A RFID Collision Avoidance Framework using SDR

by

Bruno Fernando Espinoza Amaya

Department of Electrical and Computer Engineering, University of Queensland

Submitted for the Degree of

Master of Computer Science

June, 2015

i

Bruno Fernando Espinoza Amaya

43388116

89 Zetland Street, Upper Mount Gravatt, QLD, Australia

15/06/2015

Prof Paul Strooper Head of School School of Information Technology and Electrical Engineering The University of Queensland St Lucia QLD 4072

Dear Professor Strooper,

In accordance with the requirement of the Degree of Master of Computer Science in the School of Information Technology and Electrical Engineering, I submit the following thesis entitled

“A RFID Collision Avoidance Framework using SDR”

The thesis was performed under the supervisor of Dr. Konstanty Bialkowski. I declare that the work submitted in thesis is my own, except as acknowledged in the text and footnotes, and has not been previously submitted for a degree at The University of Queensland or any other institution.

Yours sincerely

_____________________________

Bruno Fernando Espinoza Amaya

ii

Acknowledgements

First, I would like to express my thanks to my supervisor, Dr. Konstanty Bialkowski, for the guidance and support he provided during the course of this project. He always answers my questions and helped to made things clear, so this thesis would not have been possible without his continuous guidance.

Second, I would like to acknowledge the Peruvian Government for the scholarship award and its support for getting certain materials for this project.

Last but not least, I would like to thank my family for the continuous support during the entire degree at the University of Queensland.

iii

Abstract

This proposed project is to implement a RFID Framework for testing collision recovery in the ISO 1800-6C Standard. According to this standard, tags reply to a RFID reader which then decodes the replied information to access information of the tag. However, in high throughput RFID systems, there is a need of reading a large number of tags in a short amount of time. When more than one tag replies to a reader at any given time, a situation called Collision is caused. Because the collision consists on multiple tags replying, the encoding of the standard is violated, and the RFID reader cannot decode it. Therefore the reader fails to read the tags and must restart the process, degrading the overall performance of the entire RFID system. Although the standard implements collision avoidance, to lower the probability of collisions happening, they cannot be avoided completely and currently, according to the standard, there is no way of recover information once the collision actually happens.

This research focuses on developing a framework to test collision resolution, which is a technique that uses advance signal processing for trying to recover a valid Tag signal from the collision. To implement this technique, a simulation model based on Software Defined Radio (SDR) was developed. The developed framework implements a RFID Listener, a RFID Signal Generator and a RFID Collision Model. The RFID Listener decodes signals according to the standard and its implementation along with the RFID Signal Generator was based on an existing open-source RFID SDR Reader. The implementation was done in MATLAB, with compatibility with Octave software. The Collision Model used the developed components from the Listener and Signal Generator to simulate tag collision under a variety of scenarios, such as SNR, amplitude and phase shift.

As for the SDR model, experiments were done with real RFID tags that complies with the ISO 1800-6C standard. The experiments were done with the USRP1 device and the RFID SDR Reader based on the open source stack GNU Radio.

It was found that from the four standardized encoding schemes for ISO 1800-6C RFID, the one which perform best with FastICA based recovery was Miller M=2, while FM0 was the one which perform worst with a bad recovery rate even at high SNR. The results were validated with experiments done with real tags that comply with the simulated scenarios.

iv

Contents

Acknowledgements ........................................................................................................................ ii

Abstract ......................................................................................................................................... iii

List of Figures ................................................................................................................................ 1

List of Tables ................................................................................................................................. 2

1. Introduction ................................................................................................................................ 3

1.1 Background: ........................................................................................................................ 3

1.2 Goals, Aims and Advantages: ............................................................................................. 4

2. Background ............................................................................................................................... 5

2.1 RFID: ................................................................................................................................... 5

2.1.1 Types of RFID: ............................................................................................................. 5

2.1.2 Privacy and Security Issues with RFID: ....................................................................... 6

2.1.3 The EPC Standard: ...................................................................................................... 6

2.1.4 Tag/Reader Collision: ................................................................................................... 8

2.1.5 Anti-Collision Algorithms: ............................................................................................. 8

2.2 The ISO 18000-6C Standard:.............................................................................................. 9

2.2.1 The Tag: ..................................................................................................................... 10

2.2.2 Tag States and Commands: ....................................................................................... 11

2.2.3 Q-Protocol: ................................................................................................................. 15

2.2.4 EPC Gen2 Timing Constraints: .................................................................................. 17

2.3 Blind Source Separation: ................................................................................................... 17

2.3.1 Independent Component Analysis (ICA): ................................................................... 18

2.3.2 FastICA Algorithm: ..................................................................................................... 20

3. Literature Review .................................................................................................................... 21

3.1 Model Research: ............................................................................................................... 21

3.2 Collision Avoidance Research:.......................................................................................... 21

3.3 Blind Signal Separation Research: ................................................................................... 22

3.4 SDR Research: ................................................................................................................. 23

4. System Design, Methods and Procedures .............................................................................. 25

4.1 Overall Design: .................................................................................................................. 25

4.2 SDR RFID Reader: ............................................................................................................ 25

4.2.1 RFID Reader Components: ........................................................................................ 26

4.2.2 Parameterizing the RFID Reader: .............................................................................. 26

4.2.3 The Issue of Latency: ................................................................................................. 27

4.3 RFID Signal Generation: ................................................................................................... 28

4.3.1 Reader Signals: .......................................................................................................... 28

4.3.2 Tag Commands: ......................................................................................................... 30

v

4.4 RFID Listener: ................................................................................................................... 31

4.4.1 RFID Reader Decoding (PIE Decoding): ................................................................... 32

4.4.2 RFID Tag Decoding (Backscattering Decoding): ....................................................... 33

4.4.3 Command Parsing: ..................................................................................................... 36

4.5 RFID Collision and Recovery Model: ................................................................................ 37

4.6 Collision Detection Model: ................................................................................................. 44

4.7 SDR Considerations: ......................................................................................................... 46

5. Testing, Results and Discussions ........................................................................................... 48

5.1 Testing and Verification: .................................................................................................... 48

5.1.1 Encode/Decode a 16 bits number into a Tag: ............................................................ 48

5.1.2 Generate a RFID Signal and its Decoding: ................................................................ 49

5.1.3 Decoding a Real RFID Signal: ................................................................................... 49

5.1.4 Generate a model for FastICA collisions recover: ...................................................... 49

5.1.5 Validate the model by doing real life recovery of signals: .......................................... 50

5.2 Results: .............................................................................................................................. 50

5.2.1 Encoding / Decoding of RN16 Numbers: ................................................................... 50

5.2.2 Generate an RFID Signal: .......................................................................................... 51

5.2.3 Decoding a Real RFID Signal: ................................................................................... 53

5.2.4 Generate a FastICA Model Collision Recovery: ......................................................... 55

5.2.5 Recovery of Real Life Collision Signals: .................................................................... 57

6. Conclusions and Future Recommendations ........................................................................... 61

6.1 Future Recommendations: ................................................................................................ 61

6.1.1 Using Amplifiers to extend range: .............................................................................. 61

6.1.2 Use of different SDR Devices and More Antennas: ................................................... 61

6.1.3 Real Time FastICA Recovery: .................................................................................... 61

6.1.3 Future Applications: .................................................................................................... 61

6.2 Conclusions: ...................................................................................................................... 62

Appendices .................................................................................................................................. 63

Appendix A .................................................................................................................................. 63

Appendix B .................................................................................................................................. 64

Appendix C .................................................................................................................................. 65

Bibliography ................................................................................................................................. 66

1

List of Figures:

Figure 1: Overview of an RFID system. ........................................................................................ 5

Figure 2: The Collision Problem .................................................................................................... 8

Figure 3: Tag Status Flow Chart. ................................................................................................ 12

Figure 4: SELECT Command Architecture. ................................................................................ 15

Figure 5: Slot selection for tags upon a QUERY command. ....................................................... 16

Figure 6: Tag response to a QUERY command. ........................................................................ 16

Figure 7: Buettner’s SDR RFID Reader Block Diagram ............................................................. 27

Figure 8: RFID Reader Preamble and Sync Frame. ................................................................... 29

Figure 9: FM0 and Miller Baseband basic functions and State Diagrams. ................................. 31

Figure 10: Finite State Machine for PIE Decoding. ..................................................................... 32

Figure 11: Finite State Machine for Tag Decoding...................................................................... 34

Figure 12: Finite State Machine for the RFID Listener. ............................................................... 37

Figure 13: Collision between two tags without time and amplitude shift. .................................... 38

Figure 14: Collision between two tags with amplitude shift but without time shift. ...................... 39

Figure 15: Collision between two tags with amplitude and time shift .......................................... 40

Figure 16: FastICA recovery of a RFID Tag signal with a collision between 2 tags. .................. 41

Figure 17: FastICA recovery of a RFID tag signal without collision. (1 tag was present). .......... 43

Figure 18: FastICA recovery of a RFID tag signal with a collision between 3 tags. ................... 43

Figure 19: Output of the absolute value of the Derivative after a Median Filter on the former

RFID signals from Figure 16. ...................................................................................................... 45

Figure 20: Generated RN16 value using FM0 Encoding, SNR of 26 and a RN16 value of 59845.

(0xE9C5). .................................................................................................................................... 50

Figure 21: Generated RFID Signal with a Tag backscatter and the ACK command. (No EPC

reply was modelled). Tari value was 24 uS. ................................................................................ 51

Figure 22: Real RFID signal recorded from the USRP1 device. (Only 1 tag was present). ....... 53

Figure 23: Generated collision and recovered RN16 signals. ..................................................... 56

Figure 24: Tag Error Rate results from the generated FastICA Collision Recovery over all the

available modulation types of ISO1800-6C under different SNR levels...................................... 56

Figure 25: Collision on the two RX antennas and recovery after the FastICA algorithm on a real

life signal recorded from a USRP1 device. Two tags were present. ........................................... 57

Figure 26: Collision on the two RX antennas and recovery after the FastICA algorithm on a real

life signal recorded from a USRP1 device. Four tags were present. .......................................... 60

Figure 27: Distribution of the Tags, RX and TX antennas and the SDR device used for this

project. ......................................................................................................................................... 65

2

List of Tables:

Table 1: Types of RFID with some characteristics. ....................................................................... 6

Table 2: RFID UHF overview. ....................................................................................................... 7

Table 3: Differences between EPC Gen1 and EPC Gen 2. .......................................................... 7

Table 4: Minimum distance across antennas. ............................................................................... 8

Table 5: FastICA basic algorithm. ............................................................................................... 20

Table 6: Implemented RFID command for the framework. ......................................................... 29

Table 7: RFID Reader Decoding. ................................................................................................ 33

Table 8: Pseudocode for the RFID Tag Decoding. ..................................................................... 36

Table 9: Outcome of the logical levels on RFID Backscattering in a collision of 2 tags. ............ 37

Table 10: Pseudocode for the FastICA recovery based on correlation scores. .......................... 43

Table 11: Pseudocode for the Collision Checking. ..................................................................... 45

3

Chapter 1

Introduction

1.1 Background:

RFID (Radio Frequency Identification) is a technology that allows little chips to be interrogated for data or identifiers from distance. Those little chips are relatively cheap to produce and because of that, RFID technology has been extended into many areas of modern life, such as contactless payments, transport fares, products tracking, security and many more. [1]

An interesting and demanded application of RFID is management of a supply chain, in where it was considered to replace barcode identification systems. EPC Gen2, later standardized as ISO 18000-6C was specifically develop to replace optical bar codes in supply chain scenarios, although it also found some use toll systems and many others areas.

During the development of ISO 18000-6C, a problem that could happen in high use scenarios, called Collision, was identified and some measures were developed to avoid it. We define Collision as the response of many tags at a reader at the same time, producing that the reader cannot identify any of them, resulting on unreliably on the system. The way on how the RFID standard deals with collision is called collision avoidance.

Although, there are algorithms that perform collision avoidance [2], most of them cannot resolve a collision once it happened, requiring the reader to resend the read query to the interested tags. Approaches based on time slots have been developed to handle collision; however these can impact negatively on the system performance when many tags are present, so exploring new approaches to resolve the collision problem is needed.

Some new research have been done in the area that shows that based on how the RFID signals on each tag are generated and based on impossibility of two tags to generate the same exact signals plus the environmental constraints during its propagation, that it is possible to separate two colluded signals, provided some requirements are meet. This is a new approach, as no commercially available RFID reader provides such characteristics. [3]

Software Defined Radio (SDR), a way to implement a radio communication system completely in software, would be a useful technology to simulate this new approach on dealing with colluded RFID signals, without the needing of designing physical devices and by capturing the required signals from real RFID devices.

This thesis project is focused on implementing the FastICA (Independent Component Analysis) algorithm to resolve collisions by developing a framework that implements the RFID standard to simulate those signals, and then try to perform the recovery on them. Also via Software Defined Radio, validate the model, by capturing the needed signals from an actual ISO 18000-6C reader and the performing the decoding and collision

4

handling via SDR, allowing testing to further improve ISO 18000-6C on tag intensive scenarios, opening the door to future improvements on ISO 1800-6C and RFID technology in general.

1.2 Goals, Aims and Advantages:

The aim of this project is to create a framework that allows testing on the collision recovery by using FastICA.

In order to achieve a successful project and meet all the deadlines specified, clear goals must be defined to avoid working out of the scope of this research.

The goals for this thesis project are as follows:

• Develop an ISO 18000-6C RFID software defined radio listener system which can decode RFID signals in the environment.

• Evaluate the suitability of ICA to resolve collision on RFID signals. • Implement an RFID software defined radio listener with support of ICA to allow

real time collision resolution. • Evaluate the implementation performance versus a commercial RFID reader to

see how well this approach performs.

5

Chapter 2

Background

2.1 RFID:

RFID stands for Radio-Frequency Identification and consist in the use of radio frequencies to identify a certain object. RFID is not a technology on itself, but a group of them, because of the way different types of radio signals behave and also due to the different approaches that are considered in the design of such systems. RFID systems consist of an interrogator or reader, a transponder or tag and antennas. (Figure 1) Normally most RFID systems do not operate on it own, but instead are part of a more large system, such a Enterprise Resource Planning (ERP) or a Warehouse Management System (WRP), altough there is need of a system that integrate RFID into these systems, that is called Middleware. [1]

Figure 1: Overview of an RFID system. [1]

2.1.1 Types of RFID:

RFID system uses frequencies bands from the range of 100 kHz to 6 GHz. [1] The actual frequencies are not arbitrary and are based on a mix of regulations and the actual needs for the system. The most common used frequencies are the following:

• 125/134 kHz (LF) • 13.56 MHz (HF) • 860 – 960 MHz (UHF) • 2.4 – 2.5 GHz (UHF)

The classes of the RFID are mostly divided on the frequency, so we can talk about LF, HF and UHF RFID. Each type of RFID has a different performance based on the limitations and performance of the radio signals at a given spectrum. A summary is below:

Type of RFID Base Frequency

Observations

LF RFID 125/134 kHz Water and skin does not have any effect on RFID operation due to the wavelength. / Lower bandwidth. / Larger antennas. / Lower range.

6

HF RFID 13.56 MHz Thin metals can stop signal propagation. Water and skin have some effect on the signals. / Lower bandwidth. / Smaller antennas. / Lower range.

UHF RFID

860 – 960 MHz Minimal propagation through water and skin act as a barrier. / Higher bandwidth. / Smaller antennas. / Large range.

2.4 – 2.5 GHz

Table 1: Types of RFID with some characteristics. [4]

Another way of classifying the RFID systems is by how the RFID tags are implemented. We can talk about Passive RFID tags, which are the ones with no battery or external energy source on them and work by using only the reader signal to activate themselves. Semi-passive tags are the one which works with both the reader signal and an external energy source on them. Finally, Active tags are tags that work exclusively with an external energy sources, and therefore they can be considered complete radio devices. [5]

2.1.2 Privacy and Security Issues with RFID:

RFID technology is practically everywhere, with applications in broad areas such as tolling, transport, inventory control, security and many others. [5] However, there are some issues with the technology that a present challenge to its implementation.

First problem is the “Ghost Read”, that is noise that can be mistaken by a legitimate RFID signal. This is a serious issue in inventory and security systems, because of the nature of the problem. (It can allow unlocking a door or miscount an item in a warehouse). Newest standards, such as ISO 18000-6C have been developed for resistant to ghost read but this are highly dependent on the environment. [6]

Second problem is the cryptographic encryption and eavesdropping of the communication. This is not an easy task to solve; as many RFID tags (Mostly passive ones) depend on low power consumption and implementation of such security measures have a direct impact on such constraints. Because of this reason, cryptographic algorithms for RFID tags are weak and still able to be intercepted, unless the switch to Active Tags is performed. However this also limits the time span of the tags, as it is not easy to replace batteries on certain scenarios. [7]

Third issue with RFID is the privacy and ethical concerns that it have arisen. As many tags are writable, it is easy to track an item or a person, an while this have been used to legitimate reasons (Military applications, kidnap avoidance and so on), some users claims RFID is a threat to privacy and that allow many ways of tracking a person without their consent.. Such claims are not a fault on the technology itself, but in the way the information is used. [4] [5]

2.1.3 The EPC Standard:

RFID is just a data carrier, but the information that is able to convey it is also in need of standardization. As RFID started as a way to replace the optical barcodes, and EPC class structure was developed for it. EPC is a universal identifier for any physical object.

Within the EPC RFID Class Structure, the following classes exist:

7

• Class 01: Purest passive tags with minimal functionality for identification. • Class 02: Passive tags with support of read/write memory. • Class 03: Semi passive tags that work on the presence of a reader signal. • Class 04: Active tags that initiate communication with other readers or tags. • Class 05: Active tags that can communicate with any other one.

For this project, we will focus on EPC Class 02, which with some modifications is now a standard known as ISO 18000-6C. This standard was initially developed by EPCglobal and consists on RFID tags and readers that work on the UHF frequency, between 860 and 960 MHz. The actual frequency used depends on the country. Table 2 shows the distribution of the frequencies.

North America

Europe Singapore Japan Korea Australia Argentina, Brazil and

Peru

New Zealand

Band Size (MHz)

902 – 928

866 – 868

866 – 869 923 – 925

950 – 956

908.5 – 914

918 - 926 902 – 928 864 – 929

Power 4 W 2 W 0.5 W 4 W 2 W 4 W 4 W 0.5 – 4 W

Channel Number

50 10 10 12 20 16 50 Varied.

Table 2: RFID UHF overview. [5]

The first version of the EPC specification: EPC Gen1, was a proprietary monopoly of few companies. In 2003, due to the lack of standardization, an UHF RFID standard started to be developed and in 2004 it was completed and called Class 01 Generation 2 EPC Standard. Sometime later this EPC standard was extended and approved by ISO, creating a global standard for UHF RFID. However, not all UHF RFID systems are standardized, as China does not recognize the EPC or the ISO standards and hoping to develop its own one. [8]

A table with some differences from the both EPC Gen specifications is below:

Description EPC Gen1 EPC Gen2 Acceptance Level Proprietary Specification ISO standard. Arbitration Binary Tree Probabilistic Slotted Anti-Collision Algorithm Binary Tree. Q Algorithm. Air Interface Modulation PWM (Pulse Width

Modulation) PIE (Pulse Interval Encoding), Miller and FM0.

Data Rate 40 / 80 Kbps. 40 to 640 Kbps. Distance < 10 m < 10 m Frequency Range 850 – 930 MHz 860 – 960 MHz Security Password 8 bits 32 bits Ghost Reads 1.3 per 1000 None Write Speed 3 tags per second > 5 tags per second. Sessions None 4 Sessions

Table 3: Differences between EPC Gen1 and EPC Gen 2. [8]

8

2.1.4 Tag/Reader Collision:

As much of the original interest on the development of RFID, especially UHF RFID, is related to supply chain management, it is not uncommon that a reader operates in a dense tag environment, such as warehouses, where multiple tags exists on the same place. In the ISO 18000-6C and in passive systems, the reader necessarily starts the communication and when if multiple tags reply to this signal at the same time, they interfere with each other and the reader cannot decode them both. This is called “tag collision. Also, when multiple readers issue a read command to a tag, they interference with each other and the tag cannot decode the original command. This is called “reader collision” and it is relatively unimportant and easy to avoid. Tag collision on the other hand is one of the challenges on RFID in general. [7]

Figure 2: The Collision Problem

Reader Collision can be avoided if certain rules about minimum distance, orientation and position of the antennas are followed. Table 3 summarizes the minimum distance recommended based on the number of channels that readers are able to switch.

Channel Difference

Antenna Projecting Horizontally Front (m) Side (m) Back (m)

0 1400 350 210 1 180 45 30 2 130 25 15 3 95 20 10

Table 4: Minimum distance across antennas. [7]

The management and causes of the collision depends on the standard used. For ISO 18000-6C, the main cause of collision is a lower Q value during the inventory commands performed by readers. This will be detailed later in this document.

2.1.5 Anti-Collision Algorithms:

Because of the problem of tag collision, major developers for RFID have developed different types of algorithms to try to deal and reduce this problem to the minimum. This type of Tag Anti-Collision algorithms can be divided in two broad groups: ALOHA Algorithms and Tree Algorithms.

ALOHA algorithms are based on reduce the probability of the collisions, by issuing each tag a random slot in time when it may transmit. However, ALOHA does not

9

prevent collisions happening, as when the number of slots is smaller than the number of tags, collision will occur. Also, if a tag never responds to a query of allocation, the slot will remain assigned and the algorithm will run out of spaces. This is called “tag starvation problem” and it is one of the main causes of collisions when using ALOHA algorithms. [7]

On the other hand, Tree Algorithms exist, which treat the tags as a node of a tree. This approach orders the tags on a binary tree according to certain conditions and then proceeds to explore the tree. These algorithms do not have the tag starvation problem of ALOHA, however they are relatively slower to complete than ALOHA. Two main implementations of the Tree Algorithm approach exist: Binary Tree and Query Tree Algorithm. [7]

Generally speaking, an Anti-Collision Algorithm must provide the following features:

• The reader must be able to identify all the tags inside its own reading range. • The reader must recognize the tags as quickly as possible. • The recognition must be performed using the minimum amount of energy, since

most tags are passive ones.

As for the ISO 18000-6C standard, it uses a variation of ALOHA called Q Protocol. [1] More detailed explanation of the anti-collision protocol for ISO 18000-6C is in the next section.

2.2 The ISO 18000-6C Standard:

ISO 18000-6C, also called EPC Class 1 Generation 2 before its standardization [1], is a standard that details the communications between RFID tags and RFID readers. It is based on a “reader talk first” architecture, in where the reader issue commands to a single or group of tags and then collect responses. This standard was developed with mind on multiple tag environments, such as warehouses. The frequency bands for this standard are as follows:

• Region 01 (Europe and Africa): 865 – 868 MHz. • Region 02 (United States and Canada): 902 – 928 MHz. • Region 03 (Asia): Some countries follow Region 01 and others Region 02

regulations.

Usually, the frequency spectrum on each of the bands is divided in channels or sub bands. This sub bands bandwidth varies on the region. In Region 01, the bandwidth is about 500 KHz per each one and in Region 02 the bandwidth is about 200 KHz. Due to regulations on the RFID frequency use, the reader has a limit of 400 ms to use a certain channel and then switch to another random one. Also, readers must follow a Listen before Talk scheme, in which the readers will only use a single channel if no transmissions are detected below a certain threshold. [7]

The tags must understand at least 3 types of modulation schemes, because the readers will select one of them, based on the current country of operation, the noise in the channel and the own preferences established by the user. The three modulations schemes are:

10

• DSB-ASK (Double Sideband Amplitude Shift Keying) • SSB-ASK (Single Sideband Amplitude Shift Keying) • PR-ASK (Phase Reversal Amplitude Shift Keying)

Tags usually reply to the reader with coding scheme called PIE (Pulse Interval Encoding) in which the duration of a 0 bit pulse is established as Tari Frequency. The duration of the 1 bit pulse is at least 50% longer than Tari frequency. The use of Tari frequency allows the reader to set a data rate for the tag. (By changing Tari value). This data rates varies between 40 to 640 Kbps, depending on the reader and in the tags design. [7]

Tags must follow the Q Protocol, in which the reader sends an special signal to the tags, then the tag choose a random value and is dependent on the Q value originally sent by the reader, with a maximum number of 2^Q – 1 states. Tags provide identification using a random 16 bits value, called RN16. This can also be used for encrypting the tag response, but depends on the reader to do so. [7]

Tags also accept some commands that the reader can issue for enquiring, to access certain memory positions on the tag memory map, to write the tag and even to deactivate the tag if requested. Tags support up to 4 sessions and have some internal memory that keeps constant even if the RF power is absent. [7]

Complete coverage on the standard is outside the scope of this report, so we will focus only on the Tags internals, the protocol State and Commands and the Q Protocol for anti-collision.

2.2.1 The Tag:

ISO 18000-6C describes an advanced tag, with the capabilities of write multiple cycles on an internal memory, enforcing some restrictions on the read and writing and the capability of being permanently disabled. For implementing the security measures, two 32 bits password are used, one for reading privileged sectors of the memory and other to kill the tag.

Memory in ISO 18000-6C tags is divided into Banks. 2 Memory tags is the compulsory capacity that a tag may have, with the possibility of implementing up to 4 banks.

Bank 00 includes the killing and I/O passwords and Bank 01 includes the EPC value, as well as some information about the tag. As opposed to other standards, the CRC value for the EPC code is now computed by the tag, instead of being saved in the memory. As for the memory locations, the default word used is 8 bits. However, by the using of EBV (Extensible Byte Vector), the address can be arbitrarily large: Every bit is divided into 1 bit of control and 7 bits of address. If the control bit is 0, then the next 7 bits possess the entire address. If the control bit is 1, then the 7 bits are part of the address and an additional byte is append. The next byte follows the same rules until the control bit is 0.

By default, the EPC code inside the tag is a 96 bits one, with a word size of 16 bits. The maximum value for 16 bits words that are part of an EPC code is 31, however only

11

up to 29 words can be used in practice. This provides up to 10139 different EPC identifiers.

As for the protocol used for interfacing with the reader, the tag works by using PIE (Pulse Interval Encoded) symbols, which are issued by the reader using a base value knows a Tari Frequency. The encoding is similar to PWM, with the difference on the duty cycle and period varies for each symbol. For bits values of 0, the power on interval is 0.5 Tari, followed by a 0.5 Tari power off interval. For bit values of 1, the duration of the power on interval could be from 1.5 to 2 Tari, followed by a 0.5 Tari power off interval. Standard values used for Tari are 6.25, 12.5 and 25 µS, corresponding to data rates of 160, 80 and 40 Kbps respectively. [1]

2.2.2 Tag States and Commands:

The following are the valid states for a communication session on ISO 18000-6C : [1]

• Ready: Initial state at power up. • Arbitrate: The tag is getting a slot into the inventory process. • Reply: The tag reply to the reader. • Acknowledge: The tag has received data. • Open: The reader has opened a channel with the tag for I/O operations. • Secured: A secure channel with the tag has been established. • Killed: The tag will not reply to any command.

The Ready state is the first state in which a tag enters, when it got power from the reader. The transfer to any state depends on the commands issued by the reader.

12

Figure 3: Tag Status Flow Chart. [1]

Figure 03: ISO 18000-6C Tag Status Flow Chart. (Taken from: Dobkin [1])

The commands defined as Mandatory are the following: [9]

QUERY Command: As ISO 18000-6C was designed for supply chain environments, this command launches a complete inventory round. The following parameters are used: [9]

• DR (TRCal Divide Radio): A factor to configure the Tari frequency and data rate. • M (Cycles per Symbol): Miller factor, related to the data rate and modulation used. • TRExt: Sets the presence or absence of a pilot tone at the beginning of the packets. • Sel: Indicates which tags will respond to the command. (Based on the status of the

SELECT status flag on the tags). • Session: Indicate to which session the inventory round will correspond. (A tag can

be accessed by up to 4 different inventory rounds, each of them in a different session).

• Target: Select which tags will respond based on the session value of them. (The values for each session could be: A, inventoried or B, non-inventoried).

• Q: Specify the number of slots available for the inventory round. • CRC-5: A 5-CRC to ensure that tags will only process a correct command.

QUERY-REP Command: This command indicates to the tags to decrement their slot counter. If the slot value is already 0, this will make the tag to generate a RN16 number

13

again. It only parameter is Session, which indicates to which session the reconfiguration will correspond. [9]

QUERY-ADJUST Command: This command performs a new inventory round, preserving all the values given by a former QUERY command, except for the Q value. [9] It has the following parameters:

• Session: Indicate to which session the inventory round will correspond. • UpDn: Indicates how the Q value on the tag is adjusted. Could be incremented by

one, decremented by one or no change at all.

ACK Command: This command confirms that a certain tag has been acknowledged by the reader. The ACK command will reply to the tag with a RN16 number or the tag handle, depending if the reader is acknowledging an inventory status or secure state (For reading or writing on the tag memory), respectively. [9]

NAK Command: This command makes a tag to return to the Arbitrate State. The Inventoried value of the Session in the tag will not be changed. This command is normally issued when the reader received an invalid EPC code from a tag. [9]

REQRN Command: This command request a new RN16 number to the tag. The RN16 or handle value of the tag must be included. Depending on the Tag current state, the reply will vary. If the tag receives this packet during the Acknowledge State, it will check if the attached RN16 correspond to the one generated by the tag and then will reply with a Handle value. If the packet is received during the Open or Secure State, it will generate a new RN16 value. This is used to ensure a secure channel based on a XOR encryption based on that reply. [9]

READ Command: This command allows a reader to access to any memory address into the tag, provided if it is not password protected or locked. [9] It has the following parameters:

• MemBank: Specify to which memory bank the READ command will apply. • WordPtr: Specify the starting address for the reading, given a 16 bits address

format. • WordCount: Specify the number of 16 bit words that will be read. If the value

given is 00, the tag will reply with the contents from the WordPtr address to the end of that Memory bank.

• RN16: Specify the tag handle value. • CRC-16: A 16-CRC to ensue only a correct command will be processed.

WRITE Command: This command is similar to READ command, but allows writing on the tag memory, provided the address to be written is not locked or password protected. [9] It has the following parameters:

• MemBank: Specify to which Memory Bank, the WRITE command will apply. • WordPtr: Specify the destination address for the writing, given 16 bits address

format. • Data: Specify a 16 bits word that will be written in the WordPtr address. • RN16: Specify the tag handle value.

14

• CRC-16: A 16-CRC to ensue only a correct command will be processed.

ACCESS Command: This command is used to request a secure access to the tag. This command is used to allow READ and WRITE commands, to access protected areas. This will cause the tag to switch to the Secure state. For security reasons, each ACCESS command will net a different tag Handle value, and each ACCESS command will only send a 16 bits block of the 32 bits tag password, so to access a tag, 2 ACCESS commands will be needed. [9] It has the following parameters:

• Password: 16 bits block of the 32 bits tag password. • RN16: Specify the tag handle value. • CRC-16: A 16-CRC to ensue only a correct command will be processed.

SELECT Command: This command allows accessing to the tag memory and executing some memory manipulation based on Union, Intersection and Negation operators, depending on certain flag values on the tag. [9] It has the following parameters:

• Target: Indicates if a specific Session flag will be modified or not. • Action: Specify how the Session flag will be modified. • MemBank: Specify the memory bank to be read. • Pointer: Specify the start bit address for reading. This is not the same format

as the 16 bit address format of READ and WRITE commands. This is a bit addressing.

• Length: Specify how many bits from the Pointer address will be read. It allows only 0 to 255 bits to be reader per command.

• Mask: Specify a mask to match within the read value indicated in Pointer and Length.

• Truncate: Specify is the result of the mask should be truncated to the mask length.

• CRC-16: A 16-CRC to ensue only a correct command will be processed.

Logical operations like AND, OR and XOR can be implemented using a sequence of SELECT commands with various Target and Action parameters. However, the possibility of failure during transmission is high, so it is recommended to perform only simplest operations.

15

Figure 4: SELECT Command Architecture. [1]

KILL Command: This command will completely disable a tag. Depending on the tag, it could be a non-password kill or a password kill, which needs that the reader uses the ACCESS command first to authenticate itself with the tag and to send 2 KILL commands due to the 32 bits password used. [9] It has the following parameters:

• Password: A 16 bits block that could be half a password for protected kills or just random values for a non-password kill.

• RFU: 3 bits that must be 000. Reserved for future functionality of the standard. • RN: Specify the tag handle value. • CRC-16: A 16-CRC to ensue only a correct command will be processed.

LOCK Command: This command allows editing the permissions on the memory of the tags, enabling or disabling passwords, EPC edits or making such locking permanent. [9] It has the following parameters:

• Payload: A 20 bit mask that specify which areas of the tag will be modified and how. The exactly details are referenced on [9].

• RN: Specify the tag handle value. • CRC-16: A 16-CRC to ensue only a correct command will be processed.

2.2.3 Q-Protocol:

As opposed to former standards, ISO 18000-6C uses an ALOHA variant called Q Protocol. [1] The basic scheme of how it works is as follows:

• The reader defines a number of slots, in an inventory: round. • Each tag chooses a random slot within the round. • The reader starts issuing each slot query. • If the tag has the reader’s slot, it replies with a random number. • If the reader can decode the number, it sent acknowledge to the tag. • The tag replies with its EPC code. • With the random number and the EPC code, the reader can issue other

commands to the tag. (Write, Kill, etc).

16

When a tag receives a QUERY command, it read the Q value that it’s included. Q is the value for defining how many slots the reader can handle and once received the tag will allocate a number between 0 and 2^Q -1 . The reader generates this Q number based on input from the user and own heuristics. A complete set of 2^Q slots it’s called a round. [1]

Figure 5: Slot selection for tags upon a QUERY command. [1]

If the random value generated by the tag is equal to 0, it replies immediately. If the value is different than 0, the tag saves the value in a special register, slot counter, and waits to QueryREP commands which will instruct it to decrease by one its slot counter. When a tag hits 0 at the slot counter, it generates a random 16 bits number, called RN16 to the reader, and the reader will just send an ACK command with the RN16 number of it. If there is no collision, the tag will receive the ACK command with the RN16 number and then it will reply with its EPC code. The RN16 number will be used by the reader as identification to establish a communication with the tag, for sending other type of commands. [1]

Figure 6: Tag response to a QUERY command. [1]

17

If the reader just queries the tag for its EPC, it will need to free the slot that the tag is allocating and it will send a QUERY-REP command that signalizes end of the session. The tag then will wait for another QUERY command again. [1]

In the case that 2 tags got the same RN16 number, a collision will happen and the output will be impossible to decipher. Getting the same RN16 is mostly caused because the Q value on QUERY command is too short to allocate all the possible tags. Upon the detection of a collision, the reader will select another value of Q and restart the protocol. [1]

Notice that unless the user sets a minimum Q value or some record of past Q values will remain on the reader, it will have no knowledge of what an appropriate Q value will be. Also, the reader will reduce Q if it notices that only 20 – 30% of the slots were allocated. [1]

It is important to notice that we are not guaranteed to be in a collision free environment even if we increase Q value. Because ISO 18000-6C tags have 4 states, it is possible that electrical interference would change the state value of a tag and reply to an unrelated QUERY command. Also, depending on how the tags are distributed, some of them could not receive enough energy to even process the signals and in a later point in time, they will reply to another QUERY command. [1]

2.2.4 EPC Gen2 Timing Constraints:

In order to guarantee an acceptable performance in high throughput scenarios, EPC Gen2 standard defines a series of constraint s in respect to the time that Tags and Readers had to reply to each other. [9] The most important and relevant for this project are listed below:

• T1, is defined as the maximum time that the tag has to reply to the reader after the last rising edge of a command was received. It’s defined as 10 times the backscattering frequency selected by the reader.

• T2, is defined as the maximum time allowed for the reader to reply after receiving the last raising edge of a tag. It’s defined as 20 times the backscattering frequency selected by the reader.

• T4, is defined as the minimum time that the reader has to wait before issuing another command. It’s defined as 2 times the RTCal value choose by the reader.

Value T2 is important as the Tag will ignore any message from the reader after this value has expired. In order to allow the reader more time for processing, the smallest value of the backscattering frequency must choose. The smallest value according to the specification is 40 KHz. (And the maximum is 640 KHz).

2.3 Blind Source Separation:

The basic idea of Blind Source Separation is to separate a series of mixed signals into the original source signals. This process is done knowing few or nothing about the source signals. [10]

18

Normally this is a probabilistic problem, as usually the unknowns exceed the equations of the model.

A simple way of visualizing this problem is the so called “cocktail party problem”. Imagine two microphones set in different places on a room. Those microphones will record their own signal of two speakers which are inside the room. So, by denoting the recording signals x1 and x2 and knowing that the signal from the two speakers will have different amplitude at each microphone, we could write:

����� = ����� + ���

���� = ���� + ��

So given a set of at least two mixed signals, they can be estimated if we know the aij matrix which provides the amplitudes of both signals at the specific receiver. This is called a Mixing Matrix. However, in real scenarios we would not know the mixing matrix, as the factors which generate this mixing matrix are outside of our control (Reflections, unwanted echoes, etc.) and thus, the problem becomes more difficult to solve.

However, the problem becomes easy to solve as soon as we assume that both signals are statistically independent in time, being this property found in many real life signals in which this type of signal separation is desired. There are many approaches for blind signal separation, but the most used ones are PCA and ICA.

2.3.1 Independent Component Analysis (ICA):

ICA is a generalization to the cocktail party problem based on the assumption that the signals are independent over time and mixed in a linear way. [10]

Assume a series of original signals Z, mixed with the A mixing matrix, producing the XT observation matrix.

�� = ��

The goal of ICA is to find an approximation of the original values found in XT in a new matrix ZT, based on a de-mixing matrix W.

�� = ���

According to the Central Limit Theorem, the summation of two independent random variables tends to the Gaussian distribution. This property is exploited by ICA by the attempts of finding a W matrix that maximizes the non gausianity of each source. Because of this property, it’s recommended that the number of observations used should be equal to the number of sources, as the algorithm would not be able to maximize the non gausianity of the signal if the mixing matrix is not big enough for all the signals, which would end in just some signals being identified and others keep mixed.

ICA needs to evaluate the non gausianity of each component in order to generate a good de-mixing matrix. There are many different types of non-Gaussian estimation. In order to improve this process, the signals are assumed to have zero mean.

19

Kurtosis Measurement:

Kurtosis on a y signal is defined as:

������� = ����� − 3�����

Where E is the cumulant of the probabilistic distribution of the signal. Kurtosis could be positive or negative, but for the purposes of ICA, the absolute value is used as a measurement of non gausianity. However, Kurtosis is sensitive to outliers and if not enough observations are provided it will lead to false results.

Negentropy Measurement:

Negentropy is a measurement based in the differential of the entropy. Entropy is defined as the degree of information that a variable conveys, so the larger the randomness of the variable, the larger the entropy. Because of this property, we could said that the Gaussian variables have the largest entropy and the one which concentrate information on certain values, has lower entropy.

Negentropy of a signal y is defined as:

���� = ���� !""# − ����

Where H() is the entropy measurement and ygauss, a Gaussian distribution with the same covariance matrix of y. The negentropy value is set to be non-negative due to this and only 0 if the y variable follows a Gaussian distribution.

Minimization of Mutual Information:

Other approach used on ICA instead of non gausianity measure is to the minimization of information by taking the Kullback-Leibler divergence between two variables. This value is defined to be non-negative and 0 if the variables are statistically independent.

ICA Pre-processing:

In order to guarantee converge on its operations, ICA needs to apply to the data some pre-processing schemes:

• Centering, by subtracting the mean, so each observation had zero mean. • Whitening, by transforming the vectors into a new uncorrelated vector with 1 of

variance. • Band Pass Filtering: Higher frequency components could hurt the non-gaussian

estimation, so it’s recommended to filter them out before processing the signals.

ICA Limitations:

Due to the assumptions made by ICA, there are some limitations on the output:

• There would be amplitude ambiguity, as any amplitude would solve the ICA relationship of non gausianity.

• There would be sign ambiguity, as both positive and negative values would solve the ICA relationship of non gausianity.

20

• The order of the components is not guaranteed to be the same as the signals. • ICA only holds if the mixing matrix is time invariant. If the mixing matrix is

changing, then the data must be split and processed accordingly.

2.3.2 FastICA Algorithm:

FastICA is a fixed point implementation of ICA, developed by Hyvärinen [11], which uses Nonentropy measurements to calculate the non gausianity of the signals being reconstructed. A fixed point approach is used, which gives the following properties:

• Convergence time is cubic (Or at least quadratic), if the signals are independent. • No step size parameters, as opposed to other gradient descent

implementations. • Being able to find independent components of any non-Gaussian distribution,

without the need of knowing the probability density function. • Each independent component is estimated individually. • Fixed Point algorithms allow FastICA to be parallel, distributed and consume

low memory.

choose an initial random weight value W W_plus = E{xg(W Tx)} - E{g'(W Tx)}W w = w + / ||w +|| if (w not converged) loop

Table 5: FastICA basic algorithm.

21

Chapter 3

Literature Review

We said earlier in this document that the main problem of RFID tags on high use scenarios is the collision, which is the reply of 2 or more tags at the same time which causes a failure on the RFID reader due to its inability of decoding a mixed signal. Although the RFID standard have considered and developed some methods to counter the collision problem [9], this is still an open area on the RFID research.

3.1 Model Research:

In order to approach the collision problem properly, some models on how collisions are created are needed. There is previous research on UHF RFID that proposes certain approaches to model collision data:

Ayer [12] research’s on RFID signals it is focused on which factors influence on the tag antenna response. The factors studied were the power of the transmission, the silicon of 4 different types of tags that were evaluated, the frequency of the RFID reader command and the width of the pulses of the reader commands. This research showed that UHF RFID tags resist some degree of change between the parameters and because of that it is possible to implement some kind of dynamic RFID readers.

A PhD thesis by Zhu [13], provide information on a model that tries to conform with the four general approaches to anti-collision: ALOHA, Q Protocol, Interval and Hybrid Model and proposes a general function to optimize the reading order of tags to avoid collisions.

Also, the PhD thesis by Sun [14], provide insight into a collision model for EPC Gen2, but focused on an additive model, in which the summation of two or more RFID tag signals, will create a new signal with different amplitude levels which are related to the logical levels of each of the tags that colluded together.

Research by Angerer, et al. [15], provides insight in a method of modelling collisions based on the I/Q components, stating that due to phase and amplitude shift, each tag will lie in a different part of the I/Q graph, and that this position is dependent on the channel and SNR.

3.2 Collision Avoidance Research:

There is research that is focused on avoiding future collisions, by making either detecting them easily or by improving the way on how the algorithms that assign slots to the tags (The ALOHA one for EPC Gen2) works.

The work of Lei, et al. [16], focuses on the way on how a reader can detect collision. The traditional approach of decoding the CRC and finding a non-match is considered slow, as requires the entire tag to be decoded, so the proposed solution is to use Boolean operations, which are faster than normal CRC decoding. The main disadvantage is that this work requires modifications on the EPC Gen2 standard. No current implementation of this algorithm exists yet.

22

Also, improving the overall algorithm used (ALOHA) could be useful, so the reader can actually predict how many tags are present and update parameters accordingly. The research by Cha and Kim [17], is focused on improving ALOHA prediction of the population of tags, by implementing a dynamic slot allocation scheme, based on the probability of a certain slot to be given to a tag. Another research, done by Cheng, et al. [18] analyses how well ALOHA performs at different SNR levels, showing that underperforms when the SNR levels are below 3 dB.

A different approach on collision avoidance that requires personalized commands, is proposed by Hong Gang, et al. [19], which proposes the use of a ‘silent space’ between tag preamble and actual data, to be able to detect a collision and to it, only the tags which are estimated to be on this silent space will be required to reply again via a personalized command.

Methods based on proposing a completely different collision avoidance algorithm exists, such as the one by Yeh, et al. [20], called ASPS. This algorithm works by estimating how many collisions are in a signal by splitting the signal and then using a probabilistic approach to estimate tag population.

Another important piece of analysis in EPC Gen2 is the Q Protocol [8], which is used to assign the slots for the tag reply. The work of Jianwei, et al. [21], proposes an algorithm that divides the collision in 2 steps, and by using jumping reading ensures that the next nodes in the tree are collision free, thus performing fewer calls to read colluded tags and improving the speed of the anti-collision process in general, as there are less nodes to explore.

A proposed protocol by Ji Hwan, et al. [22] called RN16QTA exists, which is based on the Q Protocol. This algorithm depends on the random 16 bit number generated by each tag (RTN16) which is used to construct a query tree that keeps track of which tags have been already called in order to reduce time for exploring the whole Tree. However, this is only a proposed protocol and it has not been implemented on real tags. A related approach is proposed by Liang-Chin and Hsin-Chin [23], which analyses the tag signal at each reply and then updates the Q value accordingly, based on the detected logical levels of the signal.

Other approach, such as the estimation of number of tags from the I/Q components of the signal, is proposed by Khasgiwale, et al. [24], which analyses the clusters of points in the I/Q space and determines the number of tags to issue a correct Q Value update.

Finally, a literature review on many anti-collision algorithms for the ISO 18000-6C standard was done by Quan, et al. [25] in which it concludes that memory less algorithms, such as Q Protocol and its variants are similar or more effective than more complex and probabilistic approaches such as ALOHA and its variants: STAC, I-Code and Bit-Slot. Some further description on such algorithms can be found on Azambuja, et al. [2]

3.3 Blind Signal Separation Research:

This kind of techniques try to recover signals from more than one RX signal, based on the idea proposed by Yuan and He [26] which considers that collision is basically

23

various superimposed signals with some phase shift and delay instead of just a one colluded signal. This could make possible to separate the two mixed signals using multiple antennas, in order to capture each phase shift and then performing the Independent Component Algorithm (ICA) to separate the signals. However, this research is done from a completely simulation perspective. A similar work that proposes a blind estimation channel with multiple antennas, based on a model of delay and phase shift its proposed by Duangsuwan and Promwong [27].

Although not based on Yuan and He [26] research, a practical implementation of the ICA approach, was developed by Sun, et al. [3] considering that the mixed signals from collision follows an additive model and that provided multiple antennas it is possible to separate 2 mixed signals and performing successful decoding on each of them. This project was implemented using FPGA and with Labview NI software, making it the only one which was actually tested on real hardware. A more detailed description of the process is on the PhD thesis by Sun [14] in which this approach work with both static and moving tags.

Related to the ICA algorithm, the research of [28], shows the use for the blind signal separation to remove unwanted components from EEG signals. The algorithm was also used to separate and analyse other biological signals from the EEG, such as the blink rate of the user. More details can be found in the main report by Jung, et al. [29].

Other approaches rather than ICA, are tried both in the thesis of Sun [14], by using a rising edge analysis on the colluded tag, and trying to identify which bits correspond to a given multi-level signal, and also in the research by Mindikoglu and van der Veen [30], in which the zero crossings of the signal are analysed in the different antennas in which the signal is captured and according to the eigenvalues of the captured signals, estimate the original RFID signals.

A single antenna approach is examined by Angerer, et al. [15], which uses the I/Q property described by Khasgiwale, et al. [24], to try to separate the RFID signals based on the cluster that they form in the I/Q space.

3.4 SDR Research:

The possibility of Software Defined Radio (SDR) has opened the door for researching on the own signals of an RFID signal. For achieving this goal, some research has been done from the development of a RFID listener to an actual study on the Collision Resolution using SDR approach.

In 2010, Donno, et al. [31] have initially developed an EPC Gen2 implementation of a decoder, using a “listener based scenario”, originally for building an low cost RFID protocol analyser. Its approach consists on capturing signals via the Universal Software Radio Peripheral (USRP) and then performing the decoding of such signals using the GNU Radio subsystem. The accuracy of the listener is dependent on the distance from the antennas to the actual tags, but the reader performed fairly well until 7 m. This implementation is open sourced an available in the CGRAN Archive. (https://www.cgran.org/wiki/Gen2Listener)

24

At almost in the same time, in the same year, Buettner and Wetherall [32] developed a Gen2 Listener, but this research was more focused on the creation of an RFID tester for performing compliance tests. The approach used is exactly the same as the work of Donno, et al. [31], which means that the Universal Software Radio Peripheral (USRP), but in this research it was the USRP2 instead of the USRP1, was used to capture signals from a physical RFID reader and then perform the decoding completely using the GNU Radio subsystem. The research focuses on some delays caused by the software processing which can make difficult to make a completely SDR compliance tester. Like the Donno’s reader, this one is also open source and available in the CGRAN Archive. (https://www.cgran.org/wiki/Gen2)

The next year, in 2011, Buettner and Wetherall [33] presented a complete implementation of the Gen2 protocol with both a reader and a listener developed entirely with Software Define Radio, that can successfully read tags up to 6 m. But this research was more focused on using this complete SDR Gen2 Protocol to experiment with the implementation itself, by using the WISP (A programmable RFID tag from Intel Research) to develop some additions to the Gen2 protocol, both in tag and reader side.

The development of this two readers was used some time later to perform more research and experimentation on UHF RFID in general, as demonstrated by Briand, et al. [34], which extend Buettner’s implementation for cryptography. The main difference with Buettner’s research is that in this one some experimentation was done with a complete SDR tag, instead of the WISP tag that was user by Buettner. This project does not release any code nor is it accessible in the CGRAN Archive.

Although not related to UHF RFID, there is a work by Dawei, et al. [35] which focuses on separating colluded signals for ISO 1443-A (125 KHz) based on the amplitude and phase differences between signals. The interesting part of this research is that they claim to be able to separate signals using only one antenna by using 4QAM modulations and a likelihood estimator. This approach was implemented with the USRP device and GNU Radio, although no source code is released nor it is accessible in the CGRAN Archive.

The PhD thesis by [Sun [14]] has a complete implementation of SDR-like collision resolution based on FPGA and Labview NI platform. Because this was implemented as code for the FPGA, it can be said that this is a complete implementation of collision resolution related to the SDR approach. No source code it is available from the document.

A related research done by De Donno, et al. [36] uses a SDR RFID Reader an WISP tags in order to analyse a collision detection algorithm, but with a fixed number tags, so the population of tags could be estimated depending in where the collision have been occurred, such as in the preamble or inside the bits. As they were using SDR, they propose modification to the signal layer of EPC Gen2 to allow these detections.

25

Chapter 4

System Design, Methods and Procedures

4.1 Overall Design:

The developed framework will have the following components:

• SDR RFID Reader • RFID Signal Generator • RFID Listener • RFID Collision and Recovery Model • RFID Collision Detection Model • SDR Considerations

In order to successfully design this system, a series of requirements also have to be followed.

• Efficient algorithms, as RFID runs in really constrained hardware. • Fast parsing speed. • Have to operate even if unwanted components are present in the signal. • Highly adaptive. • Has to be programmed as close as possible to a Real-Time approach.

Because of time limits during the development of this research, the following aspects of the design are not implemented, although they are discussed:

• Real Time implementation of Collision Recovery on the fly. • Clock recovery for RFID Signals.

All this components and requirements will be discussed in the next parts of this section.

4.2 SDR RFID Reader:

This project uses an open source RFID Reader implementation, specifically the one developed by Buettner and Wetherall [33]. This reader was originally developed to work with the Intel WISP tags, which are active RFID tags implementing the Gen2 RFID protocol in software.

The RFID Reader used was developed for GNU Radio, an open source framework to perform SDR, which handles all the process of capturing from a supported SDR device and recording the samples in a computer for further processing. Also a variety of primitives are provided such as modulation, demodulation, filtering, etc.

The use of the SDR approach allows to develop the reader completely by software and also to control all the aspects related to the RFID protocol.

26

4.2.1 RFID Reader Components:

In order to control the reader, we need to identify its part and how it operates. A description of each stage on the SDR Reader software is provided:

• USRP RX: This software uses the USRP1 device, manufactured by Ettus Research as the input device. The USRP1 by itself is just an ADC/DAC, so an external transceiver which can tune the frequencies of Gen2 RFID (915 MHz for this case) is needed. This external device is the RFX-900 Daughterboard which is mounted on top of the USRP1 and allows it to receive and transmit on the 850 to 1050 MHz range. For this application, a sampling rate of 4 MS/s is used.

• Matched Filter: Due to the own nature of backscatter signals, these usually present low SNR values. In order to improve the recovery and decoding, a Matched Filter is used. The filter is implemented as a FIR Decimating one, which sets the decimation value to 5 and with an order corresponding to the number of samples for the backscatter frequency. The backscatter frequency defined is 40 KHz, and after the decimation, the number of taps is set to 25.

• Command Gate: The reader will only process backscatter signals, so this component will analyse the signals and filter out all the Reader commands (Which are higher in amplitude in comparison with the tags), allowing only to pass sections of the signal when a Tag response is expected to happen.

• ACG: The signal is amplified to an acceptable level to ensure detection. • Normalization: The tag backscatter signal is a BPSK one, with only 2 logical

levels. However, the signal has a significant DC offset due to be modulated on top of the RFID Reader wave, so this is filtered out.

• Clock Recovery: The signal is processed using a Muller & Mueller Clock recovery scheme, to guarantee that all the symbols are of the same size, to improve the decoding procedure.

• RFID Tag Decoder: The signal is decoded by using a correlation approach in which the preamble and one and zero bit symbols are correlated.

• RFID Reader: According to the result of the tag decoding, the reader will reply to tags using an ACK command or start another query cycle. The signal from the reader is generated at a sampling rate of 800 KS/s.

• Amplifier: It just ensures that the signal is outputted with the highest possible energy from the USRP1 to energize the tag.

• USRP TX: The signal is back transmitted to the tag.

4.2.2 Parameterizing the RFID Reader:

This RFID reader has most of the operation parameters, such as Tari value, modulation type for tags and backscattering frequency, set as hardcoded values. Most sections of the reader, especially the Tari values are limited due to restrictions in the sampling rate from the USRP1 device, but other ones could be modified by the user and does not need to be set as hardcoded. Those functions, including the modulation type and the number of cycles per read were exposed to the user.

Values such as a Tari and RTCal, are left with the original values to the way on how other components are tuned into the system.

27

Finally, this reader was developed for an old version of GNU Radio, which limits the application, as it relies in old hardware. A porting to the latest stable GNU Radio version at the time of this report (3.7) was done, in order to analyse the data. The upgrade includes the capability of capturing from other devices supported by GNU Radio and the capability of capturing from many antennas.

Figure 7: Buettner’s SDR RFID Reader Block Diagram

4.2.3 The Issue of Latency:

SDR has the flexibility of being able to control all the stages of RFID decoding, but also has the problem of latency. The most time consuming process is to actually move the captured samples from the USRP device. Timeout is a serious issue on RFID systems, as the Gen2 RFID specification specifies a Reader -> Tag responding time to be less than 20 times the backscatter frequency. Considering that the backscatter frequency on the reader is set to 40 KHz, the time that is needed to do the tag decoding and processing is less than 500 µS. (Assuming the sampling rate at 800 KS/).

The used SDR reader relies on the use of Intel WISP in order to bypass those timeout restrictions, as the WISP tag implements RFID by software and the timeout can be increased. However, in our case, as we are using real life tags, we are only able to get the Tags backscatter, but not to actually get the EPC Values from the ACK responses, as they happen after the timeout defined by the specification. For this reason, the next stages will operate on captured data instead of real life data.

A way of solving this problem is to implement the model into a high speed device, such as a FPGA. However, FPGA development is usually complex, so a prototype developed in Matlab/Octave would be the first step into a real time solution. It’s interesting to notice that most SDR devices in the market offer a FPGA in the capture board to speed certain types of DSP operations, so if the algorithm is efficient enough it can be included in the device’s own FPGA board, being able to operate without the need of a computer.

28

4.3 RFID Signal Generation:

As RFID consist on both Readers and Tags, the details on signal generation will be divided into two main parts: Reader Signals and Tag Signals.

4.3.1 Reader Signals:

As mentioned in Section 2, because RFID systems use the power of the reader to energize the tag, only Pulse Modulation schemes are used for the reader, as we must ensure that the tags will get energized and avoid any unexpected turnoff of the energy and interrupt the process. Because of these reasons, RFID Readers use simple modulation schemes based on PWM. The name of the Reader encoding is PIE (Pulse Interval Encoding).

The following parameters are needed for configure the Reader Signals:

• Tari Value: A value in uS that specify the period of the base pulse. • PW Value: A value that is 0.5 Tari Value and specify the part of the cycle were the

signal is set to off. • Zero Bit Value: Is set to 1 Tari value (Including the PW Value). • One Bit Value: Could be 1.5 to 2 Tari value (Including the PW Value) • RTCal: Is the summation of the One Bit and Zero Bit Value (Including the PW

Value). Used to determine a pivot value, which is the average of RTCal, used by the tags to decode PIE commands.

• TRCal: Could be between 1.1 or 3 RTCal (Including the PW Value) and its used by the tag to calculate its backscatter frequency.

Also, in order to facilitate synchronization for tags, there is a Reader preamble. The preamble has to classes:

• Reader Preamble, used at the beginning of the inventory process. • Reader Frame Sync, used as a preamble for the Reader commands.

29

Figure 8: RFID Reader Preamble and Sync Frame.

So, for the Reader Preamble, the reader must turn off for at least 12.5 uS and then send a Zero-Bit, followed by the RTCal pulse and end with the TRCal pulse. After this, it can send the first command to the tags. All the future commands from this point shall begin with the Reader Frame Sync, which is the same as the Reader Preamble, except for the absence of the TRCal pulse.

In addition, at the beginning of each inventory process, the tags must be energized enough so they can operate, so at the beginning a large pulse is sent, which last approximately 1500 uS, to allow the tags to get energy. Then, this initial pulse is followed by the Reader Preamble to configure the tags.

The next stage on generating RFID Reader signals is to generate the signals corresponding to the different commands. These signals can be represented with just the zeros and ones bits explained before. For this project, the commands defined as Mandatory in the ISO 1800-6C standard are implemented. (The commands are explained in Section 2).

Command Bit Code Length (Bits) Description

QueryRep 00 4 Decrement the Tags slot counter

ACK 01 18 Acknowledge the received RN16 from a tag.

Query 1000 22 Starts the inventory process.

QueryAdjust 1001 9 Adjust the Q value of the tags.

NAK 11000000 8 Tells the tag that the EPC was not received successfully.

Table 6: Implemented RFID command for the framework.

30

4.3.2 Tag Commands:

The tag has the capability of being energized when the reader radiates power near to it and then, by reading an internal memory, replies to the reader. However, it does not reply by sending a new signal over a certain frequency, but it replies by backscattering. (It drives a load into its internal received antenna to create a low frequency component signal on top of the RFID Reader envelope).

Because of the way on how the Tag replies, only modulation schemes based on pulses can be used, as the tag can turn on and off its load into the antenna according to certain times to convey information. The rate on how the Tag switches the load is dependent on the information sent by the reader on the QUERY command, which uses the TRCal value sent to the tag as a reference and also two values from the QUERY command: DR which specifies a frequency divisor on top of the TRCal value and M which specify the modulation scheme used.

There are two main modulations schemes available for RFID Tags:

• FM0. (Manchester-like). • Miller (Clock based scheme, which can be M=2, M=4 or M=8).

The main difference between them is the way on how they communicate information: FM0 is based on the Differential Manchester Code, so a middle transition on the symbol period will occur depending if the transmitted symbol is a zero or a one, while Miller modulates the information into the phase of the number of square waves used for the specific Miller type. (For example, Miller M=2 will transmit 2 square waves per symbol). If the symbol is 0, Miller does not change the phase of the symbol, while if the symbol is a one, the phase of the symbol is switched by 180 degrees.

Both encodings can be implemented easily by using PWM-like generators. For FM0, the 0 symbol is represented by a duty cycle of 50% while the 1 symbol is represented with a 100% duty cycle. Also, at the end of each cycle there must be a transition. This allows the reader to recover the clock rate of the Tag and decode accordingly.

For Miller, a baseband representation can be generated that follows the same rules of FM0, but using 100% duty cycle for 0 symbol and 50% for the 1 symbol. But, as opposed to FM0, Miller requires a 180 degrees phase shift at the end of each symbol and not a necessarily a transition. After that, each symbol is multiplied with a carrier wave which consists in a specific number of square waves which depends on the type of Miller Encoding used.

31

Figure 9: FM0 and Miller Baseband basic functions and State Diagrams. Like the PIE Encoding, FM0 and Miller have preambles and in addition an EOS (End of Signal) bit. The preambles can be of two types: Simple and Extended. Usually the preambles do not follow the same rules of encoding described before. (As they must be unique, they rely on invalid transitions, so the Readers are able detect them).

An important issue here is the symbol rate. The symbol rate is given by the TRCal value and the D value on the QUERY command. For this project, and for the used D and TRCal values, the symbol rate is 40 KHz. For FM0 encodings, as these are just one PWM-like signal with or without transition, the rate for generating the signals is exactly 40 KHz. However, for Miller Encoding, a number of square waves must fit into the specified symbol rate, so in order to generate the signals; a different rate must be used. For example, at 40 KHz and 800 KS/s, there will be 40 samples per FM0 symbol, but we will need 20 samples per each square wave to represent a Miller M=2 and 5 samples per square wave to represent a Miller M=8. So this must be taken into consideration when selecting a sampling rate when generating the signals.

4.4 RFID Listener:

This part is directly related to the signal generation, as we need to ensure that we can not only decode our own generated signals, but also real life signals which are not generated into the perfect conditions. For this reason we need to consider how decoding RFID signals and also how to interpret them. Also, as we are interested on approaching to a real time implementation, we must rely on decoding the reader samples one by one, instead of waiting for an entire block to arrive and then process

32

such block. (As RFID tags are constrained at memory). RFID Readers have more hardware, so the Tag Decoding could use more sophisticated techniques.

The details will be divided into 3 parts: Decoding Reader, Decoding Tag and Parsing Commands.

4.4.1 RFID Reader Decoding (PIE Decoding):

For decoding RFID Reader signals, the own ISO 1800-6C specification gives us a solution when specifying the RTCal value and a pivot value (Which is half the RTCal) to compare the width of the pulses and determining if is a 0 or a 1 depending on if it exceeds the pivot or not. Also, there must be a way for us to know that a given signal is an invalid RFID Reader signal, and this is done by using a second pivot based on 4 times RTCal. If a pulse exceeds this second threshold, then the signal is an invalid reader signal.

But before decoding PIE commands, we must know how to determine the actual duty cycle of a given pulse. A simple and effective way of doing so is by Rising Edge and sample counting. We start counting samples as soon we exceed a threshold that is denoted as the rising edge and stop counting samples as soon as we are below that threshold. Then, according to the pivot value we output a 0 or a 1 or an invalid symbol. Then, we wait for the next rising edge before starting the process again.

Figure 10: Finite State Machine for PIE Decoding.

The next problem is to define how to tell the end of an RFID Cycle. For telling the end, the simplest way is to start counting samples when we are below the threshold for edge detection and if they exceed 4 times RTCal, we can know for sure that the tags lost the energy and that the RFID Cycle has ended. Also, because SDR devices are not perfect, temporal power outs could happen. In this case, we can establish to ignore samples below threshold which are less than Tari.

Because we heavily depend on the rising edge threshold, we must devise a way on how to get the threshold value (And by that, detecting the beginning of the RFID cycle).

33

That could be by taking the difference between the last value and the current value. By defining a specific value that must be exceed (In real life tags, it must be enough voltage difference to power up the internal chip on the device), we can tell that a RFID cycle have started. We tend to ignore the first pulse width, as the ISO 1800-6C standard specifies 1500 uS of pulse width at the beginning to allow the tag to initialize and power up the internal chip. Then, in the next rising edge, we can start counting samples above and below the threshold to get the parameters of operation.

current_sample = 0 threshold_reader = get_rfid_threshold() pivot = get_rtcal_value() / 2; pos_thres_count = 0 neg_thres_count = 0 no_deco_bits = 0 deco_bits[] = 0 while (is_more_samples_to_read()) sample = get_samples() if (sample < threshold_reader && pos_thres_count = = 0) continue if (sample > threshold) pos_thres_count++ if (pos_thres_count > 8 * pivot) //invalid symbol pos_thres_count = 0 continue if (samples < threshold_reader && pos_thres_count > 0) if (pos_thres_count > pivot) deco_bits[no_deco_bits] = 1 else deco_bits[no_deco_bits] = 0 no_deco_bits++ pos_thres_count = 0 if (samples < threshold_reader) neg_thres_count++ if (neg_thres_count > 8 * pivot) break //end of cycle

Table 7: RFID Reader Decoding.

4.4.2 RFID Tag Decoding (Backscattering Decoding):

The tag decoding is done by the RFID Reader. The RFID specification does not include any recommended solution for decoding tags, as the modulation is not based on just pulse width, but also in phase shift. Also, as the backscatter energy is really low in comparison with the energy sent by the reader, threshold based algorithms are not the best option for decoding.

34

RFID Readers do not have the same hardware constraints as the Tags, so we could use other algorithms which perform better even with low SNR signals, such as correlation.

Figure 11: Finite State Machine for Tag Decoding.

RFID Tag Decoding should be fast as the Reader has only a limited amount of time to send a command to the tag after the tag finished transmitting. If we can assume that the Reader is faster enough, then an approach based on correlation of symbols can be used. First of all, because the reader knows the type of modulation for the Tag, it tries to correlate the preamble of the specific encoding method. A timeout is also defined and if no preamble is detected after the preamble, it declares that the specific slot was empty of tag responses.

However, if the preamble word is detected, then the next samples will correspond to one or zero bit symbols, so the reader can correlate both the base one and zero symbols to the incoming signal and picking up the one which has the greater score. As the number of symbols on a RN16 Tag reply are known (Number of 16 bits + end of signal), the reader can know how many bits to decode and then produce its answer to the tag. (This response is typically the ACK command).

Correlation decoding approach allows recovering the signal even in low SNRs, which is interesting due to the nature of the backscatter signal, as it is a really weak signal that goes on top of the envelope sent by the reader. However the accuracy of the decoding will depend on how well the time synchronization of the incoming signal is done. As the RFID standard defines a specific frequency tolerance that each tag must comply, this is generally not an issue. However, if precision is needed, a method based on zero crossings could be used to detect symbols based on the rising and falling edges and counting the samples between each zero cross and round them to the nearest valid symbol length. Then, correlation is more able to succeed in the detection of the symbols of the tag. This method can be also used for decoding, but it has the main issue that in bad SNR, not only the signal but unwanted components also zero cross.

tag_samples = get_stored_tag_samples() samples_per_cycle = get_backscatter_frequency() encode_type = get_tag_encode_type()

35

tag_counter = 0 tag_length = length(tag_samples) no_deco_bits = 0 decoded_bits[] = 0 preamble_mask = generate_preamble(encode_type, samp les_per_cycle) one_symbol_mask = generate_bit(1, encode_type, samp les_per_cycle) zero_symbol_mask = generate_bit(0, encode_type, sam ples_per_cycle) for i=1 to tag_length step=length(preamble_mask) preamble_samples = tag_samples[i:i + length(preamb le_mask)] //correlate for preamble for j = 1 to length(preamble_mask) score_data = score_data + (preamble_mask[j] * preamble_samples[j]) sum_vals = sum_vals + tag_samples[j] score_pream = score_data / sum_vals if ((score_pream < 0.8) && (i < tag_samples - length(preamble_mask))) continue else if ((score_pream < 0.8) && (i > tag_samples + length(preamble_mask)))) return -1 //no signal detected if (score > 0.8) break //correlate for signals for i = 1 to tag_length step=length(one_symbol_mask ) data_samples = tag_samples[i: i + length(one_symbo l_mask)] score_data = 0 sum_vals = 0 //correlate with the one symbol for j = 1 to length(one_symbol_mask) score_data = score_data + (one _symbol_mask[j] * data_samples[j]) sum_vals = sum_vals + tag_samples[j] score_one = score_data / sum_vals score_data = 0 sum_vals = 0 for j = 1 to length(zero_symbol_mask) score_data = score_data + (zero_symbol_mask[j] * data_samples[j]) sum_vals = sum_vals + tag_samples[j] score_zero = score_data / sum_vals if (score_zero > score_one) decoded_bits[no_deco_bits] = 0 else decoded_bits[no_deco_bits] = 1 no_deco_bits++

36

Table 8: Pseudocode for the RFID Tag Decoding.

4.4.3 Command Parsing:

So far, we have deal with how to decode the signals. But also we need to interpret them and to maintain a kind of logic flow between the different stages. We must be able to tell when we need to start searching for a preamble or to keep decoding Reader commands. For this reason, the developed listener is divided into states of a Finite State Machine. The states are described as follow:

• State 0: Looking for an initial threshold. • State 1: Detecting valid configuration: Power Sync and Sync Word. • State 2: Decoding PIE Commands. • State 3: Holding samples for the Tag. • State 4: Decoding Tag. • State 5: Decoding PIE after the tag.

State 0: This state is focused on looking for the initial threshold which powers up the tags. The threshold is calculated by taking the difference between the current and the last symbol. If an already pre-established value is exceeded, then 75% of the difference is used as the threshold to detect rising and falling edges. If the value is not exceeded it keeps in the same state, if the value is exceeded, it goes to State 1.

State 1: This state validate that the signal is a RFID signal by counting the samples between to rising edges and comparing them to the expected values of Tari, RTCal and TRCal. If this checking fails, it goes back to State 0, if the check succeed, it goes to State 2.

State 2: This state output 0 or 1 bits, depending it the pulse width between rising edges is less or greater than the pivot value. (0.5 RTCal). It also counts samples below the threshold. If any of this sample count is greater than 4 RTCal, then it goes back to State 0. This state will also check if the received command requires Tag response and if it needed it, it will go to State 3. If not, it will keep on the same state.

State 3: This state will store samples until the given values are less than the established threshold and then it will go to State 4.

State 4: This stage will decode the tags by using cross-correlation between the tag symbols and the stored samples. If no tag is detected and the Q Value of QUERY is set to 0, it will go back to State 0. If not, it will go to State 5.

State 5: If a tag is decoded, then this stage will check for the next PIE symbols. If no PIE Sync-Word is detected, it will go back to State 2, to decode the PIE symbols. If a new Sync-Word is detected it will go back to State 1 to update the configuration.

37

Figure 12: Finite State Machine for the RFID Listener.

4.5 RFID Collision and Recovery Model:

In order to recover the collisions, we must determine if such recovery is possible and also a way to detect if certain signal is a collision, to avoid unnecessary signal processing, as the RFID protocol has to comply with certain time constraints. Because we are using Blind Source Separation, we do not need to use this information for the decoding, but this will also help us to understand the limitations of our approach.

Interference in RFID is generally additive with the presence of time shift. This means that in the receiver, the signals of the colluded signals add together. Also signals present time shift, as they arrive at different times at the receiver, due to multipath.

Knowing that the tags reply using 2 different logical levels (-A and A), we can construct a table of the outcome of such levels when add together:

Tag 1 Tag 2 Result A A 2A A -A 0 -A -A -2A -A A 0

Table 9: Outcome of the logical levels on RFID Backscattering in a collision of 2 tags.

As we can see in the table below, when the tags are have the same logical level and collision, the resulting is a multiple of the original logical level, but when they have different logical level, both cancel out. This would mean that in a collision which happen without time shift, no recovery would be possible, as opposite states would end in a zero-level, in which the decoder would not be able to tell which logical level the signal had.

38

Figure 13: Collision between two tags without time and amplitude shift.

However, collisions also carry amplitude shift which is helpful, as the amplitude shift will not put the signals into a level zero, but at least will show the logic level of the strongest signal. Because of this, there are two probabilities on this signal, one in which Tag 1 will have the strongest amplitude, so the collision levels will shift to Tag 1 logical level, and other in which Tag 2 will have the strongest amplitude, and so the logical levels will shift to Tag 2 logical level. In those conditions, recovery will be possible. However this is not enough to guarantee recovering, as there is a possibility that the noise on the environment will shift logic levels.

But in real life, RFID tags have also time shift, due to the multipath, so the possibility of getting zero levels on the signal is minimum due to the influence of amplitude, time shift and noise. However is important to establish that recovery of collisions is not guaranteed at 100% due to these characteristics.

0 100 200 300 400-2

-1

0

1

2Tag 1: 42551

0 100 200 300 400-2

-1

0

1

2Tag 2: 60436

0 50 100 150 200 250 300 350-4

-2

0

2

4Collision Result

39

Figure 14: Collision between two tags with amplitude shift but without time shift.

Until know, we have discussed how the signal would appear on a single received. Research such as the one by [Sun [14]], show that by using the logic levels produced by the collisions, is possible to recover collisions from one single antenna. These methods usually get rid of the ambiguity on the logical levels produced by the noise by applying a Median Filter to the signal. (The order of the median filter is set to 4, although the maximum level to avoid truncating the signal is cycle_rate – 1, where cycle_rate is the number of samples of the backscatter frequency).

A series of rules can be constructed based on analysing the rising and falling edge of colluded signals which has the logical ambiguity fixed using the median filter and because of the property of the time shift, if an additional transition occurs before the number of samples corresponding on the backscatter frequency, the algorithm could tell that two symbols are present on that range and separate them by defining sub-logical levels. However, these techniques only tend to work on 2 tags and tend to fail as the SNR decreases.

The advantage of these methods is that they are not computationally expensive, so they can be implemented for analysis on real time, which makes them interesting for collision recovery. However, the problem is that they only can solve specific collision patterns, specifically those which amplitudes have several magnitudes of difference and will fail with closer amplitude values. Another problem is that they do not take in advantage the use of different antennas which are available in high throughput RFID scenarios, but instead rely on a single antenna. The proximity of the antenna to the conflicting tags will also influence on the success of the recovery, as if a given tag is weak enough to get equal to the logic values of another one, logic ambiguity will occur.

0 100 200 300 400-1

-0.5

0

0.5

1Tag 1: 64751

0 100 200 300 400-1

-0.5

0

0.5

1Tag 2: 28043

0 50 100 150 200 250 300 350-2

-1

0

1

2Collision Result

40

Figure 15: Collision between two tags with amplitude and time shift

The method analysed in this thesis is the ICA one, which as stated in Section 2 of this report, assumes that signals are Gaussian distributed ones and also statistically independent. As the RN16 signals are generated by each tag random number generator, they are statistically independent, and also the signals itself are Gaussian as only 2 logic states are allowed on the data.

There are many implementations of ICA, but the one chosen for this project is FastICA, which is a fixed point implementation of ICA. Its main advantage is that is 10 to 100 factors faster than other implementations that use gradient descent approaches. This is important as RFID has time constraints and ICA by nature is an iterative algorithm, which could take some time to converge, although for this project, a value of 1000 iterations is set as the maximum of iterations.

For the recovery of collisions, the main requirement is to have at least two different readings of the signal. Due to the position of the antennas and the multipath effects, each antenna will receive a different amplitude and timing shift version of the signal. Then, those signals will be used as input into the FastICA algorithm which then will output a similar number of independent components. We are not interested on the mixing matrix, so it would not be used in this project.

One interesting feature of FastICA is that is also used to separate noise from signals, which can be useful not for recovering collisions, but to increase SNR in certain scenarios.

For real life scenarios, we need to consider the capability of the devices used for capture signals and how the antennas are placed. Generally we would not like to have samples in which the signal is undetectable, as they will only make FastICA slower to converge. A basic rule of thumb is to choose antennas which are closer to the collision signals of interest. For this project, due to the limitations of the USRP1 device, only 2 antennas can be used to capture signals.

0 100 200 300 400-0.5

0

0.5Tag 1: 33331

0 100 200 300 400-0.4

-0.2

0

0.2

0.4Tag 2: 21360

0 50 100 150 200 250 300 350-1

-0.5

0

0.5

1Collision Result

41

This means that if the collision has more than 2 tags, we could not guarantee that all of the recovered signals are collision free, as we need at least the same number of sources to guarantee a correct recovery. An additional stage of picking the ‘best’ signal, based on a metric is needed. Also, as the FastICA algorithm is iterative, we must ensure that only low SNR and collided signals are processed with it, so a way of telling if a signal is a collision is needed.

Figure 16: FastICA recovery of a RFID Tag signal with a collision between 2 tags.

sample_cycle = get_backscatter_frequency() samples_1 = get_samples_rx(1) samples_2 = get_samples_rx(2) preamble_mask = generate_preamble(encode_type, samp les_per_cycle) one_symbol_mask = generate_bit(1, encode_type, samp les_per_cycle) zero_symbol_mask = generate_bit(0, encode_type, sam ples_per_cycle) samples_1 = median_filter(samples_1, sample_cycle - 1) samples_2 = median_filter(samples_2 sample_cycle - 1) rx_ica = [samples_1 ; samples_2] y_ica = fast_ica(rx_ica) //FastICA algorithm //check for the best signal by correlation score_ica = create_array(length(y_ica)) for iscore = 1 to length(score_ica) tag_samples = get_stored_tag_samples() samples_per_cycle = get_backscatter_frequency() encode_type = get_tag_encode_type() tag_counter = 0 tag_length = length(y_ica(iscore)) no_deco_bits = 0 decoded_bits[] = 0

42

//search preamble for i=1 to tag_length step=length(preamble_mask) preamble_samples = tag_samples[i:i + length(preamble_mask)] //correlate for preamble for j = 1 to length(preamble_mask) score_data = score_data + (preamble_mask[j] * preamble_samples[j]) sum_vals = sum_vals + tag_samples[j] score_pream = score_data / sum_vals if ((score_pream < 0.8) && (i < tag_samples - length(preamble_mask))) continue else if ((score_pream < 0.8) && (i > tag_samples + length(preamble_mask)))) score_ica[iscore] = -999 //no preamble, no signal break if (score > 0.8) break if (score_ica[iscore] == -999) continue //do not decode if no preamble //correlate for signals for i = 1 to tag_length step=length(one_symbol_mas k) data_samples = tag_samples[i: i + length(one_symbol_mask)] score_data = 0 sum_vals = 0 //correlate with the one symbol for j = 1 to length(one_symbol_mask) score_data = score_data + (one_symbol_mask[j] * data_samples[j]) sum_vals = sum_vals + tag_samples[j] score_one = score_data / sum_vals score_data = 0 sum_vals = 0 for j = 1 to length(zero_symbol_mask) score_data = score_data + (zero_symbol_mask[j] * data_samples[j]) sum_vals = sum_vals + tag_samples[j] score_zero = score_data / sum_vals if (score_zero > score_one) score_ica[iscore] = score_ica[iscore] + score_zero else score_ica[iscore] = score_ica[iscore] + score_one

43

best_ica_idx = max(score_ica, 'find_idx') if (score_ica[best_ica_idx] == -999) return 1 //no decodable signal possible else return y_ica(best_ica_idx) //return the best signa l

Table 10: Pseudocode for the FastICA recovery based on correlation scores.

Figure 17: FastICA recovery of a RFID tag signal without collision. (1 tag was present).

Figure 18: FastICA recovery of a RFID tag signal with a collision between 3 tags.

44

4.6 Collision Detection Model:

As discussed before, FastICA is not guaranteed to converge at a certain number of iterations. As RFID has specific timing constraints, it would be useful to limit its application to actual RFID collisions and low SNR signals, to avoid unnecessary signal processing. Because of this, a method to tell that a collision exists is needed.

Based on the model described before, we know that a RFID tag signal would only have two logic levels. A collision happens when additional levels which are multiples of those original levels are created by the summation of two signals transmitted at the same time.

So for detecting a collision, we would try to find a signal which has more than 2 logical levels spaced at different times than the specified for the specific modulation type of the captured RFID signal. A way of doing this is by taking the derivative of the entire RFID tag signal and analysing the peaks, which should be spaced at regular intervals.

Backscatter signals could also have noise of the environment, which means that the levels of the different peaks are not guaranteed to be at the same levels in low SNR scenarios. Thus, this method will also help to identify low SNR signals which could be de-noised with information for multiple antennas.

In order to ensure that only low SNR signals are being processed, a median filter will be applied to the signal before the derivative calculations. Then, peaks will be detected. A peak is defined as a sample ���� in which the samples ��� − $� and ��� + $� follow the condition of: ���� > ��� − $�⋀ ���� > ��� + $�, where n is a window value which is at maximum half of the sample rate of the defined backscatter frequency.

After finding the peaks, the maximum value of the signal is taken, and then each peak is compared to this maximum value. If there is no collision, most of the peaks will have a value closer to the maximum value. In order to deal with the –A logic levels, the absolute value is taken. Also, these peak signals must match with the sampling rate of the backscatter signal. If the space between peaks is less or more than the expected backscatter frequency, then that signal will be classified as a non-matching one, because it is highly probable that represents a collision.

If the number of matching peaks with the maximum value and correct spacing is greater than the non-matching ones, then the signal is declared to be collision free. (This is done in order to avoid false positives due to noise).

This method is non computationally expensive and it will identify not only RFID collision signals, but also signals with low SNR, which could also benefit from FastICA, while avoiding the unnecessary process of signals which have a good SNR.

sample_cycle = get_backscatter_frequency() tag_samples = get_stored_tag_samples() wnd_peaks = 3 thres_peaks = max(tag_samples) * 0.4 symbol_zero_distance = get_distance_symbols(0) symbol_one_distance = get_distance_symbols(1) match_peaks = 0

45

non_match_peaks = 0 last_peak_idx = 0 tag_samples = median_filter(tag_samples, sample_cyc le -1) tag_diff = abs(diff(tag_samples)) for i=wnd_peaks to length(tag_diff)-wnd_peaks cpeak = tag_diff(i) npeak = tag_diff(i + wnd_peaks) lpeak = tag_diff(i - wnd_peaks) if (cpeak > npeak && cpeak > lpeak && cpeak > thre s) if ((i - last_peak_idx <> symbol_zero_distance) || (i - last_peak_idx <> symbol_one_distance) match_peaks++ else non_match_peaks++ last_peak_idx = i if (non_match_peaks > match_peaks) return 1 //collision detected else return 0 //no collision

Table 11: Pseudocode for the Collision Checking.

Figure 19: Output of the absolute value of the Derivative after a Median Filter on the former RFID signals from Figure 16.

As explained in the section on FastICA recovery, as we are only using a fixed number of antennas, we cannot guarantee that all the signals are collision free. Also, because of the time constraints of RFID, only one signal could be processed, as the other tags

0 50 100 150 200 250 300 3500

0.5

1

1.5

2Derivative of a Clean RFID signal

0 50 100 150 200 250 300 3500

1

2

3

4Derivative of a RFID Collision signal

46

will timeout after that specific signal is processed, so the requirement here is to pick the signal with least probability of being a collision. Such signal is found by defining a metric which tell how good the signal is. There are two ways of calculate this metric:

• Taking the ratio of matching signals over the complete amount of peaks detected of the recovered signal.

• Decode the signal and keep all the correlation scores for each one of the symbols, then take the average as a metric.

The first method is faster, as this method also ensures that the signal is collision free. However, it’s important to mention that FastICA does not guarantee the same amplitude on the signal recovery, so we can actually loss decodable signals due to this. For this case, we could use the second method, which has the disadvantage of being slower or just evaluate the spacing between peaks instead of also evaluate the amplitude. The use of one or other method will depend on the SNR. In low SNR scenarios, it would be better to use the correlation method as random spikes of noise could be counted as legitimate peaks in the derivative and peak finding method.

4.7 SDR Considerations:

As discussed in Section 4.1, one issue with SDR for this application is the latency, as the most time consuming process is to send the samples from the device to the computer. However, other considerations about the use of SDR remain:

First of all, that SDR devices output low energy, mainly due to legal concerns due to its capability of broadcasting at a broad variety of frequencies.

The SDR devices used in this project were the USRP1 device by Ettus Research and the bladeRF by Nuand. Both of them happen to be un-calibrated outputs, so there is no way to tell the exact power output used by those devices, unless a Network Analyser is used. According to the manufacturers, USRP1 with the RFX-900 daughterboard (Which provides 750 to 1050 MHz), outputs up to 200 mW (23 dBm), while the bladeRF which uses a single transceiver chip, outputs up to 4 mW (6 dBm).

These power figures mean that in all the experiment the tags must be located as closest as possible to the SDR devices, being the USRP1 the one which provides more range of operation. However at such low values, the range of operation is pretty poor, with signals having problems to be detected by the developed algorithms at 28 cm and completely invisible up to 33 cm from the RX antennas.

The use of amplifiers was considered, by using the ZFL-1000LN manufactured by MiniCircuits, as it was a low noise amplifier. The amplifier was used in the output of the TX connector on the SDR devices as a way to increase the radiated energy and extending range of the tags. However the performance was not as expected, with signals being barely visible up to 40 cm and undetectable at 45 cm.

The second issue is the sampling rate, as a higher sampling rate within the same bandwidth will improve the SNR after the Matched Filter, but at the cost of introducing more delay. As the system is not performing real time analysis, the sampling rate was

47

set to default as in the reader, capturing 4 MS/s, and after the decimating matched filter, the all the developed components will use a signal of 800 KS/s.

The third issue is the DC Offset and I/Q imbalance that could happen in SDR devices. Because RFID is a BPSK based system, I/Q imbalance do not come out as big problem. However the DC Offset could manifest itself as overshoot or undershoot in the reader signal and discontinuities into the tag signal, so an initial calibration of the device may be needed.

48

Chapter 5

Testing, Results and Discussions

5.1 Testing and Verification:

Initially, to validate the framework, multiple tests were conducted. These include:

• Encode/Decode a 16 bits number into a Tag modulation scheme. • Generate an entire RFID process signal and decode it with the listener. • Validate the listener by decoding real life RFID Signals. • Generate a model for FastICA collision recovery and try to recover data. • Validate the model by doing real life recovery of signals.

The setup of each of these stages will be discussed below:

5.1.1 Encode/Decode a 16 bits number into a Tag:

For this first test, a random number inside the range from 0 to 65 536 (216) was generated and then converted to binary. The binary value used was MSB, according to the Gen2 RFID specification. The parameters used for the generation were:

• Sampling rate of 10 samples per cycle for all the modulation schemes. • Each of the 4 modulation schemes for RFID Tags: FM0, Miller M=2, M=4 and

M=8. • With the Preamble for each type of modulation and the End of Signal. • With and without the Extended Preamble. • Different values for AWGN noise are modelled going from 1 to 30.

Phase Inversion was not modelled for this stage, as all the modulation schemes for Tags are BPSK based ones, so the phase shift is not used.

After the generation, the decoding of the signal was done and evaluated. The decoding of the RFID signals requires the sampling rate per cycle. This value is obtained from the generation, as well as the modulation used. This is done this way instead of detecting from the signal, because in RFID signals, the QUERY command specifies to the tag all the parameters for its reply.

The decoding was approached by using correlation between the already know bit masks for 0 and 1. The following validations are used:

• The preamble must match with at least 0.7 in the correlation score in the normalized scale. (Extended Preamble is not used).

• From the preamble, 17 symbols are decoded. (16 bits + signal end symbol). • For each symbol, both the bit one and bit zero correlation score is calculated

and then normalized. The bit chosen for the decoding is the bit corresponding to the maximum score of the two.

49

This test is validated by using the average of the summation of the correlation score of all the decoded symbols in the tag. (This value should approach to 1 if all the symbols were decoded correctly).

5.1.2 Generate a RFID Signal and its Decoding:

This second test aims to validate the performance of the developed signal generator as well as the listener, in the entire scope of the standard, by first decoding the PIE commands from the reader and then decode the tags using the parameters specified at the reader. The parameters used for this test are:

• Fixed sample rate for both the tags. (By defining the Tari, RTCal and TRCal values in the signal generator).

• Fixed number of cycles, even if the number of slots is higher. • Fixed parameters on the QUERY command. • Each of the 4 modulation types for the tags used. • Different levels of AWGN noise are modelled, going from 1 to 30.

In order to detect that the generated signal is a valid RFID signal is a valid one, the following validations are used:

• The signal must start at a Low level and the RFID Signal should begin with a change from low to high.

• A zero-symbol should appear after the high transition. • Then, the following symbols widths are validated using the zero-symbol width. • Each cycle should end with a high to low transition.

5.1.3 Decoding a Real RFID Signal:

The third test aims to validate the developer listener and its performance with some real data recorded from a SDR device. When the tag replies to the SDR reader, this decodes the tag and outputs a number in an ACK command. The developed listener decodes the tag and then compares its decoding result with the ACK result from the signal to validate if the decoding was correct.

Please notice that as this a real life decoding, some parameters such as clock drift and SNR cannot be controlled. However, the tags and the antennas were placed close together to minimize any interference.

5.1.4 Generate a model for FastICA collisions recover:

The fourth test aims to validate how FastICA performs on recover RFID tag signals. To avoid overhead, only the tag backscatter signal is generated. The parameters for this simulation are as follows:

• Fixed Number of Tags: 2. • Random Time delay between the tags. (For modelling the collision) • Random amplitude scaling for each tag and antenna. • Random Phase Shift for each tag and antenna. • Each of the 4 modulation types for tags used.

50

• Run over 10,000 simulations.

5.1.5 Validate the model by doing real life recovery of signals:

The final test aims to validate the FastICA by performing analysis on real RFID signals. As this test is done offline, the success rate is evaluated by amount of valid and able to decode Tag recovered signals. The following parameters were considered:

• Number of Tags (1, 2, 3 and 4). • Position of the tags in relation to the antennas. • Modulation type is fixed to Miller M=2.

Notice that as this is done in a real world scenario, some parameters cannot be controlled, such as SNR present in the area, frequency shift and clock drift. However, the antennas and the tags were placed close together in order to minimize any interference.

5.2 Results:

5.2.1 Encoding / Decoding of RN16 Numbers:

For this test, a random number was generated as well as a random value between 0 and 1 for the Extended Preamble, a random value between 1 and 30 for the SNR and a random value between 0 and 3 for the modulation type. The function then proceed to modulate a Tag RN16 signal based on those parameters and adds the AWGN noise level to match the generated SNR. Then, the signal is demodulated.

The Matlab script outputs its results if those decoding matches into the console.

* Generating a RN16 Tag: 50395 with Extended Preamb le and Miller M=2 Encoding and SNR of 27... [rfid_listener]: Tag preamble detected at 171 with score 1.000000... * Decoded data is 50395 and matched with the RN16 g enerated value!!!

Figure 20: Generated RN16 value using FM0 Encoding, SNR of 26 and a RN16 value of 59845. (0xE9C5).

0 50 100 150 200 250 300 350 400 450-1.5

-1

-0.5

0

0.5

1

1.5RN16 Tag: 59845 with Extended Preamble and FM0 Encoding and SNR of 26

51

The function success rate was of 100% even in low SNR levels (Less than 10). This is because the signal was just corrupted with AWGN level and no other channel fading effects (No such effects as Amplitude, Clock or Phase Shift was considered).

5.2.2 Generate an RFID Signal:

For this test, the RFID Signal Generator and the RFID Listener were used. The user specifies the configuration parameters for the RFID Reader in the generator script. The values used for this test are as follows:

• Sampling Rate = 800 KS/sec. • Tari Value = 24 uS. • Tari for One-Bit: 2 • T1 Value: 200 uS • Tag Modulation Type: Miller M=2 • Tag Preamble Type: Extended Preamble • Backscatter Frequency: 40 KHz. • Q Value: 0. • Emulated Tags: 1.

Figure 21: Generated RFID Signal with a Tag backscatter and the ACK command. (No EPC reply was modelled). Tari value was 24 uS.

Because the Q Value is 0, the system will only process 1 tag. If more than 1 tag is defined, then a Collision will be simulated by the model.

The output from the RFID Signal Generator was:

[rfid-generator]: Tari samples: 19 / PW samples: 10 * RTCAL samples: 48 / TRCAL Samples: 150 * T1 samples: 160... [rfid-generator]: Tari uS: 24.00 / PW uS: 12.00 * RTCAL uS: 72.00 / TRCAL uS: 200.00

52

* T1 uS: 200.00... [rfid-generator]: Base Frequency for Tags will be o f 40.00 Khz and use Miller M=2 modulation... [rfid-generator]: Samples per Tag cycle: 40 samples ... [rfid-generator]: Simulating RFID envirionment with 1 slots and 1 tags... Written the file as: rx_gen_signal.out!!! RN16 values created are: 60112

The generated output is written to a binary file (rx_gen_signal.out) and then is used as input for the RFID Listener. The following output from the RFID Listener was produced:

[rfid_listener]: Possible RFID Threshold set at 50. 329578 at position 961... [rfid_listener]: RFID configuration found! -> Tari: 20 ; RTCAL: 58; TRCAL: 160 ; PIE Pivot: 2 9 [rfid_listener]: RFID configuration passed! Now dec oding... [rfid_listener]: QUERY command detected... -> Tag frequency at 40.000000 KHz... -> Using pilot tone (Extended preamble)... -> Modulation Miller M=2 used for tags... -> Q Value of 0, so 1 slots for tags... [rfid_listener]: Tag Encoding detected to be Miller M=2 encoding... [rfid_listener]: Tag decodal... sample rate estimat ed at 40 samples... [rfid_listener]: Collisison NOT detected!!! [rfid_listener]: Tag preamble detected at 919 with score 0.995099... [rfid_listener]: Raw Tag bits: 0 0 0 0 1 0 1 1 0 1 0 1 0 1 1 1 1 -> Decoded bits: [0 0 0 0 1 0 1 1 0 1 0 1 0 1 1 1] ... [rfid_listener]: Tag Backscatter decoded. RN16 is 6 0112... Detected values: Tari: 20 / RTCAL: 58 / 3rd Symbol: 20 [rfid_listener]: PIE Frame-Sync detected...!! [rfid_listener]: ACK command detected... -> ACK RN16 value: 60112 -> ACK RN16 bits value: 0000101101010111 [rfid_listener]: ACK validation successful. Now dec oding EPC-Code... [rfid-listener]: Unexpected silence of the reader!! ! Finished parsing the file!!! ****** RFID Listener Statitics ********* - No. of Decoded QUERY: 1 - No. of Decoded Tags: 1 - No. of Undecodable Tags: 0 - No. of ACK: 1 - No. of Bad ACKs: 0 - No. of FastICA Recoveries: 0 Total Runtime: 0.229454 seconds...

53

Notice how the developed Listener provides detailed information about each RFID Reader commands and also detail information about the Tag reply. At the end, a summary of the findings is provided.

5.2.3 Decoding a Real RFID Signal:

For this test, a real RFID signal from a RFID Tag is recorded using the USRP1 device1. The parameters are generated by the Michael Buettner RFID Reader, but the developed RFID Listener is able to extract them anyway. The only parameter need is to provide the Sampling Rate, which for this capture is 800 KS/s. Only 1 tag was present for this recording.

Figure 22: Real RFID signal recorded from the USRP1 device. (Only 1 tag was present).

The output of the developed RFID Listener is provided below: [rfid_listener]: Possible RFID Threshold set at 12. 416842 at position 2633... [rfid-listener]: Warning!!! Unknown bits detected, but skipped... [rfid_listener]: RFID configuration found! -> Tari: 19 ; RTCAL: 58; TRCAL: 160 ; PIE Pivot: 2 9 [rfid_listener]: RFID configuration passed! Now dec oding... [rfid_listener]: QUERY command detected... -> Tag frequency at 40.000000 KHz... -> Using pilot tone (Extended preamble)... -> Modulation Miller M=2 used for tags... -> Q Value of 0, so 1 slots for tags... [rfid_listener]: Tag Encoding detected to be Miller M=2 encoding... [rfid_listener]: Tag decodal... sample rate estimat ed at 40 samples... [rfid_listener]: Collisison detected!!! [rfid_listener]: Tag preamble detected at 791 with score 0.933803... [rfid_listener]: Raw Tag bits: 0 1 0 0 1 0 1 0 0 1 1 1 1 0 0 1 1 -> Decoded bits: [0 1 0 0 1 0 1 0 0 1 1 1 1 0 0 1] ...

1 See Appendix C for the physical distribution of the SDR device and the antennas used to capture data.

54

[rfid_listener]: Tag Backscatter decoded. RN16 is 4 0530... Detected values: Tari: 19 / RTCAL: 58 / 3rd Symbol: 160 [rfid_listener]: Unexpected start of another PIE Pr eamble...!!! [rfid_listener]: RFID configuration found! -> Tari: 19 ; RTCAL: 58; TRCAL: 160 ; PIE Pivot: 2 9 [rfid_listener]: RFID configuration passed! Now dec oding... [rfid_listener]: QUERY command detected... -> Tag frequency at 40.000000 KHz... -> Using pilot tone (Extended preamble)... -> Modulation Miller M=2 used for tags... -> Q Value of 0, so 1 slots for tags... [rfid_listener]: Tag Encoding detected to be Miller M=2 encoding... [rfid_listener]: Tag decodal... sample rate estimat ed at 40 samples... [rfid-listener]: Empty block... ending cycle... Detected values: Tari: 19 / RTCAL: 58 / 3rd Symbol: 160 [rfid_listener]: Unexpected start of another PIE Pr eamble...!!! [rfid_listener]: RFID configuration found! -> Tari: 19 ; RTCAL: 58; TRCAL: 160 ; PIE Pivot: 2 9 [rfid_listener]: RFID configuration passed! Now dec oding... [rfid_listener]: QUERY command detected... -> Tag frequency at 40.000000 KHz... -> Using pilot tone (Extended preamble)... -> Modulation Miller M=2 used for tags... -> Q Value of 0, so 1 slots for tags... [rfid_listener]: Tag Encoding detected to be Miller M=2 encoding... [rfid_listener]: Tag decodal... sample rate estimat ed at 40 samples... [rfid_listener]: Collisison detected!!! [rfid_listener]: Tag preamble detected at 791 with score 0.923149... [rfid_listener]: Raw Tag bits: 0 0 0 0 0 1 1 0 1 1 1 1 1 0 0 1 1 -> Decoded bits: [0 0 0 0 0 1 1 0 1 1 1 1 1 0 0 1] ... [rfid_listener]: Tag Backscatter decoded. RN16 is 4 0800... Detected values: Tari: 19 / RTCAL: 57 / 3rd Symbol: 20 [rfid_listener]: PIE Frame-Sync detected...!! [rfid_listener]: ACK command detected... -> ACK RN16 value: 56008 -> ACK RN16 bits value: 0001001101011011 [rfid_listener]: Unexpected ACK! Listener Decodal d o not match with the Reader... [rfid_listener: No PIE Commands. Ending cycle... Finished parsing the file!!! ****** RFID Listener Statitics ********* - No. of Decoded QUERY: 3 - No. of Decoded Tags: 3

55

- No. of Undecodable Tags: 0 - No. of ACK: 0 - No. of Bad ACKs: 1 - No. of FastICA Recoveries: 0 Total Runtime: 0.217429 seconds…

Notice how the RFID reader is able to extract the parameters and perform the decoding accordingly. In this case, it even provides its own decodal of the RN16 signal send by the tag and then checks the decoded value with the ACK value sent by the reader. (As the reader also decodes the RN16 and sends an ACK accordingly).

In this test, the decoded value from the reader and the decoded value from the Listener do not match, meaning that some channel issue happen. (Such as Clock Drift or a Collision).

5.2.4 Generate a FastICA Model Collision Recovery:

For this test, a sample collision signal is generated by creating 2 Tag RN16 signals and delays both of them by some random value. Then the receiving antennas are simulated by creating random amplitude shift values and each tag is applied with one of these shifts and the results are added together.

Once we got this different ‘readings’ of the signal, the result is used as input to the FastICA algorithm, which performs the Blind Source Separation and returns the recovered sources. Then, the signals are decoded and compared to the generated values. If they match, then we state that the recovery was done successfully.

An important thing to mention for the FastICA recovery is that the amplitude of the recovered signals is not guaranteed to be the same as the original input signals, so methods based on rising edges and thresholds are not guaranteed to work with FastICA recovered signals, as the recovered signal could probably have components of different amplitudes.

For this project, all the decoding procedures work by correlation to avoid this issue.

The generator script gives the following output:

* Generating 2 tags… * RN16 values for tags: [7456, 65156] * Generating Collision [rfid_decoder]: Unexpected end of the Tag signal!! ! Recovered RN16 from this signal is: 7456 and this m atch the generated RN16 values... [rfid_decoder]: Unexpected end of the Tag signal!!! Recovered RN16 from this signal is: 65159 and this match the generated RN16 values...

One interesting finding is that even if the FastICA recovers correctly the RN16 number, the last

bit of the RN16, which signals the end of the RN16 stream, should be a 1 according to the RFID

standard is not necessarily so. This is important, as for example Michael Buettner’s RFID

56

Reader will interpret a RN16 decoding that does not end in 1 as a collision and throw the data

away, even if it is correct.

Figure 23: Generated collision and recovered RN16 signals.

Finally, in order to examine how different encoding types perform, a model that takes in consideration SNR, Phase Shift and amplitude changes is constructed. The model tests all the modulations types under SNRs that goes from 0 to 30. The amplitude and time shifts to generate the collision are random. The aim is to measure the Tag Error Rate, which should decrease faster than the one of a decoder without FastICA.

Figure 24: Tag Error Rate results from the generated FastICA Collision Recovery over all the available modulation types of ISO1800-6C under different SNR levels.

57

5.2.5 Recovery of Real Life Collision Signals:

For this test, a real RFID signal is recorded using the USRP1 device2. In order to produce a collision, the RFID Reader is configuring with a Q Value of 0, and then 2 tags are put in front of the reader antennas. Two RX antennas capture the session in order to use this data for FastICA recovering. The sampling rate was set at 800 KS/s.

Figure 25: Collision on the two RX antennas and recovery after the FastICA algorithm on a real life signal recorded from a USRP1 device. Two tags were present.

After capture, the dump files generated by the two antennas are used as input into the developed RFID Listener. The output provided by the RFID Listener is provided:

Multiple RX mode activared... * Loading file for RX1: E:\rfid_rx2\rfid_2tags\f_r xout_ch1.out... * Loading file for RX2: E:\rfid_rx2\rfid_2tags\f_r xout_ch2.out... [rfid_listener]: Possible RFID Threshold set at 12. 432615 at position 845... [rfid-listener]: Warning!!! Unknown bits detected, but skipped... [rfid_listener]: RFID configuration found! -> Tari: 19 ; RTCAL: 58; TRCAL: 160 ; PIE Pivot: 2 9 [rfid_listener]: RFID configuration passed! Now dec oding... [rfid_listener]: QUERY command detected... -> Tag frequency at 40.000000 KHz... -> Using pilot tone (Extended preamble)... -> Modulation Miller M=2 used for tags... -> Q Value of 0, so 1 slots for tags... [rfid_listener]: Tag Encoding detected to be Miller M=2 encoding... [rfid_listener]: Tag decodal... sample rate estimat ed at 40 samples... [rfid_listener]: Collisison NOT detected!!!

2 See Appendix C for the physical distribution of the SDR device and the antennas used to capture data.

58

[rfid_listener]: Tag preamble detected at 791 with score 0.902746... [rfid_listener]: Raw Tag bits: 1 0 0 1 0 0 0 0 1 1 0 0 1 1 0 0 1 -> Decoded bits: [1 0 0 1 0 0 0 0 1 1 0 0 1 1 0 0] ... [rfid_listener]: Tag Backscatter decoded. RN16 is 1 3065... Detected values: Tari: 19 / RTCAL: 57 / 3rd Symbol: 160 [rfid_listener]: Unexpected start of another PIE Pr eamble...!!! [rfid_listener]: RFID configuration found! -> Tari: 19 ; RTCAL: 57; TRCAL: 160 ; PIE Pivot: 2 9 [rfid_listener]: RFID configuration passed! Now dec oding... [rfid_listener]: QUERY command detected... -> Tag frequency at 40.000000 KHz... -> Using pilot tone (Extended preamble)... -> Modulation Miller M=2 used for tags... -> Q Value of 0, so 1 slots for tags... [rfid_listener]: Tag Encoding detected to be Miller M=2 encoding... [rfid_listener]: Tag decodal... sample rate estimat ed at 40 samples... [rfid_listener]: Collisison detected!!! [rfid_listener]: Tag preamble detected at 791 with score 0.929365... [rfid_listener]: Scores from the ICA recovered Sign als...: 0.5513 [rfid_listener]: Best ICA score match for the signa l is Ch. 1 RX antenna... [rfid_listener]: Tag preamble detected at 772 with score 0.929365... [rfid_listener]: Raw Tag bits: 1 1 0 1 1 0 0 0 0 1 1 0 0 1 0 1 1 -> Decoded bits: [1 1 0 1 1 0 0 0 0 1 1 0 0 1 0 1] ... [rfid_listener]: Tag Backscatter decoded. RN16 is 4 2523... [rfid-listener]: Unexpected silence of the reader!! ! Detected values: Tari: 19 / RTCAL: 58 / 3rd Symbol: 160 [rfid_listener]: Unexpected start of another PIE Pr eamble...!!! [rfid_listener]: RFID configuration found! -> Tari: 19 ; RTCAL: 58; TRCAL: 160 ; PIE Pivot: 2 9 [rfid_listener]: RFID configuration passed! Now dec oding... [rfid_listener]: QUERY command detected... -> Tag frequency at 40.000000 KHz... -> Using pilot tone (Extended preamble)... -> Modulation Miller M=2 used for tags... -> Q Value of 0, so 1 slots for tags... [rfid_listener]: Tag Encoding detected to be Miller M=2 encoding... [rfid_listener]: Tag decodal... sample rate estimat ed at 40 samples... [rfid_listener]: Collisison NOT detected!!! [rfid_listener]: Tag preamble detected at 792 with score 0.935777... [rfid_listener]: Raw Tag bits: 1 1 0 1 1 1 1 0 1 0 0 1 0 0 1 0 1 -> Decoded bits: [1 1 0 1 1 1 1 0 1 0 0 1 0 0 1 0] ...

59

[rfid_listener]: Tag Backscatter decoded. RN16 is 1 8811... Detected values: Tari: 19 / RTCAL: 58 / 3rd Symbol: 19 [rfid_listener]: PIE Frame-Sync detected...!! [rfid_listener]: ACK command detected... -> ACK RN16 value: 42523 -> ACK RN16 bits value: 1101100001100101 [rfid_listener]: Unexpected ACK! Listener Decodal d o not match with the Reader... [rfid-listener]: Unexpected silence of the reader!! ! Finished parsing the file!!! ****** RFID Listener Statitics ********* - No. of Decoded QUERY: 3 - No. of Decoded Tags: 3 - No. of Undecodable Tags: 0 - No. of ACK: 0 - No. of Bad ACKs: 1 - No. of FastICA Recoveries: 1 Total Runtime: 0.392838 seconds...

After doing the FastICA recovering, we need to pick one of the signals and use that signal as the one received, as we cannot send back all the recovered values to the reader. For example, is a collision happens when a Q Value is set to 0, the reader will only read one tag and after processing it, the inventory process is finished. In the case of Q value set to more than 1, those tag which collision will not respond anymore, as their slot counter is already set to 0. In addition, the Timing constraints of RFID specify a maximum time for the reader to reply to the tag.

For this reason, and as a way to maximize the probability of picking a right recovery, a metric described in Section 4, was used to pick the best recovered signal and proceed with the decoding using such signal. The use of a score, allows the recovery of one tag even in multiple collision scenarios, provided certain conditions (Which were explained in Section 4), are met.

60

Figure 26: Collision on the two RX antennas and recovery after the FastICA algorithm on a real life signal recorded from a USRP1 device. Four tags were present.

However as this is a RFID Listener, we cannot send back the recovered RN16 value as an ACK to the tag to get the EPC code. This is the most important limitation of this model, requiring a real time implementation on a SDR RFID Reader in order to do FastICA recovery on the fly. Nevertheless, it proves that FastICA recovery is possible and feasible in real life RFID systems, validating the simulation model explained before.

61

Chapter 6

Conclusions and Future Recommendations

6.1 Future Recommendations:

The developed framework for this system was designed with the idea of testing collision recovery. Although this objective was achieved, there are other aspects of the design that could be extended to further improve performance of this recovering scheme.

6.1.1 Using Amplifiers to extend range:

As stated in Chapter 5, all the testing with real life signals was done with the antennas and the tags really close to each other (Less than 6 cm) in order to increase SNR and avoid channel fading issues, such as frequency shift and so. In the future, the use of high gain amplifiers for UHF ranges could be used to extend this design and allow further testing on large distance collision recovery. Furthermore, analog band pass filters could be used to increase SNR.

6.1.2 Use of different SDR Devices and More Antennas:

FastICA and Blind Signal separation in general can reconstruct a signal if enough recordings of mixed signals are provided. Although providing more signals to the algorithm would increase the processing time and increase the amount of resources needed for the recovery, this would also improve the success rate and allow approaching more challenging RFID scenarios. In the future, the use of SDR devices with more than two RX antennas could be considered to increase the recovery rate of collisions. For this specific scenario, two RX antennas were deemed enough, as the approach is to recover only one of the signals.

6.1.3 Real Time FastICA Recovery:

All the code for this framework was developed into Matlab/Octave language, being this a severe obstacle to test the system in real time, as those languages are interpreted ones. As the FastICA algorithm is an iterative one, speed into its execution is critical for a real time application. In the future, using this developed framework as a model, an application programmed in C language or even a FPGA model could be developed in order to increase speed of execution and make this model feasible to real time testing and RFID collision recovery on the fly. By doing this, the system could be evaluated with a Round Success Rate, which would determine if the FastICA recovered signals manage to get the EPC of any given tag.

6.1.3 Future Applications:

Although this is a framework related work, the capability of successful collision recovery opens the door to many applications in RFID. Some of them are listed below:

• Reduce the time on warehousing inventorying process. • Checking out many items at once in shopping scenarios.

62

• Improve the SNR of a tag in lo w SNR scenarios. • Toll collecting scenarios in highways. • Extend this model to other RFID standards, such as the low frequency ones.

(The same scenarios as above, for example NFC payments).

6.2 Conclusions:

As stated in the Section 5 of this report, the developed FastICA model was able to recover collisions from both simulation and real life signals. By providing two recordings of the same signal (Two RX antennas are the maximum which can be used on the USRP1 SDR device) it is possible to recover information from up to three tags in a collision. Please notice that this is only possible as we only care about the best possible decodable signal from the recovered ones. This is due to the fact that tags have a timeout period after which they lost the generated RN16 value. We still need as many antennas as signals to recover all the possible generated replies.

We have found that Miller M=2 is the modulation scheme that best performs on FastICA recovery, even decreasing its Tag Error Rate as the SNR tends to improve. Miller M=4 and M=8 have similar performance, although the last ones show slightly worst performance. In contrast to the results obtained by Miller schemes, the FM0 scheme is the one which performs worst, with its Tag Error Rate decreasing initially as the SNR tends to improve, but then suddenly and slowly increasing from the value of 15 in SNR.

Also is important to notice that not all the collisions are able to be recovered, due to the destructive interference and also due to a lack of enough received mixed signals to reconstruct the actual original signals. In order to maximize the possibility of recover a correct tag response, two methods based on the spacing of the rising edges and in the correlation scores were developed in order to pick the best signal from the recovery.

In conclusion, a framework compliant to the ISO 1800-6C RFID standard was developed, which will allow RFID debugging and also further testing and simulation of scenarios for designing solutions to collision and to improve the performance of high throughput RFID systems.

63

Appendices

Appendix A

Companion Disk:

All the folders contain a README file describing files and programs:

• Thesis Folder: o A copy of this document in .docx and .pdf is provided for convenience. o A copy of the Conference paper in .docx and .pdf is provided for

convenience. o A copy of the Demo Poster in .pptx and .pdf is provided for convenience.

• Reference Folder: o A copy of all the papers and references used for this project is provided.

• Framework Folder: o A copy of all the developed software for Matlab / Octave is provided.

The folder Is divided in three sub-folders: � rfid-listener: Implementation of the RFID Listener. � rfid-generator: Implementation of the RFID Signal Generator. � rfid-model: Implementation of the FastICA model.

• SDR Folder: o A copy of the referenced open source SDR RFID Reader is provided.

• RFID Records Folder: o A copy with some of the used tag recordings from the SDR device is

provided.

64

Appendix B

rfid-gen2 GitHub Repository:

The Michael Buettner’s RFID SDR Reader, was ported from GNU Radio 3.3 to the 3.7 version and new functionality was implemented, such as:

• Capability of capture from 2 boards on the USRP1 device. • Capability of using other SDR devices rather than USRP1 device.

Because of the use of open source components and the requirements of the open source licenses, those modifications are released back to the community, as well as the source code for the developed framework.

The source code for both the framework and the RFID SDR Reader is available at the author’s GitHub: https://github.com/brunoprog64/rfid-gen2

The GitHub repository has the following branches:

• master: Contain the original source code from the RFID Gen2 Reader. • gr3.7: Contain the ported source code to GNU Radio 3.7 and the Framework.

The GitHub repository does not contain the recorded tag sessions (Due to file size). Users are encouraged to record their own RFID sessions.

65

Appendix C

Physical Distribution for the Capture of Signals:

The following image shows how the components were located during the capture procedure mentioned in Section 5.

Figure 27: Distribution of the Tags, RX and TX antennas and the SDR device used for this project.

66

Bibliography

[1] D. M. Dobkin, The RF in RFID: UHF RFID in Practice: Newnes, 2012.

[2] M. Azambuja, C. A. Marcon, and F. P. Hessel, "Survey of Standardized ISO 18000-6 RFID

Anti-collision Protocols," in Sensor Technologies and Applications, 2008.

SENSORCOMM '08. Second International Conference on, 2008, pp. 468-473.

[3] Y. Sun, P. J. Hawrylak, and M. H. Mickle, "Application of ICA in collision resolution for

passive RFID communication," in Proceedings of the World Congress on Engineering

and Computer Science, 2009.

[4] R. Want, "RFID Explained: A Primer on Radio Frequency Identification Technologies,"

Synthesis Lectures on Mobile and Pervasive Computing, vol. 1, pp. 1-94, 2006/01/01

2006.

[5] H. Lehpamer, RFID design principles: Artech House, 2012.

[6] A. Razaq, W. T. Luk, and L. M. Cheng, "Privacy and Security Problems in RFID," in Anti-

counterfeiting, Security, Identification, 2007 IEEE International Workshop on, 2007, pp.

402-405.

[7] S. A. Ahson and M. Ilyas. (2008). RFID Handbook : Applications, Technology, Security,

and Privacy. Available: http://UQL.eblib.com.au/patron/FullRecord.aspx?p=332409

[8] A. Razaq, L. Wai Tong, S. Karn Man, C. Lee Ming, and Y. Kai Ning, "Second-Generation

RFID," Security & Privacy, IEEE, vol. 6, pp. 21-27, 2008.

[9] E. Global, "UHF Class 1 Gen 2 Standard v. 2.0.0," ed, 2013.

[10] A. Hyvärinen and E. Oja, "Independent component analysis: algorithms and

applications," Neural networks, vol. 13, pp. 411-430, 2000.

[11] A. Hyvärinen, "Fast and robust fixed-point algorithms for independent component

analysis," Neural Networks, IEEE Transactions on, vol. 10, pp. 626-634, 1999.

[12] N. Ayer, "Evaluation of ISO 18000-6 Type C Class 1 Generation 2 RFID protocol

artifacts," 1460677 M.S., The University of Texas at Arlington, Ann Arbor, 2008.

[13] L. Zhu, "A Theory of RFID Anti-collision Mechanisms," 3484743 Ph.D., The Chinese

University of Hong Kong (Hong Kong), Ann Arbor, 2010.

[14] Y. Sun, "Collision Resolution in ISO 18000-6C Passive RFID Communication," University

of Pittsburgh, 2011.

[15] C. Angerer, R. Langwieser, and M. Rupp, "RFID Reader Receivers for Physical Layer

Collision Recovery," Communications, IEEE Transactions on, vol. 58, pp. 3526-3537,

2010.

[16] Y. Lei, H. Jinsong, Q. Yong, W. Cheng, L. Yunhao, C. Ying, et al., "Revisting Tag Collision

Problem in RFID Systems," in Parallel Processing (ICPP), 2010 39th International

Conference on, 2010, pp. 178-187.

[17] J.-R. Cha and J.-H. Kim, "Novel anti-collision algorithms for fast object identification in

RFID system," in Parallel and Distributed Systems, 2005. Proceedings. 11th

International Conference on, 2005, pp. 63-67.

[18] J. Cheng, C. Sung Ho, and J. Ki Yong, "Performance Evaluation of RFID EPC Gen2 Anti-

collision Algorithm in AWGN Environment," in Mechatronics and Automation, 2007.

ICMA 2007. International Conference on, 2007, pp. 2066-2070.

[19] W. Hong Gang, P. Chang xing, and Z. Feng, "Pulse Detection Based Anti-Collision

Protocol for Passive RFID System," in Wireless Communications, Networking and

Mobile Computing, 2009. WiCom '09. 5th International Conference on, 2009, pp. 1-5.

[20] M.-K. Yeh, J.-R. Jiang, and S.-T. Huang, "Adaptive splitting and pre-signaling for RFID tag

anti-collision," Computer Communications, vol. 32, pp. 1862-1870, 11/15/ 2009.

[21] W. Jianwei, W. Dong, Z. Yuping, and T. Korhonen, "Fast Anti-Collision Algorithms in

RFID Systems," in Mobile Ubiquitous Computing, Systems, Services and Technologies,

2007. UBICOMM '07. International Conference on, 2007, pp. 75-80.

67

[22] C. Ji Hwan, L. Dongwook, and L. Hyuckjae, "Query tree-based reservation for efficient

RFID tag anti-collision," Communications Letters, IEEE, vol. 11, pp. 85-87, 2007.

[23] W. Liang-Chin and L. Hsin-Chin, "A Novel Anti-Collision Algorithm for EPC Gen2 RFID

Systems," in Wireless Communication Systems, 2006. ISWCS '06. 3rd International

Symposium on, 2006, pp. 761-765.

[24] R. S. Khasgiwale, R. U. Adyanthaya, and D. W. Engels, "Extracting information from tag

collisions," in RFID, 2009 IEEE International Conference on, 2009, pp. 131-138.

[25] C.-H. Quan, W.-K. Hong, and H.-C. Kim, "Performance Analysis of Tag Anti-collision

Algorithms for RFID Systems," in Emerging Directions in Embedded and Ubiquitous

Computing. vol. 4097, X. Zhou, O. Sokolsky, L. Yan, E.-S. Jung, Z. Shao, Y. Mu, et al., Eds.,

ed: Springer Berlin Heidelberg, 2006, pp. 382-391.

[26] L. Yuan and Y. He, "Application of ICA-based anti-collision algorithm in RFID system,"

Analog Integrated Circuits and Signal Processing, vol. 63, pp. 169-175, 2010/05/01

2010.

[27] S. Duangsuwan and S. Promwong, "RFID Reader Receiver Using Blind Signal Estimation

for Multiuser Detection," International Journal of Information and Electronics

Engineering, vol. 4, pp. 153-157, 2014.

[28] T.-P. Jung, C. Humphries, T.-W. Lee, S. Makeig, M. J. McKeown, V. Iragui, et al.,

"Extended ICA removes artifacts from electroencephalographic recordings," Advances

in neural information processing systems, pp. 894-900, 1998.

[29] T.-P. Jung, S. Makeig, C. Humphries, T.-W. Lee, M. J. Mckeown, V. Iragui, et al.,

"Removing electroencephalographic artifacts by blind source separation,"

Psychophysiology, vol. 37, pp. 163-178, 2000.

[30] A. F. Mindikoglu and A. J. van der Veen, "Separation of overlapping RFID signals by

antenna arrays," in Acoustics, Speech and Signal Processing, 2008. ICASSP 2008. IEEE

International Conference on, 2008, pp. 2737-2740.

[31] D. D. Donno, F. Ricciato, L. Catarinucci, A. Coluccia, and L. Tarricone, "Challenge:

towards distributed RFID sensing with software-defined radio," presented at the

Proceedings of the sixteenth annual international conference on Mobile computing

and networking, Chicago, Illinois, USA, 2010.

[32] M. Buettner and D. Wetherall, "A "Gen 2" RFID monitor based on the USRP,"

SIGCOMM Comput. Commun. Rev., vol. 40, pp. 41-47, 2010.

[33] M. Buettner and D. Wetherall, "A software radio-based UHF RFID reader for PHY/MAC

experimentation," in RFID (RFID), 2011 IEEE International Conference on, 2011, pp.

134-141.

[34] A. Briand, B. B. Albert, and E. C. Gurjao, "Complete software defined RFID system using

GNU radio," in RFID-Technologies and Applications (RFID-TA), 2012 IEEE International

Conference on, 2012, pp. 287-291.

[35] S. Dawei, G. Woo, D. P. Reed, A. B. Lippman, and W. Junyu, "Separation of multiple

passive RFID signals using Software Defined Radio," in RFID, 2009 IEEE International

Conference on, 2009, pp. 139-146.

[36] D. De Donno, L. Tarricone, L. Catarinucci, V. Lakafosis, and M. M. Tentzeris,

"Performance enhancement of the RFID epc gen2 protocol by exploiting collision

recovery," Progress In Electromagnetics Research B, vol. 43, pp. 53-72, 2012.