Dangerous Things
Custom gadgetry for the discerning hacker


RFID enhanced motorcycle ignition

A while back the good folks over at MakeZine TV asked me to put together some video clips of me talking and using my implant. The episode should be airing tomorrow. This is one of the clips I shot for them.

Basically I stuffed a smart RFID reader and some relays into my bike in parallel with the key so I can use the key or my implant. There has been some interest in the tinkering/biker community about this so I’m currently working with a guy up in Vancouver BC (Canada!) to make up some really cheap kits. I’ll post an update when those kits are ready.

– UPDATE –

It turns out the kits never really panned out, and another GSXR rider needed some help, so I posted a wiring diagram.


17 Responses to “RFID enhanced motorcycle ignition”

  1. Alex says:

    very interesting, i’m going to do the same on my bike! 🙂
    what reader/antenna did you use? i found the innovations id-12, it works at 125khz, it’s small (25x26mm) and it has integrated antenna, do you know it? thank you!

  2. Amal says:

    I do know that reader… it’s pretty cool. You will need to connect it to a microprocessor in order to authenticate tag IDs and activate relays. I used a reader I found on ebay that had a cylindrical antenna, which works very well with cylindrical glass encased implant tags.

  3. Alex says:

    wow, thanks for your quick reply!
    I’ve just begun to learn all this new (for me) stuff on the rfid world, but I’m already planning to implant one tag in my hand like you did.
    after I put the comment I saw your page where you compared 2x12mm and 3x13mm tags, and now I’m wondering if it’s better to choose the bigger one in order not to have problems…
    I ordered yesterday from sparkfun an arduino and the id-12 just to practice and use it to activate/deactivate the security system in my home.
    then I’ll buy a reader for my car and at that point I’ll do my implant 😀
    maybe with the next readers it’s better if I choose those which have cylindrical antennas.
    (sorry for grammatical errors, I’m Italian :P)

  4. Amal says:

    Yeah, the 3mm tag has advantages, but it is also easier to break. I’ve not yet heard of anyone breaking one, and mine has done well over the last 4-5 years… but it is a possibility. The Arduino would probably work, but from what I remember it is rather bulky. You might consider a Parallax STAMP. Have you read the RFID Toys book? There are lots of examples (and code) in there that show how to use the STAMP with TTL serial readers. There is also a free sample chapter located here: http://www.rfidtoys.net/bonus.asp

  5. Alex says:

    thank you for everything, now I’ll play around a bit with the things that I’ve ordered, and then I’ll follow your advice for the next applications (car and bike, where I need smaller dimensions)
    only one more thing… how do you use your hitag chip with encrypted data storage?
    I don’t understand very well how I could use a tag with encrypted data storage… more security in authentication? personal information in it? how do you use it?
    Thank you again. Alex.

  6. Amal says:

    I use the HITAG with more expensive readers that can make use of the secure functions and access the read/write memory blocks. Typically I use the HITAG memory blocks to store a random one time use key that changes every time I use the tag to access various secure applications.

    You can read more about that concept via these posts:
    http://blog.amal.net/?p=1256

    http://blog.amal.net/?p=538

    http://rfidtoys.net/forum/search.asp?KW=hitag+key&SM=1&SI=PT&FM=0&OB=1
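
The rolling one-time key idea from the comment above, sketched as an added example (not code from the post, its author, or any HITAG tooling). The tag is simulated as plain memory; the class names, 16-byte key size and tag IDs are assumptions, and real HITAG authentication and block commands are not modeled.

```python
import hmac
import secrets

KEY_LEN = 16  # assumed key size; the comment does not specify one


class SimulatedTag:
    """Hypothetical stand-in for a read/write tag: fixed ID plus one memory block."""

    def __init__(self, tag_id, block=bytes(KEY_LEN)):
        self.tag_id = tag_id
        self.block = block


class RollingKeyReader:
    """Reader side: maps each enrolled tag ID to the key expected next time."""

    def __init__(self):
        self.expected = {}

    def enroll(self, tag):
        tag.block = self.expected[tag.tag_id] = secrets.token_bytes(KEY_LEN)

    def present(self, tag):
        want = self.expected.get(tag.tag_id)
        if want is None:
            return "unknown-tag"
        if not hmac.compare_digest(want, tag.block):
            # Known ID with a stale key: a copy exists or a write failed. Log it.
            return "key-mismatch"
        fresh = secrets.token_bytes(KEY_LEN)
        tag.block = fresh                    # write the tag first; on real hardware,
        self.expected[tag.tag_id] = fresh    # verify the write before committing
        return "granted"


def demo():
    """Constructed scenario: a byte-for-byte copy taken before the next use."""
    reader = RollingKeyReader()
    tag = SimulatedTag("TAG-0001")           # constructed ID
    reader.enroll(tag)
    copy = SimulatedTag(tag.tag_id, tag.block)
    return [
        reader.present(tag),                       # key matches, then rolls
        reader.present(copy),                      # right ID, old key
        reader.present(tag),                       # genuine tag still in sync
        reader.present(SimulatedTag("TAG-9999")),  # never enrolled
    ]


if __name__ == "__main__":
    print(demo())
```

A key mismatch on an enrolled ID is the useful signal here: with an ID-only check, the copy would be indistinguishable from the original.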

  7. Marc Jump says:

    I am interested in setting my bike like yours! If you haven’t come up with any kits, could you please share what I would need and how to get started on this setup?

  8. Amal says:

    Hi Mark,

    Kits are hard to put together because bikes are all wired a little bit differently. I did work briefly with a guy up in Vancouver BC (Canada) who was looking to or may have already produced some kits. I’ll check with him to see if he has any for sale.

    What is your bike’s make/model/year?

  9. Alex says:

    Hi Amal, does your bike have an immobilizer system?
    I have a 2006 Kawasaki Z750, and it has an immobilizer (my car does too, same problem), so unless a recognized key is inserted, it won’t ignite up.
    How did you do?

  10. Amal says:

    Hi Alex,

    My bike does not have an immobilizer, however you can still hotwire around the immobilizer. Those are not intended to stop people with extended access to the vehicle, only people who would normally break the key switch and try to hotwire and run in a 5 minute time span.

    You’ll have to get a wiring diagram for your bike/car and probably do some investigating on your own to figure out how to get it to work. The wiring diagram for my bike excluded the fact that, actually there was a very simple little “immobilizer” trick the computer used to detect a hotwire vs key… a specific resistance on one of the lines was required to get the computer to recognize a key vs a direct short (hotwire). After scratching my head a bit, I finally measured the resistance of all the switched pairs coming from the keyswitch and found one pair that was not a direct short when the key was on. I got a resistor from my workbench that matched the value and stuck it into my RFID design and it worked… the bike came to life.

    I suspect the wiring diagram for your Z750 may exclude something similar, but you should be able to figure it out with some testing and trial and error 🙂

  11. Alex says:

    You’re lucky! 😀
    I’ve spent the last 2.5 hours looking at the wiring diagrams for my bike, and the only acceptable solution is to emulate the signal coming from the immobilizer amplifier to the ecu or the signal from the antenna to the amplifier (I think the first one is easier).
    Sadly everything is controlled by the ECU, so when it recognizes that the start button is pressed, it checks that the signal from the amplifier is the right one, then it begins with all the routine to start the bike.
    I’ll try to figure out something with the oscilloscope, I’ll let you know. 🙂

  12. Amal says:

    Hmm that’s interesting… so the ECU actually has the RF signal processor in it? I don’t know much about immobilizers but that seems extreme to me. I would think there would be a separate RF processor that simply passed a high voltage on an I/O line to the ECU… or maybe even just had a simple relay/transistor gate in there that blocked ignition.

    I’m very interested to hear what the outcome is with the o-scope!

  13. Alex says:

    I have only two old analog oscilloscopes with no memory, so I could see almost anything, because the id transmission is made only once when i turn the key.
    I don’t know what to do… maybe the amplifier is also a reader, it seemed to send a digital signal, but I’m not sure of this either.
    what I’m sure of, is that the comparison between the key id and the allowed ids is made inside the ECU, in fact if I lose the master key, I have to change the entire ECU! (1200€, 1700 usd :S )
    I also don’t know which frequency it operates on (I only have an id-12 reader, and it doesn’t recognize the key, so it isn’t at 125khz…) and if it has encryption (maybe not, on a kawasaki forum I follow I read that someone has a spare key with a battery in it that simply works, without reprogramming the ECU with the master key, so I suppose it’s an emulation of the original tag)…
    I’m stuck in the poop, give me some advice 😀
    I could try with a pic, making somehow read that data in input and then replicate it in output on command, but I’m not sure it is going to work…

  14. Amal says:

    Hmm, yeah, it sounds like maybe there is a reader that forwards the ID of the key to the ECU. This could be a simple TTL serial communication, or maybe an I2C or SPI communication.

    The tag could still be an LF tag… it just might not be speaking the same language. Many vehicles use a LF Texas Instruments challenge/response tag. Not all LF tags are the same, and the ID-12 can only read one type of LF tag.

    I think your best bet is to try to determine where the RFID reader is in the scheme of things. Somewhere it’s going to communicate either a simple “you’re good to start” signal, or it will communicate the RFID tag ID to the ECU, which will probably be in the clear (unencrypted). Your best bet in either of these scenarios will be to emulate the signal coming from the RFID reader to the ECU.

    If you want to post some pictures and a good scan of the wiring diagram, try posting to the forum: http://rfidtoys.net/forum under the “reader projects” section.

  15. Amal says:

    Hi Alex,

    I’m not sure if you’ve checked it out yet or not, but is there possibly an immobilizer bypass kit available for your bike?

    http://www.google.com/search?q=immobilizer+bypass

  16. Alex says:

    wow, those things are awesome! I never heard about them, I’ll try to understand how they’re made so I can do one for myself, thank you so much! 😛
    (last week I tried with an arduino and some connections to step down the 12v signal to a 5v signal, I don’t know precisely what happened but I think I fried it anyway :D, so I was thinking if I could find another solution… I’m going toward this one 😛 )

  17. […] while back I posted a video of me starting my ‘05 Hayabusa using my RFID implant. I had always intended to post a diagram […]
