OpenPCD Passive RFID Project

From OpenPCD

Jump to: navigation, search
Bootable RFID & NFC Live Hacking system with libnfc and OpenPCD 2 RFID Reader/Writer/Emulator support
New OpenPCD 2 design - a 13.56MHz RFID Reader & Writer with NFC protocol and Tag Emulation support
OpenPICC SnifferOnly frontend for sniffing 13.56MHz RFID card transactions using a PicoScope 3204A.

Sniffing ISO15693 RFID iCLASS SE transactions on a 13.56MHz carrier using a PicoScope 3204A and an OpenPICC SnifferOnly frontend.


OpenPCD is an open source and open hardware project around Near Field Communication (NFC), RFID reader, writer & emulator hardware for 13,56MHz. Our devices are able to sniff data from HF RFID cards (13.56Mhz Proximity Integrated Circuit Cards, PICC) conforming to vendor-independent standards such as ISO 14443 (DESfire, new electronic passports etc.), ISO 15693 as well as undocumented and proprietary protocols such as Mifare Classic and iCLASS.

The intention of the OpenPCD project is to offer the users full hardware control of the RFID signal and to provide various output signals for screening the communication. With already existing Free Software from the libNFC project for implementing the PCD side protocol stack of various RFID protocols, this project will happily extend the free toolchain around RFID security research & verification.

Latest News in Montreal on June 11-18th, 2012

Meet Milosch and Brita of the OpenPCD hardware team on in Montreal, Canada! We will give a comprehensive 2 day training session about exploiting RFID systems Holistic NFC hacking - emulating the guts out of RFID with lots of practical real world examples, how recent RFID hacking tools are used and have a hands-on-workshop of a new RFID libnfc enabled hacking/emulation tool based on OpenPCD 2.

HID iCLASS demystified

In our talk at the 27C3 in Berlin we disclosed our security research on HID iCLASS RFID cards. This cards were not publicly documented yet, so we describe our approach in analyzing an unknown RFID system. Our most important discovery was that iCLASS Standard Security cards can be easily read and copied with low cost consumer USB RFID readers due to the fact that the same two keys were used world-wide for all iCLASS Standard Security installations. An in-depth description of our security analysis can be found at our HID iClass demystified page and in our white paper Heart of Darkness - exploring the uncharted backwaters of HID iCLASS security.

New Call a Bike RFID System in Berlin

Since May 2011 Deutsche Bahn is deploying a new RFID based bike rental system in Berlin. We will evaluate the security of this system during next few months.

Our open RFID hardware projects

You can support our project by buying RFID hardware in our shop.

Further reading on OpenPCD 2

Further reading on OpenPCD 1

OpenPCD 1 release

First OpenPCD 1 hardware release

The OpenPCD hardware design is based on the CL RC632 Multiple Protocol Contactless Reader IC from Philips, which supports ISO 14443 A&B, ISO 15693, Mifare and ICODE protocols. This reader IC is connected via SPI to an ARM Microcontroller. We chose the AT91SAM7S128 with a 32-bit RISC processor architecture, 128 kbytes Flash and 32 kbytes SRAM. The Microcontroller is accessible via USB-B-MINI plug and optionally via a 20-pin JTAG header. The design provides several interesting interfaces for monitoring and studying the RFID signal:

  • serial RS232/TTL interface on 1x5 header
  • two-wire I2C interface on 1x4 header
  • SAM-BA reset control on 1x4 header
  • 4 analog inputs on a 1x5 header
  • bootloader reset via push-button
  • HF output of the trigger signal on U.FL connector
  • HF output of the AUX signal (intermediate demodulated steps) on U.FL connector
  • HF output of the MFOUT signal (demodulated digital signals) on U.FL connector
  • optional 1x3 header for an external antenna


The hardware design has been released under a CC attribution share-alike license, the reader firmware and drivers (librfid glue code, plus some extras) have been released under GNU/GPL. You can find both at our download page. Your participation is welcomed in our OpenPCD Subversion repository and our Wiki.

Design and SDK are available under non-open license types upon request alternatively to the OpenSource licenses provided here.


The projects prehistory started in May 2005 with Harald and Milosch working in the lab of the CCC-Berlin on different ways to passive receive and demodulate RFID signals. The RFID tag responds to the RFID reader by using the transmitted 13,56MHz carrier signal as a power supply and modulates the carrier with a 847.5kHz subcarrier by load modulation according to its contained informations. With further knowledge of how to downmix the incoming signal to make filtering with common filter possible before amplify the signal, a hardware ( was designed to simulate the RFID transponder. Brita got involved with the HF PCB layout for the RFID Mini Sniffer and trials with different antennas.

In a one hour presentation at the 22C3 (Chaos Communication Congress December 2005 in Berlin) Harald and Milosch first public announced the project. Harald covered the technical background about the RFID technology, the ICAO MRTD specification, and his efforts to develop a free software protocol stack. Milosch described the current progress in developing hardware and software defined radio based passive sniffing of the RFID radio interface.

Meanwhile Harald launched the project OpenMRTD, which provides a free (GPL) toolset for reading and verifying various RFID protocols from MRTDs (Machine Readable Travel Documents). As part of this project the Free Software RFID library 'librfid' implements the RFID reader side protocol stack of ISO 14443 A, ISO 14443 B, ISO 15693, Mifare Ultralight and Mifare Classic. In order to use these free tools, users still have to rely on commercial and closed hardware readers with their limitations and faults.

To fill this gap in the free toolchain for verifying RFID protocols, this project tries to develop a free hardware design of an RFID reader with free firmware (which either works with librfid on the host PC, or runs librfid in the reader). The first prototype of the OpenPCD free RFID reader is still under testing but already offers the basic functionality of reading different RFID cards/transponder and transmitting freely modulated signals.


From left to right: Milosch Meriac, Brita Meriac, Harald Welte

Harald Welte is a long-term supporter and active member of the Free Software community. His expertise in Linux Kernel development and networking security made him Chairman of the netfilter coreteam. He's one of the principal authors of the Linux 2.4+Kernel Packetfilter, securing virtually every linux installation. As manager of hmw-consulting in Berlin Harald Welte is offering professional consulting, development and training in the fields of networking security, Linux kernel development and embedded Linux.

Milosch Meriac is a freelance hard & software developer/consultant with a broad range of experience in software engineering and hardware development. His focus is on deeply embedded systems, hardware development, embedded linux, lowlevel programming, realtime, IT-security and reverse engineering. He was part of the coreteam at the Xbox Linux project which did the GNU/Linux porting process to the Xbox gaming system. Milosch Meriac provides custom-tailored hard- and software developments and consulting through Bitmanufaktur GmbH in Berlin.

Brita Meriac (formerly known as Brita Rausch ;-)) is working in the field of electronic design. At Bitmanufaktur GmbH she is creating electronic designs and PCB layouts.

Further help on this project is very much appriciated. Please feel free to contact us via email.

OpenPCD in the press