summaryrefslogtreecommitdiff
path: root/2006/openpcd_openpicc-0sec
diff options
context:
space:
mode:
Diffstat (limited to '2006/openpcd_openpicc-0sec')
-rw-r--r--2006/openpcd_openpicc-0sec/openpcd_openpicc.mgp352
1 files changed, 352 insertions, 0 deletions
diff --git a/2006/openpcd_openpicc-0sec/openpcd_openpicc.mgp b/2006/openpcd_openpicc-0sec/openpcd_openpicc.mgp
new file mode 100644
index 0000000..f81c448
--- /dev/null
+++ b/2006/openpcd_openpicc-0sec/openpcd_openpicc.mgp
@@ -0,0 +1,352 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+OpenPCD / OpenPICC
+Free Software and Hardware for 13.56MHz RFID
+
+Oct 13, 2006
+0sec, Bern
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+Introduction
+
+Who is speaking to you?
+ an independent Free Software developer
+ one of the authors of Linux kernel packet filter
+ busy with enforcing the GPL at gpl-violations.org
+ working on Free Software for smartphones (openezx.org)
+ ...and Free Software for RFID (librfid)
+ ...and Free Software for ePassports (libmrtd)
+ ...among other things ;)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+Introduction RFID
+
+Short introduction on 13.56MHz RFID systems
+ Magnetic Coupling
+ ISO 14443-A / -B (proximity IC cards)
+ ISO 15693 (vicinity IC cards)
+ Proprietary: FeliCa, Legic, Mifare Classic, ...
+ Applications: RFID tagging (15693), Smartcards (14443)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+RFID Reader Designs
+
+Overview on available reader designs
+ Most readers based on ASIC (Philips, TI, ...) + Microcontroller
+ Readers for PC's usually have USB, RS232 or PCMCIA IF
+ Some reader designs with Ethernet, RS-485
+ Important: If you need Mifare, you need Philips reader ASIC
+ Active readers implement protocols in firmware, passive in host sw
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+The OpenPCD project
+
+The OpenPCD project
+ design a RFID reader that gives full power and all interfaces
+ reader hardware design is under CC share alike attribution licnese
+ reader firmware and host software under GPL
+ use hardware that doesn't require proprietary development tools
+ don't license any RTOS but write everything from scratch
+ ability to modify firmware
+ can be active or passive
+ can produce protocol violations
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+The OpenPCD project
+
+The OpenPCD project
+ various hardware interfaces
+ connector for analog and digital intermediate demodulation steps
+ connector for firmware-configurable trigger pulse
+ connector for unmodulated (tx) and demodulated (rx) bitstream
+ RS232 (@ 3.3V) port for debug messages
+ versatile internal connection between ASIC and microcontroller
+ enables microcontroller to directly modulate carrier
+ using serial bitstream from SSC
+ using PWM signal from TC (timer/counter) unit
+ enables microcontroller to sample Tx and/or Rx signal
+ using SSC Rx
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPCD hardware configuration
+
+OpenPCD hardware configuration
+ Atmel AT91SAM7S128 microcontroller
+ 48MHz 32bit ARM7TDMI core
+ many integrated peripherals (SPI, SSC, ADC, I2C, ..)
+ USB full speed peripheral controller
+ 128kB user-programmable flash
+ 32kB SRAM
+ integrated SAM-BA emergency bootloader, enables ISP
+ Philips CL RC632 reader ASIC
+ documentation 'freely' available (40bit RC4 / 5days)
+ commonly used by other readers
+ supports 14443-A and B, including higher bitrates up to 424kBps
+ can be configured up to 848kBps, even though it's not guaranteed
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPCD schematics
+
+OpenPCD schematics
+ Please see the schematics in PDF form
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPCD firmware build environment
+
+OpenPCD firmware build environment
+
+ Standard GNU toolchain for ARM7TDMI (armv4)
+ binutils-2.16.1
+ gcc-4.0.2
+ Custom Makefiles to create flash images
+ sam7utils for initial flash using SAM-BA
+ 'cat dfu.bin firmware.bin > foo.samba' produces SAM-BA image
+ Parts of newlib are linked if DEBUG=1 is used (snprintf, ...)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPCD device firmware
+
+OpenPCD device firmware
+ since firmware is hackable, it should be easy to download a new image
+ USB Forum published "USB Device Firmware Upgrade" (DFU) specification
+ sam7dfu project (developed as part of OpenPCD) implements DFU on SAM7
+ dfu-programmer (sf.net) implemented 90% of what was required on host
+ DFU works by switching from normal (application) mode into separate mode with its own device/configuration/endpoint descriptors
+ since firmware bug could render device in broken 'crashed' state, we added a button that can be pressed during power-on to force DFU mode
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPCD device firmware
+
+OpenPCD device firmware
+ The firmware build system allows for different build targets for different firmware images
+ Normal reader operation using librfid supported by 'main_dumbreader' target
+ main_analog: Analog signals can be output on U.FL socket
+ main_pwm: PWM modulation of 13.56MHz carrier (variable frequency/phase)
+ main_reqa: Implement 14443-123 (Type A) in reader firmware, send REQA/WUPA/anticol
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPCD USB protocol
+
+OpenPCD USB protocol
+ All communication on the USB is done using a vendor-specific protocol on three endpoints (BULK OUT, BULK IN, INT IN)
+ All messages (usb transfers) have a common four-byte header
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+main_dumbreader firmware
+
+OpenPCD 'main_dumbreader' firmware
+ The main_dumbreader firmware exports four primitives for RC632 access
+ read register
+ write register
+ read fifo
+ write fifo
+ Using those primitives, the full 14443-1234 A+B and 15693 can be implemented in host software (librfid)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPCD host software (librfid)
+
+The librfid project
+ predates OpenPCD by 1.5 years
+ was originally written as part of the OpenMRTD project for ePassports
+ supported Omnikey CM5121 / CM5321 readers
+ OpenPCD main_dumbreader support has been added
+ implements 14443 -2, -3, -4 (A+B), ISO 15693, Mifare
+ http://openmrtd.org/projects/librfid
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPCD status
+
+OpenPCD status
+ Hardware design finished
+ Prototype state is over
+ First 25 units shipped to customers
+ Orders can be placed (100EUR excl. VAT) at http://shop.openpcd.org
+ DIY folks: We also sell the PCB for 18EUR :)
+ I have three readers with me, in case anyone is interested
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPCD outlook
+
+OpenPCD outlook
+ redesign librfid so it can easily be compiled for host or device
+ get rid of dynamic allocations
+ try to be more memory efficient
+ emulate USB-CCID profile (designed for contact based smartcard readers)
+ thus, OpenPCD could be used to transparently access 14443-4 (T=CL) protocol cards just like contact based smartcards
+ write nice frontend for Rx/Tx sampling
+ including software decoding on host pc to recover data
+ finally be able to do some cryptoanalysis on e.g. Mifare
+ Lots of other interesting projects
+ Volunteers wanted!
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+The OpenPICC project
+
+ conterpart to OpenPCD
+ design RFID transponder simulator that gives full control / all interfaces
+ hardware schematics and software licensed like OpenPCD
+ based on the same microcontroller
+ much of the firmware (USB stack, SPI driver, ...) is shared
+ no ASIC's for 'transponder side' available
+ analog frontend and demodulator had to be built discrete, from scratch
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPICC hardware configuration
+
+OpenPICC hardware configuration
+ Atmel AT91SAM7S256
+ almost 100% identical to S128 (OpenPCD)
+ has twice the RAM and flash
+ Analog antenna frontend / matching network
+ Diode based demodulator
+ Two FET and NAND based load modulation circuit
+ subcarrier generated in software
+ SSC clock rate == (2*fSubc) == 2*847.5kHz = 1.695MHz
+ Output of 101010 produces 847.5kHz subcarrier
+ two GPIO pins configure three steps of modulation depth
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPICC hardware (Rx path)
+
+OpenPICC hardware (Rx path)
+ Antenna builds resonant circuit with capacitor
+ low-capacity diode for demodulation
+ active filter + buffering/amplification
+ comparator for quantization of signal
+ resulting serial bitstream fed into SSC Rx of SAM7
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPICC hardware (Rx path)
+
+OpenPICC hardware (Rx path)
+ Problem: bit clock regeneration
+ bitclock is fCarrier / 128
+ PCD modulates 100% ASK => no continuous clock at PICC
+ Solution:
+ PICC needs to recover/recreate fCarrier using PLL
+ PLL response can be delayed via low pass
+ Problem:
+ However, PLL will drift in long sequence of bytes
+ Solution:
+ Sample-and-Hold in PLL loop can solve this problem
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPICC hardware (Rx path)
+
+OpenPICC hardware (Rx path)
+ Problem: bit clock / sample clock phase coherency
+ bitclock is not coherent over multiple frames
+ PCD can start bitclock at any fCarrier cycle
+ PICC needs to recover bit clock
+ Solution:
+ OpenPICC uses SAM7 Timer/Counter 0 as fCarrier divider
+ First falling edge of demodulated data resets counter
+ Therefore, sample clock is in sync with bit clock
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPICC hardware (Tx path)
+
+OpenPICC hardware (Tx path)
+ Two FET and NAND based load modulation circuit
+ subcarrier generated in software
+ SSC clock rate == (2*fSubc) == 2*847.5kHz = 1.695MHz
+ Output of 101010 produces 847.5kHz subcarrier
+ two GPIO pins configure three steps of modulation depth
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPICC USB protocol
+
+OpenPICC USB protocol
+ 100% identical to OpenPCD, just different set of commands
+ Most commands based on virtual register set (content: protocol params)
+ modulation width / depth
+ frame delay time for synchronous replies
+ encoding (manchester, OOK / NRZ-L, BPSK)
+ decoding (miller / NRZ)
+ UID for anticollision
+ ATQA content
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+OpenPICC status
+
+OpenPICC status
+ first prototype not yet 100% functional
+ still some problems with clock recovery + analog side
+ finished 'really soon now' (december)
+ first production units expected for January
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+OpenPCD / OpenPICC
+Links
+
+Links
+ http://openpcd.org/
+ http://wiki.openpcd.org/
+ http://shop.openpcd.org/
+ http://openmrtd.org/project/librfid/
personal git repositories of Harald Welte. Your mileage may vary