paint-brush
How I Hacked and Turned My CASIO F-91W Into a Contactless Payment Deviceby@matteopisani91
2,072 reads
2,072 reads

How I Hacked and Turned My CASIO F-91W Into a Contactless Payment Device

by Matteo P.July 6th, 2023
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

This journey into the realm of NFC technology, contactless payments and radio waves has been thrilling.
featured image - How I Hacked and Turned My CASIO F-91W Into a Contactless Payment Device
Matteo P. HackerNoon profile picture

PREFACE

Recently I have been travelling quite a bit and I could appreciate the fact to pay for bus/metro rides or coffee/beers around just with contactless technology. Apple/Google/Samsung-Pay based systems require actively unlocking your tech device and this generates some slow-down in the payment process.


If you’re standing in line with a bunch of people behind you awaiting and something goes wrong, you’re toast 🥪.


Metro turnstile with contactless payment device in Milano, Italy


As an inveterate NERD, I’ve worn a CASIO F-91W since I still had pimples on my face. This legendary timepiece graces the wrists of tech aficionados worldwide with its sleek design, sturdy build, and impressive battery life (is said to last ~ 7 years). It became a symbol of the digital watch revolution starting from the 80’s with the quartz adoption.


I thought it would be nice not to have to take out my credit/debit card from the wallet or my mobile phone from the pocket to pay, but instead, to bring the watch closer to the PoS and just pay with a pinch of modern-day magic ✨.


So I decided to give it a new life and take it to the next level by combining nostalgia and innovation in pure hacking style.

ANALYSIS

The NFC (Near Field Communication) technology enables an exchange of information without direct physical contact between two devices involved. In the case of contactless payment cards, they can be used without being inserted in a PoS slot or by entering a PIN code, making financial transactions faster and more convenient.


Vendor-censored contactless payment card I own(ed)


Inside a plastic (or metallic) contactless payment card, we can find several components:


  • Microchip: often referred to as a secure integrated circuit (IC) chip or a smart chip, it serves as the brain of the card and contains various sub-components like the CPU (it controls the card’s operations and manages data processing), the Memory (stores data information such as account details, transaction history and security keys) and a Crypto Core (it can generate true-random numbers, it helps in solving arithmetical challenges, it can perform encryption/decryption of data and be helpful in the authentication process of the card and the terminal).

  • Antenna: usually made of copper or aluminum, is responsible for transmitting and receiving radio frequency signals to enable contactless communication. It is designed in a specific pattern to ensure efficient signal transmission.


Through an antenna it is possible to transmit and receive radio-frequency waves, a form of energy that can travel through space or materials by carrying information. The frequency of the NFC protocol is 13.56 MHz (in some cases it can vary and be slightly higher, around 14.5 ~ 15.5 MHz for payment systems or ATMs). The wavelength (represented by the symbol λ-lambda, in simpler terms, is the measurement of the length of a single wave cycle) in free space is calculated by dividing the speed of light constant (~ 300'000Km/s) by the target frequency.


Formula for the wavelength calculation of an antenna


Therefore, an ideal antenna should consist of a 22.12 metre long wire, but by convention fractions of λ-lambda (λ/2, λ/4, λ/8, λ/16, etc.) are opportunely chosen. Another important factor is the electrical impedance of the wire, which depends mainly on the material it is made of, its resistivity as well as the cross-section of the wire itself.


Payment cards are passive devices that do not require their own power source. Instead, they are powered by electromagnetic induction when they come into proximity with an active NFC device, such as a smartphone or a contactless payment terminal. The active NFC device generates a magnetic field, which induces a current in the NFCs target device antenna. This induced current provides enough power to activate it by allowing it to operate and communicate with the active device.


A variety of microchip + antenna designs of contactless payment cards


Most old technology smart cards had the antenna embedded in a plastic (or resin) enclosure, soldered to the chip, which was consequently powered directly from the induced current.


Card and chip module with separate, inductively coupled antennas


New payment cards technology consists in a dual interface that doesn’t need any wired contacts between the microchip and the antenna modules. The antenna in the card body has a few additional turns around the area where the chip module is embedded. This card body antenna inductively couples into a tiny loop antenna that is directly integrated into the microchip module. This simplifies the card production process as the antenna does not need to be attached (e.g. glued, welded or soldered) to the chip module.


Curious to see what the shape antenna looks like (realistically speaking) inside the plastic envelop of the card?


Variable capacitor antenna embedded in a Coil on Module (CoM) contactless payment card


The “squares” connected in line act like variable capacitors. This, together with the windings grafted on multiple levels allow the module to couple at different frequencies.


Overall, the components work together to enable secure and convenient contactless transactions. The antenna allows for wireless communication, while the microchip manages data processing, security, and authentication, ensuring the privacy and integrity of the cardholder’s information.

TOOLS

To “see” through the complex and invisible world of radio waves, I had to rely on some specific equipment.


Top: NanoVNA | Bottom-Left: Proxmark3 | Bottom-Right: RFID-RC522


  • NanoVNA: Nano Vector Network Analyzer is a portable and affordable handheld device used for measuring and analyzing the characteristics of radio frequency (RF) and microwave circuits. It is designed to provide precise measurements of complex impedance, reflection coefficient, transmission coefficient, and other parameters of RF components and networks.
  • Proxmark3: is an open-source hardware and software platform designed for RFID (Radio Frequency Identification) research and development. It is a versatile tool widely used by security researchers, pentesters, and RFID enthusiasts to explore, analyze, and interact with various RFID technologies. It consists of a compact circuit board equipped with an integrated antenna and multiple radio frequency modules. It supports various RFID protocols, including low-frequency (LF) and high-frequency (HF) RFID standards such as 125kHz, 13.56MHz, and 900MHz. The device can both emulate RFID cards/tags and act as a reader/writer, allowing users to clone, simulate, and manipulate RFID signals. It’s important to note that while the Proxmark3 is a valuable tool for security research and learning, it should be used responsibly and within the legal boundaries of the applicable jurisdictions.
  • RFID-RC522: is a popular RFID module that is commonly used for communication with RFID tags or cards. It is based on the MFRC522 chip, which is a highly integrated reader/writer IC for contactless communication.


In this particular scenario, the RFID-RC522 chip was cannibalised in order to exploit the microstrip antenna on the PCB as a probe for the NanoVNA.


Zoom-in on the microstrip antenna probes


I desoldered the C10 and C11 capacitors and I proceeded by soldering two female jumper wires connectors in their place.


Cannibalised RFID-RC522 circuit with a coaxial connector + cable


Then, I ripped off a coaxial connector cable supplied with the NanoVNA device. After separating the inner core wire (+) from the outer shield mesh (-) I soldered male jumper wire connectors respectively, in order to have a detachable interface (from the theory: the longer the jumpers wires, the higher the “noise” when reading RF values, so, keep it as short as possible).


By coupling this “frankenstein” antenna-probe with the NanoVNA through the S11CH0 input, I could swim through radio waves.

SETUP

I started with the NanoVNA + RFID-RC522 combo.


NanoVNA device just switched-on


Once turned on, the NanoVNA displays a lot of information but mostly happens to be irrelevant for this purpose. It has a resistive touchscreen alongside a wheel-based joystick that can help in moving through its menus.


NanoVNA menu aiming for DISPLAY settings


The focus is all on the yellow trace so I disabled all the unnecessary traces by going to the DISPLAY sub-menu and by double-clicking on TRACE 1 (cyan), TRACE 2 (green) and TRACE 3 (magenta). It is possible to see them disappear from the screen.


NanoVNA DISPLAY -> TRACE sub-menu


I then clicked on BACK → SCALE → SCALE/DIV and I set “4” (it gives a good proportion).


NanoVNA DISPLAY -> SCALE -> SCALE/DIV sub-menu


I confirmed by clicking on the ENT button.


NanoVNA menu aiming for STIMULUS settings


I then went back to the main menu and clicked on STIMULUS.


NanoVNA STIMULUS sub-menu


By clicking on START I set up 12.5 MHz.


NanoVNA STIMULUS -> START sub-menu


By clicking on STOP I then set up 16 MHz.


NanoVNA STIMULUS -> START sub-menu


In this way it is possible to filter all the signals by allowing the device to display only the ones in the 12.5 to 16 MHz band.


To see if the setting was good, I placed on the antenna surface a spare NFC tag.


Testing a standard NFC tag


Simple rule: the deeper the lower wedge, the higher the “resonance”.


In other terms, it means that the NFC tag used for the test is well coupled with the antenna (it is absolutely normal to see varying ranges around the frequency of 13.56MHz depending on the tags/cards approached).


Proxmark3 device


Moving to the Proxmark3 device, it needs a computer to work. Inside the original GitHub repository I could find all the installation instructions (very exhaustive and well explained). I am running on macOS so I used the brew-based tutorial for quickness.


Before the very first run it is recommended to upgrade the device firmware with the latest version available. In order to do so, the procedure requires to press the “half-hidden” button and plug the Micro-USB cable while keeping it pressed. In this way the device boots in DFU-mode.


Proxmark3 “BUTTON” for the DFU


Once in DFU-mode, just run the following command:


pm3-flash-all


Proxmark3 in DFU-mode receives a firmware upgrade


and it should perform everything “automagically”.


Once done, disconnecting and reconnecting the Micro-USB cable to the Proxmark3 allows it to be detected in the serial port list. By running the following command:


> pm3


it is now possible to enter in the magical world of the NFC hacking/auditing.


Proxmark3 Tools interactive shell


The Proxmark3 Tools has an interactive shell (I’ll suggest you to study all the information in the documentation, as this machinery allows to do some — even illegal — very interesting and complex things).


To test it I put the same NFC tag used for the NanoVNA on top of the high-frequency antenna surface.


Proxmark3 approached with a NFC tag


By running the following command in the interactive shell:


> pm3 → hf search


Proxmark3 reading the NFC tag


it was possible to read the information related to the NFC.


NOTE: although both the NanoVNA and the Proxmark3 devices are well “insulated” electrically, they may suffer from some noise if placed on conductive surfaces such as metal or similar. I placed them on a rubbery mouse pad to make them work solidly. Keep this in mind if you’re facing some “strange” behaviour in the readings.


Contactless payment card approached to Proxmark3


Let’s move to the payment card reading by recalling the last command:


> pm3 → hf search


Proxmark3 reading the contactless payment card


As can be observed, the output is much more verbose than the previous one, as the card contains a “smart chip” for more complex and secure operations. This output comes handy for later comparison.


All good. All the equipment are fully working, the setup is complete and we can now move to the most interesting part.

DISASSEMBLY

In order to discover the type of my payment card, I had to rip it apart.


Heat gun banging the payment card chip front


With the help of a soldering station’s hot air nozzle (set to 100 °C) I started heating the surface around the card chip by drawing circles near and far, back and forth.


Heat gun banging the payment card chip back


The real trick here to avoid doing irreversible damages is not to stay on the same spot for too long (preventing everything from melting down).


Payment card chip front


After around 45 sec ~ 1 min of heating, I gently started to fuzz around the chip with a pair of tweezers and with a bunch of swings I was able to detach it from the plastic housing.


Payment card chip back


Although slightly covered by glue residue, it is possible to see the windings of the integrated antenna, so no soldering joints from the inner chip to the outer antenna.


It turns out that this type of payment card belongs to the new technology category, a combination of a chip with a small embedded antenna that resonates and couples with the bigger antenna hidden inside the card plate, as explained in a previous paragraph.


CASIO F-91W partially disassembled



Moving to the CASIO F-91W watch disassembly, I went all-in. I first removed the wristbands in order to work on without hindrance.


CASIO F-91W teardown


Then with the help of a pair of tweezers and a small screwdriver I could tear it down to the bones (I had no intention of customising the internal circuits, so I left the central unit intact since in addition to contactless payments it would be convenient to always be able to consult the time 😂).


CASIO F-91W front plate and back plate


By heating the front plate with the heat gun used previously (same temperature set to 100 °C, same hi-lo circular patterns at a distance), for approximately ~ 1.5 min I applied a good amount of force from the inside to the outside of the watch case and it naturally popped out without too much effort.

INSPECTION

After ascertaining the nature of the demolished card, I realized that I was dealing with not one, but two antennas. I wanted to see clearly so I did recall my equipment.


NanoVNA RF inspection of the payment card housing alone


Taken separately, each one has its own operating frequency. The card housing alone resonates at ~ 15.28 MHz.


NanoVNA RF inspection of the payment card housing + chip


When paired together, however, the result is a new frequency entirely different from the individual ones. The card housing + chip resonates at ~ 14.85 MHz.


In projection to the next steps, this experiment made me realise that in order to exploit an additive/subtractive synthesis approach for reproducing a matching antenna from scratch, other factors besides impedance must be taken into account, including the thickness and/or the magnetic permeability of materials.

TUNING

Dealing with antennas is no easy job. It requires a lot of theoretical and practical experience, acquired over many years of testing and frustrations, dissipated in some laboratory, maybe.


NFC antenna design, parameterisation and efficiency analysis


Overall, antenna tuning is a very critical process of design aimed to optimize the performance of an antenna system. It involves mathematically adjusting the antenna’s length, surface dimensions, impedance matching, SWR (Standing Wave Ratio) minimization to achieve the desired resonance, efficient power transfer and operating characteristics.


Ok, but…


We hackers, extremely lazy people, always look for the shortest path with the least effort to achieve the maximum results.


Acknowledged the above statement, my goal was to work around any specific digging into the electromagnetical boredom in order to provide the fastest way possible of iterating over the antenna design process. For this, I invented the so called “fishing tuning” (thanks Daniele G., my true friend and supporter, for suggesting me this amazing name), a ghetto (but clever) way of blindly tuning a homebrew NFC antenna.


A preview of "fishing tuning" in action



Simply speaking, the process behind this involves basic concepts and materials. From the specs of the new tech of payment cards it was possible to understand that the chip needs to be coiled quite tightly, then, it should have some outer coils around in order to have enough resonance with the NFC reader.


The NFC reading procedure (from an active device) is spread over frequency intervals, not specific and fixed frequencies. The intrinsic variability of device coupling, given the boundary conditions, is relatively high, so any small inaccuracy is equally tolerated.


![Payment card chip size measurement (width)

](https://cdn.hackernoon.com/images/vSoRcyvb6dP2JiCy2a0lFEycpoa2-ow1k35vy.png)


Payment card chip size measurement (height)


I took my precision calibre and I got the chip dimensions.


Fish tuning spool with payment card chip holder



With a widely used online 3D CAD tool I could design a simple spool with the chip holder (placed at the very center), leaving space for both the inner and the outer wire windings that I could extrude with the help of my 3D printer.


0.10mm enamelled copper wire for electromagnetic applications


I used a 0.10mm enamelled copper wire (very cheap, priced a few bucks) and I started winding it around the innermost chip housing and then I continued generating coils on the outermost spool.


Fishing tuning spool


In order to keep everything on track, I found tremendously useful a feature that comes with the Proxmark3 tool. By triggering the following command:


> pm3 → hf tune


is possible to watch in real-time the voltage drop in mV (millivolt) of any NFC-compatible tag that approaches the high-frequency antenna surface.


Proxmark3 high-frequency antenna voltage drop measuring


Simple rule: the higher the voltage drop, the greater the antenna resonance (and thus the coupling is more efficient).

(Fishing tuning technique demonstration)


As you can see in the demonstration video above, the left hand is keeping the spool in line with the Proxmark3 antenna surface (photo below).


Fishing tuning point of view


The right hand is slowing pulling the wire off the spool while keeping an eye on the pm3 → hf tune continuous readings. I continued while reaching the highest voltage drop (~11mV the maximum reached) at 3mV/14mV.


Then, I cut the exceeding wire from the spool, keeping a little extra for later, in case of error and/or for a more finer-grained frequency trimming. Now, we have an arbitrary-length antenna wire (mine was around 1.6 meters long) of a 0.10mm electromagnetic wire that can be coiled again in a cutest enclosure.

DESIGN

Side to side, from the front plate to the back plate, the CASIO F-91W digital watch has several layers of components: the metal cover, the battery holder, the coin-cell battery, the PCB, the display, the plastic casing and the screen protector. The installation of an antenna on the back does not work (trust me, I did an infinite amount of trials and troubleshooting before coming to this conclusion). This is due to too many “shielding” components that interfere and do not allow a potential NFC antenna placed on the back to decently pair with any NFC reader.


CASIO F-91W custom front plate with payment card chip and NFC antenna holder — top view


CASIO F-91W custom front plate with payment card chip and NFC antenna holder — perspective view


To come at a decent antenna design (without disfiguring the original aesthetics of the watch), I replicated the original front plate in the 3D CAD software, where I cut out the area to hold the chip and carved a cavity around the whole perimeter in to wind the antenna wire.


Custom CASIO F-91W digital watch front plate that allows contactless payment — inside view


Custom CASIO F-91W digital watch front plate that allows contactless payment — outside view


As for the back plate, I decided to replace the original metal one with a PLA- based 3D-printed one.


CASIO F-91W custom back plate


This allowed me to give the ensure the entire structure the reduction in electromagnetic noise generated by the presence of the metal plate, while preserving a purely aesthetic uniformity.


Custom CASIO F-91W digital watch back plate — outside view


Custom CASIO F-91W digital watch back plate — inside view

TESTING

In order to understand the right amount of wire needed, I frequently tested the resonance peak through the NanoVNA + RFID-RC522 device combo, while un-winding and cutting the wire, one small chunk at a time.


CASIO F-91W antenna’s resonance peak spotted via NanoVNA + RFID-RC522


In addition, I used the Proxmark3 device to check wether the contactless payment card shrunk in its new shape could still be well read.


Proxmark3 reading the modded CASIO F-91W front plate through the NFC interface

FINISHING

The hole left by the 3D print (for the watch display) in the front plate was filled with ultra clear epoxy resin to achieve the glass finish.


Ultra-Violet lamp fixing UV-Resin for the LCD window in the front plate


The exposure to a sufficiently powerful (48W) UV lamp for about 1~2 mins per side contribute to the polymerisation (hardening) of the UV resin.

ASSEMBLY

It is time to put all the pieces together.


CASIO F-91W in the re-assembly phase


With a pair of scissors, tweezers and a bunch of double-sided repair tape for electronics, I managed to reconstruct the adhesion surface of the front plate.


Front view of the custom CASIO F-91W digital watch


To finish, I re-assembled the remaining components closing everything with the back plate and the original screws.


360° view of the custom CASIO F-91W digital watch


I could not miss a cool strap to complete the visual appearance and fit.


Wearing my hacked CASIO F-91W with fully functional NFC contactless payment card embedded

DEMONSTRATIONS

I bought some stuff in different stores/vending-machines in order to prove live that the contactless payment system embedded in the CASIO F-91W works flawlessly.

A few videos are worth more than many words.


They are all good at paying with their smartwatches, but with a vintage CASIO?


The pure delight that repays all efforts is seeing people’s shocked faces → 😯 when happen that they realise what I paid with at the checkout 🤣.

DEVELOPMENTS

There are a couple of thoughts flashing through my mind:

  • The first relates to security issues: exploring the possibility of having an interrupted antenna and a way of short-circuit it with one of the watch buttons, thus preventing mobile pickpocketing attempts on the fly.
  • The second — as an evolution of the previous one — will consider adding an extra chip and a second coil that can be switched with the push of a watch button, by playing with open/close circuits.

EXTRAS

Just some more fun stuff.


Receipt of the very first contactless transaction done with the hacked CASIO F-91W digital watch


Night view of the CASIO F-91W digital watch — kryptonite-green led backlight


Plus, I created a GitHub repository where I hosted a bunch of docs I found useful and the *.STL files for the front and the back plates you can download and 3D-print by yourself → here.

CONCLUSIONS

This journey into the realm of NFC technology, contactless payments and radio waves has been thrilling. As a hacker, I feel super lucky to be living in an era where the rapid evolution of tools, software, and digital ecosystems has opened-up new domains of possibilities allowing us to see through things and challenging us to embrace the ever-changing landscape of technology. Being a tech NERD goes beyond a mere passion for electronics or coding; it encompasses a mindset driven by curiosity, problem-solving, and the insatiable desire to learn. It is a lifelong dive into discovery, where each new breakthrough serves as a stepping stone to even greater advancements. It’s about being at the forefront of innovation, pushing boundaries, and contributing to a future driven by imagination and technological prowess.


However, amidst all the excitement and marvels of technology, I must also remember the importance of ethical considerations, privacy, and responsible usage. With great power comes great responsibility.


Let’s continue to explore, tinker, and share our knowledge with the world.

GREETINGS

A special thanks for special friends:

  • Daniele G. for always enriching my crazy ideas with priceless advice ✨;
  • Marco L. for the fun, the support and for being the cameraman 📹;
  • Lorenzo F. for all the valuable brainstorming sessions 🧠;
  • Pierluigi C. P. for genuinely believing in my capabilities 🧙🏻‍♂️.

Guys, this was EPIC 🤙.

DISCLAIMER

Any information provided in this article is for educational purposes only. I am not responsible for any illegal actions taken by individuals or entities based on the information acquired from this tutorial. The content is intended to provide general guidance and it is your responsibility to ensure that you comply with all applicable laws, regulations, and ethical standards when applying the information provided. Any actions you take based on the tutorial are done at your own risk and discretion. I disclaim all liability for any damages, losses, or legal consequences resulting from the use or misuse of the information presented in the tutorial. I strongly encourage you to seek professional advice or consult with relevant authorities to ensure compliance with the law. By accessing and using this tutorial, you agree to release me from any liability for any illegal actions or their consequences that may occur downstream as a result of applying the information provided. Please use the information responsibly and exercise caution when applying it in practical situations.


Also published here.