♣️ 🤛🏼 🕺🏾 RFID emulator 🕦 👨‍👩‍👦 🎅🏾

EM Marine card emulator

Surely each of us who has ever been to ordinary offices was interested in how these contactless passes function. In this article, we will deal with the principle of operation of contactless cards and make an emulator from literally three radio components.

RFID technology

The appearance of RFID tags

RFID (English Radio Frequency IDentification, radio frequency identification) - has a fairly wide frequency range and a fairly large number of different standards that are somehow applicable to this technology. For reference: the frequencies used are: 125-135 kHz, 400 kHz, 6.78 MHz, 13.56 MHz (metro cards and bank cards), 27.125 MHz, 40.68 MHz, 433.29 MHz, 869 MHz, 915 MHz, 2.45 GHz, 5.8 GHz and 24.125 GHz. As you can see, the frequency range is very wide.

We will talk about the most widespread and least protected cards of the 125 kHz frequency range. I will analyze the EM Marine 4102 standard, as this is what I am most familiar with. However, the emulator code allows you to work with other standards operating at 125 kHz.

So that we can delve further into the theory, a few words should be said about how RFID works. Further in the text, information related to the 125 kHz EM Marine standard will be given, other RFID solutions are arranged in a similar way.

The reader, in addition to information exchange, supplies power. The tag is a ROM that is powered by an electromagnetic field, and after power is applied, it simply gives the recorded information.

This diagram clearly shows how the transmitter and receiver are arranged. Both oscillatory circuits are tuned to resonance and are used for data transmission and energy transmission, for powering a passive tag, which is our card.

More details about the principle of operation can be found in [1]

The insides of the disassembled card

If you disassemble the card, you can see an antenna in the form of a coil and a chip filled with a compound, which contains a ROM and a 75 pF capacitor.

Description of the EM4102 protocol

Before we go any further, let's understand the EM4102 standard that we will emulate. The EM4102 compliant RFID tag contains 64 bits of read-only memory. In fact, this is the ROM, that is, information can be read from it, but cannot be changed or written, in other words, this chip is stitched once at the factory. The memory structure of the tag can be seen in the figure below.

When the tag enters an electromagnetic field emitted by an RFID reader, it receives energy from the field (power) and starts transmitting data. The first 9 bits are logical ones. These bits are used as a sequence of tokens to indicate the start of transmission. Since all other data uses parity, this nine-bit sequence of ones will no longer occur anywhere else. Then there are 10 groups of 4 data bits and 1 parity bit for each group. Finally, there are 4 bits of the checksum and the last stop bit, which is always zero.

The tag repeats the data transfer cycle while it receives power. Therefore, we observe the constant reading of the tag on the reader.

I will give an example of the data transmitted by the label with the number: 0x06Is the version number, and 0x001259E3 is the data.

By the way, the number printed on the card can be translated into a hex number that the reader will receive. For example, the number is written on the card: 116,23152

116 in decimal notation is 0x74 in hexadecimal;
23152 in decimal is 0x5A70 in hex;

By combining them, we get the serial number of the card, which the reader will give us: 0x00745A70 .

Signal modulation

Data transmission from the tag to the reader is carried out by modulating the reader's carrier signal (in our case, the carrier frequency is 125 kHz). Please note that power is supplied from this carrier frequency and the signal is modulated by it. To begin with, let's consider a simplified scheme of interaction between a reader and a tag. Remember this picture, we will refer to it later.

As you can see, the tag has an LC oscillatory circuit, a diode that serves to rectify the alternating current, a capacitor for smoothing ripple (this is part of the tag's power supply), and a transistor, by controlling which we can modulate the signal. On the reader, this will be reflected in a change in the current flowing in the coil. Simply put, when it enters the field of the reader, the tag consumes an electric current (approximately constantly), when transmitting information, it changes the value of the consumed current by a transistor, and thus the reader can receive a signal by measuring the consumed power.

The reader generates a magnetic field using a modulator and a coil and picks up the modulated signal, then decodes it.

An example of modulation of a carrier signal

If I have not completely confused you, then let's go further. In order to transmit data, we need to modulate the signal. That is, it will superimpose the bits of the transmitted information on the carrier frequency.

There are three popular modulation schemes according to the RFID standard:

Manchester code
Two Phase Manchester Code
Phase Shift Coding

Since the EM4102 standard uses the Manchester coding scheme, we will consider it. When modulating for the EM4102 protocol, the transmission time of one bit can be 64, 32 or 16 periods of the carrier frequency (125 kHz).

With this coding, the mark changes the signal transmission level exactly in the middle of the transmission period of one bit. The transition from low to high level at these moments means the state of logical "1", and the transition from high level to low, represents the state of logical "0".

Real modulated signal captured on the coil of the reader.

Making an RFID emulator

Well, if you are still here and your head is not swollen from such calculations, then it's time to make an RFID emulator, from just two parts. In this simplicity lies genius. I assembled the device, borrowing the idea and code from Micah Dowty , photos are mine.

Here is such a miniature cockroach that may well emulate the

Project site tag . The code is very interesting, one might say brilliant and laconic (assembler is used). Let's dwell on it in detail. We will analyze it. You can see the code here .

To begin with, let's figure out how this thing generally functions, although by definition it shouldn't work, since it contradicts the usual microcontroller wiring diagram. The device diagram is taken from the source code.

An inductor of about 1 μH and an ATtiny85 microcontroller

This, ladies and gentlemen, is real Hacking, when the level of understanding of the features of the operation of the equipment allows you to create technical solutions that go beyond the limits indicated by the manufacturer! And it works, personally verified. This is the true meaning of the word "hacker", this is not about hacking and theft.

Looking ahead, I will say that this coil is not enough for normal operation, and yet I had to make a normal antenna, hang up the power supply capacitors, and a resonant capacitor. But for demonstrating the principles of work, it is quite suitable.

How does it work:

AVR /. /, . , . , . , . , . , .

AVR. , , , ( 0,1 ). AVR. , , 125!

. ATtiny85 2,5 . 1,8 . AVR , ...

, ! , , . Clock ! 125 , RFID. , !

? -, . . EM4102 32 . HID FSK 4 . RFID- . « » , RFID -.

Before we go to parse the code of this emulator, let's make it a normal antenna. My experiments with the current circuitry revealed extreme instability in its operation. It works only very close to the reader, and even then not always. Therefore, at first I soldered a 0.1 uF capacitor to the controller's power legs, and then I decided to make a real large oscillatory circuit, as in a real label.

The first modification is a 0.1 uF capacitor for power supply

Antenna creation

There are no tricks in creating a coil antenna, but you still need to familiarize yourself with the documentation and understand the physics of the process ... It's not difficult, and even a schoolboy can handle it, just a little patience and perseverance is required.

It is very easy to assemble and configure the antenna, just like in the picture from [1] .

To calculate the antenna, you need to remember a little theory. We need to make an oscillating circuit that will be tuned to a frequency of 125 kHz. Let's open the course of Theoretical Foundations of Electrical Engineering and read what an oscillatory circuit is:

An oscillating circuit, an electrical circuit containing an inductor and a capacitor in which electrical oscillations can be excited.

Parallel oscillatory circuit

If we leave all the mathematics and go to the point, the oscillatory circuit has such a parameter as the resonant frequency, which is determined by the formula.

f = \frac{1}{2 π \sqrt{L C}}

$f=\frac{1}{2\pi \sqrt{LC}}$

Where f is the oscillation frequency, L is the inductance of the coil, C is the capacitance of the capacitor.

In this case, we have a fixed parameter - the frequency, and we can play with the capacitance and inductance. In order to calculate the coil, we will use the document [2] . Everyone who is somehow going to make antennas for RFID tags (of any frequency) must familiarize themselves with it!

Many craftsmen, both for readers and emulators (the point is not important), make round coils. They are easier to count and manufacture, but they have a significant drawback - their linear dimensions are larger than the card. I want to make an inductor in the shape of a rectangle, with linear dimensions smaller than the dimensions of a standard card and so that the resulting device is the size of a standard RFID card. As a result, I choose the size of the future inductor practically the same as in the present mark, that is, about 70x40 mm... If the capacitor is selected 10 nF, then the inductance of the coil (from the formula above) should be 162 μH for us. Now let's look at the documentation for calculating a rectangular coil. For winding the coil, I chose a wire with a cross section of 0.2 mm. As a result, we open the corresponding section of the documentation, and the following glorious formula appears to our eyes.

As you can see, the parameters of the thickness and width of the coil are unknown and variable (they rest against the wire thickness of 0.2 mm), but general estimates gave me a figure of 42 turns. It would be possible to make several iterations, and make a straightforward accurate calculation, but in our piece case, it will do.

After that, it is necessary to make a frame 70x40 mm for winding the coil. I made it from PCB and wound a coil around it.

PCB frame

Winding and finished coil

Unfortunately, I don't have an inductance meter, so I had to proceed further using the scientific poke method. Since I probably made a mistake in the calculations, and in the number of turns when I wound the coil, as I did them approximately and by eye, I decided to select the resonant capacitance manually. To do this, I fixed the coil on the card reader, stuck its ends into the breadboard (“mattress with holes”), then began to connect the containers one by one, while registering the signal on the oscilloscope.

Getting Started with the Resonant Capacitor

First I checked the 10nF capacitor, which should be resonant. But the signal amplitude immediately dipped compared to the empty coil. Then I took a smaller capacitor. And so I went through the capacitors until I caught the resonance. Thus, the resonant capacitance of the capacitor was 3.2 nF.

Signal without capacitor, empty coil

10 nF signal

1 nF, 2 nF

3 nF, 4 nF, 2.2 nF

3.2 nF

It can be seen that I tried different options, and it was clear that the maximum lies somewhere between 3 and 4 nF and the result was a 3.2 nF capacitor (consisting of two capacitors in parallel). That's it, our reel is ready for further experiments.

In general, I want to note that a coil can generally be made in the form of tracks on a printed circuit board, and with a small series of products, this should be done. Here is an example of such a board, at 125 kHz from Alexander Guthmann . Unfortunately, the site has practically died, and the author has not been in touch for a long time, so we are content with only my photos. If anyone can help find it, I would be grateful! I don't know what happened to him.

Thus, making the emulator immediately in the form of a printed circuit board is no problem. I think having the manual [2] , you can calculate this yourself, since a fourteen-year-old German schoolboy could do it.

Let's go through the code

Let's take a quick look at the code, which you can see here . There is an example of emulation of two types of cards, I will analyze only the EM4102.

First of all, as the code says, when flashing the microcontroller, we need to flash the fuse bits to the value lfuse to 0xC0 : so that the controller is clocked from an external generator. I draw your attention to the fact that any controller flashing will be associated with the fact that it will need to be clocked from an external source, since we are setting fuse bits with generation from an external generator!

All code is based on macros. Let me remind you what macros are - a program that prepares code for compilation. Our program consists of just a few assembler instructions: rjmp, call (2 clocks), nop, ldi, out and ret (all 1 clock)! Everything, all the rest of the code is generated by macros depending on the serial number macro (define). The peculiarity of the work is that we have enough few clock cycles for normal work. Try to do something in 32 clock cycles, considering that the jump instructions in the AVR controller take 2 clock cycles. Therefore, all the code is generated by macros depending on the ID-card.

#define FORMAT_IS_EM4102
#define EM4102_MFR_ID		0x12
#define EM4102_UNIQUE_ID	0x3456789A

Define what type of card we are emulating and set ID cards. This is the main macro, on the basis of which the rest of the code is formed. And, tadam, his majesty macros.

    .macro	delay cycles
    .if \cycles > 1
    rjmp	.+0
    delay	(\cycles - 2)
    .elseif \cycles > 0
    nop
    delay	(\cycles - 1)
    .endif
    .endm

Delay macro, accepts the number of delay ticks as input. A fairly obvious recursive macro that performs the delay using the nop command (no operation, 1 clock cycle) and the rjmp. + 0 command (move to the next line, 2 clock cycles). By combining these commands with each other, you can make the delay of the desired length in measures. In fact, the code does nothing, it just wastes machine time.

If you are still thinking, then I will completely rape your brain, but the code is so ingenious that you will have to endure.

Recursive macro encoding by Manchester code.

    .macro	manchester bit, count=1
    .if		\count
    manchester (\bit >> 1), (\count - 1)
    .if		\bit & 1
    baseband_1
    baseband_0
    .else
    baseband_0
    baseband_1
    .endif
    .endif
    .endm

    .macro	stop_bit
    baseband_0
    baseband_1_last
    .endm

Actually, all the logic is implemented here. Accepts a bit mask and a bit counter as input. If the counter is not zero, then we call ourselves again, decrementing the counter (recursive macro, yeah). Further in the body itself there are calls to the baseband_0, baseband_1 and baseband_1_last macros. Depending on which bit we have “1” or “0”, we modulate the Manchester code signal from zero to one or from one to zero.

Remember above I gave a table in the article, how the contents of the card are encoded, where the parity bits go, and the stop bits at the end. So, our task now is to encode ID-tags with this method, for this we have two macros.

#define ROW_PARITY(n)  ( (((n) & 0xF) << 1) | \
                         (((n) ^ ((n) >> 1) ^ ((n) >> 2) ^ ((n) >> 3)) & 1) )

#define COLUMN_PARITY  ( (EM4102_MFR_ID >> 4) ^        \
                         (EM4102_MFR_ID) ^             \
                         (EM4102_UNIQUE_ID >> 28) ^    \
                         (EM4102_UNIQUE_ID >> 24) ^    \
                         (EM4102_UNIQUE_ID >> 20) ^    \
                         (EM4102_UNIQUE_ID >> 16) ^    \
                         (EM4102_UNIQUE_ID >> 12) ^    \
                         (EM4102_UNIQUE_ID >> 8) ^     \
                         (EM4102_UNIQUE_ID >> 4) ^     \
                         (EM4102_UNIQUE_ID) )

ROW_PARITY - calculating the parity bit in a four-bit string, COLUMN_PARITY - calculating the checksum of the entire message.

All the logic of our work is described in a macro in .main

        header
        manchester	ROW_PARITY(EM4102_MFR_ID >> 4), 5
        manchester	ROW_PARITY(EM4102_MFR_ID >> 0), 5
        manchester	ROW_PARITY(EM4102_UNIQUE_ID >> 28), 5
        manchester	ROW_PARITY(EM4102_UNIQUE_ID >> 24), 5
        manchester	ROW_PARITY(EM4102_UNIQUE_ID >> 20), 5
        manchester	ROW_PARITY(EM4102_UNIQUE_ID >> 16), 5
        manchester	ROW_PARITY(EM4102_UNIQUE_ID >> 12), 5
        manchester	ROW_PARITY(EM4102_UNIQUE_ID >> 8), 5
        manchester	ROW_PARITY(EM4102_UNIQUE_ID >> 4), 5
        manchester	ROW_PARITY(EM4102_UNIQUE_ID >> 0), 5
        manchester	COLUMN_PARITY, 4
        stop_bit

Well, that is, we just transfer the header 9 bits in the same way, then Manchester coding, calculating the parity bit for every 4 bits, at the end a checksum and a stop bit.

It remains to figure out what the baseband is. For this, we have one more wrapper macros (yes, how many is possible, eh?).

        .macro baseband_0
        rcall	baseband30_0
        rjmp	.+0
        .endm

        .macro baseband_1
        rcall	baseband30_1
        rjmp	.+0
        .endm
        
        .macro baseband_1_last
        rcall	baseband30_1
        rjmp	main
        .endm

        .macro header
        manchester 0x1FF, 9
        .endm

Baseband * macros - execute assembly code: call the appropriate functions, and then make a transition to another instruction. The baseband_1_last macro is similar to the baseband_1 macro, except that it makes an unconditional jump not to the command below, but to the beginning of the main function. Macro header - serves to display the header of nine bits of the same type equal to one, and calls the Manchester macro with the transmission of the number and number of transmitted bits.

The last thing left to parse is the baseband30_0 and baseband30_1 functions. They are described by the following code.

baseband30_0:
        ldi	r16, OUT_PINS		// 1
        rjmp	baseband30		// 2

        /*
         * Emit a 1 at the baseband layer.
         * Takes a total of 30 clock cycles, including call overhead.
         */
baseband30_1:
        ldi	r16, 0			// 1
        rjmp	baseband30		// 2
        
        /*
         * Internal routine for baseband32_0 and _1. Must use
         * a total of 24 clock cycles. (32 - 1 ldi - 2 rjmp - 3 rcall)
         */ 
baseband30:
        out	_SFR_IO_ADDR(DDRB), r16		// 1
        delay	19				// 19
        ret					// 4

Depending on which function is called baseband30_0 or baseband30_1, the value of what should be on the I / O pin is written to register r16: 1 or 0. After that, there is an unconditional transition to baseband30, output is carried out and a delay of 19 clock cycles, after which there is a return.

The greatest magic of this code is that it is calculated exactly before each clock cycle, each clock of transmission of the Manchester code takes exactly as many periods as allowed by the standard, namely 32 processor clock cycles! This is fantastically ingenious, you have to remember how many bars each command takes.

Let's compile it rather and see what it looks like, how all these macros expand. We compile with the make command (after installing avr-gcc) and disassemble the resulting elf file

00000000 __vectors:
   0:	0e c0       	rjmp	.+28     	; 0x1e __ctors_end
   2:	15 c0       	rjmp	.+42     	; 0x2e __bad_interrupt
...

First, we have interrupt vectors, but we are only interested in the first jump. Since the rest of the vectors do not lead anywhere.

0000001e __ctors_end:
  1e:	11 24       	eor	r1, r1
  20:	1f be       	out	0x3f, r1	; 63
  22:	cf e5       	ldi	r28, 0x5F	; 95
  24:	d2 e0       	ldi	r29, 0x02	; 2
  26:	de bf       	out	0x3e, r29	; 62
  28:	cd bf       	out	0x3d, r28	; 61
  2a:	02 d0       	rcall	.+4      	; 0x30 main
  2c:	11 c1       	rjmp	.+546    	; 0x250 _exit

Here we set up the I / O ports and call the main function. A main consists of an insane amount of calls to the baseband30 * and jump functions (this is how our hellish circus of macros unfolded).

00000030 main:
  30:	01 d1       	rcall	.+514    	; 0x234 baseband30_1
  32:	00 c0       	rjmp	.+0      	; 0x34 main+0x4
  34:	fd d0       	rcall	.+506    	; 0x230 baseband30_0
  36:	00 c0       	rjmp	.+0      	; 0x38 main+0x8
  38:	fd d0       	rcall	.+506    	; 0x234 baseband30_1
  3a:	00 c0       	rjmp	.+0      	; 0x3c main+0xc
  3c:	f9 d0       	rcall	.+498    	; 0x230 baseband30_0
  3e:	00 c0       	rjmp	.+0      	; 0x40 main+0x10
  40:	f9 d0       	rcall	.+498    	; 0x234 baseband30_1
  42:	00 c0       	rjmp	.+0      	; 0x44 main+0x14
  44:	f5 d0       	rcall	.+490    	; 0x230 baseband30_0
  46:	00 c0       	rjmp	.+0      	; 0x48 main+0x18
  48:	f5 d0       	rcall	.+490    	; 0x234 baseband30_1
  4a:	00 c0       	rjmp	.+0      	; 0x4c main+0x1c
  4c:	f1 d0       	rcall	.+482    	; 0x230 baseband30_0
...
 22e:	00 cf       	rjmp	.-512    	; 0x30 main

And so on ... until we jump back to main

Well, let's see how our baseband module looks like.

00000230 baseband30_0:
 230:	08 e1       	ldi	r16, 0x18	; 24
 232:	02 c0       	rjmp	.+4      	; 0x238 baseband30

00000234 baseband30_1:
 234:	00 e0       	ldi	r16, 0x00	; 0
 236:	00 c0       	rjmp	.+0      	; 0x238 baseband30

00000238 baseband30:
 238:	07 bb       	out	0x17, r16	; 23
 23a:	00 c0       	rjmp	.+0      	; 0x23c baseband30+0x4
 23c:	00 c0       	rjmp	.+0      	; 0x23e baseband30+0x6
 23e:	00 c0       	rjmp	.+0      	; 0x240 baseband30+0x8
 240:	00 c0       	rjmp	.+0      	; 0x242 baseband30+0xa
 242:	00 c0       	rjmp	.+0      	; 0x244 baseband30+0xc
 244:	00 c0       	rjmp	.+0      	; 0x246 baseband30+0xe
 246:	00 c0       	rjmp	.+0      	; 0x248 baseband30+0x10
 248:	00 c0       	rjmp	.+0      	; 0x24a baseband30+0x12
 24a:	00 c0       	rjmp	.+0      	; 0x24c baseband30+0x14
 24c:	00 00       	nop
 24e:	08 95       	ret

At the end, you can see how delay has expanded into a list of jump and nop for the delay. This is such beautiful magic.

Well, we figured out the code. Collect the drained brain from the ears, we proceed to the tests.

Tests

We will apply all the knowledge gained and conduct tests. We compile the firmware, flash the controller, remembering to set the Fuse bits correctly.

A scarf for firmware We

connect our oscillatory circuit and test it on a real industrial reader, no half measures, fair combat conditions.

Test bench

And, lo and behold! It works, reads correctly and gives the correct ID in a loop! Without external power supply, with operation only from the field. It remains to put all this in order and make a real RFID tag.

The final “laminated” version of the label

Total

I can honestly admit that I did not fully believe that it would work. Power supply from the field, non-standard operating modes of the controller, work strictly according to clock cycles, homemade inductor. Plus the work of RFID itself. And now, it seems like a trifling piece of work spreads for a couple of months of reading the documentation and debriefing. But it works, and this thing is really brilliant. So guys, this kind of thing is real hacking. Go for it!

Homework

Since you still read this cool article, I wrote it, tried it, did it, now it's time for you to try to do something. The emulator code contains a section that emulates HID Proximity cards with phase shift encoding. You should understand the HID standard and this coding for fun and better assimilation. Send the solution in the comments. Good luck.

RFID emulator