A Brief Intro to RFID Tags

What is RFID

I asked my friendly neighborhood AI, Llama.cpp.

User: What is rfid

Llama: RFID stands for Radio Frequency Identification. It's a technology that allows storing and remotely retrieving data using radio waves. An RFID tag contains a small microchip, antenna, and memory. When an RFID reader sends out electromagnetic waves, the tag responds by transmitting its unique identification number to the reader.

User: Rc522

Llama: RC522 is an IC (Integrated Circuit) that is part of the MIFARE family designed for contactless smart card applications and RFID tag reading/writing systems. It operates on the ISO14443A standard in the 13.56 MHz frequency band, making it suitable for various proximity access control projects or IoT (Internet of Things) initiatives. RC522 IC can be used to manufacture custom RFID cards and readers using appropriate tools like Arduino and other microcontrollers. It's important to note that the protocol used with RC522, MIFARE Classic, has certain security vulnerabilities that may require additional precautions for sensitive applications or larger installations.

ESP8266/Arduino RC522 library.

MFRC522 by Miki Balboa

https://github.com/miguelbalboa/rfid

An Arduino library for MFRC522 and other RFID RC522 based modules.

Reads and writes different types of Radio-Frequency IDentification (RFID) cards on your Arduino using a RC522 based reader connected via the Serial Peripheral Interface (SPI) interface.

For advanced and further development please use library RFID_MFRC522v2.

The library allows the user to authenticate and read and write data without having to deal with the hardware implementation. If you want to deal with the hardware, read the library source code and the Mifare datasheets.

Bread Board with RC522 reader/writer and ESP8266 microcontroller

Reader Writer Structure

Tag/Card Use and Structure

https://www.youtube.com/watch?v=b4QKfx2M1Hc&t=110s

MF1S50 chip
PCD - Proximity Coupling Device

Data structure

The data on the tag/card is organized into 16 sectors of 4 blocks each. Each block is 16 bytes.
Reads and writes read/write a complete block.

The first block on a card (block 0) contains the UID, card type and manufacturers information.

The last block in a sector ( Blocks 3, 7, 11, ..., 63 ) contains the two keys A and B as well as access information on the keys and data in the sector. Each sector has its own keys and access permissions.

All keys are set to 0xFFFFFFFFFFFF at the factory and should be changed before the card is used in the wild. Note exploits below.

Some detail:

More detail: http://deid.ca/pi/rfid/access/test2.html

Card Block 0 Data

Card UID: 3B 0A 48 04 PICC type: MIFARE 1KB

UID - Unique ID
PICC - Proximity Integrated Circuit Card

Sector Trailer Data

KEYS - 48 bits and there are 2
Auth Who can do what with the data.

Read example

Note that the UID block is read before authentication. This leads to one exploit, or just laziness.

Write or Read rfid tag.
Enter W or R
Reading

Enter key 1 or 2
Using ff key.

Card UID: A4 08 48 04 PICC type: MIFARE 1KB
Reading:
Next time!
Done reading.

Card UID: CF FC 48 04 PICC type: MIFARE 1KB
Reading:
LED
Done reading.

Write example

Write or Read rfid tag.
Enter W or R
Writing

Enter key 1 or 2
Using ff key.

Card UID: C3 F9 E8 1A PICC type: MIFARE 1KB
Writing
Enter characters, Max 16, <enter>.
PCD_Authenticate() success:
MIFARE_Write() success:

Done writing.

Games

"Find the LED": a variation on "Find the Pea".
"Remember the space" - a variation matching games.
Now, if I could just think of something really useful to do with this.

Exploits

The UID in some cards can be changed - so the card can be cloned. The UID is not protected by encryption so if all that "security" is expecting is a "unique" UID to allow access then ... oops.
https://www.sidechannel.blog/en/mifare-classic-2/.

Actual data on the card and a key changed from the factory default will provide more security. But, the encryption algorithm has some flaws wrt randomness and size. The keys can be brute forced given the right equipment and a bit of time. But, as I understand it, you do need to have possession of the tag or card

If you are concerned then consider how secure are your key locks. At least for the above you need the rfid tag close to your reader.

https://www.youtube.com/watch?v=zWkFTHFcgvs
https://www.youtube.com/watch?v=uHxEIukrBus

Code

Write/Read

Rewrite a key

Wiring

GPIO12: MISO. D6 (Master in Slave Out)

GPIO13: MOSI. D7 (Master Out Slave In)

GPIO14: SCLK. D5 (Serial Clock)

GPIO15: CS. D8 (Slave (Chip) Select)

GPIO04: Reset D2 Reset RC522 (RF off/pins off)

The ESP is the master

Update the following Tuesday

Several questions were asked during the presentation on how are the signals actually passed back and forth. Discussion ensued and no definitive answer was found.

Some searching by Craig and myself found this:

The reader/writer carrier is always on as it provides power to the tag. Quoting from the link immediately below.

"The interrogator communicates with the tag by modulating a carrier wave by varying the amplitude, phase, or frequency of the carrier. This modulation can be directly detected as current changes in the coil of the tag. The tag communicates with the interrogator by varying how much it loads its antenna. This in turn affects the voltage across the interrogator’s antenna. By switching the load on and off rapidly, the tag can create sideband frequencies, which are then coupled into the interrogator antenna."

https://rfid4u.com/inductive-and-backscatter-coupling/

Where to get the hardware.

All prices are in Canadian Dollars

ESP8266: 1 for $3.66 from AliExpress I usually by a bunch at a time.

https://a.aliexpress.com/_mMmEBBy

RFID Reader/Writer: 3 for $16.00 from Amazon



https://a.co/d/j8wFXr0

Breadboard: 4 for $13.64 from AliExpress



https://a.aliexpress.com/_mPlLXyO

LED: 100 for $5.30 from AliExpress

You need one LED. This link will sell you 100 for $5.30. You will have one the next time you need it, and the next and the next ... I've used up about 1/2 of mine in ~8 years.

https://a.aliexpress.com/_mLbC3vo

Resistor: 2600 for $15.86 from AliExpress

You need one resistor, about 200 Ohms - This link will get you 2600 assorted for $15.86. Trust me you will need more as you build more things. Or, ask a friend. They may already have 2000+ resistors.

https://www.aliexpress.com/item/1005006157089607.html

Hook up wire: $23.00 from Amazon

Again, more than you need for this project but there will be more projects.

https://www.amazon.ca/TUOFENG-Hookup-Wires-6-Different-Colored/dp/B0CM2Y7V1Z/

Links

Thanks to all the following for information used in creating this presentation.

ESP8266/Arduino RC522 library
https://github.com/miguelbalboa/rfid

Mifare 1K classic data structure:
https://grave-rose.medium.com/mifare-1k-classic-dd561424a41b
https://shop.sonmicro.com/Downloads/MIFARECLASSIC-UM.pdf

Mifare 1K classic data sheet
https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf

Reader/Writer chip:
https://www.nxp.com/docs/en/data-sheet/MFRC522.pdf

Ascii converter:
https://www.rapidtables.com/convert/number/hex-to-ascii.html

Details on RFID:
https://lastminuteengineers.com/how-rfid-works-rc522-arduino-tutorial/

Vulnerabilities:
https://www.sidechannel.blog/en/mifare-classic-2/

Access bits calculator:

Glossary
http://www.nfc-research.at/index.php@id=40.html