Group Actions
Engagement
  • Author Author: ralphjy
  • Date Created: Date Created
  • Views 3464 views
  • Likes 5 likes
  • Comments 19 comments
Related
Recommended

Reading and Writing RFID Tags

ralphjy

I am going to start a project soon where I want to use RFID tags to enable user authentication and individual profiles for a home automation remote controller.  I haven't worked with RFID tags before, even though they are fairly ubiquitous at this point.  I imagine this is old hat to most folks, but I thought I'd share my learning.

 

I purchased an RC522 RFID Reader/Writer module and a set of RFID tags on Amazon.  The RC522 chip itself offers multiple interfaces (SPI, I2C, Serial UART), but I discovered that the board that I got was only set up for SPI.  I had wanted to use I2C, but decided it wasn't worth hacking up the board.  The Reader/Writer supports most of the standard Mifare card types (Mini, 1K, 4K, Ultralight, DESFire EV1, and Plus).  The tags that were included were Mifare 1K.

 

I had a breadboard already set up with a Sparkfun ESP8266 Thing Dev and a 128x64 OLED display, so I decided to use that for testing.

image

 

I've been using the Arduino IDE to program my Thing Dev and there is an MFRC522 library available so that worked out well.  Took a while adjusting the pin configurations to get the SPI and I2C to coexist nicely.

 

Been having fun reading stuff that I have lying around.  I had a Ventra ticket from a recent trip to Chicago and it happened to be an Ultralight card.

 

Then I moved on to testing the write capability using the example code that is in the library.

 

Here's the output:

 

  Card UID: 72 DF 5D 96

  PICC type: MIFARE 1KB

  Authenticating using key A...

  Current data in sector:

     1      7   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]

             6   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]

             5   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]

             4   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]

 

  Reading data from block 4 ...

  Data in block 4:

   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

 

  Authenticating again using key B...

  Writing data into block 4 ...

   01 02 03 04 05 06 07 08 09 0A FF 0B 0C 0D 0E 0F

 

  Reading data from block 4 ...

  Data in block 4:

   01 02 03 04 05 06 07 08 09 0A FF 0B 0C 0D 0E 0F

  Checking result...

  Number of bytes that match = 16

  Success :-)

 

  Current data in sector:

     1      7   00 00 00 00  00 00 FF 07  80 69 FF FF  FF FF FF FF  [ 0 0 1 ]

             6   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]

             5   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  [ 0 0 0 ]

             4   01 02 03 04  05 06 07 08  09 0A FF 0B  0C 0D 0E 0F  [ 0 0 0 ]

 

*************************************************************************************

 

The 1K card has 16 sectors of 4 blocks and each block has 16 bytes (16x4x16 = 1024 bytes).  The fourth block (sector trailer) in each sector contains the authentication keys.

In the example above I was writing Block 4 which is the first block in the second sector.  You can see the authentication key in Block 7.

The factory default is 0xFFFFFFFFFFFF.

 

Now I need to figure out what type of data keys I want to store for my application......

  • in reply to Fred27

    Paxton is a good system, used and installed it for years. Their token format is proprietary, though you can get multi-format readers that will read Paxton tokens, Mifare (13.56MHz) and EM4100 (125kHz).

  • in reply to ralphjy

    I probably still have about 50-old MFC 1k "clone" cards sitting around from when I was playing around with NFC. I did some experiments on them for fun, but I'd have to say that I was hoping NFC would get more popular. Unfortunately, none of my present smartphones have NFC anymore, so I've practically set it aside for now as well.

     

    - Gough

  • in reply to Gough Lui

    Thanks Gough.  I think I was enticed by how inexpensive the Mifare 1K tags were on Amazon.  I should have done more reading before diving in, but learning is worth a few $$.  And I think that I can use them for some non-critical applications.

     

    I did a little more research and had already decided that I should use some of the newer tags (maybe the NTAG 213?) and maybe get a better reader/writer.  Or really should just get a new phone (I still use an iPhone 6)

     

    I had not seen the hacking article, so thanks for that.

     

    -Ralph

  • I'd avoid any of the MiFare Classic 1K tags if you care about security. Retrieval of the keys is too easy with a bit of software running under Linux with a supported reader which could allow the data to be cloned. Many MiFare Classic 1K-compatible tags do not have genuine NXP chips which are even easier to break. You can see it in dumps as some of them have odd byte sequences "bcdefghi" in some areas. It is possible to make blocks permanently inaccessible if you set the trailer permission bytes to the wrong value (which I have done intentionally in the past). It is also possible to protect the tag with a code, but retain NDEF read capability (i.e. read only key permission is default, read/write is customised).

     

    While the UID byte is pre-burned into the chip, it's also important to note there are "backdoored" Chinese versions of the chip that allow for UID reprogramming. Being just a memory store, these really don't do much in the way of real authentication, not like the DESFire series do which is more akin to a smart card running a kind of operating system.

     

    MiFare Ultralight tags could be useful in some instances - don't know of UID clones of these, so perhaps using UID with their OTP bytes can also be used for security so that it doesn't get reprogrammed.

     

    - Gough