RFID Modding

My apartment building uses some older 125kHz HID RFID Cards to access the building & elevator. The card they gave was bulky, awkwardly fitting onto my keychain. For this reason, I'd constantly be leaving my keys around on short trips, and be locked out. Soon, I remembered an older video from N-O-D-E on how they had modified a Casio F-91W to fit an NFC tag, and I've been looking at a few of my $20 Walmart Casios with starry eyes ever since.

Doing some quick eBay searches, I found what seemed to be the smallest and flattest 125kHz tag with a T5577 chip. It had a diameter of 30mm (~1.18in) and based on some sloppy Casio measurements, it looked like it would fit but would certainly be snug. The tags came in the next week and upon first glance, it looked like there was no way this tag would fit in the Casio F-91W. So, I made a resentful trip picking up the analog Casio MQ-24.

Getting it home, this seemed like a perfect fit. I liked the look, and it seemed to mirror the diameter of the 125kHz tag. With my Proxmark3, I read and duplicated the HID card. After fighting with the firmware of the Proxmark for too long and finally getting it working, cloning was a breeze - the tag would open the elevator with no issue.

I worked to pull the chip and antenna from its laminated plastic confines to make it as small as possible. Afterwards, it fit and seemed to be read properly by the Proxmark. Finalizing the last step, I realized I missed a crucial detail: the clip-on back plate of the Casio was metal, creating a type of Faraday cage around the RFID tag. The Proxmark would no longer identify it.

...back to the drawing board...

I wasn't ready to design and 3D print a new backing, as it was held on with tension rather than screws, so that engineering would take some iterations - I just wanted quick and dirty. Glancing at my Casio F-91W, I took the back off that. It was also metal but was held on with screws, which made duplicating it in CAD more in the bounds of my skills. After some meticulous measurements, I was able to design and print a back plate that would house the tag. After gluing the tag in place and screwing it on the watch, I was able to get reads without issue!

The only downsides to this are that you lose water resistance and the piezo alarm, but these were pretty small tradeoffs for me as I rarely utilize either.