Ripping Up A Rothult

NFC locks are reaching a tipping point where the technology is so inexpensive that it makes sense to use it in projects where it would have been impractical months ago. Not that practicality has any place among these pages. IKEA carries a cabinet lock for $20USD and does not need any programming but who has a jewelry box or desk drawer that could not benefit from a little extra security? Only a bit though, we’re not talking about a deadbolt here as this teardown shows.

Rothult has all the stuff you would expect to find in an NFC scanner with a moving part. We find a microcontroller, RFID decoder, supporting passives, metal shaft, and a geartrain. The most exciting part is the controller which is an STM32L051K8 processor by STMicroelectronics and second to that is the AS3911 RFID reader from AMS. Datasheets for both have links in the teardown. Riping up a Rothult in the lab, we find an 25R3911B running the RFID, and we have a link to that PDF datasheet. Both controllers speak SPI.

There are a couple of things to notice about this lock. The antenna is a flat PCB-mounted with standard header pins, so there is nothing stopping us from connecting coax and making a remote antenna. The limit switches are distinct so a few dabs of solder could turn this into an NFC controlled motor driver. Some of us will rest easy when our coworkers stop kidnapping our nice pens.

Rothult first came to our attention in a Hackaday Links where a commenter was kind enough to tip us off to this teardown. Thanks, Pio! If this whets your appetite for NFC, we have more in store.

21 thoughts on “Ripping Up A Rothult

  1. Most exciting “AS3911 > NFC Initiator / HF Reader IC”

    In the docs it says:


    The AS3911 includes several features, which make it
    incomparable for low power applications. It contains a low
    power capacitive sensor, which can be used to detect the
    presence of a card without switching on the reader field.

    Bit confusing :) yet, i haven’t seen before battery powered NFC devices that can last for long. I didn’t think there is “Initiator” chip :) I definitely have to make something with this :D

  2. The connector very obviously has the SWD pins on it. These would be the primary way to reprogram the board and would probably not require boot0 to be touched unless the SWD pins are disabled by the exiting firmware.

    So just buy a cheap STLink dongle and you’re all set to reprogram it.

        1. yeah, or you could just use a large screwdriver or a little crowbar to force the thing open.

          This thing is more of a convenient tamper proofing against the casual fridge raider or office supplies borrower that a serious security device..

    1. You could extend the battery contacts outside of the cabinet, to a hidden location. If I did that, I would also use protection diodes and a couple capacitors to protect against a high or reverse voltage applied to such contacts.

  3. You’d have to be careful not to freeze the mechanism too. Also, when it loses power, it erases the extra key card data, so it’s still apparent that someone tampered with it.

    But what am I talking about, this is a $20 cabinet lock, it’s not designed to be particularly strong or secure. A stern enough look at it is also a possible attack.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.