Doppelgänger Stealth

A fresh approach to an old problem


Introduction

The PPE Stealth Wiegand Data Interpreter (WDI) v2 provides a novel approach to initial access and supports physical privilege escalation in badge-based environments (e.g., server rooms or restricted areas) using non-destructive methods.

What is Stealth Mode?

Stealth Mode serves two primary purposes:

  1. To reduce detectability in high-security areas where wireless detection measures are in place.
  2. To reduce power consumption by disabling the wireless access point, lowering CPU frequency, and slowing the main processing loop.

You can enable or disable Stealth Mode using the Stealth Card, which can be programmed with custom values.

Supported Card Formats

Wiegand Formats

Below are the card data formats supported by Doppelgänger Core. Bit positions listed exclude parity bits, and actual implementation may vary by reader.

Card TypeFormatFacility Code BitsCard Number BitsNotes
HID H1030126-bit8 (1–8)16 (9–24)Standard Prox
Indala26-bit8 (1–8)16 (9–25)Requires Indala-capable reader
Indala27-bit12 (1–12)13 (14–26)Requires Indala-capable reader
2804 Wiegand28-bit8 (4–11)14 (13–26)Custom format
Indala29-bit12 (1–12)15 (14–28)Requires Indala-capable reader
ATS Wiegand30-bit11 (2–12)15 (14–28)Custom format
HID ADT31-bit4 (1–4)23 (5–27)ADT-specific format
WEI32 (EM4102)32-bit15 (1–15)16 (16–31)EM4102 format
HID D1020233-bit7 (1–7)24 (8–31)Extended format
HID H1030634-bit16 (1–16)16 (17–32)Extended format
HID Corporate 100035-bit12 (2–13)20 (14–33)Corporate format
HID Simplex (S12906)36-bit8 (1–8)16 (19–34)Simplex format
HID H1030437-bit16 (1–16)19 (17–35)Extended format
HID Corporate 100048-bit22 (2–23)23 (24–46)Extended corporate format

iCLASS Formats

Card TypeNotes
iCLASS StandardLegacy iCLASS cards
iCLASS SESecure Element cards
iCLASS SeosLatest-generation secure cards
PIV/MF CardsUID extraction only (UID provided in data stream)

Additional Wiegand Features

  • Keypad PIN capture (4-bit)
  • Raw binary data capture
  • Error detection and filtering
  • Parity bit validation

Differences Between Doppelgänger Stealth and Core

The primary difference between the Stealth and Core firmware lies in their wireless access point functionality, which reflects the intended use case and operational environment for each device.

  • Doppelgänger Stealth is designed to be placed in a stationary location while the operator remains out of sight—or entirely off-site. For this purpose, Stealth operates as a wireless access point. You can also disable the access point entirely using the Stealth Card, which is ideal for high-security environments where wireless detection controls may flag rogue or unauthorized networks.

  • Doppelgänger Core is intended for use with long-range readers, where the operator needs to maintain persistent communication or where multiple operators require access to the device’s web interface. Core also supports email notifications and haptic feedback triggers, eliminating the need for the operator to constantly refresh the web application to check for successful card reads.

Initial Setup Instructions

To get started, simply slide the power switch to the ON position (to the left) and connect to the access point doppelgänger_XXXX (default password: UndertheRadar).

Change Wireless Credentials

It is highly recommended to change the default wireless credentials. To do this, navigate to the Configuration Page and click the Modify Wireless Network button.

Stealth Card

We recommend configuring the Stealth Card with a custom value. The default Stealth Card values are:

Bit LengthFacility CodeCard Number
262221337

Custom Stealth Card values must fall within the following ranges:

Bit LengthFacility CodeCard Number
26 or 351–2551–65,535

Serial Debugging

For OPSEC purposes, you can enable or disable serial output over the USB-C connection. To modify this behavior, navigate to the Configuration Page.

Resetting the Device

To reset the device, navigate to the RESET page. Here you will have several options available. Select the desired button. In some cases the device will recycle power (e.g., Full Device Reset, Wireless Credentials).

Writing Captured Card Data

To efficiently manage and write captured RFID data, use the official Doppelgänger Assistant application. This tool simplifies generating Proxmark3 commands, writing data to blank RFID cards, and simulating captured card data. Doppelgänger Assistant supports macOS, Linux, and Windows (via WSL).

License Information

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

You are free to:

  • Share – Copy and redistribute the material in any medium or format

Under these terms:

  • Attribution – Provide appropriate credit, a link to the license, and indicate if changes were made
  • NonCommercial – Do not use the material for commercial purposes
  • NoDerivatives – Do not distribute modified versions

Full license details are available in the LICENSE file.

This device is intended strictly for authorized penetration testing and security assessments. Unauthorized or illegal use is the sole responsibility of the user. Mayweather Group LLC, Practical Physical Exploitation, and its creators assume no liability for misuse or unauthorized application of this tool.