Hi. In a previous video, we took a look at the security of the RFID payWave PayPass whatever you want to call it near field comms system in modern credit cards and be they Visa MasterCard or whatever they contain a coil in here which allows you to do a contactless payment. they're very common in Australia I Know they're not common or not available in some other countries, but very common here. You just basically tap the things and go and you can actually see the inductive coil inside there.

These little you know, a couple of turns around the outside of the card like that and so I click here if you haven't seen the previous video and watch that first. Now somebody on Twitter pointed out that you can buy active RFID scanners. You can actually get them from the local JB Hi-fi store here in Australia which is like a local. You know they sell electronic consumer goods TVs and DVDs and computers and everything else.

They sell an active RFID Jammer. So I Thought we'd do a teardown of it and also give it a try to see exactly how this thing actually works. It is an active one. It's not a passive one like we looked at.

You can just use some our foil. For those who don't know our foil aluminium foil Yanks Like to call it aluminium foil. now in Australia causes aluminum foil aluminium foil more than good enough if you put that adjust like it on one side of the card is good enough in your wallet or your purse or whatever. good enough to protect you against, um, any skimming or fraud or anything like that.

If Person: If a person is close to you with an Rfid reader and this is an active jammer instead of a passive attenuator which is what aluminium foil is. or you can buy wallets or purses that are looked at in the previous video. If so, this one's actually looks like it's from Australian Company: It's called the Armored Card. Omeka con au: it's electronic.

German Technology: Thirteen Point Five Six Megahertz only works on that frequency and it's supposed to be our powered so it's supposed to be a battery inside this thing. It's not just a passive thing like these cards are where they basically just work with the magnetic field that they pick up from the reader / transmitter. This one actually contains a battery and actively jams it. Um, so yeah.

I Thought we'd take a look at it I doesn't work and B hopefully I'm gonna do a teardown of what's inside this puppy. Let's go if we have a quick look at the card itself. It's A. It's reasonably thick so it's not credit card a thin.

It's like at least two or three credit cards or something like that. but considering that contains the circuitry, the battery, everything else, then you know. Yeah, that's okay. Designed to slip into your wallet or your purse and actively continuously actively Jam it.

And it's got a little capacitive touch switch on here that allows you to just test the thing or turn it off if you're doing a transaction, but it'll be pain in the butt if you've got to get this thing out of your wallet along with your credit card and then D you know and then, well, let's try it, press it and bingo it's flashing. There we go. So it does have an internal battery source. its disabling the jamming and doing the battery test.

Haven't read the instructions presumably green means the battery is okay, but it's also got an active jamming light which hopefully should come on when we put our near-field comms mobile phone next to it and try and actually read a card. And if we flip it over to the other side here, you can actually maybe start to see a pattern of stuff inside there, but you can actually see the coil around the outside. Check it out. There we go.

It looks like they got a couple of turns and this thing quite a few going all the way around. You have to get at the right light. of course there's a little via down there going down into the board, so we've just got a PCB material with this start. plastic sandwiched either side and it's been cool of the assurance tested.

So let's put our mobile phone up with an NFC card reading a tag. I've turned the NFC on and let's see if that hip that comes on. Sure, well it fly, yet it's flashing. There you go.

And that will probably coincide with the packets because as we saw in the previous video, the NFC is continually scanning out, continually sending out a signal. a packet. We're trying to get those cards to wake up. So yeah, it can detect that and work.

How far back? Oh, it's got to be. Let me let me try it. It's actually got to be fairly close. It's got to be like a couple of centimeters an inch away at most.

So yeah, it's not terrific. So presumably you don't need to disable this thing because this thing is going to typically stay in your wallet or your purse or whatever. Then you're going to get your card out and you can do what, tap it and do your payment. of course, like that.

So you know. Look, it still worked. No problems at all. And that was, you know, like six inches away from the thing or something.

So you know. Yeah, you don't really need to disable it. It's always active, it's always there, ready to receive and then jam. So let's try that again.

But have our card next to that and yeah, you didn't actually see it still flashing through there and that is not going to scan that at all. So yes, it does seem to work. And yes, I've played around with it and as long as you keep it, maybe if we keep it this far away. Well yeah, there we go.

Forget to a point where you're taking a once again, you know, five centimeters away, something like that. An inch or two away, you can easily still read your cards. So yeah, it's going to be right next to it in your wallet. So right there.

if you've got a large purse or something like that, then it actually may not be that effective. And check this out in the store where I bought it from JB Hi-fi I Couldn't believe this. It was absolutely hilarious. Look where it is positioned to the F post terminal there right next to it.

so you've got an our active RFID jammer right next to the RFID reader. And yes, I did actually have problems with it. and yes, the shop assistant said oh yeah, the cards. We have to put it at a certain angle to make him work.

Oh so right there. That's a downside of one of these are active Jam as it looks like it has to be reasonably close, as does the alfoil as well. But at least the alfoil can go like only outer pocket of your purse or something or your wallet that then folds over. It's going to protect your card fairly well.

Where is this thing? It has to be close, so just be aware of that, right? So just like in the previous video, I'm going to use my magnetic H field probe here. I'm going to be able to put that on there and then we're going to be able to await capture some packets on there and exactly and see exactly how scamming it. Oh, that's not a bad one, in fact, you can see the decay. Well, you can see it ramped up in amplitude as I approached it and then ramped back down in amplitude.

So it just captures and data here without the armor card card. So this is a proper credit card transaction. as we saw in the previous video. this is the 100% modulation that basically pings the card and then we've got the data returned over here.

You can see this is the modulation coming back, the 800 kilohertz or so modulation on the data coming back from the credit card. So this is what must get spoofed inside this armor card. It must be just sending back random data or doing something else. And as we saw in previous video, the Iso standard for these RFID contactless cards actually contains an anti-collision system.

so it's designed to have multiple cards in the field. So, but in theory, uh, it shouldn't be hard to actually, um, spoof this at all and just corrupt it. which is random data all over the place. You know, the window, the time window when it's actually supposed to happen.

So you know you can just go in there and just modulate randomly and just screw everything up. It's probably not that hard at all. Okay, I'll do that exact same mark CAPTCHA again with the same trigger point and everything else. But now I've got the Armor card directly under the credit card, so let's give it a go.

And Wow Bingo. Look, that's very periodic isn't it? No, it's periodic modulation right there and it's the same. It does not change at all. So once again, here is our here's our phone.

Our RFID reader pin this doing its hundred percent modulation and then it expects something bad. But look, this thing started started to corrupt juror like it's during the whole time period, before and after. it's just always doing it, so it looks like as soon as it detects any sort of field at all, it's just continually modulating like that, so that will definitely completely screw it up. Yeah, that's that's exactly how it's doing it.

and that's all you need to do I'm either. But in this case, it's not just random data, it's just complete. It's just continually repeating in that frequency range that we had before. We can get in there and actually measure that, but it's going to be a similar out frequency range to what's expected by the ISO standard of course.

But they're just continually pumping this crap out and that's what causes the interference. That's going to work a treat. And yep, there you go. 862 Kilohertz around about that 8:47 I'm not going to get in there and dick around.

so it's within the modulation frequency that the RFID protocol expects. and that's how it's screwing it up to easy. And by the way, for those wondering if you need to fully encase your credit card in our foil, the answer is no, you don't. It just has to be near enough that it affects the the transformer properties of because that's effectively as I explained in previous video effectively.

What? This is a transformer with a primary and a secondary here. So let's give that a try. Put it over there. Nope.

Doesn't work at all. Maybe if we raise it by that I don't know. Thin thickness of that, what? 15 millimeters or something? Yep, got it. Okay, so it needs to be somewhere under that.

So there you go. that's not very thick at all. Let's try that. That will maybe work.

Nope. Nope. let's try a thicker one, not as thick as the tape here. And yeah, we're able to get that.

So there you go. maybe 10 millimeters within that rule of thumb. and I know people wanted to see this thing torn down before I turned it on, but in this case it might be a destructive teardown. I'm not sure I'm not sure if it spotted inside, whether or not this is just a cap which will just pop off, or whether you know I don't know you have to Dremel the thing so I want to try it first, but anyway, let's tear it apart and it is starting to snap off not easily.

but it's coming and bingo this souls. The first start question I had was just what battery does it use inside this thing It's got a Lithium manganese dioxide dart selling it and I'll link in the datasheet down below. We can still make out the part number here. three volt nominal hundred milliampere capacity.

and even though this thing looks like a Lithium-ion rechargeable battery, it's not because that wouldn't work. That'd be silly because you would. You hardly ever would use this thing in a magnetic field and even then it's only for you know, a few seconds you wouldn't get the energy required in order to what recharge your battery. So it's got to have a primary battery in there.

How long it lasts? probably actually many, many years, because this thing does not require much at all. Low-power micros of course, are a dime a dozen, they you know, run on the sniff of an oily rag and you know, even on the tiny coin cell, this is like a hundred milliamp hour capacity. It's a fairly decent size you know, grunty cell for this kind of application and all you've got to do is have that low powered. It doesn't even need to be a micro in.

There could just be discrete circuitry that just as we saw on. because it's a regular periodic a pulse, you could just do that with just you know jelly bean logic stuff and get away with that and all you've got to do as I showed in the previous video is, well, I've got it here. There we go. All you've got to do is have the micro like this and then just have a treat herb in this case to be a MOSFET that just puts a load across the coil and that's all it is.

It doesn't really take any, you know any major energy to switch on that MOSFET and put that load across the coil so you could run for years on this thing. So I wouldn't worry I wouldn't be concerned with this thing going out I'm sure they've done their engineering to, you know, ensure that lasts for a long, long time. you know, five year, you know. Basically yeah, shelf life or the battery kind of thing and this thing actually still works A treat even after taking that.

I've haven't taken the front off yet and there we go. and if we hook that up there we go. It's still flashing away. So you know the the lids on these things are going to take the most current on this thing so it could like just it, may not even bother to detect the field.

Of course, it could must be continually going switching that transistor on and on in that fixed period because all you have to do and it takes bugger-all energy to switch a MOSFET like that off and on. so you know, why not just keep doing it all the time. It only needs to run at that 800 day kill a Hertz or whatever it's bugger-all and that there is no doubt in circuit programming interface for our micro. whatever that happens to be got to get the top side off.

It is sort of like heat staked in here. They are plastic so they just got some holes in there so hopefully we can pop the top off and have a look at the circuitry. And of course, even though I said you could do this with like jellybean logic kind of stuff, you know we've got to have the ability to read the capacitive touch sensor here and flash the LED and do stuff like that. So no doubt it's just some low-power micro like a Msp430 or something.

Oops, that's what you get. which funny here's a knife to try and slice across. I was being quite gentle, but it looks like it hooked some of the case of the battery. and yeah, that's the magic fluid.

And if this was smellivision yeah you'd be able to smell like and smell that it smells like a isopropyl alcohol. but no worries, like that still works. a treat and yep, beautiful. There we go.

Oh five, three, six something or other off the top of my head I'm not sure what that one is I'll have to give that a bit of a googol. a surprise. they use a crystal in there. you don't really need that sort of accuracy, so just an internal.

the own internal RC oscillator probably would have been enough inside a micro I would have thought. Anyway, so yeah, that's all there is. that's the only circuitry in there. just a bunch of passives and that one micro, that's it.

and the coil on the outside. of course. Now our battery died, but granted I have come back the next day and I'm shooting this so it all just dried out so it just hooked on a couple of triple A's there. and I've been trying to probe around the signals here and sorry I haven't been able to find anything and this is not the least bit surprising because the transistor on here.

there is no external transistor. There's no, you know, SOT 23 package or anything like that. There's no external transistor using an internal transistor in micro to drive the load across the coil here, but of course it's going to be. well, it's going to be a MOSFET see my cell put of course, but it's going to be an open drain one.

so if you go probing there, you're not going to see anything switching on the output because it's just going low low. Like, like it's not. You've got to have something. You've got to have an induced magnetic field to induce a current in here.

So they can actually have a current flowing through the coil and the transistor in order in order to see it switch. But I Do believe that it is simply continually switching the load across this coil. And of course, if there's no external magnet field, there's no current. so you can do that with essentially are no current a consumption penalty.

So unfortunately, there's nothing interesting to see if you probe around on this thing. But we've seen it with our H field probe here that it's basically continually. I'm not going to use the word transmit, it's continually modulating this coil here, continually putting a load across this coil so that as soon as and a coupling field comes in, then it will instantly start modulating onto the primary of the transformer here. and it's going to corrupt the thing because you know that's just going to screw your day.

If you're the reader here and you're expecting a coded protocol, back out of the modulation here at the eight hundred and forty seven point five Kilohertz modulation frequency, then you're just going to get the data is just going to be garbage. It's you know it's gonna completely screwed up. So yeah, this thing is going to work a treat. no worries whatsoever.

And it's drawing about four micro amps for those playing along at home or just to sit in there like that. And if we go there, the lead obviously will. Huge lead will jump that right up. no worries.

And if we bring our reader close to it, what do we get? Yeah, jumps up to well. 300. It's doing a few things there, but yeah, it's jumping around the place. But you've got to be careful actually using a magnetic coupling thing like this.

On to essentially what is we've got like, you know, loops in here. We've got wires it's gonna, and we're looking at microwaves here, so you've got to be careful. This doesn't induce something into the wiring and the test setup, and that's a real concern here. So I wouldn't take those figures at face value.

It's yeah, this is going to be Tryst, something that's a bit tricky to measure. So I'm just around here seeing what we've got. But yeah, you would have to check your tests up and rule out that you're not actually inducing current into either your test setup, your war in the ground system or anything like that. And of course, this thing has a patent.

so we can go in here and have a look at from a company called Harris Tisse Proprietor Limited here in New South Wales and they have had this granted apparently so we can look at the details. So here it is inhibiting unauthorized contactless reading of a contactless readable object patent speak Yet again, they actually call with an antenna. they don't call it a coil and basically I won't bore you with the details here. you can read it for yourself, but it's basically saying that it is sending that it emits the jamming sync or in response to receiving the interrogation signal.

so it looks like it's not continuously doing it. Even though I Think that's a perfectly valid technique, it appears to be what they're doing, but maybe they couldn't get the patent on that. Maybe they had to, you know, get it to get the interrogation signal before the JIT before they admit the jamming. Otherwise it said like it's a different use case usage case for patent in the idea, perhaps.

So yeah. Anyway, that's what it seems to be and blah blah blah. We can go and read all the details and it's as boring as the proverbial bat poo. But they are saying here that about three centimeters of the jamming device and they're saying about two centimeters here.

So which one is it? I'm not sure. but yeah, it's that's what we saw. Basically, it needs to be within. you know, a couple of centimeters.

This thing to be effective, although at a larger range. It could actually be annoying if it is transmitting all the time or it's just in periodically thinking that's got it's being interrogated, then it might just transmit something. So as we saw in the example of it's sitting next to the F post terminal on the counter of the store, that could be. You know that could be a problem, but it does get a bit more interesting down here.

We have a bit more of a block diagram modulator demodulator because it has two signal interrogation to take her. It's got to do all that sort of jazz. It says recharge port here, which that they've obviously gone away from that because this is a primary cell inside here and we've actually got some schematic stuff look ABC touch. So there they not implementing that with your more traditional thing and it's interesting that they've got a discreet driver transistors for the LEDs here.

We didn't see those in there, so they've obviously done away often. You don't need it. I Mean he's just pulse. it'll lead.

You can easily do that with the micro. So they've got the part numbers and everything though in the pattern. And here's the loop antenna. Here's the RF detection circuitry for diodes.

We did see a whole bunch of our diodes in there, so that's how they're getting the RF detection out there, detecting the modulation while they're detecting the interrogation frequency. The interrogation pulses that we saw before. That's boring. We've got a micro.

Oh, look, pin numbers. There we go. Can we work out what? Maybe I'll link in the pattern down below. Maybe we can actually get what micro that is because there goes that three.

Alright, Thirteen Point Five Six. So they are using their you? Is that the Thirteen Point Five Six megahertz crystal? They're interesting. Anyway, we should be able to get what micro that they're actually using there, but as I said, we didn't see any discrete MOSFETs on the output. So obviously it's it's changed.

and then they go into how it all works with the real web browser what serving processing system. Now they trying to do a broader get a broader pattern so that they can potentially patent troll people I Hope not. And then we've got the physical embodiment of the thing. and oh, look, even example Passport Like you know, example applications and everything else.

And then we've got a photo of the thing and but they're useless. Looks like it used to be called pay Guard. There you go and it's changed and that's the end of the pattern anyway. I'll link it in down below if you want to see all the gory details.

So there you have it. There's a look inside the armored card and RFID active Jammer and it's probably going to do the business, but ultimately I Can't see why you would bother having something like this and you know it's a battery's gonna run out in a few years time. Just if you're worried about his security with this thing, just put some Al foil inside you or your wallet or your purse or whatever. Oh Wrap your passport in it or you know you get one of the shielding you can for a much cheaper cost.

This was fifty eight dollars Australia Must cheaper. You can get just the shielding sleeves that you can put your passport or your credit cards into. But ultimately, as I said in the previous video, the threat is actually really quite low. Yes, it's possible that people can actually skim you by walking past you or whatever sitting in proximity to you wherever you are, but they've got to be able to do an authorized transaction.

It's not like they can just steal the details either card and then go off and do a transaction later. They've got to do a real-time transaction right there. Pretty much so you know. Yes, in theory it's possible.

In practice, the risk is, you know, fairly low and you're limited in Australia when limited to a hundred dollars per transaction here, and you're not legally liable for it anyway if somebody schemes it. So not a huge deal. but these things. this armored car in particular, from what they were tell me, is selling like hotcakes at JB Hi-fi So everyone's buying one of these things and I got what the last one? They're crazy and I don't know Anyway, I don't I don't see the point in having an active jammer like this.

It's just it's just a complex solution to a problem that either I has no real risk to it or be has a simple solution in the our foil or a shielding thing. So yeah, it's neat, but yeah, you're wasting your time I wouldn't I wouldn't buy one. So if you liked the video, please give it a big thumbs up and all that sort of jazz and you can always discuss it down below it linked to the Eevblog for YouTube Comments: try to read them all. Catch you next time.

Hi! just a quick impromptu teardown video of one of these RFID cards. This one is actually the card to access my lab here in the Eevblog corporate towers. right on down in the carpark. And about the only time that something like this a little deer so quad will actually be useful I Think I'm just going to check the frequency of this thing and see what we get, see whether or not it's the one of the 125 Kilohertz frequency readers because I don't know.

So let's there we go. That's 125 Kilohertz one. I'm just.