In late 2025, I came across a Taobao listing that was selling a UHF RFID reader for less than 10 USD. This is fairly uncommon, as most readers go for 15+ USD. I decided to buy one to add to my reader collection (I ended up buying 6 units).
This UHF RFID reader is sold under the model numbers below (with Taobao links)
Searching online based on the provided software and screenshots, I was able to track the company that made the software down to Cykeo, a company that specializes in making industrial RFID readers and antennas.
The reader comes with its own software and SDK, and is able to output in multiple formats including Wiegand, Modbus, as well as emulating a USB Keyboard.


Cracking open the reader, we are greeted with a 30mm x 30mm PCB soldered to another PCB that provides a USB-C connector, a buzzer, and some LEDs. To keep the PCB compact, 0603 SMD components were used.

Taking a closer look at the front, we see that the MCU and an unknown RF chip have had their markings lasered off, and the back has descriptions of what each pin does. What catches my eye is the SWDIO and SWCLK pins: this means there are Serial Wire Debug capabilities, and a chance to dump the firmware.


Before we can attempt to dump the firmware, we need to figure out which MCU is used. Lucky for us, when the reader is plugged in, the device identifies itself as a "N32g43xCustom HID", which led me to believe that the MCU was an N32G435.
Connecting the SWD header to a J-Link, setting up its parameters, and attempting to read the firmware, I was able to get a successful dump. MCUs usually have code readout protection, which prevents the downloading of flash contents; the manufacturer did not turn this feature on.
The firmware can now be thrown into IDA/Ghidra for analysis. Using the strings within, around 70% of the firmware can be mapped back to the N32G43x SDK and example implementation found on GitHub. From within the firmware, the RF chip can be identified: they are using an Si4463 transceiver chip that supports the ISM band.
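A quick sanity check on a raw dump before loading it into IDA/Ghidra, as an added example (not code from this repo): it flags a blank read, checks that the Cortex-M vector table is plausible, and pulls printable strings for matching against the SDK. The flash and SRAM base addresses and the 32 KiB SRAM size are assumptions to confirm against the N32G43x datasheet, and the sample image is constructed.

```python
import re
import struct

# Assumed memory map (typical Cortex-M layout; confirm against the datasheet).
FLASH_BASE = 0x0800_0000
SRAM_BASE, SRAM_SIZE = 0x2000_0000, 32 * 1024


def triage_dump(image: bytes, load_addr: int = FLASH_BASE) -> dict:
    """Sanity-check a raw flash image before loading it into a disassembler."""
    if len(image) < 8:
        raise ValueError("image too short to hold a vector table")
    # Heuristic: a failed or blocked read often shows up as one repeated byte.
    blank = len(set(image)) == 1
    # Word 0 is the initial stack pointer, word 1 the reset handler address.
    initial_sp, reset = struct.unpack_from("<II", image, 0)
    sp_ok = SRAM_BASE < initial_sp <= SRAM_BASE + SRAM_SIZE and initial_sp % 4 == 0
    # Handler addresses on Cortex-M have bit 0 set (Thumb state).
    reset_ok = bool(reset & 1) and load_addr <= (reset & ~1) < load_addr + len(image)
    strings = [m.group().decode("ascii")
               for m in re.finditer(rb"[\x20-\x7e]{6,}", image)]
    return {
        "blank": blank,
        "initial_sp": initial_sp,
        "reset_handler": reset & ~1,
        "vector_table_ok": (not blank) and sp_ok and reset_ok,
        "strings": strings,
    }


def build_sample_image() -> bytes:
    """Constructed 1 KiB image: vector table, padding, one SDK-style string."""
    vectors = struct.pack("<II", SRAM_BASE + 0x4000, (FLASH_BASE + 0x200) | 1)
    body = vectors.ljust(0x200, b"\xff") + b"\x00\xbf" * 8  # Thumb NOPs
    body += b"n32g43x_demo_string\x00"  # constructed, not from the real firmware
    return body.ljust(1024, b"\xff")


if __name__ == "__main__":
    for name, img in (("sample", build_sample_image()), ("erased", b"\xff" * 1024)):
        r = triage_dump(img)
        print(name, "blank:", r["blank"], "vectors ok:", r["vector_table_ok"],
              "reset: 0x%08x" % r["reset_handler"], r["strings"])
```

For a manufacturer, the same check works as a production test: with readout protection enabled, a debugger read of a shipped unit should not yield an image that passes it.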

The reversing of the firmware is left as an exercise for the user and will not be covered here.
The reversing of the PCB would not be possible if the firmware dump was not successful. Now that we have the firmware, my next goal is to recreate the PCB but using larger 0805 SMD components.
With PCB reversing, the first step is component identification. Using a hot plate, components were removed one by one, and their values recorded.
When dealing with small value components like inductors and capacitors, a Nano-VNA can be used to identify their values.
Identification of parts took a while, as finding parts with the same name was challenging. Using part numbers, a multimeter, a component tester, an oscilloscope, image searching and poring over datasheets helped find most of the components.
| Marking | Name | Notes |
|---|---|---|
| N32G435 | MCU | Datasheet |
| Si4463 | RF Transceiver | Datasheet |
| 87t | Planar Schottky barrier diode | 1PS70SB84 (Obsolete), the closest is BAT54S |
| 1F | 45 V, 100 mA NPN/NPN general-purpose transistor | Datasheet |
| -V4 | 2-ch, 1.65-V to 5.5-V inverters | SN74LVC2G04 |
| AM | NPN switching transistor | MMBT3904 |
| G4B | RF Switching Diode | No exact match found, the closest is BAV70 |
| N933 | 500mA uCap Ultra-Low Dropout, High PSRR LDO Regulator | Datasheet |
For the Si4463 matching and filter network, the datasheet was used to identify the nominal values.
After the components and their positions have been identified, the solder mask of the PCB is stripped using 200-600 grit sandpaper to expose the front and back copper layers. This PCB is 4 layers and is 1mm thick.
Next, using high-resolution images, Inkscape, and a multimeter, the traces of the PCB and its vias are drawn in separate layers.
This step also maps the MCU and RF pins; an overlay from the datasheet is added for pin identification. The positions and values of the components measured earlier are also noted, and grounds and power lines (5V, 3V3) are color coded.
Using KiCad, the schematic is then redrawn with the component values. In this step, the component names from KiCad are mapped back to the PCB trace in Inkscape. Some modifications were made around the USB-C and 3V3 power regulators circuit.
Schematics are released in the schematic directory of this repo.
When recreating the PCB, KiCad's Calculator Tools and JLCPCB's Capabilities are used to calculate trace width and spacing for the RF trace line.
After weeks of tracing and schematic drawing, the PCBs are sent for fabrication. When placing components, I mimicked the layout of the original board; this was done to make circuit debugging easier.

Below is a size comparison of the original and recreated PCB.

After soldering all the components, the original MCU was soldered on for testing. In the first attempt, the reader was not picking up any tags.
Going back to the drawing board, a few components had to be re-measured from another working reader and a few mistakes were identified. At this point an oscilloscope was used to debug the circuit using references from a functional reader. After fixing mistyped components and much experimenting, the reader works!

One area that needs to be studied more is the matching network and filter sections, as the current PCB isn't as fast or sensitive at picking up tags as the original reader.
In v0.2 of the schematic, additional capacitors were added to the 5V rail. Incorrectly measured values for some components were also fixed.











