|
| 1 | +# Building a Portable HID MaxiProx 125 kHz Mobile Cloner |
| 2 | + |
| 3 | +{{#include ../../banners/hacktricks-training.md}} |
| 4 | + |
| 5 | +## Goal |
| 6 | +Turn a mains-powered HID MaxiProx 5375 long-range 125 kHz reader into a field-deployable, battery-powered badge cloner that silently harvests proximity cards during physical-security assessments. |
| 7 | + |
| 8 | +The conversion covered here is based on TrustedSec’s “Let’s Clone a Cloner – Part 3: Putting It All Together” research series and combines mechanical, electrical and RF considerations so the final device can be thrown in a backpack and immediately used on site. |
| 9 | + |
| 10 | +> [!warning] |
| 11 | +> Manipulating mains-powered equipment and Lithium-ion power-banks can be dangerous. Verify every connection **before** energising the circuit and keep the antennas, coax and ground planes exactly as they were in the factory design to avoid detuning the reader. |
| 12 | +
|
| 13 | +## Bill of Materials (BOM) |
| 14 | + |
| 15 | +* HID MaxiProx 5375 reader (or any 12 V HID Prox® long-range reader) |
| 16 | +* ESP RFID Tool v2.2 (ESP32-based Wiegand sniffer/logger) |
| 17 | +* USB-PD (Power-Delivery) trigger module able to negotiate 12 V @ ≥3 A |
| 18 | +* 100 W USB-C power-bank (outputs 12 V PD profile) |
| 19 | +* 26 AWG silicone-insulated hook-up wire – red/white |
| 20 | +* Panel-mount SPST toggle switch (for beeper kill-switch) |
| 21 | +* NKK AT4072 switch-guard / accident-proof cap |
| 22 | +* Soldering iron, solder wick & desolder pump |
| 23 | +* ABS-rated hand tools: coping-saw, utility-knife, flat & half-round files |
| 24 | +* Drill bits 1/16″ (1.5 mm) and 1/8″ (3 mm) |
| 25 | +* 3 M VHB double-sided tape & Zip-ties |
| 26 | + |
| 27 | +## 1. Power Sub-System |
| 28 | + |
| 29 | +1. Desolder and remove the factory buck-converter daughter-board used to generate 5 V for the logic PCB. |
| 30 | +2. Mount a USB-PD trigger next to the ESP RFID Tool and route the trigger’s USB-C receptacle to the outside of the enclosure. |
| 31 | +3. The PD trigger negotiates 12 V from the power-bank and feeds it directly to the MaxiProx (the reader natively expects 10–14 V). A secondary 5 V rail is taken from the ESP board to power any accessories. |
| 32 | +4. The 100 W battery pack is positioned flush against the internal standoff so there are **no** power cables draped across the ferrite antenna, preserving RF performance. |
| 33 | + |
| 34 | +## 2. Beeper Kill-Switch – Silent Operation |
| 35 | + |
| 36 | +1. Locate the two speaker pads on the MaxiProx logic board. |
| 37 | +2. Wick *both* pads clean, then re-solder only the **negative** pad. |
| 38 | +3. Solder 26 AWG wires (white = negative, red = positive) to the beeper pads and route them through a newly cut slot to a panel-mount SPST switch. |
| 39 | +4. When the switch is open the beeper circuit is broken and the reader operates in complete silence – ideal for covert badge harvesting. |
| 40 | +5. Fit an NKK AT4072 spring-loaded safety cap over the toggle. Carefully enlarge the bore with a coping-saw / file until it snaps over the switch body. The guard prevents accidental activation inside a backpack. |
| 41 | + |
| 42 | +## 3. Enclosure & Mechanical Work |
| 43 | + |
| 44 | +• Use flush cutters then a knife & file to *remove* the internal ABS “bump-out” so the large USB-C battery sits flat on the standoff. |
| 45 | +• Carve two parallel channels in the enclosure wall for the USB-C cable; this locks the battery in place and eliminates movement/vibration. |
| 46 | +• Create a rectangular aperture for the battery’s **power** button: |
| 47 | + 1. Tape a paper stencil over the location. |
| 48 | + 2. Drill 1/16″ pilot holes in all four corners. |
| 49 | + 3. Enlarge with a 1/8″ bit. |
| 50 | + 4. Join the holes with a coping saw; finish the edges with a file. |
| 51 | + ✱ A rotary Dremel was *avoided* – the high-speed bit melts thick ABS and leaves an ugly edge. |
| 52 | + |
| 53 | +## 4. Final Assembly |
| 54 | + |
| 55 | +1. Re-install the MaxiProx logic board and re-solder the SMA pigtail to the reader’s PCB ground pad. |
| 56 | +2. Mount the ESP RFID Tool and USB-PD trigger using 3 M VHB. |
| 57 | +3. Dress all wiring with zip-ties, keeping power leads **far** from the antenna loop. |
| 58 | +4. Tighten the enclosure screws until the battery is lightly compressed; the internal friction prevents the pack from shifting when the device recoils after every card read. |
| 59 | + |
| 60 | +## 5. Range & Shielding Tests |
| 61 | + |
| 62 | +* Using a 125 kHz **Pupa** test card the portable cloner achieved consistent reads at **≈ 8 cm** in free-air – identical to mains-powered operation. |
| 63 | +* Placing the reader inside a thin-walled metal cash box (to simulate a bank lobby desk) reduced range to ≤ 2 cm, confirming that substantial metal enclosures act as effective RF shields. |
| 64 | + |
| 65 | +## Usage Workflow |
| 66 | + |
| 67 | +1. Charge the USB-C battery, connect it, and flip the main power switch. |
| 68 | +2. (Optional) Open the beeper guard and enable audible feedback when bench-testing; lock it down before covert field use. |
| 69 | +3. Walk past the target badge holder – the MaxiProx will energise the card and the ESP RFID Tool captures the Wiegand stream. |
| 70 | +4. Dump captured credentials over Wi-Fi or USB-UART and replay/clone as required. |
| 71 | + |
| 72 | +## Troubleshooting |
| 73 | + |
| 74 | +| Symptom | Likely Cause | Fix | |
| 75 | +|---------|--------------|------| |
| 76 | +| Reader reboots when card presented | PD trigger negotiated 9 V not 12 V | Verify trigger jumpers / try higher-power USB-C cable | |
| 77 | +| No read range | Battery or wiring sitting *on top* of the antenna | Re-route cables & keep 2 cm clearance around the ferrite loop | |
| 78 | +| Beeper still chirps | Switch wired on positive lead instead of negative | Move kill-switch to break the **negative** speaker trace | |
| 79 | + |
| 80 | +## References |
| 81 | + |
| 82 | +- [Let’s Clone a Cloner – Part 3 (TrustedSec)](https://trustedsec.com/blog/lets-clone-a-cloner-part-3-putting-it-all-together) |
| 83 | + |
| 84 | +{{#include ../../banners/hacktricks-training.md}} |
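Review bot: Section 2 and the Troubleshooting table disagree about which speaker lead the kill-switch interrupts. Step 2 of "Beeper Kill-Switch" says to wick both pads and then re-solder only the **negative** pad, which restores that connection, while the "Beeper still chirps" row says the switch has to break the **negative** speaker trace. Please state once which pad stays bridged and where the red/white pair lands, then make the table row match. Two related documentation gaps: Usage Workflow step 1 refers to a "main power switch" that appears in neither the BOM nor any build step (the only switch listed is the beeper SPST), and Power Sub-System step 1 removes the converter that generates 5 V for the logic PCB without saying what supplies that rail afterwards, since step 3 assigns the ESP board's 5 V only to "accessories".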