Barebones PIC RFID tag

An inductor and an 8-pin microcontroller are all that make up this barebones RFID tag. You might have done a double-take when first seeing the image above. After all, there’s nothing hooked up to the power and ground pins on the chip. As [Ramiro Pareja] explains in his post, the power is actually supplied via the I/O pins to which the inductor is soldered. It seems that each I/O pin has a parasitic capacitor and a pair of clamping diodes inside the chip. When the alternating current that is induced by the magnetic field of the RFID reader hits those pins, the capacitors charge and the clamping diodes form a bridge rectifier. This results in power being injected into the chip, which turns around and sends the RFID code back through the inductor.

This isn’t the first time that we’ve seen this concept. We featured a hack that is exactly the same except it used an AVR chip. This one uses a PIC 12F683 but should work with just about any 12F or 16F model. The code is written in Assembly and shouldn’t need any changes for different hardware. [Ramiro] does talk a bit about adding a decoupling capacitor to Vss and Vdd, as well as a tuning capacitor to the two I/O pins used above to help make the device a little more robust. But, as you can see in the video after the break, it works just fine without them.

[Thanks Conundrum]

33 thoughts on “Barebones PIC RFID tag”

  1. I wonder what the minimum PIC you can do this with is… 10F200 at 256 words is probably not going to cut it once the macro is unrolled. But that’s not to say you can’t do this programmatically on the micro.

    1. Nope, it’s a little choke (a type of inductor). You can often tell by the color; they might make green through-hole resistors somewhere, but it’s much more common to see green chokes instead.

    2. Looks like a resistor to me. Perhaps it’s a wire-wound resistor? :-)

      The only value I can see in the linked doc is 54.04 Mh, and the ‘inductor’ looks awfully like 10,000 so….

      FWIW, I’ve seen lots of green / aqua resistors and can’t ever remember seeing an inductor in that package, but again, you never know..

      B

    3. Is there any cheap way (with basic testing equipment) to tell a resistor from that kind of inductor besides the color? Here in Mexico a parts provider named “Steren” has been providing their resistors in that color; I suspect they buy Chinese parts.

  2. It’s worth noting that all RFIDs are like this, getting their power over the air from the reader. It’s neat having this illustrated so plainly here, and that a micro-controller can run on this power.

    1. Of even more interest is the fact that they get their power on a separate wave. One radiowave is for power, another frequency for the actual data. Or at least that’s what I was told.

      1. Marcus,
        not exactly true. Active RFID tags use a power source… generally for longer range reading.

        http://www.rfidjournal.com/faq/18/68

        In my experience, however, passive tags are much more common. This hack is a great example of how a ‘normal’ passive tag works (without the fancy antenna)

        tulcod,
        kinda true, kinda not. The data is modulated on a carrier. That carrier wave provides power to the transceiver. When you hear about 125 kHz or 13.56 MHz RFID, they’re talking about the carrier frequency.

  3. I live in the San Francisco Bay Area and was wondering if anyone’s been successful at executing a replay type attack on the Clipper RFID system.

  4. @Lee All you need to do is have a recorder playback the BEEP sound. There are no validation lights and the bus/train driver doesn’t have any indicator that I’ve noticed.
    This won’t work in BART though…

  5. I’m really impressed that it can be done with so few components. I could suggest two modifications: 1) add a little capacitor (maybe 1nF?) between GND and VCC on the PIC to provide a little bit more reserve power.
    2) for improved range use an external Schottky diode rectifier, which will waste less energy than the internal CMOS protection diodes.

  6. Temperature sensor anyone?

    You could use one of the spare outputs to charge up an ORB cell (basically a posh supercapacitor) that then runs the PIC at minimal clock rate.
    This could then run the A-D, take a sample and store it to working memory until the chip is scanned.

    I think it is possible to use the 10F20x but the code would also need to synchronise to the incoming clock (perhaps use OSCCAL?) to get it to read.

    Another interesting idea, use a reverse biased LED driven via a second inductor from one of the spare outputs to tune the circuit in order to make it work more reliably at extreme range.

  7. “The code is written in Assembly and shouldn’t need any changes for different hardware”

    Yeah, that’s why we choose to deal with slowdown and wordy high-level languages, ’cause ASM is totally portable…

    1. “The code is written in Assembly and shouldn’t need any changes for different hardware”
      For different hardware .. from PIC, that’s what I understand of it. Other than that, thank you for stating the obvious, I’m sure you are really smart…

  8. I would never use RFID for anything; it is weak. Nobody out there has ever convinced me that the system could be secure, using physical or in code. I keep my passport and bank cards in shielded wallets. I admire the effort to refine it, but it is more of a challenge to create a system that cannot be compromised (cloned).

  9. This has given me a couple of ideas. Firstly, how compact could it be made? Incorporating this into a wrist strap would save me getting my wallet out when I’m working late, and I invariably forget I need to use it 3 times to get to my desk. So cloning my access card would be good.

    Also, a digital key ring could possibly be made: add a push button to cycle through different cards. Very handy, if the chip has the headroom.

    1. Well, this was a DIP chip so I guess you could use a surface mount instead. I’m not sure if the inductor has to be that long to capture the radio signal or something else could act as the antenna.

    2. Anyone know if the TI MSP430 chips have a similar parasite capacitor on the IO pins? I’m on the MSP430 GCC list and that question came up.

  10. Does this PIC not have a master clear pin (MCLR) that needs to be held high? Or maybe that was disabled in software. Pretty cool little trick.
