Proxmark3 community

atmel9077

Contributor

Registered: 2017-06-25

Posts: 46

Interesting feature of $5 RFID reader

Hello

2 years ago I bought a RFID reader module to use with my Arduino for $5. Now it seems that price have dropped, you can buy one for less than $2 here.

This reader module uses a RC522 chip from NXP, it does only support ISO-14443 Type A and also supports the CRYPTO1 encryption for (in)secure communication with MIFARE tags.

Today I found some interesting stuff in the datasheet

On page 5, on the block diagram, the RX pin is connected to I and Q demodulators followed by I and Q ADCs (analog to digital converters). This strongly suggests that the RC522 does not use analog components like mixers, integrators, etc... for demodulating the signal, but instead the complex baseband components are digitized then processed in the digital domain. Actually, many radio receivers works like this today, for example Wi-Fi, mobile phones, television receivers all does the modulation/demodulation in the digital domain.

Then on page 68 the datasheet states that there is a register called "TestADCReg" that allows to read the value of the I and Q ADCs. What's interesting is that accessing this register would actually turn the RC522 into a "software-defined radio".

And on page 24 the datasheet states that the MFIN pin can be used to externally provide modulation to the RC522. There are also registers that can set the modulation index.

This means that this chip could be capable of reading tags of different standards:
-ISO 14443 Type B
-ISO 15693
-FeliCa
-IClass (modified ISO 15693)
-Legic RF

As I haven't tested anything, I don't know if the demodulator works if the reader is not transmitting. If it was the case the RC522 could also be used for sniffing.

I can't prove this is working, because I haven't tested, and making it work would need a lot of work (programming a demodulator). And it certainly couldn't replace a Proxmark, the performance will probably be much inferior. I posted because I found this interesting and I think there is something to explore here.

Sentinel

Contributor

Registered: 2012-11-26

Posts: 191

Re: Interesting feature of $5 RFID reader

Hi atmel9077!
That's right, for example this encoder is based on MFRC522. Can read ISO15693 cards
tesa.es/en/site/tesa/products/tesa-hotel-product/management-devices/proximity-encoder

atmel9077

Contributor

Registered: 2017-06-25

Posts: 46

Re: Interesting feature of $5 RFID reader

On the site there is no mention of RC522, how can you know it it uses this chip?

Sentinel

Contributor

Registered: 2012-11-26

Posts: 191

Re: Interesting feature of $5 RFID reader

I have it )

atmel9077

Contributor

Registered: 2017-06-25

Posts: 46

Re: Interesting feature of $5 RFID reader

Did you check if it does not have another chip for 15693? My idea of using the I/Q ADC of the RC522 is to use it "like a proxmark". For "normal operation" they can use a chip that natively supporte 15693

Sentinel

Contributor

Registered: 2012-11-26

Posts: 191

Re: Interesting feature of $5 RFID reader

they only use mfrc522
TxSelReg         =0x20;     //MFIN: active,   MFOUT:  three-state
AnalogTestReg = 0x60;     //AUX1: ADC_Q,   AUX2:  three-state
Through a MFIN they control the field, through a AUX1 they remove the signal

atmel9077

Contributor

Registered: 2017-06-25

Posts: 46

Re: Interesting feature of $5 RFID reader

Interesting! What microcontroller is it using? If it can be reprogrammed it could be used for sniffing.

Sentinel

Contributor

Registered: 2012-11-26

Posts: 191

Re: Interesting feature of $5 RFID reader

cy8c29466  cypress

Sentinel

Contributor

Registered: 2012-11-26

Posts: 191

Re: Interesting feature of $5 RFID reader

unfortunately, I do not understand this architecture(((   but, the board has a connector for debugging, 5 pin, left on the photo

Last edited by Sentinel (2018-02-20 16:53:18)