The document provides an introduction to the proxmark3 hardware and describes the signal processing it performs to read RFID tags. It explains that the proxmark3 can read, emulate, or eavesdrop on RFID tags. It then describes how RFID readers detect tags by looking for changes in the amplitude of the carrier signal transmitted by the reader when modulated by the tag. The document outlines several approaches the proxmark3 and other readers can take to process the signal and filter out the strong carrier signal in order to detect the weaker modulated signal from the tag, including using separate transmit and receive antennas or coils, notch filters, mixing frequencies, and high-pass filters.

Uploaded by

MDG Electronica
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
35 views3 pages

Working With RFID Tags - An Introduction To The Proxmark3: Jonathan Westhues User Jwesthues, at Host CQ - CX

The document provides an introduction to the proxmark3 hardware and describes the signal processing it performs to read RFID tags. It explains that the proxmark3 can read, emulate, or eavesdrop on RFID tags. It then describes how RFID readers detect tags by looking for changes in the amplitude of the carrier signal transmitted by the reader when modulated by the tag. The document outlines several approaches the proxmark3 and other readers can take to process the signal and filter out the strong carrier signal in order to detect the weaker modulated signal from the tag, including using separate transmit and receive antennas or coils, notch filters, mixing frequencies, and high-pass filters.

Uploaded by

MDG Electronica
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

Working with RFID Tags—An Introduction to the proxmark3

Jonathan Westhues
user jwesthues, at host cq.cx

1 Overview

I intend this document as a brief introduction to my proxmark3 hardware. In addition to this, I will try to describe the signal processing that this device must perform. In concept this is the same correlation that any digital radio receiver performs; some details are fundamentally specific to the kinds of signals involved in an RFID system, and some are specific to my implementation.
The proxmark3 is a test instrument capable of manipulating RFID tags in a number of different ways. For example, a proxmark3 can:

- read almost any low-frequency (∼100 kHz) or high-frequency (13.56 MHz) tag, including the ISO-standard tags;
- emulate a low- or high-frequency tag, appearing almost indistinguishable from a real tag; or
- eavesdrop on the signals exchanged between another reader and tag.
When the reader wants to receive a signal from the tag (whether we are reading an ID-only tag, like a prox card, or whether we are expecting some response that is a function of some message that we previously sent to a 13.56 MHz ISO-standard tag), it transmits only the unmodulated carrier that powers the tag. The tag transmits its message by alternately making the circuit across its antenna look more like an open, or more like a short (or, equivalently, by changing the resonant frequency of its antenna circuit, by disconnecting or reconnecting some inductance or capacitance to the antenna; the reader ‘sees the tag more’ when the tag’s antenna resonates closer to the frequency of the energizing carrier).

The reader sees a lower voltage at its antenna when the tag’s antenna is ‘more shorted.’ This means that the tag can amplitude-modulate a subcarrier onto the carrier transmitted by the reader, by varying the
It looks at the received signal on its antenna—possibly, but not necessarily, the same antenna used to transmit—and demodulates this signal

In a sense, the circuit that interprets the signal returned from the tag is a radio receiver like any other. The major peculiarity in this application is that our transmitted carrier will always bleed through, because it is so much more powerful than the information-bearing signal returned from the tag. We can consider the signal at the reader’s antenna as having the form

v(t) = (A_c + v_s(t)) \cos \omega_c t = A_c \cos \omega_c t + v_s(t) \cos \omega_c t = v_{tx}(t) + v_{rx}(t)

where A_c is the amplitude of the transmitted carrier, ω_c is the carrier frequency (125 kHz or 13.56 MHz), and v_s(t) is the subcarrier amplitude-modulated onto the transmitted carrier by the tag. Only the signal v_s(t) carries information; the A_c cos ω_c t term serves only to power the tag, but it still appears at our antenna. The subcarrier frequencies used in typical RFID standards are small compared to the carrier frequency.[1] This means that the v_s(t) cos ω_c t term is a relatively narrow bandpass signal centred at ω_c.
Unfortunately, the A_c cos ω_c t term is much more powerful than v_rx(t). This must be so; only a fraction of the power that the reader transmits will make it to the tag, and only a fraction of the power the tag reflects back towards the reader will be received by the reader’s antenna. In radio terms, this means that we will always have to deal with a powerful in-band interferer. Our receiver must therefore have very high dynamic range. This is difficult for a software radio, because the resolution of the A/D fundamentally limits the radio’s dynamic range.
This problem starts at the antenna. If a single antenna is used for both receive and transmit, then there is nothing to be done—we will always see the full transmit strength of the carrier that powers the tag.[2] It is possible to use two antennae, one for receive and one for transmit, and attempt to design these so that the receive antenna gets as little of the transmitted carrier as possible. At UHF or microwave frequencies, this is a particularly useful technique, because it is practical to construct a directional antenna. A similar approach can be taken at HF or LF: consider what happens if you have separate receive and transmit coils, at ninety degrees to each other (with the tag at 45 degrees to both of them).
Given a particular choice of antenna, this problem may now be addressed by analog signal processing in front of the A/D. Considering the problem in the frequency domain, it is obvious that what is needed is a tight notch filter at the carrier frequency—the v_tx(t) = A_c cos ω_c t term has energy at only one frequency, and we know that frequency exactly, because we are the ones (at the reader) generating it. As long as the signal v_rx(t) has no energy very close to ω_c (or as long as we can still demodulate v_rx(t) after losing any components close to ω_c), the notch filter will not affect our information-bearing signal.[3]
[1] With some exceptions; for example, Motorola/Indala’s FlexPass cards do BPSK on a 62.5 kHz subcarrier, with a 125 kHz carrier. I don’t know of any 13.56 MHz standards that use wide modulation, though.
[2] Unless we try an isolator or other non-reciprocal device.
[3] And if v_rx(t) did have important components near ω_c, then the situation would be hopeless, because A_c depends on a number of factors, including things like the proximity of metal objects to the reader.

(a) A ceramic or crystal filter is one practical implementation of this. The filter could either be applied directly, at the carrier frequency, or at some IF after mixing the signal up or down. The frequency tolerance is tight enough that passive RLC, switched-capacitor, or active (R, C, and opamp) filters are not practical; but if the received signal is (b) mixed down by the carrier frequency, then the carrier is translated to DC, and the notch filter becomes a low-pass, which might be easier to implement. At that point only the dynamic range of the mixer is an issue, and that is likely an easier problem to solve.
(c) Equivalently, we could try to measure A_c, and add in −A_c cos ω_c t to try to cancel out the A_c cos ω_c t term. Even if we didn’t do a perfect job, we would still be able to reduce the amplitude of the carrier term considerably, and perhaps reduce the dynamic range of the signal to the point that it was practical to handle it digitally from there on.
(d) Considering the problem in the time domain, the signal returned from the tag is an information-bearing subcarrier that amplitude-modulates the carrier. We wish to measure the amplitude of the received signal, which gives us

v_a(t) = A_c + v_s(t)

This is the subcarrier (that we want), plus a DC offset corresponding to the amplitude of the bled-through carrier. We can high-pass filter v_a(t) with a very slow time constant to reject the DC offset, leaving only the subcarrier. It is necessary that v_s(t) not carry any important information near DC, because those frequency components are rejected by the high-pass filter. This is equivalent to the previous requirement that v_rx(t) not carry any important information near ω_c.
This device uses a single antenna for both receive and transmit, followed by a peak detector and simple analog filters. No frequency-domain attempt is made to reject our transmitted carrier. Since this device is intended as a test instrument, and not a long-range reader where the receiver sensitivity is critical, I consider this to be acceptable, but much better RF performance in the presence of noise (and our own transmitted carrier) could be achieved.
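As an added example that is not part of the original document, the following Python simulates the signal chain described above with constructed values (A_c = 100, a square-wave subcarrier of amplitude 0.2 at f_c/32, 16 samples per carrier cycle, an ideal A/D converter; none of these are measurements of any real reader or tag). It mixes v(t) down to recover v_a(t) = A_c + v_s(t) as in approach (b), then shows the dynamic-range point: an 8-bit A/D that must span all of v_a(t) flattens the subcarrier completely, while the same converter placed after the DC rejection of approach (d) recovers every bit.

```python
import math

# Constructed parameters (assumptions, not measurements of any real reader or tag).
F_C = 125_000            # carrier frequency w_c / 2pi, in Hz
SAMPLES_PER_CYCLE = 16   # sample rate is 16 * F_C = 2 MHz
A_C = 100.0              # amplitude of the bled-through carrier (arbitrary units)
M = 0.2                  # subcarrier amplitude, 500x weaker than the carrier
SUB_HALF_PERIOD = 256    # samples per half-cycle of the square-wave subcarrier (f_c/32)
N_SAMPLES = 2048         # four subcarrier periods

def subcarrier(n):
    """v_s at sample n: +M or -M as the tag makes its antenna look 'open' or 'shorted'."""
    return M if (n // SUB_HALF_PERIOD) % 2 == 0 else -M

def antenna_signal():
    """v(t) = (A_c + v_s(t)) cos(w_c t) = v_tx(t) + v_rx(t), sampled at 16 x f_c."""
    return [(A_C + subcarrier(n)) * math.cos(2 * math.pi * n / SAMPLES_PER_CYCLE)
            for n in range(N_SAMPLES)]

def mix_down(v):
    """Approach (b): multiply by the carrier and average over one carrier cycle.
    A_c lands at DC and the 2 w_c product averages to zero, leaving v_a = A_c + v_s."""
    blocks = [v[i:i + SAMPLES_PER_CYCLE] for i in range(0, len(v), SAMPLES_PER_CYCLE)]
    return [sum(2 * x * math.cos(2 * math.pi * k / SAMPLES_PER_CYCLE)
                for k, x in enumerate(b)) / SAMPLES_PER_CYCLE for b in blocks]

def dc_block(v_a):
    """Approach (d): reject the DC offset A_c; modelled as subtracting the mean,
    the limit of a high-pass filter with a very slow time constant."""
    mean = sum(v_a) / len(v_a)
    return [x - mean for x in v_a]

def adc(x, bits, lo, hi):
    """Ideal A/D converter: round to the nearest of 2**bits codes spanning [lo, hi]."""
    step = (hi - lo) / 2 ** bits
    return [lo + step * min(2 ** bits - 1, max(0, round((s - lo) / step))) for s in x]

def bit_errors(demod):
    """Decide each carrier-cycle block by sign and count disagreements with v_s."""
    truth = [subcarrier(i * SAMPLES_PER_CYCLE) > 0 for i in range(len(demod))]
    return sum((y > 0) != t for y, t in zip(demod, truth))

def compare(bits):
    """Bit errors when the A/D must span all of A_c + v_s (quantise, then reject DC)
    versus when the DC offset is rejected first so the A/D only spans v_s."""
    v_a = mix_down(antenna_signal())
    quantise_first = bit_errors(dc_block(adc(v_a, bits, 0.0, 128.0)))
    reject_dc_first = bit_errors(adc(dc_block(v_a), bits, -1.0, 1.0))
    return quantise_first, reject_dc_first
```

With these values `compare(8)` returns 64 errors out of 128 symbols for the quantise-first path (the 0.4 swing of v_s is below the 0.5 A/D step) and 0 for the reject-DC-first path; one extra bit, `compare(9)`, is enough for both paths to succeed.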

