Rfid Hacking

Transcript of Rfid Hacking

8/20/2019 Rfid Hacking

1/47

Intro to Hardware Hacking with a Cheap RFID Reader

THOTCON 05

Kevin Bong

AD2000-M RFID Lock

Inspecting the board

Voltage Regulator

• 78M05
• Get the datasheet

Datasheets

• Many components have standard part numbers across manufacturers
• Components are well documented; you can find the datasheets online
• 7805 datasheet

Microprocessors

The W78E054D/W78E052D/W78E051D series is an 8-bit microcontroller which can accommodate a wider frequency range with low power consumption. The instruction set for the W78E054D/W78E052D/W78E051D series is fully compatible with the standard 8051. The W78E054D/W78E052D/W78E051D series contains 16K/8K/4K bytes Flash EPROM programmable by hardware writer; a 256 bytes RAM; four 8-bit bi-directional (P0, P1, P2, P3) and bit-addressable I/O ports; an additional 4-bit I/O port P4; three 16-bit timer/counters; a hardware watchdog timer and a serial port. These peripherals are supported by 8 sources 4-level interrupt capability. To facilitate programming and verification, the Flash EPROM inside the W78E054D/W78E052D/W78E051D series allows the program memory to be programmed and read electronically. Once the code is confirmed, the user can protect the code for security.

Integrated Circuits

“Hex Inverter” – a chip with six logic gates that perform logical negation.

Memory

Capacitors

• Store charge
• Power Conditioning
• Resonating (with an inductor or IC)

Resistors

• Voltage Dividers
• Protection (limit current flow)
• Pull-up or Pull-down: weakly pulls the voltage of the wire towards voltage or ground
 – + signal means connected to voltage
 – - signal means connected to ground
 – high impedance means not connected

Surface Mount Resistors

Relay

• Switch – turns a high voltage & current on/off with a low (logic) voltage signal
• Physical connection (solenoid magnet), click sound when activated.

Diode

• Allow current to only flow one direction
• Clamp – only allow voltages above/below a certain threshold
• Often used to protect ICs, etc.
• LEDs

Crystal

• A crystal oscillator is an electronic oscillator circuit that uses the mechanical resonance of a vibrating crystal of piezoelectric material to create an electrical signal with a very precise frequency.
• Acts as the clock for the Microprocessor
• 12 MHz here

Transistor

• Gate that changes the amount of current that flows through based on changes to the current or voltage on another pin
• Used as switches
• Used as amplifiers

    16/47

    Tool: Multitester

    • Test voltage between two points

     – An active data line will often show

    a voltage between ground and +V

    • Test resistance between two

    points

    • Also test current, batteries,

    transistors

  • 8/20/2019 Rfid Hacking

    17/47

    Finding Interesting Signals

    • With the board running, probe different pins

    on the Microprocessor

     – Pin 16

    shows 2.9V

  • 8/20/2019 Rfid Hacking

    18/47

    Tools: Logic Analyzer

    •Measure the logic on 8 separate lines

    • I get by with cheap knock-off

    • More MHz better

    • Some includedigital oscilloscope

  • 8/20/2019 Rfid Hacking

    19/47

    Grounding

    • Serves as a reference – what is the voltage ascompared to Ground?

    • Different circuit boards may be powered from

    different power supplies. – Likely won’t end up with the “same” ground. 

    • Usually you can and do want to connect thegrounds of different board together to create a

    common ground. – e.g. connect the ground of the RFID lock to the

    Arduino ground

  • 8/20/2019 Rfid Hacking

    20/47

    Logic Analyzer Demo

  • 8/20/2019 Rfid Hacking

    21/47

    RFID Research: Manchester Encoding

    • EM400 Cards use Manchester encoding

  • 8/20/2019 Rfid Hacking

    22/47

    EM 400 RFID Protocol

  • 8/20/2019 Rfid Hacking

    23/47

    Arduino

    • For interfacing, reading and crunching data

    • Only using one data pin, and ground

    5 volt version (not 3.3V)

  • 8/20/2019 Rfid Hacking

    24/47

    Tools: Soldering Iron

    • The one place I don’t recommend going with

    the cheapest.

    • Don’t forget some solder – 

    0.031" dia.(21 gauge/.079 cm) rosin core

  • 8/20/2019 Rfid Hacking

    25/47

    Soldering on the pins

    • Solder leads onto ground and pin 16

  • 8/20/2019 Rfid Hacking

    26/47

    Signal Decoding/Binary Analysis

    • Think in binary and Hex

     – B11111100 = 0xFC

    • Pay attention to data types

     – Byte = unsigned 8 bits

     – Char = signed 8 bits (-128 to 127)

     – Int = signed 16 bits

    • Byte Arrays

  • 8/20/2019 Rfid Hacking

    27/47

    Arduino EM400 Example

    • “Count” the length of each “high” or “low”

    signal.

    • With Manchester encoding we should either

    have a length of x or 2x for each high or low.

    • First pass – count the highs or lows

    • Second pass – have the Arduino convert to 0’s

    or 1’s 

EM400 Arduino Pseudocode

• Create a buffer – holds the “length” of each Manchester high/low signal
• Start a loop
• Read the pin state (high/low)
 – If state has changed, write loopcounter to buffer and reset
 – Else increment loopcounter and loop
• When buffer is full, dump buffer and start over.

Read Output

• Single Manchester bits are between 55-75 counts long
• Double Manchester bits are between 110 and 150 counts
• Sometimes an extra up-down or two in between.

Arduino Pseudocode – convert to 1’s and 0’s

• Another buffer – stream – 110101101001…
• GoodBitsGoing…. As long as I’m reading high or low signals that are ~60 or ~120 counts long, add bits to the stream
• If GoodBitsGoing ends, then see if the buffer is long enough to look for an EM400 signal
• Go to the EM400 Decode

Stream of 0’s and 1’s

Manchester Decode

EM 400 RFID Protocol

Decode and Send via Serial
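The steps from the "Arduino EM400 Example" and pseudocode slides through "Manchester Decode", "EM 400 RFID Protocol" and "Decode and Send via Serial", worked through as an added example in plain C. This is not code from the talk or from minipwner.com. It assumes the run-length buffer the pseudocode describes (one count per loop iteration, a new entry on every pin change), the 55-75 and 110-150 count thresholds from the "Read Output" slide, and the standard EM4100 frame layout (nine 1 bits, ten rows of four data bits each followed by an even row parity bit, four even column parity bits, a 0 stop bit), which the slides refer to as the "EM 400 RFID Protocol" but do not spell out. The test-signal generator, its 60-counts-per-half-bit timing and 20-count glitch run, the tag ID 1D55C3FE32 and every function name are constructed for this example. Because the capture can start anywhere in the stream and the pin may be wired either way round, the decoder tries both Manchester phases and both polarities and only accepts a frame whose header and every parity bit check; that is what keeps "an extra up-down or two" from turning into a bogus ID.

```c
/* EM4100 decode pipeline over the run-length buffer the pseudocode slides describe:
   run lengths -> half-bit stream -> Manchester bits -> parity-checked 40-bit ID. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { SINGLE_MIN = 55, SINGLE_MAX = 75,     /* one half-bit: 55-75 counts ("Read Output") */
       DOUBLE_MIN = 110, DOUBLE_MAX = 150,   /* two equal half-bits back to back: 110-150 */
       FRAME_BITS = 64, MAX_STREAM = 1024 }; /* 9 + 10*5 + 4 + 1 frame bits; buffer size */

/* "GoodBitsGoing": from runs[start] on, emit one half-bit per single-length run and two per
   double-length run, stopping at the first run that is neither ("an extra up-down or two").
   Runs alternate, so run i sits at level first_level ^ (i & 1). *next is where to resume. */
size_t runs_to_stream(const int *runs, size_t n, size_t start, int first_level,
                      uint8_t *stream, size_t max, size_t *next) {
    size_t i, len = 0;
    for (i = start; i < n; i++) {
        int reps = (runs[i] >= SINGLE_MIN && runs[i] <= SINGLE_MAX) ? 1
                 : (runs[i] >= DOUBLE_MIN && runs[i] <= DOUBLE_MAX) ? 2 : 0;
        if (!reps) break;
        while (reps-- > 0 && len < max) stream[len++] = (uint8_t)(first_level ^ (int)(i & 1));
    }
    *next = (i < n) ? i + 1 : n;
    return len;
}

/* Manchester decode: each half-bit pair from 'phase' on is one bit; polarity 0 reads low->high
   as 1, polarity 1 inverts. Two equal half-bits in a pair mean the phase is wrong: stop. */
size_t manchester_decode(const uint8_t *s, size_t n, int phase, int polarity,
                         uint8_t *bits, size_t max) {
    size_t i, len = 0;
    for (i = (size_t)phase; i + 1 < n && len < max && s[i] != s[i + 1]; i += 2)
        bits[len++] = (uint8_t)((s[i + 1] ^ polarity) & 1);
    return len;
}

/* EM4100 frame: 9 ones, 10 rows of 4 data bits + even row parity, 4 even column parity bits,
   stop bit 0. Accepts the first window where header and every parity bit check: packs the
   40 data bits into id[5] and returns 1; returns 0 if no window passes. */
int em4100_parse(const uint8_t *b, size_t n, uint8_t id[5]) {
    for (size_t s = 0; s + FRAME_BITS <= n; s++) {
        int ok = 1, col[4] = {0, 0, 0, 0};
        uint8_t nib[10] = {0};
        size_t p = s + 9;
        for (int k = 0; k < 9; k++) if (b[s + k] != 1) ok = 0;
        for (int row = 0; row < 10 && ok; row++, p += 5) {
            int par = 0;
            for (int c = 0; c < 4; c++) { nib[row] = (uint8_t)((nib[row] << 1) | b[p + c]); par ^= b[p + c]; col[c] ^= b[p + c]; }
            if (par != b[p + 4]) ok = 0;
        }
        for (int c = 0; c < 4 && ok; c++) if (col[c] != b[p + c]) ok = 0;
        if (!ok || b[p + 4] != 0) continue;
        for (int k = 0; k < 5; k++) id[k] = (uint8_t)((nib[2 * k] << 4) | nib[2 * k + 1]);
        return 1;
    }
    return 0;
}

/* Whole pipeline: split the run buffer on glitches; for each segment long enough to hold a
   frame, try both phases and both polarities until a frame validates. */
int decode_em4100_from_runs(const int *runs, size_t n, int first_level, uint8_t id[5]) {
    uint8_t stream[MAX_STREAM], bits[MAX_STREAM / 2];
    size_t start = 0, next;
    while (start < n) {
        size_t len = runs_to_stream(runs, n, start, first_level, stream, MAX_STREAM, &next);
        for (int t = 0; t < 4 && len >= 2 * FRAME_BITS; t++) {
            size_t nb = manchester_decode(stream, len, t & 1, t >> 1, bits, sizeof bits);
            if (em4100_parse(bits, nb, id)) return 1;
        }
        start = next;
    }
    return 0;
}

/* Constructed test signal, not a capture: frames 'id', Manchester-encodes it (1 -> low,high),
   repeats it 'reps' times starting 'offset' half-bits into the first copy, and run-length
   encodes at 60 counts per half-bit behind a 20-count glitch. *first_level is runs[0]'s level. */
size_t build_test_runs(const uint8_t id[5], int reps, size_t offset,
                       int *runs, size_t max, int *first_level) {
    uint8_t frame[FRAME_BITS], half[2 * FRAME_BITS];
    int col[4] = {0, 0, 0, 0}, cur = -1;
    size_t p = 0, nruns = 1;
    for (int k = 0; k < 9; k++) frame[p++] = 1;
    for (int row = 0; row < 10; row++) {
        uint8_t nib = (row & 1) ? (id[row / 2] & 0x0F) : (id[row / 2] >> 4);
        int par = 0;
        for (int c = 3; c >= 0; c--) { int v = (nib >> c) & 1; frame[p++] = (uint8_t)v; par ^= v; col[3 - c] ^= v; }
        frame[p++] = (uint8_t)par;
    }
    for (int c = 0; c < 4; c++) frame[p++] = (uint8_t)col[c];
    frame[p] = 0;
    for (size_t i = 0; i < FRAME_BITS; i++) { half[2 * i] = !frame[i]; half[2 * i + 1] = frame[i]; }
    runs[0] = 20;                                        /* glitch run ahead of the good data */
    for (int r = 0; r < reps; r++)
        for (size_t i = (r == 0 ? offset : 0); i < 2 * FRAME_BITS; i++) {
            if ((int)half[i] == cur) runs[nruns - 1] += 60;  /* equal neighbours merge into a double */
            else if (nruns < max) { runs[nruns++] = 60; cur = half[i]; }
        }
    *first_level = half[offset] ^ 1;
    return nruns;
}
```

On the Arduino the first two functions replace the two "passes" in the pseudocode, `em4100_parse` is the "EM400 Decode" step, and the result of `decode_em4100_from_runs` is what would be written out over serial. An offset of 37 half-bits in the generator starts the capture mid-frame on an odd boundary, so the phase-0 attempts stop at the first equal pair and only the phase-1 attempt reaches a complete, parity-valid frame.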

Making a Cloner

• Now we have the number of the intercepted key
• Need to make a copy of the key

On the shoulders of others

wiki.smallroom.net

How does the tag actually work

• Tuned 125 kHz circuit
 – LC (inductor-capacitor) circuit
 – The blue RFID keys require a 560 pF capacitor
 – Coilcraft inductors
• A transistor is used as a switch to short the circuit – opens and closes to create the signal

Spoofer circuit

Fritzing

PCB Etching

• Copper board off E-Bay
• Etchant off of E-Bay
• Family Fun magazine

Spoofer using RFID key for inductor

Project Ideas – EEPROM memory access

• Remember that 32K memory chip?
• Likely where tag IDs, master passcode, other passcodes are stored

Project Ideas HID Cards

• Very common system
• Also 125 kHz

HID Card

• HID uses Frequency Shift Keying
 – Compressed frequency = 1
 – Stretched frequency = 0
• Capturing and decoding this signal stretches the capabilities of the standard Arduino.

Project Ideas

• Remote RFID Snooper
 – Pack the Arduino, a battery, and a Wifi travel router board inside the lock casing
 – Paint the casing flat black
 – Mount on the wall next to the real tag reader
 – Capture RFID tags, send to the travel router via serial, access captured tag IDs via web page.

Thanks and Notes

AD2000-M RFID Lock

Logic Analyzer (Saleae Logic clone)

Code @ minipwner.com

Stuff from harborfreighttools