Pet implant (RFID) reader

Thread Starter

akke

Joined Dec 17, 2015
77
I have serveral (6) Surepet Surefeed Connect RFID feeders for my cats. They read RFID implants of the cat, and it only opens the bowls when the right cat is at the right feeder. It's this device: https://www.surepetcare.com/en-eu/pet-feeder/microchip-pet-feeder-connect

Now, this works, more or less but it's quite unstable. Because of that I'm thinking about removing the PCB and creating something custom instead. Using an arduino. That way I can completely customize it to my needs and connect it to a local application for datalogging.

I don't have experience with RFID readers so I'm thinking about buying this RFID reader board: https://www.ebay.com/itm/284550130560
It should return the cat's chip ID over a serial connection.

The only thing I'm not sure of:
Can I use the original RFID coil/antenna of the Surefeed Connect and just connect it to this PCB? Or does it neet to match the inductance of the included antenna/coil? Or can the PCB be adjusted to match that antenna/coil?

There's a teardown of the surepet feeders here: https://fccid.io/XO9-MPF001-001/Internal-Photos/Internal-Photos-2431846

It looks like there aren't many PCB's out there for reading RFID pet tags. So, I do hope this one will work.

Any help / suggestion is much appreciated!

Thanks
 
Last edited:

Thread Starter

akke

Joined Dec 17, 2015
77
Why do you think you can do better than the manufacturer at reading the tag?

The problem I have with the device is that it's connected to the manufacturers cloud. There is no way to make the device connect to my own application for datalogging (amount eaten, when eaten, ....). Besides this, their cloud and/or app has many problems. It doesn't always report when the cat has eaten or reports are being sent like an hour later.
These are problems I can certainly do better than the manufacturer does.

Reading the RFID tags works quite well so I don't think I will be able to read the tags better. I would be happy if I can read them equally good. It's just the other features of the device, like explained above, that are my biggest issue with the device.
 

Ya’akov

Joined Jan 27, 2019
9,237
Ah, when you said:

"Now, this works, more or less but it's quite unstable. Because of that I'm thinking about removing the PCB and creating something custom instead. Using an arduino. That way I can completely customize it to my needs and connect it to a local application for datalogging."

I took it to mean the reader was “unstable”.

Because of the sensitivity of RF to impedance matches, I think you might need to do one of two things:

1. Try it. If it works, well... then works.

2. Get a TinyVNA and check the antenna's impedance. If it’s not a match, you could make a matching network for it. This could be done after 1 fails, if it does.

A third thing that I would personally try is to reverse engineering the PCB and see if I bend it to my will. If the chip is identifiable, this could actually be reasonably easy.

I might even start by seeing if I could hijack the protocol used to talk to the cloud. Wireshark, some creative DNS, and a little code and it might be usable.
 

Thread Starter

akke

Joined Dec 17, 2015
77
I already tried reverse engineering the RF protocol. It's a modified zigbee protocol but the payload seems random for every same event. So it must be encrypted somehow. I was unable to somehow get any usable data out of it so I gave up.

The HUB itself is making connection to surepet's cloud using SSL connections and it refuses to connect to my own server (using DNS changes like you suggested). So, sadly, it's not possible to make it connect to anything except the servers of surepet. It's pinned to their own SSL certificate.

The HUB is running a PIC microchip. I already tried reading the firmware using a pickit but the chip is read-protected so I was unable to download the firmware binary (which I wanted to byte patch and upload a patched version).

So it looks like their product is secured quite decently and won't allow me to get data from it in any way.

I'm not sure what a TinyVNA is exactly. I guess I can measure the impedance of the antenna with it.
I can buy something like that but I'm not quite sure what you mean with "build a matching network for it". Do you mean winding a new antenna in the surefeed feeder?


I haven't checked the PCB of the surefeed feeder yet and chances are quite high it's running on a pic microchip too. It'll be read-protected most likely but writing a new firmware for it should be possible. Except that it won't be easy to know how everything is connected and how to make the rf reader work. I know it's quite a full pcb with lots of components. So I still think creating something from scratch would be easier to build.
 

Ya’akov

Joined Jan 27, 2019
9,237
I already tried reverse engineering the RF protocol. It's a modified zigbee protocol but the payload seems random for every same event. So it must be encrypted somehow. I was unable to somehow get any usable data out of it so I gave up.

The HUB itself is making connection to surepet's cloud using SSL connections and it refuses to connect to my own server (using DNS changes like you suggested). So, sadly, it's not possible to make it connect to anything except the servers of surepet. It's pinned to their own SSL certificate.

The HUB is running a PIC microchip. I already tried reading the firmware using a pickit but the chip is read-protected so I was unable to download the firmware binary (which I wanted to byte patch and upload a patched version).

So it looks like their product is secured quite decently and won't allow me to get data from it in any way.

I'm not sure what a TinyVNA is exactly. I guess I can measure the impedance of the antenna with it.
I can buy something like that but I'm not quite sure what you mean with "build a matching network for it". Do you mean winding a new antenna in the surefeed feeder?


I haven't checked the PCB of the surefeed feeder yet and chances are quite high it's running on a pic microchip too. It'll be read-protected most likely but writing a new firmware for it should be possible. Except that it won't be easy to know how everything is connected and how to make the rf reader work. I know it's quite a full pcb with lots of components. So I still think creating something from scratch would be easier to build.
Well, seems that you‘ve tried the things I would. I might add trying Ettercap to make a man-in-the-middle attack on the TLS connection, but that’s less likely to be useful since you’d still have to use their cloud everytime.

I was imaging they are using an RFID ASIC that has some kind of data I/O (serial, SPI, I²C, etc.). In that case, I’d just leave the MCU out of it and leave power and required passives in place, cutting the traces to anything I wasn’t going to reuse. This depends on an identifiable, documented chip which, by way of Bayesian thinking, has about a 50% chance of being the case.

NanoVNA is a very small, inexpensive, open source Vector Network Analyzer which can make various measurements of antennas and transmission lines. It’s really quite a thing since a VNA before NanoVNA was a five figure item at least. Obviously, it‘s not as good as one of those but it has an extremely high level of utility.

A(n impedance) matching network is a circuit that has one impedance on one end and a different one of the other resulting in a match between otherwise mismatched impedances. It is frequency dependent and there are many ways to make them The chosen method will depend on the power it will have to handle an the wavelength of the target signal.
 

Thread Starter

akke

Joined Dec 17, 2015
77
I tried "mitmproxy" instead of Ettercap and poisoned DNS entries but the HUB is disconnecting right after making the https connection. So it must be validating the certificate with it's own CA and refuses to connect. It's common and recommended practice these days but it makes it impossible for me to make the HUB connect to anything else except surepet's server.

Using ettercap won't help as the HUB will close connection anyway. Ettercap won't be able to sniff any data.


Now, regarding the VNA: How exactly would one measure the inductance of this RFID coil/antenna? I just hook it up to the VNA and it will tell me the inductance? So if I buy this cheap device I can at least measure the inductance and if it's quite different than the antenna/coil from the chinese PCB there's an option to make it match using some circuit. (and I guess you can help with that after I measured the antenna's?)
 

Ya’akov

Joined Jan 27, 2019
9,237
I tried "mitmproxy" instead of Ettercap and poisoned DNS entries but the HUB is disconnecting right after making the https connection. So it must be validating the certificate with it's own CA and refuses to connect. It's common and recommended practice these days but it makes it impossible for me to make the HUB connect to anything else except surepet's server.

Using ettercap won't help as the HUB will close connection anyway. Ettercap won't be able to sniff any data.


Now, regarding the VNA: How exactly would one measure the inductance of this RFID coil/antenna? I just hook it up to the VNA and it will tell me the inductance? So if I buy this cheap device I can at least measure the inductance and if it's quite different than the antenna/coil from the chinese PCB there's an option to make it match using some circuit. (and I guess you can help with that after I measured the antenna's?)
It’s impedance that you are going to measure. You will have to compare the antennas at the frequency of interest. If the new antenna’s impedance is different from the existing one, one of the matching methods will have to be employed to match the old antenna to the new reader.
 

MisterBill2

Joined Jan 23, 2018
19,033
I am wondering about what part of the operation is "unstable." I frequently take care of a family of three cats, which one of them uses that same feeder, and I have not seen any signs of other than correct operation. Of course, this is with it set to feed one cat of the three and deny the other two any access.
So I am really wondering about what the claimed unstable part is. I am also wondering about the additional uses, such as the external monitoring, are claimed for the device. Just what is it claimed to be able to do? Does it do all of those things adequately?
 
Top