%include "default.mgp" %default 1 bgrad %%% %page %nodefault %back "blue" %center %size 7 OpenPCD / OpenPICC Free Software and Hardware for 13.56MHz RFID Apr 17, 2008 DORS/CLUC %center %size 4 by Harald Welte %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC Introduction Who is speaking to you? an independent Free Software developer one of the authors of Linux kernel packet filter busy with enforcing the GPL at gpl-violations.org working on Free Software for smartphones (openezx.org) ...and Free Software for RFID (librfid) ...and Free Software for ePassports (libmrtd) ...among other things ;) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC Introduction RFID Short introduction on 13.56MHz RFID systems Magnetic Coupling ISO 14443-A / -B (proximity IC cards) ISO 15693 (vicinity IC cards) Proprietary: FeliCa, Legic, Mifare Classic, ... Applications: RFID tagging (15693), Smartcards (14443) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC RFID Reader Designs Overview on available reader designs Most readers based on ASIC (Philips, TI, ...) + Microcontroller Readers for PC's usually have USB, RS232 or PCMCIA IF Some reader designs with Ethernet, RS-485 Important: If you need Mifare, you need Philips reader ASIC Active readers implement protocols in firmware, passive in host sw %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC The OpenPCD project The OpenPCD project design a RFID reader that gives full power and all interfaces reader hardware design is under CC share alike attribution license reader firmware and host software under GPL use hardware that doesn't require proprietary development tools don't license any RTOS but write everything from scratch ability to modify firmware can be active or passive can produce protocol violations %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC The OpenPCD project The OpenPCD project various hardware interfaces connector for analog and digital intermediate demodulation steps connector for firmware-configurable trigger pulse connector for unmodulated (tx) and demodulated (rx) bitstream RS232 (@ 3.3V) port for debug messages versatile internal connection between ASIC and microcontroller enables microcontroller to directly modulate carrier using serial bitstream from SSC using PWM signal from TC (timer/counter) unit enables microcontroller to sample Tx and/or Rx signal using SSC Rx %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPCD hardware configuration OpenPCD hardware configuration Atmel AT91SAM7S128 microcontroller 48MHz 32bit ARM7TDMI core many integrated peripherals (SPI, SSC, ADC, I2C, ..) USB full speed peripheral controller 128kB user-programmable flash 32kB SRAM integrated SAM-BA emergency bootloader, enables ISP Philips CL RC632 reader ASIC documentation 'freely' available (40bit RC4 / 5days) commonly used by other readers supports 14443-A and B, including higher bitrates up to 424kBps can be configured up to 848kBps, even though it's not guaranteed %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPCD schematics OpenPCD schematics Please see the schematics in PDF form %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPCD firmware build environment OpenPCD firmware build environment Standard GNU toolchain for ARM7TDMI (armv4) binutils-2.16.1 gcc-4.0.2 Custom Makefiles to create flash images sam7utils for initial flash using SAM-BA 'cat dfu.bin firmware.bin > foo.samba' produces SAM-BA image Parts of newlib are linked if DEBUG=1 is used (snprintf, ...) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPCD device firmware OpenPCD device firmware since firmware is hackable, it should be easy to download a new image USB Forum published "USB Device Firmware Upgrade" (DFU) specification sam7dfu project (developed as part of OpenPCD) implements DFU on SAM7 dfu-programmer (sf.net) implemented 90% of what was required on host DFU works by switching from normal (application) mode into separate mode with its own device/configuration/endpoint descriptors since firmware bug could render device in broken 'crashed' state, we added a button that can be pressed during power-on to force DFU mode %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPCD device firmware OpenPCD device firmware The firmware build system allows for different build targets for different firmware images Normal reader operation using librfid supported by 'main_dumbreader' target main_librfid: Intelligent firmware with full RFID stack built-in main_analog: Analog signals can be output on U.FL socket main_pwm: PWM modulation of 13.56MHz carrier (variable frequency/phase) main_reqa: Implement 14443-123 (Type A) in reader firmware, send REQA/WUPA/anticol %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPCD device firmware OpenPCD device firmware source lib some generic C library routines (bitops, printf, ...) src/os shared 'operating system' code src/pcd OpenPCD specific code (reader side) src/picc OpenPICC specific code (tag side) src/dfu USB Device Firmware Upgrade src/start low-level assembly startup code scripts scripts to generate UTF8LE usb strings, etc %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPCD USB protocol OpenPCD USB protocol All communication on the USB is done using a vendor-specific protocol on three endpoints (BULK OUT, BULK IN, INT IN) All messages (usb transfers) have a common four-byte header %%%%%%%%I%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC main_dumbreader firmware OpenPCD 'main_dumbreader' firmware The main_dumbreader firmware exports four primitives for RC632 access read register write register read fifo write fifo Using those primitives, the full 14443-1234 A+B and 15693 can be implemented in host software (librfid) This is the main production firmware at this point %%%%%%%%I%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC main_pwm firmware OpenPCD 'main_pwm' firmware The main_pwm firmware allows emitting a 13.56MHz carrier modulated with an arbitrary PWM signal frequency and phase controlled by console on UART port Using main_pwm, it's easy to test link-layer characteristics, e.g. when developing a PICC device %%%%%%%%I%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC main_reqa firmware OpenPCD 'main_reqa' firmware The main_reqa firmware contains code to either repeatedly transmit ISO14443A REQA repeatedly transmit ISO14443A WUPA repeatedly go through full ISO14443A anticollision The progress is shown on the serial debug port This firmware is mainly for demonstration and debugging %%%%%%%%I%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC main_mifare firmware OpenPCD 'main_mifare' firmware The main_mifare firmware contains code to repeatedly dump one page of a mifare classic card This only works, if the INFINEON default key is used The progress is shown on the serial debug port This firmware is mainly for demonstration and debugging %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPCD host software (librfid) The librfid project predates OpenPCD by 1.5 years was originally written as part of the OpenMRTD project for ePassports supported Omnikey CM5121 / CM5321 readers OpenPCD main_dumbreader support has been added implements 14443 -2, -3, -4 (A+B), ISO 15693, Mifare http://openmrtd.org/projects/librfid %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPCD status OpenPCD status Hardware design finished Prototype state is over First 80 units shipped to customers Orders can be placed (100EUR excl. VAT) at http://shop.openpcd.org/ DIY folks: We also sell the PCB for 18EUR :) We have readers with us, in case anyone is interested %%%%%%%%I%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC main_librfid firmware OpenPCD 'main_librfid' firmware The main_librfid firmware contains the full librfid stack offers librfid C API allows easy port of librfid host applications into device firmware allows OpenPCD to operate 100% autonomous does not have a USB protocol for host applications yet %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPCD outlook OpenPCD outlook main_librfid USB protocol specifications 'bset of both worlds' approach for many applications emulate USB-CCID profile (designed for contact based smartcard readers) thus, OpenPCD could be used to transparently access 14443-4 (T=CL) protocol cards just like contact based smartcards emulate ACG serial protocol on debug port thus, software like RFIDiot and RFdump could be used write nice frontend for Rx/Tx sampling including software decoding on host pc to recover data finally be able to do some cryptoanalysis on e.g. Mifare Lots of other interesting projects Volunteers wanted! %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC The OpenPICC project conterpart to OpenPCD design RFID transponder simulator that gives full control / all interfaces hardware schematics and software licensed like OpenPCD based on the same microcontroller much of the firmware (USB stack, SPI driver, ...) is shared no ASIC's for 'transponder side' available analog frontend and demodulator had to be built discrete, from scratch %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPICC hardware configuration OpenPICC hardware configuration Atmel AT91SAM7S256 almost 100% identical to S128 (OpenPCD) has twice the RAM and flash Analog antenna frontend / matching network Diode based demodulator Two FET and NAND based load modulation circuit subcarrier generated in software SSC clock rate == (2*fSubc) == 2*847.5kHz = 1.695MHz Output of 101010 produces 847.5kHz subcarrier two GPIO pins configure three steps of modulation depth %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPICC hardware (Rx path) OpenPICC hardware (Rx path) Antenna builds resonant circuit with capacitor low-capacity diode for demodulation active filter + buffering/amplification comparator for quantization of signal resulting serial bitstream fed into SSC Rx of SAM7 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPICC hardware (Rx path) OpenPICC hardware (Rx path) Problem: bit clock regeneration bitclock is fCarrier / 128 PCD modulates 100% ASK => no continuous clock at PICC Solution: PICC needs to recover/recreate fCarrier using PLL PLL response can be delayed via low pass Problem: However, PLL will drift in long sequence of bytes Solution: Sample-and-Hold in PLL loop can solve this problem %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPICC hardware (Rx path) OpenPICC hardware (Rx path) Problem: bit clock / sample clock phase coherency bitclock is not coherent over multiple frames PCD can start bitclock at any fCarrier cycle PICC needs to recover bit clock Solution: OpenPICC uses SAM7 Timer/Counter 0 as fCarrier divider First falling edge of demodulated data resets counter Therefore, sample clock is in sync with bit clock %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPICC hardware (Tx path) OpenPICC hardware (Tx path) Two FET and NAND based load modulation circuit subcarrier generated in software SSC clock rate == (2*fSubc) == 2*847.5kHz = 1.695MHz Output of 101010 produces 847.5kHz subcarrier two GPIO pins configure three steps of modulation depth %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPICC USB protocol OpenPICC USB protocol 100% identical to OpenPCD, just different set of commands Most commands based on virtual register set (content: protocol params) modulation width / depth frame delay time for synchronous replies encoding (manchester, OOK / NRZ-L, BPSK) decoding (miller / NRZ) UID for anticollision ATQA content %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC OpenPICC status OpenPICC status second generation prototype not yet 100% functional still some problems with clock recovery + analog side finished 'really soon now' first production units expected for January %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page OpenPCD / OpenPICC Links Links http://openpcd.org/ http://wiki.openpcd.org/ http://shop.openpcd.org/ http://openmrtd.org/project/librfid/ http://openbeacon.org/ (active 2.4GHz RFID)