When I stumbled across this blog post, I was sure I had to try this at home. I had had some interest in RFID for a while, but the Proxmark was too pricey for me just to play with. So this experiment came at just the right time.
The ATtiny85s were difficult to get in Switzerland, so I ordered them from Germany along with an ISP programmer. I think it would also work with other ATtinys; for example, the 45 is available from Conrad. The hex file is just 1.7 kB, so the ATtiny45 should suffice.
After learning how to use the programmer with avrdude, the chip was quickly programmed. But I couldn't get it to work with the tiny fixed coils. So I refreshed some theory about coils and LC filters that I hadn't used in ten years, and wound a coil myself with 1 mH. ElectroDroid simplified the calculations. With this coil connected to the IC, I got the same reading from my RFID reader as for the reference tag.
I don't understand how the copy protection that some vendors advertise for their systems works. I always thought entrance qualification systems used some sort of cryptographic challenge-response scheme. But that would require two-way communication… I wouldn't consider these systems secure if it's so easy to copy the keys.
Now the interesting part was whether my prototype would work not just with my RFID reader, but with a real entrance qualification system… And eureka, it works!! It needs half a second longer to charge, but then lets me in. The same housing also supports MIFARE or LEGIC readers, but ours are only proX2 and the tags are EM4102. While the other options are also possible to copy, that's a lot harder.
Here is the material list:
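Why an EM4102 tag offers no copy protection becomes visible when you decode what it sends: a fixed 64-bit frame whose only checks are parity bits. The decoder below is an added example, not code from this post or from the project it links to; it assumes the frame layout from the public EM4102 datasheet (9 header ones, 10 rows of 4 data bits plus even parity, 4 column parity bits, stop bit 0), and the sample frame is constructed.

```python
# Added example: validate and decode a 64-bit EM4102 frame.
# Layout assumed from the EM4102 datasheet; it is not described in the post.

# Constructed sample frame (version 0x12, ID 0x3456789A), not a real tag.
SAMPLE_FRAME = (
    "111111111"                      # header: nine 1 bits
    "00011" "00101" "00110" "01001"  # rows: 4 data bits + even parity
    "01010" "01100" "01111" "10001"
    "10010" "10100"
    "1011"                           # column parity
    "0"                              # stop bit
)


def even_parity(bits):
    """Even parity bit for a sequence of 0/1 integers."""
    return sum(bits) % 2


def decode_em4102(frame):
    """Return (version, tag_id) for a valid frame, else raise ValueError."""
    if len(frame) != 64 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 64 characters of 0/1")
    bits = [int(c) for c in frame]
    if bits[:9] != [1] * 9:
        raise ValueError("bad header")
    if bits[63] != 0:
        raise ValueError("bad stop bit")
    rows = [bits[9 + 5 * i: 14 + 5 * i] for i in range(10)]
    for n, row in enumerate(rows):
        if even_parity(row[:4]) != row[4]:
            raise ValueError(f"parity error in row {n}")
    for col in range(4):
        if even_parity([row[col] for row in rows]) != bits[59 + col]:
            raise ValueError(f"parity error in column {col}")
    value = 0
    for row in rows:                 # 10 nibbles, most significant first
        value = (value << 4) | int("".join(map(str, row[:4])), 2)
    return value >> 32, value & 0xFFFFFFFF


if __name__ == "__main__":
    version, tag_id = decode_em4102(SAMPLE_FRAME)
    print(f"version=0x{version:02X} id=0x{tag_id:08X}")
```

Nothing in the frame depends on a secret or on a value chosen by the reader, so the parity bits only catch transmission errors; a reader that accepts the decoded ID alone cannot tell the original tag from anything else that sends the same 64 bits.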
And what you need as well:
- An ISP programmer, for example a Diamex AVR
- Useful, but not required: programmer PCB
- An RFID reader such as the Towitech
- An oscilloscope such as the DSO Nano
- And of course a soldering iron and computer
Meanwhile I found another very interesting site about RFID.