Flexible FPGA-Based RFID Emulation

Platform for Experimental Purpose

Ibrahim Mezzah, Omar Kermia, and Hamimi Chemali

Abstract Rapid advances in radio frequency identification (RFID) applications

are the driving force behind the development of new tools for embracing
frequently optimal solutions. In this work, an FPGA-based RFID emulation plat-
form conforming to EPC UHF Gen2 protocol has been developed to be used as a
development and evaluation tool to promote and extend RFID solutions. This plat-
form is mainly composed of a highly flexible architecture of a tag and a reader.
The VHDL designed platform around an IP core microcontroller serves as an effi-
cient and a low cost research development environment. The platform utility and its
features are demonstrated through analysis and evaluation of fault impact on a UHF
tag architecture.

Keywords RFID · Platform · Tag · Transponder · Reader · Emulation · EPC UHF

Gen2 · FPGA · Wireless technologies

1 Introduction

Radio frequency identification (RFID) is widespread in several currently application

fields such as supply chain management, transportation, wireless sensor networks
and internet of things. This technology is in continuous progress where new appli-
cations, new solutions and new protocol improvement appear frequently. However,
prototyping and evaluation tools as simulation and emulation platforms are essential
and play a significant role in this progress [1]. These platforms are very useful and can

I. Mezzah (B) · O. Kermia

Centre for Development of Advanced Technologies (CDTA), Algiers, Algeria
e-mail: [email protected]
O. Kermia
e-mail: [email protected]
H. Chemali
Department of Electronics, University of Setif, Setif, Algeria

© Springer Nature Singapore Pte Ltd. 2021 1111

S. Bououden et al. (eds.), Proceedings of the 4th International Conference on Electrical
Engineering and Control Applications, Lecture Notes in Electrical Engineering 682,
https://doi.org/10.1007/978-981-15-6403-1_77
1112 I. Mezzah et al.

be employed in diverse aspects such as prototyping, sensing application, protocols

evaluation, performance assessment, attacks emulation and security analysis.
In the last decade, several RFID simulation environments have been reported.
They focus generally on the evaluation of a single RFID component whether tags
or readers [2], while other environments consider the physical and logical layer
simulation [3]. Some of them use hardware support for the implementation and
the validation. As RFID is highly up-to-date and a very interesting area, RFID tag
and reader prototypes realisation are then frequently reported. In these reported
prototypes, developed tag circuits are generally used in sensing applications [4]
or emulation means [5]. These circuits have been developed around microcontrollers
[5] or FPGA circuits [6]. For reader reported platforms, several works such as in
[7] rely on microcontrollers, on FPGA [8] and others on combination of DSP and
FPGA circuits [3]. In this work, the two RFID components, a tag and a reader,
are considered simultaneously in a designed flexible and high performance FPGA
based RFID platform. A tag and a reader are built conforming to EPC UHF Gen2
protocol [9]. The MCIP microcontroller IP core [10] is used in the development of
both components. Some helpful modules are added as peripherals to MCIP to provide
simple and powerful architectures developed in VHDL. The developed tag and reader
constitute therefore an experimental platform whose flexibility is doubly guaranteed
by FPGA design circuit flexibility and monitoring software. The developed tag and
reader are completely independent and, thus, can be used together or separately.
The paper is organised as follows: Sects. 2 and 3 present details on the design of the
tag and the reader of the developed platform. In Sect. 4 the physical implementation
of the system tag-reader is presented, while an application example is given in Sect. 5.
The last section concludes this paper.

2 Design of the Tag

A variety of known RFID tag (transponder) architectures deployed in real appli-

cations or proposed in research works rely on architectures processor based, inte-
grating hardware and software parts, as well as on architectures solely hardware built.
Each category has its advantages over the other; for example architectures based on
processors are more flexible due to the software flexibility and efficiently support
complexity and RFID protocols features. On the other hand, hardware-based archi-
tectures support basic RFID protocols functionalities in small area, low power and
low cost solutions.
Since tag architecture flexibility is targeted in an emulation platform, we have
developed, in this work, a new architecture based on MCIP microcontroller IP core
[10]. The configurability of MCIP is thoroughly explored to build the tag architecture
where new modules, such as “Transmitter” and “Receiver”, are designed and added
to the MCIP as peripherals (Fig. 1). Several tag functionalities are therefore hardware
implemented in these peripherals, which in turn considerably reduced the software
part and made it easier to adopt. The resulting tag is then so flexible, that it is possible
Flexible FPGA-Based RFID Emulation Platform … 1113

Input
Receiver
Output
MCIP Transmitter
(Configurable Microcontroller)
Backs. clock

Data Bus
Timer

PRNG
Program Data
Memory Memory Tag Memory

Fig. 1 RFID tag block diagram

to add any optional or costumed functionality conforming to the EPC UHF Gen2
version 2 protocol [11]. In addition, attention is directed to developing and applying
new RFID solutions such as those related to the authentication and the security.
As shown in Fig. 1, six peripherals are developed and added to MCIP to complete
the tag hardware design. The “Receiver” and the “Transmitter” constitute the main
modules since concerned by the generation and the reception of frames. For the others
peripherals, the “Backscatter clk” generates the used clock in the replay frames gener-
ation, the “Timer” counts the time periods, the “PRNG” is a pseudo random number
generator and finally the “Tag Memory” which includes the “Reserved memory”,
“EPC memory”, “TID memory” and “User memory” according to the protocol
[9]. The “Receiver” block contents is illustrated in Fig. 2 where commands are
acquired through monitoring the two registers “RXCON” and “RXSTAT” under the
supervision of “PIE decoder” commands.

TRcalH TRcalL

RTcal
Received
Data Bus

data Tag
16-bit shift register input
Interrupt Load PIE Decoder
counte

RXdataH RXdataL

RXCON CRC5 CRC5/CRC16

CRC16 Decoder
RXSTAT

Fig. 2 Tag receiver block diagram

1114 I. Mezzah et al.

Software part has been developed using C language in conjunction with assembly
code in order to obtain an optimal program. Several functions are defined and organ-
ised in twenty functions in addition to the main program and the interrupt subroutine.
Figure 3 illustrates the program functions tree and the size of each function. As shown
in this figure, “Frame reception”, “Open state” and “Secured state” functions occupy
a large volume in the program since they integrate the majority of functionalities.
As “Open state” and “Secured state” functions include nearly the same functional-
ities, they could be regrouped. In our case we have voluntary kept them separated
to distinguish the different states of the tag activity. The total size of the obtained
program is 5944 bytes while the used RAM is only 28 bytes. For optimising the
power consumption, the sleep mode is extensively employed. During the tag-reader
communication, the tag remains in the sleep mode about 90% of the time.
Implementation results of the developed tag on Virtex-5 FPGA (XC5VLX50T)
are given in Table 1. The number of used slice registers is 674 slices, while the number
of used slice LUTs is 3475 slices which represent 12% of the FPGA resources. These

main 698 bytes

frame_reception 1117 bytes
New_Round 242 bytes
inventoried_transition 66 bytes
loading_Slot_counter 88 bytes
Slot_counter_checking 56 bytes
Arbitrate_state 100 bytes
Slot_counter_checking
loading_Slot_counter
Reply_state 138 bytes
loading_Slot_counter
Slot_counter_checking
Acknowledged_state 182 bytes
inventoried_transition
Open_state 994 bytes
inventoried_transition
Write_process 42 bytes
Secured_state 1038 bytes
inventoried_transition
Write_process
Open_Kill_seq_state 266 bytes
Open_Access_seq_state 268 bytes
reply_generation 106 bytes
RN16_tag_reply 24 bytes
handle_tag_reply 24 bytes
EPC_tag_reply 250 bytes
Data_tag_reply 102 bytes
Write_success_tag_reply 36 bytes
Error_tag_reply 44 bytes
interrupt 4 bytes

Fig. 3 Functions tree of the tag software with the program size of each function
Flexible FPGA-Based RFID Emulation Platform … 1115

Table 1 Tag area occupation on Virtex-5 (XC5VLX50T)

Logic Used Available Utilization (%)
Number of slice registers 674 28800 2
Number of slice LUTs 3475 28800 12
Number of DSP 48Es 1 48 2

results concern the implementation of both hardware and software parts. Note that
the tag program memory (software part) occupies about 7% of FPGA resources.

3 Design of the Reader

Following the same methodology of the tag development, the designing of the reader
is completed by the development of two additional peripherals: the “Transmitter”
and The “Receiver” (Fig. 4). Three other MCIP peripherals are then used: the “I/O
Port” for LCD display, the “Timer0” for counting time periods and the “UART”
for enable serial communication. Several functions such as PIE encoding, delim-
iter/RTcal/TRcal generation and CRC5/CRC16 calculation [9] are hardware imple-
mented on the “Transmitter” module, in such a way as to facilitate the commands
generation and to easily add new commands through software. The design effort is
focused on the receiving part since the decoding process is always more complicated
than the encoding process. Indeed, only FM0 decoding is integrated in this current
version of the reader. The reader implementation reported area occupation of 6% on
Virtex-5 XCVLX50T FPGA (Table 2).

Output
Transmitter
MCIP Input
(Configurable Microcontroller) Receiver

I/O Port
Data Bus

Timer0
Program Data
Memory Memory UART

Fig. 4 RFID reader block diagram

1116 I. Mezzah et al.

Table 2 Reader area occupation on Virtex-5 (XC5VLX50T)

Logic Used Available Utilization (%)
Number of slice registers 708 28800 2
Number of slice LUTs 1900 28800 6
Number of DSP 48Es 1 48 2

4 Physical Implementation

Both developed circuits of the tag and the reader and all the defined modules are
completely validated in the simulation process. A physical implementation test is
then achieved by implementing the tag and the reader in a single FPGA using wired
communication between the two, this therefore constitutes an emulation of a perfect
RFID communication. For this implementation, we have used Digilent Genesys
board which includes a Virtex-5 FPGA (Fig. 5).
An oscilloscope is also used to visualize the communication between the tag and
the reader. Figure 6 illustrates the captured signals during the communication process
where the reader sends some commands that allow the tag to enter in the open state.

Fig. 5 Physical system implementation on Digilent Genesys board

Flexible FPGA-Based RFID Emulation Platform … 1117

RN16 EPC handle

Tag

Select Query ACK Req_RN

Reader

RN16 (FM0)
Tag

Query
Reader

Fig. 6 Captured signals during the communication process reader-tag

5 Application Example: RFID Tag Robustness

and Security Evaluation

A fault emulation system for RFID tag robustness and security evaluation is derived
from the developed platform and from the approach presented in [12]. This system
(Fig. 7) contains a couple of tag-reader implemented on a single FPGA with fault
emulation mechanism which permits the emulation of transient faults including single
or multiple bit upset (SBU, MBU) and single event transient (SET). In fact, faults
are injected into one tag, while the other is kept fault free. In addition, the present
solution has excluded the radio frequency communication by implementing in a
single FPGA both readers and tags. This choice greatly simplifies the emulation
process upon keeping valid analysis outcomes since the tag behaviour is willingly
maintained unaffected through this exclusion [13].
As illustrated in Fig. 7, the fault emulation system includes specific monitoring
circuits which control readers, tags and the communication. This defined structure
delivers information about injected faults and effects. Fault injection operation is
carried out through a module based on a VHDL fault injection technique [14]. In
addition, an emulation controller manages every system component and synchronises
the emulation process [15].
1118 I. Mezzah et al.

FPGA Fault free

tag
Reader1
monitoring
circuit
FPGA board

Fault Faulty host

injection tag
Reader2 computer
module

Emulation controller

Fig. 7 RFID fault emulation platform

An exhaustive single SEU analysis is then performed on the targeted tag, following
the communication scenario illustrated in Fig. 6. As shown in this scenario, the reader
starts by sending a ‘Select command’. Going through necessary steps of inventories
and accesses, the tag replies at the end with ‘Handle’ and enters in ‘Open state’.
For every flip-flop (FF) within the tag, a single fault is injected at every clock cycle,
except cycles for which the tag remains idle since injected faults will produce the
same result. Every tag FF, in total of 314 FFs, has been the subject of 6598 SEUs.
Consequently, in this experimentation, 2071772 SEUs are autonomously introduced
and analysed.
According to their effects, injected faults are classified in five defined categories
as follows: 1. Silent (S): communication scenario achieved with no error detection.
2. Frame Alteration (FA): communication scenario achieved in presence of frame
alteration. 3. Latent (L): communication scenario achieved but accompanied with
memory content altered which in turn may produce failure on forthcoming cycles.
4. Latent with Frame Alteration (L&FA): similar to latent but in presence of frame
alteration. 5. Failure (F): no achievement of communication scenario.
Table 3 summarises the deduced errors, they are divided into two categories,
major errors and minor errors, according to their impact on the tag security and
reliability. Note that one fault may produce several errors at the same time. Minor
errors have limited impact on the tag. For example, with ‘valid altered frame’ error,
frames either include non-destructive encoding faults or have delays without any
scenario corruption or breaking the communication. The remaining minor errors
may be recovered at new interrogations or when initiating a new round. In addition,
the presence of major errors, although in a minority (eight in total), is damaging
since the tag security and data contents are affected. ‘Enter into the Secured state’
error is a serious tag security threat since it can lead to secure data delivering or
data altering unwillingly. In addition, ‘enter into the Killed state’ and ‘change of tag
memory content’, considered as major errors, have not been detected through the
performed exhaustive injection.
Flexible FPGA-Based RFID Emulation Platform … 1119

Table 3 Summary of produced errors for the SEU experimentation

Errors Nb. Prop Fault category
Major Enter into the secured state 8 1/258,971 F
Enter into the killed state 0 0% F
Change of tag memory content 0 0% F
Minor Valid altered frame 202,176 9.76% L&FA/FA
Frame corruption 68,143 3.29% F
Invalid frame 40,875 1.97% F
Identification failed 157,795 7.62% F
Exiting the current round 61,368 2.96% F
Change of inventoried parameters 34,926 1.69% F/L/L&FA
Change of query parameters 107,085 5.17% F/L/L&FA

6 Conclusion

In this work, a UHF RFID emulation platform based on FPGA is developed. It

constitutes a low cost and a useful tool to carry out multiple tasks in prototyping,
protocol evaluation, attacks emulation and security analysis. The usefulness of this
platform is demonstrated through an exhaustive single SEU fault emulation on an
RFID tag. This experimentation has allowed the evaluation of the tag robustness and
the identification of the most vulnerable tag parts.

References

1. Steger C, Janek A, Weiß R, Derbek V, Jantscher M, Preishuber-Pfluegl J, Pistauer M (2010)

Simulators and emulators for different abstraction layers of UHF RFID Systems. RFID
SYSTEMS
2. Derbek V, Steger C, Weiß R, Wischounig D, Preishuber-Pfluegl J, Pistauer M (2007) Simulation
platform for UHF RFID. In: Proceedings of the conference on Design, automation and test in
Europe. EDA Consortium, pp 918–923
3. Angerer C, Langwieser R, Rupp M (2012) Evaluation and exploration of RFID systems by
rapid prototyping. Pers Ubiquit Comput 16(3):309–321
4. Sample AP, Yeager DJ, Powledge PS, Mamishev AV, Smith JR (2008) Design of an RFID-based
battery-free programmable sensing platform. IEEE Trans Instrum Meas 57(11):2608–2615
5. Plos T, Aigner M, Baier T, Feldhofer M, Hutter M, Korak T, Wenger E (2012) Semi-passive
RFID development platform for implementing and attacking security tags. Int J RFID Secur
Crypt 1(16–24):39
6. Abdelmalek O, Hely D, Beroulle V, Mezzah I (2013) An UHF RFID emulation platform with
fault injection and real time monitoring capabilities. In: 2013 8th international on design and
test symposium (IDT). IEEE, pp 1–2
7. Nikitin PV, Ramamurthy S, Martinez R (2013) Simple low cost UHF RFID reader. In: IEEE
international conference on RFID. pp 126–127
8. Li X, Wang C (2011) Design and FPGA verification of UHF RFID reader digital baseband. In:
2011 International conference on IEEE electrical and control engineering (ICECE)
1120 I. Mezzah et al.

9. EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID, Protocol for
Communications at 860—960 MHz”, Version 1.2.0, October 2008, EPCglobal Inc., http://
gs1.org
10. Mezzah I, Chemali H, Mezzah S, Kermia O, Abdelmalek O (2015) MCIP: High configurable
8-bit microcontroller IP-core. In: 2015 science and information conference (SAI). London, pp
1387–1390
11. EPC Radio-Frequency Identity Protocols Class-1 Generation-2 Version 2 UHF RFID, Protocol
for Communications at 860—960 MHz”, Version 2.0.1, April 2015, EPCglobal Inc., http://
gs1.org
12. López-Ongil C, García-Valderas M, Portela-García M, Entrena L (2007) Autonomous fault
emulation: a new FPGA-based acceleration system for hardness evaluation. IEEE Trans Nuclear
Sci 54(1):252–261
13. Mezzah I, Chemali H, Kermia O (2017) Emulation-based fault analysis on RFID tags for
robustness and security evaluation. Microelectron Reliab 69:115–125
14. Lala PK (2012) Transient and permanent fault injection in VHDL description of digital circuits.
Circ Syst 3(2):192–199
15. Mezzah I, Kermia O, Chemali H, Abdelmalek O, Beroulle V, Hély D (2013) Assertion based
on-line fault detection applied on UHF RFID tag. In: 2013 8th IEEE design and test symposium.
Marrakesh, pp 1–5