ECE 110/120 Honors Lab Section : RFID Sniffer and Emulator - Proposal by Sebastian Moruszewicz - Withdrawn

Statement of Purpose:

Our project is an RFID interception and emulation device intended for RFID protocol analysis in security research. Our goal is to make a research tool for those looking into RFID protocols. Current implementations pair an FPGA with a relatively slow microprocessor in order to decode and encode data transmissions; our implementation instead relies solely on a faster microcontroller to process the data.

Background Research:

In order to successfully implement an RFID analysis solution, our group studied previous solutions as well as international RFID standards in order to better gauge the scope of the project.

RFID Standards

125 kHz:

The 125 kHz range is commonly used in low-cost RFID solutions, hence devices adhering to these specifications tend to lack security-enhancing features such as encryption, and frequently lack bidirectional communication altogether (many such tags simply broadcast a fixed ID once powered), which is why they are the easiest tags to sniff and replay. Although the format in which data is digitally encoded varies from manufacturer to manufacturer, they share a common physical communication method. RFID readers on the 125 kHz frequency transmit data via Amplitude Shift Keying (ASK), while cards transmit data via load modulation, i.e. by switching a load across their coil so that the reader sees a small change in carrier amplitude.

13.56 MHz:

The 13.56 MHz range is becoming the de facto standard in RFID-based solutions due to its improved capabilities, including bidirectional communication and on-card cryptography. This proves challenging to implement, as the reader and the card use separate modulation schemes to communicate. Additionally, 13.56 MHz proximity-card communication (ISO/IEC 14443) comes in two types, Type A and Type B. Both types use ASK from the reader to interrogate cards (100% ASK with Modified Miller coding for Type A, 10% ASK with NRZ-L for Type B), but they differ in the card-to-reader scheme: the card load-modulates an 847.5 kHz (fc/16) subcarrier, which Type A switches on and off (On Off Keying, OOK) with Manchester encoding, while Type B keeps it on continuously and uses Binary Phase Shift Keying (BPSK) with NRZ-L encoding. Because the card's modulation depth is a small fraction of the carrier amplitude, recovering the card's reply is the weak-signal half of the problem.
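The two card-to-reader schemes described above, worked through in software as an added example (this is not code from the proposal or from the Proxmark project). It assumes the envelope from the HF peak detector is sampled once per carrier cycle (13.56 MS/s; the page does not specify an ADC rate), so one subcarrier cycle is 16 samples and one 106 kbit/s bit is 128. The 10% modulation depth, the noise level and the 16-cycle Type B preamble are illustrative values, and the bit patterns are constructed here. The Type A decoder compares subcarrier energy in the two half-bits; the Type B decoder takes the phase that means logic '1' from the preamble and compares each bit's phase against it.

```python
"""ISO/IEC 14443 card-to-reader bit recovery: Type A (OOK/Manchester) vs
Type B (BPSK/NRZ-L), on an envelope sampled once per 13.56 MHz carrier cycle.

Added example, not code from the proposal or the Proxmark project. Sample
rate, modulation depth, noise level and preamble length are assumptions.
"""
import random

SAMPLES_PER_SC = 16                        # carrier cycles per subcarrier cycle (fc/16)
SAMPLES_PER_BIT = 8 * SAMPLES_PER_SC       # 128: eight subcarrier cycles per 106 kbit/s bit
HALF_BIT = SAMPLES_PER_BIT // 2
DEPTH = 0.1                                # assumed load-modulation depth relative to carrier
NOISE = 0.05                               # assumed noise std dev per envelope sample


def subcarrier(n, inverted=False):
    """n samples of a +-1 square wave at fc/16, optionally phase-inverted (BPSK)."""
    sign = -1 if inverted else 1
    return [sign * (1 if (i % SAMPLES_PER_SC) < SAMPLES_PER_SC // 2 else -1)
            for i in range(n)]


def _with_noise(chips, seed):
    """Envelope as the peak detector would present it: carrier level 1.0 plus
    the small load-modulation term plus constructed Gaussian noise."""
    rng = random.Random(seed)
    return [1.0 + DEPTH * c + rng.gauss(0, NOISE) for c in chips]


def type_a_encode(bits, seed=1):
    """Manchester on an OOK subcarrier: '1' = burst in the first half-bit,
    '0' = burst in the second half-bit."""
    chips = []
    for b in bits:
        burst, quiet = subcarrier(HALF_BIT), [0] * HALF_BIT
        chips += (burst + quiet) if b else (quiet + burst)
    return _with_noise(chips, seed)


def type_b_encode(bits, preamble_cycles=16, seed=2):
    """NRZ-L on a BPSK subcarrier: an unmodulated preamble (TR1) sets the
    phase that means '1'; a '0' is the subcarrier at the opposite phase."""
    chips = subcarrier(preamble_cycles * SAMPLES_PER_SC)
    for b in bits:
        chips += subcarrier(SAMPLES_PER_BIT, inverted=not b)
    return _with_noise(chips, seed)


def _corr(window, ref):
    """Correlation with a zero-mean reference; the carrier DC level cancels."""
    return sum(x * r for x, r in zip(window, ref))


def type_a_decode(env, nbits):
    """Which half-bit carries subcarrier energy decides the bit."""
    ref = subcarrier(HALF_BIT)
    bits = []
    for k in range(nbits):
        s = k * SAMPLES_PER_BIT
        first = abs(_corr(env[s:s + HALF_BIT], ref))
        second = abs(_corr(env[s + HALF_BIT:s + SAMPLES_PER_BIT], ref))
        bits.append(1 if first > second else 0)
    return bits


def type_b_decode(env, nbits, preamble_cycles=16):
    """Sign of the correlation relative to the preamble's phase decides the bit."""
    n_pre = preamble_cycles * SAMPLES_PER_SC
    one_sign = 1 if _corr(env[:n_pre], subcarrier(n_pre)) > 0 else -1
    ref = subcarrier(SAMPLES_PER_BIT)
    bits = []
    for k in range(nbits):
        s = n_pre + k * SAMPLES_PER_BIT
        bits.append(1 if _corr(env[s:s + SAMPLES_PER_BIT], ref) * one_sign > 0 else 0)
    return bits


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed card reply
    print("A:", type_a_decode(type_a_encode(bits), len(bits)))
    print("B:", type_b_decode(type_b_encode(bits), len(bits)))
```

On a microcontroller each Type A bit costs two 64-sample correlations, i.e. 128 multiply-accumulates per 9.4 µs bit at this sample rate; that figure, times the number of bits in a frame, is the per-frame budget the Possible Challenges section is concerned about. The Type B decoder shows why the preamble matters: if the whole envelope is phase-inverted (a different coil orientation or front-end polarity), the preamble's sign flips with it and the bits still decode correctly.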

Previous Implementations

ProxMark III:

At the time of writing, the most popular solution for RFID security analysis is the Proxmark III. The Proxmark III is an open-source card/reader emulator built around an ARM microcontroller and an FPGA that allows researchers to analyze communications between cards and readers in the standard ~125 kHz and ~13.56 MHz frequency ranges. This device relies heavily on the FPGA for its digital signal processing (the modulation and demodulation front ends), which increases throughput at the cost of complexity: a custom (de)modulation scheme requires writing Verilog for the FPGA as well as C for the ARM firmware.

RFID Emulator:

Another design for the emulation of RFID cards that we referenced is located on Instructables and was created by user kukata86. This design closely implements the role of the PICC (proximity integrated circuit card), both drawing power and communicating via the built-in coil. It relies on a common circuit known as an envelope detector, which recovers the envelope of the carrier and produces a steady baseband signal for analysis. This solution is smaller than the Proxmark; however, it only supports communication in the 125 kHz range and has no interface for sending captured data to an external device.

Design Details

Block Diagram:

System Overview:

The system begins with a swappable coil that handles all communication with cards and readers. The coil feeds a double-pole double-throw (DPDT) relay that selects whether to connect it to the low-frequency (LF) and high-frequency (HF) peak detectors, or to the LF and HF gain amplifiers, which amplify the raw signal so that the unmodified waveform can be captured. Both RF front ends contain a gain amplifier, a peak detector, and a zero-crossing comparator that turns the carrier into a digital clock used to clock data out.

The front ends then connect to a quad bilateral switch acting as an analog multiplexer, so that any one of the signals can be selected for sampling by a single analog-to-digital converter (ADC). The selected signal is digitized by the ADC and written into memory via DMA at a sample rate set by the microcontroller. Capturing the unmodified HF waveform implies an ADC and DMA path running above 27.12 MS/s (twice the carrier), whereas the peak-detected path only has to resolve the 847.5 kHz subcarrier, which is what makes the envelope path practical on a microcontroller ADC. The microcontroller then parses this buffer to demodulate the signal and determine which command the reader sent, or which data the card returned.

Finally, time permitting, we may implement an LF/HF output stage that allows us to emulate cards and readers, covering the whole RFID communication chain. There are two approaches to implementing RFID output. Following the Proxmark, we may use tri-state buffer drivers as unity-gain amplifiers to drive the coil and rely on the coil's tuning to smooth the square wave into a sine. The other option is to build an analog mixer for carrier, subcarrier and bitstream on the HF side and a load-modulation circuit on the LF side, which simplifies the digital processing and follows the specifications more closely.
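The LF receive chain of the block diagram, simulated end to end in software as an added example (this is not code from the proposal, and not the Proxmark firmware). The 1 MS/s sample rate, the peak-detector decay of 0.8 per sample (an RC of about half a carrier cycle), the 70% modulation depth and the comparator thresholds are assumptions chosen for the simulation, and the reader's ASK symbol sequence is constructed here. The output is the list of (level, duration in carrier cycles) runs that a parser for any of the manufacturer-specific 125 kHz encodings would consume from the DMA buffer.

```python
"""125 kHz receive chain of the block diagram, simulated: coil -> gain ->
peak (envelope) detector -> comparator -> ADC/DMA buffer -> run-length parser.

Added example; not code from the proposal or the Proxmark project. Sample
rate, detector decay, modulation depth and thresholds are assumptions.
"""
import math

FC = 125_000                 # carrier frequency, Hz
FS = 1_000_000               # assumed ADC/DMA sample rate: 8 samples per carrier cycle
SPC = FS // FC               # samples per carrier cycle
DECAY = 0.8                  # peak-detector decay per sample (RC ~ 4.5 samples, about half a cycle)
AMP_ON, AMP_OFF = 1.0, 0.3   # assumed ASK amplitudes: 70% modulation depth
V_HIGH, V_LOW = 0.6, 0.45    # assumed comparator hysteresis thresholds

# Constructed reader transmission: (carrier level, duration in carrier cycles).
EXAMPLE_SYMBOLS = [(0, 8), (1, 16), (0, 8), (1, 8), (0, 16), (1, 8)]


def ask_waveform(symbols):
    """What the gain amplifier presents to the ADC: a 125 kHz sine whose
    amplitude follows the reader's ASK symbols (this generator stands in
    for the coil)."""
    out, n = [], 0
    for level, cycles in symbols:
        amp = AMP_ON if level else AMP_OFF
        for _ in range(cycles * SPC):
            out.append(amp * math.sin(2 * math.pi * FC * n / FS))
            n += 1
    return out


def peak_detect(samples):
    """Diode + RC envelope detector: follow the rectified input upwards,
    decay exponentially between peaks."""
    env, y = [], 0.0
    for x in samples:
        y = max(abs(x), y * DECAY)
        env.append(y)
    return env


def comparator(env):
    """Hysteresis comparator: the ripple inside one level must not cross
    both thresholds, otherwise the clock/data stream glitches."""
    state, out = 0, []
    for v in env:
        if state == 0 and v > V_HIGH:
            state = 1
        elif state == 1 and v < V_LOW:
            state = 0
        out.append(state)
    return out


def run_lengths(levels):
    """Parser stage over the DMA buffer: collapse the digital stream into
    (level, duration in carrier cycles) runs, rounding away the detector's
    sub-cycle lag and dropping sub-half-cycle glitches (e.g. the first
    sample before the detector has charged). A manufacturer-specific bit
    decoder (Manchester, biphase, PSK, ...) would sit on top of these runs."""
    runs = []
    for lv in levels:
        if runs and runs[-1][0] == lv:
            runs[-1][1] += 1
        else:
            runs.append([lv, 1])
    return [(lv, round(n / SPC)) for lv, n in runs if round(n / SPC) > 0]


def sniff(symbols=EXAMPLE_SYMBOLS):
    """Whole chain on a constructed transmission; returns the recovered runs."""
    return run_lengths(comparator(peak_detect(ask_waveform(symbols))))


if __name__ == "__main__":
    print(sniff())   # returns the runs of EXAMPLE_SYMBOLS
```

Two things the simulation makes visible that the block diagram does not: the envelope detector's RC introduces a lag of a few samples on every falling edge, so run lengths come out skewed by a fraction of a cycle and must be quantized to carrier cycles (the comparator's clock output is what provides that reference in hardware), and the hysteresis band has to sit above the detector ripple of the "off" level and below the ripple of the "on" level, which ties the thresholds to the modulation depth of the reader being sniffed.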

Possible Challenges

Overall, due to the complexity of the analog and digital signal processing that must be done in order to communicate with cards and readers, we foresee a few issues. Mainly, without an FPGA the digital signal processing used to demodulate the signal may take too many clock cycles, so that we run out of time to transmit the next set of data in bidirectional 13.56 MHz communication; for ISO/IEC 14443 Type A in particular, a card's reply must begin a fixed frame delay time (about 90 µs) after the reader's command ends, so demodulating the command and preparing the reply must both fit in that window. Additionally, the output generator in our Proxmark design reference is implemented in digital logic, relying on the tuning of the coil to smooth the square wave into the proper sine wave. This poses a challenge for us, as we may not have the processing power to calculate the timings necessary for the proper output. In response to these concerns, we may choose to implement an analog transmit path in order to minimize the digital overhead; however, this comes at the cost of not being able to implement any modulation scheme we like without switching hardware.

References

[1] "Proxmark/proxmark3", GitHub, 2018. [Online]. Available: https://github.com/Proxmark/proxmark3/wiki/Hardware-Description. [Accessed: 14-Feb-2020].

[2] "RFID Emulator - How to Clone RFID Card, Tag ...", Instructables. [Online]. Available: https://www.instructables.com/id/RFID-Emulator-How-to-Clone-RFID-Card-Tag-/. [Accessed: 14-Feb-2020].

[3] "AM Demodulation: Amplitude Modulation Detection » Electronics Notes", Electronics-notes.com. [Online]. Available: https://www.electronics-notes.com/articles/radio/modulation/amplitude-modulation-am-demodulation-detection.php. [Accessed: 14-Feb-2020].

[4] A. Taqi and Z. Faris, "Implementation of Digital Communication using Matlab (Graduation project for B.Sc. degree)", B.S., University of Technology, Iraq, 2015.

[5] N. Motlagh, "Near Field Communication (NFC) - A technical Overview", Ph.D., University of Helsinki, 2020.

[6] "square wave to sine wave RC filter", Electrical Engineering Stack Exchange, 2017. [Online]. Available: https://electronics.stackexchange.com/questions/299420/square-wave-to-sine-wave-rc-filter. [Accessed: 14-Feb-2020].

[7] J. Bae, K. Kim, W. Choi and C. Park, "Design and Implementation of Reader Baseband Receiver Structure in a Passive RFID Environment", IntechOpen, 2010. [Online]. Available: https://www.intechopen.com/books/current-trends-and-challenges-in-rfid/design-and-implementation-of-reader-baseband-receiver-structure-in-a-passive-rfid-environment. [Accessed: 14-Feb-2020].

[8] E. Ehrlich, "Digital Demodulator Architecture of a Contactless Reader System for HF RFID Applications Supporting Data Rates up to 13.56 Mbit/sec", Dr. techn., Graz University of Technology, 2011.

[9] P. Sorrells, "Passive RFID Basics", Murdoch University, 1998. [Online]. Available: http://ftp.it.murdoch.edu.au/units/ICT219/Papers%20for%20transfer/Passive%20RFID%20Basics.pdf. [Accessed: 14-Feb-2020].

[10] L. Sevgi and C. Uluicik, "Testing ourselves: DigiComm: A MATLAB-based digital communication system simulator", ResearchGate, 2014. [Online]. Available: https://www.researchgate.net/publication/264591517_Testing_ourselves_DigiComm_A_MATLAB-based_digital_communication_system_simulator. [Accessed: 14-Feb-2020].

[11] "Advanced RFID Measurements: Basic Theory to Protocol Conformance Test - National Instruments", National Instruments, 2014. [Online]. Available: http://www.ni.com/tutorial/6645/en/#toc2. [Accessed: 14-Feb-2020].


Comments:

Cool idea! Please talk to Fin about the difficulty and scope of the project.

Posted by yuchenc2 at Feb 16, 2020 02:33

Sounds difficult but you've done your research. I'm ok with this as long as you're confident in your ability to pull this off.

Posted by fns2 at Feb 16, 2020 13:24

I was going to say this might be too much, but then I saw that glorious block diagram. 

Regarding concerns:

"Overall, due to the complexity of the analog and digital signal processing that must be done in order to communicate with cards and readers we foresee a few issues."

  • Bold statement (smile)

"Mainly, due to the lack of an FPGA we may run into an issue where the digital signal processing used to demodulate the signal may take too many clocks to calculate the input signal, thus running out of time to transmit the next set of data in bidirectional 13.5MHz communication."

  • That's possible. What prevents you from transmitting a "Hold on, reading" signal?

"Additionally, the output generator from our proxmark design reference is implemented in digital logic, relying on the tuning of the coil to smooth the square wave into the proper sign wave."

  • This could be a roadblock. Make sure to communicate with us as you go, and look for existing Digital to AC or AC to Digital conversion chips to solve this.

Posted by weustis2 at Feb 16, 2020 22:56