Looking into hacking/rolling my own RFID reader. How big of an undertaking is that?

Thread Starter

strantor

Joined Oct 3, 2010
5,912
This is a brand new idea, I've done very little research. As is my usual process, I post here before having done much research, so that my research might be guided by the responses I get.

Here's the backstory:
At work I developed a system based around this RFID reader to read the ISO10374/AEI/ATA 902 to 928 MHz UHF RFID tags that are affixed to railcars. The system is installed at a railcar unloading position and will not allow the automated unloading process to begin unless the correct railcar is positioned per an online schedule. I have installed several of these systems and there are several more planned in the coming months. I requested lead time on an additional several units and was told that the current estimate of first availability is the end of March 2022, but that date has already been pushed back a few times. This is to do with the whole "chip shortage" debacle. There are only a handful of manufacturers that make readers explicitly stated to support this niche ISO10374/AEI/ATA physical/air interface protocol, and all of them are way more expensive and are also on extreme backorder. I am stuck and need a way to move forward sooner than (at best) March 2022.

Here are the ideas I've had so far, (list is in its infancy, open to other suggestions):
  • Get a commercial RFID reader that works in the 902 to 928 MHz UHF but that doesn't advertise compatibility with railcar tags, and hope it accidentally works or else hack it into submission.
  • Order one of every RFID dev kit, shield, hat, module, etc. that there is, that works in the 902 to 928 MHz UHF range, and hope that one of them is sufficiently barebones that the ability to read railcars hasn't already been designed out of it.
  • Get some kind of SDR kit (I know almost nothing about SDR, or radio for that matter) and maybe I could design some functionality for reading railcar tags with it.
  • Throw up my hands in defeat
Any feedback on my ideas? Which way would you go?

Thread Starter

strantor

Joined Oct 3, 2010
5,912
One more idea to add to the list now that I've spent a few hours researching:
  • Use an ordinary commercial RFID reader that works in the 902 to 928 MHz UHF range but doesn't advertise compatibility with railcar tags; it probably won't read them, but it will still stimulate the tag so it sends out a signal, and I can sniff that signal with an SDR.

Thread Starter

strantor

Joined Oct 3, 2010
5,912
No thoughts? I guess I'm blazing a new trail then...
I will update this post in the future with whatever I end up finding out, in case anyone else finds it helpful.

Thread Starter

strantor

Joined Oct 3, 2010
5,912
Alright, some engagement! Love it! (Thank you).
Regarding the two links, were you able to view the actual documents?

> After a brief search, it seems that your greatest challenge is going to be making said reader work at such high frequencies ... Have you taken a look at this document?

^This one links to ieee.org, which requires an organization login, which I don't have.

> And here's another paper dealing with the same subject.

^This one links to ee.washington.edu, but I get a "page not found" error.

> Bingo? ... this module works at a range of 902.75-927.25 MHz ... definitely worth a serious look
Regarding that module and all (nearly all) similar modules/dev kits/finished products for UHF RFID, they are geared towards the ubiquitous ISO 18000-63 (EPC Class 1 Gen 2 / Gen 3) air protocol. This is what people are talking about 99% of the time when they talk about UHF RFID. These products will not read a railcar tag (ISO10374) (AKA AEI) (AKA ATA) (AKA AAR), although speaking in terms of hardware, per my understanding they theoretically should be able to. The reader I linked to in the OP is among this group that can only read the ISO 18000-63 EPC tags, but is unique among its peers in that by purchasing and entering an unlock code that costs more than the reader itself, you can now magically read railcar tags.

(following paragraph is mostly conjecture) I believe the firmware in these devices is what limits them. I think the difference is in the response format from the tag, and I think that these ISO18000-63 EPC readers do indeed see the response from the railcar tags, but it is in some alien format that they're not programmed to recognize, so the response gets ignored as nonsense on a level lower than what the user/developer typically has access to and there is no indication that any tag was found at all. The format for railcar tags is very simple; I believe much simpler than the ISO18000-63 EPC stuff and predates it by a few decades - I've attached the spec (only a couple of pages are relevant, section 4 through 6). If I could find a UHF RFID dev kit that is so barebones that it doesn't even have firmware, I believe I could design a system around it that is capable of reading railcars. Or, if I can find one for which you can access/modify/hack the firmware, then also there is a chance. I do not have confidence that I could design a working RF circuit from scratch though; at least not on a timeline that makes sense. I need to start with something that already "works."

For that reason, at this moment I am leaning towards buying something like what you linked; a generic, low-cost UHF RFID module that is meant for ISO18000-63 EPC just like everything else, and just power it on, not even connecting any comms to it. Its job is just to power on and energize the tags. Then use something like a HackRF or BladeRF SDR device as a "sniffer" between antenna and tag, to get the tag ID in a manner similar to what is described here. There are already some repositories online (ex: AdamLaurie/Gen2-UHF-RFID-Reader) from folks who have already done that and/or similar, but again their efforts were in the direction of ISO18000-63 EPC tags, and were more about scanning/cloning access cards. So I would still need to come up with the means to decode the ISO10374 format.

I have purchased a few different used/outdated ISO10374 RFID readers for cheap on eBay in hopes that one of them will power on and actually work (in which case I'll probably just use them) or at least power on and have a way to Telnet/SSH into them and look for clues as to how they decode the ISO10374 format.