[Update, Jul 2006: a public release is available for download.]
This device can do almost anything involving almost any kind of
low-(~125 kHz) or high-(~13.56 MHz) frequency RFID tag. It can act
as a reader. It can eavesdrop on a transaction between another
reader and a tag. It can analyze the signal received over the air
more closely, for example to perform an attack in which we derive
information from the tag's instantaneous power consumption. It can
pretend to be a tag itself. It is also capable of some less
obviously useful operations that might come in handy for development
work.

This flexibility is achieved using digital signal processing
techniques. The signal from the antenna is either immediately
followed by an A/D, or digitized after only a little bit of analog
signal processing to improve the signal's dynamic range. The
subcarrier frequencies for many of the high-frequency tags (e.g. the
ISO-standard tags) are fast; it would be possible to filter for them
in software, but impractical with a general-purpose microcontroller.
I therefore route the signal from the A/D through a small FPGA; this
can either relay the signal to the micro, over a synchronous serial
port, or perform the filtering operations itself, in hardware, and
pass only the result to the micro. The latter option greatly reduces
the workload of the micro.

Since the signal processing is performed almost entirely in
software (or in the FPGA), it is possible to reconfigure the device
for a completely different modulation scheme with only software
changes. This flexibility is also useful when looking for other
information in the signal sent over the air; for example, it would
be helpful when trying to perform a power attack.

The proxmark3 is an improved version of my proxmarkii. The proxmarkii had
a slow A/D, and no FPGA assist for the signal processing; this made
it impractical to deal with many of the ISO-standard (and other)
13.56 MHz tags, which now represent a large fraction of the market.
The proxmarkii was also incapable of bypassing the peak-detector
hardware and going straight from the antenna to the A/D, a mode that
might be useful for certain eavesdropping operations. Finally, the
proxmarkii lacked some minor but useful features, such as the
ability to derive its timing from the incident carrier (as opposed
to its own crystal) while pretending to be a 13.56 MHz tag. I
consider the proxmarkii to be obsolete, and inferior in every way to
this latest device.

The hardware is built on a four-layer printed circuit, laid out
to 8/8 thou rules with a 0.4 mm minimum drill size. The entire
unit is about the size of a playing card. The largest IC is the
FPGA; the ARM7 is to its right. The tall component at the bottom
left is a relay, which is an easy way to cope with the large dynamic
range of the signal from the antenna in ‘read’ (we drive the antenna
ourselves, hard) vs. ‘eavesdrop’ (we see only the signal received
over the air) modes. Most of the passives and small ICs on the left
side of the device are part of the analog signal chain. The very
large header is for JTAG to the ARM, with the standard pinout. The
six-pin single-row header is for JTAG to the FPGA, again with the
standard pinout. (These are needed only for debugging; the ARM
executes code out of flash, and can reprogram itself over USB, and
the FPGA is configured by the ARM.) The USB connector is clearly
visible at the top left, and the antenna connector is below it.

An effort is made at USB compliance, but not a very strong one. I
think that the hardware should be capable of that, if anyone cares.
The only thing that might be doubtful is the power consumption in
suspend, and there is a big FET switch that can turn everything
except the ARM off. In practice, it all just works.

The software is at this point minimal. All systems software is
provided; this includes the bootloader, the FPGA loader, and a debug
logger that works over USB. I've written software to support a few
different kinds of tag; for example, I can:
- read a TI ‘glass transponder’
- read and clone a VeriChip
- read and clone a Motorola FlexPass
- read an ISO15693 tag

For example, the trace below is the beginning of the ‘Inventory
Response’ transmitted by a TI Tag-It Plus (ISO15693) tag, in
response to the ‘Inventory Request’ command that I sent:

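As an added example (not code from the proxmark3 release), this is the framing behind an ISO15693 Inventory Request such as the one above: the body 26 01 00 (flag byte and command code as the standard defines them) followed by the ISO 15693 CRC-16 (reflected polynomial 0x8408, preset 0xFFFF, complemented, low byte first), together with the reader-side check that rejects a corrupted response before anything acts on it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* ISO 15693 CRC-16: reflected polynomial 0x8408, preset 0xFFFF, final
 * complement, sent low byte first. An error-detecting code only: it
 * catches over-the-air corruption, not a deliberately forged frame. */
uint16_t iso15693_crc(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (crc >> 1) ^ 0x8408 : crc >> 1;
    }
    return (uint16_t)~crc;
}

/* Single-slot Inventory Request: flags 0x26 (high data rate, inventory
 * flag, one slot), command 0x01, empty mask, then the CRC low byte
 * first. out must hold 5 bytes; returns the frame length. */
size_t build_inventory_request(uint8_t *out)
{
    out[0] = 0x26; out[1] = 0x01; out[2] = 0x00;
    uint16_t crc = iso15693_crc(out, 3);
    out[3] = (uint8_t)(crc & 0xFF);
    out[4] = (uint8_t)(crc >> 8);
    return 5;
}

/* Reader-side check of a received frame (body, then CRC low byte first);
 * a frame that fails here is dropped, not acted on. */
bool iso15693_crc_ok(const uint8_t *frame, size_t len)
{
    if (len < 3) return false;
    uint16_t crc = iso15693_crc(frame, len - 2);
    return frame[len - 2] == (crc & 0xFF) && frame[len - 1] == (crc >> 8);
}

/* Self-check: the request must come out as 26 01 00 F6 0A, verify, and
 * stop verifying once a body bit is flipped. */
bool inventory_request_selfcheck(void)
{
    uint8_t req[5];
    if (build_inventory_request(req) != 5) return false;
    if (req[3] != 0xF6 || req[4] != 0x0A) return false;
    bool ok = iso15693_crc_ok(req, 5);
    req[2] ^= 0x01;                 /* corrupt one body byte */
    return ok && !iso15693_crc_ok(req, 5);
}
```

The same routine, run over a tag's Inventory Response with its trailing two bytes, is the check a decoder applies before trusting the UID it has just demodulated.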
I still have to improve my signal processing code; at the moment
it is not very close to optimal. I should generally clean things up,
and add a more structured set of interfaces for adding new families
of tags (as opposed to just bolting things on wherever they fit, as
I do now).

Most of the software is written in C, for arm-elf-gcc. For the
numerical stuff it looks like I could get maybe a factor of two
speedup by hand-coding in assembly, but I haven't yet. That (or more
complexity in the FPGA) would be required to eavesdrop in real time.
The logic is written in Verilog, for the Webpack tools.

A mini-release is available for download:

The software and other materials may be distributed and modified
according to the terms of the GPL; see the license enclosed in the
zip file.

I am not sure how useful this will be, though; not very many
people are set up to assemble (and debug) the hardware, and even
stuff like the DSP routines is rather specialized.

July 2006, Cambridge MA