8/20/2019 Rfid Hacking
1/47
Intro to Hardware Hacking with a Cheap RFID Reader
THOTCON 05
Kevin Bong
AD2000-M RFID Lock
Inspecting the board
Voltage Regulator
• 78M05
• Get the datasheet
Datasheets
• Many components have standard part numbers across manufacturers
• Components are well documented, can find the datasheets online
• 7805 datasheet
Microprocessors
• W78E054D/W78E052D/W78E051D – from the datasheet:
The W78E054D/W78E052D/W78E051D series is an 8-bit microcontroller which can accommodate a wider frequency range with low power consumption. The instruction set for the W78E054D/W78E052D/W78E051D series is fully compatible with the standard 8051. The W78E054D/W78E052D/W78E051D series contains 16K/8K/4K bytes Flash EPROM programmable by hardware writer; a 256 bytes RAM; four 8-bit bi-directional (P0, P1, P2, P3) and bit-addressable I/O ports; an additional 4-bit I/O port P4; three 16-bit timer/counters; a hardware watchdog timer and a serial port. These peripherals are supported by 8 sources 4-level interrupt capability. To facilitate programming and verification, the Flash EPROM inside the W78E054D/W78E052D/W78E051D series allows the program memory to be programmed and read electronically. Once the code is confirmed, the user can protect the code for security.
• Worth checking on a real unit: that last sentence describes an optional code-protect step, so if the vendor never set it, the program memory can be read back with the same hardware writer.
Integrated Circuits
“Hex Inverter” - chip with six logic gates, logical negation.
Memory
Capacitors
• Store charge
• Power Conditioning
• Resonating (with an inductor or IC)
Resistors
• Voltage Dividers
• Protection (limit current flow)
• Pull-up or Pull-down – weakly pulls the voltage of the wire towards voltage or ground.
– "+" signal means connected to voltage, "-" signal means connected to ground
– High impedance means not connected
Surface Mount Resistors
Relay
• Switch – turns a high voltage & current on/off with a low (logic) voltage signal
• Physical connection (solenoid magnet), click sound when activated.
Diode
• Allow current to flow in only one direction
• Clamp – only allow voltages above/below a certain threshold
• Often used to protect ICs, etc.
• LEDs
Crystal
• A crystal oscillator is an electronic oscillator circuit that uses the mechanical resonance of a vibrating crystal of piezoelectric material to create an electrical signal with a very precise frequency.
• Acts as the clock for the Microprocessor
• 12 MHz here
Transistor
• Gate that changes the amount of current that flows through based on changes to the current or voltage on another pin
• Used as switches
• Used as amplifiers
Tool: Multitester
• Test voltage between two points
– An active data line will often show a voltage between ground and +V
• Test resistance between two points
• Also test current, batteries, transistors
Finding Interesting Signals
• With the board running, probe different pins on the Microprocessor
– Pin 16 shows 2.9V
Tools: Logic Analyzer
• Measure the logic on 8 separate lines
• I get by with cheap knock-off
• More MHz better
• Some include a digital oscilloscope
Grounding
• Serves as a reference – what is the voltage as compared to Ground?
• Different circuit boards may be powered from different power supplies.
– Likely won't end up with the "same" ground.
• Usually you can and do want to connect the grounds of different boards together to create a common ground.
– e.g. connect the ground of the RFID lock to the Arduino ground
Logic Analyzer Demo
RFID Research: Manchester Encoding
• EM400 Cards use Manchester encoding
EM 400 RFID Protocol
Arduino
• For interfacing, reading and crunching data
• Only using one data pin, and ground
• 5 volt version (not 3.3V)
Tools: Soldering Iron
• The one place I don't recommend going with the cheapest.
• Don't forget some solder – 0.031" dia. (21 gauge / .079 cm) rosin core
Soldering on the pins
• Solder leads onto ground and pin 16
Signal Decoding/Binary Analysis
• Think in binary and Hex
– B11111100 = 0xFC
• Pay attention to data types
– Byte = unsigned 8 bits
– Char = signed 8 bits (-128 to 127)
– Int = signed 16 bits
• Byte Arrays
Arduino EM400 Example
• "Count" the length of each "high" or "low" signal.
• With Manchester encoding we should either have a length of x or 2x for each high or low.
• First pass – count the highs or lows
• Second pass – have the Arduino convert to 0's or 1's
EM400 Arduino Pseudocode
• Create a buffer – holds the "length" of each Manchester high/low signal
• Start a loop
• Read the pin state (high/low)
– If state has changed, write loopcounter to buffer and reset
– Else increment loopcounter and loop
• When buffer is full, dump buffer and start over.
Read Output
• Single Manchester bits are between 55-75 counts long
• Double Manchester bits are between 110 and 150 counts
• Sometimes an extra up-down or two in between.
Arduino Pseudocode – convert to 1's and 0's
• Another buffer – stream – 110101101001…
• GoodBitsGoing…. As long as I'm reading high or low signals that are ~60 or ~120 counts long, add bits to the stream
• If GoodBitsGoing ends, then see if the buffer is long enough to look for an EM400 signal
• Go to the EM400 Decode
Stream of 0's and 1's
Manchester Decode
EM 400 RFID Protocol
Decode and Send via Serial
Making a Cloner
• Now we have the number of the intercepted
key
• Need to make a copy of the key
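Worked example, added here; it is not the talk's Arduino sketch (that code is at minipwner.com) but the same two-pass idea carried through in plain C, together with the frame builder a cloner needs. It assumes the deck's timing (about 60 loop counts per Manchester half-bit and 120 per full bit, using the 55-75 and 110-150 count windows from the Read Output slide), assumes a 1 is sent high-then-low (the decoder tries both polarities), and uses the 64-bit EM4100 frame layout (nine 1s, ten 4-bit rows each with an even parity bit, four column parity bits, a 0 stop bit), which is the tag format the deck refers to as EM400. The tag ID and the capture are constructed by the code itself, not read from a real tag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define FRAME_BITS 64
#define MAX_HALVES 512

/* Frame a 40-bit ID the way an EM4100 tag does (what a cloner has to replay): nine header 1s,
   ten 4-bit rows each followed by an even row-parity bit, four even column-parity bits, a 0 stop bit. */
void em4100_encode(const uint8_t id[5], uint8_t frame[FRAME_BITS])
{
    int n = 0;
    uint8_t col[4] = {0, 0, 0, 0};
    for (int i = 0; i < 9; i++) frame[n++] = 1;
    for (int r = 0; r < 10; r++) {
        uint8_t nib = (r % 2 == 0) ? (id[r / 2] >> 4) : (id[r / 2] & 0x0F), rowp = 0;
        for (int c = 0; c < 4; c++) { uint8_t b = (nib >> (3 - c)) & 1; frame[n++] = b; rowp ^= b; col[c] ^= b; }
        frame[n++] = rowp;
    }
    for (int c = 0; c < 4; c++) frame[n++] = col[c];
    frame[n] = 0;
}

/* Simulate pass 1 of the deck's Arduino loop: Manchester-encode the bits (1 = high-then-low, 0 = low-then-high,
   an assumed polarity) and record each high/low stretch as a count, `per_half` counts per half-bit.
   One stray half-bit at `start_level` precedes the data, as a real capture would have. Returns the run count. */
int bits_to_runs(const uint8_t *bits, int nbits, unsigned per_half, uint8_t start_level, unsigned *runs)
{
    int n = 0, len = 1;
    uint8_t prev = start_level;
    for (int i = 0; i < 2 * nbits; i++) {
        uint8_t level = (i % 2 == 0) ? bits[i / 2] : !bits[i / 2];
        if (level == prev) { len++; continue; }
        runs[n++] = len * per_half;
        len = 1; prev = level;
    }
    runs[n++] = len * per_half;
    return n;
}

/* Slide a 64-bit window over a bit stream; accept the first one whose header, ten row parities,
   four column parities and stop bit all check out, and unpack its 40-bit ID. */
bool em4100_find(const uint8_t *bits, int nbits, uint8_t id[5])
{
    for (int s = 0; s + FRAME_BITS <= nbits; s++) {
        const uint8_t *f = bits + s;
        uint8_t col[4] = {0, 0, 0, 0}, nib[10] = {0};
        bool ok = (f[63] == 0);
        for (int i = 0; i < 9 && ok; i++) ok = (f[i] == 1);
        for (int r = 0; r < 10 && ok; r++) {
            const uint8_t *row = f + 9 + 5 * r;
            uint8_t p = 0;
            for (int c = 0; c < 4; c++) { nib[r] = (nib[r] << 1) | row[c]; p ^= row[c]; col[c] ^= row[c]; }
            ok = (p == row[4]);
        }
        for (int c = 0; c < 4 && ok; c++) ok = (col[c] == f[59 + c]);
        if (!ok) continue;
        for (int b = 0; b < 5; b++) id[b] = (nib[2 * b] << 4) | nib[2 * b + 1];
        return true;
    }
    return false;
}

/* Pass 2: a run of 55-75 counts is one half-bit, 110-150 is two; anything else is the "extra up-down" from the
   Read Output slide and, like the deck's GoodBitsGoing rule, the capture is dropped. Half-bits are then paired
   into bits; a pair with no edge in the middle means we are half a bit out of step, so shift one half-bit and
   restart (the tag repeats its frame, so nothing is lost). Both polarities are tried, since which level the
   reader calls "high" is not known in advance. */
bool decode_runs(const unsigned *runs, int nruns, uint8_t first_level, uint8_t id[5])
{
    uint8_t halves[MAX_HALVES], bits[MAX_HALVES / 2], level = first_level;
    int nh = 0, nb = 0;
    for (int i = 0; i < nruns; i++, level = !level) {
        int k = (runs[i] >= 55 && runs[i] <= 75) ? 1 : (runs[i] >= 110 && runs[i] <= 150) ? 2 : 0;
        if (k == 0 || nh + k > MAX_HALVES) return false;
        while (k--) halves[nh++] = level;
    }
    for (int i = 0; i + 1 < nh;) {
        if (halves[i] == halves[i + 1]) { i += 1; nb = 0; continue; }
        bits[nb++] = halves[i]; i += 2;
    }
    for (int pol = 0; pol < 2; pol++) {
        if (em4100_find(bits, nb, id)) return true;
        for (int i = 0; i < nb; i++) bits[i] = !bits[i];
    }
    return false;
}

/* Constructed capture (not a real tag read): the frame sent twice, as a tag in the field keeps repeating it. */
int sample_capture(const uint8_t id[5], unsigned *runs)
{
    uint8_t frame[2 * FRAME_BITS];
    em4100_encode(id, frame);
    em4100_encode(id, frame + FRAME_BITS);
    return bits_to_runs(frame, 2 * FRAME_BITS, 60, 0, runs);
}

int main(void)
{
    const uint8_t tag[5] = {0x1F, 0x00, 0x3A, 0xB2, 0x9C};  /* made-up ID */
    unsigned runs[MAX_HALVES];
    uint8_t id[5];
    int n = sample_capture(tag, runs);
    if (decode_runs(runs, n, 0, id))
        printf("EM4100 ID: %02X%02X%02X%02X%02X\n", id[0], id[1], id[2], id[3], id[4]);
    return 0;
}
```

On the Arduino the `bits_to_runs` step is replaced by the real `digitalRead` loop from the pseudocode slide, and `decode_runs` is what runs over the dumped buffer. Two things to keep in mind when porting it: a single run outside both count windows rejects the whole buffer, so the loop count windows have to be re-measured if the loop body changes; and `em4100_find` only trusts a window that passes every parity check, which is what stops a stray edge from being reported as a key. The `em4100_encode` output is also exactly the bit sequence the spoofer circuit on the later slides has to clock out through its transistor.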
On the shoulders of others
wiki.smallroom.net
How does the tag actually work
• Tuned 125KHz circuit
– LC (inductor-capacitor) circuit
– The blue RFID keys require a 560 pF capacitor
– Coilcraft inductors
• A transistor is used as a switch to short the circuit – opens and closes to create the signal
Spoofer circuit
Fritzing
PCB Etching
• Copper board off eBay
• Etchant off of eBay
• Family Fun magazine
Spoofer using RFID key for inductor
Project Ideas – EEPROM memory access
• Remember that 32K memory chip?
• Likely where tag ID's, master passcode, other passcodes are stored
Project Ideas HID Cards
• Very common system
• Also 125KHz
HID Card
• HID uses Frequency Shift Keying
– Compressed frequency = 1
– Stretched frequency = 0
• Capturing and decoding this signal stretches the capabilities of the standard Arduino.
Project Ideas
• Remote RFID Snooper
– Pack the Arduino, a battery, and a Wifi travel router board inside the lock casing
– Paint the casing flat black
– Mount on the wall next to the real tag reader
– Capture RFID tags, send to the travel router via serial, access captured tag ID's via web page.
Thanks and Notes
AD2000-M RFID Lock
Logic Analyzer (Saleae Logic clone)
Code @ minipwner.com
Stuff from harborfreighttools