218C - ANSEL aTOMs

RFID Spoof, a.k.a. "God Mode"

At some point in the project, we started wondering about how the Security Controller worked, and whether it was actually necessary to obtain a new security key from the security controller to capture an atoll.  The teaching staff assured us that it would not be possible to reuse security keys, and moreover the rules explicitly state that in order to capture an atoll we must obtain a new security key from the Security Controller every time.  We didn't want to violate protocol!

Finding the gray area

What we did want to do however, was find another way to trick the atolls into being captured for our team, without having to physically travel to the atoll and scan its RFID card.  We decided to take the route, therefore, of actually faking an entire RFID scan.  Our plan was to trick both the Security Controller and our own PIC that interfaced with the RFID reader that an atoll card had been scanned. 
By measuring the two relevant outputs of the RFID reader (the LED line and the Transmit line) during several scans, we found that the following sequence of events occurs (with specific timing) every time a card is scanned:
  1. At T = 0ms, the LED line goes high.
  2. At T = 11ms, the RFID reader begins transmitting the 14 bytes of scan data, including the 12 bytes of ASCII-encoded serial number and checksum, on its Transmit line at (9600,N,8,1).  At the natural end of this transmission the Transmit line goes idle.
  3. At T = 160ms, the LED line returns low.
This is quite a simple signal to fake!

Implementation

Picture
RFID Reader (left) next to our God Mode (right)
We coded a PIC (see our Code page for source code) that would produce the required LED line timing and Transmit a serial number over UART.  To generate the required transmissions, we hardcoded the 14-byte ASCII data and checksum corresponding to the serial number of one of each atoll's RFID cards.  We built a small board containing this PIC and the required pin setup to actually plug the board into the socket intended for the RFID reader (in theory we could have built a system where the RFID reader and our spoof chip acted in parallel, but we didn't quite have the spare time).  Please check out our ACV Electronics page for a schematic.
On a certain trigger input, our "God Mode" chip would sequentially generate fake scan data for each of the five atolls, about half a second apart.  This data was sent to the Security Controller and our own RFID chip, fooling them into thinking each atoll card had actually been scanned.  Our ACV would then go through the capture sequence for each atoll, and since each security key was new and valid, each atoll would be captured in turn.

Execution

Here is a demo of us capturing all five atolls near simultaneously, using God Mode:
We never did use God Mode during an exhibition match that we played in, however we did use it mercifully during another match.  While one team was unfortunately down 5-0, we secretly joined their team and, near the end of the match, activated God Mode and successfully captured all 5 atolls for their cause.  Since nothing was at stake during these matches, this was all done (and received, when we revealed our secret) in good fun.  It's just another great application of Smart Product Design, right?