Arduino RFID Emulator

Forum 2005-2010 (read only) Software Syntax & Programs
1

I'm trying to build an Arduino based RFID emulator. I found this project that uses an AVR to do exactly what I want http://www.alexanderguthmann.de/en/emulator.html . From what I understand I need to generate a 125KHz wave with that uses amplitude modulation to transmit the data (which is manchester encoded). So, as a real beginner with this stuff, I have some pretty basic questions.

  1. Can I generate the sine wave by turning the pin off and on at the correct rate (125KHz)?
  2. If that's how I do it, how to I emulate amplitude modulation?

From what I understand from his C code, he's using one of the built in timers and messing with the amplitude based on if the bit is a one or a 0. Here's what looks like a relevant C code (and some non-relevant serial stuff).

#include <avr/io.h>
#include <avr/sfr_defs.h>
#include <compat/ina90.h>
#include <avr/interrupt.h>
#include <stdlib.h>
#include <avr/sleep.h>
#include <inttypes.h>



#ifndef F_CPU


#define F_CPU 8000000UL    // Systemtakt in Hz - Definition als unsigned long beachten >> Ohne ergeben Fehler in der Berechnung
#endif
 
#define BAUD 9600UL          // Baudrate
 
// Berechnungen
#define UBRR_VAL ((F_CPU+BAUD*8)/(BAUD*16)-1)   // clever runden
#define BAUD_REAL (F_CPU/(16*(UBRR_VAL+1)))     // Reale Baudrate
#define BAUD_ERROR ((BAUD_REAL*1000)/BAUD) // Fehler in Promille, 1000 = kein Fehler.
 
#if ((BAUD_ERROR<990) || (BAUD_ERROR>1010))
  #error Systematischer Fehler der Baudrate grösser 1% und damit zu hoch! 
#endif
/* Zusaetzlich zur Baudrateneinstellung und der weiteren Initialisierung: */


 uint8_t getc()
{
  while (!(UCSRA & (1<<RXC)))   // warten bis Zeichen verfuegbar
  {
  }
  return UDR;
}

   unsigned char zeichen,z1,z2,z3;
   
   
   #ifndef cbi
#define cbi(sfr, bit) (_SFR_BYTE(sfr) &= ~_BV(bit))
#endif
#ifndef sbi
#define sbi(sfr, bit) (_SFR_BYTE(sfr) |= _BV(bit))
#endif

volatile int bit_counter=0;
volatile int byte_counter=0;
volatile int half=0;
   


#define ZEILEN 5
#define SPALTEN 8

unsigned char card_ID[ZEILEN][SPALTEN] =            //Die ID des zu emulierenden 
   {{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},      //RFID tags
    {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},   
    {0x00,0x00,0x00,0x00,0x44,0x00,0x00,0x00},  
    {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},   
    {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}  
   }; 
 
 
 unsigned char data[8];

void delay_ms(int ms) {              // 1.000 MHz
  int m;
  for (m=0; m < ms; m++) {
      TCNT0=0;
      while (TCNT0 <  125);
  }
}

ISR(SIG_OUTPUT_COMPARE1A){
    TCNT1=0;



      if (((data[byte_counter] << bit_counter)&0x80)==0x00) {
          if (half==0) cbi(PORTB,PB1);
          if (half==1) sbi(PORTB,PB1);
      }
      else {
          if (half==0) sbi(PORTB,PB1);
          if (half==1) cbi(PORTB,PB1);
      }
    
      half++;
      if (half==2) {
          half=0;
          bit_counter++;
          if (bit_counter==8) {
              bit_counter=0;
              byte_counter=(byte_counter+1)%8;
            }
      }
}
 
 
 
 int main(void)
{

  int k;
  DDRB=0xFF;
  DDRD=0x00;
  PORTC=0x00;
  DDRC  = 0xff;

    UCSRB |= (1<<TXEN);                // UART TX einschalten
    UCSRC |= (1<<URSEL)|(3<<UCSZ0);    // Asynchron 8N1 
      UCSRB |= ( 1 << RXEN );
 
    UBRRH = UBRR_VAL >> 8;
    UBRRL = UBRR_VAL & 0xFF;
      
      int i, j, l, u;
      
z1 = 0xFF;
i = 0;
j = 0;
u = 0;

while (1)
{
z3 = getc();

if(z3 == 0x73) //Warten bis ASCII S auf der seriellen schnittstelle liegt
{


while (1)
{

z1 = getc();

//  z1 = 0x43;

if (z1 == 0x65) //65 = ASCII E  E = Exit
{
break; //Schleife verlassen
}



  if (j == 8) {
  j = 0;
  i++;
  }
  
   card_ID[i][j] = z1;
 j++;

u = 1;  

}

      
}

if (u == 1)
{
break;
}

}

      
PORTC ^= ( 1 << PC0 ); //Control LED anschalten

        TCCR0 = 2;             

  TCCR1B = 3;

          

  unsigned char sel = (PINC >> 1) & 0x07;
  OCR1A = 30 + sel;
  

  for (k=0;k<8;k++) data[k]=card_ID[2][k];   //Eine Zeile des Arrays emulieren
  
  sbi(TIMSK, OCIE1A);       

  sei();

  while (1) {

  }
    return 0;  
      
      
}

Thanks

2

Does this program work?

Does this program do exactly what you want?

3
  1. Can I generate the sine wave by turning the pin off and on at the correct rate (125KHz)?

If you want the arduino to emulate an RFID tag then you do not make the arduino generate the signal. You use a coil to pick up the signal from the reader and make it generate an interrupt every cycle. Then you use an interrupt service routine to modulate a load on the coil. You can do this by switching a resistor across it. The simplest way is to connect the coil to a pin through a resistor. Then for no load make the pin an input and for load make it an output and write low to it.

4

I've heard the program works, and it does do what I'm trying to do. I actually got this already though. I didn't try to use an interrupt, I should try that though, it may work better than what I have. Right now I have the base of a transistor connected to a pin on my Arduino with the collector and emitter connected to the antenna. I also have a tuning capacitor and a connection to ground. When I set the pin to high then it de-tunes the antenna, and when set it to low I don't then the antenna is tuned. I'm able to broadcast data I'd like to the reader.

Thanks for your help.

5

I've heard the program works,

yes the internet is full of stuff like that.

and it does do what I'm trying to do

Is that by any chance trying to emulate a tag to fool the reader into thinking one with a certain ID has been presented and then cycling through the combinations until you hit one that opens a door?

I'm able to broadcast data I'd like to the reader.

No not if you supply the clock you can't. There is a chance you could swamp the reader with a signal that it has not generated but that is not going to work with any decent reader electronics. The way the signal is decoded normally relays on the reference signal given by the clock generating the field.

6

I'm sorry about saying I heard the program works, it been used by several other people and it sounds like it works. As far as uses, it was mostly just to learn more about how it all works. Since it does work it could be used to brute force tag IDs or rebroadcast a known good ID, or be used for fuzzing, or whatever you want to do with it.

As far as it working or not and with what type of reader, all I know is that it works with the Parallax LF RFID reader http://www.parallax.com/Store/Microcontrollers/BASICStampModules/tabid/134/ProductID/114/Default.aspx?SortField=ProductName%2CProductName (it was on sale for $29.99 at Radioshack when I was there over the weekend, so I picked one up). I don't know how well this compares to other readers as far as quality, and I don't know how well my design would work with other readers. It sounds like you have more experience with this than me so maybe you can give your opinion or that reader, I've basically just started on all this on Saturday. With that reader I can broadcast whatever ID I want to it.

I agree with you on supplying the clock, I'm kind of guessing the reason it does work is because I'm looping through and sending the same ID over and over again, and since I'm not waiting at all between sending the loop, every now and then the clocks sync up good enough to for the reader. This would make sense because sometimes it can take a second or two before it reads the ID. Obviously this design isn't great for brute forcing IDs since you don't have a high level of assurance that the ID is being recieved by the reader (unless you broadcast the same one many times). I'll post the schematic and sketch somewhere and link to them here (both are really simple).

7

To see schematics and code go to http://www.instructables.com/id/Stupid-Simple-Arduino-LF-RFID-Tag-Spoofer/