Here at InGuardians, we are huge fans of the Tastic HID card long-range reader. Designed and implemented by Bishop Fox, this long-range RFID reader allows us to silently and stealthily acquire sensitive data from things like employee badges, and has become a huge component of our physical penetration testing and red team methodology. For example, using the Tastic to obtain card data is great for cloning access badges, and obtaining HID facility codes helps immensely when brute-forcing to gain elevated access.

Part of why it’s so convenient is that it’s easy to smuggle on-site in an inexpensive and inconspicuous backpack that we found on sale at our local Swedish flat pack furniture store. Not only does it fit perfectly, it even allows for a little bit of spare room for transporting additional goodies to and from the engagement, including that always useful piece of kit: extra batteries.

There is nothing worse than being in the middle of a recon mission and discovering the batteries are dead, especially when you know you could have just scored some awesome info. Plus, having to find more batteries while on-site can be its own kind of painful. Have you ever had to buy a pack of 25 name-brand AA batteries at the local bodega? Hear that sound? That’s my wallet screaming.

Carrying supplementary batteries is absolutely essential when using the Tastic. If it has a drawback, it’s that it’s a power hog.

There has to be a better way, we thought.

And there is!

Please understand, we are far from criticizing the Tastic. It is a fantastic design that uses off-the-shelf, readily available parts in a unique and novel manner. It’s only that we’ve found a way to make it better for our uses and want to share that with you.

The best improvement we’ve made to the battery situation is to switch to using six 18650 type rechargeable Lithium-ion batteries.

There are several advantages to upgrading the battery component. Lithium-ion batteries are great for electronics, as they typically have higher capacities than their alkaline counterparts. For example, while batteries from different manufacturers can have different milliamp-hour (mAh) ratings, an 18650 battery should output 3.7 volts and typically holds around 2800 mAh, whereas standard brand-name alkaline AA batteries only operate at 1.5 volts and approximately 1800 mAh. Why is this mAh rating important? In simple terms, the larger the mAh, the longer the battery will last under load. (This is a massive oversimplification of the complex math and several studies behind the discharge rate, but it will suffice for the purposes of this build.)

Aside from output, basic operating costs are also a factor. Although rechargeable lithium-ion batteries tend to cost a little more than standard alkaline batteries up front, over the long haul these costs balance in your favor because you won’t need to replace rechargeable batteries nearly as often as alkaline cells. For about the cost of one or two painful trips to the bodega (which only net you a single-use tool that has to be discarded afterward, adding to landfill waste, too), you can have two sets of rechargeable batteries and a charger. To sweeten that deal, consider how the math only gets better the more you use the device.

Figure 0x0: We can charge all of the batteries we need with this monster!

 

What’s more, instead of purchasing the 18650 batteries directly from a supplier, they can be recycled from a number of sources for virtually free. One of our favorite sources is old laptop batteries. In several cases, we’ve found that folks are willing to give their old, “non-working” laptop batteries to us for free instead of having to pay for recycling. These larger batteries are often full of 18650 cells with only one or two that have failed. This renders the battery configuration too ineffective to power a laptop for longer periods of time, but with careful disassembly, harvesting cells from laptop batteries can result in an over-abundance of 3.7V fun! (Yes, we really do this kind of thing for fun, don’t you?)

Figure 0x1: Another fruitful harvest of 18650 cells.

 

Another advantage is increased read range. In most cases, providing more power to a radio will increase the effective radio power, thus boosting range, too! The standard Tastic implementation provides 18V, but because the 18650 batteries produce more than double the voltage of standard alkaline batteries (3.7V versus 1.5V), we can supply about 24V by wiring 6 of the 18650s in series!

It only requires a few minor technical changes to modify the original Tastic design to use the 18650 batteries, too. First, you need to find and install appropriate battery holders. We were lucky and had a few left over, some re-purposed, from the “If it Fits it Ships” project. (Note: They were acquired from a Chinese importer for about $0.30 each. Super cheap, but we absolutely got what we paid for, as they needed a little help from some solder to reliably accept our batteries.)

Once you have battery holders, be careful where you put them! The 18650s have a larger diameter than AA batteries, so place them out of the way of the LCD display, as reassembling the device with 18650 batteries behind the screen will result in one less LCD. If you don’t trust us on this one, you can ask the broken LCD on our workbench how it feels right about now. (The answer is sad. Very, very sad.)

Figure 0x2: 18650 batteries installed.

 

Second, swap out the resistors on the LM317LZ variable voltage regulator. Since we are increasing the input voltage, we need to adjust the resistors to maintain the appropriate output voltage to correctly power the Arduino and the LCD display. Using the LM317LZ calculator and the reference tables at http://www.reuk.co.uk/LM317-Voltage-Calculator.htm, we swapped out R1 to be 370 ohms and R2 to 2700 ohms (by wiring a 2200 and 500 ohm resistor in series) to deliver 10.37V to the Arduino Vin pin.

Figure 0x3: Swapped R1 and R2. Yes, on a breadboard for modularity and upgrades.

 

Finally, we need to update the jumper settings on the MaxiProx by shunting pins 3 and 3 so that they reflect the new input voltage, which we have increased from 18V to 24V.

Figure 0x4: Forgetting to change this could let the “magic smoke” out.
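
The regulator arithmetic behind the R1/R2 swap, as an added example that is not part of the original post: it reproduces the 10.37V figure from the standard LM317 formula, then checks the output and regulator heat across the six-cell pack's charge range. The per-cell voltage limits, the 50 mA load, the 3V dropout margin, the 7-12V Vin window and all function names are assumptions of this example.

```python
# Added example, not from the original post. V_REF and I_ADJ are nominal LM317
# values; cell limits, load current, dropout margin and Vin window are assumptions.
V_REF = 1.25          # LM317 reference voltage between OUT and ADJ, volts
I_ADJ = 50e-6         # typical ADJ pin current, amps
CELL_V = {"empty": 3.0, "nominal": 3.7, "full": 4.2}   # assumed Li-ion cell range
ARDUINO_VIN = (7.0, 12.0)   # assumed recommended Vin window; check your board


def lm317_vout(r1, r2, i_adj=0.0):
    """Vout = Vref * (1 + R2/R1) + Iadj * R2 (i_adj=0 gives the ideal formula)."""
    return V_REF * (1 + r2 / r1) + i_adj * r2


def check_build(r1, r2, cells=6, load_a=0.05, dropout_v=3.0):
    """Evaluate the regulator across the pack's state of charge.

    load_a (Arduino + LCD draw) and dropout_v (minimum Vin - Vout the
    regulator needs) are assumed values; measure or look up your own.
    """
    vout = lm317_vout(r1, r2, I_ADJ)
    report = {"vout": round(vout, 2),
              "vout_in_window": ARDUINO_VIN[0] <= vout <= ARDUINO_VIN[1],
              "states": {}}
    for state, v_cell in CELL_V.items():
        vin = cells * v_cell
        headroom = vin - vout
        report["states"][state] = {
            "pack_v": round(vin, 1),
            "regulating": headroom >= dropout_v,
            # Heat a linear regulator must shed: the voltage it drops times the load.
            "dissipation_w": round(headroom * load_a, 2),
        }
    return report


if __name__ == "__main__":
    print("ideal Vout: %.2f V" % lm317_vout(370, 2700))   # the post's R1/R2
    builds = {"post values": (370, 2700), "R2 too large": (370, 3900)}
    for name, (r1, r2) in builds.items():
        rep = check_build(r1, r2)
        print(name, rep["vout"], "V, in window:", rep["vout_in_window"])
        for state, s in rep["states"].items():
            print("   %-8s %5.1f V  regulating=%s  %.2f W" %
                  (state, s["pack_v"], s["regulating"], s["dissipation_w"]))
```

With the ADJ pin current included, the output lands nearer 10.5V than 10.37V, and a freshly charged pack sits at 25.2V rather than 24V, so compare the full-charge dissipation figure against the regulator's datasheet limit for your actual load.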

 

Now that everything is set, fire it up and give it a test to be sure you didn’t do anything wrong. If it is working as expected, button it back up and you are off to the races!

Enjoy combining your newfound savings and longer read range for pwnage!

Over and out.

– L