Introduction: HackerBox 0072: Tagger

With HackerBox 0072, we are exploring Radio Frequency Identification (RFID) technology, specifically passive RF access and ID cards operating at 125KHz and 13.56MHz. Understand operational and application differences between low-frequency (LF) and high-frequency (HF) RFID tags. Configure and program the most common modules for scanning both LF and HF tags. Experiment with a new dual-antenna, dual-frequency system capable of reading and writing all LF and HF tags. Explore emulating or spoofing RFID tags using microcontroller firmware. Deploy a Bluetooth locator tracker beacon. Understand the important security and privacy considerations for RF devices.

HackerBoxes is the monthly subscription box for enthusiasts of electronics and computer technology - Hardware Hackers - The Dreamers of Dreams.

There is a wealth of information for current and prospective members in the HackerBoxes FAQ. Almost all of the non-technical support emails that we receive are already answered there, so we'd really appreciate it if you can take a few minutes to read the FAQ.

Supplies

This Instructable contains information for getting started with HackerBox 0072. The full box contents are listed on the product page for HackerBox 0072 where the box is also available for purchase while supplies last. If you would like to automatically receive a HackerBox like this right in your mailbox each month with a $15 discount, you can subscribe at HackerBoxes.com and join the revolution!

A soldering iron, solder, and basic soldering tools are generally needed to work on the monthly HackerBox. A computer for running software tools is also required. Have a look at the HackerBox Deluxe Starter Workshop for a set of basic tools and a wide array of introductory activities and experiments.

Most importantly, you will need a sense of adventure, hacker spirit, patience, and curiosity. Building and experimenting with electronics, while very rewarding, can be tricky, challenging, and even frustrating at times. The goal is progress, not perfection. When you persist and enjoy the adventure, a great deal of satisfaction can be derived from this hobby. Take each step slowly, mind the details, and don't be afraid to ask for help.

Step 1: Radio-frequency Identification (RFID)

RFID (radio-frequency identification) uses electromagnetic fields to automatically identify and track tags attached to objects. An RFID system consists of a tiny radio transponder, a radio receiver and transmitter. When triggered by an electromagnetic interrogation pulse from a nearby RFID reader device, the tag transmits digital data, usually an identifying inventory number, back to the reader. This number can be used to track inventory goods. Unlike barcodes, an RF tag does not need to be within the line of sight of the reader, so it may be embedded in the tracked object. (Wikipedia)

RFID tags or cards generally comprise three elements:

  • an integrated circuit chip that stores and processes information and modulates/demodulates radio-frequency (RF) signals
  • an antenna for receiving and transmitting the RF signals
  • a substrate or housing

RFID tags may be read-only, having a factory-assigned serial number that is used as a key into a database, or may be read/write, where object-specific data can be written into the tag by the system user.

There are three common frequency ranges used for RFID tags:

  • Low-Frequency (LF): 120-135 kHz (the key fob)
  • High-Frequency (HF): 13.56 MHz (the card)
  • Ultra High Frequency (UHF): 865-960 MHz

NFC, or near-field communication, is a modern subset of RFID. You'll often see NFC at work in smartphones for identification and payment capabilities. In NFC, devices can both send and receive messages. NFC tags operate in the HF (13.56 MHz) range and can transmit data such as credit card account numbers, ID codes, and other information. You may also see NFC functionality incorporated into smartphones, which can act as either the transmitter or the receiver. With NFC, phones with Apple Pay or similar programs can emulate credit cards as well as offer "tap to transfer" services. This type of data transfer service establishes a connection between two phones, then uses Bluetooth or Wi-Fi to transmit the data.

HackerBox 0072 RFID Cards

There are four white RFID cards included in HackerBox 0072.

Two of the RFID cards are known as T5577 RFID cards. These are common 125 kHz (LF) RFID cards that use the ATMEL ATA5577 chip. The T5577 card is rewritable, meaning you can rewrite the identifying data on the card.

Two of the RFID cards are S50 Mifare Classic 1K cards operating at 13.56 MHz (HF). These support the ISO/IEC 14443 protocol standard and provide 1 KB of EEPROM memory organized as 16 sectors of 4 blocks each (64 blocks). The specific type included is often called a "UID MAGIC CARD" because it is quite different from most HF RFID cards: it does not come with a fixed unique ID (4-byte UID). Instead, the UID is blank and may be programmed and reprogrammed, which also means that a reader which trusts the UID alone cannot tell such a card apart from the card whose UID it copies.

Smartphone NFC

Your smartphone may have NFC functionality built in; if so, you can install a simple NFC app and test it out with the included 13.56 MHz RFID cards.

Do the Right Thing

The tools and skills presented here can allow you to read, write, clone, and spoof RFID cards. Just as with the ability to pick physical locks, the power of such knowledge should be used for good and not evil. These tools are important for testing, designing, and validating systems to make them more secure and keep them secure against bad actors. Please make the choice to not be a bad actor.

Interesting RFID Links

Step 2: ATmega328P Arduino Nano

The Arduino Nano is possibly the most common microcontroller (MCU) module currently in use. The Arduino Nano is a surface-mount, breadboard-friendly, miniaturized Arduino board with integrated USB. It is amazingly full-featured and easy to hack. The included variant is based on the ATmega328P MCU operating on 5V at 16 MHz. It includes an on-board Mini-USB port connected to a CH340 USB/Serial bridge chip. Detailed information on the CH340 (and drivers, if needed) can be found here.

Leave the pins unsoldered for now. The included Arduino Nano board comes with header pins, but they are not soldered to the module. Perform these initial tests on the Arduino Nano module prior to soldering on the header pins.

When you first plug the Arduino Nano into a USB port of your computer, the red power light should come on and shortly after that, another red LED should start to blink slowly. This happens because the Nano is pre-loaded with the BLINK program, which is running on the brand new Arduino Nano.

SOFTWARE: If you do not yet have the Arduino IDE installed, you can download it from Arduino.cc

Plug the Nano into a USB-C cable and the other end of the cable into a USB port on the computer. Launch the Arduino IDE software. Select "Arduino Nano" in the IDE under tools>board and "ATmega328P" under tools>processor. Select the appropriate USB port under tools>port.

Finally, load up a piece of example code:

File->Examples->Basics->Blink

Blink is actually the code that was preloaded onto the Nano and should be running right now to slowly blink the blue LED. Accordingly, if we load this example code, nothing will change. Instead, let's modify the code a little bit.

Looking closely, you can see that the program turns the LED on, waits 1000 milliseconds (one second), turns the LED off, waits another second, and then does it all again - forever.

Modify the code by changing both of the "delay(1000)" statements to "delay(100)". This modification will cause the LED to blink ten times faster, right?

Let's load the modified code into the Nano by clicking the UPLOAD button (the arrow icon) just above your modified code. Watch below the code for the status info: "compiling" and then "uploading". Eventually, the IDE should indicate "Uploading Complete" and your LED should be blinking faster.

If so, congratulations! You have just hacked your first piece of embedded code.

Once your fast-blink version is loaded and running, why not see if you can change the code again to cause the LED to blink fast twice and then wait a couple of seconds before repeating? Give it a try! How about some other patterns? Once you succeed at visualizing a desired outcome, coding it, and observing it to work as planned, you have taken an enormous step toward becoming a competent hardware hacker.

Now that you have confirmed operation of the Nano module, go ahead and solder the header pins onto it. Note that the six-pin (2x3) header for the end of the board is usually not needed, so you can just leave it off.

If you would like additional introductory information for working in the Arduino ecosystem, we suggest checking out the Guide for the HackerBoxes Starter Workshop, which includes several examples and a link to a PDF Arduino Textbook.

Step 3: RDM6300 - 125KHz RFID Tag Reader Module

The RDM6300 is a module for reading 125KHz RFID tags. It includes an external wire loop antenna.

In order to use the RDM6300 with the Arduino Nano, start by grabbing this library and placing it into your Arduino IDE Libraries folder.

Wire up the module as shown in the diagram, with the module's TX output feeding pin D4 of the Arduino Nano.

Open the sketch at Examples > Rdm6300 > read_to_serial

Upload and run the sketch.

Open the serial monitor at 115200 baud.

Two of the included RFID cards (the LF 125 kHz ones) can be read using this module; the other two (the HF 13.56 MHz ones) operate at a frequency that the RDM6300 cannot read.
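As an added example (not code from the page or from the Rdm6300 library), here is a host-side C++ parser for the frame the RDM6300 sends on its TX line, which is the data the read_to_serial sketch receives: STX (0x02), ten ASCII hex data characters (one version/customer byte and a four-byte tag ID), two ASCII hex checksum characters (the XOR of the five data bytes), and ETX (0x03). Validating the checksum before acting on a read, rather than printing whatever arrives, keeps electrical noise or a half-read card from turning into a bogus ID; the sample frame values used in the test are constructed.

```cpp
// Added example (not from the HackerBox page): host-side parser for the
// 14-byte frame the RDM6300 emits on its TX pin: STX (0x02), 10 ASCII hex
// data chars, 2 ASCII hex checksum, ETX (0x03). The checksum is the XOR of
// the five data bytes; frames that fail it are dropped instead of acted on.
#include <cstdint>
#include <cstddef>
#include <string>

static const char RDM_STX = 0x02, RDM_ETX = 0x03;
static const size_t RDM_FRAME_LEN = 14;

// -1 for a non-hex character, so a corrupted byte cannot silently become 0.
static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

// Parses one complete frame into the 32-bit tag ID (the number printed on
// many fobs). Returns true only if framing, hex digits and checksum are all
// valid; 'id' is left untouched otherwise.
bool rdm6300Parse(const std::string& f, uint32_t& id) {
    if (f.size() != RDM_FRAME_LEN || f[0] != RDM_STX || f[13] != RDM_ETX) return false;
    uint8_t b[6];  // version/customer byte, 4 ID bytes, received checksum
    for (size_t i = 0; i < 6; ++i) {
        int hi = hexVal(f[1 + 2 * i]), lo = hexVal(f[2 + 2 * i]);
        if (hi < 0 || lo < 0) return false;
        b[i] = static_cast<uint8_t>((hi << 4) | lo);
    }
    uint8_t x = 0;
    for (size_t i = 0; i < 5; ++i) x ^= b[i];
    if (x != b[5]) return false;  // bit error or truncated read
    id = (uint32_t(b[1]) << 24) | (uint32_t(b[2]) << 16) | (uint32_t(b[3]) << 8) | b[4];
    return true;
}

// Byte-at-a-time accumulator, the shape a sketch uses in loop() as serial
// bytes arrive: resynchronises on STX and discards junk between frames.
class Rdm6300Reader {
public:
    // Feed one received byte; returns true when a valid frame just completed.
    bool feed(char c, uint32_t& id) {
        if (c == RDM_STX) { buf_.assign(1, c); return false; }
        if (buf_.empty()) return false;  // noise before any STX
        buf_.push_back(c);
        if (buf_.size() < RDM_FRAME_LEN) return false;
        bool ok = rdm6300Parse(buf_, id);
        buf_.clear();
        return ok;
    }
private:
    std::string buf_;
};
```

In a sketch, feed() would be called with each byte read from the software serial port on D4, and the ID acted on only when it returns true.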

Step 4: PN532 13.56MHz RFID Read/Write Module

The PN532 (datasheet) is a highly integrated transceiver for contactless communication at 13.56 MHz. The integrated circuit features an 80C51 microcontroller core. The PN532 supports reading and writing RFID tags, as well as NFC functionality and wireless communications.

The PN532 Module (wiki) features a mode switch to select the wired connection between I2C, SPI, and UART modes. The module includes an integrated level shifter to support 3.3V or 5V working voltages.

Set the mode switch to (0, 1) to select SPI operations and wire the module to the Arduino Nano like so:

NANO ---- PN532
GND  ---- GND
5V   ---- VCC
D2   ---- SCK
D3   ---- MOSI
D4   ---- SS
D5   ---- MISO

In the Arduino IDE, use Tools > Manage Libraries to search for and install the Adafruit PN532 Library.

The Adafruit PN532 library can read 13.56 MHz MiFare cards, including their hard-coded ID numbers, as well as authenticate to sectors and read/write EEPROM blocks.

The wiring above matches the software-SPI pin assignments used by the library's example sketches, so examples such as readMifare, iso14443a_uid, mifareclassic_memdump, and so forth should run without modification.
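As an added example, not code from the page or from the Adafruit library: once mifareclassic_memdump (or your own authenticate-and-read loop) has produced a 1 KB dump, the access bits in each sector trailer decide who may read or write each block. The helper below decodes and validates those bits, builds consistent ones for a trailer you plan to write, and flags sectors still in the transport configuration; the dump layout it walks (64 consecutive 16-byte blocks) and the sample values in its test are assumptions of this example.

```cpp
// Added example (not code from the page or the Adafruit library): decoding
// and validating the access bits of a MIFARE Classic 1K sector trailer.
// Each of the 16 sectors is 4 blocks of 16 bytes (64 blocks); block 3 is the
// trailer: key A (bytes 0-5), access bits (6-8), one spare byte (9), key B
// (10-15). The three access bits C1 C2 C3 per block are stored once plain and
// once inverted; writing a trailer whose copies disagree permanently locks the
// sector, so validate before any write.
#include <array>
#include <cstddef>
#include <cstdint>

struct AccessBits { uint8_t c1, c2, c3; };  // 4-bit fields, bit k = block k

// Layout: byte6 = ~C2<<4 | ~C1, byte7 = C1<<4 | ~C3, byte8 = C3<<4 | C2.
// Returns false when the inverted copies do not match the plain ones.
bool decodeAccessBits(const uint8_t trailer[16], AccessBits& out) {
    uint8_t b6 = trailer[6], b7 = trailer[7], b8 = trailer[8];
    uint8_t c1 = b7 >> 4, c2 = b8 & 0x0F, c3 = b8 >> 4;
    uint8_t nc1 = b6 & 0x0F, nc2 = b6 >> 4, nc3 = b7 & 0x0F;
    if ((c1 ^ nc1) != 0x0F || (c2 ^ nc2) != 0x0F || (c3 ^ nc3) != 0x0F) return false;
    out = {c1, c2, c3};
    return true;
}

// Inverse of decodeAccessBits: self-consistent bytes 6..8 for a trailer write.
void encodeAccessBits(const AccessBits& a, uint8_t out[3]) {
    out[0] = static_cast<uint8_t>(((~a.c2 & 0x0F) << 4) | (~a.c1 & 0x0F));
    out[1] = static_cast<uint8_t>((a.c1 << 4) | (~a.c3 & 0x0F));
    out[2] = static_cast<uint8_t>((a.c3 << 4) | a.c2);
}

// Access condition of one block as the 3-bit value C1C2C3 (0..7), the row
// index used in the datasheet tables. Condition 0 on a data block is the
// transport configuration: key A or B may read, write, increment, decrement.
uint8_t blockCondition(const AccessBits& a, unsigned block) {
    return static_cast<uint8_t>((((a.c1 >> block) & 1) << 2) |
                                (((a.c2 >> block) & 1) << 1) | ((a.c3 >> block) & 1));
}

// Walks a 1024-byte dump (64 consecutive 16-byte blocks) and returns a mask
// of sectors whose data blocks are all in condition 0, i.e. rewritable by
// anyone holding the default keys; 'badMask' collects sectors whose access
// bits are inconsistent.
uint16_t scanDump(const std::array<uint8_t, 1024>& dump, uint16_t& badMask) {
    uint16_t openMask = 0;
    badMask = 0;
    for (unsigned s = 0; s < 16; ++s) {
        AccessBits a;
        if (!decodeAccessBits(&dump[(s * 4 + 3) * 16], a)) { badMask |= 1u << s; continue; }
        if (blockCondition(a, 0) == 0 && blockCondition(a, 1) == 0 && blockCondition(a, 2) == 0)
            openMask |= 1u << s;
    }
    return openMask;
}
```

The transport configuration on a fresh card is trailer bytes FF 07 80 69, which decodes to C1 = 0, C2 = 0, C3 = 0b1000: data blocks fully open, trailer in condition 001.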

Step 5: 7941W Dual Frequency RFID Reader and Writer

The 7941W module is a multi-protocol dual-frequency module. It is capable of reading and writing RFID tags at both 125KHz and 13.56MHz. The module is easily wired up to the UART interface of any MCU, such as the Arduino Nano.

NANO ---- 7941W
5V   ---- 5V
D2   ---- RX
D3   ---- TX
GND  ---- GND

The attached Arduino sketch, 7941W_demo, illustrates some simple examples of reading and writing both LF and HF RFID tags using a serial command-line interface.

For the 13.56MHz cards, use command 1 to read from the card and command 2 to write to the card.

For the 125KHz cards, use command 6 to read from the card and command 7 to write to the card.

The special blank 125 kHz cards need to have an ID written to them (command 7) before it is possible to read from them (command 6).

Step 6: Emulating 125KHz RFID Tags

The simple circuit shown here can be used to let a microcontroller (such as our Arduino Nano) pretend to be an LF RFID tag with any ID specified by the firmware. This is called emulating, spoofing, cloning, or mimicking the RFID tag. The attached sketch RFIDemu125K.ino does the heavy lifting to drive the antenna. A 10nF ceramic capacitor where shown helps improve the resonance of the antenna, but is not absolutely necessary.

Related Links:


Step 7: Bluetooth Locator Tracker Beacon Tag

This simple beacon tag (sometimes called an iTag) can provide an audible alarm to locate lost items. It can also sound an alarm when your mobile device gets too far from the iTag, indicating that you are leaving a tagged item behind or perhaps that someone is taking the tagged item away.

Pressing the button on the iTag activates operation. A mobile application, such as iTag or cTracing, can be used to scan for and connect to the iTag. Once connected, the application can trigger the alarm on the iTag or generate notifications associated with the iTag.

The iTag is based on the ST17H66B chip (datasheet) from Lenze Tech. While the chip is quite tiny (with only 16 pins), it features an Arm Cortex-M0 processor, Bluetooth LE 5.1, 512 KB Flash, 96 KB ROM, and 64 KB SRAM. The Bluetooth protocol stack is stored in ROM, so it does not take up space in the program Flash memory.

Lenze Tech has an SDK and toolkit online for this chip, which you can dig up if you wish. Much of their published documentation is in Chinese, but Google can find and translate it for you.

Step 8: Keyport SIM Card Clip

The Keyport SIM Card Clip is the only SIM extraction tool that you will ever need. Made of stainless steel and super tough, the innovative design can clip into your wallet or passport like a paperclip. Alternatively, it can be hung conveniently on your keychain.

The SIM Card Clip is also compatible with the Keyport Pivot. The Pivot is a modular key organizer - kind of like a Swiss Army knife but with keys, tools, and smart tech. Keeping with the theme of this box, the Pivot can be fitted out with one or more Keyport RFID Key units. But wait - there's more - the Pivot even includes a lost & found service!

We know the Keyport team from the DEF CON Vendor Room. They've had a very popular vendor booth for the past nine years and we love seeing the new toys and tools they come up with year after year. They've given us a discount code to share with you - HCKR15 - which is good for 15% OFF Keyport products on their website. (Third-party products, pre-orders, or limited edition runs are not included.)

Step 9: Silent Pocket

Another regular team that we know from the DEF CON vendor scene is Silent Pocket (SLNT.com). They hooked us up with their Camera Privacy Sticker Sheet for this box, which we hope you will make good use of to protect your privacy.

If you like the idea of the simple RF blocking sleeves found in HackerBox 0072, but want to upgrade to some next-level, high-end RF blocking products, SLNT has you covered, so to speak. They manufacture leather wallets, sleeves, and bags with embedded Faraday-cage-style shielding. The shielding isolates your devices from sneaky snoopers, scanners, or would-be electronic pickpockets.

Step 10: Meet IRL - DEF CON Groups

Remember IRL? When people met each other In Real Life? Before we spent all of our time in the OASIS, jacked into custom cyberspace decks, running can-opener code with cyber-dolphins, and clicking LIKE in the Metaverse?

Many in our community have suggested, or asked for, ways to connect with other HackerBox members in their geographical area. Obviously, this would be a great way to get social IRL and hopefully allow members to work together on HackerBoxes and other projects.

The challenge here is one of privacy. How can we introduce you to another member who lives nearby without horribly violating the privacy of both of your locations and identities? There is no easy way.

While arranging opportunities for HackerBox 0072 to introduce you to a couple of our vendor friends from DEF CON (Keyport and Silent Pocket), we realized that DEF CON might be a common ground for allowing geographically proximate HackerBox members to find one another, specifically through the many local DEF CON Groups. These groups are identified by telephone area code (and international country code where necessary). You can click the link above to find the one closest to you.

For example:

San Diego is DC858, Atlanta is DC404, and NYC is DC212

Please consider finding and joining your local DEF CON Group. Many of them have very cool meetup activities with presentations, workshops, and social fun. Being part of a local group does not require that you have ever been to, or ever plan to attend, DEF CON in Las Vegas - but participating locally might get you excited about it.

Throw up a sign. This part depends on how, where, and how frequently your local group engages. Once you get in the flow of your local group's activities, suggest having a group meeting (or even just one agenda item for a meeting) on the theme of HARDWARE HACKING. Offer to give a brief overview or demo of some hardware you've worked on. (How about RFID spoofing?) There will surely be others in your local DEF CON Group that are curious about or are already working on hardware. Hopefully there will also be some HackerBox members who recently joined up by following this call to action. Either way, you can connect and share! At the very least, you'll be helping to educate and expose members in your local group to the fun world of hardware. They will thank you and probably buy you a beer. DEF CON family love learning from and teaching each other!

Of course, we're playing too! HackerBox HQ is in the Tampa Bay area where the local DEF CON Group is DC813. We are currently arranging a DC813 meeting to feature a HackerBox presentation and workshop on Hardware Hacking. If you're near the Tampa area, keep an eye out for the meeting announcement. We can't wait to see you there!

Step 11: Trust Your Technolust

We hope you are enjoying this month's HackerBox adventure into electronics, computer technology, and hacker culture. Reach out and share your success in the comments below or other social media. Also, remember that you can email support@hackerboxes.com anytime if you have a question or need some help.

What's Next? Join the revolution. Live the HackLife. Get a cool box of hackable gear delivered right to your mailbox each month. Surf over to HackerBoxes.com and sign up for your monthly HackerBox subscription.