path: root/2008/openpcd_openpicc-cluc2008/openpcd_openpicc.mgp
%include "default.mgp"
%default 1 bgrad
%%%
%page
%nodefault
%back "blue"

%center
%size 7
OpenPCD / OpenPICC
Free Software and Hardware for 13.56MHz RFID

Apr 17, 2008
DORS/CLUC

%center
%size 4
by

Harald Welte <laforge@openpcd.org>

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
Introduction

Who is speaking to you?
		an independent Free Software developer
		one of the authors of Linux kernel packet filter
		busy with enforcing the GPL at gpl-violations.org
		working on Free Software for smartphones (openezx.org)
		...and Free Software for RFID (librfid)
		...and Free Software for ePassports (libmrtd)
		...among other things ;)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
Introduction RFID

Short introduction on 13.56MHz RFID systems
	Magnetic Coupling
	ISO 14443-A / -B (proximity IC cards)
	ISO 15693 (vicinity IC cards)
	Proprietary: FeliCa, Legic, Mifare Classic, ...
	Applications: RFID tagging (15693), Smartcards (14443)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
RFID Reader Designs

Overview on available reader designs
	Most readers based on ASIC (Philips, TI, ...) + Microcontroller
	Readers for PCs usually have USB, RS232 or PCMCIA IF
	Some reader designs with Ethernet, RS-485
	Important: If you need Mifare, you need Philips reader ASIC
	Active readers implement protocols in firmware, passive in host sw

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
The OpenPCD project

The OpenPCD project
	design an RFID reader that gives full power and all interfaces
	reader hardware design is under CC share alike attribution license
	reader firmware and host software under GPL
	use hardware that doesn't require proprietary development tools
	don't license any RTOS but write everything from scratch
	ability to modify firmware
		can be active or passive
		can produce protocol violations

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
The OpenPCD project

The OpenPCD project
	various hardware interfaces
		connector for analog and digital intermediate demodulation steps
		connector for firmware-configurable trigger pulse
		connector for unmodulated (tx) and demodulated (rx) bitstream
		RS232 (@ 3.3V) port for debug messages
	versatile internal connection between ASIC and microcontroller
		enables microcontroller to directly modulate carrier
			using serial bitstream from SSC
			using PWM signal from TC (timer/counter) unit
		enables microcontroller to sample Tx and/or Rx signal
			using SSC Rx 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD hardware configuration

OpenPCD hardware configuration
	Atmel AT91SAM7S128 microcontroller 
		48MHz 32bit ARM7TDMI core
		many integrated peripherals (SPI, SSC, ADC, I2C, ..)
		USB full speed peripheral controller
		128kB user-programmable flash
		32kB SRAM
		integrated SAM-BA emergency bootloader, enables ISP
	Philips CL RC632 reader ASIC
		documentation 'freely' available (40bit RC4 / 5days)
		commonly used by other readers
		supports 14443-A and B, including higher bitrates up to 424kBps
		can be configured up to 848kBps, even though it's not guaranteed

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD schematics

OpenPCD schematics
	Please see the schematics in PDF form

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD firmware build environment

OpenPCD firmware build environment

	Standard GNU toolchain for ARM7TDMI (armv4)
		binutils-2.16.1
		gcc-4.0.2
	Custom Makefiles to create flash images
	sam7utils for initial flash using SAM-BA
	'cat dfu.bin firmware.bin > foo.samba' produces SAM-BA image
	Parts of newlib are linked if DEBUG=1 is used (snprintf, ...)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD device firmware

OpenPCD device firmware
		since firmware is hackable, it should be easy to download a new image
		USB Forum published "USB Device Firmware Upgrade" (DFU) specification
		sam7dfu project (developed as part of OpenPCD) implements DFU on SAM7
		dfu-programmer (sf.net) implemented 90% of what was required on host
		DFU works by switching from normal (application) mode into separate mode with its own device/configuration/endpoint descriptors
		since firmware bug could render device in broken 'crashed' state, we added a button that can be pressed during power-on to force DFU mode

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD device firmware

OpenPCD device firmware
	The firmware build system allows for different build targets for different firmware images
	Normal reader operation using librfid supported by 'main_dumbreader' target
	main_librfid: Intelligent firmware with full RFID stack built-in
	main_analog: Analog signals can be output on U.FL socket
	main_pwm: PWM modulation of 13.56MHz carrier (variable frequency/phase)
	main_reqa: Implement 14443-123 (Type A) in reader firmware, send REQA/WUPA/anticol

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD device firmware

OpenPCD device firmware source
	lib
		some generic C library routines (bitops, printf, ...)
	src/os
		shared 'operating system' code
	src/pcd
		OpenPCD specific code (reader side)
	src/picc
		OpenPICC specific code (tag side)
	src/dfu
		USB Device Firmware Upgrade
	src/start
		low-level assembly startup code
	scripts
		scripts to generate UTF8LE usb strings, etc

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD USB protocol

OpenPCD USB protocol
	All communication on the USB is done using a vendor-specific protocol on three endpoints (BULK OUT, BULK IN, INT IN)
	All messages (usb transfers) have a common four-byte header

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
main_dumbreader firmware

OpenPCD 'main_dumbreader' firmware
	The main_dumbreader firmware exports four primitives for RC632 access
		read register
		write register
		read fifo
		write fifo
	Using those primitives, the full 14443-1234 A+B and 15693 can be implemented in host software (librfid)
	This is the main production firmware at this point

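The USB protocol slide above says every transfer starts with a common four-byte header, and the main_dumbreader slide lists the four RC632 primitives (read/write register, read/write FIFO) that the host builds its RFID stack on. The following is an added example, not code from the OpenPCD firmware or from librfid: a small host-side parser that validates a received transfer before acting on it. The field layout (cmd, flags, reg, val), the numeric command values and the 64-byte FIFO bound are assumptions made for this example; only the four primitives and the four-byte header come from the slides.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout (not from the slides) of the four-byte header that every
 * OpenPCD USB transfer carries; any payload (FIFO bytes) follows it. */
struct openpcd_hdr {
	uint8_t cmd;   /* which of the four primitives */
	uint8_t flags; /* unused in this example */
	uint8_t reg;   /* RC632 register address */
	uint8_t val;   /* value for write register */
};

/* The four main_dumbreader primitives; the numeric values are assumed. */
enum openpcd_cmd {
	CMD_READ_REG   = 0x01,
	CMD_WRITE_REG  = 0x02,
	CMD_READ_FIFO  = 0x03,
	CMD_WRITE_FIFO = 0x04,
};

#define RC632_FIFO_SIZE 64 /* FIFO depth assumed for the bounds check */

struct openpcd_msg {
	struct openpcd_hdr hdr;
	const uint8_t *payload;
	size_t payload_len;
};

/* Parse one received transfer. Returns 0 on success and a negative code for
 * a malformed message, so neither host nor firmware acts on an unchecked
 * length or an unknown command. */
int openpcd_parse(const uint8_t *buf, size_t len, struct openpcd_msg *msg)
{
	if (buf == NULL || msg == NULL || len < sizeof(struct openpcd_hdr))
		return -1; /* truncated header */
	memcpy(&msg->hdr, buf, sizeof(msg->hdr));
	msg->payload = buf + sizeof(msg->hdr);
	msg->payload_len = len - sizeof(msg->hdr);

	switch (msg->hdr.cmd) {
	case CMD_READ_REG:
	case CMD_WRITE_REG:
	case CMD_READ_FIFO:
		if (msg->payload_len != 0)
			return -2; /* these primitives carry no payload */
		return 0;
	case CMD_WRITE_FIFO:
		if (msg->payload_len == 0 || msg->payload_len > RC632_FIFO_SIZE)
			return -3; /* empty, or would overrun the FIFO */
		return 0;
	default:
		return -4; /* unknown command */
	}
}

/* Build a message into a caller-provided buffer. Returns the number of
 * bytes written, or 0 if the message does not fit. */
size_t openpcd_build(uint8_t cmd, uint8_t reg, uint8_t val,
		     const uint8_t *payload, size_t payload_len,
		     uint8_t *out, size_t out_len)
{
	size_t total = sizeof(struct openpcd_hdr) + payload_len;
	if (out == NULL || total > out_len)
		return 0;
	out[0] = cmd;
	out[1] = 0; /* flags */
	out[2] = reg;
	out[3] = val;
	if (payload_len)
		memcpy(out + sizeof(struct openpcd_hdr), payload, payload_len);
	return total;
}

int main(void)
{
	/* constructed sample: a FIFO write that is too large for the RC632 FIFO */
	uint8_t fifo[70], buf[80];
	struct openpcd_msg msg;
	memset(fifo, 0xAB, sizeof(fifo));
	size_t n = openpcd_build(CMD_WRITE_FIFO, 0, 0, fifo, sizeof(fifo), buf, sizeof(buf));
	printf("write-fifo of %zu bytes -> parse result %d\n", n - 4, openpcd_parse(buf, n, &msg));
	n = openpcd_build(CMD_WRITE_REG, 0x09, 0x3f, NULL, 0, buf, sizeof(buf));
	printf("write-reg -> parse result %d (reg 0x%02x val 0x%02x)\n",
	       openpcd_parse(buf, n, &msg), msg.hdr.reg, msg.hdr.val);
	return 0;
}
```

The point of the parser is that the length of the transfer, not anything inside the header, decides how much payload there is, and a FIFO write is clipped to the FIFO depth before any register or FIFO access is attempted.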
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
main_pwm firmware

OpenPCD 'main_pwm' firmware
	The main_pwm firmware allows emitting
		a 13.56MHz carrier
		modulated with an arbitrary PWM signal
		frequency and phase controlled by console on UART port
	Using main_pwm, it's easy to test link-layer characteristics, e.g. when developing a PICC device

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
main_reqa firmware

OpenPCD 'main_reqa' firmware
	The main_reqa firmware contains code to either
		repeatedly transmit ISO14443A REQA
		repeatedly transmit ISO14443A WUPA
		repeatedly go through full ISO14443A anticollision
	The progress is shown on the serial debug port
	This firmware is mainly for demonstration and debugging

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
main_mifare firmware

OpenPCD 'main_mifare' firmware
	The main_mifare firmware contains code to 
		repeatedly dump one page of a mifare classic card
	This only works if the INFINEON default key is used
	The progress is shown on the serial debug port
	This firmware is mainly for demonstration and debugging

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD host software (librfid)

The librfid project
	predates OpenPCD by 1.5 years
	was originally written as part of the OpenMRTD project for ePassports
	supported Omnikey CM5121 / CM5321 readers
	OpenPCD main_dumbreader support has been added
	implements 14443 -2, -3, -4 (A+B), ISO 15693, Mifare
	http://openmrtd.org/projects/librfid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD status

OpenPCD status
	Hardware design finished
	Prototype state is over
	First 80 units shipped to customers
	Orders can be placed (100EUR excl. VAT) at http://shop.openpcd.org/
	DIY folks: We also sell the PCB for 18EUR :)
	We have readers with us, in case anyone is interested

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
main_librfid firmware

OpenPCD 'main_librfid' firmware
	The main_librfid firmware contains the full librfid stack
		offers librfid C API
		allows easy port of librfid host applications into device firmware
		allows OpenPCD to operate 100% autonomous
		does not have a USB protocol for host applications yet

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPCD outlook

OpenPCD outlook
	main_librfid USB protocol specifications
		'best of both worlds' approach for many applications
	emulate USB-CCID profile (designed for contact based smartcard readers)
		thus, OpenPCD could be used to transparently access 14443-4 (T=CL) protocol cards just like contact based smartcards
	emulate ACG serial protocol on debug port
		thus, software like RFIDiot and RFdump could be used
	write nice frontend for Rx/Tx sampling
		including software decoding on host pc to recover data
		finally be able to do some cryptoanalysis on e.g. Mifare
	Lots of other interesting projects
		Volunteers wanted!

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
The OpenPICC project

	counterpart to OpenPCD
	design RFID transponder simulator that gives full control / all interfaces
	hardware schematics and software licensed like OpenPCD
	based on the same microcontroller
		much of the firmware (USB stack, SPI driver, ...) is shared
	no ASICs for 'transponder side' available
	analog frontend and demodulator had to be built discrete, from scratch


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC hardware configuration

OpenPICC hardware configuration
	Atmel AT91SAM7S256
		almost 100% identical to S128 (OpenPCD)
		has twice the RAM and flash
	Analog antenna frontend / matching network
	Diode based demodulator
	Two FET and NAND based load modulation circuit
		subcarrier generated in software
		SSC clock rate == (2*fSubc) == 2*847.5kHz = 1.695MHz
		Output of 101010 produces 847.5kHz subcarrier
		two GPIO pins configure three steps of modulation depth

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC hardware (Rx path)

OpenPICC hardware (Rx path)
	Antenna builds resonant circuit with capacitor
	low-capacity diode for demodulation
	active filter + buffering/amplification
	comparator for quantization of signal
	resulting serial bitstream fed into SSC Rx of SAM7


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC hardware (Rx path)

OpenPICC hardware (Rx path)
	Problem: bit clock regeneration
		bitclock is fCarrier / 128
		PCD modulates 100% ASK => no continuous clock at PICC
	Solution:
		PICC needs to recover/recreate fCarrier using PLL
		PLL response can be delayed via low pass
	Problem:
		However, PLL will drift in long sequence of bytes
	Solution:
		Sample-and-Hold in PLL loop can solve this problem
	

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC hardware (Rx path)

OpenPICC hardware (Rx path)
	Problem: bit clock / sample clock phase coherency
		bitclock is not coherent over multiple frames
		PCD can start bitclock at any fCarrier cycle
		PICC needs to recover bit clock
	Solution:
		OpenPICC uses SAM7 Timer/Counter 0 as fCarrier divider
		First falling edge of demodulated data resets counter
		Therefore, sample clock is in sync with bit clock


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC hardware (Tx path)

OpenPICC hardware (Tx path)
	Two FET and NAND based load modulation circuit
		subcarrier generated in software
		SSC clock rate == (2*fSubc) == 2*847.5kHz = 1.695MHz
		Output of 101010 produces 847.5kHz subcarrier
		two GPIO pins configure three steps of modulation depth

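The OpenPICC hardware configuration and Tx path slides both state the clock arithmetic behind the software-generated subcarrier: bit clock fCarrier/128, subcarrier 847.5 kHz, SSC clocked at 2*fSubc = 1.695 MHz so that shifting out 101010... toggles the load modulation at the subcarrier rate. The following is an added example, not code from the OpenPICC firmware: it derives those numbers from the 13.56 MHz carrier and then builds the 16-bit-per-bit SSC stream for an ISO 14443-3 Type A PICC reply (SOF, bytes LSB first with an odd parity bit, EOF), which is where the 101010 pattern actually ends up. The modulation polarity (1 = modulation on), the MSB-first word order and the ATQA sample value are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Clock arithmetic from the slides, starting from the 13.56 MHz PCD carrier. */
#define F_CARRIER_HZ 13560000.0

double picc_bit_clock_hz(void)  { return F_CARRIER_HZ / 128.0; }        /* 105937.5 Hz, 106 kbit/s */
double picc_subcarrier_hz(void) { return F_CARRIER_HZ / 16.0; }         /* 847500 Hz */
double picc_ssc_clock_hz(void)  { return 2.0 * picc_subcarrier_hz(); }  /* 1695000 Hz */

/* One SSC bit per half subcarrier cycle, so a bit period holds 16 SSC bits. */
unsigned picc_ssc_bits_per_bit(void)
{
	return (unsigned)(picc_ssc_clock_hz() / picc_bit_clock_hz()); /* 16 */
}

/* 0xAA = 10101010: eight SSC bits = four cycles of 847.5 kHz modulation.
 * Polarity assumed: an SSC output of 1 switches the load modulation on. */
#define HALF_SUBC 0xAAu

/* ISO 14443-3 Type A PICC->PCD bit sequences, one 16-bit SSC word each,
 * MSB shifted out first (assumed), first half of the bit period in the high byte. */
uint16_t picc_seq_d(void) { return (uint16_t)(HALF_SUBC << 8); } /* modulated first half: logic 1, also SOF */
uint16_t picc_seq_e(void) { return (uint16_t)HALF_SUBC; }        /* modulated second half: logic 0 */
uint16_t picc_seq_f(void) { return 0; }                          /* no modulation: EOF */

/* Encode a PICC reply frame into SSC words: SOF, then each byte LSB first
 * followed by an odd parity bit, then EOF. Returns the number of words
 * written, or 0 if out[] cannot hold the frame. */
size_t picc_encode_frame(const uint8_t *data, size_t len, uint16_t *out, size_t max_words)
{
	size_t n = 0;
	if (out == NULL || max_words < 2 + len * 9)
		return 0;
	out[n++] = picc_seq_d(); /* SOF */
	for (size_t i = 0; i < len; i++) {
		unsigned ones = 0;
		for (int b = 0; b < 8; b++) {
			int bit = (data[i] >> b) & 1; /* LSB first */
			ones += (unsigned)bit;
			out[n++] = bit ? picc_seq_d() : picc_seq_e();
		}
		int parity = (ones & 1) ? 0 : 1; /* odd parity over data bits plus parity bit */
		out[n++] = parity ? picc_seq_d() : picc_seq_e();
	}
	out[n++] = picc_seq_f(); /* EOF */
	return n;
}

/* Air time of the encoded frame in microseconds: one bit period per word. */
double picc_frame_duration_us(size_t words)
{
	return (double)words * 1e6 / picc_bit_clock_hz();
}

int main(void)
{
	/* constructed sample: an ATQA of 0x0004, sent on the air as 04 00 */
	const uint8_t atqa[2] = { 0x04, 0x00 };
	uint16_t words[32];
	size_t n = picc_encode_frame(atqa, sizeof(atqa), words, 32);

	printf("bit clock %.1f Hz, subcarrier %.1f Hz, SSC clock %.1f Hz, %u SSC bits per bit\n",
	       picc_bit_clock_hz(), picc_subcarrier_hz(), picc_ssc_clock_hz(), picc_ssc_bits_per_bit());
	printf("%zu bit periods (%.1f us) of SSC data:\n", n, picc_frame_duration_us(n));
	for (size_t i = 0; i < n; i++) {
		for (int b = 15; b >= 0; b--)
			putchar(((words[i] >> b) & 1) ? '1' : '0');
		putchar(i + 1 < n ? ' ' : '\n');
	}
	return 0;
}
```

Running it prints the 20 bit periods of the two-byte reply as 16-bit groups; every modulated half shows the 10101010 pattern from the slides, and the unmodulated halves are all zeros, which is exactly what the SSC Tx has to shift out at 1.695 MHz for the FET/NAND load modulator.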

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC USB protocol

OpenPICC USB protocol
	100% identical to OpenPCD, just different set of commands
	Most commands based on virtual register set (content: protocol params)
		modulation width / depth
		frame delay time for synchronous replies
		encoding (manchester, OOK / NRZ-L, BPSK)
		decoding (miller / NRZ)
		UID for anticollision
		ATQA content

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
OpenPICC status

OpenPICC status
	second generation prototype not yet 100% functional
	still some problems with clock recovery + analog side
	finished 'really soon now'
	first production units expected for January

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenPCD / OpenPICC
Links 

Links
	http://openpcd.org/
	http://wiki.openpcd.org/
	http://shop.openpcd.org/
	http://openmrtd.org/project/librfid/
	http://openbeacon.org/ (active 2.4GHz RFID)