This is not what you think it is, unfortunately. It has nothing to do with the USRP, but is the second in a series of posts which should really be entitled “Alice’s Adventures in NFC-land”. Since the second post in this series was supposed to be about demodulation/decoding, I’ll continue the title with the hopes of eventually porting this to the USRP.

This past week I attended training at ReCon, taught by Milosch Meriac. Milosch designed the OpenPCD2 line of RFID hardware, as well as some kick-ass firmware to go along with it. The most important thing I learned? “You know nothing, Jon Snow.” The training, entitled “Holistic NFC Hacking”, covered RFID hardware hacking, including sniffing and emulation (both of which have been a constant thorn in my side while trying to explore the world of NFC). This post will cover sniffing, and a follow-up will cover emulation.

Corey and I have been giving an Intro to NFC Security talk at various venues, in which we have a brief introduction to RFID/NFC waves and hardware. One of our slides shows a 0x52 (wakeup all tags) command that we captured on an oscilloscope followed by the tag’s response, which is the beginning of the anti-collision routine. We point out that, while all communication is propagated on a 13.56 MHz carrier wave, the PCD to PICC (reader to tag) side transmits data via Modified Miller encoding and modulates the wave at 100%. The PICC to PCD communication, however, uses Manchester encoding and modulates at only 10%. On top of that, the peaks of the 10% ASK modulation are mixed with an 848 KHz sub-carrier frequency. Here I’d say a picture is worth 10,000 words:
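To make the reader side concrete, here is a small Modified Miller encoder/decoder for that 0x52 frame (0x52 is the WUPA short frame in ISO 14443-3: 7 data bits, LSB first, no parity). This is an added example written for this post, not code from Milosch or the OpenPCD project. It draws each bit period on a two-half-bit grid where a pause (the reader switching the field off, the 100% ASK part) fills a whole half bit; a real reader's pause is only a short notch of a few microseconds, so the grid is a simplification chosen here. The sequence names X, Y and Z are the ones the standard uses.

```python
"""Reader -> tag (PCD -> PICC) encoding of ISO 14443-A: Modified Miller, 100 % ASK.
Added example for this post (not OpenPCD code).  The half-bit grid below is an
illustration choice: a pause is drawn as a whole half bit."""

# One bit period (128/fc = 9.44 us) drawn as two half bits: 1 = field on, 0 = pause.
SEQ = {"X": [1, 0],   # pause in the second half of the bit
       "Y": [1, 1],   # no pause during the whole bit
       "Z": [0, 1]}   # pause at the start of the bit
SEQ_OF = {tuple(v): k for k, v in SEQ.items()}


def short_frame_bits(cmd):
    """A short frame (0x26 REQA, 0x52 WUPA) carries 7 data bits, LSB first, no parity."""
    return [(cmd >> i) & 1 for i in range(7)]


def miller_sequences(bits):
    """Bits -> Modified Miller sequences.  Logic 1 is X.  Logic 0 is Y, except that a 0
    directly after the start of communication or after another 0 is Z, so the tag never
    goes more than about 1.5 bit periods without a pause to lock its clock to.
    Start of communication is Z; end of communication is a logic 0 followed by Y."""
    seqs = ["Z"]                                    # start of communication
    prev = "Z"
    for b in bits + [0]:                            # trailing 0 = the end-of-comm logic 0
        s = "X" if b else ("Y" if prev == "X" else "Z")
        seqs.append(s)
        prev = s
    seqs.append("Y")                                # end of communication
    return seqs


def miller_samples(bits):
    """Bits -> half-bit samples of the reader's field (1 = on, 0 = pause)."""
    return [v for s in miller_sequences(bits) for v in SEQ[s]]


def miller_decode(samples):
    """Half-bit samples -> bits.  The pause position identifies the sequence.  In data a
    Y can only follow an X, so a Y after a Y or Z is the end of communication and the
    element before it is the end-of-comm logic 0, which is dropped."""
    seqs = [SEQ_OF[tuple(samples[i:i + 2])] for i in range(0, len(samples), 2)]
    if seqs[0] != "Z":
        raise ValueError("frame does not start with sequence Z")
    bits, prev = [], "Z"
    for s in seqs[1:]:
        if s == "Y" and prev != "X":
            bits.pop()                              # that 0 was the end-of-communication 0
            return bits
        bits.append(1 if s == "X" else 0)
        prev = s
    raise ValueError("no end of communication found")


def bits_to_byte(bits):
    """LSB-first bits back to an integer."""
    return sum(b << i for i, b in enumerate(bits))


if __name__ == "__main__":
    bits = short_frame_bits(0x52)
    print("0x52 LSB first:", bits)                         # [0, 1, 0, 0, 1, 0, 1]
    print("sequences     :", "".join(miller_sequences(bits)))  # ZZXYZXYXYY
    print("field samples :", miller_samples(bits))
    print("decoded       : 0x%02x" % bits_to_byte(miller_decode(miller_samples(bits))))
```

Reading the `ZZXYZXYXYY` string against the scope trace is the easy way to see why the reader side looks so spiky: every X or Z is one 100% dip of the field, and the Y/Z rule guarantees those dips keep coming even through a run of zeros.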

Keep in mind, this waveform has been run through Milosch’s RFID sniffer (more on that later) and is only the envelope of the signal. The envelope is what we care about; it is the top half of the signal, without the carrier wave (the 13.56 MHz part) that is really only useful for vibrating this data through space. In fact, compared to the waveform displayed above (which looks like it could almost be an ugly sine wave), the carrier is so fast that it would look like a solid blob sitting under the blue line. That is an important characteristic of RF communication: your carrier signal must be much faster than your data symbol rate or you will not be able to differentiate one from the other at your receiving end. For reference, here is the tag response *with* the carrier wave. Notice the bottom of the picture where we measure the frequency between the two dotted lines at 13.56 MHz. That part is taken out in the first picture.

Take a close look at the peaks of the tag’s response. What looks like noise or some strange form of clipping is actually another wave: the 848 KHz subcarrier wave we mentioned before. This is a really cool RF concept. 10% ASK is about all the tag can manage with the limited power provided to it. That can very easily look like noise on the signal, so the tag modulates the peaks of its response with a wave that is much faster than the data rate so that the response can be picked out by the receiver. By design, the 848 KHz wave is 1/16 of 13.56 MHz, which allows the sniffer to use a different register on the same counter for both waves (more on that in a later post, too). Here is a close-up of that wave (again, just the envelope):

I was looking for parts of this picture to crop, but I think every part here is important. The crosshairs in the upper right (within the box titled “Zoom Overview”) show where we are within the whole wave. We are really zoomed in, looking directly at one of the peaks that we saw on the tag response before. Again, we can use the dotted lines to measure the frequency of the wave, or 1/(t2-t1) if we are looking at just 2 adjacent peaks. The calculation, on the bottom right, shows 800 KHz. While it’s not quite 848 KHz, we are just looking at one cycle and it’s pretty close.

As per Milosch’s explanation, when the entire wave is displayed on a Fast Fourier Transform (FFT), the 848 KHz wave just looks like 2 bumps at +800 KHz and -800 KHz from the main 13.56 MHz peak. If a sniffing antenna is tightly tuned to 13.56 MHz, it can miss the subcarrier and effectively act as a filter, removing the subcarrier from the waveform. In order to capture the whole wave, he suggested increasing the resistance of the antenna to increase the bandwidth of the signal it will receive. That way, the subcarrier property of the encoding from the PICC can be used to pick out the signal.
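The tag side of the three pictures above can be reproduced numerically, which is a useful sanity check before pointing a scope (or a USRP) at a real tag. The following is an added example for this post, not code from Milosch's sniffer or the OpenPCD firmware. It builds a 13.56 MHz carrier with 10% load modulation at fc/16 = 847.5 kHz, Manchester-codes a constructed tag payload the ISO 14443-A way (sequence D for a 1 and for start of communication, E for a 0, F for end of communication), strips the carrier to get the envelope the sniffer shows, measures the subcarrier the way the post does (1/(t2-t1) between two peaks), decodes the bits from the envelope, and finally runs a plain DFT over a stretch where the subcarrier is on to show the two bumps at fc ± 848 KHz. The 4x oversampling rate, the raised-cosine shape of the load modulation (a real tag switches a load, so its envelope is squarer) and the bit pattern are assumptions made here.

```python
"""Tag -> reader (PICC -> PCD) link of ISO 14443-A, modelled numerically.
Added example for this post, not OpenPCD code.  Assumed: 4 samples per carrier
cycle, raised-cosine load modulation, 10 % depth, and the payload bits."""
import cmath
import math

FC = 13.56e6          # carrier (Hz)
FSUB = FC / 16        # subcarrier fc/16 = 847.5 kHz, the "848 KHz" of the post
FS = 4 * FC           # assumption: 4 samples per carrier cycle
MOD_DEPTH = 0.10      # 10 % ASK
HALF_BIT = 64         # carrier cycles per half bit (one bit = 128/fc = 9.44 us)


def manchester_halves(bits):
    """Start of comm = D, '1' = D (subcarrier in first half), '0' = E (subcarrier in
    second half), end of comm = F (no subcarrier).  One flag per half bit."""
    halves = [True, False]                                   # D: start of communication
    for b in bits:
        halves += [True, False] if b else [False, True]      # D for 1, E for 0
    return halves + [False, False]                           # F: end of communication


def tag_signal(halves):
    """Carrier samples with the load modulation switched on in the flagged halves."""
    per_half = HALF_BIT * int(FS / FC)                       # 256 samples per half bit
    out = []
    for h, on in enumerate(halves):
        for k in range(per_half):
            t = (h * per_half + k) / FS
            amp = 1.0
            if on:                                           # assumed cosine-shaped load modulation
                amp += MOD_DEPTH * 0.5 * (1 + math.cos(2 * math.pi * FSUB * t))
            out.append(amp * math.cos(2 * math.pi * FC * t))
    return out


def envelope(samples):
    """What the sniffer hands the scope: peak |x| per carrier cycle, carrier stripped."""
    spc = int(FS / FC)
    return [max(abs(x) for x in samples[i:i + spc]) for i in range(0, len(samples), spc)]


def subcarrier_from_peaks(env):
    """The post's measurement: two consecutive envelope peaks, f = 1/(t2 - t1)."""
    floor = 1 + 0.75 * MOD_DEPTH                             # peaks reach 1 + MOD_DEPTH
    peaks = [m for m in range(1, len(env) - 1)
             if env[m] > floor and env[m] > env[m - 1] and env[m] >= env[m + 1]]
    t1, t2 = peaks[0] / FC, peaks[1] / FC                    # one envelope value per 1/fc
    return 1.0 / (t2 - t1)


def decode_tag_response(env):
    """Manchester decoder on the envelope: a half bit with raised mean amplitude carries
    the subcarrier; then D -> 1, E -> 0, F -> end of frame."""
    halves = [sum(env[h * HALF_BIT:(h + 1) * HALF_BIT]) / HALF_BIT > 1 + MOD_DEPTH / 4
              for h in range(len(env) // HALF_BIT)]
    if halves[:2] != [True, False]:
        raise ValueError("no start-of-communication (sequence D) found")
    bits = []
    for i in range(2, len(halves) - 1, 2):
        pair = halves[i:i + 2]
        if pair == [True, False]:
            bits.append(1)
        elif pair == [False, True]:
            bits.append(0)
        elif pair == [False, False]:
            break                                            # sequence F: end of communication
        else:
            raise ValueError("subcarrier in both halves of bit %d" % len(bits))
    return bits


def strongest_frequencies(window, count=3):
    """Plain DFT; frequencies (Hz, ascending) of the `count` strongest bins below FS/2.
    Over a subcarrier-on stretch that is the carrier plus the two fc +/- fsub bumps."""
    n = len(window)
    mags = []
    for k in range(n // 2):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(window))
        mags.append((abs(acc), k))
    return sorted(k * FS / n for _, k in sorted(mags, reverse=True)[:count])


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]                          # constructed tag payload
    sig = tag_signal(manchester_halves(bits))
    env = envelope(sig)
    print("1/(t2-t1) = %.1f kHz" % (subcarrier_from_peaks(env) / 1e3))
    print("decoded bits:", decode_tag_response(env))
    print("strongest bins (Hz):", strongest_frequencies(sig[:256]))  # carrier +/- 847500
```

The DFT is run over the first modulated half bit only (256 samples, exactly four subcarrier cycles), which keeps the spectrum to three clean lines; over a whole frame the on/off gating of the subcarrier at the bit rate smears each bump into a skirt, which is the "2 bumps" shape Milosch describes on the scope's FFT. The peak-picking threshold in `subcarrier_from_peaks` is the reason the measurement works at all on a 10% signal: without the modulation, the envelope is flat, and that is also why a too-narrow antenna (which filters the sidebands out) leaves nothing to pick.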

More adventures down the NFC rabbit hole soon – the next post will cover emulation; also, a big thank you to Milosch for the in-depth training.

Published date:  20 June 2012

Written by:  mxs
