RFID Exploration

I recently picked up a USB RFID reader/writer pod to play with, partly to learn enough to be dangerous about the tech, and partly hoping to tamper with the RFIDs in the current university ID cards. I’m pretty sure I failed on the latter point, but am succeeding at the former in the process.

RFIDKit

Notes from the first round of fiddling with it follow.

It’s branded “Mifare Card Encoder M302.” I paid about $23 at NewConcept on Aliexpress for a bundle with the device, a standard A to mini B USB cable, five fobs, and five cards, all of which should be writable cards of the Mifare Classic flavor. Product link: New Contactless USB Interface 13.56MHZ RFID 14443A Card Encoder IC Card Reader for Mifare Writer with 5pcs Cards 5pcs Key Fob. I bought several things from the seller, and one of the other ones came as single items when the description was lots of 3, so this is neither an endorsement nor a warning; I’ve seen apparently the same kit for similar prices many, many places online. It included the standard unlabeled 25Minute MiniCD that comes with all cheap Chinese electronics. In addition to various drivers and instructions, and some RAR files whose contents I’m not terribly excited to find out, it included an extremely useful PDF describing the device protocol in reasonable detail.

Linux sees the device as a 1a86:7523 QinHeng Electronics HL-340 USB-Serial adapter in lsusb, which is simply a USB/Serial adapter. Support for the device seems to be extremely limited; however, Michael Ablassmeier has shared a little 33-line Python script on GitHub which literally converts part of the text of the provided PDF into an absolutely minimal dumper for reading the serial numbers off of MIFARE tags. I haven’t tried the Windows drivers or found other more featureful software that works with it under Linux, but this was just a first pass to verify that it works.
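As an added example (not from the original post or the linked script): because the reader enumerates as a generic USB/Serial bridge, it appears only as some /dev/ttyUSBn node, so this Python code walks sysfs to find which tty is backed by VID:PID 1a86:7523. The function names and the constructed sample tree, including the unrelated 0403:6001 adapter, are assumptions for illustration.

```python
import os

CH340_ID = ("1a86", "7523")  # VID:PID the post reports from lsusb

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return None

def usb_ids_for_tty(tty_class_dir):
    """Walk up from a tty's sysfs node to the USB device that owns it."""
    link = os.path.join(tty_class_dir, "device")
    if not os.path.exists(link):          # virtual consoles have no device link
        return None
    node = os.path.realpath(link)
    while node != os.path.dirname(node):  # stop at the filesystem root
        vid = _read(os.path.join(node, "idVendor"))
        pid = _read(os.path.join(node, "idProduct"))
        if vid and pid:
            return vid, pid
        node = os.path.dirname(node)
    return None                           # not USB-attached (e.g. ttyS0)

def find_serial_bridges(sys_root="/sys", wanted=CH340_ID):
    """Return the /dev paths of every tty backed by the wanted VID:PID."""
    tty_dir = os.path.join(sys_root, "class", "tty")
    if not os.path.isdir(tty_dir):
        return []
    return ["/dev/" + name for name in sorted(os.listdir(tty_dir))
            if usb_ids_for_tty(os.path.join(tty_dir, name)) == wanted]

def build_sample_tree(root):
    """Constructed sysfs layout: one CH340, one unrelated adapter, one ttyS0."""
    for tty, port, vid, pid in (("ttyUSB0", "1-2", "1a86", "7523"),
                                ("ttyUSB1", "1-3", "0403", "6001")):
        usb = os.path.join(root, "devices", "usb1", port)
        target = os.path.join(usb, port + ":1.0", tty)
        os.makedirs(target)
        for fname, val in (("idVendor", vid), ("idProduct", pid)):
            with open(os.path.join(usb, fname), "w") as fh:
                fh.write(val + "\n")
        os.makedirs(os.path.join(root, "class", "tty", tty))
        os.symlink(target, os.path.join(root, "class", "tty", tty, "device"))
    os.makedirs(os.path.join(root, "class", "tty", "ttyS0"))

if __name__ == "__main__":
    print(find_serial_bridges() or "no 1a86:7523 bridge attached")
```

Matching on VID:PID identifies only the bridge chip, so any other CH340-based gadget on the same machine will be listed as well.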

Being me, as soon as I verified that it basically worked, I pulled it apart to see what I actually got.

RFIDBoard

Photo quality improved by the rather awesome collapsible soft box I got in the same Aliexpress binge.

The main RFID chip is a NXP MFRC500 (PDF Warning!), the “Original” Mifare Classic/1K/4k part, with support for all of ISO/IEC 14443 A.
It is USB interfaced via a CH340T (PDF Warning!) USB/Serial adapter, which works under Linux with the ch341 module in mainline, and whose datasheet is, despite being an exercise in Chinglish, readily available, comprehensible and complete.
The board is glued together with a STC 89C52RC microcontroller, which is a typical cheap 8051 part with 8k of flash and 512 bytes of RAM onboard.

The three chips each have their own crystal can, at the expected 12.0000MHz for the USB/Serial, 11.0592 for the micro, and 13.5600 for the RFID.

RFIDAntenna
It has R/G indicator LEDs and a buzzer, both of which are easily controlled by serial. The antenna is a five loop PCB antenna on the underside of the board.

There are also quite a number of unpopulated pads, including two rows marked 5V/TXL/RXL/G that I suspect are programming interfaces for the USB/Serial bridge and microcontroller respectively, though the one near the bridge may simply be a second port on the bridge. There are also a couple of extra pads for (probably redundant) indicator LEDs, what I suspect are pads for an external antenna connector, and footprints for two extra SOIC packages, one 8 pin labeled U4 and one 21 pin with a weird bidirectional silkscreen labeled U7 at one end and U8 at the other, and surrounded by footprints for decoupling caps – my first guess is optional external RAM/ROM.

I haven’t yet succeeded in talking to either the HID iClass Px G8H card or XceedID Proximity 7610 fob I have from the university, most likely because I didn’t read carefully and they are ISO/IEC 15693 type RFID devices not supported by the reader/writer I bought. The pin-compatible NXP CLRC63201T part offers 14443 A, B and ISO/IEC 15693 support, but that’s not what’s in here, nor what the vendor claimed. While trying to figure out my mistake, I eventually came across and learned a great deal from this handy multi-vendor RFID Selection Guide from EVB, which explains the various RFID flavors in circulation and, like so much good documentation, is hosted by Adafruit.

It should still make a fun toy.


21 Responses to RFID Exploration

  1. Wesley King says:

    Would you be able to upload the software that came on the CD to somewhere? I purchased the reader from another provider and didn’t get the software but I need it to change the output format on the reader.

    Cheers.

    • Graham says:

      Looks like there are more of us in the same boat. If I get the s/w I will post it or send. Is a nice little box other than that. Please, if you find the s/w let me know.
      Thanks
      Graham

  2. Jonas says:

    Same question here. I got the CD but it was blank, so if possible would you be able to upload the software somewhere?

    • Graham says:

      Hi.. I am in the same boat as you.. Blank CD. If you find something that works let me know. I will do likewise.
      Graham

  3. Graham says:

    Looks like a few of us got the same box…. with blank CD.. Is a nice little box, but useless without something to read / write to the cards. Would appreciate if some software that works in Windows 10 could be uploaded somewhere. I did try Mifaer_V_1_2_1. It sends commands to the box, but does not do anything. Please help if you know of anything that will work.
    Thanks Graham

  4. Pramana says:

    Hi,
    You may download the software and video simple tutorial at
    http://www.mediafire.com/download/fdr5t3m7qdd7795/s340.rar

  5. Boris says:

    I recently purchased the M302 reader, so I have made a zip file of the software that came on the cd and uploaded it for you here:

    https://mega.nz/#!cg8kHJxI!oCTLSPg2fPjlyB29MYw4xcjttlfhAlSTsHTu-eVfRbA

  6. Racheal says:

    Hi, may I know if this product is compatible with Raspbian for Raspberry Pi? I have no idea how to run the .exe file that comes with the M302 reader writer on the Raspberry Pi and the driver can’t install to the Pi too. Please help. Thanks a lot in advance.

    • pappp says:

      The python script I linked works for Linux, but it’s quite limited in what you can do with it. I don’t know of a better option for using these with Linux.

  7. Mark says:

    Hi,

    Were you able to confirm what were the external antenna ports?

  8. Aamir says:

    I’ve recently bought this device and am looking to use it as a part of a staff clock in system. I have seen solutions where the rfid reader acts as a HID device. Is there any way I can get it to output the serial number of the card? Currently I can only use it in the software that’s provided with the disk. In device manager it shows up as a USB serial device instead of a HID device.

    • pappp says:

      I don’t expect you could get HID behavior out of this particular device.

    • Phil says:

      I don’t think you could get it to do HID natively, unless you were to reflash the SoC with your own firmware… however I’m guessing you’re using Windows, so I’d suggest you *could* use a small Visual Basic (or similar) program to communicate with the reader on the serial port and emulate keypresses – that’d be pretty trivial if that’s all you need.

      • Phil says:

        Actually scratch the comment about reflashing… I just remembered that there is a USB-Serial chip in between the processor and the host.. so no, you can’t get HID. But you can emulate a keyboard in software.

  9. Daryl says:

    Can you write NTAG215(s) with this?

  10. MeanOscar says:

    Just got one and got driver loaded and it must be doing something because if you put a card on it, it says “Read Successful” and Read Failed if you take the card away.

    What does Initialize have to do with it?

    It keeps saying it failed the password. What is the password? Why are there 4 kinds (KEYA, KEYB, etc.)? How do you change this mysterious password?

    Where do you start? I have a D302 for 125 KHz and once I figured out it worked in Win 10 / 64 bits, it was easy to use.

  11. Pablo E says:

    Hello, what differences does it have with the M301?

    Thank you

    • pappp says:

      No idea; I think those M301/M302 brandings are just inventions by the manufacturer/distributor to imply Mifare compatibility without actually using trademarks.
