%include "default.mgp"
%default 1 bgrad
%%%
%page
%nodefault
%back "blue"
%center
%size 7
OpenPCD / OpenPICC
Free Software and Hardware for 13.56MHz RFID
Apr 17, 2008
DORS/CLUC
%center
%size 4
by
Harald Welte <laforge@openpcd.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
Introduction
Who is speaking to you?
an independent Free Software developer
one of the authors of Linux kernel packet filter
busy with enforcing the GPL at gpl-violations.org
working on Free Software for smartphones (openezx.org)
...and Free Software for RFID (librfid)
...and Free Software for ePassports (libmrtd)
...among other things ;)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
Introduction RFID
Short introduction on 13.56MHz RFID systems
Magnetic Coupling
ISO 14443-A / -B (proximity IC cards)
ISO 15693 (vicinity IC cards)
Proprietary: FeliCa, Legic, Mifare Classic, ...
Applications: RFID tagging (15693), Smartcards (14443)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
RFID Reader Designs
Overview on available reader designs
Most readers based on ASIC (Philips, TI, ...) + Microcontroller
Readers for PCs usually have a USB, RS232 or PCMCIA interface
Some reader designs with Ethernet, RS-485
Important: If you need Mifare, you need Philips reader ASIC
Active readers implement protocols in firmware, passive in host sw
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
The OpenPCD project
The OpenPCD project
design an RFID reader that gives full power and all interfaces
reader hardware design is under CC share alike attribution license
reader firmware and host software under GPL
use hardware that doesn't require proprietary development tools
don't license any RTOS but write everything from scratch
ability to modify firmware
can be active or passive
can produce protocol violations
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
The OpenPCD project
The OpenPCD project
various hardware interfaces
connector for analog and digital intermediate demodulation steps
connector for firmware-configurable trigger pulse
connector for unmodulated (tx) and demodulated (rx) bitstream
RS232 (@ 3.3V) port for debug messages
versatile internal connection between ASIC and microcontroller
enables microcontroller to directly modulate carrier
using serial bitstream from SSC
using PWM signal from TC (timer/counter) unit
enables microcontroller to sample Tx and/or Rx signal
using SSC Rx
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD hardware configuration
OpenPCD hardware configuration
Atmel AT91SAM7S128 microcontroller
48MHz 32bit ARM7TDMI core
many integrated peripherals (SPI, SSC, ADC, I2C, ..)
USB full speed peripheral controller
128kB user-programmable flash
32kB SRAM
integrated SAM-BA emergency bootloader, enables ISP
Philips CL RC632 reader ASIC
documentation 'freely' available (40bit RC4 / 5days)
commonly used by other readers
supports 14443-A and B, including higher bitrates up to 424kBps
can be configured up to 848kBps, even though it's not guaranteed
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD schematics
OpenPCD schematics
Please see the schematics in PDF form
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD firmware build environment
OpenPCD firmware build environment
Standard GNU toolchain for ARM7TDMI (armv4)
binutils-2.16.1
gcc-4.0.2
Custom Makefiles to create flash images
sam7utils for initial flash using SAM-BA
'cat dfu.bin firmware.bin > foo.samba' produces SAM-BA image
Parts of newlib are linked if DEBUG=1 is used (snprintf, ...)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD device firmware
OpenPCD device firmware
since firmware is hackable, it should be easy to download a new image
USB Forum published "USB Device Firmware Upgrade" (DFU) specification
sam7dfu project (developed as part of OpenPCD) implements DFU on SAM7
dfu-programmer (sf.net) implemented 90% of what was required on the host
DFU works by switching from normal (application) mode into a separate mode with its own device/configuration/endpoint descriptors
since a firmware bug could leave the device in a broken 'crashed' state, we added a button that can be pressed during power-on to force DFU mode
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD device firmware
OpenPCD device firmware
The firmware build system allows for different build targets for different firmware images
Normal reader operation using librfid supported by 'main_dumbreader' target
main_librfid: Intelligent firmware with full RFID stack built-in
main_analog: Analog signals can be output on U.FL socket
main_pwm: PWM modulation of 13.56MHz carrier (variable frequency/phase)
main_reqa: Implement 14443-1/2/3 (Type A) in reader firmware, send REQA/WUPA/anticollision
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD device firmware
OpenPCD device firmware source
lib
some generic C library routines (bitops, printf, ...)
src/os
shared 'operating system' code
src/pcd
OpenPCD specific code (reader side)
src/picc
OpenPICC specific code (tag side)
src/dfu
USB Device Firmware Upgrade
src/start
low-level assembly startup code
scripts
scripts to generate UTF8LE usb strings, etc
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD USB protocol
OpenPCD USB protocol
All communication on the USB is done using a vendor-specific protocol on three endpoints (BULK OUT, BULK IN, INT IN)
All messages (usb transfers) have a common four-byte header
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
main_dumbreader firmware
OpenPCD 'main_dumbreader' firmware
The main_dumbreader firmware exports four primitives for RC632 access
read register
write register
read fifo
write fifo
Using those primitives, the full 14443-1/2/3/4 A+B and 15693 stacks can be implemented in host software (librfid)
This is the main production firmware at this point
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
main_pwm firmware
OpenPCD 'main_pwm' firmware
The main_pwm firmware allows emitting
a 13.56MHz carrier
modulated with an arbitrary PWM signal
frequency and phase controlled by console on UART port
Using main_pwm, it's easy to test link-layer characteristics, e.g. when developing a PICC device
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
main_reqa firmware
OpenPCD 'main_reqa' firmware
The main_reqa firmware contains code to either
repeatedly transmit ISO14443A REQA
repeatedly transmit ISO14443A WUPA
repeatedly go through full ISO14443A anticollision
The progress is shown on the serial debug port
This firmware is mainly for demonstration and debugging
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
main_mifare firmware
OpenPCD 'main_mifare' firmware
The main_mifare firmware contains code to
repeatedly dump one page of a mifare classic card
This only works if the INFINEON default key is used
The progress is shown on the serial debug port
This firmware is mainly for demonstration and debugging
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD host software (librfid)
The librfid project
predates OpenPCD by 1.5 years
was originally written as part of the OpenMRTD project for ePassports
supported Omnikey CM5121 / CM5321 readers
OpenPCD main_dumbreader support has been added
implements 14443 -2, -3, -4 (A+B), ISO 15693, Mifare
http://openmrtd.org/projects/librfid
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD status
OpenPCD status
Hardware design finished
Prototype state is over
First 80 units shipped to customers
Orders can be placed (100EUR excl. VAT) at http://shop.openpcd.org/
DIY folks: We also sell the PCB for 18EUR :)
We have readers with us, in case anyone is interested
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
main_librfid firmware
OpenPCD 'main_librfid' firmware
The main_librfid firmware contains the full librfid stack
offers librfid C API
allows easy port of librfid host applications into device firmware
allows OpenPCD to operate 100% autonomously
does not have a USB protocol for host applications yet
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD outlook
OpenPCD outlook
main_librfid USB protocol specifications
'best of both worlds' approach for many applications
emulate USB-CCID profile (designed for contact based smartcard readers)
thus, OpenPCD could be used to transparently access 14443-4 (T=CL) protocol cards just like contact based smartcards
emulate ACG serial protocol on debug port
thus, software like RFIDiot and RFdump could be used
write nice frontend for Rx/Tx sampling
including software decoding on host pc to recover data
finally be able to do some cryptoanalysis on e.g. Mifare
Lots of other interesting projects
Volunteers wanted!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
The OpenPICC project
counterpart to OpenPCD
design RFID transponder simulator that gives full control / all interfaces
hardware schematics and software licensed like OpenPCD
based on the same microcontroller
much of the firmware (USB stack, SPI driver, ...) is shared
no ASICs for the 'transponder side' available
analog frontend and demodulator had to be built from discrete components, from scratch
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC hardware configuration
OpenPICC hardware configuration
Atmel AT91SAM7S256
almost 100% identical to S128 (OpenPCD)
has twice the RAM and flash
Analog antenna frontend / matching network
Diode based demodulator
Two FET and NAND based load modulation circuit
subcarrier generated in software
SSC clock rate == (2*fSubc) == 2*847.5kHz = 1.695MHz
Output of 101010 produces 847.5kHz subcarrier
two GPIO pins configure three steps of modulation depth
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC hardware (Rx path)
OpenPICC hardware (Rx path)
Antenna builds resonant circuit with capacitor
low-capacity diode for demodulation
active filter + buffering/amplification
comparator for quantization of signal
resulting serial bitstream fed into SSC Rx of SAM7
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC hardware (Rx path)
OpenPICC hardware (Rx path)
Problem: bit clock regeneration
bitclock is fCarrier / 128
PCD modulates 100% ASK => no continuous clock at PICC
Solution:
PICC needs to recover/recreate fCarrier using PLL
PLL response can be delayed via low pass
Problem:
However, PLL will drift in long sequence of bytes
Solution:
Sample-and-Hold in PLL loop can solve this problem
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC hardware (Rx path)
OpenPICC hardware (Rx path)
Problem: bit clock / sample clock phase coherency
bitclock is not coherent over multiple frames
PCD can start bitclock at any fCarrier cycle
PICC needs to recover bit clock
Solution:
OpenPICC uses SAM7 Timer/Counter 0 as fCarrier divider
First falling edge of demodulated data resets counter
Therefore, sample clock is in sync with bit clock
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC hardware (Tx path)
OpenPICC hardware (Tx path)
Two FET and NAND based load modulation circuit
subcarrier generated in software
SSC clock rate == (2*fSubc) == 2*847.5kHz = 1.695MHz
Output of 101010 produces 847.5kHz subcarrier
two GPIO pins configure three steps of modulation depth
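Added example, not OpenPICC firmware code: the software-generated subcarrier described on this slide and on the hardware configuration slide, turned into the SSC Tx bitstream for an ISO 14443-3 Type A PICC reply (the 'manchester' encoding listed under the OpenPICC USB protocol). The ATQA 04 00 is a constructed sample; the 16 SSC clocks per bit follow from the 1.695 MHz SSC clock and the 106 kbit/s bit rate.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* OpenPICC Tx path: the SSC runs at 2 * fSubc = 1.695 MHz, so the bit
 * pattern "10" is one 847.5 kHz subcarrier period, and one 106 kbit/s
 * bit (128/fc = 9.44 us) is 16 SSC clocks, 8 per half bit. */
#define SSC_PER_HALFBIT 8
#define SSC_PER_BIT     (2 * SSC_PER_HALFBIT)

/* ISO 14443-3 Type A Manchester (PICC -> PCD): sequence D = subcarrier in
 * the first half = logic 1 (also start of communication), sequence E =
 * subcarrier in the second half = logic 0, sequence F = no subcarrier = end. */
static void put_bit(uint8_t *out, int bit)
{
    for (int i = 0; i < SSC_PER_BIT; i++) {
        int on = (i < SSC_PER_HALFBIT) ? bit : !bit;
        out[i] = (uint8_t)(on && (i & 1) == 0);     /* 1010... while on */
    }
}
/* Encode a PICC frame (bytes LSB first, each followed by an odd parity bit)
 * as one sample value per SSC clock. Returns samples written, 0 if outcap
 * is too small. */
size_t picc_encode_frame(const uint8_t *data, size_t len, uint8_t *out, size_t outcap)
{
    size_t need = (1 + len * 9 + 1) * SSC_PER_BIT;
    uint8_t *p = out;
    if (outcap < need) return 0;
    put_bit(p, 1); p += SSC_PER_BIT;                /* SOC: sequence D */
    for (size_t i = 0; i < len; i++) {
        int ones = 0;
        for (int b = 0; b < 8; b++) {
            ones += (data[i] >> b) & 1;
            put_bit(p, (data[i] >> b) & 1); p += SSC_PER_BIT;
        }
        put_bit(p, !(ones & 1)); p += SSC_PER_BIT;  /* odd parity bit */
    }
    memset(p, 0, SSC_PER_BIT);                      /* EOC: sequence F */
    return need;
}

/* Constructed demo input: ATQA 0x04 0x00, the answer a PICC gives to REQA.
 * Returns the frame length in SSC samples; sample i via demo_atqa_sample(). */
static uint8_t demo_buf[512];
size_t demo_atqa_len(void)
{
    static const uint8_t atqa[2] = {0x04, 0x00};
    return picc_encode_frame(atqa, sizeof atqa, demo_buf, sizeof demo_buf);
}
int demo_atqa_sample(size_t i)
{
    return i < demo_atqa_len() ? demo_buf[i] : -1;
}
```

Each sample is one SSC Tx clock: a 1 drives the load modulation FETs for half a subcarrier period, so the modulation depth steps selected by the two GPIO pins apply on top of this bitstream.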
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC USB protocol
OpenPICC USB protocol
100% identical to OpenPCD, just a different set of commands
Most commands based on virtual register set (content: protocol params)
modulation width / depth
frame delay time for synchronous replies
encoding (manchester, OOK / NRZ-L, BPSK)
decoding (miller / NRZ)
UID for anticollision
ATQA content
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC status
OpenPICC status
second generation prototype not yet 100% functional
still some problems with clock recovery + analog side
finished 'really soon now'
first production units expected for January
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
Links
Links
http://openpcd.org/
http://wiki.openpcd.org/
http://shop.openpcd.org/
http://openmrtd.org/project/librfid/
http://openbeacon.org/ (active 2.4GHz RFID)