can be combined with the commercial reader's output data to generate the programming sequence needed to create a clone card.
The top photo below shows the finished long range reader/cloner. The second photo shows the internal layout, which includes the stock commercial reader circuitry (on right) along with my added circuitry and LCD display (on left) and a 12x AA rechargeable battery pack that allows the unit to be completely portable. The reader's 12"x12" high-power antenna is used to read the tags, while the smaller 2" diameter antenna is used to write the T5567 R/W cards.

Operation

Since the modified reader has its own local power source, it is completely portable and can easily be used in the field. When the unit comes within a couple of feet of a valid HID (or HID-compatible) card, the reader's LED blinks and it begins outputting the Wiegand data stream. The microcontroller decodes the reader's Wiegand data stream and drives the 2x16 LCD with information that includes the card format (bit length) and the hex value of the 26-37 bits of Wiegand data that were received. The Wiegand data is further decoded to determine the decimal value of the card's facility code and card number, which are then displayed on the second line of the LCD. The card number is usually the same as the one physically printed on the back of the card. If the operator wants to make a copy of the card that was read, he simply brings a T5567 R/W card near the smaller antenna and presses the "write" button. In less than a second a duplicate card is created.
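The decoding step described above, as an added example that is not the project's SX28 firmware: it takes a captured Wiegand bit stream, reports bit length and hex value as the first LCD line does, and for the standard 26-bit format extracts facility code and card number while checking both parity bits. The field positions and parity layout are the public 26-bit definition; the sample streams are constructed, not captured from a real card.

```python
# Added example, not the project's SX28 firmware: decode a Wiegand bit
# stream into the values the page's LCD shows (bit length, hex value,
# facility code, card number). Field positions and parity follow the
# public standard 26-bit layout; for other lengths only the bit length
# and hex value are reported, since the page gives no field map for them.
from dataclasses import dataclass
from typing import Optional


@dataclass
class WiegandRead:
    bit_length: int
    raw_hex: str
    facility_code: Optional[int]
    card_number: Optional[int]
    parity_ok: Optional[bool]   # None when the layout is not modelled


def decode_wiegand(bits: str) -> WiegandRead:
    """bits: '0'/'1' characters in the order they arrived on the D0/D1 lines."""
    if not 26 <= len(bits) <= 37 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26..37 bits of '0'/'1'")
    value = int(bits, 2)
    raw_hex = f"{value:0{(len(bits) + 3) // 4}X}"
    if len(bits) != 26:
        return WiegandRead(len(bits), raw_hex, None, None, None)
    # Standard 26-bit layout: E | 8-bit facility | 16-bit card number | O
    # E = even parity over the first 13 bits, O = odd parity over the last 13.
    even_ok = bits[:13].count("1") % 2 == 0
    odd_ok = bits[13:].count("1") % 2 == 1
    facility = (value >> 17) & 0xFF
    card = (value >> 1) & 0xFFFF
    return WiegandRead(26, raw_hex, facility, card, even_ok and odd_ok)


# Constructed sample reads (not captured from a real card): facility 42,
# card 12345 with correct parity, and the same stream with its last bit flipped.
SAMPLE_OK = "10010101000110000001110011"
SAMPLE_CORRUPT = "10010101000110000001110010"

if __name__ == "__main__":
    for name, stream in (("ok", SAMPLE_OK), ("corrupt", SAMPLE_CORRUPT)):
        r = decode_wiegand(stream)
        print(f"{name}: {r.bit_length} bits hex {r.raw_hex} "
              f"FC {r.facility_code} CN {r.card_number} parity_ok={r.parity_ok}")
```

A parity failure is the only integrity check the 26-bit format offers, so a controller should discard such reads rather than display or act on them.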

Note: The long read range of the unit combined with its portability makes it fairly simple to covertly read and copy a card. The unit can easily be concealed in a briefcase or backpack. The simple act of walking past someone in a hallway or being in close proximity (e.g. in an elevator) is sufficient to read and clone a person's card, making the use of this type of card questionable for high security applications.

A schematic of the hardware design is shown below. The entire assembly (reader & custom circuit board) requires less than 200 mA of current to operate, allowing at least 10 hours of operation before the batteries must be recharged. The microcontroller code was written in assembly language and uses less than 2K bytes of program memory to support all functionality.


Download a PDF version of the schematic here.