Home

OPEN RFID Tag

Main Menu

Introduction to the OPEN RFID Tag

The motivation of the OPEN RFID projects is to create the necessaries tools for experimenting and testing the security of different RFID implementations.

Concretely, the OPEN RFID Tag is an open-hardware/open-software implementation of a passive RFID tag, which is compatible with most of the ISO and proprietary RFID protocols and has some advanced security testing capabilities. This project is complimented with the "OPEN RFID Interface" project.

Several solutions are already available - like OPEN PICC or PROXMARK - but they do not support the low frequency tags, are too expensive or too complex. They are also not "portable" because they require to be externally powered and usually to be connected to a computer.

OPEN RFID tag has been designed with the next objectives:

Educative. Simple enough to understand the inner working. Easy to develop new firmware and collaborate with the project.
Create a flexible and powerful programmable tag, able to test any low and high frequency tag.
Cheap and easy to build. All the parts are easily found in any electronic store.

FEATURES

The OPEN RFID tag implements different features according to the firmware used and the hardware version.

Some of these features are:

Can emulate almost any current tag: EM4100, TK5551, Verichip, ISO 11784 compatibles, Mifare (expected)...
Biphase, Manchester, PSK, RAW encoding
Data rate from 8 to 256 clocks per bit.
Emulates tags with up to 1920 bits (firmware limit).
Multiple memory maps stored in the OPEN RFID tag.
Brute forcing, cloning timing attack and other complex attacks.
100% passive. No battery required.

DOCUMENTATION

LICENSE

The project is released under the terms of this license.

SPECIFICATIONS

Currently, there are two version of the Open RFID Tag: the normal and the LITE version.

The LITE is a compact and cheaper version intended only for low frequency tags.

The normal version however, is a more powerful tag which can be used for both low and high frequency systems.

HARDWARE
	Open RFID Tag LITE	Open RFID Tag
Processor	PIC 12F683 8 bits architecture 8 MHz (2 MIPS)	PIC PIC24F04KA201 16 bits architecture 32MHz (16 MIPS)
Memory	3.5KB program memory 128B RAM 256B EEPROM	4KB program memory 512B RAM 256KB EEPROM (external)
Supported Frequencies	Low Frequency (115KHz - 140KHz aprox)	Low Frequency (115KHz - 140KHz aprox) High Frequency (13.56 MHz)
User Interface	2 LEDs 2 Buttons	4 LEDs 3 Buttons
Programming Interface	ICSP / ICD (prog. + debug) RS232	ICSP / ICD (prog. + debug) RS232 RFID
Power	Passive (no battery)	Passive (no battery)
Current Version	0.3 with modifications (28/Jan/2010)	Early prototype (unreleased) First public release on May 2010

SOFTWARE
	Open RFID Tag LITE	Open RFID Tag
Programming Language	ASM C (not recommended)	C
Self programmable	NO (expected in version 0.4)	YES
Read operations (Comms. from tag to reader)	YES	YES
Write operations (Comms. from reader to tag)	YES (Version 0.3 with modifications)	YES
RFID - Encoding schemes	Manchester BiPhase RAW	Manchester BiPhase PSK RAW
RFID - Data rates	From 8 to 256 RF clocks per bit	From 8 to 256 RF clocks per bit

LF FREQUENCY TAGS SUPPORTED
	Open RFID Tag LITE	Open RFID Tag
EM4100 EM4102 (& compatibles)	YES (multimap firmware)	YES
EM4005 EM4105	YES (multimap firmware)	YES
Verichip	YES (multimap firmware)	YES
TK5551 T555X	Read only (multimap firmware) Read & Write (Unreleased beta)	EXPECTED
Texas Instruments HDX Tags	NO (due to hardware limitations)	NO (but could be in a future...)
ISO 11784/5	YES (multimap firmware)	YES
HiTAG 1/2/S	NO (due to CPU limitations)	EXPECTED
Others...	Almost any LF tag can be emulated in "read only" mode with the "multimap" firmware. Passive cloning (sniffing) Brute forcing attacks Timing attacks

HF FREQUENCY TAGS SUPPORTED
	Open RFID Tag LITE	Open RFID Tag
ISO 14443	-	EXPECTED
MIFARE ULTRALIGHT & CLASSIC	-	EXPECTED
MIFARE DESFIRE	-	PROBABLY NO ( due to CPU limitations) A CPU upgrade can solve this problem, but due to the high power consumption it couldn't be powered passively.