Diffstat (limited to '2008/openpcd_openpicc-cluc2008')
-rw-r--r-- 2008/openpcd_openpicc-cluc2008/OpenPICC_Bm117_3_SCH.pdf bin 0 -> 485541 bytes
-rw-r--r-- 2008/openpcd_openpicc-cluc2008/librfid.tpp 417
-rw-r--r-- 2008/openpcd_openpicc-cluc2008/openpcd.jpg bin 0 -> 48526 bytes
-rw-r--r-- 2008/openpcd_openpicc-cluc2008/openpcd_openpicc.mgp 425
-rw-r--r-- 2008/openpcd_openpicc-cluc2008/openpcd_openpicc.pdf bin 0 -> 39694 bytes
-rw-r--r-- 2008/openpcd_openpicc-cluc2008/openpcd_v04-pcb.pdf bin 0 -> 595384 bytes
-rw-r--r-- 2008/openpcd_openpicc-cluc2008/openpcd_v04-sch.pdf bin 0 -> 853114 bytes
-rw-r--r-- 2008/openpcd_openpicc-cluc2008/openpicc.jpg bin 0 -> 60305 bytes
8 files changed, 842 insertions, 0 deletions
diff --git a/2008/openpcd_openpicc-cluc2008/OpenPICC_Bm117_3_SCH.pdf b/2008/openpcd_openpicc-cluc2008/OpenPICC_Bm117_3_SCH.pdf Binary files differnew file mode 100644 index 0000000..969a692 --- /dev/null +++ b/2008/openpcd_openpicc-cluc2008/OpenPICC_Bm117_3_SCH.pdf diff --git a/2008/openpcd_openpicc-cluc2008/librfid.tpp b/2008/openpcd_openpicc-cluc2008/librfid.tpp new file mode 100644 index 0000000..7454241 --- /dev/null +++ b/2008/openpcd_openpicc-cluc2008/librfid.tpp 
@@ -0,0 +1,417 @@ +--author Harald Welte <laforge@gnumonks.org> +--title RFID Protocols, librfid +--date 17 Apr 2008 +Starting with November 2005, the German federal government has started to issue +epectronic passports with RFID interface. All other EU member states will have +to issue such passports no later than January 2007. Only Switzerland seems to +have a reasonable attitude by giving their citizens a choice. + +This presentation covers technical background about the RFID technology, the ICAO MRTD specification, and the authors' efforts to develop a free software stack to use Linux to communicate with those passports. +--footer This presentation is made with tpp http://synflood.at/tpp.html + +--newpage +--footer RFID Potocols and librfid +--header Overview +Introduction into RFID + What is RFID + Components of RFID System + Protocols and Standards + Security Issues +librfid - A free software RFID stack + Data Structures + Protocol Stack + Interaction with OpenCT + +--newpage +--footer RFID Potocols and librfid +--header Introduction into RFID +Definition of term RFID + Radio Frequency IDentification + +RFID is one of the recent buzzwords in lots of industries, such as + transportation + retail sector + governments + +Like most buzzwords, it's not very clearly defined. There is no such thing as "the RFID System. There are lots of different Systems, some standardized, most proprietary. Each of them uses it's own frequency, modulation, encoding and protocol combination. Often, systems of multiple vendors can not be used interchangibly. 
+ +--newpage +--footer RFID Potocols and librfid +--header Components of an RFID system +Tag (Transponder) + Serial Number Tags + Replacement for EAN/UPC Barcodes + WORM Tags + Can be written once by Issuer + Read/Write Tags + Can be re-written many times + Read/Write Tags with "passive" security + Have state-machine based crypto for access control + Cryptographic smartcards with RF Interface + Like other crypto smartcards, just with RF interface + +--newpage +--footer RFID Potocols and librfid +--header Reader +Readers (Coupling Device) + Readers are always called readers, even if they can write ;) + Usually connected to a host computer via RS-323, USB or alike + Unfortunately no standard, for API, Hardware and/or Protocol :( + Most applications are written to vendor-provided device-specific API's + One exception: Readers for Smartcards with RF-Interface (use PC/SC) + +--newpage +--footer RFID Potocols and librfid +--header RF Interface +The RF interface is the key attribute of any RFID system. 
+Parameters that determine the RF interface are + frequency + modulation + operational principle + +--newpage +--footer RFID Potocols and librfid +--header RF Interface +Magnetic Coupling + used by many of todays RFID deployment + rely on the magnetic coupling ("transformer") principle + Tag/Transponder has a coil antenna to pick up RF-Field of Reader + Power for Tag/Transponder is drawn from the magnetic field + Common systems use 125kHz (old) or 13.56MHz (current) + Operational range often small, since high magnetic field strengh needed + +--newpage +--footer RFID Potocols and librfid +--header RF Interface +Backscatter + Used by many RFID systems under current development + Operate typically in UHF range (868 to 956 MHz) + Use electric field of the reader, employ backscatter modulation + Higher operational range (within tens of metres) + +Surface Accoustic Wave + SAW tags use low-power microwave radio signals + Tag/Transponder converts it to untrasonic signals (piezo crystal) + Variations of the reflected signal used to provide a unique number + +--newpage +--footer RFID Potocols and librfid +--header Protocols and Standards +Apart from the various vendor proprietary protocols, there are some ISO standards +ISO 11784 / 11785 + Identification of Animals + 134.2kHz, magnetic coupling, load modulation, 4191 bps +ISO 14223 + Extension of 11784/11785 and allows for more data +ISO 10536 + "close coupling" smart cards, range up to 1cm + Inductive or capacitive coupling at 4.9152MHz + Never attained any significant market share +ISO 18000 series + Current development of international "Auto-ID" standard + Includes operation on 13.56MHz, 2.4GHz, 868/956MHz + Not yet deployed + +--newpage +--footer RFID Potocols and librfid +--header Protocols and Standards +ISO 14443 + "proximity coupling ID cards" + Range of up to 10cm + Two variants: 14443-A and 14443-B + Both use 13.56MHz, but different parameters (see paper for details) + Specifies physical layer, link-layer 
(anticollision) + Specifies an optional transport level protocol (ISO 14443-4) + Speed up to 848kbits/sec + +ISO 15693 + "vicinity coupling", range up to 1m + Like ISO 14443, operates on 13.56MHz, magnetic coupling + Data rate 1.65kbits/sec or 26.48kbits/sec + Because of long distance, very little power + Therefore only used for passive tags + +--newpage +--footer RFID Potocols and librfid +--header Protocols and Standards +ISO 14443-A Details + Anti-Collision is based on binary search + Manchester Encoding allows reader to detect bit collisions + Reader can transmit bit-frames of variable length + + 1. Reader sends REQA / WUPA + 2. All transpondesr in range will reply with their address (UID) + 3a. If there is no collision, send SELECT comamand on full UID + 3b. If there is a collision, transmit bit frame which forces bit of collision to 0 or 1 + 4. Loop + +--newpage +--footer RFID Potocols and librfid +--header Protocols and Standards +ISO 14443-B Details + Anti-Collision is based on "Slotted ALOHA" protocol + Based in probabilistic scheme + Reader sends REQB/WUPB command with number of available slots + Every transponder chooses it's own number (rnd() % slots) + If there is a collision, we simply retry. + +Result: + Both 14443-A and 14443-B anti collision are subject to DoS + "blocker tags" have already been demonstrated. + +--newpage +--footer RFID Potocols and librfid +--header Protocols and (Non-)Standards +Mifare + Mifare is a marketing term by Philips + + Mifare refers to a complete family of RFID systems, comprising + Transponders, Reader ASICs and a set of prorprietary protocols. 
+ Mifare Classic transponders (1k, 4k) + are memory transponders with state machine based crypto + Mifare Classic employs a proprietary stream cipher (CRYPTO 1) that + is implemented in both transponder and reader hardware + Mifare Ultralight has no crypto, plain passive memory transponder + Mifare transponders are segmented in blocks, every block has + it's own pair of CRYPTO1 access keys and permission management + +--newpage +--footer RFID Potocols and librfid +--header Closer look on Readers +There's a variety of readers for the 13.56MHz world +Usually they all use one of the (small number of) available ASIC's +Reader ASIC's integrate analog and digital part and have standard bus interface +End-User Reader products contain such an ASIC plus a microcontroller + +Active Readers + e.g. "Philips Pegoda" + Run the RFID protocol stack on the microcontroller + +Passive Readers + e.g. "Omnikey CardMan 5121" + Run the RFID protocol on the host system + +Passive readers obviously provide higher flexibility and are cheaper. 
+ +--newpage +--footer RFID Potocols and librfid +--header Security Issues +Eavesdropping + Channel from reader to tag can be easily sniffed (even > 10m) + Channel from tag to reader is difficult (Author has managed 3m) + +Denial of Service + Anti-collision mechanism used to distinguish between multiple tags + Using a "fake tag" you can create Denial of Service + Products such as "blocker tags" have already been presented + +Authenticity/Confidentiality + None of the existing standards offers any kind of crypto + Standards-compliant systems like passports use crypto at layer 5 + Lots of proprietary "closed algorithm" vendor products with questionable security + + +--newpage +--footer RFID Potocols and librfid +--header librfid - A Free Software RFID stack +The librfid project intends to provide a free software reader-side implementation of common RFID protocols such as ISO 14443 and ISO 15693 + +Various abstraction layers and plugin interface allows for later addition of new protocols an readers. + +Optionally integrates with OpenCT. 
+ +--newpage +--footer RFID Potocols and librfid +--header librfid - A Free Software RFID stack +struct rfid_asic + Contains all routines for a specific reader asic + Currently only Philips CL RC 632 and Philips Pegoda (partially) supported +struct rfid_asic_transport + A transport that gives access to the ASIC registers +struct rfid_reader + A container for rfid_asic and rfid_asic_transport +struct rfid_layer2 + An anticollision protocol such as ISO 14443-3A/B +struct rfid_protocol + A transport protocol such as ISO 14443-4 + +--newpage +--footer RFID Potocols and librfid +--header librfid - A Free Software RFID stack + +Typical Protocol Stack + rfid_protocol_stack + CM5121 Reader + CL RC632 ASIC + PC_to_RDR_Escape transport + USB-CCID driver of OpenCT + libusb + +--newpage +--footer RFID Potocols and librfid +--header librfid - A Free Software RFID stack +Application Interface + +Native API + librfid-specific API + quite low-level + requires application to know a lot about the stack + +OpenCT, PC/SC, CT-API + OpenCT integration provides PC/SC and CT-API for crypto smarcards + Is currently under development + +--newpage +--footer RFID Potocols and librfid +--header Electronic Passports +Electronic Passports (ePassports) are officially called MRTD +MRTD: Machine Readable Travel Document +Specifications by ICAO (International Civil Aviation Organization) +Basic idea + store passport data and additional biometrics on Transponder + alternate storage methods such as 2D barcodes covered, too + common standard for interoperability + some features required, others optional (up to issuing country) + +--newpage +--footer RFID Potocols and librfid +--header Electronic Passports +Organization of Data + According to LDS (Logical Data Structure) specification + Data is stored in DG (Data Groups) + DG1: MRZ information (mandatory) + DG2: Portrait Image + Biometric template (mandatory) + DG3-4: fingerprints, iris image (optional) + EF.SOD: Security Object Data (cryptographic 
signatures) + EF.COM: Lists with Data Groups Exist + All data is stored in BER-encoded ASN.1 + just think of all the ASN.1 parser bugs... + DG2-DG4 are encoded as CBEFF (common biometric file format, ISO 19785) + +--newpage +--footer RFID Potocols and librfid +--header Electronic Passports +Security Features + Randomization of Serial Number + Usually all ISO 14443 transponders have a unique serial number + This serial number is part of the anticollision procedure + Problem: Pseudonymized Tracking + ICAO MRTD specs don't require unique serial number + Therefore, some countries will generate random serial numbers + +--newpage +--footer RFID Potocols and librfid +--header Electronic Passports +Security Features + Passive Authentication (mandatory) + Proves that passport data is signed by issuing country + Inspection System verifies signature of DG's + EF.SOD contains individual signature for each DG + EF.SOD itself is signed + Document Signer Public Key from PKD / bilateral channels + Document Signer Public Key also stored on Passport (optional) + Useful only if Country Root CA public key known + +--newpage +--footer RFID Potocols and librfid +--header Electronic Passports +Security Features + Active Authentication (optional) + Verifies that chip has not been substituted + Uses challenge-response protocol between reader and chip + DG15 contains KPuAA + KPrAA is stored in secure memory of the chip + PPuAA is signed in EF.SOD + +--newpage +--footer RFID Potocols and librfid +--header Electronic Passports + Basic Access Control (optional, implemented in .de passports) + Denies Access to the chip until inspection system is authorized + Authorization is performed by deriving keys from MRZ + MRZ_info + nine digit document number + in many countries: issuing authority + incrementing number + six digit date of birth + can be guessed or assumed between + six digit expiry date + 16most significant bytes of SHA1-hash over MRZ_info is key + 3des keys used for S/M (ISO7816 secure 
messaging) + + +--newpage +--footer RFID Potocols and librfid +--header Electronic Passports + Extended Access Control (optional) + Prevents unauthorized access to additional bimetrics + Similar to Basic Access Control, but different keys + Not internationally standardized + Implemented by individual states + Only shared with those states that are allowed access + + +--newpage +--footer RFID Potocols and librfid +--header Electronic Passports + Encryption of Additional Biometrics (optional + The actual payload of the CBEFF + +--newpage +--footer RFID Potocols and librfid +--header Electronic Passports +Public Key Hierarchy + X.509 Certificates + Every country operates it's own CA + Document signer keys derived from CA root + Document signer public keys are distributed publicly via ICAO PKD + Everyone can verify + +--newpage +--footer RFID Potocols and librfid +--header libmrtd - Free Software library for MRTD's +libmtrd provides functions for + reading out and decoding data on MRTD + verifying data stored on MRTD + cryptograpy compliant with MRTD specs + basic access control + passive authentication + extended access control (planned) + +--newpage +--footer RFID Potocols and librfid +--header libmrtd - Free Software library for MRTD's +API towards the lower level (transport) + PC/SC (to work with readers/drivers other than librfid) + native librfid API +API towards the application + not really finished yet, lots of flux + +--newpage +--footer RFID Potocols and librfid +--header libmrtd - Free Software library for MRTD's +libmrtd status + parsing functions for LDS + parsing functions for DG1 + parsing functions for DG2 (CBEFF) + basic access control + still very much beta stage software + contributors welcome + no frontend application program + +--newpage +--footer RFID Potocols and librfid +--header Further Reading + +The slides + https://svn.gnumonks.org/trunk/presentation/2005/rfid-0sec2005/ +The paper + 
https://svn.gnumonks.org/trunk/presentation/2005/rfid-lk2005/ +librfid code + https://svn.gnumonks.org/trunk/librfid/ +libmrtd + https://svn.gnumonks.org/trunk/libmrtd +the mailinglist + librfid-devel@lists.gnumonks.org + https://lists.gnumonks.org/mailman/listinfo/librfid-devel +ICAO MRTD homepage (includes all MRTD specs in PDF format) + http://www.icao.org/ diff --git a/2008/openpcd_openpicc-cluc2008/openpcd.jpg b/2008/openpcd_openpicc-cluc2008/openpcd.jpg Binary files differnew file mode 100644 index 0000000..c07a96a --- /dev/null +++ b/2008/openpcd_openpicc-cluc2008/openpcd.jpg diff --git a/2008/openpcd_openpicc-cluc2008/openpcd_openpicc.mgp b/2008/openpcd_openpicc-cluc2008/openpcd_openpicc.mgp new file mode 100644 index 0000000..162db41 --- /dev/null +++ b/2008/openpcd_openpicc-cluc2008/openpcd_openpicc.mgp 
@@ -0,0 +1,425 @@ +%include "default.mgp" +%default 1 bgrad +%%% +%page +%nodefault +%back "blue" + +%center +%size 7 +OpenPCD / OpenPICC +Free Software and Hardware for 13.56MHz RFID + +Apr 17, 2008 +DORS/CLUC + +%center +%size 4 +by + +Harald Welte <laforge@openpcd.org> + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +Introduction + +Who is speaking to you? + an independent Free Software developer + one of the authors of Linux kernel packet filter + busy with enforcing the GPL at gpl-violations.org + working on Free Software for smartphones (openezx.org) + ...and Free Software for RFID (librfid) + ...and Free Software for ePassports (libmrtd) + ...among other things ;) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +Introduction RFID + +Short introduction on 13.56MHz RFID systems + Magnetic Coupling + ISO 14443-A / -B (proximity IC cards) + ISO 15693 (vicinity IC cards) + Proprietary: FeliCa, Legic, Mifare Classic, ... + Applications: RFID tagging (15693), Smartcards (14443) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +RFID Reader Designs + +Overview on available reader designs + Most readers based on ASIC (Philips, TI, ...) 
+ Microcontroller + Readers for PC's usually have USB, RS232 or PCMCIA IF + Some reader designs with Ethernet, RS-485 + Important: If you need Mifare, you need Philips reader ASIC + Active readers implement protocols in firmware, passive in host sw + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +The OpenPCD project + +The OpenPCD project + design a RFID reader that gives full power and all interfaces + reader hardware design is under CC share alike attribution license + reader firmware and host software under GPL + use hardware that doesn't require proprietary development tools + don't license any RTOS but write everything from scratch + ability to modify firmware + can be active or passive + can produce protocol violations + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +The OpenPCD project + +The OpenPCD project + various hardware interfaces + connector for analog and digital intermediate demodulation steps + connector for firmware-configurable trigger pulse + connector for unmodulated (tx) and demodulated (rx) bitstream + RS232 (@ 3.3V) port for debug messages + versatile internal connection between ASIC and microcontroller + enables microcontroller to directly modulate carrier + using serial bitstream from SSC + using PWM signal from TC (timer/counter) unit + enables microcontroller to sample Tx and/or Rx signal + using SSC Rx + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPCD hardware configuration + +OpenPCD hardware configuration + Atmel AT91SAM7S128 microcontroller + 48MHz 32bit ARM7TDMI core + many integrated peripherals (SPI, SSC, ADC, I2C, ..) 
+ USB full speed peripheral controller + 128kB user-programmable flash + 32kB SRAM + integrated SAM-BA emergency bootloader, enables ISP + Philips CL RC632 reader ASIC + documentation 'freely' available (40bit RC4 / 5days) + commonly used by other readers + supports 14443-A and B, including higher bitrates up to 424kBps + can be configured up to 848kBps, even though it's not guaranteed + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPCD schematics + +OpenPCD schematics + Please see the schematics in PDF form + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPCD firmware build environment + +OpenPCD firmware build environment + + Standard GNU toolchain for ARM7TDMI (armv4) + binutils-2.16.1 + gcc-4.0.2 + Custom Makefiles to create flash images + sam7utils for initial flash using SAM-BA + 'cat dfu.bin firmware.bin > foo.samba' produces SAM-BA image + Parts of newlib are linked if DEBUG=1 is used (snprintf, ...) 
+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPCD device firmware + +OpenPCD device firmware + since firmware is hackable, it should be easy to download a new image + USB Forum published "USB Device Firmware Upgrade" (DFU) specification + sam7dfu project (developed as part of OpenPCD) implements DFU on SAM7 + dfu-programmer (sf.net) implemented 90% of what was required on host + DFU works by switching from normal (application) mode into separate mode with its own device/configuration/endpoint descriptors + since firmware bug could render device in broken 'crashed' state, we added a button that can be pressed during power-on to force DFU mode + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPCD device firmware + +OpenPCD device firmware + The firmware build system allows for different build targets for different firmware images + Normal reader operation using librfid supported by 'main_dumbreader' target + main_librfid: Intelligent firmware with full RFID stack built-in + main_analog: Analog signals can be output on U.FL socket + main_pwm: PWM modulation of 13.56MHz carrier (variable frequency/phase) + main_reqa: Implement 14443-123 (Type A) in reader firmware, send REQA/WUPA/anticol + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPCD device firmware + +OpenPCD device firmware source + lib + some generic C library routines (bitops, printf, ...) 
+ src/os + shared 'operating system' code + src/pcd + OpenPCD specific code (reader side) + src/picc + OpenPICC specific code (tag side) + src/dfu + USB Device Firmware Upgrade + src/start + low-level assembly startup code + scripts + scripts to generate UTF8LE usb strings, etc + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPCD USB protocol + +OpenPCD USB protocol + All communication on the USB is done using a vendor-specific protocol on three endpoints (BULK OUT, BULK IN, INT IN) + All messages (usb transfers) have a common four-byte header + +%%%%%%%%I%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +main_dumbreader firmware + +OpenPCD 'main_dumbreader' firmware + The main_dumbreader firmware exports four primitives for RC632 access + read register + write register + read fifo + write fifo + Using those primitives, the full 14443-1234 A+B and 15693 can be implemented in host software (librfid) + This is the main production firmware at this point + +%%%%%%%%I%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +main_pwm firmware + +OpenPCD 'main_pwm' firmware + The main_pwm firmware allows emitting + a 13.56MHz carrier + modulated with an arbitrary PWM signal + frequency and phase controlled by console on UART port + Using main_pwm, it's easy to test link-layer characteristics, e.g. 
when developing a PICC device + +%%%%%%%%I%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +main_reqa firmware + +OpenPCD 'main_reqa' firmware + The main_reqa firmware contains code to either + repeatedly transmit ISO14443A REQA + repeatedly transmit ISO14443A WUPA + repeatedly go through full ISO14443A anticollision + The progress is shown on the serial debug port + This firmware is mainly for demonstration and debugging + +%%%%%%%%I%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +main_mifare firmware + +OpenPCD 'main_mifare' firmware + The main_mifare firmware contains code to + repeatedly dump one page of a mifare classic card + This only works, if the INFINEON default key is used + The progress is shown on the serial debug port + This firmware is mainly for demonstration and debugging + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPCD host software (librfid) + +The librfid project + predates OpenPCD by 1.5 years + was originally written as part of the OpenMRTD project for ePassports + supported Omnikey CM5121 / CM5321 readers + OpenPCD main_dumbreader support has been added + implements 14443 -2, -3, -4 (A+B), ISO 15693, Mifare + http://openmrtd.org/projects/librfid + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPCD status + +OpenPCD status + Hardware design finished + Prototype state is over + First 80 units shipped to customers + Orders can be placed (100EUR excl. 
VAT) at http://shop.openpcd.org/ + DIY folks: We also sell the PCB for 18EUR :) + We have readers with us, in case anyone is interested + +%%%%%%%%I%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +main_librfid firmware + +OpenPCD 'main_librfid' firmware + The main_librfid firmware contains the full librfid stack + offers librfid C API + allows easy port of librfid host applications into device firmware + allows OpenPCD to operate 100% autonomous + does not have a USB protocol for host applications yet + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPCD outlook + +OpenPCD outlook + main_librfid USB protocol specifications + 'bset of both worlds' approach for many applications + emulate USB-CCID profile (designed for contact based smartcard readers) + thus, OpenPCD could be used to transparently access 14443-4 (T=CL) protocol cards just like contact based smartcards + emulate ACG serial protocol on debug port + thus, software like RFIDiot and RFdump could be used + write nice frontend for Rx/Tx sampling + including software decoding on host pc to recover data + finally be able to do some cryptoanalysis on e.g. Mifare + Lots of other interesting projects + Volunteers wanted! + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +The OpenPICC project + + conterpart to OpenPCD + design RFID transponder simulator that gives full control / all interfaces + hardware schematics and software licensed like OpenPCD + based on the same microcontroller + much of the firmware (USB stack, SPI driver, ...) 
is shared + no ASIC's for 'transponder side' available + analog frontend and demodulator had to be built discrete, from scratch + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPICC hardware configuration + +OpenPICC hardware configuration + Atmel AT91SAM7S256 + almost 100% identical to S128 (OpenPCD) + has twice the RAM and flash + Analog antenna frontend / matching network + Diode based demodulator + Two FET and NAND based load modulation circuit + subcarrier generated in software + SSC clock rate == (2*fSubc) == 2*847.5kHz = 1.695MHz + Output of 101010 produces 847.5kHz subcarrier + two GPIO pins configure three steps of modulation depth + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPICC hardware (Rx path) + +OpenPICC hardware (Rx path) + Antenna builds resonant circuit with capacitor + low-capacity diode for demodulation + active filter + buffering/amplification + comparator for quantization of signal + resulting serial bitstream fed into SSC Rx of SAM7 + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPICC hardware (Rx path) + +OpenPICC hardware (Rx path) + Problem: bit clock regeneration + bitclock is fCarrier / 128 + PCD modulates 100% ASK => no continuous clock at PICC + Solution: + PICC needs to recover/recreate fCarrier using PLL + PLL response can be delayed via low pass + Problem: + However, PLL will drift in long sequence of bytes + Solution: + Sample-and-Hold in PLL loop can solve this problem + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPICC hardware (Rx path) + +OpenPICC hardware (Rx path) + Problem: bit clock / sample clock phase coherency + bitclock is not coherent over multiple frames + PCD can start bitclock at any fCarrier cycle + PICC needs to recover bit clock + Solution: + OpenPICC uses SAM7 Timer/Counter 
0 as fCarrier divider + First falling edge of demodulated data resets counter + Therefore, sample clock is in sync with bit clock + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPICC hardware (Tx path) + +OpenPICC hardware (Tx path) + Two FET and NAND based load modulation circuit + subcarrier generated in software + SSC clock rate == (2*fSubc) == 2*847.5kHz = 1.695MHz + Output of 101010 produces 847.5kHz subcarrier + two GPIO pins configure three steps of modulation depth + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPICC USB protocol + +OpenPICC USB protocol + 100% identical to OpenPCD, just different set of commands + Most commands based on virtual register set (content: protocol params) + modulation width / depth + frame delay time for synchronous replies + encoding (manchester, OOK / NRZ-L, BPSK) + decoding (miller / NRZ) + UID for anticollision + ATQA content + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +OpenPICC status + +OpenPICC status + second generation prototype not yet 100% functional + still some problems with clock recovery + analog side + finished 'really soon now' + first production units expected for January + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +OpenPCD / OpenPICC +Links + +Links + http://openpcd.org/ + http://wiki.openpcd.org/ + http://shop.openpcd.org/ + http://openmrtd.org/project/librfid/ + http://openbeacon.org/ (active 2.4GHz RFID) diff --git a/2008/openpcd_openpicc-cluc2008/openpcd_openpicc.pdf b/2008/openpcd_openpicc-cluc2008/openpcd_openpicc.pdf Binary files differnew file mode 100644 index 0000000..dae28c5 --- /dev/null +++ b/2008/openpcd_openpicc-cluc2008/openpcd_openpicc.pdf 
diff --git a/2008/openpcd_openpicc-cluc2008/openpcd_v04-pcb.pdf b/2008/openpcd_openpicc-cluc2008/openpcd_v04-pcb.pdf Binary files differnew file mode 100644 index 0000000..33165ac --- /dev/null +++ b/2008/openpcd_openpicc-cluc2008/openpcd_v04-pcb.pdf diff --git a/2008/openpcd_openpicc-cluc2008/openpcd_v04-sch.pdf b/2008/openpcd_openpicc-cluc2008/openpcd_v04-sch.pdf Binary files differnew file mode 100644 index 0000000..dd3d179 --- /dev/null +++ b/2008/openpcd_openpicc-cluc2008/openpcd_v04-sch.pdf diff --git a/2008/openpcd_openpicc-cluc2008/openpicc.jpg b/2008/openpcd_openpicc-cluc2008/openpicc.jpg Binary files differnew file mode 100644 index 0000000..519bb34 --- /dev/null +++ b/2008/openpcd_openpicc-cluc2008/openpicc.jpg |
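Review bot: in the librfid.tpp hunk the `--footer RFID Potocols and librfid` directive that follows every `--newpage` misspells "Protocols", so the typo is rendered on every slide; fix each occurrence before this lands and sweep the other slide typos in the same pass: "epectronic passports", "interchangibly", "Surface Accoustic Wave", "untrasonic", "field strengh", "transpondesr", "SELECT comamand", "prorprietary", "crypto smarcards", "additional bimetrics", "cryptograpy", and "libmtrd provides functions for" (the library is spelled libmrtd everywhere else in the file). Two items are content errors rather than typos: "Usually connected to a host computer via RS-323, USB or alike" on the Reader slide should read RS-232, and on the Active Authentication slide "PPuAA is signed in EF.SOD" does not match "DG15 contains KPuAA" two lines above, so it should be KPuAA. The slide line "Encryption of Additional Biometrics (optional" is missing its closing parenthesis. The introduction is also stale for a talk whose title block says `--date 17 Apr 2008`: the opening paragraph still reads "All other EU member states will have to issue such passports no later than January 2007", and the Further Reading slide points at `https://svn.gnumonks.org/trunk/presentation/2005/rfid-0sec2005/` and `.../2005/rfid-lk2005/` rather than at this presentation; update the dates and links or drop them.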
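Review bot: in the openpcd_openpicc.mgp hunk the "OpenPICC hardware configuration" slide repeats five bullets verbatim from the later "OpenPICC hardware (Tx path)" slide, from "Two FET and NAND based load modulation circuit" through "two GPIO pins configure three steps of modulation depth"; keep them on one slide only. Several page separators (the main_dumbreader, main_pwm, main_reqa, main_mifare and main_librfid pages) read `%%%%%%%%I%%%%...` with a stray "I"; they still parse as mgp comment lines but should match the other separators. On the "OpenPCD hardware configuration" slide, "higher bitrates up to 424kBps" and "up to 848kBps" use a bytes-per-second unit where the ISO 14443 rates are in kbit/s (the librfid.tpp file in this same commit writes "848kbits/sec"), and "scripts to generate UTF8LE usb strings" names an encoding that does not exist; USB string descriptors are UTF-16LE, so that is presumably what is meant. Typos: "conterpart to OpenPCD" and "'bset of both worlds'". The "OpenPICC status" slide's "first production units expected for January" carries no year, which is ambiguous on a slide deck dated Apr 17, 2008.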