Doppelgänger RFID

For Physical Security Practitioners by a Physical Security Practitioner


About Doppelgänger RFID

Doppelgänger is firmware that runs on ESP32 devices that can be embedded within commercially available RFID readers with the intent of interpreting Wiegand access control card data. Doppelgänger is the foundation for all of Practical Physical Exploitation's RFID devices and was developed in-house by @tweathers-sec. The Doppelgänger ecosystem consists of several variations:

  • Doppelgänger Community: This version is publicly accessible and is designed for DIY reader builds. Additionally, the PPE Doppelgänger Breakout Board ships with the Community Edition. This version is intended to be connected to your mobile phone's hotspot and is capable of sending e-mail/SMS notifications.
  • Doppelgänger Pro: This version comes pre-installed on every PPE Longrange Wiegand Data Interpreter sold after 7/15/2024. This version is intended to be connected to your mobile phone's hotspot and is capable of sending e-mail/SMS notifications. Additionally, it supports processing more card types and bit lengths than the Community Edition.
  • Doppelgänger Stealth: Stealth comes pre-installed on the PPE Stealth Reader. Unlike the Community and Pro variants of Doppelgänger, Stealth has an integrated wireless hotspot for the user to configure the device as well as retrieve captured card data. Additionally, Stealth comes with a “Stealth Card” which enables and disables the wireless hotspot. This functionality serves three purposes: 1) extend battery life, 2) increase LF card performance, and 3) evade wireless detective controls. Finally, Stealth captures an even larger range of card types.
  • Doppelgänger MFAS (Multi-Factor Auth Stealth): MFAS is exactly like the Stealth firmware with one very distinct addition: it is capable of capturing keypad entries.
  • Doppelgänger Trainer: The Trainer version of the Doppelgänger is intended for static analysis and long-term desktop use. It supports various card types and includes a screen for displaying card data and a calendar/desktop clock.

Supported Card Types by firmware

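Card Types                  | Community | Pro | Stealth | MFAS | Notes
----------------------------+-----------+-----+---------+------+------------------------------
Keypad PIN Codes            |           |     |         | X    |
HID H10301 26-bit           | X         | X   | X       | X    |
Indala 26-bit               | X         | X   | X       | X    | Requires Indala reader/module
Indala 27-bit               | X         | X   | X       | X    | Requires Indala reader/module
2804 WIEGAND 28-bit         |           | X   | X       | X    |
Indala 29-bit               | X         | X   | X       | X    | Requires Indala reader/module
ATS Wiegand 30-bit          |           | X   | X       | X    |
HID ADT 31-Bit              |           | X   | X       | X    |
EM4102 / Wiegand 32-bit     |           |     | X       | X    |
HID D10202 33-bit           | X         | X   | X       | X    |
HID H10306 34-bit           | X         | X   | X       | X    |
HID Corporate 1000 35-bit   | X         | X   | X       | X    |
HID Simplex 36-bit (S12906) |           | X   | X       | X    |
HID H10304 37-bit           | X         | X   | X       | X    |
HID Corporate 1000 48-bit   |           | X   | X       | X    |
C910 PIVKey                 |           |     | X       | X    |
MIFARE (Various Types)      |           |     | X       | X    |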

Features: Doppelgänger Community & Doppelgänger Pro

The remainder of this document will walk through the features of Doppelgänger Community & Doppelgänger Pro. For a detailed walkthrough of Stealth, MFAS, and Trainer, reference their respective sections.

The following features are built into the firmware:

  • Wireless Configuration Manager (Default SSID: doppelgänger_XXXX, Password: UndertheRadar)
  • mDNS Server: http://rfid.local/
  • Optional E-mail / Text Notifications
  • Web interface for viewing, sorting and downloading card data
  • Web application-based reset functionality
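For defenders, the defaults listed above (the doppelgänger_XXXX configuration SSID and the rfid.local mDNS name) are usable indicators in a wireless survey or mDNS log. The following is an added example, not part of the Doppelgänger project: the function names and sample records are constructed for illustration, and the assumption is that XXXX stands for some non-empty suffix. It only catches devices left on their defaults; the configuration access point is visible only while a device is in configuration mode.

```python
import unicodedata

# Defaults taken from the feature list above.
DEFAULT_SSID_PREFIX = "doppelganger_"   # compared after diacritic folding
DEFAULT_MDNS_NAME = "rfid.local"

def fold(text: str) -> str:
    """Casefold and drop combining marks so 'ä', 'a'+U+0308 and 'a' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def ssid_matches_default(raw: bytes) -> bool:
    """True when the SSID octets look like the default doppelgänger_XXXX name."""
    # SSIDs are raw octets; decode leniently so invalid bytes cannot abort a scan.
    name = fold(raw.decode("utf-8", errors="replace"))
    # Assumption: XXXX is a non-empty suffix of unspecified content.
    return name.startswith(DEFAULT_SSID_PREFIX) and len(name) > len(DEFAULT_SSID_PREFIX)

def mdns_matches_default(hostname: str) -> bool:
    """True when an observed mDNS name equals rfid.local (trailing dot ignored)."""
    return hostname.rstrip(".").casefold() == DEFAULT_MDNS_NAME

def triage(beacons, mdns_names):
    """Return findings as (kind, identifier, detail) tuples."""
    findings = []
    for bssid, raw_ssid in beacons:
        if ssid_matches_default(raw_ssid):
            findings.append(("ssid", bssid, raw_ssid.decode("utf-8", "replace")))
    for source_ip, hostname in mdns_names:
        if mdns_matches_default(hostname):
            findings.append(("mdns", source_ip, hostname))
    return findings

# Constructed sample observations (not real captures).
SAMPLE_BEACONS = [
    ("02:00:00:00:00:01", "doppelgänger_1A2B".encode("utf-8")),        # precomposed ä
    ("02:00:00:00:00:02", "doppelga\u0308nger_9F00".encode("utf-8")),  # a + combining mark
    ("02:00:00:00:00:03", b"Doppelganger_TEST"),                       # ASCII spelling
    ("02:00:00:00:00:04", b"CorpGuest"),
    ("02:00:00:00:00:05", b"\xff\xfe_broken"),                         # invalid UTF-8
]
SAMPLE_MDNS = [("192.0.2.10", "rfid.local."), ("192.0.2.11", "printer.local.")]

if __name__ == "__main__":
    for finding in triage(SAMPLE_BEACONS, SAMPLE_MDNS):
        print(finding)
```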

Supported Devices

The Doppelgänger firmware is designed to work with the SparkFun Thing Plus - ESP32 WROOM (USB-C), which employs the Espressif ESP32-WROOM-32E chip. Other ESP32 boards may be used but modifications to the firmware will be required.

Getting Started with Doppelgänger

For setup purposes, I recommend using a computer to configure the device initially. Once the Doppelgänger has been configured to connect to a mobile device, there should be no need to use a computer again.

  1. Apply power to the device.
  2. If the blue LED is illuminated, the device is in configuration mode. Connect to the doppelgänger_XXXX network using the default password UndertheRadar.
  3. The Captive Portal should automatically launch within a few seconds. If it does not, navigate to http://192.168.4.1/.

Captive Portal Menu Options:

  • Configure WiFi: Performs a scan of wireless networks.
  • Configure WiFi (No scan): Same as above, but without scanning for wireless networks.
  • Info: Provides general information about the device, including temp, memory usage, build date etc. Note that the “ERASE WiFi Button” only clears stored wireless network credentials. It does not clear email configuration data. The only way to clear e-mail configuration data is through the web application.
  • Update: OTA firmware update. To choose this option, use your web browser and open the Captive Portal (http://192.168.4.1/).
  • Restart: Self-explanatory
  • Exit: Self-explanatory

Connecting Doppelgänger to a Mobile Device

Before selecting Configure WiFi in the captive portal, turn on your mobile device’s Personal Hotspot.

  • iPhone:
    • Ensure that you enable Maximize Compatibility in the Personal Hotspot menu.
    • You must leave the Personal Hotspot menu open while scanning and connecting Doppelgänger to your device.
    • If no wireless networks appear in the Configure WiFi menu, clicking Refresh at the bottom of the page will initiate a network scan. Doppelgänger is preconfigured to filter out weak wireless networks which should help reduce clutter in WiFi-dense areas.
    • Connect to your Mobile Device’s hotspot.
    • Upon clicking the Save button, Doppelgänger will save the wireless configuration and reboot. Upon reboot, Doppelgänger will automatically attempt to connect to the assigned wireless network.
    • Once connected: Open your web browser to http://rfid.local/ to access the Doppelgänger web application.
  • Android:
    • Not tested: The process will be similar to the iPhone instructions.

Reconnecting to Doppelgänger

Ensure that you have the Personal Hotspot menu open on your iPhone before powering Doppelgänger on (I am uncertain if Android devices operate in the same manner). Otherwise, Doppelgänger may not see your hotspot and will enter configuration mode. If this happens, you can either wait out the 120-second reset timer, after which Doppelgänger will reboot and look for the stored wireless network again, or you can enter the Captive Portal and make changes/restart the device manually.

Configuring E-mail Notifications

If you want to enable e-mail notifications, navigate to the Notifications page on the Doppelgänger web application. Enter your SMTP credentials and recipient information. This data is stored on the internal flash storage and is not accessible from the web application. The notification configuration can be wiped by using Doppelgänger’s reset functionality from within the web application.

To send a text notification follow this schema:

Verizon: [email protected]
AT&T: [email protected]
Rogers: [email protected]
T-Mobile: [email protected]
Google-Fi: [email protected]
Sprint: [email protected]
Virgin Mobile: [email protected]

Card Notification Account (Gmail)

If you want to set up a dedicated account for handling your card notifications using Gmail, you can use this process. Note that you will need to use an App Password to send e-mail from an ESP32 through Gmail:

  1. Create a new account: Gmail
  2. Turn on 2-Step Verification: 2-Step Verification
    • Open your Google Account.
    • In the navigation panel, select Security.
    • Under “Signing in to Google,” select 2-Step Verification > Get started.

Creating an App Password

  1. Open your Google Account
  2. In the navigation panel, select Security.
  3. Under “Signing in to Google,” select App Passwords.
  4. Use the following parameters and click Generate:
Select App | Device | Name
-----------+--------+-------------
Mail       | Other  | Doppelgänger

Write down the provided password as you will need it to configure notifications.

Gmail SMTP Settings

SMTP Server    | SMTP Port
---------------+----------------------
smtp.gmail.com | 587 (TLS), 465 (SSL)

Debugging

Should you want to dive deeper into what Doppelgänger is doing under the hood, you can connect to the device using the terminal.

Connecting to the device from the terminal:

# Example
ls /dev/tty.usb*
screen /dev/tty.usbserial-13440 115200

Boot Process Explained

Configuration Timeout Explained

Card Handling Explained

Writing Captured Card data

As part of the Doppelgänger ecosystem, we have released Doppelgänger Assistant. Assistant is a one-stop shop for generating proxmark3 commands, writing data to blank cards, or simulating card data. It can be installed on macOS, Linux, and Windows through WSL.