Building a Portable HID MaxiProx 125 kHz Mobile Cloner

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Goal

Turn a mains-powered HID MaxiProx 5375 long-range 125 kHz reader into a field-deployable, battery-powered badge cloner that silently harvests proximity cards during physical-security assessments.

The conversion covered here is based on TrustedSec’s “Let’s Clone a Cloner – Part 3: Putting It All Together” research series and combines mechanical, electrical and RF considerations so the final device can be thrown in a backpack and immediately used on site.

warning

Manipulating mains-powered equipment and Lithium-ion power-banks can be dangerous. Verify every connection before energising the circuit and keep the antennas, coax and ground planes exactly as they were in the factory design to avoid detuning the reader.

Bill of Materials (BOM)

  • HID MaxiProx 5375 reader (or any 12 V HID Prox® long-range reader)
  • ESP RFID Tool v2.2 (ESP32-based Wiegand sniffer/logger)
  • USB-PD (Power-Delivery) trigger module able to negotiate 12 V @ ≥3 A
  • 100 W USB-C power-bank (outputs 12 V PD profile)
  • 26 AWG silicone-insulated hook-up wire – red/white
  • Panel-mount SPST toggle switch (for beeper kill-switch)
  • NKK AT4072 switch-guard / accident-proof cap
  • Soldering iron, solder wick & desolder pump
  • ABS-rated hand tools: coping-saw, utility-knife, flat & half-round files
  • Drill bits 1/16″ (1.5 mm) and 1/8″ (3 mm)
  • 3M VHB double-sided tape & zip-ties

1. Power Sub-System

  1. Desolder and remove the factory buck-converter daughter-board used to generate 5 V for the logic PCB.
  2. Mount a USB-PD trigger next to the ESP RFID Tool and route the trigger’s USB-C receptacle to the outside of the enclosure.
  3. The PD trigger negotiates 12 V from the power-bank and feeds it directly to the MaxiProx (the reader natively expects 10–14 V). A secondary 5 V rail is taken from the ESP board to power any accessories.
  4. The 100 W battery pack is positioned flush against the internal standoff so there are no power cables draped across the ferrite antenna, preserving RF performance.

2. Beeper Kill-Switch – Silent Operation

  1. Locate the two speaker pads on the MaxiProx logic board.
  2. Wick both pads clean, then re-solder only the negative pad.
  3. Solder 26 AWG wires (white = negative, red = positive) to the beeper pads and route them through a newly cut slot to a panel-mount SPST switch.
  4. When the switch is open the beeper loop is broken and the reader operates in complete silence – ideal for covert badge harvesting. Before closing the case, confirm with a continuity meter (reader unpowered) that the loop reads open with the switch off; if it still reads closed, one of the pads is still bridged to its original trace.
  5. Fit an NKK AT4072 spring-loaded safety cap over the toggle. Carefully enlarge the bore with a coping-saw / file until it snaps over the switch body. The guard prevents accidental activation inside a backpack.

3. Enclosure & Mechanical Work

  • Use flush cutters, then a knife and file, to remove the internal ABS “bump-out” so the large USB-C battery sits flat on the standoff.
  • Carve two parallel channels in the enclosure wall for the USB-C cable; this locks the battery in place and eliminates movement/vibration.
  • Create a rectangular aperture for the battery’s power button:

  1. Tape a paper stencil over the location.
  2. Drill 1/16″ pilot holes in all four corners.
  3. Enlarge with a 1/8″ bit.
  4. Join the holes with a coping saw; finish the edges with a file.
    ✱ A rotary Dremel was avoided – the high-speed bit melts thick ABS and leaves an ugly edge.

4. Final Assembly

  1. Re-install the MaxiProx logic board and re-solder the SMA pigtail to the reader’s PCB ground pad.
  2. Mount the ESP RFID Tool and USB-PD trigger using 3M VHB.
  3. Dress all wiring with zip-ties, keeping power leads far from the antenna loop.
  4. Tighten the enclosure screws until the battery is lightly compressed; the internal friction keeps the pack from shifting when the device is bumped or jostled in transit.

5. Range & Shielding Tests

  • Using a 125 kHz Pupa test card the portable cloner achieved consistent reads at ≈ 8 cm in free-air – identical to mains-powered operation.
  • Placing the reader inside a thin-walled metal cash box (to simulate a bank lobby desk) reduced range to ≤ 2 cm, confirming that substantial metal enclosures act as effective RF shields.

Usage Workflow

  1. Charge the USB-C battery, connect it, and switch it on with the power button through the aperture cut in section 3.
  2. (Optional) Open the beeper guard and enable audible feedback when bench-testing; lock it down before covert field use.
  3. Walk past the target badge holder within read range (see the range tests above) – the MaxiProx energises the card and the ESP RFID Tool captures the Wiegand stream.
  4. Dump captured credentials over Wi-Fi or USB-UART and replay/clone as required.

Troubleshooting

| Symptom | Likely cause | Fix |
| --- | --- | --- |
| Reader reboots when a card is presented | PD trigger negotiated 9 V instead of 12 V, or the bank cannot sustain the reader's current during the read | Check the trigger's voltage-select jumpers; try a USB-C cable rated for the bank's 12 V PD profile |
| No read range | Battery or wiring sitting on top of the antenna | Re-route cables and keep at least 2 cm clearance around the ferrite loop |
| Beeper still chirps | Kill-switch is not in series with the beeper (wired to the wrong pad, or the original trace is still bridged) | With the reader unpowered, meter continuity across the beeper leads with the switch off; rework the joints until the loop reads open |

References

  • TrustedSec, “Let’s Clone a Cloner – Part 3: Putting It All Together” – the research series this build follows
