Skip to content

plotting

Jump to bottom
Adam Laurie edited this page Jun 20, 2014 · 5 revisions

Visual plotting of tag data

The first step in understanding a new tag format is to determine what modulation scheme it's using. This can best be done visually, as there are only three major branches of modulation that you will encounter, and they are visually very different. Namely:

  • ASK - Amplitude Shift Keying, also known as OOK or On/Off Keying
  • FSK - Frequency Shift Keying
  • PSK - Phase Shift Keying

These formats are described in detail elsewhere [to be copied across from kickstarter], but for the purposes of initial recognition, they look like this:

ASK

RFIDler ASK Plot

ASK has the appearance of a simple square wave. Sub-formats such as Manchester and Bi-Phase can be applied to ASK (and, indeed, any modulation scheme).

FSK

RFIDler FSK Plot

FSK distinguishes itself by having two different wave sizes, and peak counts. In this image, we can see the two central groups of 5 and 7 peaks, representing a 0 and a 1. The larger groups represent two or more of the same digit.

PSK

RFIDler PSK Plot

PSK has a central 'bar' of data, with individual spikes alternately issuing up or down.

That's it. Your tag should be one of these three.

For the purpose of this howto, we're going to look at an unknown tag and work through the process of figuring out how to read it "properly".

The first step is to produce a plot like the one above. To do this, we use the python helper app 'rfidler.py'. Regardless of what type of tag we think it is, we are going to tell RFIDler to read it as 'Raw ASK'. This is because all we are doing is energising the tag and capturing a waveform from the coil. We are not trying to interpret any data yet, so it doesn't matter what modulation scheme RFIDler thinks we're using.

The command is as follows:

rfidler.py /dev/RFIDler 'set tag askraw' 'potset h 255' plot 500

Which translates as 'set the tag to ASKRAW, set the High Potentiometer to max, and plot 500 samples.

Setting the High Pot prevents the digital logic circuit from detecting any data which would only clutter the plot at this stage, and 500 samples is plenty to see what it is we're dealing with.

So, placing our mystery tag on the coil, we get:

RFIDler plot - mystery tag step1

This is clearly ASK. We will determine later if it is also Manchester or Bi-Phase.

The next step is to determine the data rate or 'Bit Period'. RFIDler measures these in 'Field Clocks'. A Field Clock is a single cycle of the carrier that is energising the tag - usually 125KHz, so 1 second divided by 125,000 gives us 8 microseconds. A Field Clock is therefore 8us, but you don't really need to know that since everything is referenced in FCs, including most datasheets.

For now we can simply take a guess at a rate (we will add measuring tools in due course!), and see if it matches:

rfidler.py /dev/RFIDler 'set tag askraw' 'potset h 75' 'set rate 16' plot 2000

This time we've set the High Pot to somewhere near the middle of the spike in order to detect the data, as well as asking for a larger sample group so we have more data to check our bit period against:

RFIDler plot - mystery tag step2

This shows us some interesting things:

Firstly, the square waves come in only two sizes, one double the size of the other. This is indicative of Manchester or Bi-Phase encoding. The reason for this is explained in detail here [ADD KICKSTARTER CONTENT]. It's very hard to tell the two apart visually, but we can do so later when we move on to the data processing stage.

Secondly, as you can see, pink stripes have appeared. These show not only the bit period, but also exactly when the processor 'sees' them in relation to the waveform. In this case they are deliberately skewed to straddle the transition from HIGH to LOW or vice-versa, and this is done to ensure detection of that change (or lack of it), which might be missed if the start or end of the bit period was too close to the event.

Finally, a green line has also appeared, which shows the state of the Reader Logic. This shows that we are correctly detecting when there is a HIGH or a LOW signal.

Now for some analysis...

Note that the pink stripes are an exact match in size for the smallest of the two wave forms, but as we have determined that we are dealing with Manchester Encoded data, this means that we've set our bit period too small - it is only half a bit as a full Manchester Encoded bit will always contain a transition. We therefore need to try again with double the Bit Period:

rfidler.py /dev/RFIDler 'set tag askraw' 'potset h 75' 'set rate 32' plot 2000

RFIDler plot - mystery tag step3

Now we can see that the pink strip almost exactly overlays some of the pairs of smaller waveforms. For example, just to the left of the 500 sample mark. Also, most importantly, it does not go out of sync as we see the same effect on the far right at the 2000 sample mark.

That's it for this stage! We've determined:

  • Modulation Scheme: ASK
  • Sub-Modulation: Manchester/Bi-Phase
  • Bit Period: FC * 32

For the next stage, we move on to data analysis using the RFIDler menu. [TO BE COMPLETED]

Now let's do the same for FSK and PSK...

Repeating the process for another tag, we get:

rfidler.py /dev/RFIDler 'set tag askraw' 'potset h 255' plot 500

RFIDler plot - mystery tag 2 step1

Now this looks like FSK, but it's not very well defined. There's not a huge amount of difference between the pulse sizes, so this is likely to cause demodulation problems. This can be caused by using the wrong frequency of carrier (e.g. 125KHz instead of 134KHz), but is more likely to be a simple positioning problem. The coils need to be closely coupled, but sometimes 'over-coupling' can cause as much of a problem as 'under-coupling', so try moving the tag around on the coil and/or standing it away a few millimetres on a block of plastic or some other non-conductive material. You should be able to achieve something more like:

RFIDler plot - mystery tag 2 step2

This is pretty perfect, and we can see well defined thick and thin pulses, so demodulation should work fine.

Again, we need to also determine the Bit Period so we can start demodulating. From experience, we know that it's likely to be 50 Field Clocks as that is the standard for FSK1 and FSK2, as well as what HID use, which is probably the most common FSK tag you'll find.

rfidler.py /dev/RFIDler 'set tag fskraw' 'potset h 100' 'set rate 50' plot 500

RFIDler plot - mystery tag 2 step3

Note that we've changed it to FSKRAW even though we're not actually demodulating, but we do this in order to see that the Bit Period alignment is correct. Again, we would expect to see the period overlap the transition between large and small pulses at about the mid-point, and not to drift. We've only read 500 samples again as FSK is a very 'busy' graph, so at this stage it's easier to check with more room on the screen, but you can read more samples to be absolutely sure once you think you've got the parameters right.

This is looking pretty good - we can see our Reader Logic is mirroring the thick/thin spikes quite well, but looking closely there is a problem: about mid-way between samples 400 and 500 two spikes have merged together in the Reader Logic output. This is because the gap at the pot setting we used wasn't quite big enough to be detected (there is a small hardware delay in the detection circuit), so we must correct this by moving the detection point higher up:

rfidler.py /dev/RFIDler 'set tag fskraw' 'potset h 110' 'set rate 50' plot 500

RFIDler plot - mystery tag 2 step4

and now we only have good signal so should have no problems demodulating.

In the case of FSK, we also need to know the sub-carrier frequencies for the 0 and 1 signals. This can be easily calculated by counting the spikes for each type. In this case we have 5 fat and 6 or 7 thin. We know the Bit Period is 50, so all we need to do is divide 50 by the number of spikes and that will give us approximately the sub-carriers. I say approximately because it may not work out to an exact number, but it will be close enough that you can make an educated guess. In this case 50 / 5 is 10 and 50 / 6 is 8.3 and 50 / 7 is 7.1. FSK1 has sub-carriers of 10 and 5, whereas FSK2 has sub-carriers of 10 and 8 so clearly this is FSK2. Job done:

  • Modulation Scheme: FSK2
  • Sub-Modulation: Unknown
  • Bit Period: FC * 50
  • Sub-carrier 0: FC * 8
  • Sub-carrier 1: FC * 10

And finally, let's look at a PSK tag.

RFIDler plot - mystery tag 3 step1

This is instantly recognisable as PSK, so all we need to do is figure out the Bit Period. Again, we can simply guess:

rfidler.py /dev/RFIDler 'set tag psk1raw' 'potset h 150' 'potset l 100' 'set rate 16' plot 500

RFIDler plot - mystery tag 3 step2

Note that in this case we've set both the High and Low Pots as we need the Reader Logic to capture both the UP and DOWN spikes. The High pot captures anything that goes above it, and the Low anything that goes below it.

The way PSK demodulation works is that whenever a spike is encountered the bit value changes. If a Bit Period passes with no spike then the current bit value is repeated. The way we calculate the Bit Period is to look for the smallest gap between two spikes. This will be a 0 followed immediately by a 1, or vice-versa. You may need to look at a larger sample set to be sure, but having done so I can see that we have once again made our period too small. Looking above the 100 sample mark, the pink stripe exactly cuts the gap in half. PSK timing is such that the Bit Period should start pretty much where the spike starts, and you can see from the green trace that it is detected almost immediately. On the plus side, the green traces occur for all the UP and DOWN spikes, so we know data capture is good. All we need to do is fix the data rate and we're done:

rfidler.py /dev/RFIDler 'set tag psk1raw' 'potset h 150' 'potset l 100' 'set rate 32' plot 500

RFIDler plot - mystery tag 3 step3

and now we have our pink stripes exactly filling the smallest gaps, so we're good:

  • Modulation Scheme: PSK
  • Sub-Modulation: Unknown
  • Bit Period: FC * 32

PSK comes in various varieties, but again, there is no easy way to tell them apart until we start demodulation.

Frequency

There is one more thing we can do nicely with aid of visualisation, and that is to check the frequency. Most tags operate at 125KHz or 134.2KHz, but how do you tell which?

The difference between tags operating at different frequencies is that their coils are tuned specifically to the frequency they want to operate at. This means that the signals we get will be 'cleaner' the closer we get to the tuned frequency. Our coil is tuned to a particular fixed frequency, but we can still adjust the carrier to try to match that of the tag, and that should make a noticeable difference. For example, HID Prox tags are widely reported to operate in the 125KHz range, and this is how one looks if we energise it at that frequency:

rfidler.py /dev/RFIDler 'set tag askraw' 'potset h 255' plot 500

RFIDler plot - HID Prox 125KHz

However, look at it when we energise at 134.2KHz:

rfidler.py /dev/RFIDler 'set tag askraw' 'potset h 255' 'set fc 745' plot 500

RFIDler plot - HID Prox 134.2KHz

Notice that the fat spikes have got fatter, and the thin spikes thinner? In other words we have much better definition and consequently will have a much better chance of reading the data. The conclusion, therefore, is that HID Prox tags are actually 134.2KHz and not 125KHz.

The command to change the clock frequency on RFIDler was 'set fc 745' which is changing the Frame Clock period in 1/100 microseconds of the carrier. The calculation for any frequency is simply to divide 1 by the frequency - e.g. 1 / 134200 = 0.00000745

Similarly, but conversely, here is an EM4x02 at 125KHz:

RFIDler plot - EM4x02 125KHz

and at 134.2KHz:

RFIDler plot - EM4x02 134.2KHz

and here we can see that the 134.2KHz read is somewhat 'ragged', so the conclusion is that EM4x02 is a 125KHz tag.

Clone this wiki locally