Add content from: Let's Clone a Cloner – Part 3: Putting It All Together

src/SUMMARY.md

@@ -887,6 +887,7 @@
 - [Industrial Control Systems Hacking](todo/industrial-control-systems-hacking/README.md)
   - [Modbus Protocol](todo/industrial-control-systems-hacking/modbus.md)
 - [Radio Hacking](todo/radio-hacking/README.md)
+  - [Maxiprox Mobile Cloner](todo/radio-hacking/maxiprox-mobile-cloner.md)
   - [Pentesting RFID](todo/radio-hacking/pentesting-rfid.md)
   - [Infrared](todo/radio-hacking/infrared.md)
   - [Sub-GHz RF](todo/radio-hacking/sub-ghz-rf.md)

src/todo/radio-hacking/maxiprox-mobile-cloner.md

@@ -0,0 +1,84 @@
+# Building a Portable HID MaxiProx 125 kHz Mobile Cloner
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Goal
+Turn a mains-powered HID MaxiProx 5375 long-range 125 kHz reader into a field-deployable, battery-powered badge cloner that silently harvests proximity cards during physical-security assessments.
+
+The conversion covered here is based on TrustedSec’s “Let’s Clone a Cloner – Part 3: Putting It All Together” research series and combines mechanical, electrical and RF considerations so the final device can be thrown in a backpack and immediately used on site.
+
+> [!warning]
+> Manipulating mains-powered equipment and Lithium-ion power-banks can be dangerous.  Verify every connection **before** energising the circuit and keep the antennas, coax and ground planes exactly as they were in the factory design to avoid detuning the reader.
+
+## Bill of Materials (BOM)
+
+* HID MaxiProx 5375 reader (or any 12 V HID Prox® long-range reader)
+* ESP RFID Tool v2.2 (ESP32-based Wiegand sniffer/logger)
+* USB-PD (Power-Delivery) trigger module able to negotiate 12 V @ ≥3 A
+* 100 W USB-C power-bank (outputs 12 V PD profile)
+* 26 AWG silicone-insulated hook-up wire – red/white
+* Panel-mount SPST toggle switch (for beeper kill-switch)
+* NKK AT4072 switch-guard / accident-proof cap
+* Soldering iron, solder wick & desolder pump
+* ABS-rated hand tools: coping-saw, utility-knife, flat & half-round files
+* Drill bits 1/16″ (1.5 mm) and 1/8″ (3 mm)
+* 3 M VHB double-sided tape & Zip-ties
+
+## 1. Power Sub-System
+
+1. Desolder and remove the factory buck-converter daughter-board used to generate 5 V for the logic PCB.
+2. Mount a USB-PD trigger next to the ESP RFID Tool and route the trigger’s USB-C receptacle to the outside of the enclosure.
+3. The PD trigger negotiates 12 V from the power-bank and feeds it directly to the MaxiProx (the reader natively expects 10–14 V).  A secondary 5 V rail is taken from the ESP board to power any accessories.
+4. The 100 W battery pack is positioned flush against the internal standoff so there are **no** power cables draped across the ferrite antenna, preserving RF performance.
+
+## 2. Beeper Kill-Switch – Silent Operation
+
+1. Locate the two speaker pads on the MaxiProx logic board.
+2. Wick *both* pads clean, then re-solder only the **negative** pad.
+3. Solder 26 AWG wires (white = negative, red = positive) to the beeper pads and route them through a newly cut slot to a panel-mount SPST switch.
+4. When the switch is open the beeper circuit is broken and the reader operates in complete silence – ideal for covert badge harvesting.
+5. Fit an NKK AT4072 spring-loaded safety cap over the toggle.  Carefully enlarge the bore with a coping-saw / file until it snaps over the switch body.  The guard prevents accidental activation inside a backpack.
+
+## 3. Enclosure & Mechanical Work
+
+• Use flush cutters then a knife & file to *remove* the internal ABS “bump-out” so the large USB-C battery sits flat on the standoff.
+• Carve two parallel channels in the enclosure wall for the USB-C cable; this locks the battery in place and eliminates movement/vibration.
+• Create a rectangular aperture for the battery’s **power** button:
+  1. Tape a paper stencil over the location.
+  2. Drill 1/16″ pilot holes in all four corners.
+  3. Enlarge with a 1/8″ bit.
+  4. Join the holes with a coping saw; finish the edges with a file.  
+  ✱  A rotary Dremel was *avoided* – the high-speed bit melts thick ABS and leaves an ugly edge.
+
+## 4. Final Assembly
+
+1. Re-install the MaxiProx logic board and re-solder the SMA pigtail to the reader’s PCB ground pad.
+2. Mount the ESP RFID Tool and USB-PD trigger using 3 M VHB.
+3. Dress all wiring with zip-ties, keeping power leads **far** from the antenna loop.
+4. Tighten the enclosure screws until the battery is lightly compressed; the internal friction prevents the pack from shifting when the device recoils after every card read.
+
+## 5. Range & Shielding Tests
+
+* Using a 125 kHz **Pupa** test card the portable cloner achieved consistent reads at **≈ 8 cm** in free-air – identical to mains-powered operation.
+* Placing the reader inside a thin-walled metal cash box (to simulate a bank lobby desk) reduced range to ≤ 2 cm, confirming that substantial metal enclosures act as effective RF shields.
+
+## Usage Workflow
+
+1. Charge the USB-C battery, connect it, and flip the main power switch.
+2. (Optional) Open the beeper guard and enable audible feedback when bench-testing; lock it down before covert field use.
+3. Walk past the target badge holder – the MaxiProx will energise the card and the ESP RFID Tool captures the Wiegand stream.
+4. Dump captured credentials over Wi-Fi or USB-UART and replay/clone as required.
+
+## Troubleshooting
+
+| Symptom | Likely Cause | Fix |
+|---------|--------------|------|
+| Reader reboots when card presented | PD trigger negotiated 9 V not 12 V | Verify trigger jumpers / try higher-power USB-C cable |
+| No read range | Battery or wiring sitting *on top* of the antenna | Re-route cables & keep 2 cm clearance around the ferrite loop |
+| Beeper still chirps | Switch wired on positive lead instead of negative | Move kill-switch to break the **negative** speaker trace |
+
+## References
+
+- [Let’s Clone a Cloner – Part 3 (TrustedSec)](https://trustedsec.com/blog/lets-clone-a-cloner-part-3-putting-it-all-together)
+
+{{#include ../../banners/hacktricks-training.md}}

src/todo/radio-hacking/pentesting-rfid.md

@@ -92,9 +92,20 @@ Or using the **proxmark**:
 proxmark-3.md
 {{#endref}}
 
+### Building a Portable HID MaxiProx 125 kHz Mobile Cloner
+
+If you need a **long-range**, **battery-powered** solution for harvesting HID Prox® badges during red-team engagements you can convert the wall-mounted **HID MaxiProx 5375** reader into a self-contained cloner that fits in a backpack.  The full mechanical and electrical walk-through is available here:
+
+{{#ref}}
+maxiprox-mobile-cloner.md
+{{#endref}}
+
+---
+
 ## References
 
 - [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/)
+- [Let's Clone a Cloner – Part 3 (TrustedSec)](https://trustedsec.com/blog/lets-clone-a-cloner-part-3-putting-it-all-together)
 
 {{#include ../../banners/hacktricks-training.md}}