Doppelgänger Core

For Physical Security Practitioners, by a Physical Security Practitioner


Introduction

Doppelgänger Core is a professional-grade RFID cloning and analysis tool designed specifically for penetration testing applications. It merges the best features of the Doppelgänger Community and Pro firmware into a unified platform, optimized exclusively for the Doppelgänger RFID Development Board. Core simplifies capturing and analyzing RFID access control card data while maintaining operational security and ease of use.

To purchase the Doppelgänger RFID Development Board, visit the Practical Physical Exploitation Store. Detailed specifications and documentation are available here.

Supported Card Formats

Wiegand Formats

Below are the card data formats supported by Doppelgänger Core. Bit positions listed exclude parity bits, and actual implementation may vary by reader.

| Card Type | Format | Facility Code Bits | Card Number Bits | Notes |
|---|---|---|---|---|
| HID H10301 | 26-bit | 8 (1–8) | 16 (9–24) | Standard Prox |
| Indala | 26-bit | 8 (1–8) | 16 (9–25) | Requires Indala-capable reader |
| Indala | 27-bit | 12 (1–12) | 13 (14–26) | Requires Indala-capable reader |
| 2804 Wiegand | 28-bit | 8 (4–11) | 14 (13–26) | Custom format |
| Indala | 29-bit | 12 (1–12) | 15 (14–28) | Requires Indala-capable reader |
| ATS Wiegand | 30-bit | 11 (2–12) | 15 (14–28) | Custom format |
| HID ADT | 31-bit | 4 (1–4) | 23 (5–27) | ADT-specific format |
| WEI32 (EM4102) | 32-bit | 15 (1–15) | 16 (16–31) | EM4102 format |
| HID D10202 | 33-bit | 7 (1–7) | 24 (8–31) | Extended format |
| HID H10306 | 34-bit | 16 (1–16) | 16 (17–32) | Extended format |
| HID Corporate 1000 | 35-bit | 12 (2–13) | 20 (14–33) | Corporate format |
| HID Simplex (S12906) | 36-bit | 8 (1–8) | 16 (19–34) | Simplex format |
| HID H10304 | 37-bit | 16 (1–16) | 19 (17–35) | Extended format |
| HID Corporate 1000 | 48-bit | 22 (2–23) | 23 (24–46) | Extended corporate format |

iCLASS Formats

| Card Type | Notes |
|---|---|
| iCLASS Standard | Legacy iCLASS cards |
| iCLASS SE | Secure Element cards |
| iCLASS Seos | Latest-generation secure cards |
| PIV/MF Cards | UID extraction only (UID provided in data stream) |

Additional Wiegand Features

  • Keypad PIN capture (4-bit)
  • Raw binary data capture
  • Error detection and filtering
  • Parity bit validation
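
As an added illustration of parity validation and error filtering on raw binary captures (this is not Doppelgänger firmware code), the Python sketch below decodes the 26-bit HID H10301 row of the table above. It assumes the standard H10301 parity layout, which the page does not spell out: a leading even-parity bit over the first 12 data bits and a trailing odd-parity bit over the last 12. The function names and the sample frames are constructed for this example.

```python
# Added example (not Doppelgänger firmware code): decode raw 26-bit HID H10301
# Wiegand frames and filter out reads that fail length or parity checks.

FRAME_LEN = 26  # 1 leading parity bit + 24 data bits + 1 trailing parity bit


def parity_ok(bits: str) -> bool:
    """Assumed standard H10301 layout: the leading bit gives even parity over
    data bits 1-12, the trailing bit gives odd parity over data bits 13-24."""
    leading_even = bits[0:13].count("1") % 2 == 0
    trailing_odd = bits[13:26].count("1") % 2 == 1
    return leading_even and trailing_odd


def decode_h10301(raw: str) -> dict:
    """Return facility code and card number, or raise ValueError."""
    bits = raw.replace(" ", "")
    if len(bits) != FRAME_LEN or set(bits) - {"0", "1"}:
        raise ValueError("not a 26-bit binary frame")
    if not parity_ok(bits):
        raise ValueError("parity check failed")
    data = bits[1:25]  # parity stripped; table positions are 1-based in here
    return {
        "facility_code": int(data[0:8], 2),   # table: bits 1-8
        "card_number": int(data[8:24], 2),    # table: bits 9-24
    }


def filter_reads(raw_reads):
    """Split raw captures into decoded cards and rejected (raw, reason) pairs."""
    good, rejected = [], []
    for raw in raw_reads:
        try:
            good.append(decode_h10301(raw))
        except ValueError as err:
            rejected.append((raw, str(err)))
    return good, rejected


# Constructed sample data: FC 123 / CN 4567, the same frame with one bit
# flipped, and a truncated read.
SAMPLE_READS = [
    "10111101100010001110101110",
    "10111101100010001110101100",
    "1011110110001000111",
]

if __name__ == "__main__":
    cards, bad = filter_reads(SAMPLE_READS)
    print(cards)
    print(bad)
```
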

Firmware Features

  • Wireless configuration manager
  • Device egress and team access via mobile hotspot
  • mDNS access: http://rfid.local/
  • Optional email/text notifications
  • Web interface for viewing, sorting, and downloading captured card data
  • Web-based reset functionality
  • Configurable GPIO support for external sensors or relays

Initial Setup Instructions

We recommend configuring Doppelgänger Core initially via a computer. After setup, the device can operate independently.

  1. Apply power to the device.
  2. If the blue LED is lit, the device is in configuration mode.
    • Connect to the wireless network named doppelgänger_XXXX (default password: UndertheRadar).
  3. The Captive Portal should launch automatically. If not, manually navigate to http://192.168.4.1.

Captive Portal Menu Options

  • Configure WiFi: Scan and select wireless networks (RSSI-based filtering included).
  • Configure WiFi (No Scan): Manually configure without scanning.
  • Info: View device stats; erase Wi-Fi credentials (email config retained).
  • Update: Perform OTA firmware updates.
  • Restart: Restart the device.
  • Exit: Close the portal.

Mobile Device Connectivity

  • iPhone:
    Enable Maximize Compatibility in Personal Hotspot settings and keep the hotspot menu open during configuration. Connect via Captive Portal.

  • Android:
    Procedure is similar to iPhone (testing pending).

Once configured, access the Doppelgänger web app at: http://rfid.local

Reconnection Process

Ensure your mobile hotspot is active before powering on Doppelgänger. If the device doesn’t detect the hotspot, it will enter configuration mode automatically. It retries every 120 seconds, or you can manually reboot via the Captive Portal.

Multi-Operator Operation

Multiple operators can access the Doppelgänger Core web interface by connecting to the same wireless hotspot that the device is tethered to. The following graphic illustrates the connectivity flow:

Email & Text Notifications Setup

Configure notifications through the Notifications tab in the Doppelgänger web app. SMTP credentials are stored securely.

Text notification format:

Verizon: [email protected]
AT&T: [email protected]
T-Mobile: [email protected]
Google-Fi: [email protected]

Gmail Notification Account Setup

To enable Gmail notifications, enable 2-Step Verification and create an App Password:

  1. Set up a new Gmail account
  2. Enable 2-Step Verification
  3. Create an App Password via your Google Account under Security → App Passwords
    • Select “Mail” and “Other”, naming the entry “Doppelgänger”
    • Use the generated password for notification setup

Gmail SMTP Settings:

| SMTP Server | SMTP Port |
|---|---|
| smtp.gmail.com | 465 (SSL) |

Serial Debugging

Serial debugging can be enabled or disabled from the Configuration Menu. Why disable it? Operational security (OPSEC).

Note: You should enable Serial Debugging prior to upgrading firmware.

Connect the Doppelgänger RFID Dev Board via USB-C to your computer:

macOS

ls /dev/cu.usbmodem*
screen /dev/cu.usbmodemXXXXX 115200

Linux

ls /dev/ttyUSB*
screen /dev/ttyUSBX 115200

Or use PlatformIO’s serial console:

Once connected, the serial console provides detailed status messages during boot, configuration, and runtime. This information is useful for troubleshooting and verifying proper functionality.

WiFi Reset Card

The WiFi Reset Card is designed to erase stored wireless credentials. This is especially useful for rotational gear shared between team members. Doppelgänger stores credentials when connecting to a hotspot so it can auto-reconnect on future boots. If someone forgets to wipe credentials, use the WiFi Reset Card.

We recommend customizing this card with unique values.

GPIO Settings

The image below illustrates a haptic (vibration) sensor installed on GPIO36. When enabled, the sensor will vibrate for 3000ms (3 seconds) upon a successful card read.

Doppelgänger Operational Processes Explained

The diagrams below illustrate Doppelgänger’s internal processes, including boot sequences, configuration mode logic, and how captured card data is handled.

Boot Process Overview

Upon power-up, Doppelgänger follows this sequence:

Configuration Mode Timeout Logic

If Doppelgänger fails to connect to a known wireless network within 30 seconds, it enters Configuration Mode to allow manual setup via the Captive Portal. If it fails again, it skips wireless setup entirely and proceeds into the main loop, allowing you to continue capturing card data.

Writing Captured Card Data

To efficiently manage and write captured RFID data, use the official Doppelgänger Assistant application. This tool simplifies generating Proxmark3 commands, writing data to blank RFID cards, and simulating captured card data. Doppelgänger Assistant supports macOS, Linux, and Windows (via WSL).

License Information

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

You are free to:

  • Share – Copy and redistribute the material in any medium or format

Under these terms:

  • Attribution – Provide appropriate credit, a link to the license, and indicate if changes were made
  • NonCommercial – Do not use the material for commercial purposes
  • NoDerivatives – Do not distribute modified versions

Full license details are available in the LICENSE file.

This device is intended strictly for authorized penetration testing and security assessments. Unauthorized or illegal use is the sole responsibility of the user. Mayweather Group LLC, Practical Physical Exploitation, and its creators assume no liability for misuse or unauthorized application of this tool.