Description
By using an SDR receiver it is possible to capture, demodulate and decode the NFC signal exchanged between the card and the reader.
My objective is not to explain the NFC standards or modulation techniques; there is plenty of documentation accessible through Google. I will describe as simply as possible the method I have used to implement this software.
Currently, only detection and decoding for NFC-A modulation has been implemented.
Signal processing
The first step is to receive the 13.56 MHz signal and demodulate it to obtain the baseband ASK stream. Any SDR device capable of tuning this frequency can be used; I have the fantastic and cheap AirSpy Mini, capable of tuning from 27 MHz to 1700 MHz (https://airspy.com/airspy-mini/).
However, it is not possible to tune 13.56 MHz with this receiver, so instead I use the second harmonic at 27.12 MHz or the third at 40.68 MHz, with good results.
Let's look at a capture of the signal received in baseband (after the I/Q to magnitude transform) for the REQA command and its response:
As can be seen, it is a 100% ASK modulated signal that corresponds to the REQA (26h) command of the NFC specifications; the response of the card uses something called load modulation, which manifests as a series of pulses on the main signal after the command.
Demodulation
Because of the digital nature of the signal I used a technique called symbol correlation, which is equivalent to convolving the signal with the shape of each symbol to be detected. Without going into details, NFC-A modulation is based on 6 patterns: Y, X and Z for reader commands and E, D, F for card responses (see the NFC specifications for a complete description).
Demodulation is performed by calculating the correlation with these patterns and detecting the instant at which each of them is best approximated. Below are the correlation functions for the two basic symbols S0 and S1 used to calculate all the others. The last value, the function SD, represents the absolute difference between S0 and S1, which is needed to detect the timings.
The response of the card is much weaker but strong enough to allow its detection using the same technique for patterns E, D, F; here it is shown at a better scale.
Symbol detection
For the detection of each symbol the value of each correlation is evaluated at the appropriate instants according to the synchronization. The number of samples per symbol is defined as N and must be calculated before starting the process, knowing the sampling frequency (fc) and the symbol duration.
The correlation process begins with the calculation of the S0 and S1 values that represent the basic symbols, which are subsequently used to discriminate between the NFC patterns X, Y, Z, E, D and F, as shown below.
This results in a stream of patterns X, Y, Z, E, D, F that is subsequently interpreted by a state machine in accordance with the ISO 14443-3 specification to obtain a byte stream that can be easily processed.
Bitrate discrimination
So, we have seen how demodulation is performed, but how does this apply when there are different speeds? Since we do not know the transmission speed in advance, it is necessary to apply the same process for all possible speeds through a bank of correlators. In fact this is only necessary for the first symbol of each frame: once the bitrate is known, the remaining symbols are decoded using that speed.
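The following is an added example, not code from nfc-laboratory, that puts the three previous sections together for reader commands: S0/S1/SD symbol detection, the ISO 14443-3 state machine that turns the X/Y/Z pattern stream into bits, and the bank of correlators that determines N from the first symbol of the frame. Everything about the signal is assumed for the example, since the README does not fix it: samples are magnitudes in [0,1] after the I/Q to magnitude step (1 = carrier present, 0 = pause), S0 and S1 are the mean levels of the first and second half of a bit period, the pause lasts a quarter of the bit, and the sampling frequency is 13.56 MHz so that N = 128 samples at 106 kbps. The REQA waveform is constructed inline; the candidate N values 128, 64, 32 and 16 correspond to 106, 212, 424 and 848 kbps at that sampling rate.

```cpp
// Added example, not nfc-laboratory's own code: correlation-based NFC-A symbol
// detection (ISO 14443-3 Type A, modified Miller) plus a bank of correlators
// that picks N from the first symbol. Assumed (not stated by the README):
// magnitudes in [0,1] (1 = carrier, 0 = pause), S0/S1 = mean of each half bit,
// pause = a quarter bit, fs = 13.56 MHz so N = 128 samples at 106 kbps.
#include <cmath>
#include <vector>

namespace nfca_demo {
enum class Pattern { X, Y, Z };
constexpr double kHigh = 0.9, kLow = 0.1;  // carrier level / level inside a pause

// Bits -> patterns per ISO 14443-3: SOC is Z; 1 is X; 0 is Y after a 1 and
// Z after a 0 or after SOC; EOC is a logic 0 followed by Y.
std::vector<Pattern> encodeFrame(const std::vector<int>& bits) {
    std::vector<Pattern> pats{Pattern::Z};
    int prev = 0;  // SOC counts as a preceding 0
    for (int b : bits) {
        pats.push_back(b ? Pattern::X : (prev ? Pattern::Y : Pattern::Z));
        prev = b;
    }
    pats.push_back(prev ? Pattern::Y : Pattern::Z);  // the EOC's logic 0
    pats.push_back(Pattern::Y);
    return pats;
}

// Constructed waveform: Z = pause at the start of the bit, X = pause in the
// middle, Y = no pause, with `idle` samples of plain carrier on both sides.
std::vector<double> encodeMiller(const std::vector<Pattern>& pats, int N, size_t idle) {
    std::vector<double> out(idle, kHigh);
    for (Pattern p : pats)
        for (int i = 0; i < N; ++i) {
            bool pause = (p == Pattern::Z && i < N / 4) ||
                         (p == Pattern::X && i >= N / 2 && i < N / 2 + N / 4);
            out.push_back(pause ? kLow : kHigh);
        }
    out.insert(out.end(), idle, kHigh);
    return out;
}

// First sample at which the carrier drops, i.e. the start of the SOC pause.
size_t findFrameStart(const std::vector<double>& x) {
    for (size_t i = 0; i < x.size(); ++i) if (x[i] < 0.5) return i;
    return x.size();
}

// Bipolar correlation of one candidate window with the Z template (pause for
// N/4 samples, then carrier): 1.0 is a perfect match, negative a mismatch.
double correlateZ(const std::vector<double>& x, size_t at, int N) {
    if (at + N > x.size()) return -1.0;
    double acc = 0;
    for (int i = 0; i < N; ++i) acc += (2.0 * x[at + i] - 1.0) * (i < N / 4 ? -1.0 : 1.0);
    return acc / N;
}

// Bank of correlators: score every candidate N on the first symbol only and
// keep the strongest; the rest of the frame is then decoded with that N.
int detectSymbolLength(const std::vector<double>& x, size_t start, const std::vector<int>& cands) {
    int best = cands.front();
    for (int N : cands)
        if (correlateZ(x, start, N) > correlateZ(x, start, best)) best = N;
    return best;
}

// S0/S1 = mean of the first/second half of the bit, SD = |S0 - S1|: a pause
// lowers the mean of the half it falls in, and which half tells X from Z.
Pattern detectPattern(const std::vector<double>& x, size_t at, int N) {
    double s0 = 0, s1 = 0;
    for (int i = 0; i < N / 2; ++i) { s0 += x[at + i]; s1 += x[at + N / 2 + i]; }
    s0 /= N / 2; s1 /= N / 2;
    if (std::fabs(s0 - s1) < 0.2) return Pattern::Y;
    return s0 < s1 ? Pattern::Z : Pattern::X;
}

// State machine over the pattern stream: data bits of one frame (LSB first),
// or an empty vector on a coding violation or a missing EOC.
std::vector<int> decodeFrame(const std::vector<double>& x, size_t start, int N) {
    std::vector<int> bits;
    if (start + N > x.size() || detectPattern(x, start, N) != Pattern::Z) return bits;
    Pattern prev = Pattern::Z;
    for (size_t at = start + N; at + N <= x.size(); at += N) {
        Pattern p = detectPattern(x, at, N);
        if (p == Pattern::X) bits.push_back(1);
        else if (p == Pattern::Z) {
            if (prev == Pattern::X) return {};  // Z may only follow a 0 or SOC
            bits.push_back(0);
        } else if (prev == Pattern::X) bits.push_back(0);  // Y after a 1 is a 0
        else {
            if (bits.empty()) return {};
            bits.pop_back();  // Y after a 0: that 0 was the EOC, not data
            return bits;
        }
        prev = p;
    }
    return {};
}

// End to end on a constructed REQA (26h as 7 bits, LSB first) at 106 kbps.
std::vector<int> demoReqa() {
    std::vector<double> x = encodeMiller(encodeFrame({0, 1, 1, 0, 0, 1, 0}), 128, 64);
    size_t start = findFrameStart(x);
    return decodeFrame(x, start, detectSymbolLength(x, start, {128, 64, 32, 16}));
}
}  // namespace nfca_demo
```

With the constructed REQA frame, `correlateZ` scores 0.8 for N = 128 against 0.4 for N = 64 and negative values for the shorter candidates, so the bank selects the right symbol length from the very first symbol, and `decodeFrame` returns the seven data bits of the short frame while dropping the logic 0 that belongs to the EOC. The threshold 0.2 on SD works because a pause of a quarter bit halves the mean of the half it falls in; a real receiver would derive it from the measured carrier level rather than from a constant.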
BPSK modulation
ASK modulation is relatively simple and easy to implement; however, the ISO 14443 specification defines the use of BPSK for card responses when the speed is 212 kbps or higher.
BPSK demodulation requires a reference signal to detect the phase changes (carrier recovery). Since that is complex, I have chosen to implement it by multiplying each symbol by the preceding one, so that the value of each symbol can be determined from the changes between them.
Below you can see the BPSK modulated signal for a response frame at 424 kbps, followed by the demodulation y(t) and the integration process over a quarter of a symbol, r(t).
Finally, by checking whether the result is positive or negative, the value of each symbol can be determined. In practice it is somewhat more complex, since timing and synchronization must be considered.
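An added example, not nfc-laboratory's own code, of the differential approach just described: each symbol is multiplied by the preceding one, the product is integrated over the first quarter of the symbol, and the sign of the result decides whether the phase flipped. Synchronization is left out, so symbol boundaries are assumed known. The rest is also assumed for the constructed signal: a sampling frequency of 13.56 MHz, the 848 kHz subcarrier (16 samples per cycle), 424 kbps symbols (32 samples), an NRZ-L mapping with bit 1 at phase 0 and bit 0 at phase pi, and the first symbol acting as the phase reference. The signal rides on a constant carrier level, as the output of the I/Q to magnitude step would, which is why a carrier-removal step comes before the multiplication.

```cpp
// Added example, not nfc-laboratory's own code: differential BPSK demodulation
// of a card response. y(t) = s(t)*s(t-T) is integrated over the first quarter
// of each symbol; a negative r means the phase flipped against the previous
// symbol. Assumed: symbol boundaries already known (synchronization left out),
// fs = 13.56 MHz, 848 kHz subcarrier (16 samples/cycle), 424 kbps symbols
// (32 samples), NRZ-L mapping (bit 1 = phase 0, bit 0 = phase pi), signal
// riding on a carrier level as the I/Q -> magnitude output would.
#include <cmath>
#include <vector>

namespace bpsk_demo {
constexpr int kCycle = 16;   // samples per subcarrier period
constexpr int kSymbol = 32;  // samples per symbol
constexpr double kPi = 3.14159265358979323846;

// Constructed card response: the first bit is the phase reference.
std::vector<double> modulate(const std::vector<int>& bits, double carrier, double amp) {
    std::vector<double> s;
    for (int b : bits)
        for (int i = 0; i < kSymbol; ++i)
            s.push_back(carrier + (b ? amp : -amp) * std::sin(2 * kPi * i / kCycle));
    return s;
}

// The carrier level would dominate s(t)*s(t-T) and make every r positive, so
// it is removed first: a symbol spans whole subcarrier cycles, so its mean is
// the carrier level.
std::vector<double> removeCarrier(const std::vector<double>& s) {
    std::vector<double> out(s.size(), 0.0);
    for (size_t k = 0; k + kSymbol <= s.size(); k += kSymbol) {
        double mean = 0;
        for (int i = 0; i < kSymbol; ++i) mean += s[k + i];
        mean /= kSymbol;
        for (int i = 0; i < kSymbol; ++i) out[k + i] = s[k + i] - mean;
    }
    return out;
}

// r_k = sum over the first quarter of symbol k of s(t) * s(t - T), with T one
// symbol: the demodulation y(t) followed by the integration.
std::vector<double> differentialIntegrate(const std::vector<double>& s) {
    std::vector<double> r;
    for (size_t k = kSymbol; k + kSymbol <= s.size(); k += kSymbol) {
        double acc = 0;
        for (int i = 0; i < kSymbol / 4; ++i) acc += s[k + i] * s[k - kSymbol + i];
        r.push_back(acc);
    }
    return r;
}

// Sign check: r < 0 is a 180 degree change, so the bit toggles.
std::vector<int> decode(const std::vector<double>& r, int referenceBit) {
    std::vector<int> bits;
    int prev = referenceBit;
    for (double v : r) {
        if (v < 0) prev = 1 - prev;
        bits.push_back(prev);
    }
    return bits;
}

// End to end: a weak response (amplitude 0.05) on a carrier level of 0.7.
std::vector<int> demo(const std::vector<int>& tx) {
    std::vector<double> s = removeCarrier(modulate(tx, 0.7, 0.05));
    return decode(differentialIntegrate(s), tx.front());
}
}  // namespace bpsk_demo
```

Over a quarter symbol (half a subcarrier cycle) the integral of the product is plus or minus four times the squared amplitude, so the sign is unambiguous once the carrier level is gone; skipping `removeCarrier` leaves the product dominated by the squared carrier level and every symbol looks unchanged, which is the failure mode to watch for when feeding magnitude samples straight into this demodulator.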
Signal quality analysis
This version includes an OpenGL spectrum analyzer and IQ graph to show the quality of the received signal.
Application example
An example of the result can be seen below.
Signal capture with spectrum analysis and IQ diagram:
Capture of the protocol and time measurement.
Protocol detail.
Inside the "doc" folder you can find a video with an example of how it works.
SDR Receivers tested
I have tried several receivers, obtaining the best results with the AirSpy Mini. I do not have more devices, but it surely works with others.
- AirSpy Mini or R2: best results, tuning the third harmonic 40.68 MHz with a sampling frequency of 10 Mbps; with these parameters it is possible to capture the communication up to 424 kbps.
- RTL SDR: it works by tuning the second harmonic 27.12 MHz; due to the limitation in the maximum sampling frequency of 3 Mbps and its 8 bits of precision, it only allows you to capture the commands.
NOTE: Support for RTL-SDR is not finalized due to its limited applicability.
Upconverters
To avoid the use of harmonics it is possible to use an up-converter and thus tune directly to the carrier frequency of 13.56 MHz, although I have not tried this combination.
Hardware requirements and performance
The demodulator is designed to run in real time, so it requires a recent computer with plenty of processing capacity.
During development, I have opted for a mixed approach where some optimizations are sacrificed in favor of maintaining clarity in the code and facilitating its monitoring and debugging.
For this reason it is possible that the performance of certain parts could be improved, but I have done this as a didactic exercise rather than a production application.
The real-time spectrum analyzer requires a graphics card with OpenGL support and geometry shaders, otherwise the "NFC Frequency" view will not be displayed correctly.
Source code and licensing
If you think this is interesting work or you plan to use it for something, please send me an email and let me know; I will be happy to exchange experiences. Thank you very much.
This project is published under the terms of the MIT license; however, parts of it are subject to other licenses, so please check them if you are interested in this work.
- AirSpy SDR driver at src/nfc-lib/lib-ext/airspy, see https://github.com/airspy/airspyone_host
- RTL SDR driver at src/nfc-lib/lib-ext/rtlsdr, see https://osmocom.org/projects/rtl-sdr
- nlohmann json at src/nfc-lib/lib-ext/nlohmann, see https://github.com/nlohmann/json
- muFFT library at src/nfc-lib/lib-ext/mufft, see https://github.com/Themaister/muFFT
- QCustomPlot at src/nfc-app/app-qt/src/main/cpp/support, see https://www.qcustomplot.com/
- QDarkStyleSheet at src/nfc-app/app-qt/src/main/assets/theme, see https://github.com/ColinDuquesnoy/QDarkStyleSheet
Project resources
Source code, installers and more instructions can be found on the GitHub page.