This device is obsolete; my proxmark3
replaces it completely. I will leave the description, but it is
of only historical interest.
* * *
My initial prox card `cloner' did the job, but it
was not very general. Because I use analog circuitry to demodulate the
signal from the antenna, the hardware is capable of dealing with only
a single modulation scheme—BPSK, with the modulating frequency
and bit times that I chose to work with the Flexpass cards. It has to
be like that; the PIC is not powerful enough to do it any other way.
Since then I have built a considerably more general device. My
new device is capable of working with nearly any kind of 125 kHz
card, and many types of 13.56 MHz cards. It is also capable of
bidirectional communication, so that it can send data from the reader
to the tag. This is necessary to work with most of the newer tags,
including any cryptographic tag. (Note, of course, that a tag that uses
cryptographic techniques can resist any practical attempts to clone it
over the air; but I can still talk to the tag, and do anything that its
reader could, even if I cannot clone the thing.)
The system is based around an ARM7 microprocessor. I chose an AT91
part from Atmel, for its ease of integration—it has adequate on-chip
flash and SRAM—and for its wide range of peripherals. In particular, the
AT91SAM7S64 has a USB slave peripheral. That makes it convenient to send
large amounts of data from the device to a PC, very quickly; for example,
I can do an `oscilloscope view' of the signal from the tag, so that I can
get some idea of what a tag is doing, without additional test equipment
and before I write the code to demodulate that signal into bits.
A small amount of analog circuitry is used to fix the dynamic range of
the signal from the antenna. This is the usual problem, that we receive
the superposition of our transmitted carrier and the returned signal
from the tag, and that we really just care about the latter. After
that the signal goes straight into an A/D; all further processing is
digital. To date I have tested against two different prox cards: a
`Radionics' card with no other markings, and an HID Prox Card II.
This is a waveform from the Radionics card:
It is easy to see that this card uses ASK. The Prox Card II
uses slow FSK:
Since these were all ID-only cards, there was no need to demodulate
the signal in real time. I therefore just transfer the samples to my PC,
and convert them into bits over there.
I can also read or simulate TI-type
tags; these tags communicate with the reader in a somewhat different
way, so that special hardware was required to deal with them. Still,
they seem to work fine:
The trace is not the raw signal from the ADC; it is the difference
between the output powers of matched filters for the two FSK tones,
so that it is basically a plot of the soft decision on the bit.
I designed this device to be as flexible as possible. Certainly, I
can read or simulate most kinds of tags. In addition to this, the device
is capable of working in `snoop' mode, in which it passively listens to
signals from other RFID tags and readers. This is necessary to investigate
`reader talks first' bidirectional tags—it is necessary to start
out by snooping, to find out what the reader is saying to the tags,
so that you can duplicate it.
There is circuitry to modulate the transmitted carrier, in order to
send data to the tag. This is also what I use for the `simulated tag'
modes. I use the synchronous serial port's data-out line as a sort
of a 1-bit DAC. That allows me to queue up the desired pattern in a
DMA buffer, and to send it from there to a serial port. The timing is
therefore determined by the serial port, which is easily programmed, and
not by processor cycle-counting, or something inconvenient like that.
The ARM7 at 48 MHz gives more than enough processing power. There
is no need to be very efficient, so everything can be written in C. I
used arm-elf-gcc, which generates more than good enough code. I wrote
a bootrom, so that I can load new code over USB.
The hardware is not really that remarkable. It is a low-end RFID
tag reader, with an interesting receive path, though with a curiously weak
transmitter. The `simulated tag' modes are the only thing that is
unique. Still, I expect that it will take a lot of the drudgery out
of cloning ID-only tags, and it is really the only practical way to
experiment with the more advanced transponders.
A commercial RFID tag reader offers no possibility to manipulate the
lower layers of the protocol over the air; it just gives you the ID, or
the piece of information that you requested, and it doesn't tell you what
it went through that get that. For ID-only tags (like most low-frequency
prox cards), the ID is really all that there is to know. Modern tags
are more complex, though; they do things like anti-collision, or crypto,
or addressable memory on the tag. As these more interesting tags become
more prevalent, it seems terrible not to be able to know this, and that
is not possible without either (a) getting schematics and code for a
suitable commercial reader, or (b) starting from scratch. Option (a)
did not seem plausible; I therefore started from scratch.
The hardware works, but so far I have been unfortunately lazy. I have
written code to read and clone a few types of ID-only cards, but that's
about it. I can program rewritable TI-type tags, but that's pretty easy;
they barely talk back when you do. As far as I can tell, the hardware is
perfect. The A/D that I thought might be too slow turned out to be too
slow; my fallback plan, which was to sample only every other or (for BPSK
at 62.5 kHz, where every other breaks down) every third 125 kHz
cycle, works just as well in practice. A fast sample-and-hold is really
more important than a fast A/D....
I run it off a lithium-poly cell, which can be recharged when the
device is plugged in to USB. The user interface is a bit spartan, just
three LEDs and a pushbutton. The smaller size is nice; it's
no larger than a business card. Certainly this is a much more fun device
to carry; you can read people's cards, and look at the 'scope view on
your laptop, and reverse-engineer the protocol in real time. I have yet
to do anything with a not-ID-only tag, which is somewhat pathetic.
As far as I know, it is not possible to buy a device like the one
that I have described above, and an instrument like this is practically
essential for anyone experimenting with the latest generation of
transponders. If anyone is interested in doing low-level work with
RFID tags, then you could presumably save some time by starting with the
platform that I have built. I do have many extra bare boards. At some
point I intend to freely distribute the schematics, layout, and software,
but there is a lot that must first be cleaned up. I will see.
As an example of the capabilities of this device, I go through the
steps involved in cloning a Verichip. This
is the same sort of process that would be required to clone any kind
of ID-only tag. For a bidirectional (e.g multipage or anticollision)
tag, the process would be similar but more complex.
December 2005; Cambridge MA
|