In my apartment building, I noticed the were using some older 125kHz HID RFID Cards to access the building & elevator. The card they gave was pretty big, and fit awkwardly onto my keychain. For this reason, I'd constantly be leaving my keys around on short trips, and be locked out. So I took to the internet. I remembered an older video from N-O-D-E on how he had modified a Casio F-91W to fit an NFC tag, and I've been looking at a few of my $20 Walmart Casios with starry eyes ever since.

Doing some quick eBay searches found what seemed to be the smallest and flattest 125kHz tag with a T5577 chip. It had a diameter of 30mm (~1.18in) and based on some quick & sloppy casio measurements, it looked lke it would fit, but would certainly be snug. The tags came in the next week, and upon first glace, It looked like there was no way this tag would fit in the Casio F-91W. So, frustrated at ~10:30 at night, I made a resentful Walmart trip, picking up the analog Casio MQ-24.

Getting it home, this seemed like a perfect fit. I liked the look, and it seemed to mirror the diameter of the 125kHz tag. So, I got out my proxmark3 copy and worked to read and duplicate the HID card. After fighting with the firmware of the proxmark for too long, it came around and cloning was a breeze - the tag would open the elevator with no issue.

I worked to pull the chip & antenna from it's laminated plastic confines to make it as small as possible. Afterwards, it fit and seemed to be read properly by the proxmark. Finalizing the last step, I realized I had potentially missed a crucial detail: the clip-on back plate of the Casio was metal, creating a type of faraday cage around the RFID tag. The proxmark would no longer identify it.

..back to the drawing board...

I wasn't ready to design and 3D print a new backing, as it was held on with tension rather than screws so that engineering would take some iterations - I just wanted quick and dirty. Glancing at my Casio F-91W, I took the back off that. It was also metal but was held on with screws, which could be more easily designed if I was lucky.Surprisingly, the tag without the lamination also fit in the back. The proxmark read it again with no back plate, so I thought "what the hell" and popped the back plate on. To my surprise, the expected data was read from the chip. To confirm this, I even took it out to the elevator, and was able to gain access with no issue. Weird, but success!

Moving forward I do think I would still make an attempt at some 3D printed back plates. This would mean a lack of a piezo alarm in the watches,but personally I'v never used that alarm. After a few months of use, it seems like the signal is slightly hindered by the metal, and when there's people behind you trying to get on the elevator, you're in a rush, or even getting home inebriated it isn't always smooth having to perfectly align the watch's antenna with the reader's. Updates will likely come.

Update (11/18/2022)

Quite a bit has changed with the RFID watches. First, I was noticing that the range was awful, and they would hardly ever scan on the first try. The solution to this was 3D printed backs! Specifically for the F-91W. This proved to extend the range a whole lot, was an easy design, and fit the watch so well that I would put my chips on some water resistance.

These watches were also all demo'd at the Rochester Maker Faire of Nov. 2022, and used to show off the vulnerabilites of using 125KHz RFID tech. Pics of the demo can be seen in the gallery! Moving forward, I'd like to keep up with the Casio hacking - maybe even start working on custom PCBs for them to do some crazy stuff down the line.