The simplest possible RFID emulator

 

Before reading this section, you should check first “RFID for nerds and hobbyist“.
Keep in mind that this information applys for low frequency RFID. Several changes

When looking for a low frequency RFID emulator for security testing purposes, you can find several designs out there. However, their complexity can make you think twice before building one.

Is necessary that complexity? In some cases you don’t need too much functionality. Just a simple RFID emulator without fancy capabilities.

How simple can be an emulator? Let’s see.

The simplest possible RFID emulator

Look this!

Simplest possible emulator

And this is the schematic:

simplest possible emulator - schematic

Can something this simple works? Check this video. It emulates a EM4100 tag.

HOW IT WORKS?

In order to understand how this simple design can works, we have to consider the internal connections of the microcontroller IO ports.

Consulting the datasheet, we can observe that every IO pin has an internal parasite capacitor (around 5pF) and a pair of clamping diodes, as this diagram shows:

Considering internal capacitance and diodes, the result schematic of this simple emulator is something like:

The parasite capacitor in the IO pins and the external coil form a LC resonant circuit and act as an antenna. This antenna will pick up the carrier generated by the RFID reader.

The recovered carrier is rectified thanks to the bridge formed with the clamping diodes, feeding back the result signal to the power supply of the microcontroller.

Note that the coil (antenna) is connected to the GP5 / CLKIN / OSC1 port. This is important, but we will back to it later.

The other terminal of the coil is connected to the GP4 port. In order to transmit data to the RFID reader, we have to modulate the low frequency carrier by changing the coupling between the reader and tag antennas. We can achieve this by switching the GP4 as input (High-Impedance) or output (connected to GND).

THE FIRMWARE

Some knowledge on PIC assembler is requiered to understand perfectly this section.

Basically, The code for emulating a read-only tag is not more than a bunch of “well-timed” instructions that modify the GP4 state.

This microcontroller (like most of the modern PIC microcontrollers) has an internal oscillator. However, instead of using the internal oscillator, the firmware uses the RFID carrier, present in the GP4 pin, as the system clock.

This way, the firmware is simpler because there is no need to synchronize the data modulation (switching the GP4 pin to GND or High-Impedance) with the RFID carrier. The code execution is already synchronized with the carrier.

The oscillator block has a “relatively” high power consumption, so another reason for not using the internal oscillator is to save energy. And less power means longer reading distance.

As firmware example, you can download this ASM source. It emulates a EM4100 RFID tag, a very common tag.

The EM4100 [datasheet] is a read-only tag with 64 bits of memory and is usually found configured to work at 64 clocks per bit and with Manchester encoding.

The Manchester encoding implies that a ’1′ encoded bit is transmitted “half-bit” (32 clocks) as ’0′ and “half-bit” (32 clocks) as a ’1′.

In this configuration, the ASM code for transmitting a ’1′ encoded bit is:

Note that between the execution of the BSF and the BCF instructions there are exactly 8 instruction cycles. Considering that the PIC architecture uses 4 system clocks for executing one instruction, it means that pass exactly 32 carrier clocks between the two instructions.

A ’0′ encoded bit is transmitted in a similar way.

Images

[TO DO: oscilloscope captures of the RFID carrier, the power signal (between VCC and GND) and the Manchester modulation]

Improving the emulator

In the previous emulator schematic no inductance value has been defined.

To improve the carrier reception – and therefore the reading distance -, the inductance and the capacitance should be tuned to resonate at the carrier frequency (125 KHz in this case).

Using the value of the parasite capacitor (around 30 pF) and a frequency of 125 KHz, we can calculate the value of the tuned inductance with the formula

f = 1/(2*pi*(L*C)^0.5)

The result is 54.04 mH.

However, the parasite capacitor value is an approximation. The real value differs from one device to other. It can even change due to external parameters (temperature, power voltage, clock frequency, etc). Using only the parasite capacitor makes almost impossible to tune correctly the LC circuit.

Adding an external capacitor in parallel to the coil makes much easier the tunning process.

The capacitor should be at least 1 nF, so the variations on the parasite capacitance does not bias the tunning too much.

But a tuned antenna is not the only factor to take into account in order to improve the reading range.

Working at 125 KHz (wavelength of 2400 meters) means that, given the short reading range, the electromagnetic field created by the RFID reader can be considered as an alternating magnetical field. A large antenna will receive more magnetic flux than a small one, and a higher voltage will be induced in its terminals.

A manufactured axial inductor – like the one used in the video – has physically a small area and will not pickup too much carrier. The reading range will be very short.

We can construct a better antenna. For example, a helicoidal coil can be constructed with a toiler paper cardboard and some wire. It is easier than you think! You can use a tool like this one to calculate the inductance of your handmade coil. Once you have calculated the inductace, don’t forget to tune the antenna with its corresponding capacitor.

A 150 uH coil and a 10 nF capacitor are good values to start with.

For reference, the antenna used in the video up there is a 10mH axial inductor. There is no tunning capacitor (besides the parasite capacitance), so the reading range is very short. Neither the small size of the inductor helps. In fact, as you can see in the video, the emulator only works in some points of the reader. To be more precise… it only works in the places where the magnetic field is maximum.

Another improvement is to use a decoupling capacitor between Vcc and Vss for stability reasons. 100 nF is enough.

The schematic with the cited improvements:

simplest emulator schematic with improvements

NOTES

The microcontroller used for this project is the PIC 12F683. However, any other PIC 12F (or even 16F) microcontroller is suitable for the emulator. The firmware should compile without any change.

Using a manufactured coil instead of homemade one can be tricky. Prepare yourself to do some try-outs.

Choose the biggest inductance possible because it will have a larger area. Be aware that some inductors can be covered with a conductive foil to isolate the coil from the EM noise.

The idea of creating a RFID emulator using just the microcontroller and a coil is not original mine. This post from the Scanwidget’s Journal gave me the idea. If you are a AVR fan instead of a PIC one, check that post.