Ripping Up A Rothult

NFC locks are reaching a tipping point where the technology is so inexpensive that it makes sense to use it in projects where it would have been impractical months ago. Not that practicality has any place among these pages. IKEA carries a cabinet lock for $20USD and does not need any programming but who has a jewelry box or desk drawer that could not benefit from a little extra security? Only a bit though, we’re not talking about a deadbolt here as this teardown shows.

Rothult has all the stuff you would expect to find in an NFC scanner with a moving part. We find a microcontroller, RFID decoder, supporting passives, metal shaft, and a geartrain. The most exciting part is the controller which is an STM32L051K8 processor by STMicroelectronics and second to that is the AS3911 RFID reader from AMS. Datasheets for both have links in the teardown. Riping up a Rothult in the lab, we find an 25R3911B running the RFID, and we have a link to that PDF datasheet. Both controllers speak SPI.

There are a couple of things to notice about this lock. The antenna is a flat PCB-mounted with standard header pins, so there is nothing stopping us from connecting coax and making a remote antenna. The limit switches are distinct so a few dabs of solder could turn this into an NFC controlled motor driver. Some of us will rest easy when our coworkers stop kidnapping our nice pens.

Rothult first came to our attention in a Hackaday Links where a commenter was kind enough to tip us off to this teardown. Thanks, Pio! If this whets your appetite for NFC, we have more in store.

28 thoughts on “Ripping Up A Rothult

  1. Most exciting “AS3911 > NFC Initiator / HF Reader IC”

    In the docs it says:

    The AS3911 includes several features, which make it
    incomparable for low power applications. It contains a low
    power capacitive sensor, which can be used to detect the
    presence of a card without switching on the reader field.

    Bit confusing :) yet, i haven’t seen before battery powered NFC devices that can last for long. I didn’t think there is “Initiator” chip :) I definitely have to make something with this :D

  2. The connector very obviously has the SWD pins on it. These would be the primary way to reprogram the board and would probably not require boot0 to be touched unless the SWD pins are disabled by the exiting firmware.

    So just buy a cheap STLink dongle and you’re all set to reprogram it.

        1. yeah, or you could just use a large screwdriver or a little crowbar to force the thing open.

          This thing is more of a convenient tamper proofing against the casual fridge raider or office supplies borrower that a serious security device..

    1. You could extend the battery contacts outside of the cabinet, to a hidden location. If I did that, I would also use protection diodes and a couple capacitors to protect against a high or reverse voltage applied to such contacts.

  3. You’d have to be careful not to freeze the mechanism too. Also, when it loses power, it erases the extra key card data, so it’s still apparent that someone tampered with it.

    But what am I talking about, this is a $20 cabinet lock, it’s not designed to be particularly strong or secure. A stern enough look at it is also a possible attack.

  4. Hello,
    I really love these locks but I usually make them open all with the same rfid card for not have to use 10 different cards on my cabinet. This is one of the features I love Rothulst but I would like to have an extra and spare key in case I lose the main one and not having to go back to 10 different keycards, but the locks only allow to program one extra card.
    And my problem is exactly there on how to get my main keycard succesfully copyed and having a spare card since I already bought different rewritable cards and a copier and the copyed cards dont get to be recognized on any of the locks.
    Can someone please advise on the correct keycards and copier, preferably with links, in order to get this done?

    Thank you

    1. NFC (13.56MHz) isn’t a good option for making multiple copies. There is some dark magic with inexpensive tags which allow the UID to be rewritten, but you probably need a $300USD Proxmark just to get started. Low frequency RFID (125KHz) is meant for that sort of thing.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.