[Aaron] was looking for a cheap RFID reader that had some easy to follow documentation and a standardized interface. Most everything he saw was pretty expensive, so he decided to buy a cheap $10 reader from eBay to see how easy it would be to work with.
The reader came with very little documentation, but [Aaron] did know that the device identifies itself as a USB keyboard, outputting scanned tag data into a text editor. That functionality wasn’t incredibly useful, so he took it apart to see if he could interface with it in some other manner. Exposing the PCB revealed an unknown IC for which he could find no documentation, but the board did include some breakout pins, so [Aaron] started by probing those for data.
He tried reading the data in both a terminal program and with a logic analyzer, but nothing seemed to make a whole lot of sense. He turned the sampling rate of the sniffer down, and things started looking a little better. After comparing the data from the sniffer with known tag codes, he noticed that each digit had an offset of 39 applied, so he whipped up a bit of code to correct the numbers.
[Aaron] did a good amount of legwork to get usable data from the reader, but at a cost of $10 it can’t be beat. We certainly know what we’re going to be hunting for on eBay this afternoon…
WOW, we didn’t expect this much traffic, please hold on for a bit (should be an hour or two) while we upgrade the server that currently hosts thetransistor.com
Thanks
“Waiting for thetransistor.com…” 4:25 EST
Linky no worky, looks like thetransistor.com has no voltage at its gate… however Google cache: http://webcache.googleusercontent.com/search?q=cache:jTs5r5eLJFoJ:http://thetransistor.com/2011/10/hacking-cheap-rfid-readers/
Thanks for that! And here’s the same seller’s US ebay auction: http://www.ebay.com/itm/Proximity-USB-Interface-Reader-125Khz-EM4100-ID-Cards-/110774360113?pt=LH_DefaultDomain_0&hash=item19caaa9831
BTW this appears to be the same RFID reader, at around $10 and they’ve got hundreds in stock: http://cgi.ebay.co.uk/ws/110774361494
Think I’ll order one for the hell of it, something to tinker with on a rainy day, especially at that price and the great work Aaron put into hacking this thing for microcontroller usage.
You can get a cheap, UART-based RFID reader with documentation from iTeadStudio: http://iteadstudio.com/store/index.php?main_page=product_info&cPath=16&products_id=6
I have a couple of these and can attest that they are indeed cheap, incredibly easy to use, and have good documentation.
I’ve just done a bit of decoding, the Data is sent in packets –
189 – Start of Packet
5 – Number of keypresses
39 – USB Key Code for “0” 27 Hex
39 – USB Key Code for “0” 27 Hex
30 – USB Key Code for “1” 1E Hex
33 – USB Key Code for “4” 21 Hex
38 – USB Key Code for “9” 26 Hex
5 – ??? End of packet / Check Digits
3 – ??? End of packet / Check Digits
(delay of 100 ms)
189 – Start of Packet
6 – Number of Keypresses
31 – USB Key Code for “2” 1F Hex
31 – USB Key Code for “2” 1F Hex
32 – USB Key Code for “3” 20 Hex
35 – USB Key Code for “6” 23 Hex
36 – USB Key Code for “7” 24 Hex
40 – USB Key Code for “Enter” 28 Hex
5 – ??? End of packet / Check Digits
? – ??? End of packet / Check Digits
USB scan codes from http://www.quadibloc.com/comp/scan.htm
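An added example (not code from the original post or from any commenter) that decodes the packet layout listed in the comment above, which is the kind of number correction the article describes, done here by USB HID key-code lookup rather than a fixed offset. It assumes the bytes were already captured from the breakout pin; `parse_packets`, `decode_tags` and `SAMPLE` are hypothetical names, and the two trailing bytes are kept as opaque data because the comment does not identify them.

```python
START = 189       # start-of-packet byte, per the comment's listing
TRAILER_LEN = 2   # two trailing bytes of unknown meaning: kept, not validated

# USB HID keyboard usage IDs: 0x1E-0x26 are '1'-'9', 0x27 is '0', 0x28 is Enter.
HID_KEYS = {0x1E + i: str(i + 1) for i in range(9)}
HID_KEYS[0x27] = "0"
HID_KEYS[0x28] = "\n"


def parse_packets(stream):
    """Yield (keys, trailer) per packet; skip noise, stop on a truncated packet."""
    i = 0
    while i < len(stream):
        if stream[i] != START:
            i += 1  # resynchronise on the next start byte
            continue
        if i + 1 >= len(stream):
            break  # start byte with no length byte after it
        count = stream[i + 1]
        end = i + 2 + count + TRAILER_LEN
        if end > len(stream):
            break  # truncated capture: do not guess at the missing bytes
        codes = stream[i + 2 : i + 2 + count]
        # Unmapped key codes become '?' so a bad capture is visible in the output.
        keys = "".join(HID_KEYS.get(c, "?") for c in codes)
        yield keys, bytes(stream[i + 2 + count : end])
        i = end


def decode_tags(stream):
    """Join keypresses across packets; only IDs terminated by Enter are returned."""
    typed = "".join(keys for keys, _ in parse_packets(stream))
    return [tag for tag in typed.split("\n")[:-1] if tag]


# Constructed sample: the two packets from the comment. The final byte is a
# placeholder (0), because the comment lists that value as unknown.
SAMPLE = bytes([189, 5, 39, 39, 30, 33, 38, 5, 3,
                189, 6, 31, 31, 32, 35, 36, 40, 5, 0])

if __name__ == "__main__":
    print(decode_tags(SAMPLE))
```

A tag ID spans more than one packet, so the decoder waits for the Enter key code before reporting an ID and reports nothing for a capture that ends mid-tag.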
Great sleuthing work there, it also brings up the question: could it be possible to inject codes from a microcontroller into the RFID board somehow to produce key presses on the USB keyboard output?
Can somebody explain to me why he had to lower the Logic Sniffer’s scan rate frequency to get the correct data???
It’s to do with sampling theorem. Once you start sampling at a rate that is inverse square of the input frequency, the signal becomes messy. Just need to back things off a little.
You can always Google it for more info.
Oh the data was correct. He just didn’t get all of it. I guess lowering the frequency made it possible to capture a longer timespan.
I puked a little in my mouth when I saw the USB-A-Plug to USB-A-Plug cable :-(
Indeed that reminds me of a cigarette lighter usb power adapter that outputted 13.8V instead of 5V.
I can still smell the ‘burned phone’ smell in the car.
Great work Aaron,
Which wire is which on the breakout pix?
http://lh4.ggpht.com/-tWz_4d0jlkY/Tp0UHfzpqmI/AAAAAAAAGu4/oR0lsJ2VuwY/IMG_20110927_194836_thumb%25255B1%25255D.jpg?imgmax=800
I forgot to mention that in the post, it’s the orange wire.
Quite interesting. I had a quick look around and found that there is another cheap reader / door-opener available through ebay.
It is called M236B. Does anyone have any experience with it? Apparently it is a standalone device.
Could you please post a link? Sounds interesting.
Hm, actually they are called MG236B. Here is an example. Seems like they are also sold as AD2000-M.
http://www.ebay.com/itm/RFID-Proximity-Door-Lock-Access-Control-System-10-Kefobs-Keys-Silver-New-/180720984314?pt=LH_DefaultDomain_0&hash=item2a13cf60fa
I do not know the seller and do not recommend them!
I recently bought one of these readers and I am extremely confused. What is the proper procedure for it to output data over USB? Windows finds it as a keyboard, however, after scanning a multitude of tags I have no data in Notepad. Is the red LED supposed to change to green? I can see from your teardown it is a bicolor LED, but mine never changes color, only beeps twice when I power it on. Any help would be appreciated, I would like to find out if I can use this reader for anything useful.
Would be great to know how to get the correct information out.