Fork me on GitHub

Project Notes

#438 RFID/DeviceDumper

Getting started with some RFID research and using an RC522 RFID reader with MIFARE Classic cards and tags.

Build

Notes

RC522 RFID modules are widely available for no more than a few dollars. These typically come with a card and tag.

The module embeds the NXP MFRC522 Contactless Reader IC. Technically, this is known as the PCD (Proximity Coupling Device) The MFRC522 is an integrated reader/writer IC for contactless communication at 13.56 MHz, and supports ISO/IEC 14443 A/MIFARE and NTAG standards.

The cards and tags provided use the ISO 14443A/MIFARE standard. These are generically known as a PICC (Proximity Integrated Circuit Card).

kit_parts

RFID Standards

The Wikipedia RFID page is a good place to start, along with the MFRC522 and MIFARE Classic product documentation from NXP.

The first thing to note is that RFID is a generic term that covers a wide variety of systems, applications and standards.

Most “smart cards” operate in the 13.56 MHz HF band and comply with on of the standards:

  • ISO/IEC 14443 - proximity (close range), such as the NXP MFRC522 and MIFARE
  • ISO/IEC 15693 - vicinity cards, read at distances of 1–1.5 meters

Simple identification tags (such as used with inventory or livestock) operate around ~125kHz, and seem to mainly follow properitary standards. One of the most common is the so-called EM4100 or compatilble. Cards and readers are widely available, although it was originally a product of EM Microelectronic, and subsequently superceded by EM4200

Product identification tags (e.g. as used for products in staff-less shops) operate in UHF ISM bands and can operate at moderate range up to 12m. Most Electronic Product Code RFID tags comply with ISO/IEC 18000-6C for the RFID air interface standard.

At the higher end are solutions in the 2450-5800 MHz wireless band and even 3.1–10 GHz microwave.

Security

It doesn’t take much research to quickly discover that the security is one of the biggest issues with RFID.

Most if not all early security mechanisms have been compromised. This includes the NXP Crypto-1 encryption algorithm that is used by MFRC522 and MIFARE cards.

Getting Started

I think it was watching Julian Ilett’s “First Look: RC522 RFID Reader/Writer ($4 on eBay)” video that originally encouraged me to buy one to try…

clip

Bigclivedotcom’s RFID reader technology and cloning tags video is also a good intro..

clip

Construction

First step is to do some tag reading. Here’s a quick setup with an Arduino Uno, using Miguel Balboa’s MFRC522 RFID Library.

Power: the MFRC522 is 3.3V device, and officially tolerant up to around 4V. So, running it with the 5V Uno is not strictly legit. Power is supplied correctly at 3.3V, but data lines will stray up to 5V. But it does seem to work, as many have proven before, though I wouldn’t do it this way for anything other than short tests.

Pin connections:

MFRC522 Arduino
SDA 10
SCK 13
MOSI 11
MISO 12
IRQ -
GND GND
RST 9
3.3 3.3V

Breadboard

Schematic

Build

Test Program

The DeviceDumper.ino combines a few diagnostic tests:

  • runs a self-test on the MFRC522 PCD
  • waits for a PICC to be presented, then:
    • tries common keys to find one that authenticates (it doesn’t try a full crack of the card)
    • dumps and interprets the full contents of the card

It only does read operations.

The “common keys” come from the work in the MiFare Classic Universal toolKit (MFCUK).

Blank Card

Scanning the blank PICC that was supplied with the module..

card_test

-----------------------------
MFRC522 Digital self test
Firmware Version: 0x92 = v2.0
Performing test... Result: OK
-----------------------------
Scan PICC to see UID, SAK, type, and data blocks...
Authenticating using key A =  FF FF FF FF FF FF
Success with key: FF FF FF FF FF FF
Card UID: EB CC 0C C5
Card SAK: 08
PICC type: MIFARE 1KB
Sector Block   0  1  2  3   4  5  6  7   8  9 10 11  12 13 14 15  AccessBits
  15     63   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         62   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         61   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         60   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
  14     59   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         58   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         57   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         56   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
  13     55   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         54   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         53   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         52   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
  12     51   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         50   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         49   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         48   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
  11     47   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         46   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         45   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         44   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
  10     43   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         42   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         41   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         40   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
   9     39   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         38   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         37   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         36   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
   8     35   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         34   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         33   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         32   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
   7     31   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         30   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         29   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         28   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
   6     27   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         26   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         25   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         24   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
   5     23   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         22   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         21   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         20   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
   4     19   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         18   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         17   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         16   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
   3     15   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         14   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         13   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         12   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
   2     11   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         10   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
          9   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
          8   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
   1      7   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
          6   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
          5   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
          4   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
   0      3   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
          2   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
          1   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
          0   EB CC 0C C5  EE 88 04 00  85 00 B4 2E  F0 BB 6A A8  [ 0 0 0 ]

Breaking this down:

-----------------------------
MFRC522 Digital self test
Firmware Version: 0x92 = v2.0
Performing test... Result: OK
-----------------------------
Scan PICC to see UID, SAK, type, and data blocks...
Authenticating using key A =  FF FF FF FF FF FF
Success with key: FF FF FF FF FF FF
Card UID: EB CC 0C C5
Card SAK: 08
PICC type: MIFARE 1KB

The factory default key worked for authentication.

The card UID shown is actually from the first 4 bytes of the EEPROM.

The SAK (Select Acknowledge) is the code that the card returned when selected. The 08 is decoded to mean this is a MIFARE 1KB card.

The memory dump that follows lists the 16 sectors, each a total 64 bytes organised as 4 blocks of 16 bytes (for a total of 1024).

Sector 0:

  • first block (16 bytes) is for manufacturer data (usually read-only). This includes the card identification:
    • a 4-byte NUID (EB CC 0C C5 in this case)
    • or 7-byte UID (EB CC 0C C5 EE 88 04 in this case)
    • the 5th byte is a checksum of the first 4 bytes: EB ^ CC ^ 0C ^ C5 = EE
  • The next 2 blocks (32 bytes) are empty data blocks
  • The final block (16 bytes) is the sector trailer

The Sector Trailer comprises:

  • Bytes 0-5: Key A
  • Bytes 6-8: Access bits
  • Bytes 9: User data
  • Bytes 10-15: Key B (or user data)
Sector Block   0  1  2  3   4  5  6  7   8  9 10 11  12 13 14 15  AccessBits
   0      3   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
          2   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
          1   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
          0   EB CC 0C C5  EE 88 04 00  85 00 B4 2E  F0 BB 6A A8  [ 0 0 0 ]

Note that Key A appears to be 00 00 00 00 00 00 - but we authenticated with FF FF FF FF FF FF. What gives? The AccessBits 0 0 1 means Key A is write only, and Key B is read/write and may be used for data. When keys are write-only, they return 0 when read.

Sectors 1 through 15 are identical in structure, and on this card are initialised with blank default data:

  • 3 data blocks
  • 1 sector trailer
Sector Block   0  1  2  3   4  5  6  7   8  9 10 11  12 13 14 15  AccessBits
  15     63   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         62   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         61   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         60   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
(etc)

Blank Tag

The tag supplied with the modules reads just like the card and is cleanly initialised with no data.

Card UID: 46 B5 BC 93
Card SAK: 08
PICC type: MIFARE 1KB
Sector Block   0  1  2  3   4  5  6  7   8  9 10 11  12 13 14 15  AccessBits
  15     63   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
         62   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         61   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
         60   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
(etc)
   0      3   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]
          2   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
          1   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]
          0   46 B5 BC 93  DC 08 04 00  62 63 64 65  66 67 68 69  [ 0 0 0 ]

Conclusion

The MFRC522 readers and MIFARE cards/tags widely available in eBay/aliexpress are amazing bargains. While good for games and hobby projects, security is non-existant when coupled with the common libraries.

When real seurity is required, would need to at least swith up to 3DES or AES encryption. For example that could mean using the Mifare Desfire EV1 as described in projects like this - also featured on the Adafruit blog.

Credits and References

About LEAP#438 RFIDArduino
Project Source on GitHub Project Gallery Return to the LEAP Catalog

This page is a web-friendly rendering of my project notes shared in the LEAP GitHub repository.

LEAP is just my personal collection of projects. Two main themes have emerged in recent years, sometimes combined:

  • electronics - usually involving an Arduino or other microprocessor in one way or another. Some are full-blown projects, while many are trivial breadboard experiments, intended to learn and explore something interesting
  • scale modelling - I caught the bug after deciding to build a Harrier during covid to demonstrate an electronic jet engine simulation. Let the fun begin..
To be honest, I haven't quite figured out if these two interests belong in the same GitHub repo or not. But for now - they are all here!

Projects are often inspired by things found wild on the net, or ideas from the many great electronics and scale modelling podcasts and YouTube channels. Feel free to borrow liberally, and if you spot any issues do let me know (or send a PR!). See the individual projects for credits where due.