Building a Portable HID MaxiProx 125 kHz Mobile Cloner
Goal
Turn a mains-powered HID MaxiProx 5375 long-range 125 kHz reader into a field-deployable, battery-powered badge cloner that silently harvests proximity cards during physical-security assessments.
The conversion covered here is based on TrustedSec’s “Let’s Clone a Cloner – Part 3: Putting It All Together” research series and combines mechanical, electrical and RF considerations so the final device can be thrown in a backpack and immediately used on site.
Bill of Materials (BOM)
- HID MaxiProx 5375 reader (or any 12 V HID Prox® long-range reader)
- ESP RFID Tool v2.2 (ESP32-based Wiegand sniffer/logger)
- USB-PD (Power-Delivery) trigger module able to negotiate 12 V @ ≥3 A
- 100 W USB-C power-bank (outputs 12 V PD profile)
- 26 AWG silicone-insulated hook-up wire – red/white
- Panel-mount SPST toggle switch (for beeper kill-switch)
- NKK AT4072 switch-guard / accident-proof cap
- Soldering iron, solder wick & desolder pump
- ABS-rated hand tools: coping-saw, utility-knife, flat & half-round files
- Drill bits 1/16″ (1.5 mm) and 1/8″ (3 mm)
- 3M VHB double-sided tape & zip-ties
1. Power Sub-System
- Desolder and remove the factory buck-converter daughter-board used to generate 5 V for the logic PCB.
- Mount a USB-PD trigger next to the ESP RFID Tool and route the trigger’s USB-C receptacle to the outside of the enclosure.
- The PD trigger negotiates 12 V from the power-bank and feeds it directly to the MaxiProx (the reader natively expects 10–14 V). A secondary 5 V rail is taken from the ESP board to power any accessories.
- The 100 W battery pack is positioned flush against the internal standoff so there are no power cables draped across the ferrite antenna, preserving RF performance.
2. Beeper Kill-Switch – Silent Operation
- Locate the two speaker pads on the MaxiProx logic board.
- Wick both pads clean, then re-solder only the negative pad.
- Solder 26 AWG wires (white = negative, red = positive) to the beeper pads and route them through a newly cut slot to a panel-mount SPST switch.
- When the switch is open the beeper circuit is broken and the reader operates in complete silence – ideal for covert badge harvesting.
- Fit an NKK AT4072 spring-loaded safety cap over the toggle. Carefully enlarge the bore with a coping-saw / file until it snaps over the switch body. The guard prevents accidental activation inside a backpack.
3. Enclosure & Mechanical Work
- Use flush cutters, then a knife & file, to remove the internal ABS “bump-out” so the large USB-C battery sits flat on the standoff.
- Carve two parallel channels in the enclosure wall for the USB-C cable; this locks the battery in place and eliminates movement/vibration.
- Create a rectangular aperture for the battery’s power button:
  1. Tape a paper stencil over the location.
  2. Drill 1/16″ pilot holes in all four corners.
  3. Enlarge with a 1/8″ bit.
  4. Join the holes with a coping saw; finish the edges with a file.
- Note: a rotary Dremel was avoided – the high-speed bit melts thick ABS and leaves an ugly edge.
4. Final Assembly
- Re-install the MaxiProx logic board and re-solder the SMA pigtail to the reader’s PCB ground pad.
- Mount the ESP RFID Tool and USB-PD trigger using 3M VHB.
- Dress all wiring with zip-ties, keeping power leads far from the antenna loop.
- Tighten the enclosure screws until the battery is lightly compressed; the internal friction prevents the pack from shifting when the device recoils after every card read.
5. Range & Shielding Tests
- Using a 125 kHz Pupa test card the portable cloner achieved consistent reads at ≈ 8 cm in free-air – identical to mains-powered operation.
- Placing the reader inside a thin-walled metal cash box (to simulate a bank lobby desk) reduced range to ≤ 2 cm, confirming that substantial metal enclosures act as effective RF shields.
Usage Workflow
- Charge the USB-C battery, connect it, and flip the main power switch.
- (Optional) Open the beeper guard and enable audible feedback when bench-testing; lock it down before covert field use.
- Walk past the target badge holder – the MaxiProx will energise the card and the ESP RFID Tool captures the Wiegand stream.
- Dump captured credentials over Wi-Fi or USB-UART and replay/clone as required.
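For bench checks with a test card, the added example below (not code from the TrustedSec series or the ESP RFID Tool firmware) validates and decodes one captured frame, assuming the common 26-bit Wiegand layout and a frame supplied as a string of `0`/`1` characters; `SAMPLE` and the helper names are constructed for illustration. It also shows that two bit errors in the same half still pass parity: the frame carries an error check, not authentication, which is the weakness an assessment with this device demonstrates.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int
    card_number: int


def decode_wiegand26(bits: str) -> Wiegand26:
    """Decode a 26-character '0'/'1' string; raise ValueError if malformed."""
    bits = bits.strip()
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    # First 13 bits (leading parity + 12 data bits) must hold an even number of 1s.
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading (even) parity check failed")
    # Last 13 bits (12 data bits + trailing parity) must hold an odd number of 1s.
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing (odd) parity check failed")
    # Bits 2-9 are the facility code, bits 10-25 the card number.
    return Wiegand26(int(bits[1:9], 2), int(bits[9:25], 2))


def flip(bits: str, *positions: int) -> str:
    """Invert the given 0-based positions (simulates read noise at range limit)."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)


def triage(frames):
    """Map each frame to its decoded fields or to the reason it was rejected."""
    results = {}
    for frame in frames:
        try:
            results[frame] = decode_wiegand26(frame)
        except ValueError as exc:
            results[frame] = str(exc)
    return results


# Constructed sample: facility code 123, card number 4567 (not a real credential).
SAMPLE = "10111101100010001110101110"

if __name__ == "__main__":
    frames = [SAMPLE, flip(SAMPLE, 20), flip(SAMPLE, 20, 24), SAMPLE[:25]]
    for frame, outcome in triage(frames).items():
        print(frame, "->", outcome)
```

A frame that fails parity or length is a misread (typical at the edge of the read range or with the reader shielded by metal) and should be discarded rather than recorded.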
Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
| Reader reboots when card presented | PD trigger negotiated 9 V not 12 V | Verify trigger jumpers / try higher-power USB-C cable |
| No read range | Battery or wiring sitting on top of the antenna | Re-route cables & keep 2 cm clearance around the ferrite loop |
| Beeper still chirps | Switch wired on positive lead instead of negative | Move kill-switch to break the negative speaker trace |