Protocol Analysis

ProxiSPY - Capture & Protocol Analyzer

13.56 MHz Protocol Analysis: Not as easy as it looks!

By Francis LAMOTTE (Raisonance), and Thierry THOMAS (CEA-LETI)

Analysing contactless communication is important for solving interoperability issues, for optimizing the efficiency of the protocol handling and for debugging embedded firmware. But protocol analysers seem much more complex to build for ISO 14443 / ISO 15693 than for other contact or RF protocols. This is not because of the higher layers of the protocol, but because extracting the information from the very complex near magnetic field is often tricky.

This article presents the difficulties of capturing contactless communication. It also explains the solutions developed by Raisonance and the LETI (a French research institute) to work around these problems.

 

The use of protocol analyzers is common and often considered mandatory for embedded developers. For most wire protocols (RS-232, USB, Ethernet, ISO 7816, ...), the analyzers are as old as the protocols themselves. Recording a voltage level, or a current, to decode a digital value is well understood, easy and relatively non-invasive. For radio-frequency communication, protocol analyzers are less common and often more expensive, but they also exist for most UHF protocols (Bluetooth, Wireless USB, ...).

Surprisingly, things become more difficult when analyzing the RF communication of either Proximity (ISO 14443) or Vicinity (ISO 15693) cards. Although these use lower bit rates, analyzers seem almost non-existent while the demand is obviously present, and the very first analyzers that did become available were met with constraints and criticism.

However, there is a clear need for analyzers that would allow the resolution of interoperability issues, which are still frequently encountered with many card/reader couples. At first glance, it seems easy for a lab engineer to insert a field probe between the card and the reader and to connect it to an oscilloscope to visualize the modulation. So why is it so hard to build a robust analyzer? What are the difficulties? How can they be solved?

Raisonance, a laboratory equipment manufacturer, and the LETI, a French public laboratory, have worked together to design a robust protocol analyzer dedicated to the 13.56 MHz RF communication protocols. This article summarizes this work, which has led to the design and manufacturing of ProxiSPY, the Raisonance "proximity" protocol analyzer.

What are the difficulties?

Why is protocol analysis for contactless communication so hard? Certainly not because of the complexity of the protocol: the encodings (Manchester, BPSK, ...) are well known and quite easy to handle. Nor because of the speed: 847 kbps is far lower than the gigabits per second now commonly achieved by wire protocols.

At each end, communication is performed by modulating the magnetic field. Therefore, the information should be visible in the magnetic field. The simplest solution consists of looking at the magnetic field by inserting a probe between the reader and the card. For this purpose, a simple copper wire loop would be sufficient: the modulation of the field generates a potential difference across the loop, and connecting this probe to an oscilloscope makes the field modulation visible.

The following figure shows what we could expect:

13.56 MHz Signal Analysis

If you try this experiment, you will find that the quality of the measurement depends mostly on the card, on the reader (sometimes on the particular couple) and, above all, on the relative position of the three elements: probe, reader and card. Capturing the field modulation should be easy, but it is not. The quality of the result is highly variable, and a good result is hard to reproduce.

1.  Interactivity and coupling of the antennas

A first issue arises from the fact that the probe is placed in the reactive near-field region of both antennas. The antennas interact with each other, and the impedance of each is changed by the presence of the other. For each of them, the field modulation it produces induces a modulation of the field generated by the other. Therefore, the analysis probe sees not only the sum of two independent fields but also a compound modulation made of the desired modulation plus the induced modulation. Moreover, this effect depends on the position of the probe and of the antennas.

Antenna Field Intensity

2.  High variability of the magnetic field

The closer a point is to the conductor producing the magnetic field, the smaller the radius of curvature of the field lines at that point. A probe located between the card and the reader is in close proximity to both antennas, where neither magnetic field can be considered uniform.

Consequently, placing the probe is quite delicate, as can easily be verified by connecting such a probe to your oscilloscope.

The magnetic field at a point in the space between the reader and the card is the sum of the two modulated fields, in other words a mix of different modulations with weights that depend on the location of the card and of the reader. A first magnetic field is deliberately modulated, by either the reader or the card, and the second field is modulated by reaction (induced modulation); this induced modulation depends on the load of the receiving antenna. Thus, the combination of the modulated fields is highly variable in space, both in intensity and in direction, as shown in illustration 1.

To summarize, the modulated field varies strongly in space. One of the first issues will therefore be to place the probe properly according to the position of both the reader and the card. A second difficulty will consist of separating (as much as possible) the part of the modulation due to the reader from the part generated by the card. This split is mandatory for a better understanding of the communication.

3.  Weakness of the card modulation

Another issue is caused by the weakness of the signal transmitted by the card. The modulation index of the reader is high, whereas the card only slightly modulates its load. The card is powered by the magnetic field itself and transmits data by changing the resistance in its antenna circuit. Sensing these impedance fluctuations is much easier for the reader, which is coupled with the card antenna, than for a non-invasive external probe. In other words, the reader's input signal is the electromotive force coupled in by the card, and the reaction of the reader's own circuits is part of the transfer channel between this electromotive force and the input of its detector. An external probe, by contrast, sees the combination of two emfs that must be told apart.

A good analogy is measuring the tension of the fishing line that links a fisherman to a fish. Both the fisherman and the fish feel each other through the tension of the line, but an external observer looking at the line would have great difficulty understanding what is happening and who is generating the tension.

4.  Noisy environment

Electromagnetic noise has multiple sources, but the main one is the card itself. Indeed, the card is powered by the magnetic field, and its consumption changes during its activity. The supply current is supposed to be smoothed by a capacitor, but some power-hungry functions (such as cryptographic computations) inevitably create current peaks that affect the magnetic field. An overly sensitive reader can also have problems when listening to noisy cards.

Smart Card Activity Impact on Demodulation

Therefore, there are many unexpected variations of the magnetic field, and this noise can easily look like a modulated signal sent by the card. Filtering this noise is often tricky for the spy.

5.  Various oddities

Analyzing the magnetic field will reveal some surprises...

For example, the mixing of the two modulations can produce an inverted overall amplitude modulation: the load variation increases the amplitude of the signal instead of attenuating it. The figure below shows what would be seen on an oscilloscope in such a situation.

6.  Need for a non-invasive probe

A basic principle for any analyzer is to be as transparent as possible. A good probe must present a very high impedance so as not to alter the signal. In the same way, the contactless probe must preserve the communication between the reader and the card, without improving it either. Two simple rules could be:

  • The spy tracks any successful communication, whatever the context (power, frequency, position of the card, ...),
  • It reports any communication error that would also occur when it is not present in the field.

Observing without altering is theoretically impossible, but any analyzer must try to get as close as possible to this goal. For a field probe, this means:

  • a low re-emission of the secondary field,
  • a low current consumption in the wire of the probe.

Note that these two items are linked: a low consumption induces a low secondary re-emission.

Solutions!

Raisonance, in partnership with the LETI (a French public laboratory), has developed a protocol analyzer, ProxiSPY, to solve the issues presented above.

1.  Designing a probe

The partnership between the two teams has mainly consisted of analysing the magnetic field. The starting point was to consider that the signals transmitted by the card and by the reader are natively different: although the magnetic field at any position is a single quantity, it can be considered as the combination of two fields generated by two different antennas. Therefore, we considered that the probe must be optimized for tracking one of the two components, but not necessarily both simultaneously.

2.  ... and finally a double probe

The first part of the solution was to focus on only one actor at a time: either the reader or the card. For this purpose, the LETI has developed a double probe with two independent parts that simultaneously isolate one component and mask the other. This double probe, which performs the "field separation" method, is connected to a "double acquisition channel", and the re-mixing of the information is performed only at the software level in order to obtain the best possible interpretation.

Ideal probe design

For the best reception, without alteration, of the data from the card, the probe must be positioned as close as possible to the card.

3.  Reduction of probe effect

The LETI has optimized the design of the probe to reduce its invasiveness. The goal is, of course, to analyze without perturbing the system.

A test procedure has been set up to evaluate the probe effect. The measurements on the final Raisonance probe are the following:

 
Impact   Measurement                      Result              Test conditions
-------  -------------------------------  ------------------  ------------------------------------------------------------------
Reader   Variation of the reader field    DeltaH/H < 1%       ISO 10373-6 PCD test; the probe is placed at the centre of the PCD antenna
Card     Variation of card consumption    DeltaVdc/Vdc < 3%   ISO 10373-6 reference PICC (appendix D): J1 = 1.8 kOhm, HPCD = 1.5 A/m, tuned for 13.56 MHz
Card     Resonance frequency tuning       Deltafo/fo < 1%     ISO 10373-6 reference PICC (appendix D): J1 = 1.8 kOhm, HPCD = 1.5 A/m, tuned for 13.56 MHz

4.  Filtering

Since the supported protocols (ISO 14443, ISO 15693) are known, different digital filters are applied to discard some of the unexpected glitches. Typically, both low-frequency and high-frequency noise can be filtered without risk. However, the frequency of the noise can also coincide with that of the signal (according to Murphy's Law). In conclusion, only a high-quality acquisition allows a reliable analysis: cleaning the signal by software cannot be sufficient, and it cannot handle all possible cases.
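To make the two filtering stages above concrete, and to show why the inverted overall modulation of section 5 ("Various oddities") is harmless to a well-designed demodulator, here is an added worked example. It is not ProxiSPY or RGPA code and does not describe the product's actual filters; it is a constructed model of an ISO 14443-A card reply (fc/16 subcarrier, Manchester coding, SOC/EOC sequences as defined in ISO 14443-2) seen through a probe with slow coupling drift, chip consumption glitches and white noise. The assumptions are: the field envelope is sampled once per 13.56 MHz carrier period, and the drift, glitch and noise levels are constructed values. A centred moving average removes the low-frequency part, an in-phase/quadrature matched filter at the subcarrier frequency rejects the high-frequency and broadband part, and the Manchester decoder compares the two half-bits. The quality figure it returns (subcarrier energy in modulated versus unmodulated half-bits, in dB) is the kind of measure a positioning indicator like the LED bar of the next section can be driven from.

```python
import math
import random

# Constructed timing model: the field envelope is sampled once per 13.56 MHz
# carrier period (an assumption for this example, not ProxiSPY's acquisition
# scheme). ISO 14443-A card replies use an fc/16 = 847.5 kHz subcarrier, and
# one bit lasts 128 carrier periods (about 9.44 us).
SUBCARRIER = 16                 # subcarrier period in samples
HALF_BIT = 4 * SUBCARRIER       # 64 samples: four subcarrier cycles
BIT = 2 * HALF_BIT


def card_envelope(bits, depth=0.05, lead=300, seed=1):
    """Constructed envelope of a card reply: `lead` samples of unmodulated carrier,
    the start-of-communication sequence (subcarrier in the first half-bit), the
    Manchester-coded bits ('1' = subcarrier in the first half-bit, '0' = in the
    second), then no modulation as end of communication. `depth` is the load
    modulation depth; a negative value reproduces the inverted overall modulation
    of section 5. Slow drift, short consumption glitches and white noise are
    added on top (all constructed levels)."""
    rng = random.Random(seed)
    burst = [1 if (i // (SUBCARRIER // 2)) % 2 == 0 else 0 for i in range(HALF_BIT)]
    quiet = [0] * HALF_BIT
    load = [0] * lead + burst + quiet                      # SOC
    for b in bits:
        load += (burst + quiet) if b else (quiet + burst)  # Manchester coding
    load += [0] * (2 * BIT)                                # EOC
    env = []
    for n, l in enumerate(load):
        drift = 0.2 * math.sin(2 * math.pi * n / 600)      # slow coupling change
        env.append(1.0 - depth * l + drift + rng.gauss(0, 0.005))
    for _ in range(3):                                     # chip current peaks
        k = rng.randrange(len(env) - 2)
        env[k] -= 0.05
        env[k + 1] -= 0.05
    return env


def remove_drift(sig, window=BIT):
    """Low-frequency filter: subtract a centred one-bit moving average. This
    removes DC and slow field variations, while the subcarrier (zero mean over
    the window) passes unchanged."""
    prefix = [0.0]
    for v in sig:
        prefix.append(prefix[-1] + v)
    out = []
    for n in range(len(sig)):
        lo, hi = max(0, n - window // 2), min(len(sig), n + window // 2)
        out.append(sig[n] - (prefix[hi] - prefix[lo]) / (hi - lo))
    return out


def subcarrier_energy(sig, start):
    """High-frequency / broadband filter: correlate one half-bit window with
    in-phase and quadrature square waves at fc/16. This matched filter rejects
    noise outside the subcarrier band and is insensitive to the subcarrier phase
    and to the sign of the modulation, so an inverted envelope decodes the same."""
    i_acc = q_acc = 0.0
    for k in range(HALF_BIT):
        v = sig[start + k]
        i_acc += v if (k // (SUBCARRIER // 2)) % 2 == 0 else -v
        q_acc += v if ((k + SUBCARRIER // 4) // (SUBCARRIER // 2)) % 2 == 0 else -v
    return math.hypot(i_acc, q_acc) / HALF_BIT


def decode(env):
    """Return (bits, quality_db): the Manchester-decoded card bits and the ratio,
    in dB, of subcarrier energy in modulated versus unmodulated half-bits."""
    sig = remove_drift(env)
    n_win = len(sig) - HALF_BIT + 1
    energy = [subcarrier_energy(sig, k) for k in range(n_win)]
    peak = max(energy)
    if peak <= 0.0:
        return [], 0.0
    # Frame sync: first window reaching half the peak, refined to the local maximum.
    first = next(k for k, e in enumerate(energy) if e >= 0.5 * peak)
    start = max(range(first, min(first + HALF_BIT, n_win)), key=energy.__getitem__)
    pos = start + BIT                     # skip the SOC bit period
    bits, on, off = [], [], []
    while pos + BIT <= len(sig):
        e1, e2 = energy[pos], energy[pos + HALF_BIT]
        if max(e1, e2) < 0.3 * peak:      # no subcarrier in either half: EOC
            break
        bits.append(1 if e1 > e2 else 0)
        on.append(max(e1, e2))
        off.append(min(e1, e2))
        pos += BIT
    quality_db = 20 * math.log10(sum(on) / sum(off)) if on and sum(off) > 0 else 0.0
    return bits, quality_db


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]
    bits, quality = decode(card_envelope(payload))
    print("decoded:", bits, "quality: %.1f dB" % quality)
```

The point of the matched filter is the one the text makes about Murphy's Law: noise outside the 847.5 kHz band is rejected almost for free, but a consumption glitch whose spectrum overlaps the subcarrier band still lands in the energy estimate, which is why the example keeps the glitches small and why the text insists on the quality of the acquisition rather than on software cleaning alone.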

5.  Probe Positioning support

Proper position and orientation are required to acquire a proper signal. Other equipment relies on a rigid mechanical fixture to hold a predefined position. An advantage of such a solution is reproducibility. However, it is often too restrictive:

  • Many different antenna geometries are encountered, both for the cards (passports, RFID tags, ...) and for the readers. The positioning must be flexible.
  • We have found that the best position is always different depending on the reader/card couple. Predefining this position seems quite impossible.

ProxiSPY LEDs

The Raisonance analyzer takes a different approach: a dynamic indication of the signal quality. A few LEDs on the front panel provide this information, and the aim is to get as many LEDs lit as possible. The first (red) LED indicates that the reader field is present, and the others show the quality of the signal received from the card.

This help is similar to the "signal level" reported on your GSM phone to indicate the strength of the network. Within a few seconds you have a good overview of the proper positioning of the probe, and you can start the acquisition with increasing confidence.

Note that this indication will also convince you that the positioning is sometimes very critical and very surprising: moving the probe by 1 mm in any direction can change the result dramatically!

Conclusion

The analysis of contactless communication is much more complex than it seems at first. It requires a comprehensive understanding of the interactions between the card and the reader and, finally, it requires two separate analyses of the signals from these two sources.

To solve the different issues, Raisonance and the LETI laboratory have joined forces to develop patented innovative solutions:

  • Differential double-probe,
  • Selective filtering,
  • Dynamic positioning support.

High-fidelity acquisition is a prerequisite for a powerful analyser. The measurements recorded by ProxiSPY can then be transferred to a computer through a High-Speed (480 Mbit/s) USB connection to be analysed and displayed by the RGPA software interface. The different protocols and their more specific variants (for ICAO, ...) are then taken into account to allow various statistical calculations or validations.