Diving into RFID Protocols with Flipper Zero

RFID is a contactless radio-tag technology. It is quite common and you may see it in a lot of places: intercoms, bank cards, public transport passes, office passes; it is also used to track domestic animals, for toll collection, and so on. The two main RFID tag types are high-frequency and low-frequency.

  • Low-Frequency tags (125 kHz) — work at a longer range. Despite being insecure and dumb, they are still used in primitive access control systems: building intercoms, offices, sports facilities, museums.
  • High-Frequency tags (13.56 MHz) — have a shorter effective range than the low-frequency ones but use more complex protocols that support encryption, authentication and other cryptography. These tags are commonly used in contactless bank cards, public transport payment and high-security access control systems.

Here we will compare these two types of tags, take a look at the main protocols and learn to work with them using Flipper Zero: we will read, emulate, save and clone them. You will see how to save whatever RFID keys you have, for the office, the gym or your home, and we will take a glimpse at what Flipper can read from a bank card.

How RFID Tags Work

RFID chip turns on when it receives power from the reader's RF field

Most RFID tags are passive tags with no internal power source. The chip inside is completely turned off until the tag is exposed to a reader's electromagnetic field. As soon as it comes within range, the tag's antenna begins absorbing energy from the field and the chip receives power, turns on and begins communicating with the reader. It is worth mentioning that a tag's antenna is tuned to a specific frequency, so the tag can only activate inside a field of a suitable frequency.

RFID Tag Types

On the outside, RFID tags can look quite different: cards, fat or thin, key fobs, bracelets, coins, rings, or even stickers. Judging by looks alone it is almost impossible to tell which frequency or protocol a tag operates on.

On the outside RFID tags can be quite different

Quite often manufacturers use similar plastic cases for RFID fobs operating on different frequencies, so two visually identical tags might be totally different inside. Keep this in mind when you try to determine the type of tag you have. In this article, we will be looking at the two most popular types of RFID tags used in access control systems; Flipper Zero supports both of their frequencies.

There is a variety of RFID protocols working on other frequencies. UHF tags, for example, use the 840-960 MHz range. They are used for tracking assets in warehouses, paying for toll roads, tracking wild animals during migration and so forth. These tags may have a battery and work from a couple of meters up to kilometers. They are quite rare though, and you are unlikely to encounter them unless you go looking for them specifically. We will leave them out of this article.

125 kHz & 13.56 MHz – Which is Which?

The easiest way to tell which frequency range an RFID tag operates on is to look at the antenna. Low-frequency tags (125 kHz) have an antenna made of a very thin wire, literally thinner than a hair, but with a large number of turns, so the antenna looks like a solid piece of metal. High-frequency cards (13.56 MHz) have a significantly smaller number of thicker turns, with visible gaps between them.

With enough backlight, you can guess the card's operating frequency

You can shine some light through an RFID card to see the antenna inside. If the antenna has only a few large turns, it is most likely a high-frequency antenna. If the antenna looks like a solid piece of metal with no gaps between the turns, it is a low-frequency antenna.

Low-frequency antennas use a thin wire for their turns, while high-frequency ones use a thicker one

Low-frequency tags are often used in systems that do not require high security: building access, intercom keys, gym membership cards, etc. Due to their longer range, they are convenient for paid car parking: the driver does not need to bring the card close to the reader, as it is triggered from further away. At the same time, low-frequency tags are very primitive and have a low data transfer rate, so it is impossible to implement the complex two-way exchange needed for things like keeping a balance or cryptography. Low-frequency tags only transmit their short ID, without any means of authentication.

High-frequency tags are used for more complex reader-tag interaction, when cryptography, larger two-way data transfer, authentication, etc. are required. They are usually found in bank cards, public transport and other secure passes.

125 kHz & 13.56 MHz RFID tag comparison

Low-Frequency 125 kHz Tags

  • Long range — the lower frequency translates to a longer range. Some EM-Marin and HID readers work from a distance of up to a meter; these are often used in car parking.
  • Primitive protocol — due to the low data transfer rate these tags can only transmit their short ID. In most cases the data is not authenticated or protected in any way: as soon as the card is in range of the reader it simply starts transmitting its ID.
  • Low security — because the protocol is so primitive, these cards can be easily copied, or even read from somebody else's pocket.

High-Frequency 13.56 MHz Tags

  • Low range — high-frequency cards are specifically designed to be placed close to the reader, which also helps protect the card from unauthorized interactions. The maximum read range we managed to achieve was about 15 cm, and that was with custom-made high-range readers.
  • Advanced protocols — data transfer speeds of up to 424 kbps allow complex protocols with full-fledged two-way data exchange, which in turn allows cryptography and similar features.
  • High security — high-frequency contactless cards are in no way inferior to smart cards. There are cards that support cryptographically strong algorithms like AES and implement asymmetric cryptography.

RFID in Flipper Zero

How RFID antenna works in Flipper Zero

Flipper supports both high-frequency and low-frequency tags. To support both frequencies we developed a dual-band RFID antenna that is situated on the bottom part of the device.

A separate NFC controller (ST25R3916) is used for high-frequency protocols (NFC). It takes care of everything related to hardware interaction with the cards: reading and emulation. Low-frequency 125 kHz protocols are implemented in software on top of a custom analog front end that works together with the MCU and allows reading, writing and emulation.

[Video] RFID antenna inside Flipper Zero

The top part of the PCB is shielded with a ferromagnetic layer which isolates the rest of the electronic components from interference and extends the operating range by reflecting the high-frequency field.

During assembly, the antennas are glued into Flipper's back panel and connect to the PCB with pogo pins. This greatly simplifies assembly, as no cables or U.FL connectors are required.

Low-Frequency 125 kHz Protocols

Low-frequency tags store a short ID, just a few bytes long. The tag's ID is compared to the IDs stored in the database of a controller or intercom. However, the card will transmit its ID to anyone asking as soon as it receives power. Quite often the ID is printed on the card itself, so you can take a picture of it and enter it into Flipper manually.

Popular 125 kHz protocols:

  • EM-Marin — EM4100, EM4102. The most popular protocol in the CIS. Can be read from about a meter away because of its simplicity and stability.
  • HID Prox II — a low-frequency protocol introduced by HID Global. This protocol is more popular in western countries. It is more complex, and cards and readers for it are relatively expensive.
  • Indala — a very old low-frequency protocol introduced by Motorola and later acquired by HID. You are less likely to encounter it in the wild than the previous two, because it is falling out of use.

In reality, there are many more low-frequency protocols, but they all use the same modulation on the physical layer and may be considered, in one way or another, variations of those listed above. At the time of writing Flipper can read, save, emulate and write all three. Others are not yet supported in Flipper's firmware, but since the 125 kHz subsystem is implemented in software, we can add them in the future.

EM-Marin

[Video] Flipper reading an EM-Marin tag

EM-Marin is the most common format in the CIS. It is simple and has no copy protection. EM-Marin cards usually have EM4100 chips inside, but there are others as well; for example, an EM4305 can be rewritten, unlike the EM4100.

To read a low-frequency card go to the Flipper menu 125 kHz RFID —> Read and place the tag on the back of the device. Flipper will attempt to determine the protocol and, on success, will display it alongside the card's ID. Since Flipper tries all the protocols in one go, this takes a bit of time; for example, reading an Indala card takes a couple of seconds.

Unique EM-Marin ID on the card and on the Flipper

The EM4100's unique code is 5 bytes long. Sometimes you can find it on the card itself, written either in decimal or in hex. Flipper displays the code in hex; however, EM-Marin cards usually have only the 3 lower bytes printed on them, not the full 5-byte number. If there is no way to read them from the card, the other 2 bytes can be brute-forced.
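To make the relationship between the printed number, the 5-byte ID and what the chip actually transmits concrete, here is an added Python example (not Flipper firmware code). It converts between the printed form and the 5-byte ID, then builds and parses the 64-bit EM4100 frame: 9 header bits, 10 nibbles each with an even row-parity bit, 4 column-parity bits and a stop bit. The "FFF,NNNNN" printed convention (byte 2 in decimal, then bytes 3-4 as one 16-bit decimal number) is an assumption about how many cards are labelled, and the sample ID is constructed. The frame layout shows why the page calls the protocol primitive: parity is the only integrity check, and the ID is the entire payload.

```python
"""EM4100 IDs: printed number <-> 5-byte ID, and the 64-bit frame the chip
broadcasts. Added example, not Flipper firmware code."""

# Constructed sample: a 5-byte EM4100 ID as Flipper would show it in hex.
SAMPLE_ID = bytes.fromhex("1A00C0FFEE")


def printed_to_id(printed: str, upper_bytes: bytes) -> bytes:
    """Turn the number printed on many EM-Marin cards into the 5-byte ID.

    Assumed convention (common, but not universal): "FFF,NNNNN", i.e. byte 2
    of the ID in decimal, a comma, then bytes 3-4 as one 16-bit decimal
    number. Bytes 0-1 are not printed, so the caller must supply them.
    """
    fac, num = printed.split(",")
    facility, number = int(fac), int(num)
    if not (0 <= facility <= 0xFF and 0 <= number <= 0xFFFF and len(upper_bytes) == 2):
        raise ValueError("printed fields or upper bytes out of range")
    return upper_bytes + bytes([facility]) + number.to_bytes(2, "big")


def id_to_printed(card_id: bytes) -> str:
    """Inverse of printed_to_id: the 3 lower bytes in the same "FFF,NNNNN" form."""
    return f"{card_id[2]:03d},{int.from_bytes(card_id[3:5], 'big'):05d}"


def encode_em4100(card_id: bytes) -> str:
    """Build the 64-bit EM4100 frame as a string of '0'/'1'.

    Layout: 9 header bits (all 1), then the 10 nibbles of the ID, each
    followed by an even row-parity bit, then 4 even column-parity bits,
    then a stop bit (0). There is nothing else in the frame: no challenge,
    no secret, so the ID is the entire payload.
    """
    if len(card_id) != 5:
        raise ValueError("EM4100 ID must be 5 bytes")
    nibbles = [n for b in card_id for n in (b >> 4, b & 0xF)]
    bits = [1] * 9
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) % 2]
    for col in range(4):
        bits.append(sum((n >> (3 - col)) & 1 for n in nibbles) % 2)
    bits.append(0)
    return "".join(str(b) for b in bits)


def decode_em4100(frame: str) -> bytes:
    """Recover the 5-byte ID from a 64-bit frame, verifying every parity bit.

    Raises ValueError on bad framing or a parity mismatch, which is how a
    reader rejects a noisy or partially captured transmission.
    """
    if len(frame) != 64 or frame[:9] != "1" * 9 or frame[63] != "0":
        raise ValueError("bad framing")
    bits = [int(c) for c in frame]
    nibbles = []
    for r in range(10):
        start = 9 + r * 5
        row = bits[start:start + 4]
        if sum(row) % 2 != bits[start + 4]:
            raise ValueError(f"row {r} parity mismatch")
        nibbles.append((row[0] << 3) | (row[1] << 2) | (row[2] << 1) | row[3])
    for col in range(4):
        if sum((n >> (3 - col)) & 1 for n in nibbles) % 2 != bits[59 + col]:
            raise ValueError(f"column {col} parity mismatch")
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 10, 2))


def frame_is_valid(frame: str) -> bool:
    """True if the frame has correct framing and all parity bits check out."""
    try:
        decode_em4100(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = encode_em4100(SAMPLE_ID)
    print("ID (hex, as Flipper shows it):", SAMPLE_ID.hex().upper())
    print("printed form of the 3 lower bytes:", id_to_printed(SAMPLE_ID))
    print("64-bit frame:", frame)
    print("decoded back:", decode_em4100(frame).hex().upper())
```

Running the module prints the constructed ID 1A00C0FFEE, its printed form 192,65518 and the round-tripped frame. Note that the row and column parity bits catch single-bit errors from a noisy read, but they authenticate nothing: any device that can produce this bit pattern is indistinguishable from the tag.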

[Video] Emulating 125 kHz RFID to open an electric door lock

To emulate an RFID tag, go to the menu 125 kHz RFID —> Saved, choose the tag and press Emulate.

Some intercoms try to protect themselves from key duplication by sending a write command before reading: if the write succeeds, the tag is considered a fake. When Flipper emulates an RFID tag there is no way for the reader to distinguish it from the original, so no such problems occur.

HID Prox

[Video] Flipper reading a HID26 tag

HID Global is the largest manufacturer of RFID devices in the world. They have several high- and low-frequency RFID protocols. The most popular low-frequency HID protocol is the 26-bit H10301 (also known as HID26 or HID Prox II). The unique code is 3 bytes (24 bits) long, and 2 more bits are used for parity checks to ensure the integrity of the data.

Some HID26 cards have numbers printed on them: the sales order number and the card's ID. You can't work out all 3 bytes from that information alone, since the card only has 2 of the bytes printed on it, in decimal format. That is the card's ID.

HID26 data structure on the card and when read using Flipper
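The following added Python example (not HID's or Flipper's code) lays out the 26 bits of H10301 so the relation between the 3 data bytes Flipper shows and the 2-byte number printed on the card is explicit: the word is an even-parity bit, an 8-bit facility code, the 16-bit card number, and an odd-parity bit. The facility code and card number used below are constructed.

```python
"""H10301 (HID26) Wiegand word: what the 26 bits are and how the printed
card number relates to the 3 data bytes Flipper shows. Added example, not
HID's or Flipper's code."""

# Bit numbering follows the usual Wiegand convention: bit 1 is the first
# bit transmitted (the MSB of the 26-bit word), bit 26 the last.
#   bit 1      : even parity over bits 2-13
#   bits 2-9   : 8-bit facility code (not printed on the card)
#   bits 10-25 : 16-bit card number (the decimal number printed on the card)
#   bit 26     : odd parity over bits 14-25


def _parity(value: int) -> int:
    """1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def encode_h10301(facility: int, card_number: int) -> int:
    """Pack facility code and card number into the 26-bit H10301 word."""
    if not (0 <= facility <= 0xFF and 0 <= card_number <= 0xFFFF):
        raise ValueError("facility code is 8 bits, card number 16 bits")
    data = (facility << 16) | card_number       # the 24 data bits
    even = _parity(data >> 12)                  # even parity over the high 12 data bits
    odd = 1 ^ _parity(data & 0xFFF)             # odd parity over the low 12 data bits
    return (even << 25) | (data << 1) | odd


def decode_h10301(word: int) -> tuple:
    """Unpack a 26-bit word into (facility, card_number), checking both parity bits."""
    if word < 0 or word >> 26:
        raise ValueError("H10301 is exactly 26 bits")
    data = (word >> 1) & 0xFFFFFF
    if (word >> 25) & 1 != _parity(data >> 12):
        raise ValueError("even parity mismatch")
    if (word & 1) != 1 ^ _parity(data & 0xFFF):
        raise ValueError("odd parity mismatch")
    return data >> 16, data & 0xFFFF


def word_is_valid(word: int) -> bool:
    """True if the word is 26 bits with both parity bits correct."""
    try:
        decode_h10301(word)
        return True
    except ValueError:
        return False


def data_bytes(word: int) -> bytes:
    """The 3 data bytes (facility code, then card number), as Flipper shows a HID26 read."""
    facility, card_number = decode_h10301(word)
    return bytes([facility]) + card_number.to_bytes(2, "big")


if __name__ == "__main__":
    # Constructed values: facility code 123, printed card number 45678.
    word = encode_h10301(123, 45678)
    print(f"26-bit word: {word:026b}")
    print("data bytes (hex):", data_bytes(word).hex().upper())
    print("decoded (facility, card number):", decode_h10301(word))
```

With the constructed facility code 123 and card number 45678 the data bytes come out as 7B B2 6E: the printed decimal number gives you B2 6E, while the first byte, the facility code, is the part you cannot read off the card.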

Of the HID family, Flipper can currently only work with the HID26 protocol. In the future, we plan to extend this list. HID26 is the most popular one, since it is compatible with most digital access control systems.

[Video] Flipper emulating a low-frequency card and opening the turnstile

Indala

Indala is an RFID protocol developed by Motorola and later acquired by HID. It is a very old protocol that you won't find in modern access control systems. Rare as it is, you may sometimes come across it in the field. At the time of writing Flipper works with Indala I40134.

[Video] Flipper reading an Indala card

As with HID26, cards using Indala I40134 have a unique code that is 3 bytes long. Unfortunately, Indala's data structure is proprietary, so everyone who wishes to support this protocol has to choose their own byte order and their own interpretation of the signal at the hardware level.

All these protocols are so simple that the card's ID may be entered manually, without the original card. Anyone with a Flipper and your card's ID in text form could enter it manually.

Manually Entering the Card's ID

[Video] Entering an Indala card's ID without having the card itself

To add a card's ID go to the menu and choose 125 kHz RFID —> Add manually, then select the protocol and enter the ID. The added card will be saved to the SD card and can then be emulated or written to a blank.

Writing to a Blank Card

There are special blank cards that support any of the three protocols mentioned above (EM-Marin, HID Prox, Indala); T5577 is the most popular blank card type. To write an ID to a blank card go to the menu 125 kHz RFID —> Saved, choose the key you want and press Write.

[Video] Writing to a T5577 blank card

High-Frequency 13.56 MHz Protocols

High-frequency 13.56 MHz tags are covered by a whole set of standards and protocols. They are usually referred to as NFC, but that is not always correct. The basic protocol set used on the physical and logical levels is ISO 14443. Higher-level protocols, as well as alternative standards (like ISO 19092), are built on top of it.

ISO 14443-A seems to be the most common implementation. Almost all public transport and office passes use it, and so do bank cards.

NFC's architecture simplified

To put it simply, NFC's architecture works like this: the transmission protocol is chosen by the company making the cards and implemented on top of the low-level ISO 14443. For example, NXP invented its own high-level transmission protocol called Mifare, but at the lower level Mifare cards are based on the ISO 14443-A standard.

Flipper can interact with the low-level ISO 14443 protocol, as well as with the Mifare Ultralight data transfer protocol and the EMV protocol used in bank cards. We are working on adding support for Mifare Classic and NFC NDEF. A thorough look at the protocols and standards that make up NFC deserves a separate article, which we plan to publish later.

Plain UID of the ISO 14443-A Standard

[Video] Reading a UID from a High-frequency tag of an unknown type

All high-frequency cards based on the ISO 14443-A standard have a unique chip ID (UID). It acts as the card's serial number, like a network card's MAC address. Usually the UID is 4 or 7 bytes long, but it can rarely go up to 10. UIDs are not secret and are easily readable, sometimes even printed on the card itself.

There are many access control systems that rely on the UID alone to authenticate and grant access. Sometimes this happens even when the RFID tags support cryptography. Such misuse brings them down to the level of the dumb 125 kHz cards in terms of security. Virtual cards (like Apple Pay) use a dynamic UID so that phone owners won't go opening doors with their payment app.

[Video] iPhone generates a new UID for each time Apple Pay is read

Since the UID is a low-level attribute, you may find yourself in a situation where the UID has been read but the high-level data transfer protocol is still unknown. Using Flipper you can read, emulate and manually enter a UID for the primitive readers that use the UID for authorization.

Reading the UID VS Reading the Data Inside

NFC read menu is divided into two parts, low-level read and high-level read

In Flipper, reading 13.56 MHz tags can be divided into two parts:

  • Low-level read — reads only the UID, SAK and ATQA. Flipper tries to guess the high-level protocol based on this data. You can't be 100% certain of the result, as it is just an assumption based on a few indicators.
  • High-level read — reads the data from the card's memory using a specific high-level protocol: the data on a Mifare Ultralight, the sectors of a Mifare Classic, or the card attributes from PayPass/Apple Pay.
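As an added illustration of what a low-level read actually yields (this is example Python, not Flipper firmware code), the block below interprets the three fields named above: the UID size encoded in the ATQA, the anticollision frames the UID is delivered in with their BCC check bytes, the random-UID marker that dynamic UIDs such as a phone wallet's carry, and a SAK/ATQA type guess after NXP's application note AN10833. The two sample reads are constructed, not captured from real cards, and the type table is deliberately a heuristic, which is the point the text makes about the guess never being certain.

```python
"""Interpreting a low-level ISO 14443-3A read (ATQA, SAK, UID) before any
high-level protocol is spoken. Added example, not Flipper firmware code;
the type table is a heuristic, which is why such a guess can't be certain."""

from dataclasses import dataclass

CASCADE_TAG = 0x88   # first byte of an anticollision frame when more UID bytes follow
RANDOM_UID0 = 0x08   # UID0 of a 4-byte UID that is random per activation (ISO 14443-3)


@dataclass(frozen=True)
class LowLevelRead:
    atqa: int    # 16-bit ATQA value, e.g. 0x0044
    sak: int     # final SAK byte
    uid: bytes   # complete UID: 4, 7 or 10 bytes


def uid_size_from_atqa(atqa: int) -> int:
    """Bits 7-6 of the ATQA code the UID size: 00 -> 4, 01 -> 7, 10 -> 10 bytes."""
    sizes = {0: 4, 1: 7, 2: 10}
    code = (atqa >> 6) & 0b11
    if code not in sizes:
        raise ValueError("reserved UID size code in ATQA")
    return sizes[code]


def xor_all(data: bytes) -> int:
    result = 0
    for b in data:
        result ^= b
    return result


def cascade_frames(uid: bytes) -> list:
    """Split a UID into the 5-byte anticollision frames (4 UID bytes + BCC)
    the card answers at each cascade level. A 7-byte UID needs two levels,
    a 10-byte UID three; the cascade tag 0x88 fills the first slot whenever
    more bytes follow. BCC is the XOR of the 4 preceding bytes."""
    if len(uid) not in (4, 7, 10):
        raise ValueError("UID must be 4, 7 or 10 bytes")
    frames, rest = [], uid
    while len(rest) > 4:
        body = bytes([CASCADE_TAG]) + rest[:3]
        frames.append(body + bytes([xor_all(body)]))
        rest = rest[3:]
    frames.append(rest + bytes([xor_all(rest)]))
    return frames


def bcc_ok(frame: bytes) -> bool:
    """Check one anticollision frame the way a reader does before trusting it."""
    return len(frame) == 5 and xor_all(frame[:4]) == frame[4]


def is_random_uid(uid: bytes) -> bool:
    """A 4-byte UID starting with 0x08 is random and is not a stable identifier;
    this is what the dynamic UID of a phone wallet looks like to a reader."""
    return len(uid) == 4 and uid[0] == RANDOM_UID0


def guess_card_type(read: LowLevelRead) -> str:
    """Heuristic SAK/ATQA to likely high-level protocol mapping (after NXP
    AN10833). Clones and other vendors reuse these values, so it is a hint."""
    if read.sak & 0x20:
        return "ISO 14443-4 compliant (e.g. EMV bank card, Mifare DESFire)"
    if read.sak == 0x00 and read.atqa == 0x0044:
        return "Mifare Ultralight family"
    if read.sak == 0x08 and read.atqa == 0x0004:
        return "Mifare Classic 1K"
    if read.sak == 0x18 and read.atqa == 0x0002:
        return "Mifare Classic 4K"
    return "unknown"


def analyze(read: LowLevelRead) -> dict:
    """Everything a low-level read can tell, plus the consistency checks."""
    frames = cascade_frames(read.uid)
    return {
        "uid_size_matches_atqa": uid_size_from_atqa(read.atqa) == len(read.uid),
        "random_uid": is_random_uid(read.uid),
        "all_bcc_ok": all(bcc_ok(f) for f in frames),
        "cascade_frames": [f.hex().upper() for f in frames],
        "type_guess": guess_card_type(read),
    }


# Constructed sample reads (not real cards).
ULTRALIGHT_LIKE = LowLevelRead(atqa=0x0044, sak=0x00, uid=bytes.fromhex("04A1B2C3D4E5F6"))
BANK_CARD_LIKE = LowLevelRead(atqa=0x0004, sak=0x20, uid=bytes.fromhex("081F2E3D"))

if __name__ == "__main__":
    for name, read in (("Ultralight-like", ULTRALIGHT_LIKE), ("bank-card-like", BANK_CARD_LIKE)):
        print(name, analyze(read))
```

The first sample resolves to a two-level 7-byte UID and an Ultralight guess; the second has a random 4-byte UID and a SAK with bit 0x20 set, so all a reader can say is that the card speaks ISO 14443-4 and that its UID will be different next time, which is exactly why a UID-only access system can neither identify nor safely trust it.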

To use a specific high-level protocol when reading data go to NFC —> Run special action and choose the type of tag you want to read.

To try and guess the type of tag and read the UID, go to NFC —> Read card. So far Flipper can only detect Mifare Ultralight and EMV bank cards.

Mifare Ultralight

[Video] Reading data off a Mifare Ultralight

Mifare is a family of contactless smart cards with several high-level protocols. The simplest of them is Mifare Ultralight. In its basic version it has only 64 bytes of embedded flash memory and no cryptographic protection. Flipper can both read and emulate Mifare Ultralight cards. Such tags are often used as passes granting access to offices, houses and public transport; Moscow public transport tickets, for example, use Mifare Ultralight.

EMV Bank Cards (PayPass, payWave, Apple Pay, Google Pay)

[Video] Reading data from a bank card

EMV (Europay, Mastercard, and Visa) is the international standard set for bank cards. Bank cards are now full-fledged smart cards with complex data exchange protocols and support for asymmetric encryption. Apart from simply reading the UID, you can extract a lot more data from a bank card: the full card number (the 16 digits on the front of the card), the expiry date and, in some cases, even the owner's name along with a list of the most recent transactions.

Since the EMV standard may be implemented differently, the data that can be extracted varies from card to card. You can't read the CVV this way (the 3 digits on the back of the card).

Bank cards are protected from replay attacks, so copying one with Flipper and then trying to emulate it to pay for something won't work.

Tokenized Apple Pay Card VS Physical Bank Card

Comparing the security of a virtual bank card and its physical counterpart

Compared to a plastic bank card, the virtual card in your phone gives away less information and is safer for offline payments.

Apple Pay and Google Pay have several advantages:

  • They don't allow captured data to be used for online payments — a normal card can be used for Card-Not-Present (CNP) transactions: you can sometimes pay online or over the phone with just the card's details. Intercepted virtual card data can't be used in this way. After a card is registered with Apple Pay all payments go through a virtual token and all operations are cryptographically signed. Reading Apple Pay data yields the PAN and expiration date of the virtual token, not of the original physical card, so if someone tries to use data intercepted from a virtual card to pay online, the payment will be declined because it lacks the required signature.
  • They don't disclose the card owner's name — some contactless cards transmit the cardholder's name and recent transaction data. Virtual cards don't.

Bank card support in Flipper is implemented solely to demonstrate high-level protocols. We do not plan to extend this function further. Contactless bank card security is good enough that there is no need to worry about devices such as Flipper being used to attack bank cards.

Stay Tuned

Our social media subscribers get all the Flipper Zero news first! Join in and get access to sneak peeks, insider information, and more.