[HH] RFID hacking

Tom Metro tmetro+hhacking at gmail.com
Sat Dec 29 15:39:12 EST 2012 

I wrote:
> The author has some equally detailed project descriptions on her site:
> 
> http://scanlime.org/
> 
> covering things such as...an RFID tag made with a hand-wound antenna
> and duct tape...

The posting I ran across mentioning the hand-made RFID tag antenna
talked about some small feature or enhancement to the project and didn't
explain the big picture of what the author was trying to do. I had
assumed the small 8-pin chip shown in the photo with virtually no
support components was an IC made specifically to be an RFID tag.

A tweet today talking about how the firmware for this DIY tag has been
rewritten pointed to an earlier posting explaining the overall project:

http://scanlime.org/2008/09/using-an-avr-as-an-rfid-tag/

  ...building an RFID tag using no application-specific parts.  I used
  an Atmel AVR microcontroller (the ATtiny85) and a coil. That's it. You
  can optionally add a couple of capacitors to improve performance with
  some types of coils, but with this method it's possible to build a
  working RFID tag just by soldering a small inductor to an AVR chip.

  The coil actually powers the AVR through two of its I/O pins. Nearly
  every chip out there has clamping diodes on its I/O pins... These
  diodes are useful for arresting static discharge. When you first hold
  the RFID tag up to a reader, the chip has no power - the supply
  voltage is zero. When the coil starts to pick up power from the RFID
  reader, these two I/O pins are presented with a sine wave, a few volts
  in amplitude. Anywhere that sine wave exceeds the supply voltage, some
  energy is diverted from the coil to the chip's supply rails, via the
  clamping diode. The end result is that the chip is powered, and the
  coil's sine wave is truncated.

  Power filtering using the AVR's die capacitance. In the smaller
  prototype, there is no power filtering capacitor at all. In fact, the
  power is filtered by the internal capacitance of the power planes in
  the AVR's silicon die. This isn't much, but it makes the power supply
  stable enough that we can execute code even though the supply is
  pulsing at 125 kHz.

  The coil is the AVR's clock source. The inductor isn't just hooked up
  to any I/O pin: it's actually connected to the AVR's clock input.
  Remember the square-ish wave we're left with after the clamping diodes
  suck away some power? That waveform is now our clock input. The
  microcontroller is executing code at 125 kHz, in lockstep with the
  RFID reader's carrier wave.


That's amazing that it works. The author mentions how the AVR is rated
to run on 2.5V, but she is operating it "at barely over 1 volt." Seems
one would need to be a bit crazy to theorize this method of operation
and have enough expectation of it working to bother building it.

The author has a prior posting on building an RFID reader similarly
using no RFID-specific ICs. (I haven't read it, but I'm sure the
challenges were far less insane there.)

The most recent posting alludes to one of the more interesting
applications for this tech:

http://scanlime.org/2012/12/avr-rfid-optimized-and-ported-to-c/

  Trammell Hudson recently took a big step in this direction, in the
  name of creating a "multipass" card which could stay in his pocket and
  pretend to be any number of other cards.

This posting also mentions how the original firmware was structured (the
author is quoting Trammell Hudson here):

  ...the AVR's RCALL and RET instructions are quite slow -- 3 and 4
  clocks respectively -- so making a function call and returning from it
  requires seven clocks and would cause errors in the RF waveform. To
  get around this, Beth expanded all of the code inline to produce a
  single function that bit-bangs the coil loading with NOP's between
  each cycle. The 20-bit manufacturer ID (0x01002), 8-bit facility code
  and 16-bit unique ID, all Manchester encoded, required 80 instructions
  per bit for a total of 3700 instructions out of the Tiny85´s maximum
  of 4096. Supporting 34-bit cards would not be possible with this
  design, much less multiple card IDs!

Hudson goes on to explain how he used IJMP instruction, which executes
in only 2 clock cycles, instead and was able to make use of more space
efficient loops.

 -Tom

More information about the Hardwarehacking mailing list