Diving into RFID Protocols with Flipper Zero (2024)

RFID is a contactless radio-tag technology. It is quite common and you may see it in a lot of places: intercoms, bank cards, public transport passes and office passes; tags are also used to track domestic animals, for toll collection, and so on. The two main RFID tag types are high frequency and low frequency.

  • Low-Frequency tags (125 kHz) — work at a higher range. Despite being insecure and dumb, they are still used in primitive access control systems: in building intercoms, offices, sports facilities, museums.
  • High-Frequency tags (13.56 MHz) — have a lower effective range when compared with the low-frequency ones but have more complex protocols. They support encryption, authentication, and cryptography. These tags are commonly used in contactless bank cards, to pay for public transport, and in high-security access control systems.

Here we will compare these two types of tags, take a look at the main protocols, and learn to work with them using Flipper Zero: we will read, emulate, save and clone them. You will see how to save whatever RFID keys you have, whether for the office, the gym or home, and we'll take a glimpse at what Flipper can read from a bank card.

Most RFID tags are passive tags with no internal power source. The chip inside is completely turned off until the tag is exposed to a reader's electromagnetic field. As soon as it comes within range, the tag's antenna begins absorbing energy from the reader's EM field and the chip receives power. The chip then turns on and begins communicating with the reader. It's worth mentioning that a tag's antenna is tuned to a specific frequency, so the tag only activates when it is inside a suitable electromagnetic field.

RFID Tag Types

On the outside, RFID tags can look quite different: thick or thin cards, key fobs, bracelets, coins, rings, or even stickers. Judging by the visuals alone, it's almost impossible to tell which frequency or protocol a tag operates on.

Quite often manufacturers use similar plastic cases for different types of RFID fobs operating on different frequencies, so two tags that look identical might be totally different inside. Keep that in mind when you try to work out which type of tag you have. In this article, we will be looking at the two most popular types of RFID tags that are used in access control systems. Flipper Zero supports both of their frequencies.

There is a variety of RFID protocols working on other frequencies. UHF for example uses the 840-960 MHz range. They are used for tracking assets in warehouses, paying for toll roads, tracking wild animals during their migration and so forth. These tags may have a battery and work from a couple of meters to kilometers. They are quite rare though, and you may not encounter them unless you go looking for them specifically. We will omit them entirely for the purpose of this article.

125 kHz & 13.56 MHz – Which is Which?

The easiest way to tell which frequency an RFID tag operates on is to look at the antenna. Low-frequency tags (125 kHz) have an antenna made of a very thin wire, literally thinner than a hair. Such antennas have a large number of turns, so the antenna looks like a solid piece of metal. High-frequency cards (13.56 MHz) have a significantly smaller number of thicker turns, with visible gaps between them.

You can shine some light through an RFID card to see an antenna inside. If the antenna has only a few large turns, it is most likely a high-frequency antenna. If the antenna looks like a solid piece of metal with no gaps between the turns, it is a low-frequency antenna.

Low-frequency tags are often used in systems that do not require high security: building access, intercom keys, gym membership cards, etc. Due to their higher range, they are convenient to use for paid car parking: the driver does not need to bring the card close to the reader, as it is triggered from further away. At the same time, low-frequency tags are very primitive and have a low data transfer rate. For that reason, it's impossible to implement the complex two-way data transfer needed for things like keeping a balance or cryptography. Low-frequency tags only transmit their short ID without any means of authentication.

High-frequency tags are used for a more complex reader-tag interaction when you need cryptography, a large two-way data transfer, authentication, etc. They are usually found in bank cards, public transport, and other secure passes.

Low-Frequency 125 kHz Tags

  • Long Range — lower frequency translates to higher range. There are some EM-Marin and HID readers, which work from a distance of up to a meter. These are often used in car parking.
  • Primitive protocol — due to the low data transfer rate these tags can only transmit their short ID. In most cases, data is not authenticated and it's not protected in any way. As soon as the card is in the range of the reader it just starts transmitting its ID.
  • Low security — These cards can be easily copied, or even read from somebody else's pocket due to the protocol's primitiveness.

High-Frequency 13.56 MHz Tags

  • Low range — high-frequency cards are specifically designed so that they would have to be placed close to the reader. This also helps to protect the card from unauthorized interactions. The maximum read range that we managed to achieve was about 15 cm, and that was with custom-made high-range readers.
  • Advanced protocols — data transfer speeds up to 424 kbps allow complex protocols with full-fledged two-way data transfer, which in turn allows cryptography, data exchange, etc.
  • High security — high-frequency contactless cards are in no way inferior to smart cards. There are cards that support cryptographically strong algorithms like AES and implement asymmetric cryptography.

RFID in Flipper Zero

Flipper supports both high-frequency and low-frequency tags. To support both frequencies we developed a dual-band RFID antenna that is situated on the bottom part of the device.

A separate NFC controller (ST25R3916) is used for high-frequency protocols (NFC). It takes care of everything related to hardware interaction with the cards: reading and emulation. Low-frequency 125 kHz protocols are implemented in software on top of a custom analog frontend that works together with the MCU, which also allows reading, writing and emulation.

The top part of the PCB is shielded with a ferromagnetic layer which isolates the rest of the electronic components from interference and extends the operating range by reflecting the high-frequency field.

During assembly, the antennas are glued into Flipper's back panel and connect to the PCB with pogo-pins. This greatly simplifies the assembly, as no cables or U.FL connectors are required.

Low-Frequency 125 kHz Protocols

Low-frequency tags store a short ID, just a few bytes long. The tag's ID is compared to IDs stored in the database of a controller or an intercom. However, the card will transmit its ID to anyone asking as soon as it receives power. Quite often the ID is inscribed on the card itself, so you can take a picture and input it into the Flipper manually.

Popular 125 kHz protocols:

  • EM-Marin — EM4100, EM4102. The most popular protocol in CIS. Can be read from about a meter because of its simplicity and stability.
  • HID Prox II — low-frequency protocol introduced by HID Global. This protocol is more popular in Western countries. It is more complex, and the cards and readers for this protocol are relatively expensive.
  • Indala — very old low-frequency protocol that was introduced by Motorola, and later acquired by HID. You are less likely to encounter it in the wild compared to the previous two because it is falling out of use.

In reality, there are a lot more low-frequency protocols. But they all use the same modulation on the physical layer and may be considered, in one way or another, a variation of those listed above. At the time of writing Flipper can read, save, emulate and write all three protocols. There may be other ones, which are not supported in Flipper's firmware, but as the 125 kHz subsystem is implemented programmatically, we can add them in the future.

EM-Marin

EM-Marin is the most common format we have in CIS. It is simple and has no copy-protection. EM-Marin cards usually have EM4100 chips inside, but there are others as well. For example, you can have an EM4305 which can be re-written unlike the EM4100.

To read a low-frequency card go into the Flipper menu 125 kHz RFID —> Read and place the tag on the back of the device. Flipper will attempt to determine the protocol and on success will display it alongside the card's ID. Since Flipper is trying all the protocols in one go it takes a bit of time. For example, you will need a couple of seconds to read an Indala card.

EM4100's unique code is 5 bytes long. Sometimes you can find it on the card itself. The unique code may be written both as a decimal or in hex. Flipper displays the code in hex, however, EM-Marin cards usually just have the 3 lower bytes written on them, and not the full 5-byte number. If there is no way to read them from the card, the other 2 bytes can be brute-forced.
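To make the 5-byte ID and the parity around it concrete, here is an added example (not code from the original article or from Flipper's firmware) that builds and validates the 64-bit EM4100 frame a 125 kHz reader receives; the sample ID is constructed, and the printed-number layout is assumed to be the low 3 bytes in decimal as the text describes.

```python
# EM4100 frame: 9 header bits (all 1) | 10 x (4 data bits + even row parity)
#               | 4 even column-parity bits | 1 stop bit (0)  = 64 bits
HEADER = "1" * 9


def em4100_encode(uid: bytes) -> str:
    """Return the 64-bit frame for a 5-byte EM4100 ID as a '0'/'1' string."""
    if len(uid) != 5:
        raise ValueError("EM4100 ID must be exactly 5 bytes")
    nibbles = [x for b in uid for x in (b >> 4, b & 0x0F)]   # 10 nibbles, MSB first
    bits = HEADER
    col = [0, 0, 0, 0]                                       # running column parity
    for n in nibbles:
        row = [(n >> (3 - i)) & 1 for i in range(4)]
        bits += "".join(map(str, row)) + str(sum(row) & 1)   # data + even row parity
        col = [c ^ r for c, r in zip(col, row)]
    return bits + "".join(map(str, col)) + "0"               # column parity + stop bit


def em4100_decode(bits: str) -> bytes:
    """Validate header, both parities and the stop bit; return the 5-byte ID."""
    if len(bits) != 64 or not bits.startswith(HEADER) or bits[63] != "0":
        raise ValueError("bad length, header or stop bit")
    col, nibbles = [0, 0, 0, 0], []
    for pos in range(9, 59, 5):                              # 10 rows of 5 bits
        row = [int(c) for c in bits[pos:pos + 4]]
        if (sum(row) & 1) != int(bits[pos + 4]):
            raise ValueError(f"row parity error at bit {pos}")
        col = [c ^ r for c, r in zip(col, row)]
        nibbles.append(int(bits[pos:pos + 4], 2))
    if col != [int(c) for c in bits[59:63]]:
        raise ValueError("column parity error")
    return bytes((nibbles[2 * i] << 4) | nibbles[2 * i + 1] for i in range(5))


def printed_number(uid: bytes) -> str:
    """Decimal form of the low 3 bytes, the part usually printed on an EM-Marin card."""
    return str(int.from_bytes(uid[2:], "big"))


if __name__ == "__main__":
    sample = bytes.fromhex("1D5F3A9C07")   # constructed ID, not a real card
    frame = em4100_encode(sample)
    print(frame)
    print(em4100_decode(frame).hex().upper(), printed_number(sample))
```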

To emulate an RFID tag we need to go into the menu 125 kHz RFID —> Saved, choose the necessary tag and then press Emulate.

Some intercoms try to protect themselves from key duplication by sending a write command prior to reading. If the write succeeds, that tag is considered fake. When Flipper emulates RFID there is no way for the reader to distinguish it from the original one, so no such problems occur.

HID Prox

HID Global is the largest manufacturer of RFID devices in the world. They have several high and low-frequency RFID protocols. The most popular low-frequency HID protocol is the 26-bit H10301 (also known as HID26 or HID PROX II). The unique code is 3 bytes (24 bits) long, and 2 more bits are used for parity checks (to ensure the integrity of the data).

Some HID26 cards have numbers printed on them: the sales order number and the card's ID. You can't figure out the whole 3 bytes from that information alone, since the card only has 2 bytes printed on it in decimal format, and that is the card's ID.
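As an added example (not code from the original article or from Flipper's firmware), the following packs and checks the 26-bit H10301 frame, showing where the 24-bit unique code and the two parity bits sit; the FC-then-CN byte order for the 3-byte form is an assumption made here for illustration.

```python
# H10301 ("HID26") frame, 26 bits, MSB first:
#   bit 25: even parity over the first 12 data bits
#   bits 24..17: 8-bit facility code (FC)
#   bits 16..1: 16-bit card number (CN), the number printed on the card
#   bit 0: odd parity over the last 12 data bits


def _ones(value: int) -> int:
    return bin(value).count("1")


def hid26_encode(facility: int, card: int) -> int:
    """Pack FC and CN into a 26-bit frame with both parity bits set correctly."""
    if not (0 <= facility <= 0xFF and 0 <= card <= 0xFFFF):
        raise ValueError("FC must fit in 8 bits and CN in 16 bits")
    data = (facility << 16) | card                   # the 24-bit unique code
    even = _ones(data >> 12) & 1                     # makes the first 13 bits even
    odd = 1 - (_ones(data & 0xFFF) & 1)              # makes the last 13 bits odd
    return (even << 25) | (data << 1) | odd


def hid26_decode(frame: int) -> tuple:
    """Check both parity bits and return (facility, card); raise on a corrupted frame."""
    if frame >> 26:
        raise ValueError("frame longer than 26 bits")
    data = (frame >> 1) & 0xFFFFFF
    if (_ones(data >> 12) & 1) != ((frame >> 25) & 1):
        raise ValueError("leading even-parity error")
    if (_ones(data & 0xFFF) & 1) == (frame & 1):
        raise ValueError("trailing odd-parity error")
    return data >> 16, data & 0xFFFF


def key_bytes(facility: int, card: int) -> bytes:
    """The 3-byte unique code the article refers to (assumed order: FC, CN high, CN low)."""
    return bytes([facility, card >> 8, card & 0xFF])


if __name__ == "__main__":
    frame = hid26_encode(42, 12345)                 # constructed values, not a real card
    print(f"{frame:026b}", hid26_decode(frame), key_bytes(42, 12345).hex())
```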

Flipper can only work with the HID26 protocol of the HID family. In the future, we plan to extend this list. HID26 is the most popular one since it is compatible with most digital access control systems.

Indala

Indala is an RFID protocol developed by Motorola and later acquired by HID. It's a very old protocol that you won't find in modern access control systems. Rare as it is, you may sometimes find it in the field. At the time of writing Flipper works with Indala I40134.

Like HID26, cards using Indala I40134 have a unique code that is 3 bytes long. Unfortunately, Indala's data structure is proprietary, so everyone who wishes to support this protocol has to choose their own byte order and their own way of interpreting the signal at the hardware level.

All these protocols are so simple that the card's ID may be entered manually without the original card. Having your card's ID in text format, anyone owning a Flipper could enter it manually.

Manually Entering the Card's ID

To add the card's ID go to the menu and choose 125 kHz RFID —> Add manually, then the protocol and enter the ID. The card added will be saved to the SD-card, and may then be emulated or written to a blank.

Writing to a Blank Card

There are special blank cards that support any of the three protocols mentioned above (EM-Marin, HID Prox, Indala). T5577 is the most popular blank card type. To write an ID to a blank card go to the menu 125 kHz RFID —> Saved, then choose the key you want and press Write.

High-Frequency 13.56 MHz Protocols

High-frequency 13.56 MHz tags are a set of standards and protocols. They are usually referred to as NFC, but that's not always correct. The basic protocol set used on the physical and logical levels is ISO 14443. High-level protocols, as well as alternative standards (like ISO 19092), are based upon it.

ISO 14443-A seems to be the most common implementation. Almost all of the public transport and office passes use it, and it's used in bank cards as well.

To put it simply, NFC's architecture works like this: the transmission protocol is chosen by the company making the cards and implemented based on the low-level ISO 14443. For example, NXP invented its own high-level transmission protocol called Mifare. But on the lower level, Mifare cards are based on ISO 14443-A standard.

Flipper can interact with both the low-level ISO 14443 protocol, as well as Mifare Ultralight data transfer protocol and EMV used in bank cards. We're working on adding support for Mifare Classic and NFC NDEF. A thorough look at the protocols and standards that make up NFC is worth a separate article which we plan to have up later.

Plain UID of the ISO 14443-A Standard

All high-frequency cards based on ISO 14443-A standard have a unique chip ID. It acts as the card's serial number, like a network card's MAC address. Usually, the UID is 4 or 7 bytes long, but can rarely go up to 10. UIDs are not a secret and they are easily readable, sometimes even printed on the card itself.

There are many access control systems that rely on UID to authenticate and grant access. Sometimes this happens even when RFID tags support cryptography. Such misuse brings them down to the level of the dumb 125 kHz cards in terms of security. Virtual cards (like Apple Pay) use a dynamic UID so that phone owners won't go opening doors with their payment app.

Since the UID is a low-level attribute, you might find yourself in a situation where the UID has already been read but the high-level data transfer protocol is still unknown. For the primitive readers that use the UID for authorization, you can read, emulate and manually input a UID using Flipper.

Reading the UID VS Reading the Data Inside

In Flipper, reading 13.56 MHz tags can be divided into two parts:

  • Low-level read — reads only the UID, SAK, and ATQA. Flipper tries to guess the high-level protocol based on this data read from the card. You can't be 100% certain with this, as it is just an assumption based on certain factors.
  • High-level read — reads the data from the card's memory using a specific high-level protocol. That would be reading the data on a Mifare Ultralight, reading the sectors from a Mifare Classic, or reading the card's attributes from PayPass/Apple Pay.
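An added example (not code from the original article or from Flipper's firmware) of what a low-level read actually gives you: the UID length announced by ATQA, the BCC check bytes from the anticollision cascade, and the SAK bits that drive the protocol guess. The sample reads are constructed, and the SAK-to-family table is the conventional NXP mapping, which is exactly why the result stays a guess.

```python
# Constructed sample low-level reads (UID, ATQA, SAK); the UIDs are made up.
SAMPLE_READS = [
    {"uid": bytes.fromhex("04A1B2C3D4E5F6"), "atqa": 0x0044, "sak": 0x00},
    {"uid": bytes.fromhex("DEADBEEF"),       "atqa": 0x0004, "sak": 0x08},
    {"uid": bytes.fromhex("0412345678ABCD"), "atqa": 0x0344, "sak": 0x20},
]

# Conventional NXP SAK values; other vendors may reuse them, so this is a hint only.
SAK_HINTS = {
    0x00: "MIFARE Ultralight / NTAG (no ISO 14443-4)",
    0x08: "MIFARE Classic 1K (or something emulating it)",
    0x18: "MIFARE Classic 4K",
    0x20: "ISO 14443-4 card: DESFire, EMV bank card, passport, ...",
}


def uid_size_from_atqa(atqa: int) -> int:
    """Bits 7..6 of the low ATQA byte announce the UID size: single 4, double 7, triple 10."""
    sizes = {0: 4, 1: 7, 2: 10}
    code = (atqa >> 6) & 0x3
    if code not in sizes:
        raise ValueError("reserved UID size code")
    return sizes[code]


def cascade_bccs(uid: bytes) -> list:
    """BCC bytes sent during anticollision: XOR over each 4-byte cascade chunk.
    Longer UIDs are split, with the cascade tag 0x88 in front of the first 3 bytes."""
    if len(uid) == 4:
        chunks = [uid]
    elif len(uid) == 7:
        chunks = [bytes([0x88]) + uid[:3], uid[3:]]
    elif len(uid) == 10:
        chunks = [bytes([0x88]) + uid[:3], bytes([0x88]) + uid[3:6], uid[6:]]
    else:
        raise ValueError("UID must be 4, 7 or 10 bytes")
    bccs = []
    for chunk in chunks:
        b = 0
        for x in chunk:
            b ^= x
        bccs.append(b)
    return bccs


def interpret(read: dict) -> dict:
    """Cross-check UID length against ATQA and turn SAK into a non-binding family guess."""
    expected = uid_size_from_atqa(read["atqa"])
    return {
        "uid_len_ok": len(read["uid"]) == expected,
        "iso14443_4": bool(read["sak"] & 0x20),       # SAK bit 5: supports ISO 14443-4
        "uid_incomplete": bool(read["sak"] & 0x04),   # SAK bit 2: more cascade levels
        "guess": SAK_HINTS.get(read["sak"], "unknown; needs a high-level read"),
    }


if __name__ == "__main__":
    for read in SAMPLE_READS:
        print(read["uid"].hex(), cascade_bccs(read["uid"]), interpret(read))
```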

To use a specific high-level protocol when reading data go to NFC —> Run special action and choose the type of tag you want to read.

To try to guess the type of tag and read the UID go to NFC —> Read card. So far Flipper can only detect Mifare Ultralight and EMV bank cards.

Mifare Ultralight

Mifare is a family of contactless smart cards with several high-level protocols. The simplest of those is Mifare Ultralight. In its basic version, it has only 64 bytes of embedded flash memory and no cryptographic protection. Flipper can both read and emulate Mifare Ultralight cards. Such tags are often used as passes granting access to offices, houses and public transport. Moscow public transport tickets, for example, use Mifare Ultralight.

EMV Bank Cards (PayPass, payWave, Apple Pay, Google Pay)

EMV (Europay, Mastercard, and Visa) is the international standard set for bank cards. Bank cards now are full-fledged smart cards with complex data exchange protocols and support for asymmetric encryption. Apart from simply reading the UID, you can extract a lot more data from a bank card. It's possible to get the full card number (the 16 digits on the front of the card), the validity date, and in some cases even the owner's name along with a list of the most recent transactions.

Since the EMV standard might be implemented differently, the data that can be extracted may vary from card to card. You can't read the CVV this way (the 3 digits on the back of the card).

Bank cards are protected from replay attacks, so copying one with Flipper and then trying to emulate it to pay for something won't work.

Tokenized Apple Pay Card VS Physical Bank Card

Compared to a plastic bank card, the virtual card you have in your phone provides less information and is safer for offline payments.

Apple Pay and Google Pay have several advantages:

  • They don't allow using captured data for online payments – a normal card can be used for Card-Not-Present (CNP) transactions: you can sometimes pay online or over the phone with the card data alone. Intercepted virtual card data can't be used in this manner. After registering a card with Apple Pay, all payments go through the virtual token and all operations are cryptographically signed. Reading Apple Pay data yields the PAN and expiration date of the virtual token, not of the original physical card. Thus, if someone tries to use data intercepted from a virtual card to pay online, the payment will be declined because it lacks the required signature.
  • They don't disclose the card owner's name — some contactless cards can transfer the cardholder name and recent transaction data. Virtual cards don't do that.

Bank card support in Flipper is implemented solely for demonstrating high-level protocols. We do not plan to extend this function further. Contactless bank card security is good enough that there is no need to worry that devices such as Flipper can be used to attack bank cards.
