RFID bruteforce

RFID is commonly used, the flipper advertises that it can copy RFID codes to emulate them. I have done my fair share of RFID universal key research. It seems it needs to transmit a series of binary code or hexadecimal code. There are ways to emulate that unique code, and seeing as the flipper seems to be able to emulate RFID codes, is there not a way to brute-force the code using a built in script?


The idea sounds good, but I’m afraid this won’t be useful. While broadcasting a remote radio signal (like garage doors remote), in some cases you’re able to send all of the combinations in a row. When it comes to the NFC / RFID you have to scan them one by one. It takes some time.
Please take a look at the links.
[RFID bruteforce](https://www.youtube.com/watch?v=QSVCqi-M2x0)
[RFID codes](https://www.i-keys.de/en/chip-codes.html)

The second link gives you rough information about RFID codes.

Let’s take the easiest case: 2 hex digits.
16^2 gives us 256 possible codes. In the video, it took 1-2 seconds to read one code, so you’d have to stay up to 4 minutes in front of the beeping reader to break in. I guess codes are usually longer than 2 digits :frowning:


Yeah, most codes are probably easily six or more digits, so if you do the math, enjoy the heat death of the universe.

lol, I am very stupid

Ok, thanks

Hi everyone, I found this video, can you explain it? Flipper Zero Brute-forces A Door Open - YouTube

If I am understanding the question correctly, let’s look at the concept of brute-forcing (in the traditional sense of trying every code) an RFID device expecting a 4-byte code, and let’s assume the correct code is the last one attempted in the attack.

The number of variations for an integer value with 4 bytes of code is 2,147,483,647 (2 billion), and assuming each attempt would take as little as 1 millisecond (which it doesn’t), the attack would take just under 25 days to complete.


RFID Fuzzer is using combinations of normally used values as master codes that in some cases unlock the doors/system. Brute forcing using the Fuzzer will take several weeks to run all possible combinations, as mentioned. A normal fuzzer just sends “garbage” like strange characters, etc. to software to test it for vulnerability, to see if it crashes. Those flipper fuzzers are not real fuzzers as they are not sending invalid stuff, yet the codes it sends like the 00 00 00 and FF FF FF … are many times used on systems as master codes, and they do unlock systems many times.


That’s brute forcing and getting lucky. You can optimize brute forcing by starting with default pins, then moving to the most common pins, and finally everything left. In that video they knew the lock had the default password before they started recording. They might have tried dozens of locks before they found that one.


Is there a way to save the code once it does get cracked?


That should be possible. In the second video they seem to be using a code list. You can basically copy that part of the file and paste it into a new file with whatever name you like. I can’t see the screen well but it probably even shows you what the key is on the screen.

26-bit Wiegand RFID has 255 facility codes and 65,535 card numbers, a total of 16,711,425 options.
Usually facilities get the cards in batches of 25-200 cards per batch (122 55000 to 122 55100),
so you need to run numbers in jumps of 200 until you hit a batch.
It will be around 3,000,000 numbers.


It was similar when I brute forced the IR on my TV. The code space was large but after finding a single working code you can likely find a pattern to reduce the code space. This is a bit larger code space to start but there should be more working codes. In this case you probably want to identify the working facility codes to reduce the code space. I’ve seen cards sold in 100 card batches so I would jump numbers by 47 then run all the possible facility codes on each jump. That would give me 2 tries in each one hundred batch. It would also give a bit of rotation so I didn’t focus on numbers just ending in 0. Alternately I might simply put some randomness into the jumps. In my opinion you don’t want a perfect pattern or you might miss something.
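The 26-bit Wiegand layout and the batch-stepping arithmetic from the last few posts, as an added worked example (this is not code from the Flipper firmware or from anyone in this thread). The frame layout is the common H10301 format: one even-parity bit, an 8-bit facility code, a 16-bit card number, and one odd-parity bit. The facility code 122 and card number 55000, the strides of 200 and 47, and the 100-card batch are taken from the posts above; the attempt totals and the 1-second-per-read figure are what the functions below compute from those inputs, not the thread's own estimates (the functions count every facility/card combination, including zero, so they give 16,777,216 rather than 16,711,425).

```python
"""26-bit Wiegand (H10301) frame encoding and brute-force search-space arithmetic.

Added illustration for the forum thread; assumes the standard H10301 layout:
  bit 25      : even parity over the 12 data bits that follow it
  bits 24..17 : 8-bit facility code
  bits 16..1  : 16-bit card number
  bit 0       : odd parity over the 12 data bits that precede it
"""


def _popcount(value: int) -> int:
    return bin(value).count("1")


def wiegand26_encode(facility: int, card: int) -> int:
    """Pack a facility code and card number into a 26-bit frame with both parity bits."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = (facility << 16) | card          # the 24 payload bits
    high12 = data >> 12                     # facility + top 4 card bits
    low12 = data & 0xFFF                    # low 12 card bits
    even_p = _popcount(high12) & 1          # makes parity bit + high12 contain an even number of ones
    odd_p = 1 - (_popcount(low12) & 1)      # makes low12 + parity bit contain an odd number of ones
    return (even_p << 25) | (data << 1) | odd_p


def wiegand26_decode(frame: int) -> tuple[int, int]:
    """Unpack a 26-bit frame into (facility, card); raise ValueError if either parity bit is wrong."""
    if not 0 <= frame < (1 << 26):
        raise ValueError("frame must be exactly 26 bits")
    even_p = (frame >> 25) & 1
    data = (frame >> 1) & 0xFFFFFF
    odd_p = frame & 1
    if (_popcount(data >> 12) + even_p) % 2 != 0:
        raise ValueError("even parity check failed")
    if (_popcount(data & 0xFFF) + odd_p) % 2 != 1:
        raise ValueError("odd parity check failed")
    return data >> 16, data & 0xFFFF


def is_valid_frame(frame: int) -> bool:
    """True if the frame decodes with correct parity (a reader would reject anything else)."""
    try:
        wiegand26_decode(frame)
        return True
    except ValueError:
        return False


def full_space(facility_bits: int = 8, card_bits: int = 16) -> int:
    """Distinct frames in the format; parity bits are derived, so they add no freedom."""
    return (1 << facility_bits) * (1 << card_bits)


def attempts_with_stride(card_space: int, stride: int, facility_count: int) -> int:
    """Reads needed when card numbers are probed every `stride` values and every
    facility code is tried at each probe point (the strategy described in the thread)."""
    probe_points = -(-card_space // stride)  # ceiling division
    return probe_points * facility_count


def guaranteed_hits(batch_size: int, stride: int) -> int:
    """Minimum number of probe points that land inside any contiguous batch of
    `batch_size` consecutive card numbers. Zero means a batch can be skipped entirely."""
    return batch_size // stride


def estimate_seconds(attempts: int, seconds_per_read: float) -> float:
    """Wall-clock cost at a fixed per-read time (the thread observed 1-2 s per read)."""
    return attempts * seconds_per_read


if __name__ == "__main__":
    frame = wiegand26_encode(122, 55000)     # example card from the thread: facility 122, card 55000
    print(f"frame: {frame:026b}  decodes to {wiegand26_decode(frame)}")
    print("full 26-bit space:", full_space())
    for stride in (200, 47):
        n = attempts_with_stride(65536, stride, 256)
        print(f"stride {stride}: {n} reads, ~{estimate_seconds(n, 1.0) / 3600:.1f} h at 1 s/read, "
              f"guaranteed hits per 100-card batch: {guaranteed_hits(100, stride)}")
```

`guaranteed_hits` is the caveat behind the last post's remark about not wanting a perfect pattern: a stride of 200 can step straight over a 100-card batch (0 guaranteed hits), while a stride of 47 lands in every such batch at least twice. `is_valid_frame` shows why the parity bits do not enlarge the search space: a reader discards any frame whose parity is wrong, so only the 24 payload bits are free.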