The inside of the UNIQUE 125kHz key copier

TechEkspert 4914 6

TL;DR

The teardown examines a UNIQUE 125 kHz key copier used to duplicate access tags after a move.
Inside are two AAA batteries, a UNIQUE communication coil/antenna, a small PCB, and a main control unit marked F300.
The copier reads a constant 64-bit string from a tag and writes 8 bytes to T5577 or EM4305 key fobs.
U1 generates the read control signal, Q1 drives the buzzer, and Q2/Q3 control coil current; detection takes 10 ms.
The author flags security concerns about multi-system copiers claiming 125 kHz to 1000 kHz support and bundled software that may hide extra features.

Generated by the language model.

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

» | Topic author Helpful post? (+5)

Post #1
20604527 03 Jun 2023 17:13

In the material you will see the inside of the UNIQUE tag copier, which made it easier to use the space after the company moved. Part of the building is separated by doors equipped with electric strikes and keyfob/card readers. The problem is that only three of the transferred tags work, each entrance has a different type of reader, one of which even has a buffer power supply, the rest is powered by plug-in power supplies connected near the passages, the company that serviced it has no contact.

Of course, we will replace this "system" with connected MIFARE readers, but everything in order. To make it easier for yourself, you need to "multiply" your UNIQUE tags. A copier was used for this, reading a constant string of 64 bits from the applied tag to memory and writing a string of 8 bytes to the T5577 or EM4305 key chains. In this way, for "PLN 100" we have the freedom to move around, without excessive investment in a makeshift, which is intended for disassembly.

Below is the inside of the copier, which is mostly empty space a basket of two AAA batteries, a UNIQUE communication coil/antenna and a small printed circuit board. The main control unit is designated F300.

Transistor Q1 controls the buzzer without a generator, transistors Q2 and Q3 control the coil current. U1 during the reading generates a control signal that goes through R8 to the transistors.

The signal on the coil looks like this:

Detection takes 10ms.

There are no SMD components on the other side of the PCB.

The device did its job well and we will not waste funds on checking how to change the settings of existing readers, especially since each of them is of a different type and some of the cards did not work. This is a good solution to reduce the urgency of replacing the access control system.

When looking for a copier, I thought hard about the security of such solutions, because the search engine showed multi-system copiers for tags, working at frequencies of 125 kHz, 250 kHz, 500 kHz, 375 kHz, 625 kHz, 750 kHz, 875 kHz, 1000 kHz, but also those that supposedly duplicate Mifare HID cards. Some have bundled software that supposedly decodes scanned cards (whatever that means). It is difficult to predict whether bundled software from a little-known publisher has bugs or "hidden features".

Cool? Ranking DIY
About Author
TechEkspert TechEkspert

Editor
Offline

Joined: 19 Sep 2014

Posts: 7172

Help: 16

Posts rating: 5540

Points: 24436
TechEkspert wrote 7172 posts with rating 5540, helped 16 times. Been with us since 2014 year.

ADVERTISEMENT
#2 20604766 03 Jun 2023 21:13

prosiak_wej prosiak_wej

Level 39

Posts: 5273

Help: 501

Rate: 1459
» | Helpful post? (+1)

Post #2
20604766 03 Jun 2023 21:13

I found such a copier for PLN 10 with a bag of keyrings. As it turned out, it is not compatible (keyrings too) with the KD system that we have in the company. On the other hand, for copying Mifare, I use cards and keyrings bought on Allegro and the Mifare Classic Tool application on the CAT S61 phone. In this way, apart from the main card, I also have a backup card in the car and a keychain
ADVERTISEMENT
#3 20604774 03 Jun 2023 21:24

szymon122 szymon122

Level 38

Posts: 4087

Help: 302

Rate: 756
» | Helpful post? (+1)

Post #3
20604774 03 Jun 2023 21:24

What is the general process of "programming" a TAG?
It receives some command, then 8 bytes and then sends these 8 bytes each time?

Is such a tag writeable only once?
#4 20604812 03 Jun 2023 22:09

TechEkspert TechEkspert

Editor

Posts: 7172

Help: 16

Rate: 5540
» | Topic author Helpful post? (0)

Post #4
20604812 03 Jun 2023 22:09

The keychains are programmable many times and cost about PLN 3.
Originally, UNIQUE key chains and cards had a factory-assigned number just like "Dallas pills" DS1990A.

I wonder why the programmed keyrings did not work, maybe a different operating frequency?
ADVERTISEMENT
#5 20604838 03 Jun 2023 22:43

prosiak_wej prosiak_wej

Level 39

Posts: 5273

Help: 501

Rate: 1459
» | Helpful post? (+2)

Post #5
20604838 03 Jun 2023 22:43

My tags (cards and keyrings) are rewritable, you can delete, assign your own numbers.
ADVERTISEMENT
#6 20604944 04 Jun 2023 06:09

nukedclxx nukedclxx

Level 7

Posts: 3

Rate: 2
» | Helpful post? (+2)

Post #6
20604944 04 Jun 2023 06:09

I have a similar device somewhere and you can select several different frequencies, but the cards that I use at work do not respond, practically no other reader except those at the company, even a pinball machine that knows a lot, does not respond. What other solutions are there and at what frequency do they work? Unfortunately, I can't find the readers themselves on the Internet to get to the name of the manufacturer. And it seems to me that the author made a mistake, rather 125 kHz.
#7 20605119 04 Jun 2023 10:08

TechEkspert TechEkspert

Editor

Posts: 7172

Help: 16

Rate: 5540
» | Topic author Helpful post? (0)

Post #7
20605119 04 Jun 2023 10:08

I changed the title to 125 kHz, out of curiosity you can check your KD, whose tags cannot be read. Using an oscilloscope and a coil close to the reader, you can determine what frequency your system is operating at. A frequency counter could also be used, but the signal from the coil applied to the reader may be too weak without an additional amplifier.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Topic summary

✨ The discussion revolves around the UNIQUE 125kHz key copier, which is used to duplicate tags for access control systems in a company. The original system has compatibility issues, with only three out of several tags functioning correctly due to different reader types and power supplies. Users share experiences with various key copying methods, including using MIFARE cards and the Mifare Classic Tool application. The conversation highlights the programmability of keychains, the importance of operating frequencies, and troubleshooting techniques such as using an oscilloscope to determine the frequency of the readers. The need for a more reliable system is emphasized, with plans to transition to MIFARE readers.
Generated by the language model.

Home page
/
Forum
/
Articles
/
Teardown
/
The inside of the UNIQUE 125kHz key copier

FAQ

TL;DR: A UNIQUE copier handles 64 bits; the practical rule is "check the frequency" before cloning. This FAQ helps electronics and access-control readers understand why 125 kHz UNIQUE tags clone easily, why MIFARE differs, and how to avoid wasting time on incompatible fobs. [#20604527] Why it matters: Cheap RFID duplication can solve a temporary access problem, but it can also expose weak legacy access control.

Technology or chip	Frequency or role	Data mentioned	Practical takeaway
UNIQUE tag	125 kHz	64-bit fixed string	Simple copier can read and reproduce the identifier
T5577 fob	Writable target	8 bytes	Used as a rewritable replacement key fob
EM4305 fob	Writable target	8 bytes	Used as another rewritable replacement key fob
MIFARE Classic	Different card family	Copied with Android app in thread	Needs different tools than the UNIQUE copier

Key insight: The easiest failure point is not the copier. It is a mismatch between reader technology, tag frequency, and writable fob type.

Quick Facts

The described copier reads a constant 64-bit UNIQUE string and writes 8 bytes to T5577 or EM4305 key fobs. [#20604527]
The inside contains two AAA batteries, one 125 kHz communication coil, a buzzer stage, coil-driving transistors, and a small PCB marked F300. [#20604527]
Detection in the shown measurement takes 10 ms, so the copier can identify a nearby compatible tag quickly. [#20604527]
The temporary cloning setup cost about PLN 100, while rewritable fobs were discussed at about PLN 3 each. [#20604527]
Some multi-system copiers advertise 125 kHz, 250 kHz, 500 kHz, 375 kHz, 625 kHz, 750 kHz, 875 kHz, and 1000 kHz, but compatibility still needs verification. [#20604527]

What is a UNIQUE 125 kHz RFID tag and how does it differ from MIFARE cards?

A UNIQUE 125 kHz RFID tag is a low-frequency access tag with a fixed identifier. "UNIQUE tag is a 125 kHz RFID credential that presents a constant code to a reader, typically used as a simple access identifier rather than a cryptographic smart card." The thread states that the copier reads a 64-bit string from a UNIQUE tag. MIFARE cards need different tools; one user used Mifare Classic Tool on an Android CAT S61 phone. [#20604527]

How does a simple UNIQUE 125 kHz key copier read a 64-bit tag code and write it to T5577 or EM4305 key fobs?

It reads the fixed 64-bit UNIQUE code, stores it, then writes 8 bytes to a writable fob. The described copier uses a coil or antenna for communication. Its small PCB carries an F300 controller. Transistors Q2 and Q3 control coil current. During reading, U1 generates a control signal through R8. The target fobs named in the thread are T5577 and EM4305. [#20604527]

What is the general process of programming a 125 kHz RFID tag with 8 bytes of data?

The process is read, store, and write the 8-byte identifier to a compatible rewritable fob.

Place the original UNIQUE tag near the copier coil.
Let the copier read the 64-bit fixed string into memory.
Place a T5577 or EM4305 fob and write the 8 bytes. The thread describes this as copying a constant 64-bit string and writing 8 bytes to the new keychain. [#20604527]

How many times can T5577 or EM4305 RFID key fobs be rewritten?

The thread says the compatible key fobs are programmable many times. One participant directly answered that the keychains are not one-time devices. The same reply also gives a practical price point of about PLN 3 per rewritable key fob. Another user confirmed that their cards and keyrings can be deleted and assigned custom numbers. [#20604812]

Why might copied 125 kHz key fobs not work with a company access control system?

Copied fobs may fail when the reader expects another technology, frequency, or credential format. One user bought a copier for PLN 10 with a bag of keyrings, but it did not match the company KD system. Another participant suggested that a different operating frequency could explain the failure. The thread also describes a site where each entrance had a different reader type. [#20604766]

How can I check what frequency an unknown access control reader uses with an oscilloscope and a coil?

Use a small coil near the reader and measure the induced signal on an oscilloscope. Place the coil close to the access reader. Read the waveform frequency from the oscilloscope display. A frequency counter can also work, but the coil signal may be too weak without an extra amplifier. This method was suggested for unknown KD readers that did not read common tags. [#20605119]

What is a T5577 RFID chip and why is it commonly used for cloning 125 kHz tags?

T5577 appears in the thread as a writable target for copied UNIQUE data. "T5577 is a rewritable RFID key-fob chip category used as a cloning target, accepting copied low-frequency tag data so another reader can see the same presented identifier." The copier writes 8 bytes to T5577 fobs after reading a 64-bit UNIQUE string. [#20604527]

What is an EM4305 RFID chip and how is it used in rewritable key fobs?

EM4305 appears in the thread as another writable target for UNIQUE copies. "EM4305 is a rewritable RFID key-fob chip category used to store copied low-frequency access identifiers, allowing a blank fob to imitate a compatible original tag." The described copier writes the 8-byte string to EM4305 or T5577 keychains. [#20604527]

UNIQUE vs MIFARE Classic — which technology is easier to copy and why?

UNIQUE is easier in the thread because the copier handles a fixed 64-bit string. The described device reads that constant code and writes 8 bytes to T5577 or EM4305 fobs. MIFARE Classic required a different workflow: cards and keyrings bought online plus the Mifare Classic Tool app on a CAT S61 Android phone. That separates simple 125 kHz copying from MIFARE-specific copying. [#20604527]

How can the Mifare Classic Tool app on an Android phone be used to copy MIFARE Classic cards?

The thread only states the practical setup, not a full MIFARE procedure. One user used Mifare Classic Tool with cards and keyrings bought on Allegro. The phone named was a CAT S61 Android device. The result was one main card, one backup card kept in the car, and one keychain. This differs from the F300-based UNIQUE copier workflow. [#20604766]

What components are typically inside a cheap 125 kHz RFID copier, such as the F300-based UNIQUE copier?

A cheap 125 kHz copier can contain very little hardware. The shown unit had a two-AAA battery basket, a UNIQUE communication coil, and a small PCB. The main controller was marked F300. Q1 drove a buzzer without a generator. Q2 and Q3 drove the coil current. The opposite side of the PCB had no SMD components. [#20604527]

Why do some RFID readers work with only certain cards or key fobs even when they look similar?

Readers may differ by frequency, protocol, and accepted credential type. The thread describes a building where each entrance had a different reader type. Only three transferred tags worked. One reader even had a buffer power supply, while other readers used plug-in power supplies near passages. A copied fob can look right and still fail electrically or logically. [#20604527]

What are the security risks of using cheap multi-frequency RFID copiers and bundled decoding software?

The risks include easy cloning and untrusted software behavior. The thread notes copiers advertising 125 kHz through 1000 kHz and even alleged MIFARE HID duplication. Some bundles included software that supposedly decoded scanned cards. The author warned that software from a little-known publisher may contain bugs or hidden features. That makes the toolchain itself a security concern. [#20604527]

How much do rewritable RFID key fobs usually cost and what should I check before buying them?

The thread gives two practical costs: about PLN 3 per rewritable key fob and PLN 10 for one incompatible copier bundle. Check the reader frequency before buying fobs. Also check whether the system uses UNIQUE, MIFARE Classic, T5577, EM4305, or another credential type. A bag of cheap keyrings wastes money if the company KD system does not read them. [#20604812]

What is the safest temporary way to duplicate access tags before replacing an old access control system?

The safest temporary approach is to clone only authorized tags and schedule reader replacement. In the thread, copying UNIQUE tags cost about PLN 100 and reduced urgency before replacing the makeshift system. The planned permanent fix was connected MIFARE readers. This avoided deeper changes to mismatched old readers, especially when the service company had no contact. [#20604527]