• The Soup:
  • Categories:
  • Random Photos
      • Aluminum Plate + Space Junk
      Et c'est parti!
      Oh porn stars.
      img_0976.jpg
  • Archives:
  • November 2007
  • October 2007

  • Blogroll


    • Where small furry rodents roam free.

    This is my little pied-a-terre on the web where I can give my 2 euro-cents about the world.
    Feel free to roam around, everything here is cool.
    Ellegua, an RFID access control system (work in progress). October 28, 2007
    Filed under: Technical — Tags: , , , , , — Gabe @ 10:11 am

    My rocketry club has a door, and this door has 2 keys. There are 30 members. Needless to say this is a mess.

    The answer? RFID reader (based on the RC500) + NSLU2 + Python + SQLLite + 50 MiFare Light RFID cards from Hong Kong! I christen thee Ellegua.

    1. The reader:

    STK500

    I got this reader off of eBay for about $30. I think you can still find it, it reads MiFare Ultralight, 1K, and 4K cards (so it can read passports for example).

    The RC500 claimed to come with source code so you could hack it. Unfortunately the source code was all there except that the actual API was a binary windows .dll, so that wasn’t going to be very helpful for my Python/NSLU2 plans.

    The solution was to load up the program the vendor provided in windows and sniff the serial port to grab the individual serial commands that control the card. That took about an hour, and I ended up with a list of command to initialize the reader, read the ID, read some contents, and control the LEDs present on the RC500.

    Here are the cards:

    RFID Ultralight Cards

    These are MiFare ultralights, so they have an ID, and you can store some basic information on them, but there’s no key-based access control like on the 1K or 4K cards. Access to the club is controlled by the card’s ID only for now, but the reader can also read my metro pass for example, so I’ll personally be using that for a card instead.

    There is no cryptography or any sort of security with these cards, but emulating one is really quite difficult. I fell across one guy who managed to emulate the cards, but it took 2xQuad-Layer PCBs with 2 ARMs, $400 of materials, and 4 months of work. I think if someone wants to get into the club they can break a window.

    2. The Code

    Setting up the NSLU2 with Linux is not in the scope of this document, but more information can be found here.

    Using pyserial and the previously acquired serial commands, I was able to query the RC500 and read card IDs. Reading the actual memory on the card was being buggy and wasn’t necessary for simple access control so I quickly gave up on that. Writing to memory requires that you provide a checksum of what you’re writing to the RC500, which I never bothered to figure out, but the commands are quite straightforward and the checksum is a simple modulo calculation.

    The function to read the Card’s ID:

        def readIDL(self):

        """

        Read the IDL of the card.  Not quite sure what that is.

        Returns the IDL as string of the hex numbers, ex: '41DAC89CB280'.

        """

        self.__ser.write('\xaa\xbb\x06\x00\x00\x00\x01\x02\x26\x25')

        if(self.__ser.read(12) != '\xaa\xbb\x08\x00\x11\x12\x01\x02\x00\x44\x00\x44'):

            return False

        self.__ser.write('\xaa\xbb\x05\x00\x00\x00\x12\x02\x10')

        response = self.__ser.read(17)

        idl = struct.unpack('BBBBBBBBBBBBBBBBB', response)

        return ''.join(('%(num)02X'%{'num' : i}) for i in idl[9:-1])

    RC500 Reader Module

    I’ll post the rest of the code once it’s finalized with the access control system (SQLLite Database). You can get the reader/authenticator code here.

    3. Authenticator <-> Door Interface

    Once we have the yes/no access decision from the reader, we need to actually open the door. The solution we came up with is to use a small AtMega8 to control the servomotor with PWM, and somehow understand an ‘open’ signal. There are 2 ways to communicate with our atmega8: a serial link (USB<->RS232) that sends commands to the atmega8, or the easier solution: flash one of the LEDs on the card reader on for 1 second, and have the atmega8 look at the LED (either its voltage, or with an optical sensor). The PCB layout we made has pin-outs for both methods, but version 1 of this project uses the LED method. We have also included the necessary ports to put a small LCD display on the atmega8, and a buzzer. I’ll upload the card schematics and code for the atmega8 once I get back from break.

    4. The Door

    The main constraint for this whole system is that the campus security and technicians need to still be able to access the club with their set of physical keys, and we need to be able to get in if there is a power outage. Therefore the solution is to piggyback a system onto the door lock with a servomotor that locks the door for us. The mechanical part uses a 90° gear set which links together the servomotor with the physical lock. The 90° gear set is too complicated to align properly. We are moving towards a belt-driven system, as this is much more tolerant and takes about as much space. We’ll be using a toothed belt to make sure there is no slippage. More on this (with pictures) once it’s actually in place.

    No Comments »

    No comments yet.

    RSS feed for comments on this post. TrackBack URL

    Leave a comment

    You must be logged in to post a comment.



    Gabe 2008