The CREATE USB Interface - where art meets electronics

CUI version 1.0 Dan Overholt U.C. Santa Barbara Center for Research in Electronic Art Technology

	The need for the "CUI" In the Media Arts and Technology program, we explore new metaphors for artistic interactivity that connect the physical world with the virtual realm. We develop new techniques for computing that generate music and visual arts in a myriad of ways; but in order to put forth these techniques, we must create new sensors, and build interfaces that can better grasp their control and generation. The CUI allows us to bind physical processes or actions to corresponding digital expressions.  To simplify this process of connecting the real world to the virtual, the CUI provides the necessary electronics to capture sensor input or control actuator output. The CUI comes with a USB port, a power LED, a Reset switch, a Programming switch, and a prototyping area. At the heart of the board is the PIC18F4550, a versatile microcontroller made by Microchip Technologies, Inc. The PIC18F4550 features thirteen A/D inputs, eighteen general I/O ports, and an efficient RISC-like instruction set. The CUI only uses one of the PIC's general I/O ports; the remaining ports are available for user applications to be built in the prototyping area. The total cost of the CUI is around $30 US when built in small quantities.
	About this Document This document is written primarily for anyone who wants to create an interface using the CUI. It is also useful for anyone who wants to understand the process of developing applications for microcontrollers in general, and for Microchip PIC processors in particular.  Here's what you'll find in this document: Section 1 offers some ideas of the kinds of interfaces you could build using the CUI and gives an overview of the development process. Section 2 gives a guided tour of the CUI board, and includes the board layout, the schematic, and a detailed description of each major component on the board. Section 3 tells you everything you'll need to know to build your own CUI board, including purchasing components for the board and fabrication hints. Section 4 details the process of designing and programming the CUI board. Section 5 offers some debugging techniques and programming tips. Appendix A contains a few related web links.
	Acknowledgements The author gratefully acknowledges the support and inspiration from the following people. Curtis Roads, JoAnn Kuchera-Morin, Stephen Travis Pope, George Legrady, and other faculty members of the MAT, ART, and CS departments.  Wesley Smith and Rama Hoetzlein kept things moving through the formative stage of the CUI project. They volunteered many hours to help develop the code and teach other students about PICs and basic electronic circuitry. All of the students involved in the Media Interface Technology course have made this a fun project. And thanks to Robert Poor for the web page layout, taken from his iRX page.

1.0	Overview What you get out of the CUI depends on what you put into it. It's unlikely that there will be any "pre-canned" configurations that exactly suit your needs--you will generally need to add custom hardware on the board and create a PIC program specifically for your application. But that's the fun part of the process!  To give you a taste of what's possible with a PIC and CUI board, here are some projects that people could create using the CUI (or should be able to create):   A musical interface. The CUI board can be programmed to convert analog sensor inputs to a standard USB protocol, allowing you to control an interactive composition or performance setup. A novel visual interface. The PIC can measure input from a sensor such as an acceleromoter, and the host computer can run a visualization algorithm which interprets user input as gestural data to control different aspects of the visual output. An Ultrasonic Ranging device (for example, using devices such as the SRF04). The PIC is sufficiently fast to generate outgoing pulses and measure the results accurately. A game controller. The PIC can be programmed to behave as a joystick-type device by enumerating (telling the host computer about itself) as a game pad. The addition of sensors for input and actuators for force-feedback can provide an easy way of getting data in and out of various host applications (e.g. Max/MSP/Jitter, Pd, SuperCollider, Processing, etc). Using the standard game controller input method bypasses the need to write your own driver for the USB protocol by piggy-backing on the HID (Human Input Device) standard.
	Overview of the Development Process This section briefly describes the steps you'll need to take to create your very own CUI application.  Ready... The first step is to make sure you have all the materials at hand. You'll need both some hardware and some software:  Acquire one or more CUI boards. Section 3 gives you information on how to fabricate the CUI board, where to purchase the required components, and how to assemble your own boards.  Obtain a copy of MPLAB. MPLAB is an integrated development environment from Microchip. It includes a text editor, assembler, simulator, and programmer support. Best of all, you can download it from the WEB free of charge.  Obtain the PIC C18 C-compiler. Student Edition, version 2.4 or later. Install it in the default location--examples in this document presume that you're using the C18 compiler. This is also a free download from Microchip, but some functionality is limited after 60 days.  Acquire the CUI example code. Download the CUI examples based on Microchip's HID connectivity solutions. The CUI Example Code contains everything needed to get to the point of "Hello World" with the PIC. It should be extracted to the root directory of your hard disc, preserving the names and directory structures within.  Set... It's unlikely that you will find any pre-compiled firmware for the PIC and CUI that will do exactly what you want. Usually, you'll need to write a program for the PIC (or perhaps modify an existing one). In most cases, you'll also be adding extra components and wires to the CUI board.  The CUI was meant to be customized, so go for it!  Understand the fundamentals of the PIC architecture. Appendix A has pointers to the Microchip site, where you can find details such as the data sheet for the PIC18F4550.  Understand the fundamentals of the USB protocol. Appendix A also has pointers to useful documentation and software for developing USB HID devices.  Find related firmware. Perhaps someone has already created something similar to what you need. There are three rich sources of firmware: the Microchip Application Notes (but most of those are written in assembly), the C18 C Compiler examples, and other user's CUI firmware from previous projects (check the Sensors Wiki to see if there's anything similar to what you want to do). Consult these resources first; it can save you lots of time.  Decide on what modifications, if any, you must make to your CUI board. Section 4 details the features and differences of the various I/O pins available.  Go... Creating and downloading code for the PIC is a five step process, described in the picture and in the text below.   Figure 1: The development process Write your program using your favorite text editor or the editor included in Microchip's MPLAB. Generally, you'll write your program in C. In exceptional cases, you may write your program in assembly code.  Compile your program. Normally, you'll use the MPLAB environment to invoke the C18 C-compiler. C18 will compile your C code into a .hex file. If you've written assembly code, MPLAB will assemble your .asm file into a .hex file.  Program the PIC18F4550 by downloading the .hex file via bootloader using the PDFSUSB.EXE program (located at C:\CUI\Pdfsusb\ by default). In order to get the CUI to show up in the PDFSUSB.EXE menu, you must reset your board while holding down the "program" button. NOTE: if this is the first time you have ever programmed a newly built CUI board, you must first burn the bootloader code into the PIC. Section 5 details this one-time procedure that requires the use of a PIC programmer such as the ICD2.  Run your application. This is as simple as hitting the "execute" button in PDFSUSB.EXE, or hitting the reset button on your board, and watching it run. If it runs okay, hooray! If it doesn't, go to the next step.  (Oops.) Debug your application. Section 4 offers tips and techniques for debugging.

2.0	Guided Tour of the CUI "0.9" DIY approach This section describes the layout and schematic of the CUI 0.9. It will show you where each component is located, and describes what each component does. Figure 2 shows the layout of the components on the CUI 0.9 board, Figure 3 is the schematic for the board.   2.1 Layout of the CUI 0.9
	Figure 2: Layout of the CUI board Note that this layout is slightly out of date and needs to be corrected. The resistors above the ICSP (In-Circuit Serial Programming) Connector are not needed, and the pull-up resistors for the Reset and Program buttons values have changed. The 100uF capacitor is not shown, and you just barely see the 15pF capacitors next to the 20 MHz crystal. The bypass capacitors and VUSB capacitor are not labelled in the photo. 2.2 Schematic of the CUI 0.9  Figure 3: Schematic of the CUI 0.9 board 2.3 Component Description 2.3.1 USB Connector The USB Connector is a standard "type B" connector. You can plug any "A-to-B" type cable into it, with other end (the flat connector) going to your computer. There are four connections in a USB cable, two of which supply power to the CUI board, while the other two are the communications lines D+ and D-. This is how information is transferred between the host computer and the PIC both when it is being programmed, and while your firmware sends or receives data with the computer if it is a HID application.   2.3.2 Power indicator When USB power is applied, the LED is lit. Note that some CUI circuits may not be able to use USB power if they require more than 100mA of current (this is maximum amount of current that is allowed to be drawn from a single USB port). The alternative is to use a standard voltage regulator such as the LM7805, which then provides +5V at 1000mA (1Amp) from a 7-15VDC "wall wart" power supply. An LM7805 can also let you use a 9V battery connector and power the CUI 0.9 from a standard 9V battery for stand-alone applications.  2.3.4 Push buttons "Reset" and "Program" The two buttons on the CUI are used during the process of programming your application. They are labelled "Reset" and "Program" - pushing the Reset button is the equivalent of unplugging the USB cable and plugging it back in (which should cause your computer to recognize the CUI and initialize the corresponding driver). If you push the Reset button while holding down the Program button, the CUI will enter the bootloader mode, which will allow a new application to be loaded into the PIC (via the PDFSUSB.EXE program).   2.3.5 ICSP Connector The In-Circuit Serial Programming (ICSP) connector is only used one time for each new CUI board. It allows the bootloader to be burned into the PIC's memory via a standard PIC programmer such as Microchip's ICD2. Section 5 details the process of installing the bootloader.   2.3.6 PIC I/O Ports All of the unused pins of the PIC on the CUI board are user I/O ports that can be connected to custom circuit extensions along with power, ground, etc. You can solder some "Molex headers" into the board if you want a simple means to temporarily connect wires and components to your CUI board. The layout of the I/O ports follows the pinout of the PIC18F4550 as shown below. A description of the characteristics of each I/O is in Section 4.    Figure 5: PIC I/O Ports 2.3.7 PIC18F4550 The PIC is the heart of the board. It's a programmable microcontroller with 32Kbytes of flash program memory and 2kbytes of general purpose SRAM. It has 13 A/D inputs and 18 general purpose I/O ports. On the CUI board, one of the general purpose I/O pins is dedicated to the "program" button to enter bootloading mode. You can use the remaining ports for anything you wish.  2.3.8 20MHz Crystal oscillator This particular part has the job of providing a clock signal to the PIC, and it's corresponding 15pF capacitors and 1Mohm resistor are required to make it oscillate properly. Crystals with other frequencies are available, but 20MHz was chosen since it's the same as the evaluation board from Microchip.  2.3.9 PTC Fuse This part protects your computer and the CUI board from damage in the event of a short circuit or over-current condition. It is a Positive Temperature Coefficient (PTC) type fuse, which means that it is resettable, and will automatically allow your circuit to work again once the short circuit is fixed.

3.0	Building a CUI 0.9 This section details the process of building complete CUI 0.9 boards from scratch:  Purchase the components  Solder the components onto the board  3.1 Purchasing the components All of the components are included in the lab kit for class, or they are available from Digi-Key, Mouser, or other mail-order electronics parts suppliers. While those mentioned are not always the cheapest, they have most all of the compoents in stock, take online card orders, and will get you your parts however fast you want them (FedEx, etc). If you have more time than money on your hands, you may be able to shop around and get a better price on some of the parts shown here. Additional parts, such as a 7805 voltage regulator or special sensors you wish to use can also be acquired from Digi-Key, Mouser, etc., or possibly at a local store such as Marvac or Radio Shack if the component is not too esoteric.  The following lists details the parts required to build a single CUI board. The first column specifies component name, and the Mouser part # is shown in the second column (or other alternatives if Mouser does not stock them). When possible, I've shown Mouser's prices (as of April 2005), but these reflect pricing when purchasing supplies for more than just one CUI (10 or more). If you would like the list of parts in Excel format, this is the bill of materials spreadsheet.
	3.2 Soldering the components onto the board Soldering the components onto the CUI board isn't difficult. Assuming you've already had basic experience with soldering, here are some hints:  The only components that don't care which way they're inserted are the resistors, the ceramic capacitors (the 100uF is an electrolytic cap so it needs to be oriented with its minus leg to ground), and the crystal oscillator. For all others, use the schematic diagram as a guide. Note that for the LED, the longer wire is the positive '+' side.  There are a few components that should be placed as close as possible to the PIC, should you decide to change the layout on your board. These are the 0.1uF bypass capacitors, and the 20MHz crystal oscillator - the bypass capacitors help keep the power supply clean, and the crystal needs to be close to ensure a good clock signal is provided to the PIC (shorter traces provide lower inductance for this high frequency signal).  To keep components from falling out while you're soldering others (since you have to flip the board over to solder the leads) it may help to work from the "shortest" to the "tallest" components. Be careful not to overheat the sensitive components during soldering, especially the PTC, and the smaller capacitors.

4.0

Developing an Application The steps towards creating your PIC application are straightforward and have been outlined in Section 2. In this section, we jump into the details.     4.1 Not all I/O Ports are created Equal The PIC18F4550 has thirteen A/D ports: RA0 - RA3, RA5, RB0 - RB4, and RE0 - RE2. Among these, the order is somewhat random so be sure to look up the correct pin number in the data sheet. (Note: you can still use these pins as general purpose I/O pins if you're willing to give up A/D converter inputs). Some ports have particular traits that may make them more or less suited for your particular application. The following table summarizes the differences; for the full scoop, consult the Microchip data sheets.  Except as noted, all ports support TTL levels and are bi-directional under program control. Table 3. Summary of I/O ports on PIC18F4550 Port Other Functions Traits RA0 Analog input 0   RA1 Analog input 1   RA2 Analog input 2   RA3 Analog input 3   RA4 Digital I/O Schmitt Trigger input, can be programmed to be input to TMR0 clock RA5 Analog input 4   RB0 Analog input12 can be programmed for external interrupt (INT0) RB1 Analog input10 can be programmed for external interrupt (INT1) RB2 Analog input 8 can be programmed for external interrupt (INT2) RB3 Analog input 9   RB4 Analog input11 can be programmed for interrupt on change RB5 Digital I/O can be programmed for interrupt on change RB6 Digital I/O can be programmed for interrupt on change RB7 Digital I/O can be programmed for interrupt on change RC0 Digital I/O   RC1 Digital I/O can be programmed for PWM output RC2 Digital I/O can be programmed for PWM output RC6 Digital I/O can be programmed for UART TX line RC7 Digital I/O can be programmed for UART RX line RD0 Digital I/O   RD1 Digital I/O   RD2 Digital I/O   RD3 Digital I/O   RD4 Digital I/O   RD5 Digital I/O   RD6 Digital I/O   RD7 Digital I/O   RE0 Analog input5   RE1 Analog input6   RE2 Analog input7   The CUI 0.9 board leaves many of these pins entirely untouched. This makes it possible to build your own circuit around the microcontroller. Port B, when used as inputs, can be programmed in software for internal weak pull-ups (this is useful when connecting simple switches or buttons to the PIC).   4.2 C versus Assembly code Whenever possible, program in C instead of in assembly language. You'll find the development and maintenance of firmware programs to be much faster and easier. However, there are some times when you may still need to program in assembly (or put sections of assembly "in-line" using the #asm construct): Time critical applications, where you must be able to account for every cycle. In general, you can't rely on what code the C compiler will generate nor what run-time support code will be run in the course of execution. Code critical applications. The C compiler can't assume much about the state of ports and registers, so it generates some extra code in the name of saving and restoring state. The PIC18F4550 is a monster compared to some of the smaller devices, so most likely you won't have to worry about assembly though.   4.3 Compilers There are a number of different PIC C compilers available. Till now, we have stuck with C18 from Microchip, but there are also CCS, Hitech, and GCC compilers available. The C18 compiler comes with good examples, which is one benefit, but the 60 day student trial is possibly a hassle. However, we have yet to run into any real problems with this. As for assemblers, it's easiest just to use MPASM, the free PIC assembler from Microchip that's built into MPLAB.   4.4 Burning your program into the PIC The wonderful thing about a bootloader is that you don't need to have a device programmer to load new code into your PIC. In a few rare circumstances though, you may want one anyway. Though there are many PIC programmers available, we've settled on the ICD2 programmer from Olimex. If needed, it can purchased online via Spark Fun Electronics, and it has proven to be robust and reliable so far, with upgrades for the programmer after they introduce new chips a non-issue (it emulates a "real" ICD2 as far as MPLAB is concerned).  The easiest way to download your bootloader into the PIC is through the ICD2 programmer menus in MPLAB. 4.5 PIC Simulators A PIC simulator lets you step through your program, set breakpoints, examine registers; some of these things can be done with the real chip as well if you have the ICD2 (In-Circuit Debugger) hooked up to your CUI board. If you don't have an ICD2, the simulator built into MPLAB can give good results.

5.0

Debugging Tips & Techniques Following is a random collection of tips, techniques, art and lore. Your mileage may vary, but little things such as these can sometimes be the difference between success and complete lunacy.   5.1 First principles When you write your program, it is always a good idea to make an LED blink, just to indicate that the chip is alive and running. Obviously, this cannot be the power LED, but another LED wired up to a Digital I/O pin that is configured as an output.  So assume you've written your program, compiled and loaded the code, and powered up your CUI. And the LED doesn't blink. Now what? Are you getting power? Measure with a multimeter between the +5V and GND on your board. You should see a stable +5 volts. If not, make sure that the PIC is inserted correctly: the "dimple" (indicating pin 1) should be pointing towards the USB connector at the "top" of the board.  Is the PIC's oscillator running? Look between ground and pin 13 or 14 on the PIC using a 10x oscilliscope probe (the impedance of a 1x probe is sufficiently small to kill the oscillations.) If you don't see a 20MHz waveform, did you remember to configure the programming fuses for an "HS" oscillator type? 5.2 Debugging Program all unused I/O pins to be outputs. This way, you can set the state of a particular I/O pin to be TRUE when you enter a routine and FALSE when you leave it. At the very least, this practice, along with an oscilloscope, can give you confirmation that a particular piece of code is being executed.  Make the board do something visible or audible for help debugging. In the case of the CUI 0.9, consider adding different color LEDs for status indicators, and turning them on or off before or after the different parts of your program are executed.  5.3 Burning the bootloader As mentioned before, the very first time you program your CUI it has to be done with the ICD2 programmer instead of PDFSUSB.EXE. This is because the PIC is completely blank from the factory, and you must program the hex file for the bootloader into the PIC in order to enable future programming sessions to be done via PDFSUSB.EXE.  The bootloader hex file is located in the CUI Example Code that you downloaded earlier. In MPLAB, open the hex file C:\CUI\Boot\_output\MCHPUSB.hex, select the ICD2 as the programmer, and click program device. This bootloader is slightly different from the bootloader that can be downloaded directly from Microchip's website, so make sure to use this one (Microchip's will not work with the CUI circuit).  To enter bootloader mode, hold down the program button on the CUI while plugging in the USB cable, or resetting the board. Your computer will not recognize the bootloader firmware, so you must install the correct driver (only necessary this one time). When windows says "Found New Hardware", click "No, Not This Time", then choose "Install from List". Then click on "Browse..." and choose the directory "C:\CUI\MCHPUSB Driver\Release" - then "Next", "Continue Anyway", and "Finish". Well, that's it - you've got a working CREATE USB Interface now, to be modified and customized to do whatever you want!  Pre-made, ready-to-use CUI v1.0 Feel free to email me if you're interested in a getting a pre-built/bootloaded CUI v1.0 for $50. It comes ready to use with Max/MSP/Jitter, SuperCollider, or any other program that receives USB HID data - just hook up your own sensors to the 13 analog inputs (10-bit resolution) and buttons/switches to the digital inputs, etc... You can also get ready made sensors from the phidgets website, and of course you can re-program it using the bootloader (no need for a PIC programmer), and use the prototyping area to do whatever you want. NEW! CUI v1.0 can be custom-ordered with Bluetooth for wireless functionality (works with Max/MSP, same features as wired version), powered by rechargeable Li-Ion battery! Also, a forum has been started for those working with the CUI v1.0: CUI ideas and support forum Links to example Max/MSP/Jitter Patches: USB CUI for Macintosh USB CUI for Windows Bluetooth CUI for for Macintosh and Windows Bluetooth CUI for for PD Here are some new and useful tools for the CUI made by users! CUIOSC by MarkDavid Hosale - a stand alone OS X program that converts the CUI's USB input to OSC (Open Sound Control). Boot Down by Craig Schimmel - a CUI bootloader utility for OS X that allows firmware updates without a windows box (be careful not to overwrite the bootloader itself though).

App A	Related Links Microcontroller Info PIC18F4550 - information at Microchip.com (datasheet, help forums, etc). C18 User's Guide - Microchip's C18 C Compiler User's Guide. C18 Compiler Libraries - References specific C function calls to access on-chip hardware peripherals, etc. USB Info The USB specification - more info than you really need, chapter 9 is the most relevant.  HID Usage Tables - setting up a HID device, the gamepad example on page 141 is particularly useful.  HID Descriptor Tool - a useful GUI tool for constructing HID usage tables that enumerate correctly. The HID Page - a good resource with example code, etc. by Jan Axelson the author of USB Complete. Host Info USB Sniffer/Analyzer - USB debugging tool that lets you see bytes transfered between the host and the device. HID Explorer - if you use Mac OS X, this debugging tool allows you to examine device properties and data. USB Monitor - a useful utility for OS X; notifies you whenever a USB device is added or removed. Parts Supply Houses Digikey: Great online ordering. Fast, costs a little bit more. Mouser: About like Digikey. Fast, also costs a little bit more. Allied Electronics: Great service, slightly slower. Hosfelt: Great surplus supplier

---

...[Media Interface Technology]
...[Dan Overholt - email]

home | eyetracking | computing | aesthetics | research       software -- microcontrollers/breadboards -- generative algorithms   Microcontroller and Breadboard Prototypes: This section presents some examples using NetMedia's BX-24, the Parallax Basic Stamp, and PIC microcontrollers. (9) Linear-strip Panoramic Turntable Version 2 (BX-24) (8) Linear-strip Panoramic Turntable Version 1 (BX-24) (7) Networked Lamp (PIC) (6) Connecting a PIC 16F819 to a Cobox-Micro (PIC) (5) Serial Input to a Terminal (BX-24) (4) Driving a Bipolar Stepper Motor (BX-24) (3) Driving a Unipolar Stepper Motor (BX-24) (2) Memory, Variables and Edge Detection (BX-24) (1) Analog Input (BX-24)     click me   (9) LinearStrip Panoramic Turntable Version 2 (BX-24) This entry describes how to build a linear-strip panoramic turntable using a Vex Robotics gear kit, a Howard Industries (P/N 1-19-3801) 12 volt stepper motor, a BX-24 microcontroller, and a ULN2004A integrated circuit. This section also discusses the Mac OS X software used convert the video panorama into a single image panorama. The pan speed is slowed down to strip out one column of pixels every 30th of a second for each video frame. The column of pixels are written out to a raw binary file and eventually converted into a TIFF image.       click me   (8) LinearStrip Panoramic Turntable Version 1 (BX-24) This entry shows how to use an old Xerox WorkCentre 450c fax machine to make a turntable for linearstrip and panoramic imaging. For this project I hacked the stepper motor (and gear assembly) that moves the Xerox paper through the scanning array. Because the motor had 5 wires I identified it as a unipolar stepper motor. These motors can be driven with a ULN2003A integrated circuit and a low cost BX-24 microcontroller.       click me   (7) Networked Lamp (PIC) This entry describes how to connect a Lantronix Cobox-Micro to a Java server over a local area network. In this example we use a PIC 18F452 microcontroller, some blue superbright LEDs (http://www.superbrightleds.com Part# RL5-B2430) frosted plexiglass, three RadioShack project boards, and a Sharp GP2D120 proximity sensor to build a lamp that responds when viewers walk up to it.       click me   (6) Connecting a PIC 16F819 to a Cobox-Micro (PIC) This project describes the setup used to connect two Lantronix Cobox-Micro servers over the internet. The user pushes a button connected to a PIC 16F819 microcontroller and an LED lights up on the other, remote, Cobox and vise versa. The figures below show the breadboard layout. A hex inverter was used to amplify the signal coming from the PIC microcontroller.       click me   (5) Serial Input to a Terminal (BX-24) This circuit uses the BX to send bytes to the terminal. In this case I used a momentary pushbutton to put an ASCII character "1" on the screen. When the button is not pressed the ASCII character "0" is shown. To get these characters to display on screen, the BX actually sends out the ASCII numerical value. For example, when the button is not pressed we send the number 48 which corresponds to char "0". When the button is pressed we add 1 and get 49, which corresponds to the char "1".       click me   (4) Driving a Bipolar Stepper Motor (BX-24) This entry shows the configuration I used to make a NMB (Minebea Electronics Co.) PM35L-048, 24VDC, 9.4 Ohm bipolar stepper motor work. I salvaged several of these motors from some Xerox inkjet printers. The motor was well labeled and I found manufacture specifications on-line. I was not able to find a wire diagram so I defaulted to making a truth table as I had done for unipolar steppermotors. Most steppers with 4 wires can usually be identified as bipolar stepper motors, which can be driven with a dual H-bridge IC such as the SN754410 by Texas Instruments.       click me   (3) Driving a Unipolar Stepper Motor (BX-24) This entry shows the configuration I used to drive a unipolar AstroSync 12VDC, 130 Ohm stepper motor. I bought two of these motors somewhere off of Canal St. and had no idea about their specifications or even if they worked. I did know a few things based on some earlier reading. First, most steppers with more than 5 wires can usually be identified as a unipolar stepper motor, which can be driven with a ULN2003A.       click me   (2) Memory, Variables and Edge Detection (BX-24) The purpose of this circuit is to read input from a switch and illuminate five LEDs in a particular sequence based on the number of times the switch is pressed. Thus, the first time the switch is pressed the LED to the far right is illuminated. This sequence is repeated each time the switch is pressed until the 5th LED is illuminated. The fifth time the switch is pressed a buzzer sounds and all five LEDs are turned off. The user can then repeat this process.       click me   (1) Analog Input (BX-24) Inputs to microcontrollers can be in two forms. Analog or digital. Analog is most intuitive because this is the kind of input we get from our senses such as sound, light, touch etc. Analog is typically described as a continuous set of values instead of a single on/off response (digital). In this example I have wired up a 5kOhm potentiometer (pot) to pin 13 of a BX-24. Note that the black wire from the pot goes to ground, the yellow wire goes to 5VDC, and the red wire goes to pin 13 of the BX-24.       Copyright © 2006 Jason Babcock . All rights reserved. Valid CSS   Valid XHTML 1.0

Nubotics WW-02-Wheel Watcher Encoder   Nubotics WW-02-WheelWatcher Encoder   Ramps || Code   Product Manual || Frequently Asked Questions || Product Brief || Nubotics Code Examples || LS7084 Quadrature Decoder || Photomicrosensor   For an explanation of how encoders actually work visit John Schimmels encoder sensor report and also go to Wikipedia. For an overview of how this sensor was used in the project please go to the Ramps link. For the code on this wiki please go to RampsMouse     The Nubotics WW-02-WheelWatcher Encoder is an optical quadrature encoder that senses direction, distance, velocity and acceleration. It is manufactured by Nubotics and sold by Acroname for robotics for a single wheel for $21.95or as a two wheel set for $41.95. It comes in a small plastic bag with the following components:   Printed circuit board, preassembled Self-adhesive codewheel 6" four lead color-coded cable A direction booklet Two extra wires provided for use with raw-quadrature output Motor and wheel not included (its intended usage)     For my project I also ended up buying their CS-100 codewheel spacer also from acroname, a one eighth inch laser-cut plexiglas disc: It is designed to go an a gear motor to control robotic functions - the following is a picture of it's intended applicationon on a gear motor:     Timing Diagram The following diagram illustrates the behavior of the ChA, ChB, Dir, and Clk signals as the wheel slows down and changes direction, then speeds back up.     Specifications (PRELIMINARY) Supply Voltage (Vcc) +4.5v to +5.5v Supply Current (Icc) 30mA MAX (TBD) DC Output Voltage 0v to Vcc DC Output Current (pins 1, 3) +/- 50mA DC Output Current (pins 5, 7) +1.0mA (Vout 4.5v), -1.75mA (Vout 0.4v) Clock pulse width 25us Radial misalignment TBD Tangential misalignment TBD Angular misalignment TBD Codewheel tilt TBD Phase error TBD detector top to codewheel 0.8mm (0.031") - 1.1mm (0.043")   NOMINAL SPACING MIN 0.5mm (0.02") (TBD) MAX 2mm (0.08") (TBD)   BLOCK DIAGRAM     The LS7084 Datasheet   From the EE-SY125 datasheet:   Features of Photomicrosensors: The Photomicrosensor is a compact optical sensor that senses objects or object positions with an optical beam. The transmissive Photomicrosensor and reflective Photomicrosensor are typical Photomicrosensors. The transmissive Photomicrosensor incorporates an emitter and a transmissive that face each other as shown in Figure 1. When an object is located in the sensing position between the emitter and the detector, the object intercepts the optical beam of the emitter, thus reducing the amount of optical energy reaching the detector. The reflective Photomicrosensor incorporates an emitter and a detector as shown in Figure 2. When an object is located in the sensing area of the reflective Photomicrosensor, the object reflects the optical beam of the emitter, thus changing the amount of optical energy reaching the detector. “Photomicrosensor” is an OMRON product name. Generally, the Photomicrosensor is called a photointerrupter.   Reflective Photomicrosensor:   ChA and ChB are 50% duty cycle, 90° out of phase signals, created by having two Omron EE-SY125 (or equivalent) photodetector packages spaced at a very specific angle with respect to each other, at a specific radius from the center of the axis of rotation, and expect to be used with a 32 stripe codewheel with a 50% silver/50% black radial stripe pattern.     Product Manual || Frequently Asked Questions || Product Brief || Nubotics Code Examples || LS7084 Quadrature Decoder || Photomicrosensor   Ramps || Code

0 - PHOENIXstudios 230V 128 Kanal PC_DIMMER für Windows 98/98SE/ME/2000/XP/2003

---

 

Wofür ist der PC_DIMMER:

Hallo auf der offiziellen Website des PHOENIXstudios PC_DIMMER, dem 128 Kanal-Lichtmischpult für Windows lizenziert unter der GNU General Public Lizenz (GPL). Auf den folgenden Seiten finden Sie Informationen, Schaltpläne, Firmwares und Software, also kurz alles, was Sie zum Selbstbau eines eigenen 230V-Computer-Lichtmischpultes benötigen. Das Programm steuert über die serielle Schnittstelle einen Mikroprozessor von Atmel, welcher pro Platine 8 Phasenanschnittssteuerungen regelt. So kann in der maximalen Ausbaustufe von 16 Platinen á 8 Kanälen mit einem RS232-Port 128 230V Geräte gesteuert werden. Dazu bietet der PC_DIMMER Szenenmanagement, Sound-2-Light und vieles mehr an, damit umfangreichere Szenen und Effekte für Lichtshows, Theater und mehr leicht aufzubauen und anzuwenden sind. Zwar besitzt das Programm nicht die Möglichkeiten, die z.B. DMX-Ansteuerungen möglich machen (Unterstützung für Nebelmaschinen, Moving-Heads, usw.) aber die Schaltung zum PC_DIMMER ist weitaus günstiger und einfacher aufzubauen als viele Selbstbaulösungen, die im Internet angeboten werden.   Kurze Übersicht über die Möglichkeiten:   → RS232-Anschluss (jeder PC kann die Hardware ohne Interface direkt ansteuern) → Das Faden wird im Mikroprozessor mit 256 Schritten (8-Bit) durchgeführt, was jederzeit ein perfektes Einblenden garantiert → Die Hardware kann auch ohne PC mit einem günstigen Interface mit Display gesteuert werden → Leichtes Einprogrammierung von Zeitintervallen, Szenen und Effekten → Übersichtliche und intuitiv benutzbare Software (Vorteil gegenüber anderen Softwareprodukten) → Für jeden mit Programmierfähigkeiten ausbaubar, oder in eigenen Projekten einsetzbar (→ Hausautomation, etc.) → Es ist Freeware, Sie zahlen keinen Pfennig für diese Möglichkeiten   → Mit dem Hardware-Interface kann eine umfangreiche Hauslichtsteuerung mit und ohne PC realisiert werden. Ich wünsche viel Erfolg beim Nachbau der Schaltungen, Christian Nöding   >> in English

What is PC_DIMMER?

Hello to the official webpage of the PHOENIXstudios PC_DIMMER, the 128 channel light-controller for windows licensed under the GNU General Public License (GPL). .On the following pages you'll find informations, schematics, firmwares and software, in short everything you need for building up your own 230V-computerbased lightcontrol-system. With the serial-port the program controls a Atmel microprocessor, which controls 8 phaseshifting-circuits. In maximum extensionlevel you may control of 16 circuits á 8 channels you are able to control 128 230V devices with one RS232-port. Therefore the PC_DIMMER offers you scenemanagement, sound-2-light and much more, to use scenes and effetcts for lightingshows, theatre and more as easy as possible. The program lacks the possibilities of most DMX-controllers (support for foggers, moving-heads, etc.) but the PC_DIMMER-circuit is much cheaper and easier to build like many DMX-self-made-circuits out of the internet.   And now the possibilities:   → RS232-Connection (every computer is able to control the hardware without an interface) → The fading will be done by the µController in 256 steps (8-Bit) - so at all time you'll got a perfect fading (no PC-DMX System do have this) → The hardware can be controlled without a pc → Easy programming of timelists, scenes and effects → easy to use software → everybody can use the sources to enhance or use this product for it's own (→ Home improvement, etc.) → It's Freeware, you have nothing to pay for it   → You can build up a complex lightcontrol for your house together with the Hardware-Interface (with or without a computer)   good luck for your constructions, Christian Nöding   >> in Deutsch

 

 

Circuits for the Hobbyist by VA3AVR

---

Tony's Message Forum   Ask your questions here. Someone may answer them.

Active Power Zener Active Antenna for AM-FM-SW Active Antenna for HF-VHF-UHF Active FM Antenna Amplifier Aviation Band Receiver  Alternating On-Off Switch  PCB for Dan Fink's Anemometer (sold out!) Audio Booster with 1 Transistor Audio Pre-Amplifier #1 Automatic 9-Volt NiCad Battery Charger Auto-Fan, automatic temperature control AT-121 Basic Driving Circuit Basic IC MonoStable Multivibrator Basic RF Oscillator #1 Basic LM3909 Led Flasher Battery Monitor for 12V Lead-Acid Battery Tester for 1.5 & 9V Battery (NiCad) Rejuvenator Bench Top Power Supply, Part 1 Bench Top Power Supply, Part 2 Bench Top Power Supply, Part 3 Bench Top Power Supply, Part 4 Pics Bench Top Power Supply, Auto-Fan Bicycle Light with charger (soon) Birdie Doorbell Ringer Broadcast-Band RF Amplifier 'Bug' Detector with Beep Car Back-up Alarm Car Converter for 12V to 9V Car NiCad Charger Christmas Lights Tester Crystal Tester, #1   Crystal Tester, #2  Coin Tosser Compressor-Mate  Clock Generator Continuity Tester, Low-Voltage Continuity Tester, Smart Continuity Tester, Latching  Cut Phone Line Detector Dark/Light Activated Relay DC Motor Reversing Circuit DC Motor Control Circuit DCS 400 Multipurpose Connector  Dome Light Extender DSL Filter (phone-line) Dual 12V Power Supply Electronic Canary (Doorbell) Fluid-Level Detector Fox & Hound, wire tracer Gadgets for Radio Control Page Gel Cell Charger, I Gel Cell Charger, II Headlight Alarm Heat Sensor Glowplug Driver (a) Glowplug Panel (b) HotChek - Brent's website Hot Wire Foam Cutter, 1 - by Tom Weedom Hot Wire Foam Cutter, 2 - by Charles Wenzel Hot Wire Foam Cutter, 3 - by Steven Mohr Hot Wire Foam Cutter, 4 - by JoeBoy Hot Wire Foam Cutter, 5 - by The Hermit MachineShop Hot Wire Foam Cutter, 6 - by Al Schoepp Hot Wire Foam Cutter, 7 - by Rocket Team Vatsaas Hot Wire Foam Cutter, 8 - by Daniel Hartman Hot Wire Foam Cutter, 9 - by D.J.Kammo (pterodactylus) Hot-Wire Foam Cutter, 10 - by Tony van Roon High-Voltage Projects you can Build Lantern Flasher/Dimmer Latching Continuity Tester  Lead Acid Battery Charger with Float Lead Acid Battery Charger Lead Acid Charger (Gel Cell) Led Flasher, 2 transistor Leds Flasher, alternately LED Pilot Light (AC or DC) Light Sensor With Hysteresis Lithium-Ion Charger, Single cell Logic Probe(1), with pulse, TTL/CMOS Logic Probe(2), with pulse, TTL/CMOS Logic Probe(3), Audible, TTL/CMOS Main Fuse-Panel Emergency Light Micro-Spy with FET's Micro-Spy with USW Micro-Spy with TTL Miniature FM Transmitter #1 Miniature FM Transmitter #2 Miniature FM Transmitter #3 Miniature FM Transmitter #4 Miniature FM Transmitter #5 Miniature FM Transmitter #6 Miniature Tracking Transmitter  Mini-Drill variable Powersupply

Missing Pulse Detector (Basic) Morse Code Practice Keyer, I Morse Code Practice Keyer, II Motor Accu Lader  (Dutch language) Motorcycle Battery Charger Motorcycle Low Voltage Warning No-Hassle 3rd Brakelight hookup Power Supply Converted from a PC - by Andy Batts Practical, 2-wire Intercom Pulse Timer, 555 Pulse Width modulator, 555 Pulse Width modulator, 4093 Radio Shack Special - Transmitters by Patrick Cambre Relays - Sound Activated, #1 Relays - Sound Activated, #2 Relays - Transistor Boosted Relays - Dark Activated Relays - Delayed Turn-on Relays - Automatic Turn-off Relays - Long Duration Relays - 12 Sec to 90 min Relays - Long Duration--1 to 100 min Relays - Long Duration--1 min to 20 hrs Relays - Self Latching RF Transmitter, light sensing RJ45 Cable Tester by Bruce Marcus Subcarrier Adapter Listen to those hidden FM transmissions ScanMate Your (Radio) scanner buddy-pcb available! Servo Modification - For contineous rotation Simplest R/C Circuit Simplest RF Transmitter Simple Transistor Audio PreAmplifier Single IC Audio Preamplifier Single Cell Sealed Lead Acid Charger - by Søren  Solar Cell NiCad Charger Solid State Relay Telephone Transmitter (FM)  Thermo Alarm Thermostat Third Brake Light Pulser Touch Activated Alarm System Touch Switch using Transistors Two-Tone Trainhorn Universal Flasher Circuit Variable Power Supply, 1 - 30V @ 1.5A  1-04-2006 Wailing Alarm Water-level Sensing and Control Waterpump Safety Guard for Fish-pond Weller WLC100 Soldering Station Wireless Microphone Xmas Lights Tester Zap Adapter 1.5V Tracking Transmitter  (with Video Clip) 2 Transistor 2 LED Flasher 4 Transistor Tracking Transmitter 4 Transistor Transmitter  7.2V Field Charger (.pdf file) 9-V Stabilized Powersupply 9 to 9 pin (Female) Nullmodem Cable 12V to 9V with a LM317 30-Meter QRP Transmitter for Morse Code 555 DC-AC Inverter 555 Timer IC Tester 555 Go No/Go Tester More advanced Electronic Symbols Template Test Probes with retractable tips Voltage Detector (VoltAlert) Relays PCB's 4sale High-Voltage Projects you can Build 555 Timer/Oscillator 741 Op-Amp Capacitors Coils Crystal Oscillators (SOON) MosFet Test Piezo Education/Tutorial PLL Resistor Color Code Tutorial SCR Tester Triac Test UJT Test Toroids Relays, Relay Drivers, Solid-State "Green" means on-line, "Red" means off-line Bookmark this valuable page with 'Ctrl-D'.

Just in case you're gonna ask: All drawings are created with Paint Shop Pro

---

Circuits Archive - Older circuits. Most are working, some are not. Could be still useful.
Tony's Data Sheets - Data Sheet for common Semiconductors.
Data Sheets Archive - Link to tons of data sheets.
Filter Solutions - PC windows based filter synthesis and analysis software.
RP Electronics - Panel Meters, Analog/LCD.
Radio Shack Partnumbers - Most common order numbers for my circuits.
Resistor Value Calculator - By Danny Goodman, AE9F.
Transistor 'SM' marking codes by Philips BV.
TUP/TUN/DUS/DUG European transistor replacement system.
PN100/200 - Data Sheets for the PN100 and PN200.
LF13741 - Monolitic JFET Input OpAmp Data Sheet.
MC14069UB - CMOS Hex Inverter Data Sheet.
Toroids, RF/EMI Cores - Variety of commonly used toroids, colors, etc.
Guelph Amateur Radio Club - GARC--Official Homepage.
Jonathan's Electronics Message Forum - More help if you need it!

  Other Interesting Links - Links to other interesting and informative Electronics Websites

     

---

DISCLAIMER: The University of Guelph, host of Tony's Website! or Tony van Roon himself, take no responsibility whatsoever for the use and/or implementation thereof, or the misuse leading to damage to equipment, property, or life, caused by the above circuits. Check with local, provincial and federal laws before operating some of these devices. You may also check your life insurance policy and/or the fact if they cover death by electrocution if you intend to play with Micro-wave ovens and other possible lethal HV devices. Safety is a primary concern when working with high power circuits or con/inverters. Play it safe!

---

Copyright © 1995, Tony van Roon (VA3AVR). ALL RIGHTS RESERVED.
Last Updated July 31, 2006

Controlling LED Arrays on TCP/IP Networks Written by Owen Osborn, olde-tyme SFE Hardware Engineer owenosborn there-at gmail.com Open-Source methods for embedded TCP/IP networking. This tutorial will show you how to control a full color LED matrix from anywhere in the world using a Java script on the remote computer and an ARM development board connected to a tri-color serial LED matrix listening to a specific UDP port. Intro Connections, TCP/IP LED Matrix Server     Hardware     Software Java LED Client Expanding the system     Adding more LEDs     Internet Enabling the LED matrix server     Intro     The new Color LED matrix controllers from Spark Fun Electronics provide a fun way to control 8 x 8 color (RGB) LED matrices. Connecting directly onto a common cathode RGB 8 x 8 LED array, the controller "back pack" provides a simple serial interface to the LEDs. This eliminates the headaches of switching 192 discrete LEDs on and off.   RGB LED matrix controller board.  Check the datasheet for more info.       While this is all nice, we still need some way to control the LED controller; something that will send it the image data. This tutorial focuses on controlling one or more LED matrices over TCP/IP using an embedded ethernet board. The LED array becomes a server on the network and may be updated from any computer on the network running a simple JAVA client program. This is a versatile way to control the matrix and it allows for huge expansion. In this tutorial, one LED matrix is connected to the network. But using the same techniques, many LED matrices may be controlled over the network. And if this network is connected to the internet and properly set up, the LED matrices may be controlled from anywhere in the world!         This tutorial is also a good starting point for other projects involving embedded networked devices; the same principles may be applied to any device that needs network connectivity.         The whole project is open source, and does not rely on any proprietary components.  The schematics for all the hardware are freely available, as is the source code.     The LED matrix server setup:  an ethernet enabled microcontroller board connected to an LED matrix.   [TOP] Connections, TCP/IP     The most common set of protocols that computers use to communicate on networks is TCP/IP (or the Internet Protocol Suite).  The most common protocol in the suite is the Transmission Control Protocol (TCP) which allows two machines to establish a connection and pass data reliably. TCP is the protocol we use to establish a connection between the LED matrix server and the Java client program.     On a network, machines are identified by IP addresses.  This is the familiar 4 numbers separated by periods (192.168.1.1 for example).  In addition to the IP address, machines have a number of ports which they can establish connections on.  The machine is kind of like a large office building, the IP address is analogous to the street address of the building.  The individual offices are the ports, providing different services to incoming information.  On modern computer systems, many of these ports are standardized.  For example a web server application is always on port 80.     In this tutorial the LED matrix server is assigned a known IP address and waits for connections on a specific port (we'll see how to specify these later).  This is also called listening on a port.  It just hangs out on the network and waits for something to connect.  We use a Java program (the client) to connect to the LED matrix server and send it data for the LEDs.  The Java client can be run from any machine on the network.  Java has lots of functionality for opening and managing TCP connections, which is why we used it, but any programming language capable of opening TCP connections would work.  All that the client needs to know is the IP address of the LED matrix server and the port number.       TCP provides a reliable way to send data between machines, but dealing with the data is up to the software on each side of the connection.  Once a TCP connection is established, data is literally packets of raw bytes.  Further protocols must be written in software to deal with the bytes.  For the cause of simplicity, this tutorial has no special protocols on top of TCP.  Once the Java program connects to the LED matrix server, it sends packets of bytes that the embedded ethernet board pipes directly to the LED matrix.  There is no encoding or anything, the size of the packet is the number of pixels (64 in the case of a single matrix), one byte per pixel.  In the end, its as if the JAVA program is connected directly to the LED matrix controller(s); the network connection is completely transparent. [TOP] LED Matrix Server Hardware     The embedded ethernet board is responsible for connecting to the TCP/IP network, and sending data to the LED matrix controller(s).  To implement an open source embedded network project we need a board with a microcontroller and an ethernet interface.  The microcontroller handles all the TCP/IP tasks (known as the TCP/IP stack), and sends data to the LED matrix controller(s).  The ethernet interface is a chip that handles all the low level ethernet signaling (sending and receiving data frames).  It is usually connected to address and data lines of the microcontroller.     Many such boards are available, and we choose an Olimex LPC-E2124 .  This board has a Philips LPC 2124 ARM processor connected to a Cirrus CS8900 ethernet interface.  In addition it has a built in ethernet jack and isolation transformer.  It also has headers for the IO pins of the microcontroller which are used to connect to the LED matrix controller(s).     The Olimex LPC-E2124 ethernet board.  The USB connects to the LPC UART via an FTDI USB-UART bridge.  Using the Philips bootloader, the board can be programmed over USB.  Check out the schematic.   [TOP] Software     The source code for the LPC-E2124 is in the folder LPC-E2124_source of the source code folder.     TCP/IP is not a trivial protocol, and writing a TCP/IP stack for a small microcontroller is not an easy task.  Thankfully, there are a number open source TCP/IP stacks designed to run on small embedded processors.  We use the uIP (for micro IP) stack written by Adam Dunkle.  uIP is a great little piece of software, is very well documented, and may be easily ported to a number of controllers (it has been run successfully on 8 bit micros like the AVR, for example).  Anyone trying to work with these tools should really become familiar with the uIP documentation.  Check out the documentation for uIP here: html or pdf.     uIP requires a driver for whatever ethernet interface is being used.  This is the hardest part in porting uIP to different embedded ethernet boards.  Luckily someone has already ported uIP to the Olimex LPC-E2124.  Paul Curtis is to thank for this effort, his port of uIP allows TCP/IP functionality on the LPC-E2124 without any driver level coding.  The port is available on the Rowley website.     In addition to the TCP/IP stack, uIP provides a bunch of application level functionality: telnet services, an http server with some basic CGI functionality, and even SMTP email.  The example above from Paul Curtis is a http web server, allowing any web browser on the network to connect and view some simple web pages.  Its worth looking at the web server example to see how an application level protocol like http is coded, although the LED matrix server is actually much simpler than an http server.       uIP provides an event driven API in which an application function is called when a TCP event takes place, such as the reception of new data.   So to write a TCP/IP application, all the programmer needs to do is implement a single application function.  This function is defined with the macro UIP_APPCALL in the uIP options file uipopt.h  (near the bottom).  All our TCP/IP application needs to do is pipe the received TCP packet to the LED matrix controller(s), so the function is very simple:     void ledcontrol_appcall(void) {       if(uip_newdata()) {  // if new data arrived         uip_send("Packet Received OK\n", 19); // sends this back to client         send_led_64(uip_appdata);   // send data to LED matrix controller       }       if (uip_rexmit()){    // if a re-transmission is required         uip_send("Packet Received OK\n", 19);       }     }         Thats it! Thats the whole application, not very complex, but a good start.  In addition to piping the received data packet to the LED matrix controller(s), the function also sends the string "Packet Received OK"  back to the client.  This function is in the file ledcontrol.c, which also contains the hardware level functions for communicating with an LED matrix controller  (such as send_led_64).     You might be wondering about the IP address and port number for the application.  This is taken care of during the initialization sequence in the function main(), in file main.c.  The IP address, netmask, and address of the default router are set statically as part of the initialization sequence.  The IP address must be set so that it doesn't conflict with any other devices on the network that may already have that IP.  Remember that uIP does not support DHCP by default, and conflicting IP addresses might cause network problems.  Bring up the configuration page for your router (or talk to the network administrator) to see what the DHCP range is set to, and then choose an IP address that is not in that range.  For a router IP and netmask, 192.168.1.1 and 255.255.255.0 are common, but double check for your network.       The Port is set in the application initialization function, ledcontrol_init().  The application init function for the LED matrix server just sets uIP to listen on port 3333:     void ledcontrol_init(void) {       uip_listen(HTONS(3333));     }     After initialization, main() enters a loop in which it maintains uIP related tasks like checking for received data.  Other general purpose functionality could be put in this loop as well.  The yellow status LED on the LPC-E2124 should flash on and off periodically, indicating that the system is running ok.       The source code for this example was compiled using Rowley's Crossstudio for ARM compiler.  In the source code folder, there is a project file that you can use if you have Crossstudio (there is a demo version of Crossstudio that will fun for 30 days).  The precompiled hex file is in the ARM Flash Debug folder.  There is nothing particular to the Crosstudio compiler in the code, so its possible to use the GNU toolchain (or another compiler), although a makefile, linker script, and startup file will still be needed. [TOP] Java LED Client     The Java code for this tutorial is in folder Java_Client in the source code folder.     The main purpose of the Java program is to attempt a connection to the IP address and port number of the  LED matrix server and, after a connection is established, pass it image data.  The example program also provides a graphical front end for controlling a single LED matrix:         The program is divided into 3 classes:  BoardDriver.java, DrawBoard.java, and TCPSend.java. The main() function is in BoardDriver.java.  It creates a window and adds some mouse listeners.  It also creates a DrawBoard object which is like a virtual representation of the LED matrix.  The DrawBoard object responds to mouse events that turn individual LEDs on and off, draws the current LED matrix to the screen, and also establishes a TCP connection and sends data out.  To establish a TCP connection it creates an object from the TCPSend class.  The constructor for this class attempts to open a TCP connection to the given IP address and port.  If a connection is not possible, it shows a warning message, but then runs the graphical part of the program anyway.  TCPSend also has a small method writeLED() for sending data out.     The IP address and port number are in the TCPSend class, so it must be recompiled every time these need changing.  This is a pain, but could be easily improved so that they can be adjusted at runtime.     To compile the java program, open a terminal if your using Linux or Mac OSX, or a command prompt if using Windows.  Move to the directory of the java program and type:    javac BoardDriver.java     Then to run the program type:     java BoardDriver     (note Java must be installed to run the commands javac and java)     You can run the program without an LED matrix server on the network (or even without a network connection) to try out the graphical part.  Clicking the mouse on LEDs will turn them on.  The color cycles through with each click.  Dragging the mouse will set any LED its dragged over to the current color.  This behavior can be changed easily in the DrawBoard class.        This java program is provided as an example, and may be changed to suit different needs.  For instance, functionality could be added for animation, displaying text, etc. [TOP] Expanding the System Adding More LED Matrix Controllers     The example code with this tutorial is for controlling a single LED matrix controller over the network, but it is very easy to add more LED matrix controllers to the same embedded ethernet board.  Each controller needs 3 lines for the serial interface:  clock, data in, and chip select.  All of the LED matrix controllers may share the clock and data in lines, and all that is needed is an individual chip select line for each matrix controller.  There are plenty of extra IO pins on the Easy Web 3 board that may be used for chip select lines to multiple matrix controllers.     Next, the firmware for the Easy Web 3 will have to be updated to accommodate the extra matrix controllers.  The same code that sends 64 bytes to the single matrix can be used, all that needs changing is the chip select pin.       The Java program will also have to be updated to send a larger packet (in the method writeLED() in TCPSend), and to display more LEDs in DrawBoard.  Keep in mind that there is a maximum TCP packet size, so for a large number of LEDs (more than say 500), multiple packets will have to be used.  Then there will have to be some kind of protocol for indicating which packet is for which part of the LED array. [TOP] Internet Enabling the LED Matrix Server         Getting the LED matrix server on the internet will depend on how the network is setup, but here are some hints if you are on a small LAN (home or small office).      The easiest way to get the LED matrix server on the internet is to use port forwarding.  Most routers can be set up to forward a request for a port from outside the network to a specific IP address behind the router.  If the router is connected directly to the internet (via cable, DSL, or some other) the router will have an IP address assigned by the ISP (or you might have a static IP).  In either case you can go to some site like www.whatsmyip.org to see what the IP of your router is.  If a machine over the internet tries to open a connection to the IP address of your router and the port number of the LED matrix server, the machine will be directed right to the LED matrix server.  So the machine thinks its talking right to LED matrix server, as the router forwards the data there:     IP address of router:port 3333 ---->  IP address of LED matrix server:port 3333     To use this method, you have to configure your router to do so.  This depends on what kind of router you have, but usually it just entails going to the router's configuration page.

How to Build a Low-Cost, Extended-Range RFID Skimmer

Abstract:

1 Introduction

1.1 Background

Radio Frequency Identification (RFID) technology, using the ISO-14443 standard [ISO00], is rapidly becoming widely adopted by many governmental, industrial and commercial bodies. Typical applications include contactless credit-cards, national-ID cards, E-passports, and physical access control (cf. [Fin03], [GSA04]). The security of such applications is clearly critical.

A key security feature of RFID-based systems is their very short range: ISO-14443 systems are designed to operate at a range of 5-10cm. Thus, the perception is that the RFID tag (or smartcard) must almost touch the RFID reader, which should imply that the tag's owner is physically present and holding the tag. Unfortunately, this perception is incorrect. Recently, Kfir and Wool [KW05] described a relay-attack on RFID systems, that violates the implication that the tag being read is in fact near the RFID reader. Their system architecture involves two devices, a ``leech'' and a ``ghost'', that communicate with each other (see Figure 1). Such a system would, for instance, allow an attacker to make purchases using a victim's RFID-enhanced credit card--despite any cryptographic protocols that may be used.

As part of their work, [KW05] predicted that the rogue ``leech'' device can communicate with an ISO-14443 RFID tag from a distance of 40-50cm, based on modeling and simulations. Moreover, they claimed that such a device can be made portable, with low power requirements, and can be built very cheaply. However, beyond acting as a component in a relay-attack, a ``leech'' can also be used as a stand-alone RFID skimmer, to surreptitiously read the contents of simple RFID tags. Our goal in this work was to actually build such a skimmer.

1.2 Related work

1.2.1 Attacks on RFID Systems Using the ISO-14443 Standard

The starting point of our work is [KW05]. Their analysis predicts that an RFID tag can be read by the ``leech'' from a range of tens of centimeters, much further than the nominal ISO-14443 range of 5-10 cm. They also claimed that the ``ghost'' device can communicate with the reader from distance of tens of meters. [KW05] presented several variants of possible relay-attack implementations, with different costs and required personnel skills. In this work we validate their claims about the practically of the leech device.

Another part of the relay attack against ISO 14443A RFID systems was implemented by Hancke [Han05]: He implemented the fast digital communication between the leech and the ghost (see Figure 1), while using standard (nominal range) devices for the leech and ghost themselves. His system used cheap radios, and achieved a range of 50 meters between the reader+ghost and the leech+tag. His work demonstrates that the range between the victim tag and the reader is limited only by the technology used for leech-ghost communication. To counter the relay attack, [HK05] have designed a distance-bounding protocol, which requires ultra-wide-band communication.

In a widely reported work, Finke and Kelter [FK05]) managed to eavesdrop on the communication between an ISO-14443 RFID reader and a tag. They attached the tag directly to a reader (at zero distance), and showed that the combined communication between the reader and tag can be read from 1-2 meters by large loop antenna located on the same plane of the reader and the tag. Note that this is quite different from the challenges facing a skimmer: (a) The skimmer must be close enough to the tag, and produce a strong enough magnetic field, to power the tag (i.e., the tag must be within ``activation range''); (b) A skimmer cannot rely on a legitimate reader's strong signal being modulated by the tag. Nevertheless, [FK05] shows that the eavesdropping range on RFID communication is a much greater than skimming range--and we show that skimming range is much greater than the nominal read range.

1.2.2 Attacks on RFID Systems Using Other Standards

There are many RFID systems that do not use the ISO-14443 standard. Typically, such systems are designed for larger read-ranges, but provide much more limited capabilities than ISO-14443: they are unable to power a programmable smartcard processor, and usually only contain fixed logic circuitry or even just a short piece of data, much like a magnetic-stripe card. Over the last 2 years, several attacks have been reported against some of these systems.

In a very widely reported event [Kre05,Sch05], a group from Flexilis claimed to set new world record of passively reading an RFID tag from 69 feet at DefCon'05. However, the RFID technology used for this experiment was not ISO-14443, but a UHF-based technology in the frequency range of 800 MHz to 2.5 GHz which is designed for a much larger read range.

A German hacker ([Hes04]) used a simple PDA, equipped with an RFID read/write device, and changed product prices in a grocery shop using a software he wrote. He managed to reduce the Shampoo price from $7 to $3 and go through the cashier without incident. Supermarket checkout trials held by NCR corporation showed that some clients standing at the cashier paid for groceries held by clients standing behind them in the queue [Whi05].

A research team in Johns Hopkins University ([BGS⁺05]) managed to build a system that sniffs information from RFID-based car keys and immobilizers, and were able to purchase gasoline without the owners consent.

A research group in MIT ([Lin05]) designed and implemented an RFID field probe that can sense RFID magnetic fields from up to 4 meters. However, it is designed to sense magnetic fields of frequencies between 900 to 950 MHz, which are very different from the 13.56 MHz of the ISO 14443 standard.

1.2.3 RFID Systems and Protocols in General

A broad overview of RFID technology can be found in T.A.Scharfeld's thesis [Sch01]. This thesis analyzes RFID theory, standards, regulations, environment influence, and implementation issues.

Free attack/analysis tools that detect RFID cards and show their meta information are available from the RFDump web site [GW04]. These tools are able to display and modify the card data, such as the card ID, card type, manufacturer etc.

Juels, Rivest and Szydlo [JRS03] propose a blocking tag approach that prevents the reader from connecting with the RFID tag. Their method can also be used as malicious tool: In order to disrupt the Reader-to-Tag communication, their blocker tag actually performs a denial-of-service attack against the RFID reader protocol by using the ``Tree-Walking Singulation Algorithm'' in the anti-collision mechanism. Juels and Brainard [JB04] propose a variant on the blocker concept which involves software modification to achieve a soft blocking tag.

[Wei03] and [SWE02] offer a ``Hash-Lock'' approach to low cost RFID devices which use a ``lock/unlock'' mechanism to protect against retrieving the RFID ID number. In the simplest scenario, when the tag is locked it is given a value (or meta-ID) y, and it is only unlocked by presentation of a key value x such that y = h(x) for a standard one-way hash function h.

[RCT05] describe a portable device, called an RFID Guardian, that is supposed to cover a whole individual's surrounding, to communicate with the various tags in the person's possession, and protect the person from potentially hostile RFID fields. The RFID Guardian is supposed to be able to cover a range of 1-2 meters, however, the authors do not describe the RFID Guardian implementation, and it is unclear how it overcomes the physical limitations of the claimed range.

1.3 Contribution

In this study we show that the modeling predictions of [KW05] are quite accurate. We managed to build a portable, extended-range RFID skimmer, using only electronics hobbyist supplies and tools. Our skimmer is able to read ISO-14443 tags from a distance of  25cm, uses a lightweight 40cm-diameter copper-tube antenna, is powered by a 12V battery--and requires a budget of  $100.

Beyond validating the theoretical modeling, we believe that our design, implementation and tuning processes are of independent interest: Most circuit designs and application notes are written for well equipped RF labs, and we needed to modify them or design our own to meet our ridiculously low budget. In particular, our experience shows that the standard RFID tuning process, described in ISO 10373-6 ([ISO01], is inappropriate for hobbyist workshops, and may be missing some key details that are necessary to make it work. Instead, we describe several tuning processes that do work reliably, even in low-budget environments.

We conclude that (a) ISO-14443 RFID tags can be skimmed from a distance that does not require the attacker to touch the victim; (b) Simple RFID tags, that respond to any reader, are immediately vulnerable to skimming; and (c) We are about half-way toward a full-blown implementation of the relay-attack predicted by [KW05].

Organization: Section 2 describes our skimmer system's design. Section 3 describes our construction techniques. Section 4 details the tuning methods we experimented with. Section 5 describes the skimmer's actual performance, and we conclude with Section 6. Additional details can be found in an appendix.

2 System Design

RFID systems that are based on the ISO-14443 standard operate with a 13.56 MHz center frequency, which mandates RF design methods. The system units should be matched for maximal power transfer and efficiency, and the whole system should have an excellent noise figure to improve the receiving and discrimination circuits sensitivity, which in turn allows a large read range.

2.1 Design Paradigms

Our assumption is that we are constructing an ad-hoc system for attack purposes, and mass production is not involved. Therefore modular design and perfect implementation are not the main design goals. Instead, we focused on quick, simple, and cheap methods.

There are two design paradigms that can be followed; the ``normal'' paradigm is to design all the system sub-units to have a uniform 50 input and output impedance. The other paradigm is to design and implement a proprietary RF system, with non-standard characteristics.

The advantages of using standard design include the variety of ready-to-use designs, applications notes, and test equipment. The resulting system is scalable, versatile, and modular. However, the need for accurate design, dealing with accurate filters and semiconductor's min-max parameters and ratings, stretches the design and implementation time, and may cause long and tedious system testing and tuning.

In contrast, designing a proprietary, non-standard interface systems has some practical advantages. First, accuracy is no longer mandatory. Second, the system can work in its natural output and input characteristics without the need to adjust its interfaces to standard characteristics, that might need extra matching networks and components. In particular, some amplifier designs have an output impedance that differs from 50  , and their designated antennas' impedance is closer to the amplifier's impedance than to 50  . In this case, there is no sense to adjust both amplifier output and antenna input to 50  .

Since our goal was to emulate a hacker, we chose to follow the proprietary design paradigm. We used 50  designs where they suited our needs, but we did not attempt to tune all the sub-units precisely. As we shall see, the results were quite satisfactory, despite the very basic work environment and tools.

2.2 System Units

The skimmer is comprised of 5 basic units (see Figure 2): A reader, a power amplifier, a receive buffer, an antenna and a power supply. The RFID reader generates all the necessary RF signals according to the ISO 14443 type A protocol. These signals are amplified by the power amplifier to generate the RF power which is radiated through the loop antenna. The loop antenna performs the interaction with the ISO 14443 RFID tag, and senses the load modulation signals. These signals are buffered by the Load Modulation Receive Buffer and fed back to the reader detection input. The Reader communicates with a host system via an RS232 serial interface. Typically, the host is a computer, however, it can also be a small micro-controller based card, with some non-volatile memory that collects and stores skimmed data.

Our main objective was to increase the output power and antenna size as these two factors directly influence the reading range.

2.3 The RFID Reader

The RFID reader module we used was the Texas Instrument (TI) S4100 Multi-Function reader module, [TI03]. The module can be purchased alone for around $60, and the TI web site ([TI05]) contains sufficient documentation for designing and programming this module. The S4100 module has a built in RF power amplifier that can drive approximately 200 mW into a small antenna. The TI module supports several RFID standards. We focused on the ISO 14443 Type A standard, that is used in contactless smartcards and E-passports.

In addition to the basic S4100 module, we purchased the RX-MFR-RLNK-00 Texas Instrument Multi-Function Reader evaluation kit. The evaluation kit costs $650 and contains a complete ready-to-use reader, which is built around the S4100 module. The kit includes a small built-in 8.5 cm loop antenna and is assembled in a plastic box. It is supplied with basic demo software, various tags for its supported protocols, documentation and references. The kit has an RS232 serial port for interfacing a host computer. We measured a reading range of 6.5 cm using its built in antenna.

Although we could have used the (dismantled) evaluation kit's main board for our experimentation, we chose to build our own base board to demonstrate that buying the evaluation kit is not required. We followed the Interface Circuitry design suggested by TI ([TI03]), but omitted the Low Frequency LED driver. We could have omitted the RS232 level shifters and use TTL levels for the serial port communication, however, the skimmer is supposed to work near the antenna, and to be exposed to strong and noisy electro-magnetic fields, therefore we included common RS232 level shifters in our base board design. This design requires a 5 volts power supply. See Section 2.7 for power supply design and description.

2.4 Antennas

A necessary condition for an increased range is a larger antenna. Theoretical analysis ([Lee03]) shows that for a desired range, r , the optimal antenna diameter is r . We wanted to demonstrate a reading range of 25-30 cm.

TI's RFID Web site [TI04] supplies an antenna cookbook for building various kinds of antennas for different reading ranges and purposes. As a first experiment, we used a printed PCB 10 x 15 cm rectangular antenna design found in the cookbook. We later used it as a tuning aid for tuning the system, as described in Section 4. Figure 3 shows the PCB antenna's matching circuit.

For our larger, high power antenna, we constructed a 39 cm copper tube loop antenna. The basic design for the loop antenna's matching network was taken from the PCB antenna (Figure 3) , subject to minor changes: Specifically, the resonance parallel capacitors C33 and C34 that were merged into one capacitor of 82pF, since the calculated antenna's inductance was around 1 H.

2.5 Power Amplifier

We based our power amplifier on [Mel04], and modified it to suit our unit's interface. The scheme of the power amplifier we designed appears in Figure 4. We interfaced the power amplifier directly to the TI module's output stage embedded in the skimmer base board. However, we did not match impedances between the two since we did not have to transfer power to the power amplifier, but only drive its input for biasing the power FET by a sufficient voltage swing.

2.6 The Load Modulation Receive Buffer

The TI S4100 module is designed around the S6700 Multi-Protocol Transceiver IC, an integrated HF reader system that contains all the high frequency circuitry comprising an Analog Front End (AFE) that decodes the ISO standards protocols. The S6700 has a Receiver input, which is directly connected to the reader's antenna.

This receiver input is unable to handle the voltage levels that are developed on our large loop antenna: During the system development process we measured 184 volts over the antenna with a supply voltage of 17.1 volts. In order to keep the reader from potential damage, and still deliver the load modulation signals to the reader's receiver input, we had to attenuate the antenna signals before feeding them back to the TI module. A simple resistor attenuation network is not suitable since it dramatically influences the antenna's resonance circuit quality factor, Q. Therefore, we chose to use an attenuating buffer (See Figure 5). The buffer was designed using a high impedance RF FET (T2 in Figure 5), in order to keep the antenna's quality factor as designed. The buffer was attached to the antenna and to the TI module via a direct coupling connection, in order to reduce the signal phase shifting to minimum. The C21 variable capacitor is used to compensate for the parasitic capacitance introduced by the T2 FET.

2.7 The Power Supply

In order to drive the large loop antenna, we needed to provide a power supply.

For lab work, we used a stabilized external power supply. Note that the base board that embeds the TI module contains a voltage regulator, therefore the external power supply unit does not have to be regulated. Nevertheless, we used a regulated power supply to reduce its noise figure. Figure 6 shows the regulation and filtering circuity which we placed on the base board and on the power amplifier board.

The role of L52 in Figure 6 is to maintain clean and low ripple levels on the DC supply in order to keep a low noise figure of the DC supply voltage. Since the DC supply voltage reaches all the internal chips circuitry, having clean DC voltage to the internal load modulation signals detection circuitry can improve detection range.

To demonstrate the skimmer's mobility, we also operated it using a Non-Spillable 7 AH Zinc-Lead rechargeable battery used in home security systems. It has a 12 volts nominal voltage level, is very common and can be purchased in any home security system store. An added bonus of using a non-switched DC power supply is that it eliminates any switching noise.

3 System Building

3.1 Printing a PCB Antenna

Our first choice was to build a home made 10 x 15 cm PCB RFID antenna which is fully specified in the TI antenna cookbook. To demonstrate the low-tech requirements, we manufactured this antenna in our hobby workshop. Appendix A describes the PCB printing process.

3.2 Building a Copper Tube Loop Antenna

The TI cookbook describes a design for a square 40 x 40 cm copper-tube antenna, which seemed appropriate. However, we chose not to construct it precisely, since cheap copper tube (for cooking gas) is sold packed in circular coils, and constructing an antenna with a square or rectangle shape requires straightening the tube, and requires additional 90 degrees matching adapters, which increase the antenna's cost. Instead, we designed our own circular antenna, which has similar characteristics to the TI cookbook antenna.

We built the loop antenna from 5/16 inch cooking gas copper tube. The tube is tied to a solid non flexible wooden tablet, in order to maintain its shape and to avoid inductance changes under mechanical deformation forces.

The loop antenna construction process was basically mechanical handcraft work, requiring no special equipment beyond basic amateur's electrical tools. Note that copper tube must be soldered using at least a 100-watts blow torch. Figure 7 shows the finished copper tube antenna and the PCB antenna.

3.3 Building the RFID Base Board

According to the interfacing information we found in the S4100 module datasheet, we designed a small PCB base board, having the S4100 module as a Piggy Back.

We manufactured the RFID base board PCB using a different method than we used to make the PCB antenna. For this board, we used a Decon DALO 33 Blue PC Etch protected ink pen to draw the leads on the Glass-Epoxy tablet. This technique allowed us to print the PCB during any time of day, without the need to wait for the sun. See Figure 8 for a picture of the base board.

3.4 Building the Power Amplifier

As we noted in Section 2.5, the power amplifier design is based on a Melexis application note ([Mel04]), recall Figure 4. We used the output stage of the TI S4100 reader module in the base board to drive the power amplifier input. We did not invest any effort in impedance matching since the power amplifier input is voltage driven. We manufactured the PCB for the power amplifier using the same technique as used for the base board, and with the same low cost DC ripple filter (recall Figure 6) to maintain a low noise figure.

Beyond the Melexis design, empirical results led us to connect a filter comprised of R2 and C4 at the output (See Figure 4). This filter reduces the Q of the output impedance matching filter, enabling fine tuning of the output signal phase. We discovered that the filter increased the read range significantly.

The output voltage amplitude of the power amplifier varies depending on the power supply voltage. For instance, with a 17.1 volts power supply we measured over 180 volts on the resonance circuit and the antenna. Therefore, ideally, high voltage rating capacitors, and high current rating inductors should be used. We used regular, but easy to obtain, passive components, and managed to burn quite a few during our experimentation.

3.5 Building the Load Modulation Receive Path Buffer

As we mentioned before, the high voltage swing on an antenna driven by the power amplifier must be attenuated in order to supply the correct samples of the RF received signal back to receive input of the S4100 module. Therefore, we needed to build the buffer described in Section 2.6. We placed the buffer's circuitry on the same PCB that housed the power amplifier - see Figure 8.

One challenge we had to deal with is that the TI S4100 module is designed to work with a low power antenna, and includes an attenuation resistor that is suitable for such an antenna. In order to provide our (attenuated) signals to the S4100, we had to solder the buffer's output directly into the S4100 module, bypassing the original attenuation resistor. Figure 9 shows the bypass.

4 System Tuning

A crucial implementation phase is system tuning and adjustment. Specifically, we have to tune the various resonance circuits and matching networks for maximal power transfer. The only test equipment we used throughout the entire project was cheap 60 MHz oscilloscope, that any electronic hobbyist has in his workshop. Note that while resonance frequency can be tuned using an oscilloscope, matching the antenna to the amplifier requires a different procedure since both a magnitude and a phase must be matched.

4.1 Standard Tuning Methods

We say that a tuning method is ``standard'' if it requires a 50  design.

The first and most straightforward tuning method is to use an RF network analyzer. Among its various features, a network analyzer can measure the magnitude and phase of a system input, allowing us to know exactly what matching network to connect to this system in order to match it to the desired impedance. In our case, a network analyzer can measure the antenna input impedance, e.g., its phase and magnitude, which would enable us to calculate the matching circuitry for 50  input impedance. In case we already have a matching network, the RF network analyzer can measure the return loss and let us tune the system to minimum returned power. Unfortunately, an RF network analyzer costs over $10,000, well beyond the budget of an amateur.

Another tuning method is to measure the Voltage Standing Wave Ratio (VSWR), and to adjust the antenna's impedance to be best matched to the driving amplifier output stage by tuning the returned power to the desired value ([Poz05]). This method requires a VSWR meter, which costs several hundred US$: still beyond a typical hobbyist budget. A cheap way to measure the VSWR (without a VSWR meter) is to use directional couplers, that cost between $20-$70, but their input and output impedance is 50  , requiring 50  interface subsystems design. We have not attempted this method.

Finally, one can tune the system using an RF watt-meter, or an RF power meter. These instruments sense the RF power and translate the sensor's measurement to a standard scale. The sensor can be based on a diode, or on a bolometer: an RF power sensor whose operation is based on sensing purely resistive element radiation. This method is a second-order-effect tuning since it measures the antenna power reception rather than the actual direct amplifier to antenna matching. This kind of equipment costs between $300 (used) to $600 for a simple watt-meter, including the sensor, to about $3000 for an RF power meter that also features a VSWR meter and various other RF measurement capabilities.

4.1.1 The ISO 10373 Tuning Method

Since tuning the RFID receiver is a critical part of building such a device, Annex B of the ISO 10373-6 standard ([ISO01]) suggests a tuning process. This process seemed attractive since it only calls for low-cost components and uses basic oscilloscope capabilities. Therefore, despite the fact that ISO 10373 is a standard (50  ) tuning process, we invested a significant effort into trying to use it. Our experience leads us to conclude that the process is not very effective, at least for hobbyist setups.

The ISO 10373-6 testing configuration is based on monitoring a phase difference between the signal source and the load. The monitoring device utilizes a standard oscilloscope for displaying Lissajous figures in XY display mode, see Figure 10. If the time constant of the reference network equals the time constant of the network formed by the calibration resistor along with the oscilloscope Y probe's parasitic capacitance, no phase difference should be monitored. If there is a difference in the two time constants, there will be a phase shift between the two probes of the oscilloscope, and the Lissajous figure should form an ellipse, whose main axis is at a 45-degree angle. The ``fatness'' of ellipse is related to the phase difference: when the system is perfectly tuned, there is no phase difference, and the Lissajous figure collapses to a straight line.

[ISO01] has two steps. The first step calibrates the test set to eliminate the oscilloscope input impedance from influencing the tuning step. In this step, the impedance matching network and the antenna of Figure 10 are replaced with a 50  resistor to simulate 50  load. The second step is the actual antenna tuning step. In this step, we replace the calibration resistor with the antenna containing the matching circuit, and trim the capacitors until we monitor that the Lissajous figure is closed, indicating a zero phase shift.

4.1.2 Problems with ISO 10373

Despite its apparent simplicity, in practice we discovered that the ISO 10373-6 tuning process has a few problems.

The first thing to note is that this tuning method requires a 13.56 MHz signal source, with a 50  output impedance, that can deliver enough power to drive an antenna such as our copper tube antenna. We invested a significant effort trying to build a clean and accurate signal source, but this turned out to be difficult to do in reasonable time. Even obtaining an accurate 13.56 MHz crystal proved to be problematic--none of the electronics suppliers we contacted carried such a component. To bypass this obstacle, we decided to use the TI S4100 module itself as a signal source--since it is matched to 50  and can drive sufficient power to the antenna. Once we did this, we were able to construct the rest of the circuitry, and we tried to tune the antenna.

Unfortunately, in all possible settings of the antenna's matching circuitry, we did not manage to get the expected Lissajous figures. In some settings we got wavy figures implying a non linear circuit working point. In other settings we did not get the figures centered around the desired 45 degrees slope. Worst of all, we found no correlation between more closed Lissajous figures and longer read ranges (which we obtained using the methods of sections 4.2 and 4.3.

To our frustration, we found that ISO 10373-6 does not specify the exact oscilloscope Volt per Division setting. This level of detail matters since we are dealing with very fine tuning, and human eye, oscilloscope line thickness and human judgment in conjunction with parallax error, can lead to errors. We speculate that if major RF labs indeed use this standard for tuning, they probably have some additional ``secret sauce'' that fills in the missing details.

One possible reason for our difficulties may be that we used the TI module as a signal source. This improvisation may have inserted some undesired harmonics due to the sidebands in the downlink signal spectrum, interfering with the tuning process. Since the methods described in Section 4.3 were effective, we did not pursue this further.

4.2 Non-Standard Tuning Methods

Instead of the standard 50  tuning methods, we used the following two non-standard methods. We found that they both work reliably, and give satisfactory results.

One tuning method includes sensing the reception power using a small loop antenna as a sensor, leading its receptive power to a home-made RF power meter. The RF power meter can be an AM demodulator, whose DC level is proportional to the received RF power, or a home-made bolometer--we chose to use the latter.

The other non-standard method is a trial-and-error iterative process of reading an RFID tag at increasing distances, while tuning the matching circuitry, until a maximal range is reached.

4.3 Tuning Methods that Worked

The antenna has two tuning steps. The first is tuning the resonance frequency by trimming capacitor C35 in Figure 3. The second step is tuning the series capacitor C32 in Figure 3 to achieve maximal power transfer to the antenna. For tuning the resonance circuit we used the power amplifier's output signal, driven by the reader base board to tune center resonance frequency.

Then, for tuning the entire system, we used the iterations method described earlier. For this we used a Philips Mifare Standard IC tag. Initially, we located the tag at the basic range according to the RFID standard, and tuned the series antenna network capacitor C32 to some initial tag read. When an initial reading is observed, we know that the final position of C32 is near the position of the initial readout. We gradually increase the power supply, and each time adjust the various capacitors to get a stable reading range, while increasing the distance between the tag and the antenna. To hold the tag at a fixed distance we used non-ferromagnetic objects: most of the time we used a stack of disposable plastic cups, and for fine range measurements we used a small supply of 1-2mm thick beer coasters, see Figure 12. We stopped at a 19 volts power supply since the maximum semiconductor ratings were reached. Surprisingly, the variable capacitors survived the high swing voltage, which was more than 180 Volts.

During the iterations, a secondary source of tuning information was the sound level from the computer speakers. We turned the speakers to their maximum volume while we tuned the antenna matching capacitor: The tuning process caused the speakers to hum, and their loudness gave an idea how close we are to the final matching.

One disadvantage of this iterative method is its sensitivity to different tags: Some tags gave larger read ranges than others. On the other hand, the process is simple and quick: It took us approximately 10 minutes to tune the system to maximal performance.

A second tuning method that worked was based on a bolometer. We placed our smaller PCB antenna in the magnetic field produced by the large loop antenna, and measured changes in the RF power it was exposed to. Instead of purchasing an expensive industrial RF watt-meter or bolometer, we built our own: We attached a 100 K thermistor to a 50  resistor using super glue. To improve the bolometer performance, we increased its thermal conductivity by using a silicon thermal grease around the attaching surface between the resistor and the thermistor, see Figure 11. To keep it isolated from ambient temperature, we then covered it with a small piece of isolating PVC sleeve, used for thermal isolation of copper hot water pipes. Note that our bolometer is not calibrated to any standard units -- but this is unimportant since all we care about is to reach a maximum value; we do not need to quantify the level of received RF power.

Using a binary search, while examining the amplitude over the antenna and reading the bolometer's resistance-temperature, we tuned the matching capacitor until we observed the maximum temperature. The results were accurate, and we reached the same final position of C32 that we marked at the end of iterations tuning process. This tuning method is independent of a particular tag--but it is slower, since it takes  15 seconds per setting for the thermistor to adjust to a new temperature and for the bolometer's reading to stabilize.

4.4 Miscellaneous Tuning Tips

4.4.1 Strong Magnetic Fields

Note that the antenna's magnetic field is so strong that it crashed one of the lab's computers even though it was approximately 1 meter away. We had to format the disk and re-install the OS and all applications.

4.4.2 Power Amplifier Tuning

The power amplifier has a simple tuning procedure. First, position the the C3 capacitor at its mid-point, and get a first readout from the tag. Then tune the antenna as described before. Finally, after tuning the antenna to maximal power matching, fine-tune C3 and attempt to increase the read range further.

4.4.3 The Effect of a Battery Power Supply

During our lab work we used a linear stabilized power supply. We assumed that once we attach our system to a battery the reading range will grow because the battery delivers clean and ripple free voltage. However, in practice, we got only few millimeters improvement, if any. We believe that our linear power supply has quite a low noise figure so it gave us similar ranges to those achieved using a battery.

4.4.4 Surrounding Metal Objects

While tuning the antenna, care should be taken to remove any metal objects near the antenna. Reflections, grounded metal surfaces, and metal object permeability can influence the antenna's magnetic fields, leading to erroneous results. Even the human hands can influence the tuning results. To overcome these kinds of problems, we used only non ferromagnetic accessories, like a plastic table for laying the antenna, a wooden stick with the RFID tag attached to its edge for coarse range measurement, and plastic cups and coasters for fine range measurement.

5 Results

5.1 Achieved Read Ranges

Our reference system was the RX-MFR-RLNK-00 Texas Instrument Multi-Function Reader evaluation kit. The evaluation kit embeds the TI module we used, and comes with small 8.5 cm diameter round antenna directly connected to the module's output [TI05]. The basic read-range of the evaluation kit was 6.5 cm.

We first connected our 10 x 15 cm PCB antenna to the evaluation kit, without the power amplifier. This alone gave a range increase of 30%, to around 8.5 cm. Attaching the big loop antenna to the evaluation kit gave no results since the kit generates only 200 mW output power that is insufficient to drive the antenna.

Using the power amplifier we reached much larger ranges (see Figure 13). With the linear power supply providing 14.58 volts, we were able to read the tag at a range of 17.3 cm using the PCB antenna, and at a range of 25.2 cm using the copper tube antenna. With a 12-volt battery we reached a reading range of 23.2 cm using the copper tube antenna and 16.9 cm using the PCB antenna. Note that this type of battery, upon recharging, can supply more than its nominal voltage: we measured that it supplied 13.8 volts during the above experiments.

We observed that increasing the power supply voltage did not always cause a range increase: Higher power levels sometimes caused lower reception. This is in line with the predictions of [KW05]. The reason is that the distortion inserts harmonics that interfere with the detection of the side bands that are about 60 to 80 dB under the 13.56 MHz carrier power. We found that the optimal power supply voltage for our antennas was around 14.6 volts.

5.2 Comparison with the Theoretical Predictions

We measured a 170mA DC supply current to the power amplifier when using the the copper tube antenna. The combination of this current value and a read range of 25 cm match the predictions of [KW05] very well: The graph shown in Figure 14 is from [KW05], and the star indicates our empirical results on the predicted curve.

We believe that using high rating components and more powerful RF test equipment, we can reach the road map along the theoretical curve. This will be done in later work.

5.3 System Cost

Ignoring the time and cost of labor, the system cost is ridiculously low. The most expensive item in the system is the TI module, which costs around $60. All the other components, the materials for the PCBs, and the items needed for building the loop antenna, together cost at most $40-$50, giving a total cost of $100-$110.

6 Conclusions

In this work we have shown how to build a portable, extended-range RFID skimmer. Our skimmer is able to read ISO-14443 tags from a distance of  25cm, uses a lightweight 40cm-diameter copper-tube antenna, is powered by a 12V battery--and requires a budget of  $100. We were able to build and tune the skimmer using only electronics hobbyist supplies and tools. By doing this we have proved three things: First, we have validated the basic concept of an RFID ``Leech'' and the modeling and simulation work of [KW05]. Second, we have demonstrated that ISO-14443 RFID tags can be skimmed from a a range that is 3-5 time larger than the nominal range, and more importantly, is a distance that does not require the attacker to touch the victim. This last observation can make a noticeable difference in the attacker's mode of operation. Finally, we are about half-way toward a full-blown implementation of a relay-attack of [KW05].

Our work implies that simple RFID tags, that respond to any reader, are immediately vulnerable to skimming. Therefore, at the very least, RFID tags, and in particular E-passports, should incorporate additional controls that prevent the tag from being read surreptitiously: e.g., physical shielding inside a Faraday cage, and cryptographic application-level access controls that require the reader to authenticate itself to the tag.

However, in isolation, cryptographic controls can only protect against skimming--they cannot protect against a relay attack. To protect against a relay attack, the RFID tag must be equipped with additional physical controls such as an actuator, or an optical barcode physically printed on the passport jacket: these help ensure that the reader is in fact reading the tag that is presented to it and not some remote victim tag.

Acknowledgments

We would like to thank Sergey Belous, Sammy Datika, Klaus Finkenzeller, Yeheal Greenblat, Ziv Kfir, Motti Kirshenboim, Markus Kuhn, and Moshe Panijel, for many stimulating discussions and practical tips, that greatly helped us during this project.

Bibliography

BGS⁺05

S. Bono, M. Green, A. Stubblefield, A. Juels, A. Rubin, and M. Szydlo.
Security analysis of a cryptographically-enabled RFID device.
http://rfid-analysis.org/DSTbreak.pdf , 2005.

Fin03

Klaus Finkenzeller.
RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and Identification.
John Wiley & Sons, 2003.

FK05

Thomas Finke and Harald Kelter.
Radio frequency identification-- Abhörmöglichkeiten der Kommunikation zwischen Lesegerät und Transponder am Beispiel eines ISO14443-Systems.
BSI - German Ministry of Security, 2005.
http://www.bsi.de/fachthem/rfid/Abh_RFID.pdf , in German.

GSA04

U.S. government smart card handbook.
Office of Governmentwide Policy, General Services Administration, February 2004.

GW04

Lukas Grunwald and Boris Wolf.
RFDump, 2004.
http://www.rf-dump.org/ .

Han05

Gerhard Hancke.
A practical relay attack on ISO 14443 proximity cards, 2005.
http://www.cl.cam.ac.uk/~gh275/relay.pdf .

Hes04

Arik Hesseldahl.
A hacker's guide to RFID.
Forbes Electronic Magazine, July 29 2004.
http://www.forbes.com/home/commerce/2004/07/29/cx_ah_0729rfid.html .

HK05

Gerhard Hancke and Markus Kuhn.
An RFID distance bounding protocol.
In Proc. 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm), Athens, Greece, September 2005. IEEE.

ISO00

Identification cards - contactless integrated circuit(s) cards - proximity cards - part 1 to 4.
ISO/IEC 14443, 2000.

ISO01

Identification cards - test methods - proximity cards - part 6, annex B.
ISO/IEC 10373-6, 2001.

JB04

A. Juels and J. Brainard.
Soft blocking: Flexible blocker tags on the cheap, April 2004.
http://theory.lcs.mit.edu/~rivest/ .

JRS03

A. Juels, R. Rivest, and M. Szydlo.
The blocker tag: Selective blocking of RFID tags for consumer privacy.
In Proc. 8th ACM Conf. Computer and Communications Security (CCS), pages 103-111, May 2003.
http://theory.lcs.mit.edu/~rivest/ .

Kre05

Brian Krebs.
Leaving Las Vegas: So long DefCon and Blackhat.
The Washington Post, 2005.
http://blogs.washingtonpost.com/securityfix/ 2005/08/both_black_hat_.html .

KW05

Ziv Kfir and Avishai Wool.
Picking virtual pockets using relay attacks on contactless smartcard systems.
In Proc. 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm), pages 47-58, Athens, Greece, September 2005. IEEE.

Lee03

Youbok Lee.
Antenna circuit design for RFID application.
Microchip Technology, Application Note AN710, DS00710C, 2003.
http://ww1.microchip.com/downloads/en/AppNotes/00710c.pdf .

Lin05

Rick Lingle.
MIT's economical RFID field probe, 2005.
http://www.packworld.com/articles/Departments/18784.html .

Mel04

A power booster for the MLX90121.
Melexis Application Note 390119012102, Rev.001, April 2004.
http://www.melexis.com/relinfofiles/AN90121_1.pdf .

Poz05

David M. Pozar.
Microwave Engineering.
John Wiley & Sons, Inc., third edition, 2005.

RCT05

Melanie Rieback, Bruno Crispo, and Andrew Tanenbaum.
RFID guardian: A battery-powered mobile device for RFID privacy management.
In Australasian Conference on Information Security and Privacy - ACISP'05, LNCS 3574, pages 184-194, Brisbane, Australia, July 2005. Springer-Verlag.

Sch01

Tom A. Scharfeld.
An Analysis of the Fundamental Constraints on Low Cost Passive Radio-Frequency Identification System Design.
Master's thesis, Massachusetts Institute of Technology, Cambridge, MA 02139, August 2001.

Sch05

Bruce Schneier.
RFID passport security revisited.
Schneier on Security: A weblog covering security and security technology, 2005.
http://www.schneier.com/blog/archives/2005/08/rfid_passport_s_1.html .

SWE02

Sanjay E. Sarma, Stephen A. Weis, and Daniel W. Engels.
RFID Systems and Security and Privacy Implications.
In Workshop on Cryptographic Hardware and Embedded Systems (CHES), LNCS 2523, pages 454-470. Springer-Verlag, 2002.

TI03

S4100 multi-function reader module data sheet.
Texas Instruments, Module 11-06-22-715, 2003.
http://www.ti.com/rfid/docs/manuals/refmanuals/rf-mgr-mnmn_ds.pdf .

TI04

HF antenna cookbook.
Technical Application Report 11-08-26-001, Texas Instruments, January 2004.
http://www.ti-rfid.com .

TI05

Rfid homepage.
Texas Instruments, 2005.
http://www.ti-rfid.com .

Wei03

Stephen A. Weis.
Security and Privacy in Radio-Frequency Identification Devices.
Master's thesis, Massachusetts Institute of Technology, Cambridge, MA 02139, May 2003.

Whi05

Dan White.
NCR: RFID in retail.
In S. Garfinkel and B. Rosenberg, editors, RFID: Applications, Security, and Privacy, pages 381-395. Addison-Wesley, 2005.

A. Printing the PCB antenna

The PCB antenna was made using PCB printing materials and hobbyist equipment as listed below:

• Raw PCB Glass-Epoxy tablet size 20x25 cm - price $5
• Photo resist, Positive process - $27
• Ferric Chloride - $9
• Lye (NaOH - Soda Caustic) - $9
• Piece of glass, size 18x23 cm for standard photo frame - $1
• 1 A4 Parchment paper - 20 cents
• Black alcohol based non erasable water proof pen - $1.25
• Acetone - $4
• Rubber gloves, can be bought in a Dollar Store - $1

The cookbook contains a complete description, including a print layout and electronic circuitry (See [TI04] pages 21-22).

The process of making the PCB antenna is identical to the process of making any PCB. Note that positive photo-resist PCB printing requires a positive layout film. Since making a celluloid film requires photographic equipment, we used the more common materials.

We first printed the antenna PCB layout on the pergament paper using an ink injection printer set up as follows:

-

Print quality - best paper setting

-

Transparency film - other transparency film

-

Color - Print in gray scale - black only

-

Check the GUI check box for ``Actual size''

-

Ink Volume - Heavy

The following instructions guide you through the antenna manufacturing process. Wear rubber gloves and protect eye glasses since Ferric Chloride acid is a very strong and harmful material, and contact with human eyes causes severe injury.

1. Cover the large areas of the ink with the water proof pen to avoid any penetrating light through the pergament paper.
2. Prepare the raw PCB Glass-Epoxy tablet for exposure by thoroughly cleaning it from dust and dirt. A clean surface is crucial to avoid PCB printing flaws.
3. Dry the tablet in an oven at a temperature around 70 Celsius degrees.
4. Thoroughly clean the glass against spots and dust.
5. In a dark room, spray a thin layer of Positive Photo Resist on the PCB tablet, and dry it in the oven at 70 Celsius degrees for about 20 minutes.
6. Make a 7% Soda Caustic solution with water.
7. Put the pergament printed layout over the PCB tablet in the correct direction (be aware of the Print Side (PS) and Component Side (CS)) .
8. Put the glass on the pergament paper and hold them together tightly.
9. Expose the ``sandwich'' to bright sunlight for 4 to 6 minutes.
10. Remove the glass and pergament paper, and insert the exposed PCB into the Soda Caustic solution for about 20 minutes until all the photo-resist that was exposed to the sun is removed.
11. Thoroughly wash the PCB with water. Be extra careful not to scratch the photo-resist printed leads.
12. Make a 25 Celsius degrees Ferric Chloride solution, and insert the PCB until the exposed copper is fully etched. The PCB should be rapidly shaken within the acid, otherwise the etching process will take a long time. Shaking it will shorten the etching process to around 45 minutes. An aquarium pump is an effective and cheap way to stir the acid.
13. Wash the PCB thoroughly with water, dry it, and use the Acetone to remove the photo-resist from the antenna's copper leads. We still had few small flaws left due to strong etching, therefore we covered the whole antennas copper leads with tin.

The 50 impedance matching network were soldered according to TI Antenna cookbook, see Figure 3, and we used a BNC connectors instead of SMA to reduce cost. At this point, the antenna is ready for tuning and use.

In countries lacking sunny days for long months, one can consider screen printing technology for printing the PCB antenna. This technique requires some background knowledge and some practical experience. The basic materials costs around $150 dollars, and after few attempts, an average handyman can handle the task quite easily. We have not tried the screen printing as the process we described worked successfully for us.

---

Footnotes

... Kirschenbaum ¹

Ilan Kirschenbaum is with the School of Electrical Engineering Systems, Tel Aviv University, Ramat Aviv 69978, ISRAEL E-mail: ilankir@gmail.com.

... Wool ²

Avishai Wool is with the School of Electrical Engineering Systems, Tel Aviv University, Ramat Aviv 69978, ISRAEL E-mail: yash@acm.org.

---

Avishai Wool 2006-05-08