Topic: RF communication analysis

Griffin (topic starter)
RF communication analysis
« on: February 24, 2012, 08:11:19 pm »
Hi everyone,

OK, so here is the deal: I'm working for a company that maintains a collision avoidance system on a mine. The system makes use of tags and RF readers to warn someone if they come too close to a moving vehicle or dangerous machinery.

My problem is the aforementioned tags. Every person has one (1140 to be precise, excluding spares). Now when new tags or replacements arrive it takes us 5 min to replace them but 30 min to wait for the current system to show the tag ID, because it is read by the same readers that monitor travel underground. This is time consuming and the manufacturers of the system aren't willing to change anything to make it easier.

So I'm looking at designing a wand or mini station that simply reads the tag ID, but for this I need to reverse engineer the two-way communication between the current tags and RF readers (both custom systems, no standard RFID readers).

I have no idea where to start, since the tags are sealed and you can't access the hardware directly. Is there any way this can be done over the air, and where do I start?
If it cannot be done, the answer is simple: Do the impossible and hurry up!
 

w2aew
Re: RF communication analysis
« Reply #1 on: February 25, 2012, 03:53:13 pm »
Without knowing anything about the readers and tags, it will be difficult to design anything that can read the tags. There are more than a dozen RFID standards in widespread use, and all of them are different. Some of the various parameters are: operating frequency, passive or active tags, reader/interrogator modulation type and data format, tag response (active or passive backscatter), tag modulation and data format, transaction protocol, etc.

Operating frequency can be anything from 130 kHz to 2.4 GHz or more. Modulation types can be simple ASK, or more complex. Data encoding could be simple NRZ or some Miller, Manchester, etc. type encoding.

Reverse engineering your system is possible with the right equipment, but very time consuming. Unless the manufacturer can provide you with the system's details, it's really not practical to build your own reader.

If the tags are hard-coded (as opposed to being programmable), then it's possible that the unique ID of the tag might be etched or printed somewhere on the tag itself...
YouTube channel: https://www.youtube.com/w2aew
FAE for Tektronix
Technical Coordinator for the ARRL Northern NJ Section
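
The reply above lists the parameters you would have to pin down (frequency, modulation, encoding). The first thing a logic-analyser capture of a demodulated tag burst tells you is the line coding, and that decision is mechanical. The following is an added example, not code from the thread or from the tag vendor: it decodes an oversampled Manchester trace by recovering the half-bit period from the shortest run, and it includes a quick run-length check that separates Manchester from NRZ. The oversampling ratio, the 0/1 chip convention and all sample data are constructed assumptions, not the mine system's real parameters.

```python
"""Added example (not from the thread): clock recovery and Manchester decoding
of an oversampled logic-analyser trace, plus a quick NRZ-vs-Manchester check.
All data here is constructed; the bit/chip convention and oversampling ratio
are assumptions, not the mine system's actual parameters."""
from typing import List, Tuple

SAMPLES_PER_HALF_BIT = 8          # assumed: 8 analyser samples per half-bit


def manchester_encode(bits: str) -> List[int]:
    """Assumed convention: 0 -> high then low, 1 -> low then high."""
    out: List[int] = []
    for b in bits:
        first, second = (1, 0) if b == "0" else (0, 1)
        out += [first] * SAMPLES_PER_HALF_BIT + [second] * SAMPLES_PER_HALF_BIT
    return out


def run_lengths(samples: List[int]) -> List[Tuple[int, int]]:
    """Collapse a sampled trace into (level, run_length) pairs."""
    runs: List[List[int]] = []
    for s in samples:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return [(lvl, n) for lvl, n in runs]


def looks_manchester(samples: List[int], slack: float = 0.35) -> bool:
    """Manchester guarantees a transition in every bit, so no run can exceed
    two half-bit periods: longest run / shortest run <= 2 (within slack).
    NRZ data with consecutive identical bits produces longer runs."""
    lengths = [n for _, n in run_lengths(samples)]
    return max(lengths) / min(lengths) <= 2 + slack


def manchester_decode(samples: List[int], phase: int = 0,
                      slack: float = 0.35) -> str:
    """Recover the clock from the shortest run, quantise every run to
    1 or 2 half-bit 'chips', then read bits as chip pairs. `phase` selects
    which chip starts the first bit; a real protocol fixes this with a
    preamble, here the caller simply tries 0 and 1."""
    runs = run_lengths(samples)
    half = min(n for _, n in runs)            # shortest run = one half-bit
    chips: List[int] = []
    for lvl, n in runs:
        k = round(n / half)
        if k not in (1, 2) or abs(n / half - k) > slack:
            raise ValueError(f"run of {n} samples is not 1 or 2 half-bits")
        chips += [lvl] * k
    chips = chips[phase:]
    if len(chips) % 2:
        chips = chips[:-1]                     # drop a dangling half-bit
    bits = []
    for i in range(0, len(chips), 2):
        a, b = chips[i], chips[i + 1]
        if a == b:
            raise ValueError(f"missing mid-bit transition at chip {i}")
        bits.append("0" if (a, b) == (1, 0) else "1")
    return "".join(bits)


def decode_trace(samples: List[int]) -> str:
    """Try both bit phases; return the first that decodes cleanly."""
    for phase in (0, 1):
        try:
            return manchester_decode(samples, phase)
        except ValueError:
            continue
    raise ValueError("trace is not valid Manchester at either phase")


if __name__ == "__main__":
    trace = manchester_encode("10110010")     # constructed test burst
    print(looks_manchester(trace), decode_trace(trace))
```

Note the phase problem: a run of identical bits decodes validly at both phases, which is why real formats carry a sync pattern. On a capture of the real tag you would first run `looks_manchester` on the burst; if it fails, suspect NRZ or Miller and look at run-length histograms before writing any decoder.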
 

Griffin (topic starter)
Re: RF communication analysis
« Reply #2 on: February 27, 2012, 07:59:31 am »
I had a check, and after some effort I managed to open one of the RFID reader enclosures, so I now have access to that board. Since this is a mine, I could probably get the operating frequency, since it must be cleared for use. Will this make things easier or not really?

About the IDs printed on the tags: well, it turns out the actual product (reader + tags) is manufactured by Selectronic Funk- und Sicherheitstechnik GmbH in Germany. The PCBs are then sent to South Africa, where the other company that supplies us pots the tags in a solid little red enclosure. In this entire process no one thinks of reading the ID first and then printing the correct number on the tag. The company over here prints their serial number on the enclosure, but that has no traceable reference to the original tag ID.

I know this is a long shot, but it would be nice if I could figure this out somehow.
 

amspire
Re: RF communication analysis
« Reply #3 on: March 05, 2012, 04:51:37 am »
It may be possible or it may be impossible.

If the tags are designed for high security and are using state-of-the-art encryption, then you will not be able to identify a tag without finding the decrypting algorithms and keys in one of their receivers. You cannot break it any other way, and the tag data will just look like pure random noise.

If it is really insecure, the tag may just be sending out a fixed code sequence, and then you have a chance of making your own tag ID circuit.

The tag probably has a separate microcontroller IC, and one pin will be a data output pin to the transmitter IC. You would have to capture the waveform on that data out pin and look for a repetitive pattern. If there is no repetitive pattern, then this will probably be an extremely difficult, if not impossible, project.

Richard.

Edit: If you were able to decode the data stream, then you could also capture it easily and make your own duplicate transmissions. In other words, you could design a box that could capture the ID of all the tags on site, and it could then mimic any tag.

I would expect the company that makes these tags is not dumb enough to allow you to make such a box, so I would guess that they have used proper encryption.
« Last Edit: March 05, 2012, 05:10:56 am by amspire »
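
The test proposed above, capture the data-out pin and look for a repetitive pattern, can be made systematic once the bursts have been reduced to bit strings. The following is an added example, not code from the thread or from the vendor: given several captured bursts from one tag it reports which bit positions change between transmissions, and from that separates a fixed (readable, replayable) payload from one with a counter field or one that looks like ciphertext or a rolling code. It also finds the repeat period of a continuous back-to-back capture. All frames are constructed; the idle-gap splitting and line decoding are assumed to have been done already.

```python
"""Added example (not from the thread): compare successive captures of a
tag's data-out pin to tell a fixed ID from a rolling/encrypted payload.
Inputs are constructed bit strings, one per captured burst, already
reduced to 1/0 (splitting on idle gaps is assumed to have been done)."""
from typing import List, Optional


def find_period(bits: str, min_period: int = 8) -> Optional[int]:
    """Smallest period p (>= min_period) such that the whole capture
    repeats with period p, verified over at least three repetitions.
    None means no fixed repeating pattern exists in this capture."""
    n = len(bits)
    for p in range(min_period, n // 3 + 1):
        if all(bits[i] == bits[i + p] for i in range(n - p)):
            return p
    return None


def split_frames(bits: str, period: int) -> List[str]:
    """Cut a continuous capture into whole frames of the found period."""
    return [bits[i:i + period] for i in range(0, len(bits) - period + 1, period)]


def changing_positions(frames: List[str]) -> List[int]:
    """Bit indices whose value differs between frames. A short set of
    positions (often at one end) suggests a counter; most of the frame
    changing suggests a nonce, a rolling code or ciphertext."""
    width = len(frames[0])
    return [i for i in range(width) if len({f[i] for f in frames}) > 1]


def classify(frames: List[str], min_frames: int = 3) -> str:
    """Coarse verdict on a set of bursts from the same tag."""
    if len(frames) < min_frames:
        return "insufficient"
    if len({len(f) for f in frames}) != 1:
        return "variable-length"
    changing = changing_positions(frames)
    if not changing:
        return "fixed"           # constant payload: ID is readable and replayable
    if len(changing) < len(frames[0]) // 2:
        return "partly-varying"  # constant ID field plus a counter-like field
    return "varying"             # no stable field: expect crypto or rolling code


# Constructed captures (not real tag data), four bursts each.
FIXED = ["1011001110100101"] * 4
COUNTER = ["101100111010" + c for c in ("0000", "0001", "0010", "0011")]
RANDOMISH = ["1010110010110001", "0110001111010100",
             "1101011000101110", "0011100101110011"]

if __name__ == "__main__":
    for name, frames in (("fixed", FIXED), ("counter", COUNTER),
                         ("randomish", RANDOMISH)):
        print(name, classify(frames), changing_positions(frames))
    print(find_period("10110011" * 5, min_period=4))
```

A "fixed" verdict is exactly the insecure case described above: the same bits every time can be recorded and re-emitted, so a reader that only trusts the ID would accept a clone. A "partly-varying" verdict still lets you read the constant field as a candidate ID, but the varying part needs to be understood before you know whether the reader checks it. Collect more than three bursts before trusting the verdict; with few frames a slowly changing counter looks fixed.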
 

jgbena
Re: RF communication analysis
« Reply #4 on: March 05, 2012, 09:43:16 pm »
Sounds like a job for an Arduino and some assorted hardware.

Check out Jeremy's video here and it might give you some ideas.
http://www.jeremyblum.com/2011/07/08/tutorial-12-for-arduino-rfid-card-reading/


Regards
Jon
 

