RFID Transplantation

November 6th, 2010

One of the nice things about living in Singapore is its comprehensive mass-transit system. The SMRT blankets the 26-mile by 14-mile island nation with a network of 78 stations and an extensive bus system. This is in stark contrast to San Diego county, which is over 15 times the land area in size but has only 2/3rds the population and is covered by a trolley system with 53 stops. Needless to say, it’s impossible to live in San Diego without a car; while driving is a privilege, it’s a burden when you are required to do it. So, I’m quite happy now to have the option of taking the SMRT, safely answering emails and playing video games while the train takes me to my destination.

However, one small irritation I’ve encountered with the SMRT is that the “EZlink” RFID card system used in Singapore conflicts with the two other RFID subway cards in my wallet (the Shenzhen Tong and the Hong Kong Octopus card), so as I pass through the busy turnstiles, about half the time I get an invalid card error, causing much irritation among the people behind me as I sort through my RFID card collection to pick out the EZlink card.

Having seen Japan’s Suica system integrated into mobile phones, I thought, why not stick the EZlink chip inside my phone? Since the EZlink card also serves as a payment card, I can get around the city with nothing but my phone, buying beverages at 7-11, and paying taxi, bus and train fares while texting my buddies without carrying a scrap of cash.

As a general note, transplanting RFID chips is a much cleaner solution from both the legal and technical perspective versus cracking the security and programming your own RFID to be compatible with the existing payment system. While many of the security systems used in RFID are already broken or have serious known vulnerabilities, I can’t think of any country where the authorities would take kindly to you doing it. And, while the 3DES system used in the EZlink’s security isn’t the strongest out there, it’s still hard enough to crack that it’s just not worth the effort.

Transplanting the RFID chip ended up taking only a couple hours in the end; I think it’s a handy enough hack that I’m sharing the details on how to do it. Unfortunately, few of my American readers would have an immediate use for it, since RFID payment and subway transportation technology really hasn’t reached most of the US population…I must remark at this point that living overseas really highlights how behind the US is in some areas. I have 100 Mbit broadband service in my home for about US$60/month…and just a couple months ago they rolled out 1 Gbit fiber-to-the-home in my neighborhood, and I’m tempted to upgrade, although I’m not quite sure what, exactly, I’d do with a Gigabit connection. It’s also sad to find in the details of my Japanese mobile data plan that the US’s 3G service is classified in the same performance tier as Africa’s 3G services.

Note to locals: I picked the EZlink card (as opposed to the competing NETS system) because they have convenient top-up kiosks in the station where you just lay the card on a pedestal to recharge it. The NETS system requires you to put the card into a slot reader, or to give it to an agent, both of which are not an option when you’ve hacked the card into a mobile phone.

The EZlink card uses a 13.56 MHz contactless RFID system, so inside the card there’s an actual silicon chip, and an embedded antenna. Above is a photo of the card with the chip’s location (top right corner) revealed. The easiest way to locate the chip is to look at the reflection of a lightbulb off the surface and observe the slight bump underneath the surface where the chip is located. Outline the location with a marker and use a hobby knife to scrape away at the plastic.

Scraping away at the plastic on the opposing side as well makes the chip easier to release:

Lift the chip out very delicately, as there is a loop of copper wire bonded to the chip’s leadframe. If pulled too hard, the leadframe will be damaged — it must be kept intact, since an alternate antenna will be soldered to the leadframe later on. Below is a photo of the chip lifted up partially, revealing the copper wires.

Below is a photo of the chip’s leadframe, with arrows pointing to the solder points on the leadframe. Notice how the metal on the left and right sides is not actually electrically connected to the metal paddle in the center, thus creating three electrically isolated regions. Take caution not to short them together.

Now that the chip is free, attach it to a suitable antenna. For this hack, I took a 13.56 MHz RFID bracelet and re-used the antenna from it. The bracelet is made by Precision Dynamics, a PDC Smart Superband 470. You can also make your own antenna, but RFIDs are so common it may be easier to scavenge an existing antenna out of any used 13.56 MHz RFID.

Cutting open the band is easily done with a pair of scissors:

Next, carefully cut the existing chip out of the antenna. Since it’s all printed on thin flexible plastic, this is easily done with a hobby knife.

Above is a photo of the partially-cut chip. When cutting the chip out, be sure to leave the antenna contacts on either side, as these will be used to solder to the EZlink RFID chip’s leadframe tabs. Below is a photo of the chip itself, after it has been freed of its bond to the antenna.

Next, lay some Kapton tape down in the region of the RFID chip bonding area to protect the delicate antenna traces underneath. Slide the RFID chip in between the antenna contacts, and solder it down:

Soldering the chip takes a deft hand, since you’re soldering onto soft plastic that will melt if you apply too much heat. However, a bit of solder flux applied before the operation and a temperature-controlled iron set to the lowest temperature that will still melt solder makes things easier.

And that’s basically it! The final EZlink chip + grafted antenna assembly is very thin and flexible:

It’s thin enough to be taped inside the battery compartment of my local phone. Positioning of the antenna is important; it needs to clear the battery pack as much as possible, as the battery pack interferes with the RFID signal. Here’s a photo of the compartment with the back cover off:

I’m guessing the TSA would not be entertained if they found this on me given the recent use of mobile phones in cargo bombs…which is why I stuck it into my local-only feature phone, instead of my international-use Blackberry.

And, here it is, in my local SMRT station, showing the latest balance:

The final antenna+RFID assembly is thin and flexible enough to be hidden in a number of convenient locations; it could be put into the wristband of a watch, sewn into clothing (although, I wouldn’t put this through the wash), or integrated into jewelry.

Bounty on Microsoft Kinect

November 4th, 2010

Adafruit is hosting an “X-prize” style competition where they are offering a $2,000 bounty for anyone who can create an Open-Source driver for the Microsoft Kinect game peripheral (reminds me of MR’s Xbox Linux prize but on a smaller scale). Lots of details about the competition and what Kinect is at this link.

Sounds like a fun project, just wish I had the time!

Ponderings on “The Cargo Bomb” (and Winner of Name that Ware October 2010)

October 30th, 2010

The Name that Ware crowd does it again — guessed within the first few hours of being posted. Ryan Bavetta wins for being the first with the correct answer. Email me to claim your prize!

Of course, I don’t have access to the ware itself so I must apply my judgment to the guesses, but I believe it’s fairly safe to say that it’s a Nokia 6120c or a very closely related model (the entire 612x family has motherboards that are basically identical, apart from minor changes for specific regional or carrier variants; see the Wikipedia page for the Nokia 6120 family).

I managed to dig up the original service manual schematics for the Nokia 6120c. There are some very curious features about the preparation of the cargo bomb package. First of all, the phone motherboard only has two wires (plus perhaps a ground strap) attached to it. I’m presuming at least one of the wires is for a battery voltage, assuming the return current is going through the metal case via the middle screw.

If this were, for example, a trigger mechanism for something, then presumably the other wire is for the trigger signal.

What makes this a little bit odd, then, is the lack of an antenna. If you look at the schematics for the device, there is a set of four leaf connectors at the top of the motherboard, X7550, X7551, X7552, and X7555 (would be on the rear right side in the photo taken by the press), which need to come in touch with an antenna for any reception worth a damn. I don’t see evidence of an antenna attached to these from the press photo, and if there was it would be pretty close to the large ground plane presented by the metal case. The sensitivity of the radio would be fairly bad, making it unreliable at best as a remotely activated trigger.

One may presume that this is simply because the creator of this package was not skilled in electronics; if that’s the case then I feel a little bit safer since the “bad guys” don’t know how to build a reliable remote bomb trigger out of a cell phone.

However, another possibility is that the motherboard didn’t even have a SIM card in it, and as a result this is just a cheeseball version of the “alarm clock” that you would see in, for example, a “movie bomb”. If they simply attached a wire to the vibrator motor terminals or the ringer/speaker connector, and set a wake-up alarm a couple days later, this would function fairly decently as a time-delay device to activate some mechanism. It’s not hard to find a used mobile phone that doesn’t work as a phone, but still works well enough to set an alarm, although if I were looking for a simple mechanism to just act as a trigger I wouldn’t pick something that has an IMEI (International Mobile Equipment Identity) or other serial numbers that can be traced through a supply chain. Then again, let’s hope that the “bad guys” aren’t smart enough to realize that mobile phones make poor event triggers if you were hoping for some kind of anonymity.

A little more browsing of the latest press releases notes that there was a SIM card in the device, so presumably this was intended to receive a call to detonate the package. Glad to hear the sender of the package doesn’t know much about RF circuits and antennas. Granted, a phone can still receive a signal without an antenna, but the reliability would be poor; you’d need to be much closer to a base station, so there is a high chance of failure in executing the plot. And SIM cards contain a wealth of traceable information. At the very least, someone has to call the phone to set off the trigger. If the phone is intercepted and the SIM card is put into a normal phone, the plotter would be unpleasantly surprised to find that it’s the FBI answering (and looking at the caller ID), instead of a bomb going off. Furthermore, scanning packages for suspicious devices becomes a lot easier, because you can just use a handheld RF scanner to look for radio waves in key frequency bands coming out of boxes that you would otherwise expect to be inert. In other words, a box with an active phone on the inside would advertise its presence in a detectable way to the outside world through its RF signature.

Of course, all wild speculation based on one low-res photo of a phone motherboard…

Name that Ware October 2010

October 29th, 2010

By popular demand, the Ware for October 2010 is shown below:

You may already be familiar with the image. This was the circuit board attached to the bottom of a toner cartridge found in a “suspicious package” on a UPS plane earlier today. I’ve had several people write in to request that I make this device the ware for the month to see what opinions readers have on the identity of the circuit board. The ten-second look at the board places it pretty solidly as a cell phone motherboard; there is a vibrator motor at the top left, customary RF lids to cover the radios, and a size and connector layout consistent with a low-end feature phone.

I’m guessing some reader can probably ID this down to the make and model from this picture alone…

Winner, Name that Ware September 2010

October 29th, 2010

The wares for September 2010 were a zoom-in on a 1000BASE-T PHY circuit, and the trackball of a Blackberry phone. I think the zoom-in format worked fairly well, so I may try it again in the future.

Picking a single winner was hard, so I’ll name both Ben Hutchings and Garrett Kelly as winners, since they were each the first to guess a respective ware. Congrats, email me for your prize!