Saturday, July 18, 2009

toorcamp badge hacking

The badges at Toorcamp were solder-yourself passive RFID detectors. With the jumper in one position, an LED lights up in the presence of 125 kHz signals (used by low frequency RFID tags). With the jumper in the other position, a second LED indicates the presence of 13.56 MHz signals (used by high frequency RFID tags and Near Field Communication).

The circuit is very simple. Each side consists of an inductive loop (of traces on the circuit board), a tuning capacitor (forming a tank circuit with the loop), and an LED. It is powered by the received signals (as are passive RFID tags). I've tested my badge by holding it up to both types of RFID readers, and it works perfectly. Unfortunately it only works at very close range, so it isn't the most useful device on its own. As a component in other circuits, however, the unit has great potential.

Thanks to some spare parts and excellent soldering equipment provided by my friends at the Dorkbot campsite, I was able not only to assemble the badge but to perform a simple modification that turned it into a low frequency RFID decoder (in conjunction with a laptop computer). All I had to do was attach a cable with an audio plug in place of the jumper. At the camp, I soldered the audio cable directly to the board, but I have since reworked it with a plug that can be removed or repositioned on the header.

125 kHz RFID tags (at least the ones I've had an opportunity to play with) use a double modulation scheme. The data signal is frequency modulated (FSK) in the neighborhood of 14 kHz, and then the resulting signal is amplitude modulated up to 125 kHz. One way to demodulate the over-the-air signal is to perform the whole process in reverse: undo the amplitude modulation to get back to 14 kHz FSK, and then FM demodulate back to the baseband signal.

The first step can be done with a small analog circuit. The simplest way to demodulate an AM signal is to rectify the signal (only allowing current to pass in one direction) with a diode and then smooth the resulting signal with a low pass filter (which can be as simple as a single capacitor). This results in a waveform that represents the envelope, the amplitude variations over time, of the original signal. Lucky for me, the LED on the Toorcamp badge is a diode that rectifies the signal! With the badge plugged into a laptop's microphone jack, the sound card's anti-aliasing filter does the smoothing, and the resulting signal of approximately 14 kHz is within the range that the sound card can record.

The FSK demodulation can then be done in software, allowing the whole setup to act as a close-range RFID decoder. You could even plug the badge into a small audio recorder and decode recorded signals later on a computer.
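To make the two-stage scheme concrete, here is an added simulation of the whole receive chain in pure Python. It is not code from the original post or from the badge project: it constructs a tag-style signal (an FSK tone per bit, amplitude modulated onto the 125 kHz carrier), models the LED and smoothing as a half-wave rectifier followed by an RC low-pass, decimates the result to a 48 kHz sound-card rate, and then recovers each bit in software by comparing the energy at the two tone frequencies with a Goertzel detector. The tone frequencies (12 and 15 kHz), the 1 ms bit period, the modulation depth, the 40 kHz filter corner and the sample rates are all assumed values chosen so the simulation is clean, not the timing of any particular tag format.

```python
"""Simulated decode chain for the badge: AM envelope detection, then FSK demodulation.

Added example, not code from the original post. Carrier aside, the tone frequencies,
bit period, modulation depth, filter corner and sample rates are assumed/constructed.
"""
import math

CARRIER_HZ = 125_000                 # the 125 kHz reader field described in the post
TONE0_HZ, TONE1_HZ = 12_000, 15_000  # assumed FSK tones, "in the neighborhood of 14 kHz"
BIT_SECONDS = 0.001                  # assumed bit period: 12 or 15 whole tone cycles per bit
MOD_INDEX = 0.5                      # assumed AM depth
SIM_RATE = 960_000                   # sample rate used to synthesise the RF waveform
AUDIO_RATE = 48_000                  # sound-card rate the envelope is decimated to
DECIM = SIM_RATE // AUDIO_RATE       # 20 RF samples per audio sample


def modulate(bits):
    """Constructed tag signal: one FSK tone per bit, then amplitude-modulated onto the carrier."""
    per_bit = int(BIT_SECONDS * SIM_RATE)
    rf = []
    for i, bit in enumerate(bits):
        tone = TONE1_HZ if bit else TONE0_HZ
        for n in range(per_bit):
            t = (i * per_bit + n) / SIM_RATE
            baseband = math.sin(2 * math.pi * tone * t)          # FSK tone (phase-continuous)
            carrier = math.cos(2 * math.pi * CARRIER_HZ * t)
            rf.append((1.0 + MOD_INDEX * baseband) * carrier)   # AM onto 125 kHz
    return rf


def envelope_detect(rf):
    """Diode, capacitor, sound card: half-wave rectify, RC low-pass, then decimate to AUDIO_RATE."""
    rc = 1.0 / (2 * math.pi * 40_000)   # assumed corner: above the tones, well below the carrier
    dt = 1.0 / SIM_RATE
    alpha = dt / (rc + dt)
    y = 0.0
    smoothed = []
    for x in rf:
        rectified = max(x, 0.0)          # the LED passes current in one direction only
        y += alpha * (rectified - y)     # single-pole low-pass: the smoothing capacitor
        smoothed.append(y)
    # Anti-aliasing filter plus ADC modelled as block averaging down to the audio rate.
    return [sum(smoothed[k:k + DECIM]) / DECIM
            for k in range(0, len(smoothed) - DECIM + 1, DECIM)]


def goertzel_power(block, freq_hz, rate):
    """Power in the DFT bin nearest freq_hz, computed with the Goertzel recurrence."""
    n = len(block)
    k = round(n * freq_hz / rate)
    coeff = 2.0 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def fsk_demodulate(audio, n_bits):
    """For each bit period, compare the energy at the two tones and pick the stronger."""
    per_bit = int(BIT_SECONDS * AUDIO_RATE)   # 48 samples: 12 kHz and 15 kHz land on exact bins
    bits = []
    for i in range(n_bits):
        block = audio[i * per_bit:(i + 1) * per_bit]
        mean = sum(block) / len(block)
        block = [x - mean for x in block]      # drop the DC offset left by the rectifier
        p0 = goertzel_power(block, TONE0_HZ, AUDIO_RATE)
        p1 = goertzel_power(block, TONE1_HZ, AUDIO_RATE)
        bits.append(1 if p1 > p0 else 0)
    return bits


def roundtrip(bits):
    """Modulate a constructed bit pattern, run the full receive chain, return the decoded bits."""
    return fsk_demodulate(envelope_detect(modulate(bits)), len(bits))


if __name__ == "__main__":
    pattern = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]   # constructed test pattern
    print("sent    ", pattern)
    print("decoded ", roundtrip(pattern))
```

The bit period and tones were picked so that each bit holds a whole number of tone cycles and each tone falls on an exact DFT bin of a 48-sample window, which keeps the two Goertzel outputs orthogonal; with a real tag you would first measure the bit timing from the recording and choose the window and tone bins to match, and a zero-crossing counter is a common alternative to Goertzel for the same decision.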

This simple modification just scratches the surface of what can be done with the Toorcamp badges. Having RFID frequency tuned loops available to plug into your own circuits makes it easy to play with both reception and transmission of RFID and NFC signals. For example, at the camp I used a second badge plugged into a USRP in order to transmit the 125 kHz signal needed to excite an RFID tag for testing the decoder.

Thanks again to everyone who made Toorcamp possible and to all the new friends I made there, especially the Dorkbot campers. It was an incredible experience.