the "simplest possible RFID emulator" is useful to do a simple test of a RFID system.
However, if you need to do something a little more "complex" like a brute forcing or a timing-attack, you will miss some things.
This section covers how to improve the "simplest possible RFID emulator" step by step till reaching a more flexible hardware.
The first thing that we need to add is a simple user interface. It can be useful for controlling the tag behavior and for getting some feedback about the software status.
SPST buttons connected to the GP2 and GP3 pins are the input interface.
Two capacitors (C5 and C6) have been connected in parallel with each button to debounce the signal. Note that the GP3 pin has a pull-up resistor (R5) and GP2 has not, because it uses the internal programmable pull-up. Remember that the PIC 12F* devices have internal programmable pull-ups in every IO pin except GP3.
The 1K resistors R3 and R4 isolates the IO pins from the capacitors. That is needed, for example, to use a ICSP programmer or a debugger. Without the isolation, the capacitor could load the GP3/#MCLR/Vpp pin, avoiding the ICSP programmer to set the programming voltage and preventing the microcontroller from entering into programming mode.
As "output device", we use two LEDs polarized through 470 ohms resistors (R1 and R2).
Be careful when using the LED in your firmware. Each led can consume up to 8 mA, several time more than the rest of the circuit. Turning on a LED can load too much the antenna coil and it could be interpreted by the reader as a carrier modulation. Moreover, if the antenna has not enough magnetical flux, it can make the power supply voltage to drop below the minimum.
When using the "simplest possible RFID emulator", the first thing that you realize is that it has a not very long reading distance.
Creating a helicoidal coil antenna and tunning it properly helps a lot. However, the reading distance is still shorter than with a "real" RFID tag.
The problem is the way to obtain the energy from the carrier signal.
We are using the bridge rectifier formed by the clamping diodes to extract a power supply signal. Those internal diodes have a forward voltage of 0.6V, causing it a drop of 1.2 volts in the rectified power signal.
Using a external bridge formed by four Schottky diodes will save us more than 600 mV. The omnipresent 1N5819 (with a Vf=0.2V @ 10mA) can be perfect for the task.
In next two images, you can appreciate the difference between using or not using the Schottky bridge rectifier.
The blue trace is the Vcc signal rectified with the Schottky bridge, the green one is without the Schottky diodes and the yellow one is the carrier signal measured in GP5 pin. In both images the oscilloscope was set to 500 mV/div and 4uS/div.
Yellow: Max. = 2.27V Blue: Mean = 2.03V Green: Mean = 1.36V White = GND
As you can see, using the Schottky diodes instead the internal clamping diodes can save more than 0.6 volts.
More capacitors are added for filtering the power signal. A electrolytic (C4), a tantalum (C3) and a ceramic (C1) capacitors are used. Not all of them are required, but it helps to minimize the impact of high current peaks when, for example, lighting on a LED or using the 8 internal MHz oscillator.
AUTOMATIC GAIN CONTROL (AGC)
First of all, this is not a proper ACG... but I liked the name :)
Most of the time, the rectificated power supply will not be high enough ( >6V) to ruin any of the parts. However, the possibility could be given if the reader creates enough magnetic field.
In order to avoid this situation, a protection circuit has been added.
While the power supply voltage is below 5.1 volts, the zenner diode (D1) does not conduct. The base of the transistor (Q1) is tied to GND and is switched off.
How ever, when the Vcc voltage reaches the 5.1 threshold, the transistor starts to conduct current through the 100 ohms resistor (R7). This current loads the antenna coil and makes the Vcc voltage to drop.
A 6 pins connector has been added. It allows an easy access to the microcontroller pins. It can be used for programming/debugging or as input/output device (Example: RS232 bootloader)
The connector's pin-out is the same than the used by the PicKit2 programmer/debugger. You can buy one for less than 30€ or doing it yourself. Of course, you can use any other programmer like a JDM.
OPEN RFID TAG LITE VERSION 0.3
With all the improvements already mentioned , our design looks like this:
Click the image to download the PDF
This is the Open RFID Tag Lite Version 0.3, a very flexible and powerful hardware that can emulates almost any read-only low frequency RFID tag.
All the design has been accomodated in a credit card sized PCB with a printed antenna. Check the gallery for photos and videos.
ADDING THE "WRITE" CAPABILITY
The hardware described until now allows to emulate almost any "READ ONLY" tag, which are those tags that send data (normally a serial or a unique ID number) to the reader as soon as the RF carrier is detected.
There are also other more complex tags that can receive commands from the reader. Normally this feature is used to write data in the memory map of the RFID tag, but other more interesting functions can be implemented like password or "Challenge-Response" authentication.
The reader will send the command to the tag in the same way that the tag send data to the reader: modulating the RF carrier by loading the antenna coil.
We have to demodulate the RF carrier in order to extract the modulating signal, and the simplest way to do this is using an "envelope detector" circuit like this:
The diode D4 rectifies the carrier and charges the capacitor C7 when the carrier signal amplitude increases. When the carrier amplitude decreases the capacitor is discharged trough the resistor R8 (no current will "flow back" trough the diode). The output signal is the envelope of the carrier... that is, the modulating signal that contain the data information
Green: Modulated carrier at the input of the detector
Yellow: Modulating signal at the output of the detector
The resulting signal is connected to a coupling capacitor C8 to block the DC voltage and the coupled output is connected to the internal voltage comparator of the PIC microcontroller.
Green: before DC coupling Yellow: after DC coupling White: GND
Reference: 0.5V/V-div 0.4ms/H-div
The voltage comparator will compare the demodulated signal with a voltage reference (0.1 volts aprox, software defined) and the output will be a "regenerated" signal similar to the data signal transmitted by the reader, ready to be decoded and processed.
Yellow: comparator input (0.2V / V-div)
Green: comparator output (1V / V-div)
As you can see in the images, as consequence of the DC coupling, the comparator input signal is negative (< GND) in half of the cycle.
According to the microcontroller datasheet, a -0.3V voltage at the input of a I/O pin can blow that pin.
I haven't blow any PIC yet, but keep in mind that you are stressing the microcontroller and it could be fatal.
The values of the capacitor (C7) and resistor (R8) of the envelope detector has to be correctly calculated.
They both form a low-pass filter whose cutoff frecuency (flp) is
The cutoff frecuency has to be high enough to pass the frequency of the modulating signal (fm) but low enough to block the frequency of the carrier signal (fc).
If flp is too high, the carrier signal will pass and some ripple (noise) will appear in the filtered signal. However if flp is too low, the modulating signal will be also filtered, and the output will be "clipped".
Ideally, we have to choose a flp value such as:
Let's calculate R and C!!!
fc = 125 KHz
fm = 1953.125 Hz <- Considering a Manchester or a bi-phase encoding at 64 carrier cicles for a bit (the most common modulation).
In the next image, the effects of choosing a too low flp value are show:
Yellow: R=100K C=10nF flp=1000Hz
Green: R=56K C=10nF flp=1785Hz
The output signal should be "square shaped", but we can observe how a low flp introduces a distortion in the output signal by "rounding off" the falling edges. More rounded as lower is the flp.
In order to avoid this "clipping" effect, flp has to be higher than fm (1953.125 Hz), but not much higher because it could appear some "ripple" effects:
Yellow: R=10K C=10nF flp=10KHz
The chosen design values are:
flp = 3030 Hz
R = 33 Kohms
C = 10 nF
3030 Hz should be enough to filter correctly the 1953 Hz signal without having too much ripple noise, neither too "clipping".
If you want to support a faster encoding scheme, you could have problems with the ripple noise. In that case, a more complex filtering network is required. But don't worry... 3030 Hz is enough to emulate almost any low frequency RFID tag.
OPEN RFID TAG LITE 0.4
[ TO DO: finish this ]
The next version of the Open RFID TAG lite has all the modifications to support data reception.
This will allow not only to emulate R/W tags, but also sniff communications and some other interesting features.
People ask me when I am going to finish the 0.4 design. Well... the answer is "as soon as Microchip decide to release the PIC 12F1822".
One important feature I want to add to the next version of the Open RFID Tag is the ability to program the firmware using the RS232 port or using a RFID writer. To implement this, the microcontroller has to be "self-writable" and no actual PIC12F microcontroller support this and has EEPROM.
Moreover, the 12F1822 has - or will have - an internal 32 MHz clock, much faster than the actual 8 MHz. This speed improvement will be useful to implement some complex algorithms like the HiTAG encryption.
Expect this microcontroller to be released in Q1 of 2010...
Meanwhile you can modify your 0.3 PCB in order to support data reception. More about this in the "GET IT! BUILD IT!" article.
The different firmwares allows different features. Check the firmware section.