Monday 21 April 2014

Hacking a door controller

As part of looking at RFID and the Internet of Things. I decided to look at RFID Door Access Control Systems and how they could be compromised. I wanted to show it is relatively easy to capture the RFID tags data and be able to clone them.

ADM2000-M Door access controller


The use of the Access Door Controller as a RFID sniffer was based on the work done by Kevin Bong, owner of the MiniPwner website and his minipwnerrfid article. Kevin's article describes an early version of the AD2000-M door controller than is currently available.

I used a AD2000-M access controller with an "Access Control V3."0 circuit board, which used a Nuvoton w78e052ddg 8-bit microcontroller, there is also an unidentified "ID module" attached to the circuit board. The ID module had a number of inputs and outputs which are labelled as follows.

GND OUT DR CFE VCC
GND CY ANT2 ANT1

Pins from the module were traced back to the Micro-controller pins 15 and 16, pin 16 was identified by Kevin in his article as being transmitting the captured TAG details to the Micro-controller. By sniffing this signal it is possible to read the submitted Tags serial numbers.
Part of AD2000-M Circuit - showing test pins
This is indicated that although the circuit board was visibly different from that in Kevin's article, the sniffer software should work. As the signals passed through, what looked like a set of unpopulated test pins, I soldered a set of pins to the board to make easier to connect to the circuit board.

Location of unpopulated test pins
Underside of the circuit board with header soldered in place
Header soldered to the circuit board
After soldering the header to the circuit board the GND and Out connections were connected to the Arduino as per Kevin's article

Header pins connected to a breadboard
Arduino connected to the Access Control unit
The Arduino sketch from Kevin's web site was uploaded to the Arduino and the serial monitor used to capture the scanned tags.
Serial Monitor display showing captured TAG numbers.
The next part of the project will be to clone or spoof the RFID tags.


2 comments:

  1. Very interesting the board and very nice keyboard construction is safe and Strings

    ReplyDelete
  2. Hello! I would like to provide a huge thumbs up for any excellent info you’ve here within this post. I will be coming back to your blog site for more soon. white house market

    ReplyDelete