GNU Radio
3.1.4 Converting Raw Data to Packets
From the standard, we know that the start bits of PCD-to-PICC and PICC-to-PCD transmissions are logical zero and one, respectively. The start bit is used to synchronize the data transmission. After the start bit is found, the data demodulation becomes simple.
Hence, the most important task is to find the start bit in the received signal.
Our signal processing block continuously scans the data buffer, trying to find synchronization points at which there are dramatic downward transitions from high to low in the signal. Starting at each of these synchronization points, our software captures about 18 subsequent samples to determine one bit. The number of sample points in one bit interval is given by a simple formula: sampling rate / decimation rate / baud rate. The sampling rate is 64 MHz, the decimation rate is 32, and the data baud rate is 106 kilobits per second, resulting in the aforementioned number. Concerning the physical transmission, load modulation is very sensitive to the distance between the antenna and the source. Hence, the PICC's signal disappears when the distance is larger than 10 centimeters. Although the distance affects load modulation, the PCD's signal is 100% ASK modulation and hence is much stronger than the PICC signal.
Figure 3.2: Signal coding by frequently changing line codes in RFID systems (panels: NRZ, Manchester, and Modified Miller for the bit sequence 1 0 1 1 0 0 1 0)
In our experiment, the PCD signal can be captured at a distance of at least two meters. We show an example trace with a REQA at the beginning of an anti-collision packet in Figure 3.4. While the sampled value of a low signal is approximately zero, the value of a high signal becomes smaller as the distance between the PCD and the antenna increases. The difference between the high and low signals keeps degrading as the distance increases, to a point at which the level of background noise exceeds that of the high signal with non-negligible probability. At this point, the packet error rate becomes too high, and the subsequent cryptanalysis becomes extremely challenging.
We scan from right to left to find synchronization points and to divide the signal into bits. Converting the raw samples in each interval to bits and merging the bits into packets are the main tasks of our sniffer. In the following, we explain how to convert the samples in one interval into a bit.
PCD ← PICC
An example of the captured load-modulated traffic from PICC to PCD is shown in Figure 3.5. To decode Manchester coding, we divide one time quantum into two parts. In Manchester coding, a waveform change from high to low represents a logical "one",
Figure 3.3: Normalized Raw Samples in an Oscilloscope
Figure 3.4: Normalized Raw Samples for REQA (0x26) (annotated with the normalization and the synchronization point)
Figure 3.5: Raw Samples of ATQA (0x40)
carrier is sensitive to environmental factors including the distance, angle, and direction between the PICC and the antenna. If the antenna is not placed in the right position, the demodulation of the load-modulated signal might fail.
In our software, the average of the samples in an interval is used as the base value that is used to determine whether the signals are low or high. Every sample in the interval is compared against this base value and declared a high if it is larger and low otherwise.
At the beginning, our software recursively compares the value of the previous point V_pre with that of the current point V_cur to decide the synchronization point. The comparison condition is defined by a ratio R such that R × V_pre < V_cur. Assume there are 18 samples in an interval, v0, v1, ..., v17, the average of the samples is V, and the local maximum and minimum are localmax and localmin, respectively. If the lower bound of a logical zero is lower0, then
lower0 = V − |localmax − localmin| × 0.1, where the threshold ratio of 0.1 is determined experimentally.
Finally, we decide between logical one and zero by counting the low and high samples in an interval.
If the number of high samples in the first half exceeds 5, then we declare that the bit is a logical one. Otherwise, the bit is logical zero.
PCD → PICC
Another transmission code is the modified Miller code. We apply the same method as above to decide synchronization points and base values. The PCD modulation is 100% ASK, which is easier to demodulate than load modulation. We again divide each one-bit sampling interval into two parts. If we detect a low signal in the second part, we declare a logical one; otherwise, a logical zero. Figure 3.4 shows a sample signal captured by our sniffer, in which the data bits are calculated based on the low-voltage samples.
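The bit decisions of both directions above, as an added example that is not the thesis's own code: it applies the 18-sample interval, the lower0 threshold, the Manchester first-half count and the Modified Miller second-half test to constructed normalized traces (high about 1.0, low about 0.0). The sync ratio R = 0.5 written for a left-to-right scan as V_cur < R × V_pre, the swing floor, and the alignment of the first interval at the sync point are assumptions, not values from the thesis.

```python
SAMPLES_PER_BIT = int(64e6 / 32 / 106e3)  # sampling rate / decimation rate / baud rate = 18

def find_sync_point(samples, ratio=0.5):
    """Index of the first dramatic high-to-low transition, i.e. V_cur < R * V_pre.
    R = 0.5 is an assumed value; the thesis defines R but does not state its value."""
    for i in range(1, len(samples)):
        if samples[i] < ratio * samples[i - 1]:
            return i
    return None

def zero_threshold(interval):
    """lower0 = V - |localmax - localmin| * 0.1, with V the interval average."""
    v = sum(interval) / len(interval)
    return v - abs(max(interval) - min(interval)) * 0.1

def manchester_bit(interval):
    """PICC -> PCD: a one has more than 5 high samples in the first half."""
    thr = zero_threshold(interval)
    highs = sum(1 for s in interval[: len(interval) // 2] if s > thr)
    return 1 if highs > 5 else 0

def miller_bit(interval, swing_floor=0.2):
    """PCD -> PICC: a one has a low (pause) somewhere in the second half. swing_floor is
    an assumption: with no swing the threshold equals the mean and every sample reads low."""
    if max(interval) - min(interval) < swing_floor:
        return 0
    thr = zero_threshold(interval)
    return 1 if any(s <= thr for s in interval[len(interval) // 2 :]) else 0

def decode_frame(samples, bit_decoder, nbits):
    """Slice the trace into SAMPLES_PER_BIT intervals starting at the sync point."""
    start = find_sync_point(samples)
    bits = []
    while start is not None and len(bits) < nbits:
        interval = samples[start : start + SAMPLES_PER_BIT]
        if len(interval) < SAMPLES_PER_BIT:
            break
        bits.append(bit_decoder(interval))
        start += SAMPLES_PER_BIT
    return bits

# Constructed PCD trace: idle carrier, a start bit with its pause at the interval start,
# then data bits 1, 0, 1 (pause in the second half = one, no pause = zero).
H, L = 1.0, 0.0
MILLER_ONE = [H] * 9 + [L] * 3 + [H] * 6
MILLER_ZERO_PAUSE, MILLER_ZERO_NOPAUSE = [L] * 3 + [H] * 15, [H] * 18
PCD_TRACE = [H] * 5 + MILLER_ZERO_PAUSE + MILLER_ONE + MILLER_ZERO_NOPAUSE + MILLER_ONE

print(decode_frame(PCD_TRACE, miller_bit, 4))  # -> [0, 1, 0, 1]: start bit, then data
```

Because lower0 is relative to the interval's own swing, a weaker high level at larger distance (as described above for the PCD signal) still decodes until noise swamps the swing.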
3.2 Proxmark3
The Proxmark3 is a general-purpose RFID tool that can disguise itself as a PCD or PICC, as well as monitor the communication between a commercial PCD and PICC [19]. The Proxmark3 works from low frequency (125 kHz) to high frequency (13.56 MHz). The Proxmark3 consists of several hardware units, including an Atmel AT91SAM7S256 CPU, a Xilinx Spartan XC2S30 FPGA, as well as analog-to-digital conversion circuitry, etc. A detailed description is given below for the sake of completeness of this thesis.
• CPU: ARM, 256 kB of flash memory, 64 kB of RAM
• FPGA: Xilinx Spartan II
• Two independent RF circuits, HF and LF
• Power: through USB port
• Connectivity: one mini-USB port
• User interface: one button, four LEDs
• Open-source design, both hardware and software
The hardware description and development information can be found on the official website of Proxmark3 [19]. In this thesis, we utilize the Proxmark3 as a PICC and PCD emulator.
In the PCD-based attack, we program the ARM on the Proxmark3 with ARMCC. First, the host PC tells the Proxmark3 to emulate a PCD. Before the Proxmark3 initiates the communication with the PICC, it prepares the packets by pushing them onto a stack in RAM. Second, it sets the FPGA to handle the appropriate signal channel. The FPGA functions as a coprocessor that helps the ARM CPU pass the prepared data to the modulation circuit and brings the demodulated signal back into a buffer of the ARM CPU. We then need to decode the received packet and pass the relevant information to the PICC.