12h trials of RFID sniffing with no success
Milosch and me were trying for the better part of last Saturday to passively receive and demodulate the ISO 14443 signal sent from a tag/icc to the reader on the 847,5kHz subcarrier that is load modulated onto the 13,56MHz main carrier.
This proves to be more difficult than we thought. Well, we both only have limited experience in practical RF design, so somebody with better skills would probably have helped a lot.
So what did we do? We've built a h-field magnetic loop antenna tuned to 13.56MHz, and tried to get hold of the subcarrier, either by hardware mixing/demodulation or software demodulation using USRP and Gnuradio.
The digital (software) demodulation seemed easy enough, but actually it is limited by the dynamic range of the A/D converter. The subcarrier is only 475kHz away from the main carrier, and it has at least 60 dB less signal. So by doing a FFT on the input signal, you can very nicely see the 13.56MHz carrier, but no subcarrier :(
We've then tried to put a impedance matcher (the opamp way) between the antenna and the USRP (which has roughly 50Ohms input impedance at the BasicRX board). However, apart from lots of distortion, the AD822 based solution didn't make any difference. The subcarrier just seems to be covered by noise.
Our hardware approach was to mix the input signal (especially the subcarrier's upper sideband) with a local oscillator of 3.8486MHz, which should result in an IF of exactly 10.7221MHz. This allows the usage of stock ceramical 10.7MHz IF filters with 280kHz bandwidth. However, we got no noticeable signal at the IF amplifier output of our SA615 based circuit.
So something went really wrong, and probably something that we didn't consider as much as we should have. Probably our test setup using a MTCOS based 14443A ICC and a RC632-based Omnikey CardMan 5121 reader was not a good choice. It was basically running an endless loop with the "Select MF" ISO 7816-4 command. Probably the response to that command was just too short (as compared wit the gap until the next command response is received), and thus we actually had a signal, but not long enough to show up in the FFT. or on the scope screen at the IF output.
Next step will be to build a 14443A card replica, basically a piece of hardware that does a constant load modulation at the right subcarrier frequency. This way we can eliminate too many variables. So when we run our next RFID playground session, we MUST be able to see the subcarrier...
The whole issue has one advantage: I've now actually modelled a 14443A signal (13.56MHz carrier with 847.5kHz AM subcarrier which is in turn ASK'd by a 106kHz signal) in gnuradio. I can TX that signal on the BasicTX output... we'll see if that simulated spectrum actually produces any reasonable result with the SA615based mixer..