Mezzah 2019
1 Introduction
[Fig. 1: block diagram of the tag. The MCIP (configurable microcontroller), with its Program Memory and Data Memory, is connected through the Data Bus to the Receiver (input), the Transmitter (output), the Backscatter clock, the Timer, the PRNG and the Tag Memory]
to add any optional or customised functionality conforming to the EPC UHF Gen2
version 2 protocol [11]. In addition, attention is directed to developing and applying
new RFID solutions such as those related to authentication and security.
As shown in Fig. 1, six peripherals are developed and added to MCIP to complete
the tag hardware design. The “Receiver” and the “Transmitter” are the main modules,
since they handle the reception and the generation of frames. Among the other
peripherals, the “Backscatter clk” generates the clock used to generate reply frames,
the “Timer” counts time periods, the “PRNG” is a pseudo-random number generator
and the “Tag Memory” holds the “Reserved memory”, “EPC memory”, “TID memory”
and “User memory” defined by the protocol [9]. The contents of the “Receiver” block
are illustrated in Fig. 2: commands are acquired by monitoring the two registers
“RXCON” and “RXSTAT” under the supervision of the “PIE decoder”.
[Fig. 2: Receiver block. Received data enter a PIE Decoder and a 16-bit shift register driven by a counter; the RXdataH/RXdataL, RTcal and TRcalH/TRcalL registers, an interrupt and a load signal connect the block to the tag Data Bus]
The software part has been developed in C together with assembly code in order to
obtain an optimised program. The code is organised into twenty functions in addition
to the main program and the interrupt subroutine. Figure 3 illustrates the function
tree of the program and the size of each function. As shown in this figure, the
“Frame reception”, “Open state” and “Secured state” functions occupy a large share
of the program, since they integrate the majority of the functionality. As “Open
state” and “Secured state” include nearly the same functionality they could be
merged; we have deliberately kept them separate to distinguish the different states
of tag activity. The total size of the resulting program is 5944 bytes, while only
28 bytes of RAM are used. To optimise power consumption, sleep mode is used
extensively: during tag–reader communication, the tag remains in sleep mode about
90% of the time.
Fig. 3 Functions tree of the tag software with the program size of each function
Flexible FPGA-Based RFID Emulation Platform … 1115
Implementation results of the developed tag on a Virtex-5 FPGA (XC5VLX50T)
are given in Table 1. The design uses 674 slice registers and 3475 slice LUTs, the
latter representing 12% of the FPGA resources. These results cover the implementation
of both the hardware and the software parts. Note that the tag program memory
(software part) alone occupies about 7% of the FPGA resources.
Following the same methodology as for the tag, the reader design is completed by
developing two additional peripherals, the “Transmitter” and the “Receiver” (Fig. 4).
Three existing MCIP peripherals are also used: the “I/O Port” for the LCD display,
“Timer0” for counting time periods and the “UART” for serial communication.
Several functions such as PIE encoding, delimiter/RTcal/TRcal generation and
CRC5/CRC16 calculation [9] are implemented in hardware in the “Transmitter”
module, so that commands are easy to generate and new commands can be added
purely in software. The design effort is concentrated on the receiving part, since
decoding is always more involved than encoding; only FM0 decoding is integrated
in this version of the reader. The reader implementation occupies 6% of the
Virtex-5 XC5VLX50T FPGA (Table 2).
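The PIE symbol timing, the RTcal/TRcal calibration symbols and the two CRCs that the “Transmitter” generates in hardware, together with the pivot-based decoding that the “Receiver” performs with its counter and calibration registers, are shown below in software as an added worked example. This is not the authors' code or their hardware: the timing values, the Query field values and the helper names (`pie_encode`, `pie_decode`, `crc5`, `crc16`, `query_command`) are assumptions of the example, while the encoding rule, the RTcal/2 decision pivot and the CRC-5 (x^5+x^3+1, preset 01001) and CRC-16 (x^16+x^12+x^5+1, preset FFFF, output inverted) definitions are those of the EPC Gen2 protocol [9].

```python
"""Reader-to-tag PIE encoding/decoding and the Gen2 CRC-5 / CRC-16, in software.
Added worked example; not the authors' hardware.  Timing constants are
assumptions chosen inside the ranges EPC Gen2 allows."""

# Reader-to-tag timing in microseconds (assumed values; Gen2 allows Tari 6.25..25 us,
# data-1 = 1.5..2.0 Tari, RTcal = data-0 + data-1, TRcal = 1.1..3.0 RTcal)
TARI = 12.5              # length of a data-0 symbol
DATA1 = 2.0 * TARI       # length of a data-1 symbol
RTCAL = TARI + DATA1     # reader->tag calibration symbol
TRCAL = 2.0 * RTCAL      # tag->reader calibration symbol (sets the backscatter link rate)
DELIMITER = 12.5         # fixed low pulse that opens every reader frame


def pie_encode(bits, preamble=True):
    """Symbol lengths (us) the reader transmits for `bits`.  A Query carries the
    full preamble (delimiter, data-0, RTcal, TRcal); other commands use the
    frame-sync (delimiter, data-0, RTcal)."""
    frame = [DELIMITER, TARI, RTCAL] + ([TRCAL] if preamble else [])
    return frame + [DATA1 if b else TARI for b in bits]


def pie_decode(symbols):
    """Recover (bits, trcal) from measured symbol lengths: the same job the
    Receiver block does with its counter and its RTcal/TRcal registers."""
    if len(symbols) < 3:
        raise ValueError("truncated frame")
    _delim, data0, rtcal = symbols[:3]
    if not 2.5 * data0 <= rtcal <= 3.0 * data0:      # Gen2 bounds on RTcal
        raise ValueError("RTcal outside 2.5..3.0 Tari")
    pivot = rtcal / 2                                 # longer than RTcal/2 -> data-1
    rest, trcal = symbols[3:], None
    if rest and rest[0] > rtcal:                      # only TRcal may exceed RTcal
        trcal, rest = rest[0], rest[1:]
    bits = []
    for s in rest:
        if s > rtcal:
            raise ValueError("data symbol longer than RTcal")
        bits.append(1 if s > pivot else 0)
    return bits, trcal


def crc5(bits):
    """Gen2 CRC-5: x^5 + x^3 + 1, preset 01001, no inversion; 5 bits MSB first.
    Feeding message + CRC back through it leaves a zero residue."""
    reg = 0b01001
    for b in bits:
        feedback = ((reg >> 4) & 1) ^ b
        reg = (reg << 1) & 0x1F
        if feedback:
            reg ^= 0b01001                            # taps at x^3 and x^0
    return [(reg >> i) & 1 for i in range(4, -1, -1)]


def crc16(data):
    """Gen2 CRC-16 (CRC-16/GENIBUS): x^16+x^12+x^5+1, preset 0xFFFF, output inverted."""
    reg = 0xFFFF
    for byte in data:
        reg ^= byte << 8
        for _ in range(8):
            reg = ((reg << 1) ^ 0x1021) if reg & 0x8000 else (reg << 1)
            reg &= 0xFFFF
    return reg ^ 0xFFFF


def query_command(dr=0, m=0, trext=0, sel=0, session=0, target=0, q=0):
    """Assemble the 22-bit Gen2 Query: 4-bit command code 1000, 13 field bits, CRC-5."""
    fields = [(0b1000, 4), (dr, 1), (m, 2), (trext, 1), (sel, 2),
              (session, 2), (target, 1), (q, 4)]
    bits = [(v >> i) & 1 for v, w in fields for i in range(w - 1, -1, -1)]
    return bits + crc5(bits)


if __name__ == "__main__":
    q = query_command(q=4, session=1)
    decoded, trcal = pie_decode(pie_encode(q))
    print("Query:", "".join(map(str, decoded)), "TRcal:", trcal, "us",
          "CRC-5 residue zero:", crc5(decoded) == [0] * 5)
    print("CRC-16(b'123456789') = %04X" % crc16(b"123456789"))
```

Running the block round-trips a Query through encoder and decoder and checks it by the zero-residue property of the CRC-5. A data symbol longer than RTcal, or an RTcal outside 2.5–3.0 Tari, is rejected by the decoder; these are the kinds of frame alteration that the fault campaign described further on has to classify.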
[Fig. 4: block diagram of the reader. The MCIP (configurable microcontroller), with its Program Memory and Data Memory, is connected through the Data Bus to the Transmitter (output), the Receiver (input), the I/O Port, Timer0 and the UART]
4 Physical Implementation
Both the tag and the reader circuits, together with all the defined modules, were
completely validated in simulation. A physical implementation test was then carried
out by implementing the tag and the reader in a single FPGA with a wired connection
between the two, which therefore emulates an ideal RFID channel. For this
implementation we used the Digilent Genesys board, which includes a Virtex-5
FPGA (Fig. 5).
An oscilloscope is used to visualise the communication between the tag and the
reader. Figure 6 shows the signals captured while the reader sends the commands
that bring the tag into the Open state.
[Fig. 6: oscilloscope capture of the reader–tag exchange: the reader's Query followed by the tag's RN16 reply in FM0]
A fault emulation system for evaluating RFID tag robustness and security is derived
from the developed platform and from the approach presented in [12]. This system
(Fig. 7) contains two tag–reader pairs implemented on a single FPGA together with
a fault emulation mechanism that permits the emulation of transient faults, including
single or multiple bit upsets (SBU, MBU) and single event transients (SET). Faults
are injected into one tag while the other is kept fault-free. In addition, the present
solution excludes radio-frequency communication by implementing both readers
and tags on a single FPGA. This choice greatly simplifies the emulation process
while keeping the analysis valid, since the tag behaviour is deliberately left
unaffected by this exclusion [13].
As illustrated in Fig. 7, the fault emulation system includes specific monitoring
circuits that control the readers, the tags and the communication between them.
This structure delivers information about the injected faults and their effects. Fault
injection is carried out by a module based on a VHDL fault injection technique [14].
In addition, an emulation controller manages every system component and
synchronises the emulation process [15].
1118 I. Mezzah et al.
[Fig. 7: fault emulation system with its emulation controller]
An exhaustive single-SEU analysis is then performed on the targeted tag, following
the communication scenario illustrated in Fig. 6. In this scenario the reader starts
by sending a Select command; after the necessary inventory and access steps, the
tag finally replies with its handle and enters the Open state. For every flip-flop (FF)
within the tag, a single fault is injected at every clock cycle, except the cycles during
which the tag remains idle, since faults injected there produce the same result. Each
of the 314 tag FFs was thus subjected to 6598 SEUs, so 314 × 6598 = 2,071,772
SEUs were autonomously introduced and analysed in this experiment.
According to their effects, injected faults are classified into five categories:
1. Silent (S): communication scenario achieved with no error detected.
2. Frame Alteration (FA): communication scenario achieved, but in the presence of frame alteration.
3. Latent (L): communication scenario achieved, but with memory content altered, which may in turn produce a failure in later cycles.
4. Latent with Frame Alteration (L&FA): as Latent, but in the presence of frame alteration.
5. Failure (F): communication scenario not achieved.
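To make the campaign and the classification concrete, here is an added, constructed model, not the authors' emulation system (which targets every flip-flop of the synthesised tag on the FPGA): a Gen2 tag state machine with four register bits, one reader command per emulated cycle, a single bit flip per (cycle, flip-flop) pair, and a classifier for the categories that exist without frames (S, L, F) plus the major errors “enter Secured state” and “enter Killed state”. The state encodings, the scenario, the password flag and the function names are assumptions of the example; the frame-alteration categories (FA, L&FA) cannot occur in a model that has no frames, and the model has no idle cycles to skip.

```python
"""Exhaustive single-SEU campaign over a constructed, simplified model of an
EPC Gen2 tag state machine.  Added illustration of the methodology in the text,
not the authors' emulation system: the real campaign targets every flip-flop
of the synthesised tag, this model has four register bits and no frames."""
from itertools import product

# Gen2 tag states; the 3-bit encodings are an assumption of this model
READY, ARBITRATE, REPLY, ACKNOWLEDGED, OPEN, SECURED, KILLED = range(7)
VALID_STATES = set(range(7))

# Register file of the model: a 3-bit state register plus one flag FF recording
# "access password is non-zero" (Gen2: Req_RN from Acknowledged goes to Open
# when the access password is non-zero and directly to Secured when it is zero).
FFS = [("state", 0), ("state", 1), ("state", 2), ("pwd_nonzero", 0)]

# Constructed scenario, one command per emulated cycle.  The text's scenario
# ends at Open; a Read is appended so the Open state itself is exposed to faults.
SCENARIO = ["Select", "Query", "ACK", "Req_RN", "Read"]


def step(state, pwd_nonzero, cmd):
    """Next state of the simplified Gen2 tag for one reader command."""
    if state == KILLED:
        return KILLED                    # a killed tag never responds again
    if state not in VALID_STATES:
        return READY                     # assumption: an unused encoding resets the tag
    if cmd == "Select":
        return READY                     # Select resets every non-killed tag
    if cmd == "Query":
        return REPLY                     # assumption: slot counter is always zero
    if cmd == "ACK":
        return ACKNOWLEDGED if state == REPLY else state
    if cmd == "Req_RN":
        if state == ACKNOWLEDGED:
            return OPEN if pwd_nonzero else SECURED
        return ARBITRATE if state == REPLY else state
    if cmd == "Read":
        return state if state in (OPEN, SECURED, READY) else ARBITRATE
    raise ValueError(cmd)


def run(inject=None, pwd_nonzero=1):
    """Run SCENARIO, optionally flipping FF `inject=(cycle, ff_index)` just before
    that cycle's command.  Returns (final_state, final_pwd_flag, visited_states)."""
    state, visited = READY, []
    for cycle, cmd in enumerate(SCENARIO):
        if inject is not None and inject[0] == cycle:
            reg, bit = FFS[inject[1]]
            if reg == "state":
                state ^= 1 << bit
            else:
                pwd_nonzero ^= 1 << bit
            visited.append(state)        # the flipped value is a state the tag is in
        state = step(state, pwd_nonzero, cmd)
        visited.append(state)
    return state, pwd_nonzero, visited


def classify(result, golden):
    """S (silent), L (latent: scenario achieved but the register file differs from
    the fault-free run) or F (failure), plus the set of major errors observed."""
    state, pwd, visited = result
    major = set()
    if SECURED in visited:
        major.add("enter Secured state")
    if KILLED in visited:
        major.add("enter Killed state")
    achieved = state in (OPEN, SECURED)  # the tag handed out a handle
    if not achieved:
        return "F", major
    if (state, pwd) != golden[:2]:
        return "L", major
    return "S", major


def campaign():
    """One SEU per (cycle, FF) pair, as in the exhaustive campaign of the text
    (#injections = #cycles x #FFs).  Returns (category counts, major error counts)."""
    golden = run()
    counts, majors = {"S": 0, "L": 0, "F": 0}, {}
    for cycle, ff in product(range(len(SCENARIO)), range(len(FFS))):
        cat, major = classify(run(inject=(cycle, ff)), golden)
        counts[cat] += 1
        for m in major:
            majors[m] = majors.get(m, 0) + 1
    return counts, majors


if __name__ == "__main__":
    counts, majors = campaign()
    print("injections:", len(SCENARIO) * len(FFS), counts, majors)
```

The flag flip-flop that records a non-zero access password is the most dangerous single FF in this model: flipping it at any cycle before Req_RN drops the tag straight into Secured with no password ever exchanged, which is exactly the class of error the text rates as a serious security threat, and it is counted as Latent rather than Failure because the scenario still completes.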
Table 3 summarises the errors deduced from the campaign. They are divided into
major and minor errors according to their impact on tag security and reliability;
note that one fault may produce several errors at the same time. Minor errors have
a limited impact on the tag. For example, with the ‘valid altered frame’ error, frames
either contain non-destructive encoding faults or are delayed, without corrupting
the scenario or breaking the communication. The remaining minor errors may be
recovered at the next interrogation or when a new round is initiated. The major
errors, although a minority (eight in total), are damaging because tag security and
data contents are affected. The ‘enter into the Secured state’ error is a serious
security threat, since it can lead to protected data being delivered or altered
without authorisation. The errors ‘enter into the Killed state’ and ‘change of tag
memory content’, also classed as major, were not detected in the exhaustive
injection performed.
6 Conclusion
References
9. EPCglobal Inc. (2008) EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID, Protocol for Communications at 860–960 MHz, Version 1.2.0, October 2008. http://gs1.org
10. Mezzah I, Chemali H, Mezzah S, Kermia O, Abdelmalek O (2015) MCIP: high configurable 8-bit microcontroller IP-core. In: 2015 Science and Information Conference (SAI), London, pp 1387–1390
11. EPCglobal Inc. (2015) EPC Radio-Frequency Identity Protocols Class-1 Generation-2 Version 2 UHF RFID, Protocol for Communications at 860–960 MHz, Version 2.0.1, April 2015. http://gs1.org
12. López-Ongil C, García-Valderas M, Portela-García M, Entrena L (2007) Autonomous fault emulation: a new FPGA-based acceleration system for hardness evaluation. IEEE Trans Nucl Sci 54(1):252–261
13. Mezzah I, Chemali H, Kermia O (2017) Emulation-based fault analysis on RFID tags for robustness and security evaluation. Microelectron Reliab 69:115–125
14. Lala PK (2012) Transient and permanent fault injection in VHDL description of digital circuits. Circ Syst 3(2):192–199
15. Mezzah I, Kermia O, Chemali H, Abdelmalek O, Beroulle V, Hély D (2013) Assertion based on-line fault detection applied on UHF RFID tag. In: 2013 8th IEEE Design and Test Symposium, Marrakesh, pp 1–5