It all started one day at work. I had used my swipe card to get through the front doors, and without thinking too much, I put it in my back pocket. Later that day I sat down — crunch! The card had cracked from side to side. I wrapped it in tape to hold it together, and it still worked for two weeks, but then something in it failed. I tailgated people in and out of the building that day.
I had paid my company a $100 deposit on that pass card, and that night I decided I wasn’t going to give it up by asking HR for a new one. I was determined to fix it myself.
Step #1: BackgroundNext
- It all started one day at work. I had used my swipe card to get through the front doors, and without thinking too much, I put it in my back pocket. Later that day I sat down — crunch! The card had cracked from side to side. I wrapped it in tape to hold it together, and it still worked for two weeks, but then something in it failed. I tailgated people in and out of the building that day.
- I had paid my company a $100 deposit on that pass card, and that night I decided I wasn’t going to give it up by asking HR for a new one. I was determined to fix it myself. A bit of research showed that these pass cards are often called “proximity cards,” and operate in a manner similar to the tiny RFID tags found inside the new U.S. passports and even pet dogs.
- See Step 6, "How Does It Work?” for a basic explanation of their operation.
Step #2: Next
- Bending the card slightly to widen the crack revealed a coil of fine copper wire inside, and when I dismantled the card completely, I was surprised to find that its plastic shell contained not only a coil but also a small integrated circuit (IC) on a printed circuit board (PCB). Even more surprisingly, it had no battery!
- I carefully removed some of the outside shell to reveal more, and then exposed the coil and PCB completely.
- With the aid of a jeweler’s loupe, I could see that the wire coil had broken —in many places, unfortunately. It would have been a major job just to identify the correct wires to solder back together, let alone actually doing it! Plan B was to wind my own coil, but back in the depths of my mind were the makings of Plan C: replacing the coil with one from another card.
Step #3: Extract the Donor CoilNext
- After 20 minutes pawing through one of my junk boxes in the attic, I found an old pass card from a previous employer. It carried a different code, so it wouldn’t work at my current office, but its coil was intact. What’s more, the heat in the attic had dried out the glue — the card practically fell apart in my hands. Plan C was the way to go!
- I used a sharp craft knife to pry away the old glue that held the coil and mini PCB to the plastic shell. I took great care, as I couldn’t afford any breakages. After 10 minutes, the salvaged coil was free.
- I unsoldered the donor coil from its original PCB using a fine-tipped soldering iron, holding the PCB with a pair of locking tweezers. This was easy, as I didn’t have to worry about overheating and possibly damaging the old IC. After removing the coil, I tested its continuity with a multimeter. Success! The coil was intact.
Step #4: Attach the New CoilNext
- The tricky part was attaching the new PCB. This time, I had to be careful to keep the iron on the joint for as little time as possible, since the PCB was small and could quickly overheat, killing it forever.
- Things went well, though, and because the ends of the coil were already tinned where I removed them from the old board, the joints were easy to make. The coil from my old card was now connected to the mini PCB from my new card.
Step #5: Seal It UpNext
- Now it was time to look at the housing. My old card’s shell was filled with dried-out glue and covered with ground-in grime. Fifteen minutes later the case was clean, thanks to some isopropyl alcohol, a soft cotton rag, and a bit of elbow grease.
- The last step was to position the coil and PCB in the old case and hold it in place with a few drops of glue. The card’s thin plastic backing had suffered from the cleaning process, so I elected to replace it with a piece of clear, self-adhesive book film trimmed in place with a craft knife. (White book film would have been fine, but with clear film, the card made a great talking point with my co-workers.) The results looked good, but the acid test would have to wait until the next morning at work.
- At 8:36 a.m. I waltzed up to the front door and waved my pass at the security panel. “Click!” went the door. “Woo hoo!” I shouted. The guys in HR couldn’t understand why I was smiling so much that day.
Step #6: RFID Tag: How Does It Work?
- There is a lot of misinformation out there about how RFID works. Here’s a typical explanation:
- The reading unit (attached to the door) transmits radio energy. The card receives this energy, converts it to electrical energy, and then uses it to transmit its serial number back to the reading unit, which recognizes the card and opens the door.
- While this is neat and simple, it’s also wrong. Yes, the card’s coil antenna absorbs the RF energy, and this is used to power the chip, but technically speaking, the card doesn’t transmit anything at all!
- Without going into the gory details (look up “load modulation” if you want them), you can better explain RFID with the following analogy:
- Let’s say you’re out on a boat, and you want to use a mirror to send information to a lighthouse. You can encode it in a binary format and then transmit one bit each time that the lighthouse beam sweeps by, where reflect means 1 and not reflect means 0.
- Security pass cards use the same principle, but instead of one sweep every 10 seconds or so, the reader transmits at 125kHz. The card’s chip communicates its data by selectively shorting out its coil over successive cycles of the 125kHz transmission. A shorted coil doesn’t absorb any of the RF energy, while a non-shorted coil does, so the reader then distinguishes 1 from 0 by measuring the peak voltage on its antenna to see if it’s high or low. In this way, the card communicates its 24-bit serial number, along with synchronizing and checksum data.