More RFID tags to the god of RFID tags!
Almost 7 years have passed since the publication of the article about RFID tags. Over these years of traveling and living in different countries, a huge number of RFID tags and smart cards have accumulated in my pockets: secure cards (for example, passes or bank cards), ski passes, public transport tickets, without which you cannot get anywhere at all in, say, the Netherlands, and other things besides.
In general, it's time to sort out this whole menagerie, which is shown in the title picture. In a new series of articles about RFID and smart cards, I will continue the long-running story about the market, the technologies and the internal structure of truly micro chips, without which our everyday life is no longer conceivable, from tracking the circulation of goods (for example, fur coats) to building skyscrapers. In addition, during this time new players (for example, Chinese ones) have joined the all-too-familiar NXP, and they are worth talking about.
As usual, the story will be divided into thematic parts, which I will post as time, opportunity and access to equipment allow.
Foreword
So, it is probably worth recalling that opening tags was, for me, a continuation of my hobby of working with electron microscopy and of cutting open the chip from nVidia back in 2012. In that article, the theory of how RFID tags work was briefly reviewed, and several of the most common and available tags at that time were opened and taken apart.
There is perhaps little to add to that article today: there are still the same 3 (4) most common standards, namely LF (120-150 kHz), HF (13.65 MHz - the vast majority of tags work in this range) and UHF (which actually covers two frequency ranges, 433 and 866 MHz), followed by a couple of lesser-known ones; and the same principles of operation: the chip is powered by induction from the radio wave and processes the incoming signal, sending information back to the receiver.
In general, an RFID tag looks something like this: substrate, antenna, and the chip itself.
Tag-it tag from Texas Instruments
However, the “landscape” of how these tags are used in everyday life has changed considerably.
If in 2012 NFC (Near-Field Communication) was a strange feature in a smartphone, and it was not clear how and where to use it, while giants such as Sony actively promoted NFC and RFID as a way to connect devices (a speaker for the first Sony Xperia that connects, as if by magic, when touched with the phone - Wow! Shock content!) and to change states (for example, you come home, tap the tag, and the phone turns on the sound, connects to WiFi, etc.), which, in my opinion, was not very popular,
then in 2019 only the lazy do not use contactless cards (by and large the same NFC), phones with virtual cards (my sister insisted on NFC when changing her phone) and other life “simplifiers” based on this technology. RFID has become an integral part of our daily lives: single-use bus tickets, access cards for many buildings, offices and otherwise, mini-wallets inside organizations (such as CamiPro at EPFL), “and so on and so forth.”
Actually, that is why such a huge number of tags has accumulated, each of which I want to open to see what is hidden inside: whose chip is installed? Is it protected? What kind of antenna does it have?
But first things first…
It was these tiny pieces of silicon that made our world the way we know it today
A few words about tampering
Let me remind you that to get to the chip itself, the product has to be deprocessed using chemical reagents. For example: remove the shell (usually a card or a round plastic tag with the antenna inside), carefully disconnect the chip from the antenna, clean the glue / insulator off the chip, sometimes remove the parts of the antenna that are firmly soldered to the contact pads, and only then look at the chip and its layout.
Deprocessing is a complicated feeling
In recent years, the materials used to mount the chips have improved enormously. On the one hand, this has made the chip attachment more reliable and reduced the number of defects; on the other hand, simply boiling the chip in acetone or concentrated sulfuric acid to dissolve or burn off the organics no longer gets it clean. One has to get inventive and select a mixture of acids that removes the unwanted layers without damaging the chip's metallization.
Difficulties of deprocessing: when the glue will not wash off the chip under any conditions ... Hereinafter, LM - laser microscopy, OM - optical microscopy
Or like this ...
Sometimes, of course, you get a little luckier and the chip, even with an insulating layer, turns out relatively clean, which does not greatly affect the picture quality:
NB: concentrated acids and solvents should be handled in a well-ventilated area, preferably outdoors! Do not try to repeat this at home, in the kitchen!
The practical part
As I noted at the very beginning of the article, each part will present a separate type, or several types, of tags: transport (public transport and ski passes), secure (mainly smart cards), “everyday” and so on.
Let's start today with the simplest tags. We will call them “everyday tags” because you can meet them almost everywhere: from a race number at a marathon to conferences and the delivery of goods.
Tags covered in this article are highlighted in blue.
Long Range UHF Tags
Many Habr readers play and love sports. In the last few years there has been a pronounced trend of taking part in various races, half marathons and even marathons. For the sake of a medal, sometimes it is not a sin to run 10 km.
Usually, before the start of the event, each participant is issued a number with small foam inserts on the sides, behind which, horror of horrors, hides the notorious RFID tag. Paranoid people definitely need to be on their guard when participating in such events! Not really. Since such competitions use a mass start, the time of each participant has to be recorded from the moment they cross the starting line until they cross the finish line. By running through a special frame in the form of the start and finish gates, each participant starts and then stops an invisible stopwatch.
The tags look something like this:
As practice has shown, even in Switzerland at least two tags are used at public events of this kind. They differ both in their antennas (roughly speaking, narrow and wide) and in the design of the chip. True, in both cases it is the most ordinary chip, without protection, without any bells and whistles and, apparently, with a small memory. And, as practice has shown, from the same manufacturer - IMPINJ.
It is hard for me to judge whether anything is written to the chip; most likely it just serves for identification. If you know more - write in the comments!
IMPINJ chip and wide antenna
This tag has already gone under the knife of other craftsmen. More information about the Monza R6 tag from the American manufacturer IMPINJ can be found here (pdf).
LM (left) and OM (right) images at 50x magnification.
HD picture can be downloaded here
Another time-tracking tag looks a bit more complicated than the Monza R6 chip; there is no marking on the chip, so it is difficult to compare them.
Chip "UFO" from the "unknown" manufacturer
As it turned out after some dancing with a tambourine around this chip, the manufacturer is the same - IMPINJ, and the code name of the chip is Monza 4. More can be found here (pdf).
LM (left) and OM (right) images at 50x magnification.
HD picture can be downloaded here
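The two Impinj chips above, like any EPC Gen2 tag, can also be told apart without opening them by reading the TID memory bank with a UHF reader. The following added example (not from the original article) decodes the TID header; the sample TID values are constructed, and only the two vendor IDs relevant to this article are listed.

```python
# Added example: decode the 32-bit header of an EPC Gen2 TID memory bank.
# Layout (EPC Gen2 v2): 8-bit class ID 0xE2, then XTID / Security / File
# indicator bits, a 9-bit mask-designer ID (MDID), a 12-bit tag model number.

MDID_NAMES = {0x001: "Impinj", 0x006: "NXP"}  # vendors named in this article


def parse_tid_header(tid_hex):
    """Return the header fields of a Gen2 TID given as a hex string."""
    raw = bytes.fromhex(tid_hex.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("a TID header needs at least 32 bits")
    word = int.from_bytes(raw[:4], "big")
    if word >> 24 != 0xE2:
        raise ValueError("not an EPC Gen2 TID (class ID 0x%02X)" % (word >> 24))
    mdid = (word >> 12) & 0x1FF
    return {
        "xtid": bool(word & (1 << 23)),      # extended TID words follow
        "security": bool(word & (1 << 22)),
        "file": bool(word & (1 << 21)),
        "mdid": mdid,
        "vendor": MDID_NAMES.get(mdid, "unknown"),
        "model": word & 0xFFF,               # look this up in the datasheet
        "rest": raw[4:].hex(),               # XTID header / serial, if present
    }


def group_by_chip(tids):
    """Map (vendor, model) -> count, to see how many chip types a batch holds."""
    counts = {}
    for tid in tids:
        hdr = parse_tid_header(tid)
        key = (hdr["vendor"], hdr["model"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample TIDs (not read from the tags in the article).
SAMPLES = ["E2801160 2000 1A2B 3C4D", "E2801160 2000 5E6F 7081",
           "E2006806 0000 0000 0001"]

if __name__ == "__main__":
    for (vendor, model), n in group_by_chip(SAMPLES).items():
        print("%s model 0x%03X: %d tag(s)" % (vendor, model, n))
```

The model number is vendor-specific, so it has to be compared with the TID memory map in the chip's datasheet.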
Near field labels in transportation and logistics
Moving on: RFID tags are successfully used in transportation and logistics for automated / semi-automated goods accounting.
For example, when I ordered RayBan glasses, an RFID tag like this was inside the box. The chip is marked as SL3S1204V1D from 2014 and is manufactured by NXP.
One of the difficulties of working with modern RFID is cleaning the glue and insulation off the chip ...
Information on the tag can be found here (pdf). Tag class / standard - EPC Gen2 RFID. By the way, it is fun to read the change log at the end of the document, which partly shows the process of bringing a tag to market. Applications include inventory management in retail and fashion. So the next time you buy relatively expensive items (200 $ +), take a closer look; maybe you will find a similar tag too.
LM (left) and OM (right) images at 50x magnification.
I decided not to make an HD picture ...
Another example is another box (though I don't remember where I got it from) with a “commodity” tag like this stuck on the inside.
Unfortunately, I did not find the documentation for this particular chip; however, the NXP website has a pdf for the twin chip SL3S1203_1213. The chip is manufactured within the framework of the EPC G2iL (+) standard and appears to have tamper alarm protection. It works in a primitive way: breaking the OUT-VDD jumper sets the flag, and the tag stops working.
Got something to add? Write in the comments!
LM (left) and OM (right) images at 50x magnification.
HD picture can be downloaded here
Conferences and Exhibitions
A typical use of RFID for quick identification of a person is badges at conferences, exhibitions and other events. The participant does not have to hand over a business card or exchange contacts in the traditional way: just hold the badge to the reader and all the contact information has already passed to the other party. And this is in addition to the traditional registration and admission to the exhibition.
Inside the tag that I got after the IMAC industry exhibition was a round antenna with an NXP MF0UL1VOC chip, in other words, new-generation MIFARE. Detailed information can be found here (pdf).
One of the typical examples of the use of smart badges at IMAC
LM (left) and OM (right) images at 50x magnification.
HD picture can be downloaded here
By the way, for those who like to see not only the hardware but also the software side of the tag: below I will present screenshots from the NFC-Reader program, where you can also see the tag type and class, memory size, encryption, etc.
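One way a reader application can obtain the tag type and memory size mentioned above, shown as an added example that is not part of the original article. It assumes the badge chip belongs to the MIFARE Ultralight EV1 family and answers the GET_VERSION command; the sample answers are constructed.

```python
# Added example: decode the 8-byte answer to GET_VERSION (command 0x60) from a
# MIFARE Ultralight EV1 tag. Field meanings follow NXP's MF0ULx1 datasheet.

VENDORS = {0x04: "NXP Semiconductors"}
PRODUCT_TYPES = {0x03: "MIFARE Ultralight"}
SUBTYPES = {0x01: "17 pF", 0x02: "50 pF"}  # input capacitance variant
PROTOCOLS = {0x03: "ISO/IEC 14443-3"}


def storage_range(code):
    """Upper 7 bits n mean 2**n bytes; low bit set means between 2**n and 2**(n+1)."""
    low = 1 << (code >> 1)
    return (low, low * 2) if code & 1 else (low, low)


def parse_get_version(resp):
    """Turn the raw answer into the fields a reader app would display."""
    if len(resp) != 8:
        raise ValueError("GET_VERSION answer must be 8 bytes, got %d" % len(resp))
    header, vendor, ptype, subtype, major, minor, size, proto = resp
    if header != 0x00:
        raise ValueError("unexpected fixed header 0x%02X" % header)
    return {
        "vendor": VENDORS.get(vendor, "unknown (0x%02X)" % vendor),
        "product": PRODUCT_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
        "subtype": SUBTYPES.get(subtype, "unknown (0x%02X)" % subtype),
        "version": "%d.%d" % (major, minor),
        "storage_bytes": storage_range(size),  # (min, max) user memory
        "protocol": PROTOCOLS.get(proto, "unknown (0x%02X)" % proto),
    }


# Constructed sample answers: a small and a large EV1 memory variant.
SAMPLE_SMALL = bytes.fromhex("0004030101000B03")
SAMPLE_LARGE = bytes.fromhex("0004030101000E03")

if __name__ == "__main__":
    for sample in (SAMPLE_SMALL, SAMPLE_LARGE):
        print(sample.hex(), parse_get_version(sample))
```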
Unexpectedly protected chip
In conclusion, I would like to mention the last tag that made it into the first batch of “everyday” tags to be taken apart. I have had it since the time of my cooperation with Prestigio. The main purpose of the tag is to trigger some predefined action, for example in a smart home ecosystem (turn on the light, start playing music, etc.). Imagine my surprise when, firstly, opening it turned out to be quite an adventure and, secondly, inside there was a surprise waiting for me in the form of a fully protected chip.
Well, it will have to be postponed until better times: when we get to protected chips, we will return to it. By the way, for those interested in learning a little more about the possibilities of protection and the applications of RFID in various fields, I recommend this relatively recent presentation.
Instead of a conclusion
We are not done with “everyday” tags yet: in the second part, the wonderful world of Chinese RFID awaits us, Chinese chips included.
Stay tuned!