A Comprehensive Study on the RFID Technology of Delhi Metro Cards

In this paper, the authors analyse RFID technology, the different types of tags and readers, and the various protocols associated with RFID. We read, write and dump the raw bytes from the MIFARE Classic Card using an RC522 and an Arduino Mega. The Delhi Metro Card uses MIFARE DESFire, which uses Triple DES (3DES) for encryption. In this paper, we also read the data structure of the Delhi Metro Card and compare the MIFARE Classic Card with the MIFARE DESFire Card.


Fig 1. Typical RFID System
The goal of Automatic Identification & Data Capture can also be achieved by Barcodes [3] or QR codes [4].
Barcodes and QR codes are used in many similar use cases, but they require line of sight to work. RFID tags don't require a direct line of sight; they only need to be in the proximity of the reader. That proximity is close for passive tags and 100s of meters for active readers. Delhi Metro Cards use RFID technology for entering, exiting, recharging etc. Our paper is a compilation of the analysis of RFID technology in general and its implementation in MIFARE Classic Cards and MIFARE DESFire Cards (Delhi Metro Cards).

RFID Design

Tags
RFID tags consist of three components: an antenna (used for receiving or transmitting the signal), a substrate, and a microchip (an Integrated Circuit (IC) which is used to store the information, process it, and generate the Radio-Frequency (RF) signals) [5][6]. The RFID tag can have either programmable or fixed logic to process and transmit the data. Tags can also be classified based on their read-write properties. A read-only tag has only a factory-assigned Unique Identification (UID) or serial number, which can be used as a key for doors or databases. Read-write tags can be rewritten by the system user for future upgrades or updates. Write-once-read-multiple tags can be used in markets, offices etc.

Readers
Active Reader Passive Tag (ARPT) [7] is an RFID system where the reader is active. The reader transmits interrogator signals and receives the replies from the passive tags. Active Reader Active Tag (ARAT) [7] is an RFID system in which both the reader and the tag are active. The active tag in this system is pinged and awoken by the interrogator signal from the active reader. Passive Reader Active Tag (PRAT) [7] is an RFID system where the reader is passive: it only receives radio signals. An active tag is a battery-operated tag. A PRAT RFID system can have a range from 1-200 feet.

Signalling
Signalling between the tag and the reader can be done in different ways, depending on the frequency band used by the tag. Tags that operate on Low-Frequency and High-Frequency bands need to be, in terms of radio wavelength, very near to the reader antenna. Tags that use Ultra-High-Frequency use a different approach (backscattering) because they are more than 1 radio wavelength away from the reader. [8]

UID/Serial Number
The first 9 bytes of the memory store the 7-byte Unique Identification (UID) and 2 check bytes. They cover the pages with addresses 00h, 01h, and 2 bytes of 02h. The Integrated Circuit (IC) manufacturer programs these bytes. For security reasons, these bytes are write-protected. Fig 4 [11] shows the UID/Serial Number data block.

Memory Organisation
The 512-bit EEPROM memory is spread across 16 pages of 4 bytes each. EEPROM cells are read as logic 0 (erased state) and logic 1 (written state).
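
The layout described in the UID/Serial Number and Memory Organisation sections can be checked on a dump. The following is an added example, not code from the paper or its script [17]. It assumes the MIFARE Ultralight byte order (check bytes at offsets 3 and 8) and the ISO/IEC 14443-3 cascade tag 0x88 in the first check byte; SAMPLE_DUMP and parse_uid are names and data constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4     /* bytes per page (from the text) */
#define PAGE_COUNT  16    /* pages in the EEPROM (from the text) */
#define CASCADE_TAG 0x88  /* assumption: ISO/IEC 14443-3 cascade tag */

/* Constructed sample dump (not from a real card); unlisted pages are zero. */
static const uint8_t SAMPLE_DUMP[PAGE_COUNT * PAGE_SIZE] = {
    0x04, 0xA1, 0xB2, 0x9F,  /* page 00h: UID0 UID1 UID2 BCC0 */
    0xC3, 0xD4, 0xE5, 0xF6,  /* page 01h: UID3 UID4 UID5 UID6 */
    0x04, 0x48, 0x00, 0x00,  /* page 02h: BCC1, internal byte, 2 other bytes */
};

enum { UID_OK = 0, UID_SHORT_DUMP = -1, UID_BAD_BCC0 = -2, UID_BAD_BCC1 = -3 };

/* Extract the 7-byte UID from the first 9 bytes and verify both check bytes. */
int parse_uid(const uint8_t *dump, size_t len, uint8_t uid[7])
{
    if (dump == NULL || len < 9) return UID_SHORT_DUMP;
    /* BCC0 = cascade tag XOR UID0..UID2, stored as the 4th byte of page 00h */
    if ((CASCADE_TAG ^ dump[0] ^ dump[1] ^ dump[2]) != dump[3]) return UID_BAD_BCC0;
    /* BCC1 = UID3 XOR UID4 XOR UID5 XOR UID6, stored as the 1st byte of page 02h */
    if ((dump[4] ^ dump[5] ^ dump[6] ^ dump[7]) != dump[8]) return UID_BAD_BCC1;
    memcpy(uid, dump, 3);          /* UID0..UID2 from page 00h */
    memcpy(uid + 3, dump + 4, 4);  /* UID3..UID6 from page 01h */
    return UID_OK;
}

int main(void)
{
    uint8_t uid[7];
    int rc = parse_uid(SAMPLE_DUMP, sizeof SAMPLE_DUMP, uid);
    for (int p = 0; p < PAGE_COUNT; p++) {
        const uint8_t *b = SAMPLE_DUMP + p * PAGE_SIZE;
        printf("page %02Xh: %02X %02X %02X %02X\n", (unsigned)p, b[0], b[1], b[2], b[3]);
    }
    if (rc != UID_OK) { printf("check bytes do not match (code %d)\n", rc); return 1; }
    printf("UID:");
    for (int i = 0; i < 7; i++) printf(" %02X", uid[i]);
    printf("\n");
    return 0;
}
```

A mismatch in either check byte indicates a corrupted read or a dump that does not follow this layout, so the UID should not be trusted in that case.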

Module RC522
The RC522 is a 13.56 MHz RFID module that is based on the MFRC522 controller by NXP Semiconductors. Fig. 5 shows (a) RC522, (b) MIFARE Classic Card, (c) Key Fob (Token). RC522 can also support various communication protocols like I2C [13], SPI [14] and UART [15]. Fig. 6 shows the circuit diagram of the connections between RC522 and Arduino Mega that we used in our experiments. Fig. 10 shows the data dump of the MIFARE Classic Card which we extracted using our script [17]. Fig. 10 also shows that the MIFARE Classic Card has 16 sectors of 64 bytes each.

Result and Conclusions
We