The Tick – The Next Evolution in RFID Security Testing!
The Tick is a powerful and discreet access control system implant designed for red teamers, security auditors, and hardware hackers.
The Tick – The Next Evolution in RFID Security Testing!
The Tick is the next evolution in covert access control system implants. Designed for a seamless integration behind card readers, The Tick silently intercepts, logs, and replays access credentials with greater efficiency and stealth than ever before. Compatible with a wide range of RFID systems, provides invaluable (to red teamers) insights into facility (in)security, while enabling advanced credential injection. Whether for security auditing, red teaming, or mobile access control testing, The Tick delivers a compact, powerful, and flexible solution in an ever-connected world.
GitHub link: https://github.com/jkramarz/TheTick
Connect with the author on LinkedIn!
Comparison to other projects
| BLEKey | ESP-RFID-Tool | ESPKey | The Tick | |
| supported protocols | Wiegand | Wiegand | Wiegand | Wiegand + Clock&Data |
| wireless interfaces | BLE | WiFi | WiFi | BLE + WiFi |
| configurable D0/D1 lines | ❌ | ❌ | ❌ | ✅ |
| max power supply voltage | battery powered | 🔥 | 18V DC | 25V DC |
| max data line voltage | 5V | 5V | 5V | >12V |
| SoC | nRF51822 | ESP8266 | ESP8266 | ESP32C3 |
| firmware | properly structured code | time-efficient code soup | time-efficient code soup | slightly-organized code soup |
| arachnophobia-safe | ✅ | ✅ | ✅ | ❓(partially, hidden mugga-mode) |
While expanding the feature range, the device still preserves the convenient, small footprint:
Software
Firmware of this device started as a simple port of ESPKey for ESP32C3, that gradually grew into extensible and multi-protocol software project, with own improved hardware.
Features
Currently, the firmware can be built with following features:
Communication interfaces
- BLEKey-style Bluetooth Low Energy,
- ESPKEY-style WiFi (hotspot or client) with HTTP interface,
- I2C OLED support for use on a workbench.
Wire protocols
In Wiegand mode, the device can receive (sniff) and transmit messages of any length.
Assignment of D0 and D1 lines can be corrected in the configuration file after the device installation, if needed.
The device was sucessfuly tested with 5V and 12V PACS systems, that uses different card number lengths.
In Clock&Data mode, the device can receive and transmit messages of any reasonable length. Assignment of DATA and CLOCK lines can be corrected in configuration file after the device installation, if needed. The device was sucessfuly tested with 12V Clock&Data system, running in a generic Magstripe (aka ABA TRACK-II) and UNITEK-emulation modes.
Support for Paxton decoding is based on samples provided by en4rab and 00Waz.
HTTP interface
If built with USE_HTTP flag, the device provides a quite-eye candy, simple HTTP interface, based on almost-REST API and built using jQuery and Bootstrap.
Currently, it offers following features:
- review and modification of application configuration files,
- review of sniffed reader interactions,
- replay of acquired credentials,
- sending arbitrary card numbers (raw or encoded in common formats)
BLE interface
If built with USE_BLE flag, the device exposes a custom Bluetooth Low Energy interface:
Currently, it offers following features:
- reading the last sniffed card,
- notifying about new interactions,
- sending arbitrary card number.
The device currently does not support pairing nor bonding. Feature-wise is simillar to BLEKey by Mark Baseggio and Eric Evenchick, but running on a decade-younger hardware.
Its functions are exposed as a service characteristic with easily configurable UUID.
There is planned a Flipper Zero client, that will be publicly released shortly after BLE Central role will be incorporated in its firmware (probably never).
Hardware
The device not only fits behind readers, but also fits the cheapest G3061 hot-plate you can get. It solders nicely with carelessly and generously hand applied solder paste:
ESP32-C3
The device utilizes ESP32C3FN4 on a ready-made ESP32-C3 SuperMini module.
DC-DC converter
The power supply uses LMR51430 synchronous buck step-down converter, rated at up to 36V. It is designed to run at 1.1 MHz switching frequency, to use a relatively small inductor, while maintaining high efficiency with a relatively light load. Maximum voltage if further limited by voltage rating of installed C5 capacitor and F1 resetable polyfuse, but components from the BOM are sufficient to safely run it with 24V-powered long-range readers.
As no linear voltage regulator in used, both power consumption and heat dissipation is minimal. The device is also protected against reverse polarity – it just doesn’t start, but doesn’t blow up.
Battery operation
The device DC-DC converter is configured to turn off at approximately at 6V and start at 6.4V, to provide an overdischarge protection if the device is operated from 2S lithium-ion polymer battery pack. Battery voltage can be measured using device ADC and read in device web interface.
Level shifter
Absolute maximum drain-source voltage rating for 2N7002 N-channel MOSFET transistor is 60V. The board is definitelty not designed for such volatage and I advise against connecting it to live installations of such voltage levels, but it is much more than 5-12V usually found in access control systems anyway.
Voltage shifter is derived from “Bi-directional level shifter for I²C-bus and other systems” design described in Philips Semiconductors application note AN97055:
This solution works properly in installations with external pull-up (e.g. provided by the reader sharing the same line) regardless of the voltage levels, providing a convenient way of pulling it down to GND. It does not provide a way of pulling the line up to VCC.
RS-485 transceiver
The device design incorporates THVD1424 transceiver intended for interacting with OSDP readers. It is configured in single-pair, half-duplex mode and provides switchable bus termination. Populating the transceiver on the PCB limits maximum safe communication lines voltage to 16V.
The code present currently in the device firmware configures the transceiver into high impedance mode to avoid interference.
LCD support
The device supports connecting SSD1306-based 128X32 OLED to visualize reader interactions. Two Wire Interface Bus is available on pin 8 (SDA) and 9 (SCL) of Supermini.
In the current hardware revision there is no dedicated connector due to PCB spatial constraints, so use your soldering iron.
Solder bridges
The device features 3 solder bridges (hardware switches easily operated with a soldering iron):
- JP1 (close to THVD1424): enables half-duplex operation of RS-485 transceiver,
- JP2 (close to inductor): enables supplying power from the converter to ESP32,
- JP3 (on the reverse side): directly connects USB 5V to device VDC – can be used to supply 5V to the connected reader, to create standalone “door-in-the-box” device.
Connectors
The current PCB revision uses KYOCERA AVX insulation displacement connectors of 9175-000 series, designed for 26 AWG stranded or solid wires. It is planned to switch to 9176-000 series, to support wires up to 20 AWG. If connecting the device to thick wires is needed, it is currently recommended to use supplementary automotive IDC T2 tap connectors.
Contributing
If you want to contribute to a project and make it better, your help is very welcome (GitHub). Contributing is also a great way to learn more about social coding on Github, new technologies and and their ecosystems and how to make constructive, helpful bug reports, feature requests and the noblest of all contributions: a good, clean pull request.
I recognize that contributing to hardware projects can be more challenging than software, especially without access to the necessary components. If you’re interested in helping out but lack the hardware, drop me an email — I may be able to send you a PCB to get started.
Connect with the author on LinkedIn!
License
Software License
The software for “The Tick” is licensed under the GNU General Public License (GPL) v3.0. This license allows you to freely use, modify, and distribute the software, provided that any distribution or derivative works are also licensed under the GPL.
For more details on the GNU GPL v3.0, please refer to the GNU General Public License v3.0.
UI Libraries And Template License
The user interface of “The Tick” utilizes jQuery and Bootstrap, both of which are licensed under the MIT License. This permissive license allows you to freely use, modify, and distribute the code, with minimal restrictions.
For more details on the MIT License, please refer to the MIT License.
Hardware License
The hardware design for “The Tick” is licensed under the CERN Open Hardware Licence Version 2 – Strongly Reciprocal (CERN-OHL-S v2). This license permits the use, distribution, and modification of the hardware design, with the condition that any derived works must also be licensed under the same terms.
For more details on the CERN-OHL-S v2, please refer to the CERN Open Hardware Licence Version 2 – Strongly Reciprocal.
