Nytro

RFIDler - A Software Defined RFID Reader/Writer/Emulator

RFIDler (RFID Low-frequency Emulator & Reader) is an open-platform RFID reader/writer/emulator that operates in the 125-134 kHz range.

Software Defined is the buzz-word in RF these days, and we use SDR (Software Defined Radio) in our work as reverse engineers all the time, with great projects like HackRF and GNU Radio, etc.

So when it came to looking at RFID for a recent engagement, we decided to see if we couldn't apply the same thinking to that technology. And guess what? Yes, you can!

One of our team, Adam Laurie (aka Code Monkey), has spent many years playing with RFID, and is the author of RFIDIOt, the open-source RFID python software library, so is very familiar with the higher-level challenges associated with these devices. However, a complete understanding of what goes on 'under the hood' is harder to come by, and it was only when he teamed up with Chip Monkey, Zac Franken, who has been hardware hacking and pulling things to bits (and putting them back together so they do something much more fun) since he was big enough to hold a screwdriver, that the full picture started to emerge...

The Goal

To produce a tool for Low Frequency (125-134 kHz) RFID research projects, as well as a cut-down (Lite) version that can be embedded into your own hardware projects. The fully featured version we hope to bring in for around £30.00, and the Lite version for under £20.00.

Features

We have written extensive firmware which includes a user interface and an API to allow easy use of the system and to allow you to explore, read and emulate a wide range of low frequency RFID tags.

  • Utilise ANY modulation scheme, including bi-directional protocols
  • Write data to tag
  • Read data from tag
  • Emulate tag
  • Sniff conversations between external reader & tag
  • Provide raw as well as decoded data
  • Built-in antenna
  • External antenna connection
  • USB power and user interface
  • TTL interface
  • GPIO interface
  • JTAG interface for programming
  • USB Bootloader for easy firmware updating
  • External CLOCK interface if not using processor
  • External power connector if not using USB

The hardware gives you the capability to read/write/emulate more or less any LF tag, but we've also taken the hard work out of most of them by implementing all the tag types we can find in the public domain. These include:

  • EM4102 / Unique
  • Hitag 1/2/S
  • FDX-B (ISO 11784/5 Animal Standard)
  • Q5
  • T55xx
  • Indala
  • Noralsy
  • HID Prox
  • NXP PCF7931
  • Texas Instruments
  • VeriChip
  • FlexPass

Firmware

We have working firmware that proves the concept, and we will continue to develop the code to provide both a command line interface and an API for end-user applications. This will be posted in a GitHub repository, here:

https://github.com/ApertureLabsLtd/RFIDler

Hardware

The three devices we will produce are:

RFIDler-LF-Nekkid - The bare naked circuit board with built-in antenna, ready for you to populate the electronic components yourself.

RFIDler-LF-Lite - This is the board with only the low-level RFID communication components, to allow you to incorporate it into your own projects (e.g. controlling it with an Arduino, Raspberry Pi, BeagleBone etc.), providing GPIO, power and clock interfaces only. Firmware can be ported from (and/or contributed to) the RFIDler repository, or you can write your own from scratch.

RFIDler-LF-Standard - This is the fully populated Low Frequency (125/134 kHz) board with on-board processor that can be used as a stand-alone device for research and in-the-field testing etc., providing TTL and USB serial command line and API interfaces as well as raw GPIO, clock and power.

Your pledges will help us get this from working prototype to final production run, and incorporate where possible any cool ideas/features that we hadn't thought of, and bring Software Defined RFID to the masses!

The challenges we have left to complete are:

Processor selection - we've used the PIC32 as a proof-of-concept chip, but there may be others better suited to this kind of application. We will research and test 2 or 3 other chips before making a final decision.

Coil design - coils are almost as mysterious as RFID itself, so we need to try various designs to see which on-board and external coils give us the best performance across the target frequency ranges.

Final Board Layout - Lay out the final boards and send them to manufacturing.

Further Details

Here is Adam's blog entry on the subject:

Obviously a Major Malfunction...: RFIDler - An open source Software Defined RFID Reader/Writer/Emulator

And here is the prototype:

And here we are reading an Indala PSK tag:

The logic analyser trace shows that RFIDler is pulsing on the PSK Reader line whenever there is a phase change on the analogue line (the small green pulses are negative, and the large ones positive). All our software has to do is detect those pulses at each bit period, and clock out the data. The 'Bitstream' line shows the software bit value detection in action, as it's being driven by the UBW32 board. The other nice thing we can do in software is monitor the quality of the read: the width of the reader pulse will narrow as the coil goes in and out of the field, and the coils 'de-couple', so we can flag a read error when the pulse gets too narrow. This is important when you're looking at unknown tag types: the manufacturer may have a built-in parity or other data checks so their native reader knows when it's getting a good read, but we don't have the knowledge of the relevant algorithms, so cannot do the same. With this technique, we can easily filter out bad reads that will give us corrupt data.
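As an added illustration of the decoding idea described above (not RFIDler firmware and not Adam's code): the phase-change detector is modelled as a sampled digital line that is high for the duration of each pulse, the decoder looks for one pulse per bit period, and a pulse narrower than a threshold is treated as a bad read. Differential decoding (a pulse toggles the bit, no pulse keeps it) and the sample values are assumptions for the demonstration.

```python
"""Constructed PSK pulse-line decoder with a pulse-width read-quality check.

Assumptions (not from the RFIDler project): `line` is a list of 0/1 samples of the
'PSK Reader' pulse line, exactly `bit_period` samples per tag bit, and the tag uses
differential PSK, so a phase change (a pulse) inside a bit period toggles the bit.
"""
from typing import List, Optional


def pulse_width_in(window: List[int]) -> int:
    """Longest run of high samples within one bit period (0 means no pulse seen)."""
    best = run = 0
    for sample in window:
        run = run + 1 if sample else 0
        best = max(best, run)
    return best


def decode_psk(line: List[int], bit_period: int, min_pulse_width: int) -> Optional[List[int]]:
    """Clock out one bit per period; return None when any pulse is too narrow.

    A narrowing pulse means the coil is de-coupling from the field, so the whole
    read is discarded rather than risking corrupt data.
    """
    bits: List[int] = []
    bit = 0
    for start in range(0, len(line) - bit_period + 1, bit_period):
        width = pulse_width_in(line[start:start + bit_period])
        if 0 < width < min_pulse_width:
            return None            # bad read: flag it instead of trusting the data
        if width >= min_pulse_width:
            bit ^= 1               # phase change -> bit toggles
        bits.append(bit)
    return bits


def encode_psk_pulses(bits: List[int], bit_period: int, pulse_width: int) -> List[int]:
    """Build the pulse line a detector would emit for `bits` (constructed test signal)."""
    line: List[int] = []
    prev = 0
    for b in bits:
        window = [0] * bit_period
        if b != prev:              # phase change only where the bit value changes
            offset = (bit_period - pulse_width) // 2
            for i in range(offset, offset + pulse_width):
                window[i] = 1
        line.extend(window)
        prev = b
    return line
```

Running `decode_psk` over a signal built with a wide pulse returns the original bits, while the same bits encoded with a one-sample pulse are rejected as a bad read.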

Of course, as well as reading a tag, we want to be the tag, so here we are emulating PSK:

and we could do that for any bitrate, modulation scheme or data pattern (within reason), as well as have 2-way conversations (e.g. Hitag2).

So that brings us to where we are now...

Timeframe

We've allowed the following timeframes for each stage:

Project starts in October (assuming we get funded! :)

Full circuit design and CPU selection: 4 weeks, taking us to November.

Beta test phase: 6 weeks up to mid-December, then it's the Christmas & New Year break...

Final production run: 4 weeks starting in January, so we should be done by February.

We all know that in real life timescales slip, but since the underlying hardware is already proven in our prototype, and all we're really doing now is fine-tuning and incorporating feedback from the beta test, we expect this to be a fairly quick project!

Risks and challenges

We have great facilities in-house for prototyping electronic circuits, and so we expect the main challenges to have been worked out before we go to the trouble and expense of outside manufacturing. However, we also have a great relationship with our fab company, who we have used for several years on many successful projects, so we know they have the resources to get the job done.

We look forward to working with you! :)

Source: RFIDler - A Software Defined RFID Reader/Writer/Emulator by Aperture Labs Ltd. — Kickstarter
