
Intro to Hardware Hacking

with a Cheap RFID Reader

Kevin Bong

AD2000-M RFID Lock

Inspecting the board

Voltage Regulator
Get the datasheet

Many components have standard part numbers across manufacturers
Components are well documented; you can find the datasheets online
7805 datasheet

Microcontroller datasheet

The W78E054D/W78E052D/W78E051D series is an 8-bit microcontroller which can accommodate a wider frequency range with low power consumption. The instruction set for the W78E054D/W78E052D/W78E051D series is fully compatible with the standard 8051. The W78E054D/W78E052D/W78E051D series contains 16K/8K/4K bytes Flash EPROM programmable by hardware writer; a 256 bytes RAM; four 8-bit bidirectional (P0, P1, P2, P3) and bit-addressable I/O ports; an additional 4-bit I/O port P4; three 16-bit timer/counters; a hardware watchdog timer and a serial port. These peripherals are supported by 8 sources 4-level interrupt capability. To facilitate programming and verification, the Flash EPROM inside the W78E054D/W78E052D/W78E051D series allows the program memory to be programmed and read electronically. Once the code is confirmed, the user can protect the code for security.

Integrated Circuits
Hex Inverter - chip with six logic gates, logical negation.


Capacitors
Store charge
Power conditioning
Resonating (with an inductor or IC)

Resistors
Voltage dividers
Protection (limit current flow)
Pull-up or pull-down: weakly pulls the voltage of the wire towards voltage or ground.
+ signal means connected to voltage
- signal means connected to ground
High impedance means not connected

Surface Mount Resistors

Relay
Switch that turns a high voltage & current on/off with a low (logic) voltage signal
Physical connection (solenoid magnet), click sound when activated.

Diodes
Allow current to flow in only one direction
Clamp: only allow voltages above/below a certain threshold
Often used to protect ICs, etc.

Crystal Oscillator
A crystal oscillator is an electronic oscillator circuit that uses the mechanical resonance of a vibrating crystal of piezoelectric material to create an electrical signal with a very precise
Acts as the clock for the
12 MHz here

Transistors
Gate that changes the amount of current that flows through based on changes to the current or voltage on another pin
Used as switches
Used as amplifiers

Tool: Multitester
Test voltage between two points
An active data line will often show a voltage between ground and +V
Test resistance between two
Also test current, batteries,

Finding Interesting Signals

With the board running, probe different pins on the microprocessor
Pin 16 shows 2.9V

Tools: Logic Analyzer

Measure the logic on 8 separate lines
I get by with a cheap knock-off
More MHz is better
Some include a digital oscilloscope

Ground
Serves as a reference: what is the voltage as compared to ground?
Different circuit boards may be powered from different power supplies.
They likely won't end up with the same ground.
Usually you can, and do want to, connect the grounds of different boards together to create a common ground.
e.g. connect the ground of the RFID lock to the Arduino ground

Logic Analyzer Demo

RFID Research: Manchester Encoding

EM400 Cards use Manchester encoding

EM 400 RFID Protocol

Tools: Arduino
For interfacing, reading and crunching data
Only using one data pin, and ground
5 volt version (not 3.3V)

Tools: Soldering Iron

The one place I don't recommend going with the cheapest.
Don't forget some solder
0.031" dia. (21 gauge / 0.079 cm) rosin core

Soldering on the pins

Solder leads onto ground and pin 16

Signal Decoding/Binary Analysis

Think in binary and Hex
B11111100 = 0xFC

Pay attention to data types

Byte = unsigned 8 bits
Char = signed 8 bits (-128 to 127)
Int = signed 16 bits

Byte Arrays

Arduino EM400 Example

Count the length of each high or low
With Manchester encoding we should either have a length of x or 2x for each high or low.
First pass: count the highs or lows
Second pass: have the Arduino convert to 0s or 1s

EM400 Arduino Pseudocode

Create a buffer that holds the length of each Manchester high/low signal
Start a loop
Read the pin state (high/low)
If the state has changed, write loopcounter to the buffer and reset
Else increment loopcounter and loop
When the buffer is full, dump the buffer and start


Read Output
Single Manchester bits are between 55 and 75 counts long
Double Manchester bits are between 110 and 150 counts
Sometimes an extra up-down or two in

Arduino Pseudocode: convert to 1s and 0s

Another buffer: stream 110101101001
GoodBitsGoing. As long as I'm reading high or low signals that are ~60 or ~120 counts long, add bits to the stream
If GoodBitsGoing ends, then see if the buffer is long enough to look for an EM400 signal
Go to the EM400 decode

Stream of 0s and 1

Manchester Decode
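The two Arduino passes described above (count the length of each high or low, then keep GoodBitsGoing while runs are ~60 or ~120 counts long and pair the half-bits into Manchester bits) as one worked example. This is added here and is not the presentation's Arduino code: instead of reading a pin in a loop it runs over a constructed sample buffer, so it works offline. Assumptions: 60 loop counts per half-bit (the 55-75 and 110-150 windows from the slides), polarity 1 = high-then-low and 0 = low-then-high (a reader may use the opposite convention), and a demo minimum of 16 half-bits before a stretch is worth decoding. The function names (demo_decode, decode_samples, pair_half_bits, emit_bit) are mine.

```c
#include <stdio.h>
#include <string.h>

#define UNIT 60          /* assumed loop counts per Manchester half-bit (slide: ~60 / ~120) */
#define MAX_SAMPLES 8192
#define MAX_HALF 1024
#define MIN_HALF_BITS 16 /* assumed demo threshold: shortest stretch worth decoding */

/* Constructed signal only: append one Manchester-encoded bit to the sample buffer.
   Polarity is an assumption: 1 = high then low, 0 = low then high. */
static int emit_bit(unsigned char *s, int n, int bit, int unit)
{
    int first = bit ? 1 : 0;
    for (int i = 0; i < unit; i++) s[n++] = (unsigned char)first;
    for (int i = 0; i < unit; i++) s[n++] = (unsigned char)!first;
    return n;
}

/* Classify a run: 1 half-bit (55-75 counts), 2 half-bits (110-150), 0 = glitch. */
static int half_bits_in_run(int count)
{
    if (count >= 55 && count <= 75) return 1;
    if (count >= 110 && count <= 150) return 2;
    return 0;
}

/* Pair half-bits into bits. Tries both alignments, since the capture may start
   mid-bit; a pair of equal half-bits means the alignment is wrong (Manchester
   always has a transition in the middle of a bit). Writes '0'/'1' characters
   and returns the bit count, or -1 if neither alignment is clean. */
static int pair_half_bits(const unsigned char *half, int nh, char *out, int max_out)
{
    for (int offset = 0; offset < 2; offset++) {
        int nbits = 0, ok = 1;
        for (int i = offset; i + 1 < nh && nbits < max_out - 1; i += 2) {
            if (half[i] == half[i + 1]) { ok = 0; break; }
            out[nbits++] = half[i] ? '1' : '0';
        }
        if (ok && nbits > 0) { out[nbits] = '\0'; return nbits; }
    }
    return -1;
}

/* First pass: measure each high/low run, as the slide's loop counter does.
   Second pass: keep "GoodBitsGoing" while runs are ~60 or ~120 counts; when a
   bad run ends the stretch, decode it if it is long enough, otherwise drop it. */
static int decode_samples(const unsigned char *s, int n, char *out, int max_out)
{
    unsigned char half[MAX_HALF];
    int nh = 0, i = 0;
    while (i < n) {
        int level = s[i], len = 0;
        while (i < n && s[i] == level) { len++; i++; }
        int k = half_bits_in_run(len);
        if (k > 0 && nh + k <= MAX_HALF) {
            for (int j = 0; j < k; j++) half[nh++] = (unsigned char)level;
            continue;
        }
        if (nh >= MIN_HALF_BITS) {
            int r = pair_half_bits(half, nh, out, max_out);
            if (r > 0) return r;
        }
        nh = 0;
    }
    if (nh >= MIN_HALF_BITS) return pair_half_bits(half, nh, out, max_out);
    return -1;
}

/* Build a constructed capture (20 one-count glitches, then the given bits),
   optionally starting skip_half_bits late, and decode it. */
int demo_decode(const char *bits, int skip_half_bits, char *out, int max_out)
{
    static unsigned char s[MAX_SAMPLES];
    int n = 0, start = skip_half_bits * UNIT;
    for (int i = 0; i < 20; i++) s[n++] = (unsigned char)(i % 2);
    for (const char *p = bits; *p && n + 2 * UNIT <= MAX_SAMPLES; p++)
        n = emit_bit(s, n, *p == '1', UNIT);
    if (start > n) return -1;
    return decode_samples(s + start, n - start, out, max_out);
}

int main(void)
{
    char out[128];
    int n = demo_decode("110101101001", 0, out, sizeof out);
    printf("%d bits: %s\n", n, n > 0 ? out : "(no clean stream)");
    n = demo_decode("110101101001", 1, out, sizeof out);
    printf("capture started half a bit late: %d bits: %s\n", n, n > 0 ? out : "(none)");
    return 0;
}
```

The second call starts the capture half a bit late, which is why pair_half_bits tries both alignments: with the wrong one, two equal half-bits land in a pair, something Manchester never produces, and the decoder drops one half-bit and recovers the remaining 11 bits. The EM400 frame parsing that the slides go on to (Decode and Send via Serial) is not part of this example.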

EM 400 RFID Protocol

Decode and Send via Serial

Making a Cloner
Now we have the number of the intercepted
Need to make a copy of the key

On the shoulders of others

How does the tag actually work

Tuned 125 kHz circuit
LC (inductor-capacitor) circuit
The blue RFID keys require a 560 pF capacitor
Coilcraft inductors
A transistor is used as a switch to short the circuit; it opens and closes to create the signal

Spoofer circuit


PCB Etching
Copper board off eBay
Etchant off eBay
Family Fun magazine

Spoofer using RFID key for inductor

Project Ideas: EEPROM memory

Remember that 32K memory chip?
Likely where tag IDs, master passcode, other
passcodes are stored

Project Ideas: HID Cards

Very common system
Also 125 kHz

HID Card
HID uses Frequency Shift Keying
Compressed frequency = 1
Stretched frequency = 0
Capturing and decoding this signal stretches the capabilities of the standard Arduino.

Project Ideas
Remote RFID Snooper
Pack the Arduino, a battery, and a Wi-Fi travel router board inside the lock casing
Paint the casing flat black
Mount on the wall next to the real tag reader
Capture RFID tags, send to the travel router via
serial, access captured tag IDs via web page.

Thanks and Notes

AD2000-M RFID Lock
Logic Analyzer (Saleae Logic clone)
Code @
Stuff from harborfreighttools