OpenPICC RFID Emulator Project
Breaking into a Mifare Classic protected key vault that uses only anti-collision as a security feature; no cryptography is used by that vault.
Introduction
This device is obsolete - please use OpenPICC SnifferOnly 13.56MHz instead for sniffing
The OpenPICC project for Proximity Integrated Circuit Cards (PICC) is the counterpart to OpenPCD. It is a device that emulates 13.56 MHz RFID transponders / smartcards. OpenPICC can be used, for example, to simulate ISO 14443 or ISO 15693 transponders, such as those used in biometric passports and FIFA World Cup tickets.
Like OpenPCD, the hardware design and software are available under Free Licenses.
Please refer to our OpenPICC Development pages as well.
Our open RFID hardware projects
Design Files
How to sniff RFID reader to ISO 14443 tag data transmission using OpenPICC
configure OpenPCD to send data continuously
- connect USB debug cable to RS232_CMOS connector on OpenPCD - black wire is Pin 1
- cu -l /dev/ttyUSB0 -s 115200 (debug terminal, where ttyUSB0 is the debug cable. You can find 'cu' in the uucp package. Make sure that your current user is also in the group 'uucp' to use this software)
- power cycle OpenPCD again - the OpenPCD boot message appears
- press 'A' on debug terminal to enable continuous long packet transmission by OpenPCD - green LED turns on continuously in return
compile openpcd_test
- mkdir openpicc
- cd openpicc
- svn co http://svn.openpcd.org/trunk/host/
- svn co http://svn.openpcd.org/trunk/firmware/
- cd host
- make opcd_test
- mv opcd_test opicc_test
- plug OpenPICC into USB port
- sudo ./opicc_test -L
Configure OpenPICC via USB debug cable
- plug the debug cable into OpenPICC - black wire towards jumper socket in top right
- press '}' several times to decrease the sampling clock divider to the lowest value
- press 'd' till SSC-Mode is set to '5'
- press 's' to start sampling
- press 'a' to stop sampling
- analyse /tmp/opcd_samples for sampled data (see example file)
Decode the sniffed data
- wget http://www.openpcd.org/dl/openpicc/decode_openpicc.c
- gcc -O2 -o decode decode_openpicc.c
- ./decode /tmp/opcd_samples
- Example output:
Y
Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[00]0 [11]1 ==0x00
X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 ==0xFF
X[07]1 X[11]0 Z[07]0 Z[00]0 [11]1 X[11]0 Z[07]0 Z[00]0 [12]1 ==0x11
X[00]0 [14]1 X[11]0 Z[07]0 Z[00]0 [11]1 X[11]0 Z[00]0 [11]1 ==0x22
X[07]1 X[07]1 X[11]0 Z[00]0 [11]1 X[07]1 X[11]0 Z[00]0 [11]1 ==0x33
X[12]0 Z[00]0 [10]1 X[11]0 Z[07]0 Z[00]0 [11]1 X[00]0 [16]1 ==0x44
X[06]1 X[00]0 [15]1 X[00]0 [16]1 X[00]0 [14]1 X[00]0 [15]1 ==0x55
X[00]0 [16]1 X[06]1 X[12]0 Z[00]0 [11]1 X[06]1 X[00]0 [15]1 ==0x66
X[00]0 [16]1 X[00]0 [14]1 X[11]0 Z[00]0 [12]1 X[10]0 Z[08]0 ==0x4A
Z[07]0 Z[00]0 [11]1 X[07]1 X[11]0 Z[00]0 [11]1 X[10]0 Z[08]0 ==0x4C
CRC OK
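
The example output above can be re-checked by hand: in ISO 14443-A framing each byte is sent LSB first and followed by an odd parity bit, and the last two bytes of the frame are CRC_A. The C code below is an added example, not part of decode_openpicc.c or the OpenPICC project; it parses the byte lines shown above and verifies parity, the printed ==0xNN values and CRC_A. It assumes the last character of each token is the decoded bit, and the names SAMPLE, crc_a and check_frame are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Sample input: the ten byte lines of the example output on this page. */
static const char SAMPLE[] =
    "Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[00]0 [11]1 ==0x00\n"
    "X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 ==0xFF\n"
    "X[07]1 X[11]0 Z[07]0 Z[00]0 [11]1 X[11]0 Z[07]0 Z[00]0 [12]1 ==0x11\n"
    "X[00]0 [14]1 X[11]0 Z[07]0 Z[00]0 [11]1 X[11]0 Z[00]0 [11]1 ==0x22\n"
    "X[07]1 X[07]1 X[11]0 Z[00]0 [11]1 X[07]1 X[11]0 Z[00]0 [11]1 ==0x33\n"
    "X[12]0 Z[00]0 [10]1 X[11]0 Z[07]0 Z[00]0 [11]1 X[00]0 [16]1 ==0x44\n"
    "X[06]1 X[00]0 [15]1 X[00]0 [16]1 X[00]0 [14]1 X[00]0 [15]1 ==0x55\n"
    "X[00]0 [16]1 X[06]1 X[12]0 Z[00]0 [11]1 X[06]1 X[00]0 [15]1 ==0x66\n"
    "X[00]0 [16]1 X[00]0 [14]1 X[11]0 Z[00]0 [12]1 X[10]0 Z[08]0 ==0x4A\n"
    "Z[07]0 Z[00]0 [11]1 X[07]1 X[11]0 Z[00]0 [11]1 X[10]0 Z[08]0 ==0x4C\n";
/* CRC_A (ISO/IEC 14443-3): reflected polynomial 0x8408, initial value 0x6363. */
uint16_t crc_a(const uint8_t *d, size_t len)
{
    uint16_t crc = 0x6363;
    while (len--) {
        crc ^= *d++;
        for (int k = 0; k < 8; k++)
            crc = (uint16_t)((crc >> 1) ^ ((crc & 1) ? 0x8408 : 0));
    }
    return crc;
}

/* Frame length if parity, printed values and CRC_A all agree, else -1. */
int check_frame(const char *text)
{
    uint8_t frame[32];
    unsigned bits = 0, n = 0, ones = 0, printed = 0, len = 0;
    for (const char *t = text + strspn(text, " \n"); *t; t += strspn(t, " \n")) {
        size_t tl = strcspn(t, " \n");
        unsigned bit = t[tl - 1] == '1';  /* assumed: last char of a token is its bit */
        if (sscanf(t, "==0x%x", &printed) == 1) {      /* end of one byte */
            if (n != 9 || !(ones & 1) || bits != printed || len == sizeof frame)
                return -1;
            frame[len++] = (uint8_t)bits;
            bits = n = ones = 0;
        } else if (bit || t[tl - 1] == '0') {          /* other tokens are skipped */
            if (n < 8) bits |= bit << n;               /* LSB is sent first */
            ones += bit;                               /* ninth bit makes the count odd */
            n++;
        }
        t += tl;
    }
    return (len >= 3 && crc_a(frame, len) == 0) ? (int)len : -1;
}
int main(void) { printf("frame length: %d\n", check_frame(SAMPLE)); return 0; }
```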