Hello Dave! I worked for a security contracting firm that would do the RFID for our clients. The HID Prox cards usually use a 32- or 35-bit Wiegand protocol, which is different from the other 125 kHz cards. HID also makes combo cards that are 125 kHz and 13 MHz MIFARE duo cards, so they can be read by both types of readers (NFC and MIFARE as well as Proximity).
Great video, I never thought of taking apart one of these cards. Thanks for showing us again how simple electronics is so much a part of our everyday lives. You're a gem, mate.
I have a couple of button-sized RFID tags that are essentially covered in plastic. They have no noticeable flex, but the plastic is not 100% hard, so it can handle some impact.
Since the item was a free sample, I tried running it through an autoclave and it still worked :)
RFID card: I took 100 turns of #32 wire and wrapped it around my finger, soldered the two-conductor 125 MHz chip, epoxied it and molded a ring. This worked very well!!! The coil is a power source for the chip.
Interesting video. I'm seeing use of RFID in many places. Thanks for the tear down.
Good demo. Had to give a salute with my ESD tweezer, comrade.
We watch the videos to be entertained. Dave watches us for his entertainment. :)
I program RFID systems as part of my job, so here's a hint on the number of turns. I know the coil should be around 850 µH inductance. But to work out the number of turns you'll still need to know the wire diameter and coil diameter. Sorry, I don't know those off the top of my head.
Ok, checked, it seems you could be right. Load modulation seems to be the correct terminology for this implementation.
I second that. I miss Fundamentals Friday... it was my very favourite thing on EEVblog.
I have written software to capture the ID codes from these cards for a project at work. The cards come pre-programmed from the factory when you order them. You need to specify a facility code and ID code range when ordering them, e.g. (190, 000001 - 190, 00100). The reader I used for my project was the HID OMNIKEY 5325 CL. It has an SDK and sample code for Visual Studio.
Dave, whenever you want to remove any glued-on thing like here, heat it for a few seconds with a hair dryer; it makes the job wayyy easier.
They do interfere, but in fact the standards have anti-collision protocols that allow selecting a specific card out of multiple presented simultaneously. Sadly, very few systems have bothered to implement this and will just give an error when the AC protocol detects multiple cards.
We gave up on the cards at our work; we went through too many being damaged. Now we use the key ring type. They are much more robust, although they are 6 times the price.
I counted 25 turns in the top layer! But my best guess is that the diameter of the spool makes it tuned for the carrier, and the number of turns actually increases the voltage / range it can be scanned at? I'm using that card myself, and keep it inside my wallet (facing other RFID cards), but when I need to access my lab, it's enough to put the whole wallet (with all my 5 different RFID cards) near the reader, and it works! Those must be designed for good sensitivity / accuracy.
I pulled apart an older "Honeywell" card years ago. It was basically a dual-sided PCB, with some coils routed on it, and some SMD caps. IIRC there were 4-5 of these L/Cs (like 3 on one side, and two on the other?). With a couple of stickers on the outside to cover it all up. No idea of values/frequency, I never really measured it.
I'm sure it is, which is why I was impressed, and hence stated that I was impressed.
This was fantastic! Thanks!
Nice video Dave. Thanks.
Dave, to my knowledge this isn't backscatter modulation. It should be load modulation, the same principle used in 13.56 MHz systems. Backscatter is used in UHF (far field).
Because that would change the number of winds. The number of winds and length of the antenna are specific to a given frequency. Changing this would reduce performance.
My old key card had a really butch construction. It was 1.5 mm at least, and it was a two-part key, so no sticker, sonic welded. The coil and chip were of similar construction, but they were glued properly to one of the sides. I took it apart some years ago after I got a new one, because I accidentally fried it on an electromagnet.
Here is a bit of an idea. Get your sig-gen set up for 125 kHz and tap it directly to the coil. Use a 'salvaged' coil and put it on the scope and see if you can get a pattern saved on the scope.
Indala cards apparently use a special challenge protocol using strongly encrypted 2-way communication to prevent improperly copied cards from working...
I know the generic term as backscattering modulation, but you could be right, I have not checked.
OMG! "Mantis"! There's another part of the puzzle. I bought my "bench magnifier" at Staples and it does what I need, but had I heard of the brand name "Mantis" then I would have gladly bought one, because as everybody knows electronics requires magnification in many circumstances, and high quality makes the job that much easier.
Thank you for explaining thet, I hed absolutelee no idea watt he was talking abaut if you hadn't poynted thet aut to me. Thank you for your most magnificent contribution.
Thanks for the vid. The hard part is how small it is, lol. A jeweler's loupe would be nice. It's crazy how common it is for this to happen, and it wouldn't if the card makers simply made the connection wires THICKER! But then they could charge people a ton of money for their broken cards.
I've got it against one other 125 kHz card, and 4 "ordinary" ones. One problem I found was that the other LF card did not work near the lab access card.
I think there is some strange engineering behind these cards; it may be nearly impossible to copy them. My guess is because they're used by Securitas (homeland security) in Sweden.
I think it's based on how much range you want, and the freq it's running on.
I've played with some of the RFID cards from SparkFun, and the large coils work much better than the small ones.
My guesses are: you could have damaged the coil in doing so, and it's possible that it requires a specific number of turns or length.
That was straight forward. :-)
I once had to repair my 13 MHz ID card. It was completely potted; I had to dig out the antenna with a glass filament brush to repair it. I would much rather have a card I can repair properly. ^^
Neat and simple. Elevator tour next?
I think these cards contain a serial EEPROM with an XOR circuit to compare the card reader password with the serial data in the EEPROM before allowing any data read or write. It works like a SIM card, but with the input/output connected to that "Dave CAD" drawing.
I should also add that the site code is almost never printed on the card. We read unknown cards on new sites by using a feature in the access control system to read in the raw data.
Because there was enough length already.
No, only the ones who complain about trivial stuff like that where I'm just having some fun. If I had to satisfy every request from every viewer, I'd be in a straitjacket in a padded cell. If you produced content for 90,000 subscribers, you'd understand.
I've researched this a little bit, when I tried to copy my RFID card from school and integrate it into a sonic screwdriver. Some types of cards contain a hardcoded ID. So you cannot write anything, only read a specific ID that is paired with your account. I needed to figure out the electronics to emulate the ID and play it for the RFID card reader.
If the Mythbusters were trying to prove that credit cards were unhackable, they were using the wrong frequency tags and the wrong protocols. The RFIDs which credit cards use have proprietary protocols, and are high frequency tags. From what I understand, the MBs were using low frequency EM4102 tags, with very open protocols. If they couldn't clone one of those... Well.
Probably. I'd be surprised if someone hasn't done it. The card companies missed a golden opportunity here. Put pressure on TI to feed only enough info to the Mythbusters team to come to the conclusion that it's NOT hackable, and the whole world will believe it. If it turns out they fluked it or were super clever and found a way to hack it, call in the lawyers to bury it before it airs.
Just to expand a little further... It's difficult to tell from the footage in the car park, but the reader looks like an HID MiniProx. HID 125 kHz Prox uses FSK.
I've also got it in my wallet against other credit cards, but they are the 13 MHz type.
Now do one on copying fingerprints, iris codes and quantum code inputs, and we're on! ;)
Damn, missed that opportunity!
Why were they banned? and by whom?
The story goes that the Discovery producers decided to put the brakes on that episode after some somewhat intimidating calls from companies such as Mastercard. There are some somewhat interesting DEF CON talks on RFID: watch?v=HjT7wJusuW4
That most RFID access control systems are secure (which they aren't).
I bet your 125 kHz card is a bog-standard ID-only dumb card (like HID Prox) that can be cloned into an Atmel T55x7 card (that Atmel chip can emulate many dumb cards and modulation formats). Maybe try building a coil and scoping out the data when you use the card, see if you can identify what format it uses? I'm sure you could build your own clone chip if you wanted :-) (or just buy a Proxmark3, which can sniff/read/write/clone).
Could you do an episode on RFID cards? I would find it really interesting!
Yeah, but do they support my card type?
Just ordered my own card copier and some blank keychain doodles; now I have to wait 3 to 6 weeks to get them and try to copy my office's card :D
Nice video. Thumbs up. Thanks
Absolutely correct, but does someone you pay minimal wages really think/care about that? At the minimum, the old card should be returned even if it isn't working. Preferred, though, is also having that particular number disabled and a new number issued. Takes only a minute with good software. But the real fact of the matter is that RFID is not all that secure in the first place, since the signal can be read with inconspicuous devices.
A much stronger connection.
He's thinking of the theft prevention tags used in shops, which quite often are just a dumb L-C resonant circuit.
No idea. Someone did the outro video for me.
Encapsulated, usually via epoxy.
Dave, I was hoping you would throw your card back across the reader. If you tried it before you repaired the loop, it wouldn't have worked regardless. I kept thinking you would retry it. The video seems to suggest it was tried pre-repair.
Looking at the waveform on that little DSO Quad - did anyone else think it looked like there was some phase shift modulation going on there?
Search YouTube for a video called "Mythbusters Banned From Talking About RFID by VISA and Mastercard" for Adam mentioning the story.
I think I saw someone replacing the whole winding with a 1 mH inductor and creating a very compact RFID card :)
I don't know the current limits right now, but I know there are cards/tags with at least 64 kbit EEPROMs in them.
Indeed. The brain is awesome at subconsciously evaluating empirical evidence. Probably only took a couple of goes.
Could you do a full video about RFID? Mythbusters were banned from doing an RFID episode, so you could do one.
Oops, forgot that, I just had some fun with library books with RFIDs in...
Yeah, had already found it! Who at TI blabbed?
Normally that whole coil is glued to the backside so it doesn't move in there at all.
These cards are rather crude compared to what's on the market today. I've worked at a company where they used MIFARE cards (DESFire, I believe) and those were just credit-card shaped (i.e. a LOT thinner) and you could not open them like that.
You also could not copy them with standard equipment as it had a bunch of crypto in it.
is this the same idea as NFC we use for payments with our phones/cc cards etc? great vid, thanks.
Then why when I fixed it does it now work perfectly every time?
Then why can't my card reader copy it? It's obviously an unsupported format. Not all 125 kHz cards are created equal.
We have a similar "wireless" card at work. Though ours look more like a real white credit card, they cannot be opened. The card reader communicates with a computer, which has the access level stored for each user/card. Just out of curiosity, how many bits of data can a card like this contain?
Could you send some info with the math behind some RFID tags?
I think the myth was about a person going through an MRI, with an RFID implanted in their body, or extremities.
Extensive tests have been done on the technology, beyond what that television show did (duh). Anyway, from all of my research, they have tested the implants, up to 7 Tesla, and they're safe.
Send building management the bill for your repair work: 1 hr minimum charge + consumables + GST, should be looking at around $100 to fix the RFID card?
Sure, you can read it, but how about writing to a new card?
It doesn't work. I also tried another lab card that is not programmed for after hours, and it didn't work either.
I have some programmable RFID tags; they just look like little pieces of plastic about 6 mm tall, 4 mm wide. I've seen them floating about in the bottom of boxes from online orders (delivery tracking, I assume). How come those don't need such a big coil?
I feel like I've heard it before too. It seems most likely to be a generic audio sample.
Great teardown! I've always wondered how those cards work. thanks Dave! Can't you make your own card reader? Send a 125kHz signal and read what comes back?
HID have not done that for a long time now.
Actually, I think you broke the coil connection, so that fault is not what is causing it...
Could you rewire the antenna?
What was the "myth" supposed to be?
Those companies really don't want their weaknesses to leak out.
One might find a horrible number of weak spots in the system once one starts investigating.
Hi Dave, amazing video. Please tell me what kind of passive rectifiers can rectify such a faint signal???
I had problems with the stability of full-wave/half-wave precision rectifiers and coupling them to other op-amps to compare the DC measurement of an AC signal.
Also, can you please do an episode about the tank circuit and build a working one for us? I crave to build one to use in any application (for example, a low-power FM transceiver).
Best Regards
Haha, very good :) Keep up the amazing videos, maybe you can do more "myth" testing, like the bouncing batteries, clearing up some common misconceptions about electronics/engineering.
The card has your ID number, and assuming it's the usual type, it'll have a "site code" or facility code, so that an employee at your neighbour's building with the same number can't come and burgle your building. Source: I program these suckers into the systems.
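The two comments above describe what a plain 125 kHz access card actually carries: a facility (site) code plus a card number, ordered as a range from the factory and checked by the controller. The Python below is an added example, not EEVblog's, HID's or any commenter's code: it encodes and decodes the open 26-bit Wiegand layout (H10301: even parity, 8-bit facility code, 16-bit card number, odd parity), then makes the access decision a controller would make. The 26-bit format is an assumption standing in for whichever 32- or 35-bit format a given site uses; facility 190 and the card range 1..100 are the commenter's example values, and the issued/revoked card sets are constructed for the demo.

```python
"""Decode, parity-check and authorize a 26-bit Wiegand (HID H10301) credential.

Added worked example (not EEVblog's or HID's code). Layout of the open
26-bit format, most-significant (first-transmitted) bit first:
    bit 25       even parity over the 12 bits that follow it
    bits 24..17  facility (site) code, 8 bits
    bits 16..1   card number, 16 bits
    bit 0        odd parity over the 12 bits that precede it
The parity bits are an integrity check on the wire, not a secret: the
frame is the same every time the card is energised.
"""
from typing import Optional, Tuple


def _popcount(v: int) -> int:
    return bin(v).count("1")


def encode_h10301(facility: int, card: int) -> str:
    """Return the 26-bit frame as a '0'/'1' string, first-transmitted bit first."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = (facility << 16) | card           # the 24 payload bits
    hi12, lo12 = data >> 12, data & 0xFFF
    even = _popcount(hi12) & 1               # set when hi12 has an odd number of ones
    odd = (_popcount(lo12) & 1) ^ 1          # set when lo12 has an even number of ones
    frame = (even << 25) | (data << 1) | odd
    return format(frame, "026b")


def decode_h10301(bits: str) -> Optional[Tuple[int, int]]:
    """Parse a captured 26-bit frame; None if the length or either parity is wrong."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        return None
    frame = int(bits, 2)
    even, data, odd = frame >> 25, (frame >> 1) & 0xFFFFFF, frame & 1
    hi12, lo12 = data >> 12, data & 0xFFF
    if (_popcount(hi12) + even) % 2 != 0:    # leading half must have even parity
        return None
    if (_popcount(lo12) + odd) % 2 != 1:     # trailing half must have odd parity
        return None
    return data >> 16, data & 0xFFFF


# Constructed site configuration: the facility code this site's cards were
# ordered with (the commenter's 190), the card numbers currently issued, and
# a card that was replaced but never returned, so it has been revoked.
SITE_FACILITY = 190
ISSUED_CARDS = {1, 2, 3, 57}
REVOKED_CARDS = {57}


def authorize(bits: str) -> str:
    """The decision an access controller makes on one received frame."""
    parsed = decode_h10301(bits)
    if parsed is None:
        return "reject: malformed frame or parity error"
    facility, card = parsed
    if facility != SITE_FACILITY:
        # Same card number, neighbour's site code: this is what the site code is for.
        return f"deny: facility {facility} is not this site"
    if card in REVOKED_CARDS:
        return f"deny: card {card} revoked"
    if card not in ISSUED_CARDS:
        return f"deny: card {card} not issued"
    return f"grant: facility {facility} card {card}"


if __name__ == "__main__":
    for fc, cn in [(190, 1), (191, 1), (190, 57), (190, 9)]:
        frame = encode_h10301(fc, cn)
        print(frame, "->", authorize(frame))
    # A single bit flipped on the wire fails the parity check and is rejected.
    damaged = encode_h10301(190, 1)[:-1] + "1"
    print(damaged, "->", authorize(damaged))
```

The revoked-card set is the point the later comments make about returning or disabling a replaced card: the controller can only refuse a number it has been told about, because nothing in the frame itself distinguishes the original card from a copy.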
Where can I download DaveCAD, it looks quite useful for simple designs.
@EEVblog, Any idea how much power the coil produces? Might be kinda fun to make a gag card that does something else with the power rather than power the RFID. I was thinking a voice chip and piezo speaker that says "Not bloody likely!" or something fun.
Heck, it might even be a cool EEVblog RFID-powered business card. Another possible campaign? I have another $10 burning a hole in my pocket.
Phones are only 13 MHz AFAIK.
load modulation, not backscattering!
How much swearing was involved in soldering those two wires together? :) It looked like a difficult task, well done.
The 125kHz card Dave has is easily copied. When energised the card simply transmits an 'id' (just as Dave suggested). There is no security in this particular card.
Can RFID cards interfere with each other? Because if I have my work card and my train pass in my wallet, the work card will work, but I have to take my train pass out to use it at the ticket gate.
Think about when whatever technology you embed in to your body becomes obsolete / hacked. What if the capsule broke?
I think Mike from Mikeselectricstuff uses the pirate version of DaveCAD in one of his videos.
Dave, can I mod my RFID to have a higher range? I was thinking a 555 timer to make the frequency and a battery on the coil in the card....
The construction of the first card was almost as if it was made to fail. No wonder the wire breaks when the coil can flop around freely.
I would have thought they would have deactivated the old card once you have a new one. They probably know you're still using it.
Haven't you seen SuperHouseTV? Jon Oxer is like the king of Freetronics.