OpenPICC 
How to sniff RFID reader to ISO 14443 tag data transmission using OpenPICC

The OpenPICC project for Proximity Integrated Circuit Cards (PICC) is the counterpart to OpenPCD. It is a device that emulates 13.56MHz based RFID transponders / 
smartcards. OpenPICC can be used to e.g. simulate ISO 14443 or ISO 15693 transponders, such as those being used in biometric passports and FIFA worldcup tickets.

 

Like OpenPCD, the hardware design and software are available under Free Licenses.
Downloads

    * Schematics (pdf)
    * PCB layout (pdf)
    * Bill of materials (pdf)
    * Gerber files (zip)


How to sniff RFID reader to ISO 14443 tag data transmission using OpenPICC

1. configure OpenPCD to send data continuously

    * connect USB debug cable to RS232_CMOS connector on OpenPCD - black wire is Pin 1
    * cu -l/dev/ttyUSB0 -s115200 (debug terminal - where ttyUSB0 is the debug cable. You can find 'cu' in the uucp packet. Make sure that your current user is 
also in the group 'uucp' to use this software )
    * power cycle OpenPCD again - OpenPCD boot message appear
    * press 'A' on debug terminal to enable continuous long packet transmission by OpenPCD - green LED turns on continuously in return

2. compile openpcd_test:

    * mkdir openpicc
    * cd openpicc
    * svn co http://svn.openpcd.org/trunk/host/
    * svn co http://svn.openpcd.org/trunk/firmware/
    * cd host
    * make opcd_test
    * mv opcd_test opicc_test
    * plug OpenPICC into USB port
    * sudo ./opicc_test -L

3. Configure OpenPICC via USB debug cable:

    * plug the debug cable into OpenPICC - black wire towards jumper socket in top right
    * press '}` several times to decrease the sampling clock divider to the lowest value
    * press 'd' till SSC-Mode is set to '5'
    * press 's' to start sampling
    * press 'a' to stop sampling
    * analyse /tmp/opcd_samples for sampled data (see example file)

4. Decode the sniffed data:

    * wget http://www.openpcd.org/dl/openpicc/decode_openpicc.c
    * gcc -O2 -o decode decode_openpicc.c
    * ./decode /tmp/opcd_samples
    * Example output:

      Y
      Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[07]0 Z[00]0  [11]1   ==0x00
      X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1 X[07]1   ==0xFF
      X[07]1 X[11]0 Z[07]0 Z[00]0  [11]1 X[11]0 Z[07]0 Z[00]0  [12]1   ==0x11
      X[00]0  [14]1 X[11]0 Z[07]0 Z[00]0  [11]1 X[11]0 Z[00]0  [11]1   ==0x22
      X[07]1 X[07]1 X[11]0 Z[00]0  [11]1 X[07]1 X[11]0 Z[00]0  [11]1   ==0x33
      X[12]0 Z[00]0  [10]1 X[11]0 Z[07]0 Z[00]0  [11]1 X[00]0  [16]1   ==0x44
      X[06]1 X[00]0  [15]1 X[00]0  [16]1 X[00]0  [14]1 X[00]0  [15]1   ==0x55
      X[00]0  [16]1 X[06]1 X[12]0 Z[00]0  [11]1 X[06]1 X[00]0  [15]1   ==0x66
      X[00]0  [16]1 X[00]0  [14]1 X[11]0 Z[00]0  [12]1 X[10]0 Z[08]0   ==0x4A
      Z[07]0 Z[00]0  [11]1 X[07]1 X[11]0 Z[00]0  [11]1 X[10]0 Z[08]0   ==0x4C
      CRC OK