“Reverse Engineering a passive UHF RFID Tag” was a tutorial given at IEEE RFID 2016. The talk was motivated by the fact that the EPC Gen2 protocol is available publicly, but the ISO-18000 documents are not. The tutorial is “mostly correct” technically; however, the audience was expected to be mostly RF/Radar people, the talk is very light on the circuit details.

There are several errors on the OTA slides due to poor copying; so, caveat lector, if it the schematic looks wrong: it is. The table for the 130 process also has “um” where I should have had “nm”.

03 MAY 2016Brian Degnanhttp://users.ece.gatech.edu/~degs

ReverseEngineeringapassiveUHFRFIDTag

Whynot?

BrianDegnan,Ph.D.

What’sthisabout?

• AparAalimplem

entaAonGen2forUHFRFID

• Whytheelectronicsideisrelevant.

• Components(sam

ebutdifferent)• System

componentsandbounding

theproblem

• CircuitintuiAon

TheTagSystem

• Gen2:860MHz-960M

Hzsub40kHz-640kHz• PassivelyPow

ered~20ktransistors

gSystematalink

Why

other?• IhaveW

ISPs!• Icanjustputaba\eryonit.• IcannottaketheAm

etodesignfrom

scratch• Rem

ovalofconstraintsopensinnovaAon

EnergyStorage• 1000J~1m

^2sunlightsecondsecond

• 100Jreleasedfrom

ahuman

persecond• U

SAuses4W

EIRP

MooreM

oreMooreLess

AssumpAons:

--Transistorsscaling--Processingpow

ercorrelatestotransistors

Moore’soriginalgraph.

Degnanetal,AssessingTrendsinPerform

anceperWa\forSignalProcessingApplicaAons

TVLSI2014

Howthingsusedtobe.

Advantages

• SuperiorPowerPerform

ance• SuperiorProcessingPow

er

A130nmProcess

eviceReview:

ransistor

• MOSFETisoneofm

anydevices.• Voltagecontrolledcurrentsource• Theinputlookslikeacapacitor• M

ulApleoperaAngregimes

• Mathem

aAcsandphysicsaresimple,but

realityisterrible.

TransistorSymbols

nFET@130nm

• SubVth

• AboveVthGraph:65nmnFETgatesw

eepfromIBM

’s65nmadverAsem

ents.

CompactEKVM

odel

Boundingaprocess

Diodes

DiodeConnectedMOSFET

LinearCapacitor

• Linearityisexcellent• Frequencyresponseisexcellent• ChargeDensityisLow

DepleAonCapacitor

• Linearityisvariable• Frequencyresponseisvariable• ChargeDensityisexcellent

(n)MOSC-Vcurveox

C

depC

Depletion

oxC

Inversion

max

,m

in,

min

, min

,m

in

w

here

d

Sidep

depox

depox

XC

CC

CC

C

ε≡

+=

ox oxox

tC

ε≡

d Sidep

XC

ε≡

Systemesign

• HarvestEnergy• Createastablepow

ersupply• ResettheSystem

• Decodetheincom

ingdatastream

• Respondtothedecodeddata

Gen2Protocol

Gen2Waveform

Exam

ple Tag 0.5mm

2Tag:Digital~30%

EEPRO

M~20%

RF+DCreg~20%

Others(RN

G,ChargePum

p,supportfuncAons):30%

Barnetetal,APassiveU

HFRFIDtransponderforEPCGen2in0.13umCM

OS(TI

sgen2tag)ISSCC2007

EnergyHarvesAng

nergyarvesAng

• Num

berofstages• ReceivedEnergy• CurrentLoad• EtCetera

Wuetal,

MOSChargePum

psforLow-VoltageO

peraAonJSSCC1998

owerRegulator

DigitalPOR

emodulaAon

DataExtracAon

PRNG

• SRAMIniAalState

• ThermalN

oise• O

scillatorSampling

OscillatorSam

pling

ModulatedResponse

QuesAons?