The previous part of this series, Looking Inside NFC Security: Eavesdropping Attack, Part 1a, showed how easy it can be to eavesdrop on the NFC air interface. This second part continues digging into the subject by introducing SciLab and some basic digital signal processing (DSP) techniques.
NFC air interface signals can be decoded into data streams with several tools and approaches. It is not an excessively complex task using discrete analog and digital components, though interpreting the exchanged frames requires deep knowledge of several standards. A number of commercial products aim at RFID standards compliance validation and RF debugging, but these tools are usually too expensive for the limited budget of a small startup. Some open source projects are also available.
It makes no sense to cover the whole NFC-A air interface signal decoding process in depth. I find it more useful to share a few more generalized thoughts and conclusions. These notes are taken in part from the procedure I used for debugging the air interface of an RFID emulator I worked on a few months ago.
Why SciLab? SciLab is an easy-to-learn free software package with a comprehensive set of documents and sample code. SciLab’s scripting language is mostly compatible with MatLab. With relatively little effort you can get up and running in just a few minutes.
My proposal in the previous post was to start with a DSO for the data acquisition system, but I have to admit that it was not fair play. I used a LeCroy WaveRunner 6050A, which is still a beautiful and powerful 4-channel, 5.0 GSample/sec, 500.0 MHz digital oscilloscope. This DSO is an expensive instrument, definitely out of reach for most experimenters and small startups. It is built on top of Windows XP Embedded and supports the installation of custom-made signal processing modules using COM objects and MatLab scripts. A few years ago we installed Visual Studio on it and developed several modules using C#.
Just before starting experimentation
Signal decoding in the digital domain is a typical DSP application. For this, as for any DSP application, we must start by characterizing the input signal. This characterization provides the essential information for designing the analog front end, choosing the signal digitizing parameters, and deciding on the signal processing strategy.
The ISO/IEC 14443-2 standard is the reference document for the NFC air interface. Recalling from the first part, in NFC-A mode PCD-to-PICC data transmission uses ASK with a carrier frequency of 13.56 MHz, and PICC-to-PCD data transmission uses Manchester coded OOK for the fc/128 bit rate and BPSK NRZ-L for the higher bit rates. The relevant information is carried in the modulation of the carrier envelope. The drawing below depicts the theoretical spectrum at the reader antenna resulting from the Tag modulation.
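As an added example (not code from this post, and written in plain Python rather than SciLab so it runs without extra tooling), the following models the PICC-to-PCD signal just described: it synthesizes a constructed reader-antenna waveform with the page's parameters (13.56 MHz carrier, Manchester coded OOK at the fc/128 bit rate, with the fc/16 load-modulation subcarrier that ISO/IEC 14443-2 specifies for Type A), probes its spectrum at the carrier and at the upper sideband, and decodes the bits back from the sideband energy in each half bit. The digitizer rate of 8 samples per carrier cycle and the 10% modulation depth are assumptions, not values from the page.

```python
import cmath
import math
FC = 13.56e6                     # NFC-A carrier (ISO/IEC 14443-2)
F_SUB = FC / 16                  # load-modulation subcarrier, 847.5 kHz
BIT_RATE = FC / 128              # ~106 kbit/s
SAMPLE_RATE = 8 * FC             # assumption: digitizer takes 8 samples per carrier cycle
HALF_BIT = round(SAMPLE_RATE / BIT_RATE) // 2   # 512 samples per Manchester half bit

def manchester_halves(bits):
    """Type A PICC->PCD: logic 1 = subcarrier in the first half bit, 0 = in the second."""
    halves = []
    for b in bits:
        halves += [1, 0] if b else [0, 1]
    return halves

def synthesize(bits, depth=0.1):
    """Constructed reader-antenna waveform: the carrier envelope is dented by a 0/1 square
    fc/16 subcarrier (OOK; `depth` is an assumed modulation depth) per Manchester half."""
    halves = manchester_halves(bits)
    out = []
    for n in range(len(halves) * HALF_BIT):
        t = n / SAMPLE_RATE
        sub = 1.0 if math.sin(2 * math.pi * F_SUB * t) >= 0 else 0.0
        env = 1.0 - depth * sub * halves[n // HALF_BIT]
        out.append(env * math.cos(2 * math.pi * FC * t))
    return out

def spectrum_at(samples, freq):
    """Normalized single-bin DFT magnitude at `freq`: probes the spectrum at the carrier
    and at the expected sidebands without computing a full FFT."""
    w = -2j * math.pi * freq / SAMPLE_RATE
    return abs(sum(x * cmath.exp(w * n) for n, x in enumerate(samples))) / len(samples)

def sideband_ratio(samples):
    """Upper sideband (fc + fc/16) relative to the carrier; about 0 while the tag is silent."""
    return spectrum_at(samples, FC + F_SUB) / spectrum_at(samples, FC)

def demodulate(samples, threshold=0.01):
    """Detect the subcarrier in each half bit from its sideband ratio, then undo the
    Manchester coding. Two silent halves in a row (sequence F) end the frame."""
    halves = [1 if sideband_ratio(samples[i:i + HALF_BIT]) > threshold else 0
              for i in range(0, len(samples) - HALF_BIT + 1, HALF_BIT)]
    bits = []
    for first, second in zip(halves[0::2], halves[1::2]):
        if (first, second) == (0, 0):
            break                                   # end of communication
        if (first, second) == (1, 1):
            raise ValueError("invalid Manchester symbol")
        bits.append(first)
    return bits
```

Because each half-bit window spans a whole number of carrier and subcarrier cycles, the carrier and the fc ± fc/16 sidebands fall on exact DFT bins, which is why a single-bin probe is enough here; a real capture with clock offset and noise needs windowing and a threshold derived from the unmodulated carrier level.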
Parts 2b and 2c will follow.