Range Extension of an ISO14443A RFID System with Actively ... · Range Extension of an ISO14443A RFID System with Actively Emulation Load Modulation Klaus Finkenzeller (Giesecke &

Range Extension of an ISO14443A RFID Systemwith Actively Emulation Load Modulation

Klaus Finkenzeller (Giesecke & Devrient)

Florian Pfeiffer (perisens / Fachgebiet Höchstfrequenztechnik – TUM)

Erwin Biebl (Fachgebiet Höchstfrequenztechnik – TUM)

17.05.2011

Range Extension – Florian Pfeiffer

17.05.2011 Page 2

Motivation

Gaining high reading distances with active load modulation could be used to attack an RFID reader

Accessing an ISO 14443 reader from much more distance, than the nominal 10 cm

No limitation in “tags” (PICC) antenna size Useful antenna sizes from 10 cm … 1.5 m in diameter

No limitation in “tags” (PICC) transmission power 100 W seems to be applicable with no problem Up to 1 kW seems to be possible with improved equipment


17.05.2011 Page 3

Limiting Factors of a Passive Tag System

PCD

(reader)

PCD

(reader) PICC

(Transponder)

PICC

(Transponder)

~

2. Data transmission PCD PICC

(Downlink)

3. Data transmission PICC PCD

(Uplink)

1. Energy

1. Power: The small PICC antenna accumulates not enough energy from the field.

2. Downlink: Coil voltage is too low for demodulation

3. Uplink: The load modulation effect with the small PICC antenna is too poor


17.05.2011 Page 4

Limiting Factors of an Active Tag System

PCD

(reader)

PCD

(reader) Tag

(Transponder)

Tag

(Transponder)

~

1. Data transmission PCD Tag

(Downlink)

2. Data transmission Tag PCD

(Uplink)

1. Downlink: Transponder coil voltage is too low for demodulation

2. Uplink: The load modulation effect with is too poor

Solution: improve receiver / noise limited!

Solution: increase magnetic field!


17.05.2011 Page 5

Prototype Implementation

Reader

Loop

ANTENNA PowerAmplif.

BPFilter

Modu-lator

SmartCardChip

Loop

ANTENNA

Pre-Amplif.

BPFilter

Downlink

Uplink

PreAmp.

Transmit

Receive

13.56 MHz

14.408 MHz


17.05.2011 Page 6

jkrL ekrjkrr

IkajH

2

2 1114

sin

jkrLr e

jkrrIkajH

112

cos2

2

Small circular loop antenna

.

0H

Magnetic fields:

H

rH

LI

a

Legend:

a… loop radius, … loop current, k… wavenumber

r… distanceLI

2k

m5.32


17.05.2011 Page 7

Loop Placement

r < 8.3m

Coaxial orientation

r >8.3m

Coplanar orientation

Tx Loop

Rx Loop

Tx Loop Rx Loop

Magnetic fields


17.05.2011 Page 8

28ln

baaL

rr L

PQI

2)(

Active tag in transmitting mode

Source Loop antenna

Loop

current

Resonance

frequencyInductance

Power

Circular loop antenna:

Bandwidth-3dB1

Q


17.05.2011 Page 9

Tx range (near field: )

Influencing Factors

A… Area enclosed by the loop

P… Transmit power

Q…Quality factor

43 /H~A

PH~

QH~

4max A~r

6max P~r

6max Q~r

31 rH~

Increase Tx range by 100%, requires...

Increase loop area by a factor of 16

Increase power by a factor of 64

(Increase quality factor by 64)

Increase Tx range by 100%, requires...

Increase loop area by a factor of 16

Increase power by a factor of 64

(Increase quality factor by 64)

Magnetic field


17.05.2011 Page 10

Maximizing Tx Power

U

f

fc

13.56 MHz

fc-fsub

12.712 MHz

fc+fsub

14.408

MHz

13.56 MHz Carrier

Subcarrier

Data

OSB

25%25%

50%

Without filtering:

75% of Tx power

will not contribute to

communication

Without filtering:

75% of Tx power

will not contribute to

communication


17.05.2011 Page 11

Maximizing Tx Power

U

ffc-fsub

12.712 MHz

fc+fsub

14.408

MHz

carrier

subcarrier

data

passband

USB

With filtering:

100% of power in the

Upper side band!

& smaller bandwidth >

higher Q!

With filtering:

100% of power in the

Upper side band!

& smaller bandwidth >

higher Q!

fc

13.56 MHz


17.05.2011 Page 12

Prototype Implementation

Antenna

14.408 MHz

Antenna

13.56 MHz

50W-power amplifier Bandpass-Filter

(upper side band)

Buffer

50 Ohm out

Preamplifier

+27dB

+50dB

Downlink

Uplink

Smart

Card

Chip

DSB-

modulator

Micro SD Testboard

Preamplifier


17.05.2011 Page 13

Measurement Setup

Receiver frontend Rectangular loop antenna 19 x 12.5 cm²

(f=13.56MHz / Q = 27) Amplifier with 27dB gain

Rx antenna

Rx Amplifier

Micro SD Testboard


17.05.2011 Page 14

Measurement Setup

Transmitter frontend Coupled resonator filter Preamplifier Commercial 50 Watt amplifier Rectangular copper tube loop

antenna 1 x 1 m²(f=14.408MHz / Q = 22)

“Active smart

card”

Tx Loop

“smart card

antenna”

“Tx amplifier


17.05.2011 Page 15

Measurement Setup

Tx antenna

Rx antenna

NXP Pegoda


17.05.2011 Page 16

Measurement Results and Extrapolation

Results: 2.8 m @ 50W Reading: 9 m

Extrapolation: Higher Tx power

4m@300W

2.8m@(50 W,1m²)

4m@(300 W,1m²)

Passive Tags (0.1m)


17.05.2011 Page 17

Results: 2.8 m @ 50W Reading: 9 m

Extrapolation: Tx power 300W & Antenna size

1.5m x 1.5m Calculated range

5.5m

Measurement Results and Extrapolation

2.8m@(50W,1m²)

3.5m@(50W,2.25m²)


17.05.2011 Page 18

Conclusion

Limiting factors of Rx range :

Signal-to-noise ratio (SNR) / man made noise Without any other readers close by we achieved a reading range of 9m With other readers: CW signal / signal interference additional filtering

Limiting factors of Rx range :

With a 1x1m² antenna and a 50 Watt amplifier we achieved a range of 2.8m

High Rx power and huge antennas quickly ending up with equipment like a “broadcast radio station”

An attack over several meters is difficult to install (no handy briefcase) and therefore limited to very few selected places

Documents

Range Extension of an ISO14443A RFID System with Actively ... · Range Extension of an ISO14443A RFID System with Actively Emulation Load Modulation Klaus Finkenzeller (Giesecke &