A tale of 102 RFID cards

About 6 months ago I bought 102 EM4100 protocol RFID cards (from here) and a compatible RFID reader: https://www.sparkfun.com/products/8419.

EM4100 protocol cards are factory-programmed with an 8-bit Customer or Version ID, a 32-bit unique code and some parity information. Once the card powers up from being within proximity of a reader, it starts blasting out this code in Manchester encoding, which looks something like this.

Data capture

The theoretical minimum transmission time is about 28 ms; however, many readers require the code to be transmitted twice before they accept it.

This gives a total keyspace of 4,294,967,296 (2^32), or 1,099,511,627,776 (2^40) if you are using unique Customer or Version IDs. At the theoretical minimum transmission time of 28 ms, this gives a worst-case brute-force time of 3.81086182 years, or 975.580625 years if using unique Customer or Version IDs.
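The frame behind that keyspace, as an added example that is not part of the original post: it assumes the standard EM4100 64-bit layout (9 header bits, ten 4-bit rows each with an even parity bit, 4 column parity bits, a 0 stop bit), validates it, and reproduces the brute-force figures above. The function names and the sample card value are made up for illustration.

```python
# Added example (not from the original post): EM4100 64-bit frame handling.
HEADER = [1] * 9                       # nine 1-bits mark the start of a frame
FRAME_TIME_S = 0.028                   # per-code transmit time quoted in the post
SECONDS_PER_YEAR = 365.2422 * 86400    # tropical year; reproduces the post's figures


def encode(version, uid):
    """Build the 64-bit frame for an 8-bit version and 32-bit unique code."""
    if not (0 <= version < 2**8 and 0 <= uid < 2**32):
        raise ValueError("version is 8 bits, uid is 32 bits")
    value = (version << 32) | uid
    rows = []
    for shift in range(36, -1, -4):            # ten nibbles, most significant first
        bits = [(value >> (shift + i)) & 1 for i in (3, 2, 1, 0)]
        rows.append(bits + [sum(bits) % 2])    # even parity per row
    columns = [sum(r[c] for r in rows) % 2 for c in range(4)]
    return HEADER + [b for r in rows for b in r] + columns + [0]   # stop bit 0


def decode(frame):
    """Return (version, uid); raise ValueError on any framing or parity fault."""
    if len(frame) != 64 or frame[:9] != HEADER or frame[63] != 0:
        raise ValueError("bad length, header or stop bit")
    rows = [frame[9 + 5 * i:14 + 5 * i] for i in range(10)]
    for i, row in enumerate(rows):
        if sum(row) % 2:
            raise ValueError(f"row {i} parity error")
    for c in range(4):
        if (sum(r[c] for r in rows) + frame[59 + c]) % 2:
            raise ValueError(f"column {c} parity error")
    value = 0
    for r in rows:
        value = (value << 4) | (r[0] << 3 | r[1] << 2 | r[2] << 1 | r[3])
    return value >> 32, value & 0xFFFFFFFF


def worst_case_years(id_bits, frame_time_s=FRAME_TIME_S):
    """Time to transmit every possible code once, in years."""
    return (2 ** id_bits) * frame_time_s / SECONDS_PER_YEAR


if __name__ == "__main__":
    frame = encode(0x06, 0x001259E3)           # constructed sample card, not a real ID
    print("".join(map(str, frame)), decode(frame))
    frame[20] ^= 1                             # simulate a single-bit read error
    try:
        decode(frame)
    except ValueError as err:
        print("rejected:", err)
    print(round(worst_case_years(32), 2), round(worst_case_years(40), 2))
```

The parity bits only catch read errors; they add nothing to the keyspace, which is why the estimates depend on the 32 or 40 ID bits alone.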

Duplicating house keys using a 3d printer

I had the idea to duplicate some house keys on my MakerBot Thing-O-Matic 3D printer after seeing a post about it on Thingiverse here.

So after messing around with the script for a while I couldn't really get it to work, so I decided to just make a script from scratch to improve my SCAD skills. (SCAD is like a programming language for creating parametric 3D CAD objects.)

After a few hours with a key and a pair of digital calipers I got an object that fit in the lock but has not been cut (think of a blank key).

Key Blank OpenSCAD

Blank comparison - front

Blank comparison - Top

From there I started working on the cuts. On this particular key the cut depth appeared to be a multiple of 0.58 mm, with the spacing between cuts equal to 4.12 mm. Some of these measurements were gained by using this cheat sheet.

This step was mostly trial and error. I made modifications halfway through to reduce printing time, and many modifications to the multipliers, cut depths, etc.

All keys

Eventually I came up with some results as shown above. After the measurements were perfected the keys started to work. The keys are brittle but do work, and most locks don't have much resistance turning the key when the key fits. A torsion bar could be used to turn the key in rusted or heavy locks.

Every key has a bit-code: a set of numbers that identify the key's ID number. Any similar style key with the same bit-code will work in the same lock. I was able to guess the bit-code, but this photo will show what I'm doing. We are measuring the dips and not the ridges; the ridges exist to ensure the tumbler pins rest in place.

Note: In my script the bit-code goes from base to tip, other scripts or even official documentation may be different.


The keys only have 7 ridges based on documentation linked above. This gives a total key-space of 7^7 or 823,543 different combinations.

With such a small combination of ridges it's not hard to see why lock-picking isn't difficult. Not only that, but the keys are pretty easy to duplicate based off visual identification; the SNEAKEY system demonstrated this as shown here.

OpenSCAD Render

Cut comparison

Cut - Lock

In total I did this entire project in just a few hours; it's scary how simple many of these keys are in design. I would estimate that I could duplicate high security keys in a similar time if my printer has the accuracy. Sure, some of these high security keys are very difficult to pick, but if all it takes is visual inspection of a key to breach a lock then this presents a problem for people who wish to keep things behind locked doors.

Perhaps now, with the boom of consumer-grade 3D printers, it's more important than ever to move to digital keys.

Fixing a broken Samsung 2233 LCD

I bought 3 Samsung 2233 120 Hz LCDs on the cheap before they were discontinued over a year ago. They are great screens and the 120 Hz refresh rate is just very nice on the eyes.

However, one of them broke! Devastated, I immediately took the thing apart. It would turn on for only a second, the backlight would flash and turn off with the LCD still functioning: a broken backlight. Having encountered the problem many, many times, I immediately thought it was a leaky capacitor. Easy enough thing to fix: replace a few broken capacitors with some from Jaycar. However, all the capacitors were 100% fine.

I checked the primary rails of 13 V, 5 V, 3.3 V and they were all fine when the screen was on. So it's not the capacitors or the rails. So I checked the backlight control lines that lead into the power supply for spikes or changes. Everything was still operating as expected.

I followed where the control lines lead on the PCB and was led to a control chip. After some probing I noticed one of its feedback lines was out of the expected range according to the datasheet of 1-2 V. Its lines connected to a set of transistors that in turn connected to the LCD inverter output.

Backlight outline

This meant that either the MOSFET was blown or the transformer was broken. Some probing later and it appeared as if the MOSFET was working fine. I then de-soldered the transformer to measure its coil resistance.

Coil resistance

The identical secondary coils were out of sync by a massive 40%! 881 and 1233 ohms respectively. I have zero idea how a passive component could fail like this but it has.

I ordered a replacement off eBay here and the screen was then fine! The coil resistance was 890 ohms on both secondary coils. The feedback loop was then stable at 1.5 V, exactly in the middle of the expected range of 1-2 V.
