Difference between revisions of "RFID"

From Noisebridge
(blank out of date info and add simple edit to reflect current state of the rfid system)
Line 1: Line 1:
= 950 MHz UHF RFID system =
Noisebridge uses RFID for some access control systems [https://github.com/noisebridge/rfid-access-control].
This RFID reader is installed near the entry door of Noisebridge (at the top of the stairs).  If it can be made to work properly, we can put RFID tags in any items we want (private or public) and program our computer systems to react if and when those items go near or through the door (or elevator room).  This could be useful in deterring or preventing theft, so that Noisebridge CAN Have Nice Things.
The system is based on RFID-RC522 devices using tags that work at 13.56Mhz.
current state of things:  the reader works, we talk to it through serial, and it detects tags, but all the tags we have result in the same line of text from the reader.  We need to figure out what command to send to the reader to get it to tell us the full data of the tags, or at least their unique serial number.  We have over 100 tags, but they aren't readable until a piece of wire is soldered onto them as an antenna, which can be tailor made for the article they are being fixed onto.  The PDF for the tags we have is linked to below, uploaded to the wiki as rfid.pdf  If you want to help with this project, contact me. -jake
* We got this reader:  SAMSys MP9320 2.8
Various files related to this device:
the protocol the reader talks is detailed at:
[http://www.sirit.com/Tech_Support_Downloads/CHUMP_Prot_Ref_Gd_v7.0%5B1%5D.pdf CHUMP Protocol Reference Guide v7.0]
[http://itech.fgcu.edu/faculty/zalewski/projects/files/RFID_Zabala_final2.pdf The MP9320 cannot be made to work on ethernet, even though it has a port.]
The reader is connected to Minotaur through a USB to Serial adaptor which comes up as /dev/ttyUSB2 (this time) BUT
you should talk to it through its reliable pathname which is:<br>
try the following command (as root on minotaur)<br>
<tt># screen /dev/serial/by-path/pci-0000:02:02.3-usb-0:1.1.4:1.0-port0 57600</tt><br>
(press control-A and then k to "kill" or exit screen when you're done)
the reader is now configured and it works.  when it detects a tag, the windows software tells you
Tag ID,Tag Name,Tag Type, Total Reads, Rate, Antenna, Date/Time               
3005FB63AC1F3841EC880467,,EPC1G2,1648,0.0,0,1/21/2013 11:04:06 PM                                                                                             
this is what the serial data looks like, 57600 baud: (it repeats constantly while the tag is nearby)                               
this reader has four antenna ports.  The windows software seems to tell you which antenna the tag was seen on, but we will need to find that information in the serial data, which should be easy.  The reason this matters is because we will end up having antennas in different locations (door at the top of the stairs, elevator room door, bottom of the steps) and we will want to react differently depending on where a tag is detected.
; Getting status of the beep:
: }Cr,d:PCW!
; Enabling the audio beep:
: }Cw,d:PCW,b:00000300!
; Disabling the audio beep
: }Cw,d:PCW,b:00000200!
; Permanently disable the beep
: }Cw,d:PCW,b:00000200,F:01!
* Tags:
[[File:Rfid-SL3ICS1002_1202.pdf]] finally!  we have the PDF for these tags.
[[File:AN173211.pdf]] frequently asked questions about these RFID tags.
we got these 900mhz band RFID tags available from mouser.com as part number SL3S1202AC0,118 they cost 7.4 cents each.<br>
[http://www.mouser.com/ProductDetail/NXP-Semiconductors/SL3S1202AC0118/?qs=sGAEpiMZZMvQHWqrh58LgXtw8BZ1psdi%252bSfsWYs2XZg%3d mouser.com link to buy these tags]<br>
(the picture on the mouser site is wrong for these parts, they do not look anything like a 1206 capacitor)
[http://spaz.org/~jake/r/rfid-SL3S1202AC0.zip zipfile containing many PDFs relating to these RFID tags including the NXP app notes]
these tags do not have an antenna - they are a grain of sand in the middle of a 3mm x 9mm piece of plastic.  On either side of the grain of sand is a copper contact that you can solder to if you're careful.  don't melt the plastic backing!  the whole thing will probably stick to whatever it was resting on when you soldered it, so prepare.  Make your antenna (a loop of wire probably, we are trying to figure out what works best) and solder it to the two contacts and then protect the thing with some hard (hitemp) hotglue or epoxy or something.
the PDF for the RFID tags above
similar to this from TI:
* Antennas:  From the NXP app notes:
** AN1523 has a reference design for a mid-range less than one meter read distance antenna. The antenna is 34 mm x 15 mm.
** [AN0972|http://www.nxp.com/documents/application_note/097211.zip] has a reference design for a "general purpose" antenna with an optimal read range of 2.5 meters. The antenna is 1.25" x 0.875"
** AN0969 has a 98 mm long antenna design, with a read range of 1 m to 6 m depending on the substrate you use. Teflon and polystyrene are best; Rogers TMM6 is the worst but has the least variation across the frequency range.
** AN1615 has a short range ring antenna design. 8.3mm diameter ring. Read range of 2 cm.
** AN1685 has an 80mm x 35mm antenna design, with a 6 meter read range.
* we did not get this reader:
* if we can figure out the protocol or find a driver, these PC card-based 900Mhz RFID readers are very inexpensive
== Some General Commands==
Show reader and software version info:
Show config:
Quiet a given tag from the output:
Read any tag in field
== Setting Tag EPCs ==
[[Image:Rfidmem.jpg|thumb|right|Memory map for cheap NXP RFID tags. We can change the EPC in bank 01. We want to read the TID in bank 02]]
GEN2 (aka ISO 18000-6C) tags contain a unique, factory set tag ID (TID) and a user configurable EPC. Per the datasheet the EPC is the same for all our tags until configured otherwise
The ICs are delivered by NXP with a default 96 bit EPC number:
UCODE G2XM: 3005 FB63 AC1F 3681 EC88 0468
UCODE G2XL: 3005 FB63 AC1F 3841 EC88 0467
Our reader appears to display some form of the EPC when a tag is in range. It's possible the query tags in the field for TID, but I'm not sure if we can display TID by default when a tag is in range (the EPC appears to be read by default) -- but we can reprogram the EPC to some arbitrary value!
* [http://www.sirit.com/Tech_Support_Downloads/CHUMP_Prot_Ref_Gd_v7.0 Chump Reference Guide]
* [http://www.sirit.com/Tech_Support_Downloads/MP9311_Users_Guide_V2.0.pdf User Guide] - Though for a different model, pg 52-56 provide some good examples on writing to gen2 tags
* [https://github.com/danasf/noise- code] - script to read/write to a serial port, to filter out duplicate output]
Some example commands (note: wa command will write to any unlocked tag in the field):
To write an EPC ID value of 332233445566778899aabbcc onto a tag with the Protocol Control field set for a 96 bit tag, enter:
To add the length field, enter:
To request a read/verify cycle following the write operation, enter:
In order to write an EPC ID to a blank tag, the Protocol Control bits must also be
set. This can be accomplished in a single write command since the Protocol Control
bits are contained in the same memory bank as the EPC ID. Following the previous
example, the command would include setting the Protocol Control to 3000 as follows:
=== Changing Registers ===
[[Image:P2Iregister.jpg|thumb|right|Example bits of the P2I register, which controls the identification layer for gen2 tags (source: CHUMP guide)]]
This reader has a number of config registers we can modify. Use the following CHUMP command to read the current registers:
To make changes to a setting you'll need to generate a hex value for the 32 bit register. Refer to section 4 and 5 in the CHUMP reference guide for bit positions and usage. This [http://calc.50x.eu/|nifty calculator] can make the process easier. Of particular interest is P2I, the GEN2 identification layer control register, which maybe will allow us to change the default memory read location (from EPC to TID).
When you're done you can write your register as follows:
add ",f:1" to save to NVM, otherwise the setting will revert upon restart.
= 125KHz and 13.56MHz card-style and fob-style and implant-style RFID systems =
Please bring RFID tags and readers to Noisebridge! We currently have very few tag samples. We're also looking for readers and ways to interface with RFID.
The current tag types (as detected by RFIDIOt) we have are:
* MASTERCARD - a0 00 00 00 04 10 10 (HSBC MASTERCARD)
The current readers we have are:
* Jake A. has a CardMan 5321 in his backpack, Noisebridge could use one if someone wants to donate one.
* chris paget brought a small stack of parallax (grand idea studios) units to the  [[RFID_Hacking|2009-04-11 talk]].
== Software ==
We're using [http://rfidiot.org/ RFIDIOt].
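
Review bot: the two replacement lines ("Noisebridge uses RFID for some access control systems" and "The system is based on RFID-RC522 devices using tags that work at 13.56Mhz.") do not say which tag identifier the access control readers check, and the text blanked here is the only place on the page that explains why that matters: the "Setting Tag EPCs" section notes that the EPC is user configurable, that it is the same on all the tags until configured otherwise, and that the wa command writes to any unlocked tag in the field, while the TID is factory set. Suggest adding one sentence to the new text naming the identifier the RC522 readers use and pointing at the linked repository for details. The edit summary describes the removal as out-of-date info, but the hunk also drops the "125KHz and 13.56MHz" section and the RFIDIOt pointer, which cover the same 13.56 MHz band the new text names. Consider moving the UHF notes (the /dev/serial/by-path screen command, the CHUMP beep commands, the antenna app-note list) to an archive subpage and linking it instead of deleting them. Minor style point on the last added line: write the unit as "13.56 MHz".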

Revision as of 02:41, 26 January 2017

Noisebridge uses RFID for some access control systems [1].

The system is based on RFID-RC522 devices using tags that work at 13.56Mhz.