RFID

From Noisebridge
(Difference between revisions)
(33 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
= 950 MHz UHF RFID system =
 +
 +
This RFID reader is installed near the entry door of Noisebridge (at the top of the stairs).  If it can be made to work properly, we can put RFID tags in any items we want (private or public) and program our computer systems to react if and when those items go near or through the door (or elevator room).  This could be useful in deterring or preventing theft, so that Noisebridge CAN Have Nice Things.
 +
 +
current state of things:  the reader works, we talk to it through serial, and it detects tags, but all the tags we have result in the same line of text from the reader.  We need to figure out what command to send to the reader to get it to tell us the full data of the tags, or at least their unique serial number.  We have over 100 tags, but they aren't readable until a piece of wire is soldered onto them as an antenna, which can be tailor made for the article they are being fixed onto.  The PDF for the tags we have is linked to below, uploaded to the wiki as rfid.pdf  If you want to help with this project, contact me. -jake
 +
 
* We got this reader:  SAMSys MP9320 2.8
 
* We got this reader:  SAMSys MP9320 2.8
 
Various files related to this device:
 
Various files related to this device:
Line 4: Line 10:
  
 
the protocol the reader talks is detailed at:
 
the protocol the reader talks is detailed at:
http://www.sirit.com/Tech_Support_Downloads/CHUMP_Prot_Ref_Gd_v7.0[1].pdf
+
[http://www.sirit.com/Tech_Support_Downloads/CHUMP_Prot_Ref_Gd_v7.0%5B1%5D.pdf CHUMP Protocol Reference Guide v7.0]
 +
 
 +
[http://itech.fgcu.edu/faculty/zalewski/projects/files/RFID_Zabala_final2.pdf The MP9320 cannot be made to work on ethernet, even though it has a port.]
 +
 
 +
The reader is connected to Minotaur through a USB to Serial adaptor which comes up as /dev/ttyUSB2 (this time) BUT
 +
<br>
 +
you should talk to it through its reliable pathname which is:<br>
 +
<tt>/dev/serial/by-path/pci-0000:02:02.3-usb-0:1.1.4:1.0-port0</tt>
 +
<br>
 +
try the following command (as root on minotaur)<br>
 +
<tt># screen /dev/serial/by-path/pci-0000:02:02.3-usb-0:1.1.4:1.0-port0 57600</tt><br>
 +
(press control-A and then k to "kill" or exit screen when you're done)
  
 
the reader is now configured and it works.  when it detects a tag, the windows software tells you  
 
the reader is now configured and it works.  when it detects a tag, the windows software tells you  
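Review bot: the added screen line tells people to run it as root, but opening a serial device normally only needs membership in the group that owns the tty (usually dialout on Debian-style systems), so the instructions should name that group instead of handing out root on minotaur. The "reliable pathname" wording also needs a caveat: a /dev/serial/by-path name is tied to the physical USB port, so it changes if the adaptor is moved to another port.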
Line 28: Line 45:
 
; Disabling the audio beep
 
; Disabling the audio beep
 
: }Cw,d:PCW,b:00000200!
 
: }Cw,d:PCW,b:00000200!
 +
 +
; Permanently disable the beep
 +
: }Cw,d:PCW,b:00000200,F:01!
  
  
 
* Tags:
 
* Tags:
 +
[[File:Rfid-SL3ICS1002_1202.pdf]] finally!  we have the PDF for these tags.
  
we got these 900mhz band RFID tags available from mouser.com as part number SL3S1202AC0,118 they cost 8 cents each.
+
[[File:AN173211.pdf]] frequently asked questions about these RFID tags.
http://www.mouser.com/ProductDetail/NXP-Semiconductors/SL3S1202AC0118/?qs=sGAEpiMZZMvQHWqrh58LgXtw8BZ1psdi%252bSfsWYs2XZg%3d
+
  
the picture on the mouser site is wrong for these parts, they do not look anything like a 1206 capacitor.
+
we got these 900mhz band RFID tags available from mouser.com as part number SL3S1202AC0,118 they cost 7.4 cents each.<br>
 +
[http://www.mouser.com/ProductDetail/NXP-Semiconductors/SL3S1202AC0118/?qs=sGAEpiMZZMvQHWqrh58LgXtw8BZ1psdi%252bSfsWYs2XZg%3d mouser.com link to buy these tags]<br>
 +
(the picture on the mouser site is wrong for these parts, they do not look anything like a 1206 capacitor)
 +
 
 +
[http://spaz.org/~jake/r/rfid-SL3S1202AC0.zip zipfile containing many PDFs relating to these RFID tags including the NXP app notes]
  
 
these tags do not have an antenna - they are a grain of sand in the middle of a 3mm x 9mm piece of plastic.  On either side of the grain of sand is a copper contact that you can solder to if you're careful.  don't melt the plastic backing!  the whole thing will probably stick to whatever it was resting on when you soldered it, so prepare.  Make your antenna (a loop of wire probably, we are trying to figure out what works best) and solder it to the two contacts and then protect the thing with some hard (hitemp) hotglue or epoxy or something.
 
these tags do not have an antenna - they are a grain of sand in the middle of a 3mm x 9mm piece of plastic.  On either side of the grain of sand is a copper contact that you can solder to if you're careful.  don't melt the plastic backing!  the whole thing will probably stick to whatever it was resting on when you soldered it, so prepare.  Make your antenna (a loop of wire probably, we are trying to figure out what works best) and solder it to the two contacts and then protect the thing with some hard (hitemp) hotglue or epoxy or something.
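Review bot: the new "Permanently disable the beep" line spells the save flag as F:01, while the Changing Registers text added in the same edit says to append ",f:1" to save to NVM. Use one spelling in both places, or state that the reader accepts both, so nobody has to guess which form actually persists the setting.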
Line 47: Line 71:
 
* Antennas:  From the NXP app notes:
 
* Antennas:  From the NXP app notes:
 
** AN1523 has a reference design for a mid-range less than one meter read distance antenna. The antenna is 34 mm x 15 mm.
 
** AN1523 has a reference design for a mid-range less than one meter read distance antenna. The antenna is 34 mm x 15 mm.
** AN0972 has a reference design for a "general purpose" antenna with an optimal read range of 2.5 meters. The antenna is 1.25" x 0.875"
+
** [AN0972|http://www.nxp.com/documents/application_note/097211.zip] has a reference design for a "general purpose" antenna with an optimal read range of 2.5 meters. The antenna is 1.25" x 0.875"
 
** AN0969 has a 98 mm long antenna design, with a read range of 1 m to 6 m depending on the substrate you use. Teflon and polystyrene are best; Rogers TMM6 is the worst but has the least variation across the frequency range.
 
** AN0969 has a 98 mm long antenna design, with a read range of 1 m to 6 m depending on the substrate you use. Teflon and polystyrene are best; Rogers TMM6 is the worst but has the least variation across the frequency range.
 
** AN1615 has a short range ring antenna design. 8.3mm diameter ring. Read range of 2 cm.
 
** AN1615 has a short range ring antenna design. 8.3mm diameter ring. Read range of 2 cm.
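Review bot: the AN0972 link on the changed line is written as [AN0972|http://www.nxp.com/documents/application_note/097211.zip], which is not MediaWiki external-link syntax and shows up literally in the rendered page. It should be [http://www.nxp.com/documents/application_note/097211.zip AN0972].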
Line 55: Line 79:
 
http://www.alibaba.com/product-gs/572423327/RFID_reader_900MHz.html?s=p
 
http://www.alibaba.com/product-gs/572423327/RFID_reader_900MHz.html?s=p
 
http://www.alibaba.com/product-gs/608914064/long_range_900mhz_rfid_reader_from.html?s=p
 
http://www.alibaba.com/product-gs/608914064/long_range_900mhz_rfid_reader_from.html?s=p
 +
 +
* if we can figure out the protocol or find a driver, these PC card-based 900Mhz RFID readers are very inexpensive
 +
http://www.ebay.com/sch/i.html?_nkw=INTERMEC+IM4
 +
== Some General Commands==
 +
<pre>
 +
Show reader and software version info:
 +
 +
}:01,Rv,f:0!
 +
 +
Show config:
 +
 +
}Cr!
 +
 +
Quiet a given tag from the output:
 +
 +
}Ht,d:[ID]!
 +
 +
Read any tag in field
 +
 +
}Ra,a:[block],s:[offset](,l:[length])!
 +
 +
</pre>
 +
 +
== Setting Tag EPCs ==
 +
[[Image:Rfidmem.jpg|thumb|right|Memory map for cheap NXP RFID tags. We need to change the EPC in bank 01]]
 +
 +
GEN2 (aka ISO 18000-6C) tags contain a unique, factory set tag ID (TID) and a user configurable EPC. Per the datasheet the EPC is the same for all our tags until configured otherwise
 +
 +
<pre>
 +
The ICs are delivered by NXP with a default 96 bit EPC number:
 +
 +
UCODE G2XM: 3005 FB63 AC1F 3681 EC88 0468
 +
 +
UCODE G2XL: 3005 FB63 AC1F 3841 EC88 0467
 +
</pre>
 +
 +
 +
Our reader appears to display some form of the EPC when a tag is in range. It's possible the query tags in the field for TID, but I'm not sure if we can display TID by default when a tag is in range (the EPC appears to be read by default) -- but we can reprogram the EPC to some arbitrary value!
 +
 +
* [http://www.sirit.com/Tech_Support_Downloads/CHUMP_Prot_Ref_Gd_v7.0 Chump Reference Guide]
 +
* [http://www.sirit.com/Tech_Support_Downloads/MP9311_Users_Guide_V2.0.pdf User Guide] - Though for a different model, pg 52-56 provide some good examples on writing to gen2 tags
 +
* [https://github.com/danasf/noise-rfid code] - script to read/write to a serial port, to filter out duplicate output]
 +
 +
Some example commands (note: wa command will write to any unlocked tag in the field):
 +
<pre>
 +
To write an EPC ID value of 332233445566778899aabbcc onto a tag with the Protocol Control field set for a 96 bit tag, enter:
 +
 +
}wa,a:01,s:02,b:332233445566778899aabbcc!
 +
 +
To add the length field, enter:
 +
 +
}wa,a:01,s:02,b:332233445566778899aabbcc,l:6!
 +
 +
To request a read/verify cycle following the write operation, enter:
 +
 +
}wa,a:01,s:02,b:332233445566778899aabbcc,l:6,f:1!
 +
 +
In order to write an EPC ID to a blank tag, the Protocol Control bits must also be
 +
set. This can be accomplished in a single write command since the Protocol Control
 +
bits are contained in the same memory bank as the EPC ID. Following the previous
 +
example, the command would include setting the Protocol Control to 3000 as follows:
 +
 +
}wa,a:01,s:01,b:3000332233445566778899aabbcc!
 +
</pre>
 +
 +
=== Changing Registers ===
 +
This reader has a number of config registers we can modify. Use the following CHUMP command to read the current registers:
 +
 +
<pre>
 +
}Cr!
 +
</pre>
 +
 +
To make changes to a setting you'll need to generate a hex value for the 32 bit register. Refer to section 4 and 5 in the CHUMP reference guide for bit positions and usage. This [http://calc.50x.eu/|nifty calculator] can make the process easier. Of particular interest is P2I, the GEN2 identification layer control register, which maybe will allow us to change the default memory read location (from EPC to TID).
 +
 +
When you're done you can write your register as follows:
 +
 +
<pre>
 +
}Cw,d:REGISTER,b:10100!
 +
</pre>
 +
 +
add ",f:1" to save to NVM, otherwise the setting will revert upon restart.
 +
 +
= 125KHz and 13.56MHz card-style and fob-style and implant-style RFID systems =
 +
 +
Please bring RFID tags and readers to Noisebridge! We currently have very few tag samples. We're also looking for readers and ways to interface with RFID.
 +
 +
The current tag types (as detected by RFIDIOt) we have are:
 +
* MASTERCARD - a0 00 00 00 04 10 10 (HSBC MASTERCARD)
 +
 +
The current readers we have are:
 +
* Jake A. has a CardMan 5321 in his backpack, Noisebridge could use one if someone wants to donate one.
 +
* chris paget brought a small stack of parallax (grand idea studios) units to the  [[RFID_Hacking|2009-04-11 talk]].
 +
 +
== Software ==
 +
We're using [http://rfidiot.org/ RFIDIOt].
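Review bot: in the Setting Tag EPCs section, the warning that wa writes to any unlocked tag in the field is only a parenthetical ahead of the examples, and this reader sits at the entry door. The section should tell people to write with a single tag in the field, prefer the f:1 read/verify form, and say whether tags are locked afterwards, since the text relies on the EPC to tell items apart. The [http://calc.50x.eu/|nifty calculator] link has the same pipe problem as other links on the page, and the code bullet ends in a stray ].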

Revision as of 21:30, 15 July 2013


950 MHz UHF RFID system

This RFID reader is installed near the entry door of Noisebridge (at the top of the stairs). If it can be made to work properly, we can put RFID tags in any items we want (private or public) and program our computer systems to react if and when those items go near or through the door (or elevator room). This could be useful in deterring or preventing theft, so that Noisebridge CAN Have Nice Things.

Current state of things: the reader works, we talk to it through serial, and it detects tags, but all the tags we have result in the same line of text from the reader. We need to figure out what command to send to the reader to get it to tell us the full data of the tags, or at least their unique serial number. We have over 100 tags, but they aren't readable until a piece of wire is soldered onto them as an antenna, which can be tailor-made for the article they are being fixed onto. The PDF for the tags we have is linked to below, uploaded to the wiki as rfid.pdf. If you want to help with this project, contact me. -jake

  • We got this reader: SAMSys MP9320 2.8

Various files related to this device: http://techsupweb.satoamerica.com/public/06_RFID/Software/RF%20Command%20Suite/

The protocol the reader speaks is detailed in the CHUMP Protocol Reference Guide v7.0.

The MP9320 cannot be made to work on ethernet, even though it has a port.

The reader is connected to Minotaur through a USB-to-serial adaptor, which comes up as /dev/ttyUSB2 (this time), but you should talk to it through its reliable pathname, which is:
/dev/serial/by-path/pci-0000:02:02.3-usb-0:1.1.4:1.0-port0
Try the following command (as root on minotaur):
# screen /dev/serial/by-path/pci-0000:02:02.3-usb-0:1.1.4:1.0-port0 57600
(press control-A and then k to "kill" or exit screen when you're done)

The reader is now configured and it works. When it detects a tag, the Windows software tells you:
Tag ID,Tag Name,Tag Type, Total Reads, Rate, Antenna, Date/Time
3005FB63AC1F3841EC880467,,EPC1G2,1648,0.0,0,1/21/2013 11:04:06 PM

This is what the serial data looks like at 57600 baud (it repeats constantly while the tag is nearby):
{Rd,d:3005FB63AC1F3841EC880467,t:EPC1G2,e:28;14

This reader has four antenna ports. The Windows software seems to tell you which antenna the tag was seen on, but we will need to find that information in the serial data, which should be easy. This matters because we will end up having antennas in different locations (door at the top of the stairs, elevator room door, bottom of the steps) and we will want to react differently depending on where a tag is detected.
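A parser for the report line shown above, with suppression of the constant repeats and a flag for tags still carrying a factory-default EPC. This is an added example, not code from the wiki or the linked noise-rfid repository; the 5-second hold-off and the function names are assumptions, and fields after `t:` are kept as raw text because the page does not decode them.

```python
import re
from dataclasses import dataclass

# Factory-default EPCs quoted on this page from the NXP datasheet; a tag that
# reports one of these has not been given an EPC of its own yet.
DEFAULT_EPCS = {"3005FB63AC1F3681EC880468": "UCODE G2XM",
                "3005FB63AC1F3841EC880467": "UCODE G2XL"}

# Report lines as shown above: {Rd,d:<hex EPC>,t:<tag type>[,<other fields>]
REPORT_RE = re.compile(r"^\{Rd,d:([0-9A-Fa-f]+),t:([A-Za-z0-9]+)(?:,(.*))?$")

@dataclass
class TagReport:
    epc: str
    tag_type: str
    extra: str          # trailing fields such as "e:28;14", left uninterpreted
    default_epc: bool   # True when the EPC is one of the factory defaults

def parse_report(line):
    """Return a TagReport for a tag-report line, or None for anything else."""
    m = REPORT_RE.match(line.strip())
    if not m or len(m.group(1)) % 4:    # EPC memory is whole 16-bit words
        return None
    epc = m.group(1).upper()
    return TagReport(epc, m.group(2), m.group(3) or "", epc in DEFAULT_EPCS)

def new_sightings(timed_lines, holdoff=5.0):
    """timed_lines: iterable of (seconds, raw line). A tag is reported once,
    then suppressed until it has been silent for more than `holdoff` seconds."""
    last_seen, out = {}, []
    for ts, line in timed_lines:
        report = parse_report(line)
        if report is None:
            continue
        prev = last_seen.get(report.epc)
        last_seen[report.epc] = ts
        if prev is None or ts - prev > holdoff:
            out.append((ts, report))
    return out

# Constructed sample input: the line from this page repeated, one line of
# noise, and the EPC value used in the write examples further down the page.
SAMPLE = [
    (0.0, "{Rd,d:3005FB63AC1F3841EC880467,t:EPC1G2,e:28;14"),
    (0.3, "{Rd,d:3005FB63AC1F3841EC880467,t:EPC1G2,e:28;14"),
    (0.6, "garbage\x00line"),
    (1.0, "{Rd,d:332233445566778899AABBCC,t:EPC1G2,e:28;14"),
    (9.0, "{Rd,d:3005FB63AC1F3841EC880467,t:EPC1G2,e:28;14"),
]

if __name__ == "__main__":
    for ts, r in new_sightings(SAMPLE):
        note = " (factory-default EPC, not unique)" if r.default_epc else ""
        print(f"{ts:5.1f}s {r.epc} {r.tag_type}{note}")
```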

Getting status of the beep:
}Cr,d:PCW!
Enabling the audio beep:
}Cw,d:PCW,b:00000300!
Disabling the audio beep:
}Cw,d:PCW,b:00000200!
Permanently disable the beep:
}Cw,d:PCW,b:00000200,F:01!


  • Tags:

File:Rfid-SL3ICS1002 1202.pdf: finally! We have the PDF for these tags.

File:AN173211.pdf: frequently asked questions about these RFID tags.

We got these 900 MHz band RFID tags, available from mouser.com as part number SL3S1202AC0,118; they cost 7.4 cents each.
mouser.com link to buy these tags
(the picture on the mouser site is wrong for these parts, they do not look anything like a 1206 capacitor)

zipfile containing many PDFs relating to these RFID tags including the NXP app notes

These tags do not have an antenna: they are a grain of sand in the middle of a 3mm x 9mm piece of plastic. On either side of the grain of sand is a copper contact that you can solder to if you're careful. Don't melt the plastic backing! The whole thing will probably stick to whatever it was resting on when you soldered it, so prepare. Make your antenna (a loop of wire probably, we are trying to figure out what works best), solder it to the two contacts, and then protect the thing with some hard (hi-temp) hot glue or epoxy or something.

the PDF for the RFID tags above File:Rfid.pdf

similar to this from TI: http://elcodis.com/parts/1758620/RI-UHF-STRAP-08.html#datasheet

  • Antennas: From the NXP app notes:
    • AN1523 has a reference design for a mid-range less than one meter read distance antenna. The antenna is 34 mm x 15 mm.
    • AN0972 (http://www.nxp.com/documents/application_note/097211.zip) has a reference design for a "general purpose" antenna with an optimal read range of 2.5 meters. The antenna is 1.25" x 0.875".
    • AN0969 has a 98 mm long antenna design, with a read range of 1 m to 6 m depending on the substrate you use. Teflon and polystyrene are best; Rogers TMM6 is the worst but has the least variation across the frequency range.
    • AN1615 has a short range ring antenna design. 8.3mm diameter ring. Read range of 2 cm.
    • AN1685 has an 80mm x 35mm antenna design, with a 6 meter read range.
  • we did not get this reader:

http://www.alibaba.com/product-gs/572423327/RFID_reader_900MHz.html?s=p
http://www.alibaba.com/product-gs/608914064/long_range_900mhz_rfid_reader_from.html?s=p

  • If we can figure out the protocol or find a driver, these PC card-based 900 MHz RFID readers are very inexpensive:

http://www.ebay.com/sch/i.html?_nkw=INTERMEC+IM4

Some General Commands

Show reader and software version info:

}:01,Rv,f:0!

Show config:

}Cr!

Quiet a given tag from the output:

}Ht,d:[ID]!

Read any tag in field:

}Ra,a:[block],s:[offset](,l:[length])!

Setting Tag EPCs

Memory map for cheap NXP RFID tags. We need to change the EPC in bank 01

GEN2 (aka ISO 18000-6C) tags contain a unique, factory-set tag ID (TID) and a user-configurable EPC. Per the datasheet, the EPC is the same for all our tags until configured otherwise:

The ICs are delivered by NXP with a default 96 bit EPC number:

UCODE G2XM: 3005 FB63 AC1F 3681 EC88 0468

UCODE G2XL: 3005 FB63 AC1F 3841 EC88 0467 


Our reader appears to display some form of the EPC when a tag is in range. It's possible to query tags in the field for TID, but I'm not sure if we can display TID by default when a tag is in range (the EPC appears to be read by default) -- but we can reprogram the EPC to some arbitrary value!

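  • Chump Reference Guide (http://www.sirit.com/Tech_Support_Downloads/CHUMP_Prot_Ref_Gd_v7.0)
  • User Guide (http://www.sirit.com/Tech_Support_Downloads/MP9311_Users_Guide_V2.0.pdf) - Though for a different model, pg 52-56 provide some good examples on writing to gen2 tags
  • code (https://github.com/danasf/noise-rfid) - script to read/write to a serial port and to filter out duplicate output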

Some example commands (note: wa command will write to any unlocked tag in the field):

To write an EPC ID value of 332233445566778899aabbcc onto a tag with the Protocol Control field set for a 96 bit tag, enter:

}wa,a:01,s:02,b:332233445566778899aabbcc!

To add the length field, enter:

}wa,a:01,s:02,b:332233445566778899aabbcc,l:6!

To request a read/verify cycle following the write operation, enter:

}wa,a:01,s:02,b:332233445566778899aabbcc,l:6,f:1!

In order to write an EPC ID to a blank tag, the Protocol Control bits must also be
set. This can be accomplished in a single write command since the Protocol Control
bits are contained in the same memory bank as the EPC ID. Following the previous
example, the command would include setting the Protocol Control to 3000 as follows:

}wa,a:01,s:01,b:3000332233445566778899aabbcc!
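The write commands above can be generated and checked before anything is sent to the reader. This is an added example, not code from the wiki or the user guide; it generalizes the 96-bit case by deriving the Protocol Control word from the EPC length (Gen2 keeps the EPC length in 16-bit words in the top five PC bits, which yields 3000 for six words). It assumes `l:` counts 16-bit words, inferred from `l:6` for a 96-bit EPC, and `allocate_epc` is a hypothetical numbering scheme.

```python
import re

def validate_epc(epc_hex):
    """Accept 1..31 whole 16-bit words of hex (the PC length field is 5 bits)."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", epc_hex):
        raise ValueError("EPC must contain hex digits only")
    if len(epc_hex) % 4 or len(epc_hex) > 124:
        raise ValueError("EPC must be 1 to 31 whole 16-bit words")
    return epc_hex

def pc_word(epc_hex):
    """Protocol Control word with only the length field set: the top five
    bits hold the EPC length in 16-bit words, so 6 words gives 3000."""
    words = len(validate_epc(epc_hex)) // 4
    return format(words << 11, "04X")

def write_epc(epc_hex, verify=True):
    """EPC-only write at word offset 02, in the forms shown on this page.
    Assumption: l: counts 16-bit words (l:6 for a 96-bit EPC)."""
    epc = validate_epc(epc_hex)
    cmd = f"}}wa,a:01,s:02,b:{epc},l:{len(epc) // 4}"
    return cmd + (",f:1!" if verify else "!")

def write_blank_tag(epc_hex):
    """PC word plus EPC in a single write starting at word offset 01."""
    epc = validate_epc(epc_hex)
    return f"}}wa,a:01,s:01,b:{pc_word(epc)}{epc}!"

def allocate_epc(prefix_hex, serial, bits=96):
    """Hypothetical scheme: fixed hex prefix followed by a zero-padded serial,
    so every tag ends up with a distinct EPC of `bits` bits."""
    room = bits // 4 - len(prefix_hex)
    if room <= 0 or serial < 0 or serial >= 16 ** room:
        raise ValueError("serial does not fit after the prefix")
    return validate_epc(f"{prefix_hex}{serial:0{room}X}")

if __name__ == "__main__":
    # wa writes to any unlocked tag in the field, so each command printed here
    # is meant to be sent with exactly one tag near the antenna.
    for serial in range(1, 4):
        print(write_blank_tag(allocate_epc("4E42", serial)))
```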

Changing Registers

This reader has a number of config registers we can modify. Use the following CHUMP command to read the current registers:

}Cr!

To make changes to a setting you'll need to generate a hex value for the 32 bit register. Refer to sections 4 and 5 in the CHUMP reference guide for bit positions and usage. This calculator (http://calc.50x.eu/) can make the process easier. Of particular interest is P2I, the GEN2 identification layer control register, which may allow us to change the default memory read location (from EPC to TID).

When you're done you can write your register as follows:

}Cw,d:REGISTER,b:10100!

Add ",f:1" to save to NVM; otherwise the setting will revert upon restart.

125KHz and 13.56MHz card-style and fob-style and implant-style RFID systems

Please bring RFID tags and readers to Noisebridge! We currently have very few tag samples. We're also looking for readers and ways to interface with RFID.

The current tag types (as detected by RFIDIOt) we have are:

* MASTERCARD - a0 00 00 00 04 10 10 (HSBC MASTERCARD)

The current readers we have are:

* Jake A. has a CardMan 5321 in his backpack, Noisebridge could use one if someone wants to donate one.
* Chris Paget brought a small stack of Parallax (Grand Idea Studios) units to the 2009-04-11 talk.

Software

We're using RFIDIOt.
