Low Frequency Antenna

Discuss commercial and home made antennas.
evelyette
Posts: 6
Joined: Sun Dec 24, 2017 12:59 pm

Low Frequency Antenna

Post by evelyette » Sun Dec 24, 2017 1:18 pm

Hi,

I'm a beginner with SDR and signal processing in general, but have been reverse engineering, fuzzing and security checking for more than a decade - I've also attended a highly technical signal processing class at my university, so things shouldn't be too hard for me (in theory). However, we never actually did anything signal-related in real time with existing gadgets, etc. Therefore, I would like to get involved in this in order to expand my horizons, and I've already bought the following:

- HackRF
- Spyverter v2

I would like to record 125 kHz frequencies, since supposedly my car key transponder works at that frequency. I have the following car key: http://www.digital-kaos.co.uk/forums/sh ... 3373067B-C and the transponder documentation is here: http://www.mouser.com/catalog/specsheet ... 1__C,1.pdf .

Basically, I'm thinking I would do the following:

1. Connect a low-frequency antenna to SpyVerter in order to be able to receive the signal sent from my car key to the car.
2. Connect SpyVerter to HackRF, which will then be able to receive frequencies from 1 kHz to 60 MHz (advertised here: https://airspy.com/spyverter-r2/)
3. Use HackRF to receive upconverted frequencies: the SpyVerter will upconvert the frequencies to the frequency that HackRF is able to work with, which is 1 MHz to 6 GHz.

Then I would use gnuradio-companion (or any software) to record the signal, analyze it and possibly create my own car key for my car only. This would be an interesting and useful learning exercise to get myself familiarized with all the components required to do such a thing.

I would like to know what your input is on the challenge and whether I'm missing something that I should address. Also, I was wondering what a good low-frequency antenna, that would enable me to record/transmit 10kHz frequencies would be - I found the following https://www.ebay.com/itm/Mini-Whip-HF-V ... 1576908470, but I'm not sure whether it is any good.

I would be glad if anybody can suggest an antenna that I could connect to SpyVerter v2 in order to receive low-frequencies.

Thank you
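
As an added illustration of what the recording step in this plan would yield (example code, not from the post): the transponder datasheet quoted later in the thread says data is sent by modulating the LF field, so a recording of the 125 kHz carrier can be decoded by envelope detection once the SpyVerter offset has been removed. The amplitude (load) modulation, the bit period, the modulation depth and the 2 MS/s sample rate below are assumptions for the constructed signal, not values from the datasheet.

```python
import math
import random

CARRIER_HZ = 125_000        # the LF carrier discussed in the thread
SAMPLE_RATE = 2_000_000     # assumed SDR sample rate of the recording (16 samples per cycle)
CYCLES_PER_BIT = 32         # assumed bit period, not from the datasheet
MOD_DEPTH = 0.5             # assumed load-modulation depth for a "0" bit
SAMPLES_PER_BIT = SAMPLE_RATE * CYCLES_PER_BIT // CARRIER_HZ   # 512


def synth_field(bits, noise=0.0, seed=1):
    """Constructed stand-in for a recording: the 125 kHz carrier, amplitude-keyed by `bits`."""
    rng = random.Random(seed)
    out = []
    for b in bits:
        amp = 1.0 if b else 1.0 - MOD_DEPTH
        for _ in range(SAMPLES_PER_BIT):
            t = len(out) / SAMPLE_RATE
            out.append(amp * math.cos(2 * math.pi * CARRIER_HZ * t) + noise * rng.gauss(0, 1))
    return out


def envelope(samples, window):
    """Envelope detector: rectify, then average over a sliding window of `window` samples."""
    ring = [0.0] * window
    acc = 0.0
    env = []
    for i, s in enumerate(samples):
        r = abs(s)
        acc += r - ring[i % window]
        ring[i % window] = r
        env.append(acc / window)
    return env


def decode(samples):
    """Slice the envelope at the centre of each bit period; assumes at least one '1' bit is present."""
    env = envelope(samples, SAMPLES_PER_BIT // 4)      # window of 8 carrier cycles
    n_bits = len(samples) // SAMPLES_PER_BIT
    levels = [env[i * SAMPLES_PER_BIT + SAMPLES_PER_BIT // 2] for i in range(n_bits)]
    threshold = max(levels) * (1 - MOD_DEPTH / 2)      # halfway between full and damped carrier
    return [1 if lvl > threshold else 0 for lvl in levels]


if __name__ == "__main__":
    pattern = [1, 0, 1, 1, 0, 0, 1, 0]
    print(decode(synth_field(pattern, noise=0.05)))   # → [1, 0, 1, 1, 0, 0, 1, 0]
```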

snn47
Posts: 167
Joined: Tue Dec 27, 2016 11:00 pm

Re: Low Frequency Antenna (<400 kHz)

Post by snn47 » Sun Dec 24, 2017 2:34 pm

If it is your own key you want to receive, a small loop in close proximity should be sufficient to couple enough energy into your Rx.

For large wavelengths (2400 m at 125 kHz, longer at lower frequencies) even a quarter-wave antenna is already large, even for military uses. Therefore the antenna needs to be mechanically shortened, for which there are the following options:

- The quick and dirty method is a potato antenna. Roll off some thin copper wire from a discarded transformer, thread it through a potato and throw it into a tree. It's nearly invisible and will fit through a closed window without breaking. Use, if you have them, metal water pipes as ground. I was able to receive the DCF77 time signal on 77.5 kHz in Europe, about 100 km away, that way.

- Coils on ferrite rods, as found in varying sizes in AM radio receivers, the size matched to the case of the radio. You can also find reports of some people packing many ferrites together into a larger ferrite core. Mainly Litz wire is used, which can be hard to find today.

- Magnetic (loop) antennas using coils on a non-conducting frame. Such pickup coils were long used on top of old detector radios, again made of Litz wire. A lot of information can be found e.g. here https://translate.google.com/translate? ... edit-text=http://www.fading.de/rahmenantenne.php Rahmenantenne means frame antenna, which is another designation for a multi-turn magnetic (loop) antenna.

- Active antennas, which consist of a short whip or potato antenna acting as a capacitance that is then amplified, as used in very short car antennas or at the input of frequency counters.

As for most things related to antennas and TRx you will find ideas and guidance in the HAM radio literature.
vy 73
_.. .._. ..... .__. _.__

PS: Depending on the transmitters in the area you live in, you may have to make the antennas resonant / tune them with a capacitor to eliminate interference from power lines and switching power supplies, or overloading from broadcast stations.

evelyette
Posts: 6
Joined: Sun Dec 24, 2017 12:59 pm

Re: Low Frequency Antenna

Post by evelyette » Mon Dec 25, 2017 1:23 am

Hi, thank you for the detailed answer. You've specified a potato/loop antenna that can be used. However, I'm looking for an antenna that I can buy (I don't wish to make my own antenna at this stage), which is also compatible with HackRF/SpyVerter.

Therefore, if somebody knows any antennas compatible with the hardware that I already own, I would be forever grateful if they could specify them here.

rtlsdrblog
Site Admin
Posts: 2283
Joined: Mon Nov 19, 2012 11:54 pm

Re: Low Frequency Antenna

Post by rtlsdrblog » Wed Dec 27, 2017 2:19 am

If you're pressing the button on your keyfob at close range then all you'd need is probably a wire antenna. The signal should be strong enough at close range.

Otherwise you could just get an RFID reader, take the coil and solder it to a standard SMA connector. Then you can connect it to your HackRF easily, e.g. https://www.aliexpress.com/item/UART-12 ... xMEALw_wcB

snn47
Posts: 167
Joined: Tue Dec 27, 2016 11:00 pm

Re: Low Frequency Antenna

Post by snn47 » Thu Dec 28, 2017 9:02 pm

If you want to buy an active antenna that uses a whip (0.02 m) which is very short in relation to the wavelength at the lower frequency end (15 000 m), look here
http://www.bonito.net/boni-whip/en/index.html
or from R&S
https://www.rohde-schwarz.com/us/produc ... 72072.html

For those who want more information on electrically short antennas (passive and active) for general application, look here https://synergymwave.com/articles/2016/ ... tation.pdf
R&S 8GE02: Active Antennas for Radiomonitoring
https://cdn.rohde-schwarz.com/pws/dl_do ... toring.pdf
Active antenna overview
http://www.g8jnj.net/activeantennas.htm

evelyette
Posts: 6
Joined: Sun Dec 24, 2017 12:59 pm

Re: Low Frequency Antenna

Post by evelyette » Wed Jan 03, 2018 1:55 am

Hi, first of all, thank you for the provided answers. I have studied them, which was quite fun, but now I have a couple of additional questions.

1. Reading Signal: From what I can gather, I have three choices to obtain the RFID signal sent from the car key to the car:

a. RFID reader: Use RFID reader directly without using HackRF. Can I connect with the https://www.aliexpress.com/item/UART-12 ... 69610.html via USB or how do I get the data from the reader to the computer?
b. Use 125 kHz RFID antenna + HackRF: The red thing http://wiki.seeed.cc/125Khz_RFID_module-UART/ is the external antenna, right? Then I can use that antenna, which I have to solder to an SMA connector, which is then connected to HackRF.
c. Low-frequency Antenna: I can buy an antenna like http://www.bonito.net/boni-whip/en/index.html and connect it directly to the HackRF. Will this provide me with equivalent data as using the RFID reader?

I'm basically interested if these are all alternative ways to obtain the communication details between the transponder and the car.

2. Android: I've tried reading the RFID with my Android phone by using an NFC reader application and Android's built-in NFC. However, the phone wasn't able to read anything when pressing the car key buttons to lock/unlock the car while holding the phone nearby. Is this the case because the car key transponder operates at 125 kHz (RFID LF), but the phone only works at 13.56 MHz (RFID HF)?

3. Antenna-less: If the car key is in close proximity to the HackRF, do I even need an antenna to record the signal? I'm guessing that this would be the case only for HackRF-supported frequencies, which are from 1 MHz to 6 GHz. Therefore, without a proper antenna, HackRF will not be able to record frequencies at 125 kHz, right?

4. Passive/Active RFID: This is the transponder datasheet: http://www.mouser.com/catalog/specsheet ... 1__C,1.pdf . Does anybody know whether active or passive RFID is used? I'm guessing it's using active RFID, since the car key has a battery of its own.

5. RFID communication: How are the data packets exchanged between the transponder (car key) and receiver (car)? During their communication, is the master key exchanged, or are there only challenge-response data packets, i.e. the car sends a challenge that the car key uses as input together with the master key to determine the response, which it sends back to the car (therefore the master key is not exchanged between the two)? Does this imply that the car key has a master key stored in firmware, which means that if I extract the firmware from the car key, I'll be able to obtain the master key, which can consequently be used to lock/unlock the car?

I realize some questions are not antenna/signals related, but if you know at least some of the answers I'll be glad to hear the answers - no need to provide all of the answers.

Thank you,

rtlsdrblog
Site Admin
Posts: 2283
Joined: Mon Nov 19, 2012 11:54 pm

Re: Low Frequency Antenna

Post by rtlsdrblog » Wed Jan 03, 2018 5:23 am

evelyette wrote:
Wed Jan 03, 2018 1:55 am
Hi, first of all, thank you for the provided answers. I have studied them, which was quite fun, but now I have a couple of additional questions.

1. Reading Signal: From what I can gather, I have three choices to obtain the RFID signal sent from the car key to the car:

a. RFID reader: Use RFID reader directly without using HackRF. Can I connect with the https://www.aliexpress.com/item/UART-12 ... 69610.html via USB or how do I get the data from the reader to the computer?
b. Use 125 kHz RFID antenna + HackRF: The red thing http://wiki.seeed.cc/125Khz_RFID_module-UART/ is the external antenna, right? Then I can use that antenna, which I have to solder to an SMA connector, which is then connected to HackRF.
c. Low-frequency Antenna: I can buy an antenna like http://www.bonito.net/boni-whip/en/index.html and connect it directly to the HackRF. Will this provide me with equivalent data as using the RFID reader?

I'm basically interested if these are all alternative ways to obtain the communication details between the transponder and the car.

Yes you can use either of those antennas, and the red thing is the antenna. You'll still need to solder it to an SMA connector though.

2. Android: I've tried reading the RFID with my Android phone by using an NFC reader application and Android's built-in NFC. However, the phone wasn't able to read anything when pressing the car key buttons to lock/unlock the car while holding the phone nearby. Is this the case because the car key transponder operates at 125 kHz (RFID LF), but the phone only works at 13.56 MHz (RFID HF)?

Yes, if the frequencies are different the Android reader won't pick it up, as whatever chip is inside is not designed to receive the lower frequency.


3. Antenna-less: If the car key is in close proximity to the HackRF, do I even need an antenna to record the signal? I'm guessing that this would be the case only for HackRF-supported frequencies, which are from 1 MHz to 6 GHz. Therefore, without a proper antenna, HackRF will not be able to record frequencies at 125 kHz, right?

You'll need an antenna for sure. But if the keyfob is close enough to the HackRF then even the standard whip antenna included with the HackRF might be able to pick it up.

4. Passive/Active RFID: This is the transponder datasheet: http://www.mouser.com/catalog/specsheet ... 1__C,1.pdf . Does anybody know whether active or passive RFID is used? I'm guessing it's using active RFID, since the car key has a battery of its own.

Had a quick read, it says "The Security Transponder derives its power supply from the magnetic field (LF field) established by the basestation. No additional battery supply is needed. Data is transmitted by modulating the LF field."

5. RFID communication: How are the data packets exchanged between the transponder (car key) and receiver (car)? During their communication, is the master key exchanged, or are there only challenge-response data packets, i.e. the car sends a challenge that the car key uses as input together with the master key to determine the response, which it sends back to the car (therefore the master key is not exchanged between the two)? Does this imply that the car key has a master key stored in firmware, which means that if I extract the firmware from the car key, I'll be able to obtain the master key, which can consequently be used to lock/unlock the car?

Not sure, there's probably tons of papers and app sheets on this subject though.

I realize some questions are not antenna/signals related, but if you know at least some of the answers I'll be glad to hear the answers - no need to provide all of the answers.

Thank you,
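
Added example, not from the thread or the transponder datasheet, of the challenge-response scheme evelyette sketches in question 5: the car issues a fresh random challenge, the key answers with a keyed function of that challenge and the shared secret, and the secret itself never crosses the air, so a recording yields only challenge/response pairs and a replayed response fails against a new challenge. The 16-byte nonce, the 16-byte response and the use of truncated HMAC-SHA256 are assumptions standing in for whatever the real transponder implements.

```python
import hashlib
import hmac
import secrets

class Car:
    """Base station side: holds the shared secret and issues single-use challenges."""

    def __init__(self, shared_key):
        self._key = shared_key
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(16)   # assumed 128-bit random nonce
        return self._pending

    def verify(self, response):
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()[:16]
        self._pending = None                       # each challenge is accepted at most once
        return hmac.compare_digest(expected, response)

class Transponder:
    """Key side: answers a challenge with a keyed hash; the secret is never transmitted."""

    def __init__(self, shared_key):
        self._key = shared_key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()[:16]

def run_session(car, key, tap):
    """One exchange; `tap` collects the two messages an SDR beside the car would record."""
    c = car.challenge()
    tap.append(("car->key", c))
    r = key.respond(c)
    tap.append(("key->car", r))
    return car.verify(r)

def demo():
    """Returns (genuine session accepted, secret seen on the air, replayed response accepted)."""
    secret = secrets.token_bytes(16)
    car, key = Car(secret), Transponder(secret)
    tap = []
    accepted = run_session(car, key, tap)
    leaked = any(secret in msg for _, msg in tap)  # constructed capture never carries the key
    car.challenge()                                # a new session means a new nonce
    replayed = car.verify(tap[1][1])               # the old response no longer matches
    return accepted, leaked, replayed

if __name__ == "__main__":
    print(demo())                                  # → (True, False, False)
```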

evelyette
Posts: 6
Joined: Sun Dec 24, 2017 12:59 pm

Re: Low Frequency Antenna

Post by evelyette » Wed Jan 03, 2018 10:45 am

rtlsdrblog wrote:
Wed Jan 03, 2018 5:23 am
1A. Yes you can use either of those antennas, and the red thing is the antenna.

Preferably I would like to solder the wires inside the cable to some kind of connector in order to connect to the WHITE connector of the antenna as presented here - so I can easily connect/disconnect the antenna without statically soldering it together. Any ideas how that white connector is called, so I can search for it on ebay?


1B. You'll still need to solder it to an SMA connector though.

Is there any sketch anywhere about how to solder the SMA-male to the connector of the antenna. I've ordered this https://www.ebay.co.uk/itm/162699354838 cable and I plan to cut the cable in half, but afterwards I'm not sure how many wires are inside or how to solder them onto the antenna.

2. Yes if the frequencies are different the Android reader wont pick it up as whatever chip is inside is not designed to receive the lower frequency.

Yes this is the case as specified here: https://news.samsung.com/global/everyth ... newest-nfc - it only supports 13.56MHz.


3. You'll need an antenna for sure. But if the keyfob is close enough to the HackRF then even the standard whip antenna included with the HackRF might be able to pick it up.

How is a HackRF operating at 1 MHz - 6 GHz and a standard antenna operating at 75 MHz - 1 GHz able to pick up a signal being sent at 125 kHz? The frequencies of the HackRF or the antenna don't support it?

4. Had a quick read, it says "The Security Transponder derives its power supply from the magnetic field (LF field) established by the basestation. No additional battery supply is needed. Data is transmitted by modulating the LF field."

Does this mean the transponder is a passive RFID, which gets energy from the car RFID counterpart? As such, the battery in the car key is needed only to calculate whatever the key is supposed to do, but the energy for the actual transmission of data comes from the car itself?

rtlsdrblog
Site Admin
Posts: 2283
Joined: Mon Nov 19, 2012 11:54 pm

Re: Low Frequency Antenna

Post by rtlsdrblog » Wed Jan 03, 2018 11:09 pm

Coax is very simple, it's just two wires, the inner wire and the shield. Solder the red wire to the inner wire, and the black wire to the shield.

Not sure what the white header is called, but it's a very typical, probably 2.57mm, header. There are no adapters from that to SMA as far as I know. You'd have to rig up your own PCB to create an adapter.

Antennas are tuned for a specific frequency range, but that doesn't mean that they won't pick up stuff outside the range, especially if the signal is close and strong.

For the keyfob, I guess the car excites the RFID part with its own transmitter. So if you want to investigate the RFID part you'll also need some way to excite the RFID yourself if doing it outside of the car. Either that, or just bring the keyfob to the car. The battery is probably for the buttons on the remote, which work with a different signal.

jagdap
Posts: 1
Joined: Wed Jan 10, 2018 9:39 pm

Re: Low Frequency Antenna

Post by jagdap » Wed Jan 10, 2018 9:44 pm

If you'd like a very nice summary about FOBs and their RFID interactions with the vehicle, I recommend the following article:

"Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars" by Aurélien Francillon, Boris Danev, Srdjan Capkun <https://eprint.iacr.org/2010/332.pdf>

For my vehicle (purchased in the USA), the transmissions from the FOB are at 315 MHz, while the transmissions from the vehicle are in the RFID range (130 kHz-ish).
