Description

BRAT, or Badge Reader Active Tap, is an implant that installs inline between an HID Prox or iClass reader and the server. It captures the bits on the Data0 and Data1 lines and decodes the Wiegand protocol. It stores the decoded value on its file system and writes the bits back out to the server.

The device has a built-in Access Point and web server. You can connect to the Access Point with any device such as a smartphone or computer and interact with the implant through its web page. The default address is http://192.168.4.1/view. This provides a list of the previous cards that have been used on the reader.

The data stored for each card is:

  • Card Hex
  • Facility Code
  • Card Number
  • Raw Bits

The Card Hex value is a URL link that replays the card to the reader.
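As an added example (not part of the BRAT project's own code), this decoder turns a captured raw-bit string into the Facility Code, Card Number and Card Hex fields listed above and checks both parity bits. It assumes the common 26-bit Wiegand layout (leading even parity over the first 12 data bits, 8-bit facility code, 16-bit card number, trailing odd parity over the last 12 data bits); the page does not say which format the implant expects, and the sample frames are constructed here.

```python
from dataclasses import dataclass


@dataclass
class Wiegand26:
    facility_code: int
    card_number: int
    raw_bits: str
    card_hex: str
    parity_ok: bool  # an access controller would reject a frame where this is False


def decode_wiegand26(bits: str) -> Wiegand26:
    """Decode a 26-bit Wiegand frame given as a string of '0'/'1' characters.

    Assumed layout (standard 26-bit, not stated on the page):
      bit 0      even parity over bits 1..12
      bits 1..8  facility code
      bits 9..24 card number
      bit 25     odd parity over bits 13..24
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 characters of '0'/'1'")
    b = [int(c) for c in bits]
    # Leading parity bit plus first 12 data bits must contain an even number of ones.
    even_ok = sum(b[0:13]) % 2 == 0
    # Last 12 data bits plus trailing parity bit must contain an odd number of ones.
    odd_ok = sum(b[13:26]) % 2 == 1
    facility_code = int(bits[1:9], 2)
    card_number = int(bits[9:25], 2)
    # "Card Hex" is the whole 26-bit frame rendered as hex (7 nibbles).
    card_hex = f"{int(bits, 2):07X}"
    return Wiegand26(facility_code, card_number, bits, card_hex, even_ok and odd_ok)


# Constructed sample frames: FC 201 / CN 12345, and a copy with one data bit flipped.
SAMPLE_GOOD = "01100100100110000001110011"
SAMPLE_CORRUPT = SAMPLE_GOOD[:3] + ("1" if SAMPLE_GOOD[3] == "0" else "0") + SAMPLE_GOOD[4:]

if __name__ == "__main__":
    for frame in (SAMPLE_GOOD, SAMPLE_CORRUPT):
        print(decode_wiegand26(frame))
```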

Optionally, you can connect the BRAT-GUI on the BRAT-RPi device, which is designed to allow printing of the card with a Proxmark3.

Key components

The BRAT implant is built on the NodeMCU v0.9. The NodeMCU uses the ESP8266 SoC to provide a WiFi Access Point, 1 MB for code and 3 MB of Flash for storage, two interrupts and a number of GPIO pins.

The NodeMCU provides a 5V regulator and the programming circuitry for the ESP8266-12.

The AP's default name is iPhone-BRAT, which can be changed at compile time.

On the BRAT there is a 3V3-to-5V logic level converter. This shifts the 3V3 logic signal output by the ESP up to the 5V required to drive the signal to the server. A 5V regulator takes the line power supplied from the server to the reader, which is between 12V and 24V, and drops it to 5V. Two 10 uF capacitors smooth the power. The main board must be fabricated; see below for more information.

Schematics

I used Eagle CAD to design the circuit and board.

Board Fabrication

When I fabricate my final boards I use OSH Park. You will have to purchase three boards minimum for a total cost of $21.85 USD.

Front:

Back:

Parts list

The per-unit cost is roughly $24, depending on quantity and shipping.

  • Node MCU $9
  • Capacitors $1
  • Level Converter $2
  • Connectors $4
  • Board $8

There are a number of different logic level converters out there. Some swap the positions of the V_high/GND and V_low/GND pins, which makes them incompatible with this board, and others simply do not respond as they should. Below are some examples:

I have found that even if you pay close attention to the ads on Amazon and eBay, and only order the ones with the double arrow on the back, sometimes they still send you other boards.

If you are only going to use this with the Tastic, you can forgo the logic level converter. Looking at the back side of the BRAT card, solder the data-out pins on the 3.3V side straight across to the 5V side. Do not solder the top pin: one is 3V3 and the other is 5V, and bridging them would be bad. Instead, on the left column, solder a wire from the 4th pin down and from the bottom (6th) pin to the corresponding pins on the other side: left 4th pin to right 4th pin, and left 6th pin to right 6th pin.

How to build the Board

https://youtu.be/rFhIB0w98co

Where to buy

References

Sections of the code were originally developed by Francis Brown of Bishop Fox for the Tastic RFID Thief. The BRAT works great in the Tastic RFID Thief. It adds the capability for the user to monitor the badges acquired, and for others to use the BRAT-GUI and BRAT-RPi to write badges as the attacker collects them.

BRAT-GUI

The BRAT GUI is a Raspberry Pi with touch screen and ProxMark, for full life cycle badge cloning. Use the BRAT in the Tastic and the BRAT GUI to print badges on the fly.

https://github.com/osok/BRAT/tree/master/BRAT-RPi-3D

How to use

Once the BRAT is installed and powered on, you can connect to the AP. The SSID can be modified before the source is compiled and loaded, and the password is also configurable. The SSID and password you chose when compiling the source determine how you connect.

Once your mobile device is connected, you can use a browser to visit: http://192.168.4.2/view

You'll see the hex code with a link, Facility Code, Badge ID, and the raw bits.

Clicking the link on the hex code for a badge replays its bits on the wire. So if the device is installed as an implant, you can replay any card that has been used since the implant was installed.

If the device is being used with the Tastic, use the BRAT-GUI to grab the card data from the BRAT and create clones in real time.

License

Creative Commons Attribution 3.0 United States https://creativecommons.org/licenses/by/3.0/us/