Introduction to the Open RFID Tag

The motivation of the OPEN RFID projects is to create the necessary tools for experimenting with and testing the security of different RFID implementations.

Concretely, the OPEN RFID Tag is an open-hardware/open-software implementation of a passive RFID tag, which is compatible with most of the ISO and proprietary RFID protocols and has some advanced security testing capabilities. This project is complemented by the “OPEN RFID Interface” project.

Several solutions are already available – like OPEN PICC or PROXMARK – but they do not support low frequency tags, are too expensive, or are too complex. They are also not “portable” because they need to be externally powered and usually have to be connected to a computer.

The OPEN RFID tag has been designed with the following objectives:

  • Educational. Simple enough to understand its inner workings. Easy to develop new firmware for and to collaborate with the project.
  • Create a flexible and powerful programmable tag, able to test any low and high frequency tag.
  • Cheap and easy to build. All the parts are easily found in any electronics store.

FEATURES

The OPEN RFID tag implements different features according to the firmware used and the hardware version.

Some of these features are:

  • Can emulate almost any current tag: EM4100, TK5551, Verichip, ISO 11784 compatibles, Mifare (expected)…
  • Biphase, Manchester, PSK, RAW encoding
  • Data rate from 8 to 256 clocks per bit.
  • Emulates tags with up to 1920 bits (firmware limit).
  • Multiple memory maps stored in the OPEN RFID tag.
  • Brute forcing, cloning, timing attacks and other complex attacks.
  • 100% passive. No battery required.

DOCUMENTATION

Read more about OPEN RFID Tag:

LICENSE

The project is released under the terms of this license.

SPECIFICATIONS

Currently, there are two versions of the Open RFID Tag: the normal and the LITE version.

The LITE is a compact and cheaper version intended only for low frequency tags.

The normal version, however, is a more powerful tag which can be used for both low and high frequency systems.

HARDWARE

|  | Open RFID Tag LITE | Open RFID Tag |
|---|---|---|
| Processor | PIC 12F683; 8 bits architecture; 8 MHz (2 MIPS) | PIC PIC24F04KA201; 16 bits architecture; 32MHz (16 MIPS) |
| Memory | 3.5KB program memory; 128B RAM; 256B EEPROM | 4KB program memory; 512B RAM; 256KB EEPROM (external) |
| Supported Frequencies | Low Frequency (115KHz – 140KHz approx.) | Low Frequency (115KHz – 140KHz approx.); High Frequency (13.56 MHz) |
| User Interface | 2 LEDs; 2 Buttons | 4 LEDs; 3 Buttons |
| Programming Interface | ICSP / ICD (prog. + debug); RS232 | ICSP / ICD (prog. + debug); RS232; RFID |
| Power | Passive (no battery) | Passive (no battery) |
| Current Version | 0.3 with modifications (28/Jan/2010) | Early prototype (unreleased) |

SOFTWARE

|  | Open RFID Tag LITE | Open RFID Tag |
|---|---|---|
| Programming Language | ASM; C (not recommended) | C |
| Self programmable | NO (expected in version 0.4) | YES |
| Read operations (Comms. from tag to reader) | YES | YES |
| Write operations (Comms. from reader to tag) | YES (Version 0.3 with modifications) | YES |
| RFID - Encoding schemes | Manchester; BiPhase; RAW | Manchester; BiPhase; PSK; RAW |
| RFID - Data rates | From 8 to 256 RF clocks per bit | From 8 to 256 RF clocks per bit |

LF FREQUENCY TAGS SUPPORTED

|  | Open RFID Tag LITE | Open RFID Tag |
|---|---|---|
| EM4100, EM4102 (& compatibles) | YES (multimap firmware) | YES |
| EM4005, EM4105 | YES (multimap firmware) | YES |
| Verichip | YES (multimap firmware) | YES |
| TK5551, T555X | Read only (multimap firmware); Read & Write (Unreleased beta) | EXPECTED |
| Texas Instruments HDX Tags | NO (due to hardware limitations) | NO (but could be in the future…) |
| ISO 11784/5 | YES (multimap firmware) | YES |
| HiTAG 1/2/S | NO (due to CPU limitations) | EXPECTED |

Others…

  • Almost any LF tag can be emulated in “read only” mode with the “multimap” firmware.
  • Passive cloning (sniffing).
  • Brute forcing attacks
  • Timing attacks

HF FREQUENCY TAGS SUPPORTED

|  | Open RFID Tag LITE | Open RFID Tag |
|---|---|---|
| ISO 14443 | - | EXPECTED |
| MIFARE ULTRALIGHT & CLASSIC | - | EXPECTED |
| MIFARE DESFIRE | - | PROBABLY NO (due to CPU limitations). A CPU upgrade can solve this problem, but due to the high power consumption it couldn’t be powered passively. |