Recently I have been travelling quite a bit and I could appreciate the fact to pay for bus/metro rides or coffee/beers around just with contactless technology. Apple/Google/Samsung-Pay based systems require actively unlocking your tech device and this generates some slow-down in the payment process.
If you’re standing in line with a bunch of people behind you awaiting and something goes wrong, you’re toast 🥪.
As an inveterate NERD, I’ve worn a CASIO F-91W since I still had pimples on my face. This legendary timepiece graces the wrists of tech aficionados worldwide with its sleek design, sturdy build, and impressive battery life (is said to last ~ 7 years). It became a symbol of the digital watch revolution starting from the 80’s with the quartz adoption.
I thought it would be nice not to have to take out my credit/debit card from the wallet or my mobile phone from the pocket to pay, but instead, to bring the watch closer to the PoS and just pay with a pinch of modern-day magic ✨.
So I decided to give it a new life and take it to the next level by combining nostalgia and innovation in pure hacking style.
The NFC (Near Field Communication) technology enables an exchange of information without direct physical contact between two devices involved. In the case of contactless payment cards, they can be used without being inserted in a PoS slot or by entering a PIN code, making financial transactions faster and more convenient.
Inside a plastic (or metallic) contactless payment card, we can find several components:
Microchip: often referred to as a secure integrated circuit (IC) chip or a smart chip, it serves as the brain of the card and contains various sub-components like the CPU (it controls the card’s operations and manages data processing), the Memory (stores data information such as account details, transaction history and security keys) and a Crypto Core (it can generate true-random numbers, it helps in solving arithmetical challenges, it can perform encryption/decryption of data and be helpful in the authentication process of the card and the terminal).
Antenna: usually made of copper or aluminum, is responsible for transmitting and receiving radio frequency signals to enable contactless communication. It is designed in a specific pattern to ensure efficient signal transmission.
Through an antenna it is possible to transmit and receive radio-frequency waves, a form of energy that can travel through space or materials by carrying information. The frequency of the NFC protocol is 13.56 MHz (in some cases it can vary and be slightly higher, around 14.5 ~ 15.5 MHz for payment systems or ATMs). The wavelength (represented by the symbol λ-lambda, in simpler terms, is the measurement of the length of a single wave cycle) in free space is calculated by dividing the speed of light constant (~ 300'000Km/s) by the target frequency.
Therefore, an ideal antenna should consist of a 22.12 metre long wire, but by convention fractions of λ-lambda (λ/2, λ/4, λ/8, λ/16, etc.) are opportunely chosen. Another important factor is the electrical impedance of the wire, which depends mainly on the material it is made of, its resistivity as well as the cross-section of the wire itself.
Payment cards are passive devices that do not require their own power source. Instead, they are powered by electromagnetic induction when they come into proximity with an active NFC device, such as a smartphone or a contactless payment terminal. The active NFC device generates a magnetic field, which induces a current in the NFC’s target device antenna. This induced current provides enough power to activate it by allowing it to operate and communicate with the active device.
Most old technology smart cards had the antenna embedded in a plastic (or resin) enclosure, soldered to the chip, which was consequently powered directly from the induced current.
New payment cards technology consists in a dual interface that doesn’t need any wired contacts between the microchip and the antenna modules. The antenna in the card body has a few additional turns around the area where the chip module is embedded. This card body antenna inductively couples into a tiny loop antenna that is directly integrated into the microchip module. This simplifies the card production process as the antenna does not need to be attached (e.g. glued, welded or soldered) to the chip module.
Curious to see what the shape antenna looks like (realistically speaking) inside the plastic envelop of the card?
The “squares” connected in line act like variable capacitors. This, together with the windings grafted on multiple levels allow the module to couple at different frequencies.
Overall, the components work together to enable secure and convenient contactless transactions. The antenna allows for wireless communication, while the microchip manages data processing, security, and authentication, ensuring the privacy and integrity of the cardholder’s information.
To “see” through the complex and invisible world of radio waves, I had to rely on some specific equipment.
In this particular scenario, the RFID-RC522 chip was cannibalised in order to exploit the microstrip antenna on the PCB as a probe for the NanoVNA.
I desoldered the C10 and C11 capacitors and I proceeded by soldering two female jumper wires connectors in their place.
Then, I ripped off a coaxial connector cable supplied with the NanoVNA device. After separating the inner core wire (+) from the outer shield mesh (-) I soldered male jumper wire connectors respectively, in order to have a detachable interface (from the theory: the longer the jumpers wires, the higher the “noise” when reading RF values, so, keep it as short as possible).
By coupling this “frankenstein” antenna-probe with the NanoVNA through the S11 → CH0 input, I could swim through radio waves.
I started with the NanoVNA + RFID-RC522 combo.
Once turned on, the NanoVNA displays a lot of information but mostly happens to be irrelevant for this purpose. It has a resistive touchscreen alongside a wheel-based joystick that can help in moving through its menus.
The focus is all on the yellow trace so I disabled all the unnecessary traces by going to the DISPLAY sub-menu and by double-clicking on TRACE 1 (cyan), TRACE 2 (green) and TRACE 3 (magenta). It is possible to see them disappear from the screen.
I then clicked on BACK → SCALE → SCALE/DIV and I set “4” (it gives a good proportion).
I confirmed by clicking on the ENT button.
I then went back to the main menu and clicked on STIMULUS.
By clicking on START I set up 12.5 MHz.
By clicking on STOP I then set up 16 MHz.
In this way it is possible to filter all the signals by allowing the device to display only the ones in the 12.5 to 16 MHz band.
To see if the setting was good, I placed on the antenna surface a spare NFC tag.
Simple rule: the deeper the lower wedge, the higher the “resonance”.
In other terms, it means that the NFC tag used for the test is well coupled with the antenna (it is absolutely normal to see varying ranges around the frequency of 13.56MHz depending on the tags/cards approached).
Moving to the Proxmark3 device, it needs a computer to work. Inside the original GitHub repository I could find all the installation instructions (very exhaustive and well explained). I am running on macOS so I used the brew-based tutorial for quickness.
Before the very first run it is recommended to upgrade the device firmware with the latest version available. In order to do so, the procedure requires to press the “half-hidden” button and plug the Micro-USB cable while keeping it pressed. In this way the device boots in DFU-mode.
Once in DFU-mode, just run the following command:
pm3-flash-all
and it should perform everything “automagically”.
Once done, disconnecting and reconnecting the Micro-USB cable to the Proxmark3 allows it to be detected in the serial port list. By running the following command:
> pm3
it is now possible to enter in the magical world of the NFC hacking/auditing.
The Proxmark3 Tools has an interactive shell (I’ll suggest you to study all the information in the documentation, as this machinery allows to do some — even illegal — very interesting and complex things).
To test it I put the same NFC tag used for the NanoVNA on top of the high-frequency antenna surface.
By running the following command in the interactive shell:
> pm3 → hf search
it was possible to read the information related to the NFC.
NOTE: although both the NanoVNA and the Proxmark3 devices are well “insulated” electrically, they may suffer from some noise if placed on conductive surfaces such as metal or similar. I placed them on a rubbery mouse pad to make them work solidly. Keep this in mind if you’re facing some “strange” behaviour in the readings.
Let’s move to the payment card reading by recalling the last command:
> pm3 → hf search
As can be observed, the output is much more verbose than the previous one, as the card contains a “smart chip” for more complex and secure operations. This output comes handy for later comparison.
All good. All the equipment are fully working, the setup is complete and we can now move to the most interesting part.
In order to discover the type of my payment card, I had to rip it apart.
With the help of a soldering station’s hot air nozzle (set to 100 °C) I started heating the surface around the card chip by drawing circles near and far, back and forth.
The real trick here to avoid doing irreversible damages is not to stay on the same spot for too long (preventing everything from melting down).
After around 45 sec ~ 1 min of heating, I gently started to fuzz around the chip with a pair of tweezers and with a bunch of swings I was able to detach it from the plastic housing.
Although slightly covered by glue residue, it is possible to see the windings of the integrated antenna, so no soldering joints from the inner chip to the outer antenna.
It turns out that this type of payment card belongs to the new technology category, a combination of a chip with a small embedded antenna that resonates and couples with the bigger antenna hidden inside the card plate, as explained in a previous paragraph.
Moving to the CASIO F-91W watch disassembly, I went all-in. I first removed the wristbands in order to work on without hindrance.
Then with the help of a pair of tweezers and a small screwdriver I could tear it down to the bones (I had no intention of customising the internal circuits, so I left the central unit intact since in addition to contactless payments it would be convenient to always be able to consult the time 😂).
By heating the front plate with the heat gun used previously (same temperature set to 100 °C, same hi-lo circular patterns at a distance), for approximately ~ 1.5 min I applied a good amount of force from the inside to the outside of the watch case and it naturally popped out without too much effort.
After ascertaining the nature of the demolished card, I realized that I was dealing with not one, but two antennas. I wanted to see clearly so I did recall my equipment.
Taken separately, each one has its own operating frequency. The card housing alone resonates at ~ 15.28 MHz.
When paired together, however, the result is a new frequency entirely different from the individual ones. The card housing + chip resonates at ~ 14.85 MHz.
In projection to the next steps, this experiment made me realise that in order to exploit an additive/subtractive synthesis approach for reproducing a matching antenna from scratch, other factors besides impedance must be taken into account, including the thickness and/or the magnetic permeability of materials.
Dealing with antennas is no easy job. It requires a lot of theoretical and practical experience, acquired over many years of testing and frustrations, dissipated in some laboratory, maybe.
Overall, antenna tuning is a very critical process of design aimed to optimize the performance of an antenna system. It involves mathematically adjusting the antenna’s length, surface dimensions, impedance matching, SWR (Standing Wave Ratio) minimization to achieve the desired resonance, efficient power transfer and operating characteristics.
Ok, but…
We hackers, extremely lazy people, always look for the shortest path with the least effort to achieve the maximum results.
Acknowledged the above statement, my goal was to work around any specific digging into the electromagnetical boredom in order to provide the fastest way possible of iterating over the antenna design process. For this, I invented the so called “fishing tuning” (thanks Daniele G., my true friend and supporter, for suggesting me this amazing name), a ghetto (but clever) way of blindly tuning a homebrew NFC antenna.
Simply speaking, the process behind this involves basic concepts and materials. From the specs of the new tech of payment cards it was possible to understand that the chip needs to be coiled quite tightly, then, it should have some outer coils around in order to have enough resonance with the NFC reader.
The NFC reading procedure (from an active device) is spread over frequency intervals, not specific and fixed frequencies. The intrinsic variability of device coupling, given the boundary conditions, is relatively high, so any small inaccuracy is equally tolerated.
![Payment card chip size measurement (width)
](https://cdn.hackernoon.com/images/vSoRcyvb6dP2JiCy2a0lFEycpoa2-ow1k35vy.png)
I took my precision calibre and I got the chip dimensions.
With a widely used online 3D CAD tool I could design a simple spool with the chip holder (placed at the very center), leaving space for both the inner and the outer wire windings that I could extrude with the help of my 3D printer.
I used a 0.10mm enamelled copper wire (very cheap, priced a few bucks) and I started winding it around the innermost chip housing and then I continued generating coils on the outermost spool.
In order to keep everything on track, I found tremendously useful a feature that comes with the Proxmark3 tool. By triggering the following command:
> pm3 → hf tune
is possible to watch in real-time the voltage drop in mV (millivolt) of any NFC-compatible tag that approaches the high-frequency antenna surface.
Simple rule: the higher the voltage drop, the greater the antenna resonance (and thus the coupling is more efficient).
(Fishing tuning technique demonstration)
As you can see in the demonstration video above, the left hand is keeping the spool in line with the Proxmark3 antenna surface (photo below).
The right hand is slowing pulling the wire off the spool while keeping an eye on the pm3 → hf tune continuous readings. I continued while reaching the highest voltage drop (~11mV the maximum reached) at 3mV/14mV.
Then, I cut the exceeding wire from the spool, keeping a little extra for later, in case of error and/or for a more finer-grained frequency trimming. Now, we have an arbitrary-length antenna wire (mine was around 1.6 meters long) of a 0.10mm electromagnetic wire that can be coiled again in a cutest enclosure.
Side to side, from the front plate to the back plate, the CASIO F-91W digital watch has several layers of components: the metal cover, the battery holder, the coin-cell battery, the PCB, the display, the plastic casing and the screen protector. The installation of an antenna on the back does not work (trust me, I did an infinite amount of trials and troubleshooting before coming to this conclusion). This is due to too many “shielding” components that interfere and do not allow a potential NFC antenna placed on the back to decently pair with any NFC reader.
To come at a decent antenna design (without disfiguring the original aesthetics of the watch), I replicated the original front plate in the 3D CAD software, where I cut out the area to hold the chip and carved a cavity around the whole perimeter in to wind the antenna wire.
As for the back plate, I decided to replace the original metal one with a PLA- based 3D-printed one.
This allowed me to give the ensure the entire structure the reduction in electromagnetic noise generated by the presence of the metal plate, while preserving a purely aesthetic uniformity.
In order to understand the right amount of wire needed, I frequently tested the resonance peak through the NanoVNA + RFID-RC522 device combo, while un-winding and cutting the wire, one small chunk at a time.
In addition, I used the Proxmark3 device to check wether the contactless payment card shrunk in its new shape could still be well read.
The hole left by the 3D print (for the watch display) in the front plate was filled with ultra clear epoxy resin to achieve the glass finish.
The exposure to a sufficiently powerful (48W) UV lamp for about 1~2 mins per side contribute to the polymerisation (hardening) of the UV resin.
It is time to put all the pieces together.
With a pair of scissors, tweezers and a bunch of double-sided repair tape for electronics, I managed to reconstruct the adhesion surface of the front plate.
To finish, I re-assembled the remaining components closing everything with the back plate and the original screws.
I could not miss a cool strap to complete the visual appearance and fit.
I bought some stuff in different stores/vending-machines in order to prove live that the contactless payment system embedded in the CASIO F-91W works flawlessly.
A few videos are worth more than many words.
They are all good at paying with their smartwatches, but with a vintage CASIO?
The pure delight that repays all efforts is seeing people’s shocked faces → 😯 when happen that they realise what I paid with at the checkout 🤣.
There are a couple of thoughts flashing through my mind:
Just some more fun stuff.
Plus, I created a GitHub repository where I hosted a bunch of docs I found useful and the *.STL files for the front and the back plates you can download and 3D-print by yourself → here.
This journey into the realm of NFC technology, contactless payments and radio waves has been thrilling. As a hacker, I feel super lucky to be living in an era where the rapid evolution of tools, software, and digital ecosystems has opened-up new domains of possibilities allowing us to see through things and challenging us to embrace the ever-changing landscape of technology. Being a tech NERD goes beyond a mere passion for electronics or coding; it encompasses a mindset driven by curiosity, problem-solving, and the insatiable desire to learn. It is a lifelong dive into discovery, where each new breakthrough serves as a stepping stone to even greater advancements. It’s about being at the forefront of innovation, pushing boundaries, and contributing to a future driven by imagination and technological prowess.
However, amidst all the excitement and marvels of technology, I must also remember the importance of ethical considerations, privacy, and responsible usage. With great power comes great responsibility.
Let’s continue to explore, tinker, and share our knowledge with the world.
A special thanks for special friends:
Guys, this was EPIC 🤙.
Any information provided in this article is for educational purposes only. I am not responsible for any illegal actions taken by individuals or entities based on the information acquired from this tutorial. The content is intended to provide general guidance and it is your responsibility to ensure that you comply with all applicable laws, regulations, and ethical standards when applying the information provided. Any actions you take based on the tutorial are done at your own risk and discretion. I disclaim all liability for any damages, losses, or legal consequences resulting from the use or misuse of the information presented in the tutorial. I strongly encourage you to seek professional advice or consult with relevant authorities to ensure compliance with the law. By accessing and using this tutorial, you agree to release me from any liability for any illegal actions or their consequences that may occur downstream as a result of applying the information provided. Please use the information responsibly and exercise caution when applying it in practical situations.
Also published here.