
Thread: Hack an animal RFID tag reader

  1. #1
    Join Date
    Jan 2010
    Location
    Hyperborea
    Beans
    2,045
    Distro
    Ubuntu 16.04 Xenial Xerus

    Hack an animal RFID tag reader

    This may be a long shot but here goes..
    I just bought one of these
    http://dthinkrfid.en.ec21.com/Low_Fr...4_6571155.html

    The software it comes with is for Windows but I would like to be able to use it with Ubuntu.
    When plugged in, dmesg shows the following output
    Code:
    [ 6501.960088] usb 3-1: new full-speed USB device number 3 using ohci-pci
    [ 6502.129136] usb 3-1: New USB device found, idVendor=10c4, idProduct=ea60
    [ 6502.129151] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [ 6502.129158] usb 3-1: Product: CP2102 USB to UART Bridge Controller
    [ 6502.129165] usb 3-1: Manufacturer: Silicon Labs
    [ 6502.129171] usb 3-1: SerialNumber: 0001
    [ 6502.206384] usbcore: registered new interface driver usbserial
    [ 6502.206434] usbcore: registered new interface driver usbserial_generic
    [ 6502.206477] usbserial: USB Serial support registered for generic
    [ 6502.235978] usbcore: registered new interface driver cp210x
    [ 6502.236097] usbserial: USB Serial support registered for cp210x
    [ 6502.236196] cp210x 3-1:1.0: cp210x converter detected
    [ 6502.372162] usb 3-1: reset full-speed USB device number 3 using ohci-pci
    [ 6502.535470] usb 3-1: cp210x converter now attached to ttyUSB0
    A friend who has Windows managed to sniff some data and sent me this:
    As an example, without the serial negotiation etc

    If you want to retrieve the stored tags

    AA BB 06 00 00 00 02 03 02 03 AA is sent

    BB 06 02 77 77 02 03 00 is returned (77 77) is the scanner ID

    then

    022BD0B361130085010100008538
    022BD0B36113008501016113854A
    022BD0B361130085010100008538
    022BD0B361130085010100008538
    022BD0B361130085010100008538
    022BD0B361130085010100008538
    022BD0B361130085010100008538
    022BD0B361130085010100008538
    022BD0B361130085010100008538
    022BD0B361130085010100008538

    is spat back - these are the 10 stored tags all the same but there is an offset or XOR happening on the second entry.
    I cannot afford to pay him to develop a Linux version so I thought that I may try myself. I opened the case but the chips have been sanded, no identification is possible.
    I added myself to group dialout.
    I tried using gtkterm via /dev/ttyUSB0 to send the string that would retrieve the stored tags but I think that the interface needs to be initialized to make it work.
    I extracted the Windows executables and dlls, browsed through them with a hex editor but did not find anything that looked like initialization strings.

    Has anybody tried this before? Any links would be appreciated, thanks.
    I'll tag your pet for free if you bring it around here. It might register as a cow but at least you won't be able to lose it
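Added example, not part of the original post and not vendor code: a Python check on the two distinct record values quoted in the capture above. It assumes each 28-hex-digit line is one 14-byte record; that the last byte is the XOR of the 13 bytes before it is an observation that holds on these samples, not a documented format.

```python
"""Check the two distinct stored-tag records quoted in the post above."""

# Copied from the post: entries 1 and 2 of the ten returned lines.
CAPTURED = [
    "022BD0B361130085010100008538",
    "022BD0B36113008501016113854A",
]
RECORD_LEN = 14  # assumption: one 28-hex-digit line is one 14-byte record


def xor_bytes(data: bytes) -> int:
    """XOR-fold a byte string into a single byte."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def parse_record(hex_line: str) -> dict:
    """Split a record into body and trailing byte and test the XOR hypothesis."""
    raw = bytes.fromhex(hex_line.strip())
    if len(raw) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(raw)}")
    body, trailer = raw[:-1], raw[-1]
    return {"raw": raw, "trailer": trailer,
            "checksum_ok": xor_bytes(body) == trailer}


def diff_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length records differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def analyse(lines: list) -> dict:
    """Summarise checksum validity and where the first two records differ."""
    recs = [parse_record(line) for line in lines]
    return {
        "all_checksums_ok": all(r["checksum_ok"] for r in recs),
        "differing_offsets": diff_offsets(recs[0]["raw"], recs[1]["raw"]),
    }


if __name__ == "__main__":
    print(analyse(CAPTURED))
    # A corrupted serial read should fail the check: last hex digit changed.
    print(parse_record("022BD0B361130085010100008539")["checksum_ok"])
```

On these samples the records differ only at byte offsets 10, 11 and 13: the second entry carries 61 13 where the others carry 00 00, and the final byte changes because it is computed over those bytes. The same check can be used to reject truncated or corrupted lines read from /dev/ttyUSB0.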

  2. #2
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Hack an animal RFID tag reader

    Hello!

    Sounds like quite the project!

    If your intent is to actually use it, it would simply be easier to use Windows.

    If your intent is to see if it can be done, it will likely be quite a chore. Best wishes with that! It might be useful for others!
    Please read The Forum Rules and The Forum Posting Guidelines

    A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once.
    This universe is crazy. I'm going back to my own.

  3. #3
    Join Date
    Dec 2010
    Beans
    Hidden!

    Re: Hack an animal RFID tag reader

    Best of luck with the project, I am sure that you may find some clued up people on this forum but I would also suggest trying the Arch community as well (and as a final note I have found that things designed for Windows often work best in... Windows)

  4. #4
    Join Date
    Jan 2010
    Location
    Hyperborea
    Beans
    2,045
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Hack an animal RFID tag reader

    Sorry but I've been busy all day.
    I did not want to get all functionality, just to be able to extract the stored tags.
    I'm new to Wireshark and sniffing but I did not think that it would be too difficult. Searching the web I've seen Python scripts that interrogate similar devices. I just need to learn Python now. I have done some programming in the past so it's not entirely infeasible.

  5. #5
    Join Date
    Jun 2009
    Location
    SW Forida
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Hack an animal RFID tag reader

    Quick search found this:

    http://rfidiot.org/
    RFIDIOt is an open source python library for exploring RFID devices

    And it mentions this:
    The EM4x05 range implement the animal tagging standard ISO-11784 'Radio-frequency identification of animals - Code structure' and ISO-11785 'Radio-frequency identification of animals - Technical concept' (also known as FDX-B). These chips are ID-only transponders, operating at 134.2kHz and storing 128 bits of data, 64 bits of which are the ID:

    Bit 1: 'Animal Flag' - Animal or Non-Animal application indicator
    Bits 2 - 15: Reserved Field - RFU
    Bit 16: Data Block Flag - Indicates if more detailed data is also stored on this chip
    Bits 17 - 26: Country Code - 3 digit country code as defined by ISO-3166, or manufacturer code by icar.org
    Bits 27 - 64: National ID - Unique ID assigned by manufacturer / supplier
    UEFI boot install & repair info - Regularly Updated :
    https://ubuntuforums.org/showthread.php?t=2147295
    Please use Thread Tools above first post to change to [Solved] when/if answered completely.
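Added example, not part of the original post and not RFIDIOt code: a Python decoder for the 64-bit ID layout quoted above. It assumes the ID is held as one 64-bit integer with "Bit 1" as the most significant bit; the sample country code and national ID are constructed values.

```python
"""Decode/encode the 64-bit FDX-B ID fields listed in the post above."""
from dataclasses import dataclass

NATIONAL_BITS = 38            # bits 27-64
COUNTRY_BITS = 10             # bits 17-26
NATIONAL_MASK = (1 << NATIONAL_BITS) - 1


@dataclass(frozen=True)
class FdxbId:
    animal: bool       # bit 1
    reserved: int      # bits 2-15 (RFU)
    data_block: bool   # bit 16
    country: int       # bits 17-26
    national_id: int   # bits 27-64

    def display(self) -> str:
        """Common 15-digit form: 3-digit country code + 12-digit national ID."""
        return f"{self.country:03d}{self.national_id:012d}"


def decode_fdxb(id64: int) -> FdxbId:
    """Split a 64-bit ID (bit 1 = MSB, an assumption) into its fields."""
    if not 0 <= id64 < (1 << 64):
        raise ValueError("ID must fit in 64 bits")
    return FdxbId(
        animal=bool(id64 >> 63),
        reserved=(id64 >> 49) & 0x3FFF,
        data_block=bool((id64 >> 48) & 1),
        country=(id64 >> NATIONAL_BITS) & ((1 << COUNTRY_BITS) - 1),
        national_id=id64 & NATIONAL_MASK,
    )


def encode_fdxb(animal: bool, country: int, national_id: int,
                data_block: bool = False, reserved: int = 0) -> int:
    """Inverse of decode_fdxb, with range checks on every field."""
    if not 0 <= country <= 999:
        raise ValueError("country code must be a 3-digit value")
    if not 0 <= national_id <= NATIONAL_MASK:
        raise ValueError("national ID must fit in 38 bits")
    if not 0 <= reserved <= 0x3FFF:
        raise ValueError("reserved field is 14 bits")
    return (int(animal) << 63 | reserved << 49 | int(data_block) << 48
            | country << NATIONAL_BITS | national_id)


if __name__ == "__main__":
    sample = encode_fdxb(True, 826, 123456789012)   # constructed values
    print(hex(sample), decode_fdxb(sample).display())
```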

  6. #6
    Join Date
    Jan 2010
    Location
    Hyperborea
    Beans
    2,045
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Hack an animal RFID tag reader

    Thanks oldfred, I found this python utility that will interrogate a CP2102 chip but I had some problems getting it to work (error: module util not found).
    http://cp210x-program.sourceforge.net/

    I have given the project to a friend who is much better at this sort of thing and I will report back if he comes up with the goodies.

  7. #7
    Join Date
    Feb 2007
    Location
    West Hills CA
    Beans
    10,044
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Hack an animal RFID tag reader

    Remember the cuecat? It was a bar code scanner that you scanned magazine articles that had a cuecat barcode. This was before smartphones and QR codes. I would bet that the RF-reader is based on a simple barcode reader. So I would search for the bar code reader libraries that work with linux and use that as a basis for coding.

    Sanding the chips makes it harder to reverse engineer, which means it uses standard logic chips. If it was a custom ASIC, then there would be no need to sand it because it would be a proprietary design. Sanding == Off-the-Shelf components.
    -------------------------------------
    Oooh Shiny: PopularPages

    Unumquodque potest reparantur. Patientia sit virtus.

  8. #8
    Join Date
    Jan 2010
    Location
    Hyperborea
    Beans
    2,045
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Hack an animal RFID tag reader

    Quote: Originally Posted by tgalati4
    Sanding the chips makes it harder to reverse engineer, which means it uses standard logic chips. If it was a custom ASIC, then there would be no need to sand it because it would be a proprietary design. Sanding == Off-the-Shelf components.
    That is interesting, I would not have thought of that.

    P.S. Sorry Mods if this thread is in the wrong place, feel free to move it. Maybe we need an RFID subsection

  9. #9
    Join Date
    Jun 2009
    Location
    SW Forida
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Hack an animal RFID tag reader

    Since it now is more support than discussion, moving to hardware sub forum.

  10. #10
    Join Date
    Feb 2007
    Location
    West Hills CA
    Beans
    10,044
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Hack an animal RFID tag reader

    I bought a no-name metal detector. Being curious, I opened it up and found a foreign school of electrical engineering printed on the circuit board. All the chips were socketed (which is both rare, and nice) and all of the chips were sanded. It seemed to be a class (reverse) engineering project that was turned into a commercial product. I presume that the chips were sanded to avoid revealing where the design came from. It had features of some really high-end metal detectors.

    So I conclude that sanded chips == off-the-shelf. With a logic probe and some patience, you can usually figure out the design. If you are dealing with a black epoxy blob covering a custom chip, then revealing the design is more difficult.

    Why don't you post a detailed picture of both sides of the circuit board? That is if you don't mind voiding your warranty.
    Last edited by tgalati4; January 24th, 2015 at 03:23 PM.
