OpenPCD - A 13.56MHz RFID reader
Harald Welte <hwelte@hmw-consulting.de>
Milosch Meriac <meriac@bitmanufaktur.de>
2006
Revision 1.0, Oct 12, 2006, Harald Welte <hwelte@hmw-consulting.de>
This is the reference documentation for the OpenPCD RFID
reader.
Introduction
The OpenPCD project is about designing and building both hardware and software
for a user-programmable reader (proximity coupling device, PCD) of the ISO
14443 A+B (and later ISO 15693) RFID protocols.
The hardware is based on the Atmel AT91SAM7S128 microcontroller, featuring a
48MHz, 32bit ARM7TDMI core with many integrated peripherals, such as USB
device, SSC, ADC, 128kByte Flash, 32kByte SRAM, ...
Next to the AT91SAM7, there is the Philips CL RC632 RFID reader ASIC. It
is attached to the AT91SAM7 via SPI (Serial Peripheral Interface).
The SAM7 attaches to a host PC using a USB 1.1 interface. The SAM7 firmware
implements various forms of interface between the RC632 and the host PC.
There are multiple firmware images available, some of them acting as a dumb
transceiver, while others implement the full ISO 14443 protocol suite inside
the SAM7 firmware.
All device firmware and host software source code is released under the GNU
General Public License. The hardware design (schematics, PCB) is released under
the "Creative Commons share-alike attribution" License.
Hardware
FIXME: to be filled by milosch
Software
PICC specific commands
CMD_PICC_REG_WRITE
Using this command, a given OpenPICC register can be written to.
CMD_PICC_REG_READ
Using this command, a given OpenPICC register can be read.
GPIO IRQ commands
Using these commands, the host software can request a USB interrupt
transfer to be sent once a given GPIO pin changes its level.
The main_dumbreader firmware
The main_dumbreader firmware implements a very basic PCD/VCD firmware, where
the USB device only implements an access layer to the RC632 registers and
FIFO. All protocol and application logic has to be implemented on the host
PC.
This provides the greatest flexibility to the host software, since it can
easily alter the behaviour of the device completely. Host development is
also easier than the cross-compilation and remote debugging required for
firmware development.
Therefore, this firmware is the choice for most security researchers, since
all timing and every bit of the protocol can be dealt with on the host.
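With main_dumbreader the host has to build and check every ISO 14443A frame itself, since the firmware only exposes RC632 registers and the FIFO. The following Python helpers are an added example, not OpenPCD or librfid code: they compute CRC_A (ISO 14443-3 Annex B, preset 0x6363, reflected polynomial 0x8408), verify the BCC of an anticollision reply, and build a SELECT frame. The USB transport to the RC632 FIFO is left out because this page does not specify the command format; all UID bytes below are constructed sample values.

```python
# Added example: host-side ISO 14443A frame helpers for the dumb-reader
# model. Not OpenPCD/librfid code; the USB transport to the RC632 FIFO is
# out of scope (its command format is not given on this page).

CRC_A_INIT = 0x6363   # ISO 14443-3 Annex B preset for CRC_A
CRC_POLY = 0x8408     # CRC-16/CCITT polynomial, bit-reversed (LSB-first)
CASCADE_TAG = 0x88    # first UID byte when a further cascade level follows


def crc_a(data: bytes) -> int:
    """Compute ISO 14443-3 CRC_A over `data`; returns a 16-bit integer."""
    crc = CRC_A_INIT
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY if crc & 1 else crc >> 1
    return crc


def append_crc_a(frame: bytes) -> bytes:
    """Append CRC_A, least-significant byte first, as sent over the air."""
    crc = crc_a(frame)
    return frame + bytes([crc & 0xFF, crc >> 8])


def check_crc_a(frame: bytes) -> bool:
    """Verify a received frame whose last two bytes are its CRC_A."""
    if len(frame) < 3:
        return False
    return append_crc_a(frame[:-2]) == frame


def parse_anticollision(resp: bytes) -> dict:
    """Check a 5-byte anticollision reply (UID0..UID3, BCC).

    BCC must equal UID0 ^ UID1 ^ UID2 ^ UID3. On a dumb reader the host,
    not the firmware, has to reject a corrupted reply, hence the ValueError.
    """
    if len(resp) != 5:
        raise ValueError("anticollision reply must be exactly 5 bytes")
    uid, bcc = resp[:4], resp[4]
    expected = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    if bcc != expected:
        raise ValueError(f"BCC mismatch: got {bcc:#04x}, want {expected:#04x}")
    return {"uid_cln": uid, "cascade": uid[0] == CASCADE_TAG}


def build_select(uid_cln: bytes, sel: int = 0x93) -> bytes:
    """SELECT for one cascade level: SEL, NVB=0x70, UID CLn, BCC, CRC_A."""
    bcc = uid_cln[0] ^ uid_cln[1] ^ uid_cln[2] ^ uid_cln[3]
    return append_crc_a(bytes([sel, 0x70]) + uid_cln + bytes([bcc]))
```

The two CRC_A test vectors from ISO 14443-3 Annex B (00 00 gives A0 1E, 12 34 gives 26 CF) are a quick way to confirm the implementation before wiring it to the FIFO.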
The main_librfid firmware
This firmware is called 'main_librfid' because it contains a full copy of the
librfid library, cross compiled for ARM. The librfid library implements
various 13.56MHz RFID protocols from layer 2 to layer 4 and higher, including
ISO 14443, ISO 15693, Mifare classic, Mifare ultralight and others.
The USB protocol of this firmware has not yet been fully specified, and there
is currently no finished host software that can interface with this
firmware. Stay tuned for upcoming news on this subject.