A tale of 102 RFID cards

About 6 months ago I bought 102 EM4100 protocol RFID cards (from here) and a compatible RFID reader https://www.sparkfun.com/products/8419.

EM4100 protocol cards are factory programmed with an 8-bit Customer or Version ID, a 32-bit unique code and some parity information. Once the card is powered up by being within range of a reader it starts repeatedly transmitting this code, Manchester encoded, which looks something like this.

Data capture

The theoretical minimum transmission time for one card is about 28 ms, however many readers require the code to be transmitted twice before it is accepted.

This gives a total keyspace of 4,294,967,296 (2^32), or 1,099,511,627,776 (2^40) if unique Customer or Version IDs are also used. At the theoretical minimum transmission time of 28 ms this gives a worst-case brute force time of 3.81086182 years, or 975.580625 years with unique Customer or Version IDs.

Let's assume you don't know the Customer or Version ID and you are attacking a door with 10,000 valid cards: at 0.028 seconds per card it would take 35.63 days. Knowledge of the Customer or Version ID takes this time down to 3.341 hours.

A more realistic example of 200 valid cards would take 6.959 days with knowledge of the Customer or Version ID, or 4.87895 years without it.

One major security feature is the relatively slow transmission speed: you will have a hard time finding a commercial reader that can read cards back to back at 28 milliseconds each. Generally you get a reading time between 0.1 and 1 seconds.

However this security relies on the numbers being uniquely random. If a company uses the same Customer or Version ID on all its cards and an attacker knows this number, the system entropy has been reduced by 1,095,216,660,480 potential combinations, a 99.61% reduction.

So with the entire security of the system relying on the strength of the random number generator used to program these cards, let's have a look at two separate packs of 51 cards I bought on eBay from China.

99 of the cards had the same Customer or Version ID of 0x06, with the remaining 3 cards having 0x07.

Here is a graph showing the 99 cards in the order they were shipped, with their Customer or Version ID omitted.

Data capture

Min: 25773269859
Max: 25785845002
Range: 12575143

Right off the bat you can tell that there is a problem here: the vast majority of cards are in very close proximity to others. The problem is even more obvious once the cards have been clustered.

Cluster   Share    Mean            Std. deviation
1         42.42%   25775067346.5   14166.12
2         39.39%   25774974455     11566.25
3         10.10%   25785758931.5   6361.64
4          4.04%   25785473311.5   9401.02
5          1.01%   25785845002     N/A (one card only)
6          1.01%   25785343243     N/A (one card only)
7          1.01%   25773269859     N/A (one card only)
8          1.01%   25775166994     N/A (one card only)

Even with a more realistic reading time of 0.2 seconds per card you have a 40.4% chance of guessing one valid RFID card within 5666.448 seconds (95 minutes) based on cluster 1 alone. Including cluster 2 you have a 78.08% chance of guessing a valid RFID card in under 10292.948 seconds (172 minutes).
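The brute-force estimate from earlier and the per-cluster sweep time used just above (2 × std. deviation × read time, which reproduces the 5666.448 second figure for cluster 1) are easy to turn into a check a buyer can run on a fresh batch of cards before deploying them. This is an added example, not the post's own code; the card IDs in it are constructed to mimic the post's finding and are not the author's raw data, and the 100,000 clustering gap is an assumed threshold.

```python
"""Audit a batch of EM4100 card IDs for clustering. Added example, not the
post's code; the sample IDs are constructed, not the author's raw data."""
from statistics import mean, stdev

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def brute_force_years(id_bits, seconds_per_try):
    """Worst-case time to sweep the whole ID space at one try per card read."""
    return (2 ** id_bits) * seconds_per_try / SECONDS_PER_YEAR

def cluster_ids(ids, gap):
    """Group sorted IDs; a jump larger than `gap` between neighbours starts a new cluster."""
    clusters, current = [], []
    for cid in sorted(ids):
        if current and cid - current[-1] > gap:
            clusters.append(current)
            current = []
        current.append(cid)
    clusters.append(current)
    return clusters

def sweep_seconds(std_dev, read_time):
    """Time to try every ID within one standard deviation either side of a cluster mean."""
    return 2 * std_dev * read_time

def audit(ids, gap=100_000, read_time=0.2):
    """Per cluster: card count, share of the batch, centre, spread and sweep time."""
    report = []
    for c in cluster_ids(ids, gap):
        sd = stdev(c) if len(c) > 1 else None  # a lone card has no spread
        report.append({"cards": len(c), "share": len(c) / len(ids), "mean": mean(c),
                       "std": sd, "sweep_s": None if sd is None else sweep_seconds(sd, read_time)})
    return report

# Constructed sample (assumed, not the post's data): 8 cards around 25775.07M,
# 4 around 25785.76M and two loners, echoing the clustering seen in the post.
SAMPLE_IDS = [25775067346, 25775059120, 25775080233, 25775071008, 25775051977,
              25775088402, 25775063150, 25775075519, 25785758931, 25785752044,
              25785766180, 25785761277, 25773269859, 25785343243]

if __name__ == "__main__":
    print(f"Full 32-bit sweep at 28 ms per try: {brute_force_years(32, 0.028):.2f} years")
    for row in audit(SAMPLE_IDS):
        print(row)
```

A batch whose largest cluster holds most of the cards with a sweep time measured in minutes is one to send back to the supplier, or to pair with a PIN.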

This pattern persisted through two stacks of cards (individually packaged, I might add), so if you know the supplier used you could have a good chance of guessing a valid card. The big "security by X" logo stuck on the door can be a big hint here. The clusters appear pretty quickly, so buying even 10 cards from a company could be enough to start an attack with good chances.

Another scenario is if you obtain a lost invalid or partially valid (e.g. low security areas only) card: you can use that to stage an attack by guessing numbers around it, with potentially some success.

However the addition of even a 2 digit PIN code alongside the RFID card makes these attacks infeasible on increased input time alone.

Another mitigation strategy is to increase the processing time per card into the range of seconds. This has the added benefit of not only decreasing the feasibility of such an attack but also not requiring users to change their behaviour. Unlike an additional PIN code, however, this does not protect against lost or stolen cards.

Raw Data available as an ODS file: RFID Results

Duplicating house keys using a 3d printer

I had the idea to duplicate some house keys on my Makerbot Thing-O-Matic 3D printer after seeing a post about it on Thingiverse here.

After messing around with that script for a while I couldn't really get it to work, so I decided to make a script from scratch to improve my SCAD skills. (SCAD is like a programming language for creating parametric 3D CAD objects.)

After a few hours with a key and a pair of digital calipers I had an object that fit in the lock but had not been cut (think of a blank key).

Key Blank Openscad

Blank comparison - front

Blank comparison - Top

From there I started working on the cuts. On this particular key the cut depth appeared to be a multiple of 0.58 mm, with the spacing between cuts equal to 4.12 mm. Some of these measurements were obtained using this cheat sheet.

This step was mostly trial and error; I made modifications halfway through to reduce printing time, and many modifications to the multipliers, cut depths, etc.

All keys

Eventually I came up with the results shown above. After the measurements were perfected the keys started to work. The keys are brittle but do work, and most locks don't offer much resistance when turning a key that fits. A torsion bar could be used to turn rusted or heavy locks.

Every key has a bit-code, a set of numbers that identify the key's ID number. Any similar style key with the same bit-code will work in the same lock. I was able to guess the bit-code, but this photo shows what I'm doing. We are measuring the dips and not the ridges; the ridges exist to ensure the tumbler pins rest in place.

Note: in my script the bit-code runs from base to tip; other scripts or even official documentation may differ.


The keys only have 7 ridges based on the documentation linked above. This gives a total key-space of 7^7, or 823,543 different combinations.

With such a small number of combinations it's not hard to see why lock-picking isn't difficult. Not only that, but the keys are pretty easy to duplicate from visual identification alone; the SNEAKEY system demonstrated this, as shown here.

OpenSCAD Render

Cut comparison

Cut - Lock

In total I did this entire project in just a few hours; it's scary how simple many of these keys are in design. I would estimate that I could duplicate high security keys in a similar time if my printer had the accuracy. Sure, some of these high security keys are very difficult to pick, but if all it takes is visual inspection of a key to breach a lock then this presents a problem for people who wish to keep things behind locked doors.

Perhaps now, with the boom of consumer grade 3D printers, it's more important than ever to move to digital keys.

Motorbike Clock Part 1

I bought 3 Samsung 2233 120 Hz LCDs on the cheap before they were discontinued over a year ago. They are great screens and the 120 Hz refresh rate is very nice on the eyes.

However one of them broke! Devastated, I immediately took the thing apart. It would turn on for only a second: the backlight would flash and turn off with the LCD still functioning, so a broken backlight. Having encountered the problem many times before, I immediately suspected a leaky capacitor. Easy enough to fix: replace a few broken capacitors with some from Jaycar. However all the capacitors were 100% fine.

I checked the primary rails of 13 V, 5 V and 3.3 V and they were all fine when the screen was on, so it's not the capacitors or the rails. I then checked the backlight control lines that lead into the power supply for spikes or changes. Everything was still operating as expected.


I followed where the control lines led on the PCB and arrived at a control chip. After some probing I noticed one of its feedback lines was out of the expected range of 1-2 V given in the datasheet. Its lines connected to a set of transistors that in turn connected to the LCD inverter output.

Backlight outline

This meant that either the MOSFET was blown or the transformer was broken. Some probing later it appeared as if the MOSFET was working fine, so I de-soldered the transformer to measure its coil resistance.

Coil resistance

The supposedly identical secondary coils were out of step by a massive 40%: 881 and 1233 ohms respectively. I have zero idea how a passive component could fail like this, but it has.

I ordered a replacement off eBay here and the screen was then fine! The coil resistance was 890 ohms on both secondary coils, and the feedback loop was then stable at 1.5 V, exactly in the middle of the expected 1-2 V range.
