PREFACE

Recently I have been travelling quite a bit and I came to appreciate being able to pay for bus/metro rides or coffee/beers around just with contactless technology. Apple/Google/Samsung-Pay based systems require actively unlocking your tech device, and this generates some slow-down in the payment process.

If you’re standing in line with a bunch of people waiting behind you and something goes wrong, you’re toast 🥪.

As an inveterate NERD, I’ve worn a CASIO F-91W since I still had pimples on my face. This legendary timepiece graces the wrists of tech aficionados worldwide with its sleek design, sturdy build, and impressive battery life (it is said to last ~ 7 years). It became a symbol of the digital watch revolution starting from the 80’s with the quartz adoption.

I thought it would be nice not to have to take out my credit/debit card from the wallet or my mobile phone from the pocket to pay, but instead to bring the watch closer to the PoS and just pay with a pinch of modern-day magic ✨.

So I decided to give it a new life and take it to the next level by combining nostalgia and innovation in pure hacking style.

ANALYSIS

The NFC (Near Field Communication) technology enables an exchange of information without direct physical contact between the two devices involved. In the case of contactless payment cards, they can be used without being inserted in a PoS slot or entering a PIN code, making financial transactions faster and more convenient.

Inside a plastic (or metallic) contactless payment card, we can find several components:

Microchip: often referred to as a secure integrated circuit (IC chip) or a smart chip, it serves as the brain of the card and contains various sub-components like the CPU (it controls the card’s operations and manages data processing), the Memory (it stores data such as account details, transaction history and security keys) and a Crypto Core (it can generate true-random numbers, it helps in solving arithmetical challenges, it can perform encryption/decryption of data and be helpful in the authentication process of the card and the terminal).

Antenna: usually made of copper or aluminum, it is responsible for transmitting and receiving radio frequency signals to enable contactless communication. It is designed in a specific pattern to ensure efficient signal transmission.

Through an antenna it is possible to transmit and receive radio-frequency waves, a form of energy that can travel through space or materials by carrying information. The frequency of the NFC protocol is 13.56 MHz (in some cases it can vary and be slightly higher, around 14.5 ~ 15.5 MHz for payment systems or ATMs). The wavelength (represented by the symbol λ-lambda; in simpler terms, it is the measurement of the length of a single wave cycle) in free space is calculated by dividing the speed of light constant (~ 300'000 Km/s) by the target frequency.

Therefore, an ideal antenna should consist of a 22.12 metre long wire, but by convention fractions of λ-lambda (λ/2, λ/4, λ/8, λ/16, etc.) are opportunely chosen. Another important factor is the electrical impedance of the wire, which depends mainly on the material it is made of, its resistivity as well as the cross-section of the wire itself.

Payment cards are passive devices that do not require their own power source. Instead, they are powered by electromagnetic induction when they come into proximity with an active NFC device, such as a smartphone or a contactless payment terminal. The active NFC device generates a magnetic field, which induces a current in the NFC target device’s antenna. This induced current provides enough power to activate it, allowing it to operate and communicate with the active device.

Most old smart card technology had the antenna embedded in a plastic (or resin) enclosure, soldered to the chip directly, which was consequently powered from the induced current.

New payment card technology consists of a dual interface that doesn’t need any wired contacts between the microchip and the antenna modules. The antenna in the card body has a few additional turns around the area where the chip module is embedded. This card body antenna inductively couples into a tiny loop antenna that is integrated directly into the microchip module. This simplifies the card production process as the antenna does not need to be attached (e.g. glued, welded or soldered) to the chip module.

Curious to see what the shape of the antenna looks like (realistically speaking) inside the plastic envelope of the card?

The “squares” connected in line act like variable capacitors. This, together with the windings grafted on multiple levels, allows the module to couple at different frequencies.

Overall, the components work together to enable secure and convenient contactless transactions. The antenna allows for wireless communication, while the microchip manages data processing, security, and authentication, ensuring the privacy and integrity of the cardholder’s information.

TOOLS

To “see” through the complex and invisible world of radio waves, I had to rely on some specific equipment.

NanoVNA: the Nano Vector Network Analyzer is a portable and affordable handheld device used for measuring and analyzing the characteristics of radio frequency (RF) and microwave circuits. It is designed to provide precise measurements of complex impedance, reflection coefficient, transmission coefficient, and other parameters of RF components and networks.

Proxmark3: is an open-source hardware and software platform designed for RFID (Radio Frequency Identification) research and development. It is a versatile tool widely used by security researchers, pentesters, and RFID enthusiasts to explore, analyze, and interact with various RFID technologies. It consists of a compact circuit board equipped with an integrated antenna and multiple radio frequency modules. It supports various RFID protocols, including low-frequency (LF) and high-frequency (HF) RFID standards such as 125kHz, 13.56MHz, and 900MHz. The device can both emulate RFID cards/tags and act as a reader/writer, allowing users to clone, simulate, and manipulate RFID signals. It’s important to note that while the Proxmark3 is a valuable tool for security research and learning, it should be used responsibly and within the legal boundaries of the applicable jurisdictions.

RFID-RC522: is a popular RFID module that is commonly used for communication with RFID tags or cards. It is based on the MFRC522 chip, which is a highly integrated reader/writer IC for contactless communication.

In this particular scenario, the RFID-RC522 chip was cannibalised in order to exploit the microstrip antenna on the PCB as a probe for the NanoVNA.

I desoldered the C10 and C11 capacitors and I proceeded by soldering two female jumper wire connectors in their place.

Then, I ripped off a coaxial connector cable supplied with the NanoVNA device. After separating the inner core wire (+) from the outer shield mesh (-), I soldered male jumper wire connectors to them respectively, in order to have a detachable interface (from the theory: the longer the jumper wires, the higher the RF “noise” when reading values, so keep it as short as possible).

By coupling this “frankenstein” antenna-probe with the NanoVNA through the S11 → CH0 input, I could swim through radio waves.

SETUP

I started with the NanoVNA + RFID-RC522 combo.

Once turned on, the NanoVNA displays a lot of information, but most of it happens to be irrelevant for this purpose. It has a resistive touchscreen alongside a wheel-based joystick that can help in moving through its menus.

The focus is all on the yellow trace, so I disabled all the unnecessary traces by going to the DISPLAY sub-menu and by double-clicking on TRACE 1 (cyan), TRACE 2 (green) and TRACE 3 (magenta). It is possible to see them disappear from the screen.

I then clicked on BACK → SCALE → SCALE/DIV and I set “4” (it gives a good proportion).

I confirmed by clicking on the ENT button.

I then went back to the main menu and clicked on STIMULUS.

By clicking on START I set up 12.5 MHz.

By clicking on STOP I then set up 16 MHz.

In this way it is possible to filter all the signals by allowing the device to display only the ones in the 12.5 to 16 MHz band.

To see if the setting was good, I placed a spare NFC tag on the antenna surface.

Simple rule: the deeper the lower wedge, the higher the “resonance”.

In other terms, it means that the NFC tag used for the test is well coupled with the antenna (it is absolutely normal to see varying ranges around the frequency of 13.56MHz depending on the tags/cards approached).

Moving to the Proxmark3 device, it needs a computer to work. Inside the original GitHub repository I could find all the installation instructions (very exhaustive and well explained). I am running on macOS so I used the brew-based tutorial for quickness.

Before the very first run it is recommended to upgrade the device firmware with the latest version available. In order to do so, the procedure requires pressing the “half-hidden” button and plugging in the Micro-USB cable while keeping it pressed. In this way the device boots in DFU-mode.

Once in DFU-mode, just run the following command:

    pm3-flash-all

and it should perform everything “automagically”.

Once done, disconnecting and reconnecting the Micro-USB cable to the Proxmark3 allows it to be detected in the serial port list. By running the following command:

    pm3

it is now possible to enter the magical world of NFC hacking/auditing.

The Proxmark3 Tools has an interactive shell (I suggest you study all the information in the documentation, as this machinery allows you to do some, even illegal, very interesting and complex things).

To test it I put the same NFC tag used for the NanoVNA on top of the high-frequency antenna surface.

By running the following command in the interactive shell:

    pm3 → hf search

it was possible to read the information related to the NFC tag.

NOTE: although both the NanoVNA and the Proxmark3 devices are well “insulated” electrically, they may suffer from some noise if placed on conductive surfaces such as metal or similar. I placed them on a rubbery mouse pad to make them work solidly. Keep this in mind if you’re facing some “strange” behaviour in the readings.

Let’s move to the payment card reading by recalling the last command:

    pm3 → hf search

As can be observed, the output is much more verbose than the previous one, as the card contains a “smart chip” for more complex and secure operations. This output comes in handy for later comparison.

All good. All the equipment is fully working, the setup is complete and we can now move to the most interesting part.

DISASSEMBLY

In order to discover the type of my payment card, I had to rip it apart.

With the help of a soldering station’s hot air nozzle (set to 100 °C) I started heating the surface around the card chip by drawing circles near and far, back and forth.

The real trick here to avoid doing irreversible damage is not to stay on the same spot for too long (preventing everything from melting down).

After around 45 sec ~ 1 min of heating, I gently started to fuzz around the chip with a pair of tweezers and with a bunch of swings I was able to detach it from the plastic housing.

Although slightly covered by glue residue, it is possible to see the windings of the integrated antenna, so there are no soldering joints from the inner chip to the outer antenna.

It turns out that this type of payment card belongs to the new technology category, a combination of a chip with a small embedded antenna that resonates and couples with the bigger antenna hidden inside the card plate, as explained in a previous paragraph.

Moving to the CASIO F-91W watch disassembly, I went all-in. I first removed the wristbands in order to work on it without hindrance.

Then with the help of a pair of tweezers and a small screwdriver I could tear it down to the bones (I had no intention of customising the internal circuits, so I left the central unit intact, since in addition to contactless payments it would be convenient to always be able to consult the time 😂).

By heating the front plate with the heat gun used previously (same temperature set to 100 °C, same hi-lo circular patterns at a distance) for approximately ~ 1.5 min, I applied a good amount of force from the inside to the outside of the watch case and it naturally popped out without too much effort.

INSPECTION

After ascertaining the nature of the demolished card, I realized that I was dealing with not one, but two antennas. I wanted to see clearly so I did recall my equipment.

Taken separately, each one has its own operating frequency. The card housing alone resonates at ~ 15.28 MHz.

When paired together, however, the result is a new frequency entirely different from the individual ones. The card housing + chip resonates at ~ 14.85 MHz.

In projection to the next steps, this experiment made me realise that in order to exploit an additive/subtractive synthesis approach for reproducing a matching antenna from scratch, other factors besides impedance must be taken into account, including the thickness and/or the magnetic permeability of materials.

TUNING

Dealing with antennas is no easy job. It requires a lot of theoretical and practical experience, acquired over many years of testing and frustrations, dissipated in some laboratory, maybe.

Overall, antenna tuning is a very critical process of design aimed to optimize the performance of an antenna system. It involves mathematically adjusting the antenna’s length, surface dimensions, impedance matching and SWR (Standing Wave Ratio) minimization to achieve the desired resonance, efficient power transfer and operating characteristics.

Ok, but… We hackers, extremely lazy people, always look for the shortest path with the least effort to achieve the maximum results.

Acknowledging the above statement, my goal was to work around any specific digging into the electromagnetical boredom in order to provide the fastest way possible of iterating over the antenna design process. For this, I invented the so called “fishing tuning” (thanks Daniele G., my true friend and amazing supporter, for suggesting this name to me), a ghetto (but clever) way of blindly tuning a homebrew NFC antenna.

Simply speaking, the process behind this involves basic concepts and materials. From the specs of the new tech of payment cards it was possible to understand that the chip needs to be coiled quite tightly; then, it should have some outer coils around it in order to have enough resonance with the NFC reader.

The reading procedure (from an active NFC device) is spread over frequency intervals, not specific and fixed frequencies. The intrinsic variability of device coupling, given the boundary conditions, is relatively high, so any small inaccuracy is equally tolerated.

I took my precision caliper and I got the chip dimensions.

With a widely used online 3D CAD tool I could design a simple spool with the chip holder (placed at the very center), leaving space for both the inner and the outer wire windings, which I could then extrude with the help of my 3D printer.

I used a 0.10mm enamelled copper wire (very cheap, priced a few bucks) and I started winding it around the innermost chip housing and then I continued generating coils on the outermost spool.

In order to keep everything on track, I found tremendously useful a feature that comes with the Proxmark3 tool. By triggering the following command:

    pm3 → hf tune

it is possible to watch in real-time the voltage drop in mV (millivolt) of any NFC-compatible tag that approaches the high-frequency antenna surface.

Simple rule: the higher the voltage drop, the greater the antenna resonance (and thus the coupling is more efficient).

https://youtu.be/YM-jqoAD-Vw?embedable=true
(Fishing tuning technique demonstration)

As you can see in the demonstration video above, the left hand is keeping the spool in line with the Proxmark3 antenna surface (photo below).

The right hand is slowly pulling the wire off the spool while keeping an eye on the pm3 → hf tune continuous readings. I continued until reaching the highest voltage drop (~ 11mV the maximum reached) at 3mV / 14mV.

Then, I cut the exceeding wire from the spool, keeping a little extra for later, in case of error and/or for a more fine-grained frequency trimming. Now, we have an arbitrary-length antenna wire (mine was around 1.6 meters long) of a 0.10mm electromagnetic wire that can be coiled again in a cuter enclosure.

DESIGN

Side to side, from the front plate to the back plate, the CASIO F-91W digital watch has several layers of components: the metal cover, the battery holder, the coin-cell battery, the PCB, the display, the plastic casing and the screen protector. The installation of an antenna on the back does not work (trust me, I did an infinite amount of trials and troubleshooting before coming to this conclusion). This is due to too many “shielding” components that interfere and do not allow a potential NFC antenna placed on the back to pair decently with any NFC reader.

To come to a decent antenna design (without disfiguring the original aesthetics of the watch), I replicated the original front plate in the 3D CAD software, where I cut out the area to hold the chip and carved a cavity around the whole perimeter in order to wind the antenna wire.

As for the back plate, I decided to replace the original metal one with a PLA-based 3D-printed one.

This allowed me to ensure for the entire structure a reduction in the electromagnetic noise generated by the presence of the metal plate, while preserving a purely aesthetic uniformity.

TESTING

In order to understand the right amount of wire needed, I frequently tested the resonance peak through the NanoVNA + RFID-RC522 device combo, while un-winding and cutting the wire, one small chunk at a time.

In addition, I used the Proxmark3 device to check whether the contactless payment card shrunk in its new shape could still be well read.

FINISHING

The hole left by the 3D print (for the watch display) in the front plate was filled with ultra clear epoxy resin to achieve the glass finish.

The exposure to a sufficiently powerful UV lamp (48W) for about 1~2 mins per side contributes to the polymerisation (hardening) of the UV resin.

ASSEMBLY

It is time to put all the pieces together. With a pair of scissors, tweezers and a bunch of double-sided repair tape for electronics, I managed to reconstruct the adhesion surface of the front plate.

To finish, I re-assembled the remaining components, closing everything with the back plate and the original screws. I could not miss a cool strap to complete the visual appearance and fit.

DEMONSTRATIONS

I bought some stuff in different stores/vending-machines in order to prove live that the contactless payment system embedded in the CASIO F-91W works flawlessly.

A few videos are worth more than many words.

https://youtu.be/0PICO_ZKYkw?embedable=true
https://youtu.be/rAI_4DIjmfU?embedable=true
https://youtu.be/mGhXoThcEUo?embedable=true

They are all good at paying with their smartwatches, but with a vintage CASIO?

The pure delight that repays all efforts is seeing people’s shocked faces → 😯 when it happens that they realise what I paid with at the checkout 🤣.

DEVELOPMENTS

There are a couple of thoughts flashing through my mind:

The first relates to security issues: exploring the possibility of having an interrupted antenna and a way of short-circuiting it with one of the watch buttons, thus preventing mobile pickpocketing attempts on the fly.

The second, as an evolution of the previous one, will consider adding an extra chip and a second coil that can be switched with the push of a watch button, by playing with open/close circuits.

EXTRAS

Just some more fun stuff.

Plus, I created a GitHub repository where I hosted a bunch of docs I found useful and the *.STL files for the front and the back plates you can download and 3D-print by yourself.

CONCLUSIONS

This journey into the realm of NFC technology, contactless payments and radio waves has been thrilling. As a hacker, I feel super lucky to be living in an era where the rapid evolution of tools, software, and digital ecosystems has opened up new domains of possibilities, allowing us to see through things and challenging us to embrace the ever-changing landscape of technology. Being a tech NERD goes beyond a mere passion for electronics or coding; it encompasses a mindset driven by curiosity, problem-solving, and the insatiable desire to learn. It is a lifelong dive into discovery, where each new breakthrough serves as a stepping stone to even greater advancements. It’s about being at the forefront of innovation, pushing boundaries, and contributing to a future driven by imagination and technological prowess.

However, amidst all the excitement and marvels of technology, I must also remember the importance of ethical considerations, privacy, and responsible usage. With great power comes great responsibility.

Let’s continue to explore, tinker, and share our knowledge with the world.

GREETINGS

A special thanks for special friends:

Daniele G. for always enriching my crazy ideas with priceless advice ✨;
Marco L. for the fun, the support and for being the cameraman 📹;
Lorenzo F. for all the valuable brainstorming sessions 🧠;
Pierluigi C. P. for genuinely believing in my capabilities 🧙🏻♂️.

Guys, this was EPIC 🤙.

DISCLAIMER

Any information provided in this article is for educational purposes only. I am not responsible for any illegal actions taken by individuals or entities based on the information acquired from this tutorial. The content is intended to provide general guidance and it is your responsibility to ensure that you comply with all applicable laws, regulations, and ethical standards when applying the information provided. Any actions you take based on the tutorial are done at your own risk and discretion. I disclaim all liability for any damages, losses, or legal consequences resulting from the use or misuse of the information presented in the tutorial. I strongly encourage you to seek professional advice or consult with relevant authorities to ensure compliance with the law. By accessing and using this tutorial, you agree to release me from any liability for any illegal actions or their consequences that may occur downstream as a result of applying the information provided. Please use the information responsibly and exercise caution when applying it in practical situations.
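
The NanoVNA reading used in SETUP and TESTING (look for the S11 dip inside the 12.5 to 16 MHz window) can also be done on an exported sweep instead of by eye. The following is an added example, not part of the original article: it assumes the sweep was saved as a Touchstone .s1p file, and its sample data is a constructed notch centred on the ~ 14.85 MHz figure measured above; the function names and the 1 dB threshold are illustrative.

```python
"""Find the resonance dip in a one-port S11 sweep stored as Touchstone .s1p text."""
import cmath
import math

UNIT_HZ = {"HZ": 1.0, "KHZ": 1e3, "MHZ": 1e6, "GHZ": 1e9}


def parse_s1p(text):
    """Return [(freq_hz, gamma)] from Touchstone v1 one-port data (RI, MA or DB)."""
    unit, fmt, points = 1e9, "MA", []           # Touchstone defaults: GHz, MA
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()     # '!' starts a comment
        if not line:
            continue
        if line.startswith("#"):                # option line, e.g. "# HZ S RI R 50"
            for tok in line[1:].upper().split():
                unit = UNIT_HZ.get(tok, unit)
                fmt = tok if tok in ("RI", "MA", "DB") else fmt
            continue
        f, a, b = (float(x) for x in line.split()[:3])
        if fmt == "RI":
            gamma = complex(a, b)
        else:                                   # magnitude (linear or dB), angle in degrees
            mag = a if fmt == "MA" else 10 ** (a / 20)
            gamma = cmath.rect(mag, math.radians(b))
        points.append((f * unit, gamma))
    return points


def find_resonance(points, min_dip_db=1.0):
    """Return (freq_hz, return_loss_db) of the deepest dip, or None.

    None means no usable dip: it is shallower than min_dip_db (an assumed
    threshold) or it sits on the sweep edge, so the real resonance is
    outside the swept band and the START/STOP window must be widened.
    """
    if len(points) < 3:
        return None
    rl = [-20 * math.log10(max(abs(g), 1e-12)) for _, g in points]
    i = max(range(len(rl)), key=rl.__getitem__)
    if rl[i] < min_dip_db or i in (0, len(rl) - 1):
        return None
    # Refine between sweep points with a parabola through the three samples.
    den = rl[i - 1] - 2 * rl[i] + rl[i + 1]
    shift = 0.0 if den == 0 else 0.5 * (rl[i - 1] - rl[i + 1]) / den
    step = points[i + 1][0] - points[i][0]
    return points[i][0] + shift * step, rl[i]


def constructed_sweep(f0=14.85e6, q=20.0, depth=0.6,
                      start=12.5e6, stop=16e6, n=101):
    """Constructed sample: a synthetic notch at f0, not a real capture."""
    rows = ["! constructed sample data", "# HZ S RI R 50"]
    for k in range(n):
        f = start + k * (stop - start) / (n - 1)
        x = q * (f / f0 - f0 / f)
        g = 1 - depth / complex(1, x)
        rows.append(f"{f:.0f} {g.real:.6f} {g.imag:.6f}")
    return "\n".join(rows)


if __name__ == "__main__":
    result = find_resonance(parse_s1p(constructed_sweep()))
    if result is None:
        print("no usable dip inside the swept band")
    else:
        freq, rl_db = result
        print(f"dip at {freq / 1e6:.3f} MHz, return loss {rl_db:.1f} dB, "
              f"{(freq - 13.56e6) / 1e3:+.0f} kHz from 13.56 MHz")
```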