RFID Exploration and Spoofer


RFID Exploration

Louis Yi, Mary Ruthven, Kevin O'Toole, & Jay Patterson

What does it do?

We made a Radio Frequency ID (RFID) card reader and, when attempting to create a long-range spoofer, created a jammer which overcomes the card's signal.

The reader uses filtering circuitry following a 125kHz driven resonator to recover the returned FSK signal from the HID brand RFID proximity cards used around Olin College. Reading was initially performed by capturing data with an oscilloscope and then processing it in MATLAB, but was eventually implemented on an FPGA using Verilog.

Reading the cards provided the binary data we attempted to reproduce with the RFID spoofer. Trying several transmission hardware designs and many encoding methods failed to yield a successful RFID activation. While testing, we discovered that sending similar signals at high amplitudes blocked real RFID cards, effectively jamming them and locking the door.

Why did you do it?

RFID systems are currently, and increasingly, a part of our lives. We use them at school, at work, and on the roads for fare collection in systems like the Northeast's E-ZPass. Frighteningly, as many online papers and our own experiments show, they're not very secure. Personal data stored on such cards is available to anyone nearby with a suitable, inexpensive RFID reader.

We were curious about the technology involved and whether we could implement a full RFID system. Also, Eric really wanted an RFID gun, which we are disappointed to say we couldn't deliver.

How did you do it?

The RFID communication protocol is a nesting of three different encodings: backscattering of a carrier frequency, frequency shift keying, and Manchester encoding.

The RFID reader outputs a constant 125kHz signal to all nearby tags, amplifying the signal if it detects any reflected signal. Since an RFID tag is passive, it needs to send back a signal without drawing any power itself. Using the sent signal as both a power source and a clock, the RFID tag flips a transistor in a predefined sequence (a black box described in the frequency shift keying section) to send a sequence of high and low values through the backscattered signal back to the reader.


On top of this encoding, high and low signals are determined by the frequency of the backscattered ons and offs. In frequency shift keying, which is used by Olin's prox cards, switching from on to off at a rate of 12.5kHz (a period every 10 cycles of the carrier frequency) denotes a LOW signal, and switching from on to off at a rate of 15.6kHz (a period every 8 cycles of the carrier frequency) denotes a HIGH signal. Thus the high and low digital signals are encoded by frequency. The advantages of this encoding are that it is computationally simpler and less susceptible to noise than traditional pulse-amplitude modulated signals. Because it only takes two frequencies to send a message, proper filtering can ensure the system is only susceptible to white noise around those two frequencies. Additionally, no channel equalization or phase calibration is needed, since the decoding method simply calculates the distance between peaks and determines whether it is closer to 12.5kHz or 15.6kHz. The HIGH and LOW frequencies are switched between according to a predetermined signal, a black box determined by the Manchester encoding of the tag's data.

On top of this encoding, 1s and 0s are encoded and decoded from the highs and lows using Manchester encoding. Manchester encoding simply encodes a 1 as (high, low) and a 0 as (low, high).


Diagram of the decoding of a Manchester-encoded sequence of high and low signals

The advantage of Manchester encoding is a huge improvement in the accuracy of readers and writers that are out of phase, and of signals that stay high or low for extended periods of time. Manchester encoding guarantees that there is a flip between high and low in the center of each bit transmitted, so it is trivial to determine the phase of the writer's signal. It is also impossible to be half a bit off, because a random sequence will include consecutive highs or lows if the phase is half a period off. Manchester encoding also prevents timing errors in long strings of 1s or 0s by making it trivial to count the number of bits in a long string of (low, high)s.

RFID Reader


Circuit used to decode the RFID tag signal modulated onto the 125kHz carrier into a digital signal to be processed.
Photos of the traces after the comparator

Our first implementation of the RFID reader was to take the analog signal and measure the spacing of the peaks in order to find whether the signal is at 15kHz or 12.5kHz. We then graphed those spacings, representing the two frequencies, as either a 'one' bit or a 'zero' bit. Finally, we manually pieced multiple graphs together and then manually decoded the graphs.
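The following is an added example, not code from the original project, that models the three nested encodings described above (backscatter toggles, FSK judged by peak spacing, Manchester) and the reader's decision rule of comparing each peak-to-peak distance to the 12.5kHz and 15.6kHz periods. The 125kHz carrier and the 10-cycle/8-cycle FSK periods come from the write-up; the 40-cycle half-bit length, the symmetric timing jitter and the sample bit pattern are constructed assumptions, and the model follows the write-up's prose mapping (12.5kHz = LOW) rather than the spoofer sketch, which maps the two frequencies the other way. It also shows why a Manchester stream recovers its own phase: the misaligned half-bit grouping produces an equal pair as soon as the data is not constant, while an all-ones stream is left unresolved, which is the case the write-up notes.

```cpp
// Added model of the write-up's three nested encodings (not the project's code).
// From the page: 125kHz carrier, LOW = toggle every 10 cycles (12.5kHz), HIGH = every
// 8 cycles (15.6kHz), Manchester 1 = (HIGH,LOW), 0 = (LOW,HIGH). Assumed: 40-cycle half-bit.
#include <cmath>
#include <cstdio>
#include <string>
#include <vector>

namespace rfid_model {

constexpr double kCarrierUs    = 8.0;              // one 125kHz cycle
constexpr double kLowPeriodUs  = 10 * kCarrierUs;  // 80 us -> 12.5kHz
constexpr double kHighPeriodUs = 8 * kCarrierUs;   // 64 us -> 15.6kHz
constexpr double kHalfBitUs    = 40 * kCarrierUs;  // assumption: 320 us per half-bit

// Layer 3: Manchester. Each bit becomes two half-bit symbols.
std::string manchester_encode(const std::vector<int>& bits) {
    std::string symbols;
    for (int b : bits) symbols += (b ? "HL" : "LH");
    return symbols;
}

// Layer 2: FSK. A half-bit is a run of toggles at one of the two periods. The reader
// only sees the distance between peaks, so the "signal" is that list of distances (us).
std::vector<double> fsk_encode(const std::string& symbols) {
    std::vector<double> intervals;
    for (char s : symbols) {
        double period = (s == 'H') ? kHighPeriodUs : kLowPeriodUs;
        long n = std::lround(kHalfBitUs / period);  // 5 for H, 4 for L
        for (long i = 0; i < n; ++i) intervals.push_back(period);
    }
    return intervals;
}

// Reader decision rule from the write-up: whichever FSK period the measured
// peak spacing is closer to. Ties fall to LOW.
char classify_interval(double us) {
    return (std::fabs(us - kHighPeriodUs) < std::fabs(us - kLowPeriodUs)) ? 'H' : 'L';
}

// Group intervals into half-bit windows and majority-vote within each window,
// so a single mis-measured spacing cannot flip a symbol.
std::string fsk_decode(const std::vector<double>& intervals) {
    std::string symbols;
    double elapsed = 0.0;
    int highs = 0, lows = 0;
    for (double us : intervals) {
        if (classify_interval(us) == 'H') ++highs; else ++lows;
        elapsed += us;
        if (elapsed >= kHalfBitUs - kCarrierUs) {  // window complete, one cycle of slack
            symbols += (highs >= lows) ? 'H' : 'L';
            elapsed = 0.0; highs = 0; lows = 0;
        }
    }
    return symbols;
}

struct Decoded {
    bool phase_found;       // exactly one half-bit alignment was consistent
    std::vector<int> bits;
};

// Manchester decode with phase recovery: try both alignments; the wrong one
// yields an (H,H) or (L,L) pair as soon as the data is not constant.
Decoded manchester_decode(const std::string& symbols) {
    Decoded result{false, {}};
    int consistent = 0;
    for (size_t offset = 0; offset < 2; ++offset) {
        std::vector<int> bits;
        bool ok = true;
        for (size_t i = offset; i + 1 < symbols.size(); i += 2) {
            if (symbols[i] == symbols[i + 1]) { ok = false; break; }
            bits.push_back(symbols[i] == 'H' ? 1 : 0);
        }
        if (ok) { ++consistent; result.bits = bits; }
    }
    result.phase_found = (consistent == 1);
    return result;
}

// Whole chain, with alternating +/- timing jitter on every interval to show
// the nearest-period rule tolerating imprecise peak detection.
Decoded round_trip(const std::vector<int>& bits, double jitter_us) {
    std::vector<double> intervals = fsk_encode(manchester_encode(bits));
    for (size_t i = 0; i < intervals.size(); ++i)
        intervals[i] += (i % 2 == 0) ? jitter_us : -jitter_us;
    return manchester_decode(fsk_decode(intervals));
}

}  // namespace rfid_model

int main() {
    std::vector<int> bits{1, 0, 1, 1, 0, 0, 1, 0, 1, 1};  // constructed sample data
    rfid_model::Decoded d = rfid_model::round_trip(bits, 3.0);
    std::printf("phase found: %d, decoded %zu bits\n", d.phase_found, d.bits.size());
    return 0;
}
```

The two decision points a reader implementation has to get right are both visible here: the per-interval nearest-period test, which is what makes the scheme indifferent to amplitude and phase, and the half-bit grouping, which is where a noisy peak detector does its damage and where a majority vote buys some margin.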

Spoofer

We tried three different driving methods for the RFID spoofer: a bipolar transistor, a pair of FETs, and a rectifying full-bridge followed by a loading FET.

All three methods modulated the signal quite successfully but failed when tested on a commercial HID ProX reader.


Circuits for the three different driving methods.

The signal is sent by an Arduino using port manipulation to keep delays low and precise. Note that one side of each resonating coil and capacitor is grounded.

// Coil control pin
int coil_pin = 8;

int one = 40;  // Microsecond half-period delay to send 12.5kHz
int zero = 32; // Microsecond half-period delay to send 15kHz

// Toggle the coil pin through `periods` full cycles using the given
// half-period delay. PORTB bit 0 is digital pin 8 on the ATmega328.
void toggle_coil(int periods, int half_period_us) {
    for (int p = 0; p < periods; p++) {
        PORTB = B00000000;
        delayMicroseconds(half_period_us);
        PORTB = B00000001;
        delayMicroseconds(half_period_us);
    }
}

void send_1() {
    // Five periods of the 12.5kHz signal (10 toggles, 400 us total)
    toggle_coil(5, one);
}

void send_0() {
    // Six periods of the 15kHz signal (12 toggles, 384 us total)
    toggle_coil(6, zero);
}

// Manchester-encode one half of a bit and send it: the clock half (0 or 1)
// XORed with the data bit gives (high, low) for a 1 and (low, high) for a 0.
void set_pin_manchester(int clock_half, int signal) {
    int man_encoded = clock_half ^ signal; // XOR
    if (man_encoded == 1) {
        send_1();
    } else {
        send_0();
    }
}

int data_to_spoof[45] = {0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
                         0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
                         0,0,0,0, 0,0,0,0, 0,0,0,0, 0}; // Insert binary card data here
const int data_len = sizeof(data_to_spoof) / sizeof(data_to_spoof[0]);

void setup() {
    digitalWrite(coil_pin, LOW);
    DDRB = B00000001;  // Set pin 8 to OUTPUT
    PORTB = B00000000; // Set pin 8 low, port manipulation
}

void loop() {
    // Start sequence
    send_0();
    send_0();
    send_0();
    send_0();
    send_1();
    send_1();
    send_1();
    // Data payload: each bit is sent as its two Manchester halves
    for (int i = 0; i < data_len; i++) {
        set_pin_manchester(0, data_to_spoof[i]);
        set_pin_manchester(1, data_to_spoof[i]);
    }
}
Future work

Our efforts were focused on recording the data from an RFID card and then reproducing it with separate hardware. Instead of this two-stage process, we could have tried to simply amplify the RFID card by reading it with one coil, amplifying the signal, and directing the amplified signal toward a prox card reader. This solution may have resolved our issues with properly reproducing the prox signal and allowed us to focus simply on extending the prox card's range. This approach effectively turns a passive system into an active one.

The algorithms we used to process data were not as efficient and clean as they could have been. Instead of simply edge-triggering to determine the location of a peak, we could have found the center of each pulse, which may have yielded cleaner and more consistent results.

Because the input signal to the comparator is noisy, there were regular incorrect pulses that the software had to be resilient to. A Schmitt trigger (a comparator with hysteresis) could have cleaned up the signal and simplified the software.
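As an added illustration of the last two points, not code from the original project, the following compares a plain zero-crossing comparator with a software Schmitt trigger over a constructed waveform that has ripple around each transition, and then takes the center of each cleaned pulse rather than using an edge directly. The waveform, the ripple pattern, the hysteresis band of plus or minus 0.5 and the sample counts are all constructed; the point is only that the hysteresis version reports one edge per real transition while the plain comparator reports every chatter crossing.

```cpp
// Added example (not the project's code): plain comparator vs. software Schmitt
// trigger on a constructed noisy square wave, plus pulse-center timing.
#include <cstdio>
#include <vector>

namespace comparator_model {

// Constructed waveform: `periods` cycles of +amplitude then -amplitude, each half
// `half_period` samples long, with the first four samples after every transition
// replaced by ripple that crosses zero (standing in for comparator input noise).
std::vector<double> make_noisy_square(int periods, int half_period,
                                      double amplitude, double ripple) {
    std::vector<double> s;
    for (int p = 0; p < periods; ++p) {
        for (int level = 1; level >= -1; level -= 2) {
            for (int i = 0; i < half_period; ++i) {
                double v = level * amplitude;
                if (i < 4) v = (i % 2 == 0) ? ripple : -ripple;
                s.push_back(v);
            }
        }
    }
    return s;
}

// Plain comparator: output follows the sign of every sample.
std::vector<bool> plain_comparator(const std::vector<double>& s) {
    std::vector<bool> out;
    for (double v : s) out.push_back(v > 0.0);
    return out;
}

// Schmitt trigger: go high only above +hyst, go low only below -hyst;
// anything inside the band leaves the output where it was. Starts low.
std::vector<bool> schmitt(const std::vector<double>& s, double hyst) {
    std::vector<bool> out;
    bool high = false;
    for (double v : s) {
        if (!high && v > hyst) high = true;
        else if (high && v < -hyst) high = false;
        out.push_back(high);
    }
    return out;
}

// Number of level changes; every spurious edge here would become a bogus
// peak for an edge-triggered decoder.
int count_edges(const std::vector<bool>& levels) {
    int edges = 0;
    for (size_t i = 1; i < levels.size(); ++i)
        if (levels[i] != levels[i - 1]) ++edges;
    return edges;
}

// Midpoint of each high pulse, (rise index + fall index) / 2: the measurement
// the write-up suggests instead of triggering on a single edge.
std::vector<double> pulse_centers(const std::vector<bool>& levels) {
    std::vector<double> centers;
    size_t rise = 0;
    bool in_pulse = false;
    for (size_t i = 0; i < levels.size(); ++i) {
        if (levels[i] && !in_pulse) { rise = i; in_pulse = true; }
        else if (!levels[i] && in_pulse) {
            centers.push_back((rise + i) / 2.0);
            in_pulse = false;
        }
    }
    return centers;
}

}  // namespace comparator_model

int main() {
    using namespace comparator_model;
    std::vector<double> s = make_noisy_square(3, 10, 1.0, 0.2);  // constructed input
    std::printf("plain comparator edges: %d\n", count_edges(plain_comparator(s)));
    std::printf("schmitt trigger edges:  %d\n", count_edges(schmitt(s, 0.5)));
    for (double c : pulse_centers(schmitt(s, 0.5)))
        std::printf("pulse center at sample %.1f\n", c);
    return 0;
}
```

With three periods of the constructed waveform the plain comparator reports 23 edges against the Schmitt trigger's 6, and the three pulse centers land exactly one period apart, which is the clean spacing the peak-distance decoder in the reader wants to see.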
