PicNic - yet another emulator/spyware for HF RFID

(c) Copyright by Tomas Rosa in 2008-2009, http://crypto.hyperlink.cz

Email to: tomas_dot_rosa (at) rb_dot_cz

This material can be freely used for educational purposes only. Note that its usage may be subject to legal regulation.

The author takes no responsibility for any direct or indirect damage or incident caused by using the content of this page.

Last update: November 27th 2009

Page history

November 27th 2009: Note on PicNic enhanced by a Crypto1 VHDL-based coprocessor added. Cf. below.

Abstract

Rather than a final construction, this is just an experimental kit addressed to anybody who wants to play with, e.g., MIFARE chip emulation. It has two main parts: a HW module, which is a simple microcontroller-driven HF RFID transceiver, and a particular SW module, which does the particular job (fake UID sending, terminal spying, MIFARE hacking, etc.). The modules currently available in public are listed below. Of course, it is definitely up to you to build your own HW/SW modules based on some of those already existing. Remember: this is a kit... it all started as a demo project for my students, then I decided to put it here, just for inspiration.

The name PicNic itself explains the main design paradigm and also tells why I constructed "yet another emulator/spyware". The word "Pic" comes from the name of the microcontroller family being used, while "Nic" comes from the Czech word for "nothing". So, PicNic = PIC and "nothing else around it". Thus, in contrast to the other designs available on the internet, which often try to be as robust as possible, I searched for the minimal design possible. I do not say I have reached the absolute minimum, but I feel I am close enough.

The whole design is addressed to people with a moderate knowledge of radio electronics, PIC programming, and RFID technology.

Documentation

Rosa, T.: PicNic for HF RFID, Santa’s Crypto Get-together 2008, Rump Session presentation, Prague

Klima, V. and Rosa, T.: PicNic pro RFID-KV, Sdelovaci technika, 1/2009

(this article is in Czech; I hope I will find time to translate it. Nevertheless, the scheme and the short notes presented below, together with the source code comments in the assembler files, should be enough to understand how it works and how to build it.)

HW design

Note on the PIC clock source

The microcontroller oscillator is driven by a crystal (X-tal) with a resonant frequency of 13.56 MHz. A parallel-resonant cut with a load capacitance of approx. 30 pF should be used. Using the same frequency as the carrier, we can easily synchronize with the RFID terminal at the very basic level of the instruction flow.

Note on the magnetic antenna design

The analog part uses a magnetic antenna, which is dictated by the fact that HF RFID operates in the near-field range, where inductive coupling is possible. Rather than a particular antenna type, general design rules are presented here. The antenna is composed of the main coil, the series resistor, and the resonant capacitor. From the electromagnetic-field viewpoint, the coil should be constructed as 4 to 15 turns in a plane around an area similar to a standard ISO card. From the circuit viewpoint, the inductance should be kept at a moderate level (tens of µH at most), as we need to set the resonant capacitor accordingly. The well-known Thomson formula can be used as an estimate here:

f = 1/[2*Pi*sqrt(LC)].

Furthermore, we must care about the quality factor of the antenna, as it limits the transceiver bandwidth. Let us say we need a 1.7 MHz bandwidth (twice the 847.5 kHz ISO 14443A subcarrier, so that both load-modulation sidebands fit); then we can use the following estimate for the series resistance:

R > 3.4*Pi*10^6*L.

 

Otherwise, we keep the value of R_ANT as low as possible, as we do not want to damp the antenna too much. A classical diode AM detector is coupled directly to the antenna. Its output is then fed to the analog input RA1. An internal comparator works there, and its output is fed to the TMR0 and CCP modules of the PIC. TMR0 is used to demodulate the (modified) Miller encoding used by ISO 14443A for terminal-to-card data transmission. The CCP module is used as a capture register for TMR1, which is then used to synchronize the time frame for the emulator response (cf. ISO 14443-3A for the detailed requirements). Another part attached to the antenna circuit is the load modulator. It is composed of a Graetz bridge whose load impedance is switched by an enhancement-mode N-channel MOSFET. Note that using this technology instead of a classical bipolar transistor turned out to be necessary due to the poor switching characteristics of the bipolar one when driven by an asymmetric input source at 847.5 kHz. On the other hand, the gate saturation voltage of the MOSFET affects the minimum supply voltage of the whole PicNic. If we want to go below 4.5 V, a different part with a lower saturation voltage should be considered. The modulation impedance is mainly resistive, and the resistance can be adjusted by R13 (we typically start at a value of 100 Ohms). The MOSFET itself is driven by the RB5 digital output.
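To make the role of TMR0 concrete, here is an added software model of the terminal-to-card (PCD to PICC) modified Miller coding of ISO 14443A; it is written for this page as an illustration and is not code from the PicNic assembler sources. It assumes pause timestamps measured in carrier cycles (fc = 13.56 MHz, so one bit period is 128 cycles and a sequence X pause falls 64 cycles into the bit), models the terminal side only in order to construct its own input, and snaps each detected pause to the nearest half-bit of a grid anchored on the start-of-communication pause, which is the idea behind timing the pauses with a counter clocked from the same 13.56 MHz source as the carrier.

```python
# Added example (not PicNic firmware): model of ISO 14443A terminal-to-card
# modified Miller coding.  Assumes pause timestamps in carrier cycles,
# fc = 13.56 MHz, so one bit period is 128 cycles.
BIT = 128          # bit duration, carrier cycles (128/fc)
HALF = BIT // 2    # offset of the sequence X pause inside a bit


def miller_sequences(bits):
    """Bits -> X/Y/Z sequences: SOC is Z, '1' is X, '0' is Y after a '1'
    and Z after a '0' (or directly after SOC); EOC is a '0' then Y."""
    seqs, prev = ["Z"], 0              # SOC acts as a preceding '0'
    for b in bits:
        seqs.append("X" if b else ("Z" if prev == 0 else "Y"))
        prev = b
    seqs.append("Z" if prev == 0 else "Y")   # the '0' of the EOC
    seqs.append("Y")                         # closing Y
    return seqs


def pcd_pauses(bits):
    """Carrier-cycle timestamps of the pauses a terminal emits for `bits`."""
    pauses = []
    for i, s in enumerate(miller_sequences(bits)):
        if s == "Z":
            pauses.append(i * BIT)           # pause at the bit boundary
        elif s == "X":
            pauses.append(i * BIT + HALF)    # pause mid-bit; Y has none
    return pauses


def decode_pauses(pauses, tol=8):
    """Recover bits from pause timestamps (the first one is the SOC).

    Each pause is snapped to the nearest half-bit of a grid anchored on the
    SOC; on a boundary it is Z, mid-bit it is X, a bit with no pause is Y.
    `tol` is the accepted timing jitter in carrier cycles."""
    t0, slots = pauses[0], {}
    for t in pauses[1:]:
        rel = t - t0
        steps = round(rel / HALF)
        if abs(rel - steps * HALF) > tol:
            raise ValueError(f"pause at {t} is off the Miller grid")
        idx, odd = divmod(steps, 2)
        slots[idx] = "X" if odd else "Z"

    bits, prev, i = [], 0, 1
    last = max(slots, default=0)
    while i <= last + 2:                     # at most two trailing Y
        s = slots.get(i, "Y")
        if s == "X":
            b = 1
        elif s == "Z":
            b = 0                            # (Z after a '1' is tolerated)
        elif prev == 1:
            b = 0                            # Y after a '1' codes a '0'
        else:
            break                            # Y after a '0': end of frame
        bits.append(b)
        prev, i = b, i + 1
    else:
        raise ValueError("no end of communication found")
    if not bits:
        raise ValueError("empty frame")
    bits.pop()                               # drop the '0' of the EOC
    return bits


def frame_bits(data):
    """Standard frame: each byte LSB first, followed by an odd parity bit."""
    bits = []
    for byte in data:
        b = [(byte >> k) & 1 for k in range(8)]
        bits += b + [1 - sum(b) % 2]
    return bits


def short_frame_bits(cmd):
    """Short frame (e.g. REQA 0x26, WUPA 0x52): 7 bits LSB first, no parity."""
    return [(cmd >> k) & 1 for k in range(7)]


def parse_frame(bits):
    """Split decoded bits into bytes, checking odd parity; returns (bytes, kind).
    Bit-oriented anticollision frames are not handled by this model."""
    if len(bits) == 7:
        return [sum(b << k for k, b in enumerate(bits))], "short"
    if len(bits) % 9:
        raise ValueError(f"{len(bits)} bits: neither short nor byte-aligned")
    out = []
    for j in range(0, len(bits), 9):
        data, parity = bits[j:j + 8], bits[j + 8]
        if (sum(data) + parity) % 2 != 1:
            raise ValueError(f"parity error in byte {j // 9}")
        out.append(sum(b << k for k, b in enumerate(data)))
    return out, "standard"


if __name__ == "__main__":
    reqa = pcd_pauses(short_frame_bits(0x26))           # constructed input
    print(reqa, parse_frame(decode_pauses(reqa)))
    sel = pcd_pauses(frame_bits([0x93, 0x20]))           # SELECT CL1, NVB
    print(parse_frame(decode_pauses(sel)))
```

The decoder deliberately works from pause-to-grid positions rather than from the raw interval between two pauses; a real counter-based implementation sees only the intervals, but every interval is a multiple of 64 cycles, so the same half-bit snapping applies to each interval in turn. The parity check at the end is what lets a sniffer tell a clean capture from one where a pause was missed.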

 

Note on the external communication

The design expects a USART connection to the outside world as well. We must not forget proper signal-level conversion, of course. To connect to the RS232 port of a PC, we can use, for instance, the well-known MAX232 converter from Maxim. We can also use FTDI chips if we want a straightforward connection via USB. I also have very good experience with the ConnectBlue OEMSPA311i Bluetooth serial adaptor. The particular communication speed etc. is up to the particular SW module. As the clock frequency is the same as the carrier frequency, we can easily derive 13.56*10^6/128 bps (approx. 106 kbps). The question is, of course, what can be set on the receiver's side. The signals used for the communication are Rx, Tx, and DTR. There is a circuit (cf. the scheme and the initialization in the source code) that performs an automatic hard reset of the PIC on each DTR signal change. This simple scheme works mainly because the PORTA pins go to the high-impedance state on the falling edge of MCLR, and because the comparator output can be XORed with a user-defined bit value. The serial line is planned mainly for sniffing and monitoring purposes.

Crypto1 enhancement

To support MIFARE Classic attacks on schemes relying on both the UID and crypto memory access, a version with Crypto1 coprocessor support is currently under construction. The coprocessor itself is a (V)HDL design (many thanks to Jiri Bucek <jiri_dot_bucek (at) fit_dot_cvut_dot_cz> for his vital help and patience) targeted at simple CPLD devices. In particular, the Digilent Digilab XCRP circuit board featuring the Xilinx XCR3064XL is currently used.

Current status of the project:

- VHDL design: OK
- VHDL testbench: OK
- PicNic interconnection: OK
- Key load procedure: OK
- UID and n_T load procedure: OK
- MIFARE Classic login procedure: written, to be tested
- MIFARE Classic simple read procedure: written, to be tested

Some pictures of the whole prototype design can be found here: device detail, inner side, outer box.

SW modules

FakeUID 1.3.2 – emulator of the ISO 14443A anticollision handshake for a 4-byte UID; some support for data gathering for MIFARE Classic cryptanalysis added (see the comments in the source code)

FakeUID 1.4-beta – supports ISO 14443A UIDs of all lengths (4/7/10 bytes) and features a redesigned Tx synchronization to allow easier application-protocol extension (see the comments in the source code)

Recommended reading

[1] Finkenzeller K.: RFID Handbook, John Wiley & Sons Ltd., 2nd edition, 2004

[2] Lee, Y.: Antenna Circuit Design for RFID Applications, Microchip Tech. Inc., 2003

[3] PIC16F627A/628A/648A Data Sheet, Microchip Tech. Inc., 2007