RFID Exploration

Louis Yi, Mary Ruthven, Kevin O'Toole, & Jay Patterson

What did you do?

We made an Radio Frequency ID (RFID) card reader and, while attempting to create a long-range spoofer, created an jammer which overcomes card's signals.

The reader uses filtering circuitry following a 125kHz driven resonator to produce the returned FSK signal from the HID brand RFID proximity cards used around Olin college. Reading was initially performed by capturing data with an oscilloscope and then processing in MATLAB, but was eventually implemented on an FPGA using Verilog.

Reading the cards provided the binary data we attempted to reproduce with the RFID spoofer. Trying several transmission hardware designs and many encoding methods failed to yield a successful RFID activation. We discovered while testing that sending similar signals at high amplitudes blocked real RFID cards, effectively jamming them and locking the door.

Why did you do it?

RFID systems are currently and increasingly a part of our lives. We use them at school, at work, and on the roads for fare collection in systems like the Northeast's E-ZPass. Frighteningly, many online papers and our own experiments show, they're not very secure. Personal data stored on such cards is available to anyone nearby with a suitable, inexpensive RFID reader.

We were curious about the technology involved and whether we could implement a full RFID system. Also, Eric really wanted an RFID gun, which we are disappointed to say we couldn't deliver.

How did you do it?

The RFID protocol of communication is a nesting of three different encodings: Backscattering of a carrier frequency, Frequency Shift Keying, and Manchester encoding.

The RFID reader outputs a constant 125kHz signal to all nearby tags, amplifying the signal when it detects any reflected signal. Since an RFID tag is passive, it needs to send back a signal without drawing any power itself. Using the sent signal as both a power source and a clock, the RFID tag flips a transistor in a predefined sequence (a black box described in the Frequency Shift Keying section) to send a sequence of HIGH and LOW values through the backscattered signal back to the reader.

On top of this encoding, HIGH and LOW signals are determined by the frequency of the backscattered ONs and OFFs. In Frequency Shift Keying, which is used by Olin’s Prox Cards, switching from ON to OFF at a rate of 12.5kHz (period every 10 cycles of the carrier frequency) denotes a LOW signal, and switching from ON to OFF at a rate of 15.6kHz (period every 8 cycles of the carrier frequency) denotes a HIGH signal. Thus the HIGH and LOW digital signals are encoded by The advantages of this encoding is that it is computationally simpler and less susceptible to noise than traditional pulse-amplitude modulated signals. Because only takes two frequencies to send a message, proper filtering can ensure the system is only susceptible to white noise around those two frequencies. Additionally, no channel equalization or phase calibration is needed, since the decoding method simply calculates the distance between peaks, and determines if it is closer to 12.5kHz or 15.6kHz. The HIGH and LOW frequencies are switched between according to a predetermined signal, a black box determined by the Manchester encoding of the tag’s data. 
On top of this encoding, 1s and 0s are encoded and decoded from the highs and lows using Manchester Encoding. Manchester Encoding simply encodes a 1 as (HIGH, LOW) and a 0 as (LOW, HIGH).

Diagram of a decoding of a Manchester-Encoded sequence of HIGH and LOW signals

The advantage of Manchester encoding is a huge improvement in the accuracy of readers and writers that are out of phase, and signals that stay high or low for extended periods of time. Manchester encoding guarantees that there is a flip from high to low in the center of each bit transmitted, so it is trivial to determine the phase of the writer’s signal. It is also impossible to be half a bit off, because a random sequence will include consecutive HIGHs or LOWs if the phase is half a period off. Manchester Encoding also prevents timing errors in long strings of 1s or 0s by making it trivial to count the number of bits in a long string of (LOW, HIGH)s.

RFID Reader

Circuit used to decode the rfid tag modulated with a 125KHz down to a digital signal to be processed. 
Photos of comparator'd traces

Our first implementation of the RFID reader was to take an analog signal and measure the peaks in order to find the signal was at 15KHz or 12.5KHz. We then graphed those differences representing different frequencies with as either a 'one' bit or a 'zero' bit. Finally we manually pieced multiple graphs together and then also manually decoded the graphs.

Spoofer

We tried three different driving methods for the RFID spoofer: a bipolar transistor, a pair of FETs, and a rectifying full-bridge followed by a loading FET.

All three methods modulated the signal quite successfully, but failed when tested on a commercial HID prox reader.

Circuits for the three different driving methods.

The Signal was sent by an Arduino using port manipulation to keep delays low and precise. Note that one side of each resonating coil and capacitor is grounded.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
// Coil control pin
int coil_pin = 8;
  
void setup() {
    digitalWrite(coil_pin, LOW);
    DDRB = B00000001; // set pin 8 OUTPUT
    PORTB = B00000000; // set Pin 8 Low, port manipulation
}
  
void set_pin_manchester(int clock_half, int signal) {\
    // encoded and send data
    int man_encoded = clock_half ^ signal; // xor
  
    if(man_encoded == 1) {
        send_1();
    } else {
        send_0();
    }
}
  
int data_to_spoof[45] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
                         0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
                         0,0,0,0, 0,0,0,0, 0,0,0,0, 0}; // insert binary card data here
  
//int i = 33;
void loop() {
    // start sequence //
    send_0();
    send_0();
    send_0();
    send_0();
    send_1();
    send_1();
    send_1();
    // data payload //
    for(int i = 0; i < 45; i++) {
        set_pin_manchester(0, data_to_spoof[i]);
        set_pin_manchester(1, data_to_spoof[i]);
    }
}
  
int one = 40; // microsecond delay to send 12.5kHz
int zero = 32; // microsecond delay to send 15kHz
  
void send_1() {
    // send six periods of 12.5kHz signal
    PORTB = B00000000;
    delayMicroseconds(one);
    PORTB = B00000001;
    delayMicroseconds(one);
    PORTB = B00000000;
    delayMicroseconds(one);
    PORTB = B00000001;
    delayMicroseconds(one);
    PORTB = B00000000;
    delayMicroseconds(one);
    PORTB = B00000001;
    delayMicroseconds(one);
    PORTB = B00000000;
    delayMicroseconds(one);
    PORTB = B00000001;
    delayMicroseconds(one);
    PORTB = B00000000;
    delayMicroseconds(one);
    PORTB = B00000001;
    delayMicroseconds(one);
}
  
void send_0() {
    // send six periods of 15kHz signal
    PORTB = B00000000;
    delayMicroseconds(zero);
    PORTB = B00000001;
    delayMicroseconds(zero);
    PORTB = B00000000;
    delayMicroseconds(zero);
    PORTB = B00000001;
    delayMicroseconds(zero);
    PORTB = B00000000;
    delayMicroseconds(zero);
    PORTB = B00000001;
    delayMicroseconds(zero);
    PORTB = B00000000;
    delayMicroseconds(zero);
    PORTB = B00000001;
    delayMicroseconds(zero);
    PORTB = B00000000;
    delayMicroseconds(zero);
    PORTB = B00000001;
    delayMicroseconds(zero);
    PORTB = B00000000;
    delayMicroseconds(zero);
    PORTB = B00000001;
    delayMicroseconds(zero);
}

Future Work

Our efforts were focused on recording the data from an RFID card and then reproducing it with separate harware. Instead of this two stage process, we could have tried to simply amplify the RFID card by reading it with one coil, amplifying the signal and directing the amplified signal toward a prox card reader. This solution may have resolved our issues with properly reproducing the prox signal and allowed us to focus simply on extending the prox card's range. This approach effectively makes a passive system into an active one.

The algorithms we used to process data were not as efficient and clean as they could have been. Instead of simply edge-triggering to determine the location of a peak, we could have found the center of each pulse which may have yielded cleaner and more consistent results.

Because the input signal to the comparator was noisy, there were regular incorrect pulses that the software had to be resilient to. A Schmitt trigger (a comparator with hysteresis) could have cleaned up the signal and simplified the software.

Sources

RFID Exploration and Spoofer a bipolar transistor, a pair of FETs, and a rectifying full-bridge followed by a loading FET的更多相关文章

  1. Inverted bipolar transistor doubles as a signal clamp

    A number of circuits, such as level detectors and AM demodulators, benefit from a rectifier with a l ...

  2. Bipolar transistor boosts switcher's current by 12 times

    The circuit in Figure 1 uses a minimal number of external parts to raise the maximum output current ...

  3. RFID 仿真/模拟/监控/拦截/检测/嗅探器

    Sound card based RFID sniffer/emulator (Too tired after recon.cx to do draw the schematics better th ...

  4. Transistor 晶体管 场效应 双极型 达林顿 CMOS PMOS BJT FET

    Transistor Tutorial Summary Transistor Tutorial Summary Bipolar Junction Transistor Tutorial We can ...

  5. Dual transistor improves current-sense circuit

    In multiple-output power supplies in which a single supply powers circuitry of vastly different curr ...

  6. 常见电子元器件检测方法。——Arvin

    电子设备中使用着大量各种类型的电子元器件,设备发生故障大多是由于电子元器件失效或损坏引起的.因此怎么正确检测电子元器件就显得尤其重要,这也是电子维修人员必须掌握的技能.我在电器维修中积累了部分常见电子 ...

  7. VCC、VDD、VEE、VSS等有关电源标注的区别

    Almost all integrated circuits (ICs) have at least two pins which connect to the power rails of the ...

  8. 5V and 3V Level Translators

    http://www.daycounter.com/Circuits/Level-Translators/Level-Translators.phtml Interfacing 5V and 3V l ...

  9. [转]OrCAD PSpice DIODE model parameter

    1.从OrCAD PSpice help文档: 2.国外网站的相关介绍: The DC characteristics of the diode are determined by the param ...

随机推荐

  1. Daily Scrum 12.1

    今日完成任务: 完成了对源代码结构的修改,删除冗余等:和其他小组讨论了关于整合的问题,向其他小组介绍自己小组使用的数据库等. 明日任务: 晏旭瑞 初步完成文档上传下载 孙思权 深入了解数据库中每个表, ...

  2. unreal3对象属性自动从配置文件中加载的机制

    unrealscript中有两个与属性自动配置相关的关键字: config/globalconfig 当把它们应用于属性时,对象在创建后,该属性的初始值会被自动设置为相对应ini文件中的值. 举例来说 ...

  3. Mispelling 1510

    #include<iostream>#include<string>#include<cstdio>using namespace std;int main(){  ...

  4. Tomcat7.0安装配置详细

    说明:Tomcat服务器上一个符合J2EE标准的Web服务器,在tomcat中无法运行EJB程序,如果要运行可以选择能够运行EJB程序的容器WebLogic,WebSphere,Jboss等:Tomc ...

  5. tomcat 虚拟主机配置

    1.虚拟主机 服务器接收到客户端请求时,会根据HTTP请求报文中的HOST头选择web站点进行响应.发送请求时,url中的主机名会被作为HTTP请求报文中的HOST发送给服务器.因此,可以根据不同的H ...

  6. vijos1144(小胖守皇宫)

    也是ural1039 描述 huyichen世子事件后,xuzhenyi成了皇上特聘的御前一品侍卫. 皇宫以午门为起点,直到后宫嫔妃们的寝宫,呈一棵树的形状:某些宫殿间可以互相望见.大内保卫森严,三步 ...

  7. 热烈庆祝杨学明老师为苏宁、中兴、烽火、CNNIC、创维、金立、中航信等知名企业提供培训和咨询服务!

    在2015年三季度,研发资深顾问.资深讲师杨学明先生为国内多家名企提供了培训和咨询服务!由于杨学明老师在软件及互联网方面的管理经验极为丰富,被多家公司选为首席研发讲师!并聘为常年顾问!

  8. 在Ubuntu14.04 32位中安装mongodb

    curl -O https://fastdl.mongodb.org/linux/mongodb-linux-i686-3.0.6.tgz .tgz mkdir -p mongodb / mongod ...

  9. Android 自定义View 三板斧之一——继承现有控件

    通常情况下,Android实现自定义控件无非三种方式. Ⅰ.继承现有控件,对其控件的功能进行拓展. Ⅱ.将现有控件进行组合,实现功能更加强大控件. Ⅲ.重写View实现全新的控件 本文重点讨论继承现有 ...

  10. [Xamarin] 透過WebClient跟網路取得資料 (转帖)

    之前寫過一篇文章,關於在Android上面取得資料 透過GET方式傳資料給Server(含解決中文編碼問題) 我們來回顧一下 Android 端的Code: 有沒有超多,如果是在Xaramin下面,真 ...