Low power sniffing techniques used in 13.56MHz RFID reader systems
Using TRF7960 and MSP430F2370
Johannes Sturz
Juergen Mayer-Zintel

12/16/2010
HF RFID reader sniffing techniques
• Scope - Problem description
  - Application example
• 13.56MHz RFID system overview
  - ISO standard / RF regulation
  - Typ. System components
• Potential sniffing solutions
  - Mechanical, optical
  - Ceramic Resonator approach
  - Capacitive Sensor
  - TRF796x RSSI check
• Proposed solution - best cost/pwr. budget
  - Principle / basic idea / limitation
  - Schematic
  - MSP430 Software
  - Power consumption estimation
• Summary, outlook, further improvements
"TI Proprietary Information - Selective Disclosure"

• Scope
  - Many 13.56MHz RFID reader terminals are battery powered
  - Battery size and capacity as small as possible (cost).
  - Typ. 3.6V supply voltage.
  - Use affordable battery technology.
  - No additional components.
  - Polling intervals up to max. 1s
  - ISO 15693 and ISO 14443A/B Cards
  - Most critical applications: Car2Go, Door Lock, "car toll reader"
Ultra low power HF RFID card sniffer needed!

13.56MHz RFID system overview - RF regulation
Spectrum mask for the European HF RFID frequency band 6,78MHz and 13,56MHz
Source: EN300330-1
[Figure: spectrum mask around f0 (6,78 MHz / 13,56 MHz) with the ISM band and offsets of ±150 kHz, ±450 kHz and ±900 kHz marked. Limit levels shown: +60 dBμA/m for 13,56 MHz; +42 dBμA/m for 6,78 MHz and 13,56 MHz; +9 dBμA/m; -1 dBμA/m at 6,78 MHz / -3,5 dBμA/m at 13,56 MHz; -10 dBμA/m; -16 dBμA/m.]
Carrier accuracy @13.56MHz ±7kHz (~500ppm)

13.56MHz RFID system overview - ISO standards
ISO 15693 / ISO18000-3 - HF-I Product Line - Vicinity cards
• Most widespread HF card - no/very limited security.
ISO 14443A - Wireless Payment/Secure - Proximity cards
• Defines the physical layer and some communications layer.
ISO 14443B - Wireless Payment/Secure - Proximity cards
• Defines the physical layer and some communications layer.
Felica (ISO 14443C) - Near Field Communication - Proximity cards
• Reader manufacturer will need licensing agreement with Sony.
NFC (ongoing) - Near Field Communication - Proximity cards
• Defines the physical layer and some communications layer.

13.56MHz RFID system overview
A battery-less tag gets its energy from the radio waves generated by the reader's antenna
Downlink (Reader → Inlay)
- ASK Modulation
- Pulse Position Coding
- Datarate 1.6 or 26 kbits/sec
[Figure: reader with antenna and inlay]

13.56MHz RFID system overview
Downlink uses ASK Modulation
ISO 15693 Inlays operate with 100% or 10% modulation; using 10% modulation lowers the spurious emissions.
[Figure: carrier modulation at 100% and at 10%]

Communication from Inlay to Reader
Uplink (Inlay → Reader)
- FSK or ASK modulation (Load-modulation)
- Manchester coding
- Datarate 6 or 26 kbits/sec
[Figure: inlay and reader]

Communication from Inlay to Reader
- ASK @423.7kHz sub-carrier or
- FSK with 423.7kHz / 484.2kHz
[Figure: digital bits H L H L L L H H L shown as Manchester bits, as RF bits FSK (423.7kHz / 484.2kHz) and as RF bits ASK]

13.56MHz RFID system overview
A 13.56MHz RF-Field on its own does not automatically generate a response from the Inlay.
- The Inlay only sends back a signal if:
  • the inlay is in the reading field of a reader's antenna
  • the complete downlink protocol has been understood
  • the inlay keeps within the RF-Field while sending back information
- The inlay can be seen as a slave, whilst the reader is the master.
Note: Because all ISO inlays work the same way, different technologies can be used simultaneously without interference problems between the inlays

RFID card sniffing solutions - Decision Criteria
- Mechanical design
  • Design flexibility / degree of freedom
  • Mechanical robustness
- Cost
  • Production
  • Installation
  • Maintenance free battery lifetime
- User friendly
- Protection against vandalism / fraud
- World wide usage / no country specific designs

Mechanical / Optical
A card slot is equipped with a mechanical switch or a light barrier, acting as a "mechanical sensor" to trigger the RFID card reader.
Pro
- Very low power
- Familiar handling (magnetic card)
Con
- Mechanics required
  • Form factor limitations
  • Reliability / robustness
- Not for harsh environment
- Limited protection against vandalism / fraud

Resonator approach
The reader is equipped with an additional resonator osc. and sensor antenna. The μC generates a short 13.56MHz power burst (20…200μs) and detects the antenna damping.
Pro
- Low power
- No mechanics required
  • Form factor limitations
  • Reliability / robustness
  • Protection against vandalism / fraud
Con
- Additional electrical components required
  • 2 Antennas (RFID / Card sniffer) or switch (high voltage)
  • 2nd low pwr., fast run-in osc.
- Regulation frequency accuracy
- Detection Distance

Capacitive proximity Sensor
The reader antenna also comprises areas used for a capacitive sensor. Capacitive proximity sensors sense "target" objects (RFID cards) due to their ability to be electrically charged. Since even non-conductors can hold charges, this means that just about any object can be detected with this type of sensor.
The reader sends an inventory command each time the sensor detects any change.
Pro
- Flexible SW solution
- Detection range
- Good protection against vandalism
- For all card types
  • ISO-15693 and ISO-14443A/B
  • NFC / Felica
Con
- Many additional components
- High power consumption
- Detector is measuring E-Field, 13.56MHz card is using H-Field => false wake-up

TRF796x RSSI check
The reader issues an Inventory Requ. cmd.; with each cmd. the RSSI value is transmitted to the μC. Dependent on the RSSI value, additional commands are issued.
Pro
- No additional components
- Flexible SW solution
- Good detection range
- For all card types
  • ISO-15693 and ISO-14443A/B
  • NFC / Felica
Con
- High power consumption
  • Long run-in times TRF7960
  • High peak current
- Detection resolution
[Block diagram: TRF7960A with 13.56MHz crystal and antenna matching (TX_out, RX_IN1, RX_IN2), connected to the MSP430 over a serial or parallel interface; supply 2.7V - 5.5V]

Proposed solution - Principle & Basic Idea 1/2
• Initialize the reader system
  - TRF7960: initialization of the voltage regulators
  - MSP430: initialization; use the high frequency Osc. @ 13.56MHz to shorten system run-in times.
• Generate a short 13.56MHz TX power pulse (10 … 15μs) through the TRF7960 reader antenna. Use a shielded (magnetic) antenna to desensitize the reader against parasitic E-Field damping.
• Sense the damping of the reader antenna circuit with / without card.
• Rectify the antenna voltage, store it and measure the decay timing after TX_off.

Proposed solution - Principle & Basic Idea 2/2
Use the slope A/D technique on the MSP430 to measure the C1 charge voltage.
Depending on the decay timing, initialize the system for a "card_read" or go back to stand-by.
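
The decision step described on the two "Principle & Basic Idea" slides, as an added host-side C model (not code from the slides or from TI). The time constant, comparator reference, C1 voltages and wake threshold are assumptions; a card is assumed to lower the voltage stored on C1, and the detector reacts to a deviation in either direction.

```c
#include <stdbool.h>
#include <stdio.h>

/* All values below are assumptions chosen for illustration. */
#define TIMER_HZ  13.56e6   /* timer clocked from the 13.56MHz oscillator */
#define TAU_S     100e-6    /* assumed discharge time constant of C1 */
#define VREF      1.00      /* assumed comparator reference (V) */
#define MAX_TICKS 1000u     /* timeout so a stuck comparator cannot hang a poll */

/* Slope A/D model: count timer ticks until C1 has decayed to VREF. */
unsigned slope_count(double v_c1)
{
    const double k = 1.0 - 1.0 / (TIMER_HZ * TAU_S);  /* decay per tick */
    unsigned n = 0;
    while (v_c1 > VREF && n < MAX_TICKS) {
        v_c1 *= k;
        n++;
    }
    return n;
}

typedef struct {
    unsigned base_x8;    /* no-card baseline, fixed point (count * 8) */
    unsigned threshold;  /* minimum deviation in ticks that wakes the reader */
} sniffer_t;

void sniffer_calibrate(sniffer_t *s, unsigned no_card_count, unsigned threshold)
{
    s->base_x8 = no_card_count * 8u;
    s->threshold = threshold;
}

/* Returns true when the poll should continue with a card_read. */
bool sniffer_poll(sniffer_t *s, unsigned count)
{
    unsigned base = s->base_x8 / 8u;
    unsigned delta = count > base ? count - base : base - count;
    if (delta >= s->threshold)
        return true;                         /* damping changed: wake up */
    s->base_x8 = s->base_x8 - base + count;  /* track slow drift (1/8 IIR) */
    return false;                            /* back to stand-by */
}

int main(void)
{
    /* Constructed C1 voltages: no card, card at 5cm, card at 0cm. */
    const double v[] = { 1.10, 1.08, 1.03 };
    sniffer_t s;
    sniffer_calibrate(&s, slope_count(v[0]), 10);
    for (int i = 0; i < 3; i++) {
        unsigned c = slope_count(v[i]);
        printf("V=%.2f count=%u wake=%d\n", v[i], c, sniffer_poll(&s, c));
    }
    return 0;
}
```

The baseline is only updated on polls that stay below the threshold, so supply or temperature drift is followed without a present card being absorbed into the baseline.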

Proposed solution - schematic
[Schematic not reproduced. Labelled parts: TRF7960A, MSP430Fxxxx, 13.56MHz crystal, antenna with matching components, BAV17 diode; supply Vcc 2.7V - 5.5V. MSP430 connections labelled: TRF_CLK out (GPIO), Reader Pwr. Enable, DATACLK (GPIO), PX.0 - PX.7, IRQ capable GPIO.]

Proposed solution - System measurement
TX pulse = 15μs
[Oscilloscope traces: RF (divided, C7/C8); DEMOD (no card); DEMOD (card distance = 0cm); Comp. OUT (card distance = 0cm); Comp. OUT (card distance = 5cm); Comp. OUT (no card). Annotations: voltage difference; delta pulse length (Bx - Ax).]

Proposed solution - Power consumption MSP/TRF 1/5
- Phase 1
  • Standby: MSP430 / TRF7960
- Phase 2
  • 13.56MHz Osc. startup
  • MSP430 initialization 2msec.
  • TRF7960 programming
- Phase 3
  • TRF7960 regulator start-up 800μsec.
- Phase 4
  • 13.56MHz TX on 15μsec.
- Phase 5
  • Comparator count 2…10μsec
- Phase 6
  • MSP430 calculation / status change 5μsec

Proposed solution - Power consumption card read 2/5
Power consumption per 500ms card polling interval @3.3V
Polling sequence

| Phase | Description | Time | Average current MSP430 | Average current TRF7960 | Energy |
|---|---|---|---|---|---|
| Phase 1 | Standby MSP430/TRF (only RC Osc. running) | 500ms | <1μA | <1μA | 1 μAs |
| Phase 2 | 13.56MHz Osc. start up / MSP430 init. / TRF7960 programming | 2msec. | 1mA | 1.5mA | 5 μAs |
| Phase 3 | TRF7960 regulator start-up | 800 μsec. | 1mA | 3.5mA | 3.6 μAs |
| Phase 4 | 13.56MHz TX_ON @ TRF7960 (half power) | 15 μsec. | 1mA | 60mA | 0.9 μAs |
| Phase 5 | MSP430 comparator count | <10μsec | 1mA | <1μA | 0.01 μAs |
| Phase 6 | MSP430 calculation / status change | 5μsec | 1.5mA | <1μA | 0.08 μAs |
| Total | | | | | 9.59 μAs |

Each ISO-15693 card polling requires about 9.6 μAs @3.3V

Proposed solution - Power consumption card read 3/5
Power consumption per card read @3.3V
TRF7960 energy consumption per ISO-15693 card read ≈ 415μAs.

| Phase | Description | Time (μsec) |
|---|---|---|
| Phase A | Inventory Request Command | 1510.4 |
| Phase B | SOF | 75.52 |
| Phase C | EOF | 37.76 |
| Phase D | Tag wait time for response | 323.3 |
| Phase E | Tag response (with UID) | 3624.96 |
| Phase F | Additional Wait Time | 309.2 |
| Phase G | Transmit Next Slot Command | 37.76 |
| Total | | 5918.90 |

Average current: TRF7960 68mA, MSP430 1.5mA
Energy (μAs): Total 411.3 μAs

Proposed solution - Power consumption summary 4/5
- Power consumption stand-by (0.5s interval; MSP and TRF): 1μAs
- Power consumption per polling interval (3ms, MSP and TRF): 9.6μAs
- Power consumption per UID card read (6ms, MSP and TRF): 415μAs

Proposed solution - Power consumption summary 5/5
- Assumptions
  • Supply 3.3V
  • Typ. battery capacity 2500mAh
  • Self discharge < 4% per year (linear)
  • Polling interval 500ms
  • 1x ISO-15693 card read per hour (includes false wake-up and power consumption due to additional ISO-15693 commands).
- Energy consumption per hour (7200 x polling & 1 x card read):
  • Stand-by = 7.2mAs
  • Polling = 69.1mAs
  • Card read = 0.415mAs
  • Total: 76.715mAs = 21.3μAh
- Energy consumption per year (8760h):
  • ISO-15693 reader 187mAh
  • Battery self discharge 100mAh
  • Total: 287mAh
- Total battery lifetime: > 8.7 years
  Assuming a linear battery self-discharge over the lifetime.
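
The lifetime estimate from the power consumption summary, as an added C example (not from the slides) that goes beyond the 500ms case by taking the polling interval and the per-poll charge as parameters. It assumes stand-by draw scales with time (1 μAs per 0.5s, i.e. 2 μA average) and, for the comparison column, that polling with a full inventory command costs the 415 μAs card-read figure on every poll.

```c
#include <stdio.h>

/* Charge figures from the slides, in uAs at 3.3V. */
#define SNIFF_POLL_UAS  9.6    /* one damping-sense poll (phases 2-6) */
#define CARD_READ_UAS   415.0  /* one ISO-15693 UID read */
#define STANDBY_UAS_S   2.0    /* assumed: 1 uAs per 0.5s stand-by interval */
#define HOURS_PER_YEAR  8760.0

/* Charge drawn in one hour, in mAs. */
double hourly_mAs(double poll_uAs, double interval_s, double reads_per_hour)
{
    double standby = STANDBY_UAS_S * 3600.0;
    double polling = (3600.0 / interval_s) * poll_uAs;
    double reads   = reads_per_hour * CARD_READ_UAS;
    return (standby + polling + reads) / 1000.0;
}

/* Battery lifetime in years with linear self discharge (fraction per year). */
double lifetime_years(double poll_uAs, double interval_s, double reads_per_hour,
                      double capacity_mAh, double self_discharge)
{
    double reader_mAh_year =
        hourly_mAs(poll_uAs, interval_s, reads_per_hour) / 3600.0 * HOURS_PER_YEAR;
    return capacity_mAh / (reader_mAh_year + capacity_mAh * self_discharge);
}

int main(void)
{
    const double intervals[] = { 0.25, 0.5, 1.0 };
    printf("interval  sniff poll   inventory on every poll (assumed 415 uAs)\n");
    for (int i = 0; i < 3; i++) {
        printf("%6.2fs  %8.2f y  %8.2f y\n", intervals[i],
               lifetime_years(SNIFF_POLL_UAS, intervals[i], 1.0, 2500.0, 0.04),
               lifetime_years(CARD_READ_UAS, intervals[i], 1.0, 2500.0, 0.04));
    }
    return 0;
}
```

With the slide's assumptions (500ms interval, one read per hour, 2500mAh, 4% self discharge) the sniff-poll column reproduces the > 8.7 years figure; the small difference in the hourly total comes from the slide rounding the polling charge to 69.1mAs.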

Summary

| Approach | Mechanical Design | Cost | Power consumption | Misc. Comments |
|---|---|---|---|---|
| Resonator approach | No special mechanics required; good protection against vandalism / fraud | Additional components required => PA / antenna switch | Low power consumption due to fast run-in of the resonator. | Local RF regulation needs to be checked; potential detection range issue. |
| TRF/MSP H-Field sensor | No special mechanics required; good protection against vandalism / fraud | Reasonable, as only a few additional components are required | Low power consumption due to well timed run-in procedure. | Flexible SW solution; good and accurate detection range; pure H-field sensing possible |
| TRF796x RSSI check | No special mechanics required; good protection against vandalism / fraud | No additional components / cost | Quite high due to long system run-in times to measure the RSSI; high peak current | Very flexible SW solution; good and accurate detection range; no additional read cycle required |
| Capacitive proximity Sensor | No special mechanics required; good protection against vandalism / fraud | Quite expensive as several additional components required | Reasonable power consumption due to additional cap. sensor device | Several additional components; sensor measures E-Field, card is using H-Field => this may result in false wake-ups. |
| Mechanical / Optical | Form factor limitation; not for harsh environment; no/limited protection against vandalism / fraud | Reasonable => mechanical design/components may generate additional cost. | Extreme low power consumption | Potential reliability issues due to mechanical parts. |

Summary and further improvements
- Ultra low power, high resolution 13.56MHz ISO-15693 card sniffer supporting a battery lifetime of up to 8.7 years @ 2500mAh/3.3V
- Flexible solution, completely SW controlled, e.g. the sensing range can be adjusted by using different supply and power (Half/Full) settings.
- Optimize detection range and timings, which may further reduce the system power consumption.
- Extend to ISO14443A/B card read by connecting to the TRF7960 RX_IN2 pin => matching required.

Thank you for your attention