392 DEAR HACKER

I/Q decoder input would have to be put on a receiver, scanner, satellite radio, etc. device so you can tinker with the data being spit out.

Either way the wind blows, I’m willing to work with people on hardware issues and designing some circuits for use, which means I’ll have to order some books.

In 21:4, jjr wrote in concerning more info needing to be written concerning RFID. I agree. RFID is trampling into a territory that most in the community have not explored: RF (Radio Frequencies). Some have dabbled in cellular technology, pagers, and WiFi, which are all RF-based. Learning the basics of RF is not hard. Many websites explaining radio theory will get one schooled in the foundations of RF.

RFID is pretty simple technology that is radio-based. At a simplistic level, RFID is just a very simple radio transmitter and receiver (transceiver) with a memory chip. When it receives a signal from a transmitter with proper query sequence, the RFID will spit back an ID code or other info with its transmitter. It has no internal power and thus must take a little bit of the querying transmitter power and convert it to usable power to transmit its information. This part is pretty much basic electronics.

RFID in a product is pretty easy to kill. Tossing it in the microwave should either kill the silicon chip by plasma arc or overwhelm the circuits and burn them out. Of course, there is a potential fire hazard. Static electricity is also another potential killer of RFID. As computer guys, we all know the potential problems with zapping our boxes. Those old static guns to remove static from records may generate enough to kill an RFID chip. Doubtful, but a cell phone up at full power with the tip of the antenna against the chip may kill it. A ham radio walkie talkie at full power may also kill it. A high powered ham transmitter will definitely do it, but not something you carry around.

A stun gun will definitely do the job, as will taking a hammer to it. Exploits? I’m not sure if RFID uses spread spectrum or not. If it does not, a DoS attack is very plausible. If memory serves, some of the frequencies I’ve seen are 13.56MHz, 403MHz, 915MHz, and the 2.4GHz band. The latter would be interesting if WiFi cards could be tricked to operate on the same frequency as RFID. Then you’d be able to query RFID chips and spoof your own queries if you were close enough.

BEHIND THE WALLS

Some of the ham radio transceivers can be easily modified to operate on frequencies outside of the ham radio bands. Of course, transmitting inside or outside of the ham radio frequencies without an FCC license is a federal offense.

There may be other frequencies in use by RFID. You can find these by surfing the manufacturers’ websites. Out in the field tinkering, you’ll need a decent frequency counter. OptoElectronics makes a handheld frequency counter (The Digital Scout) that should be fast enough to capture the frequencies in use by RFID. They make another version (The Scout), but I don’t think it has a fast enough “lookup” time to accurately capture the frequency in use by RFID. Anyhow, simply holding the frequency counter next to an RFID scanner while it is scanning an item should give you the frequency of the device.

Digging around the cell, I found specs on the Em Electronics (www.emelectronics.co.uk) EM4223 RFID chip. It is in compliance with the ISO IEC 18000-6. It carries a 128 bit ROM user memory, operates in the 862-870MHz, 902-950MHz, and 2.45GHz bands, and has no apparent security. Of similar spec is the EM4222 which uses 64 bits of ROM. One version of it has an additional 1024 bits of read/write memory.

In the 13.56MHz frequency range, the EM4006 has 64 bits of ROM while the EM4035 and EM4135 have 64 bits of ROM, and have 3200 bits and 2304 bits of read/write memory respectively. Security is done via lock bits or mutual authentication.

Most of the Loompanics products appear to be a series of RFID chips in the 125kHz range, with 48-128 bits of ROM and 256-2048 bits of read/write memory. Some of these follow ISO 11784 or 11785 standard, and use lock bits and password, password, or mutual authentication security. Some versions have no security at all in the read only versions.

Being that I’m in a prison cell, I’m taking a stab at the data encoding method over RF, and will say it is simply FSK (Frequency Shift Keying) to query and parrot back information. For costs and simplicity, I doubt they are using any more exotic modulation schemes to transmit the data.

FSK is easily decoded on a scanner with slight modifications and an