Gregory's ServerTo use the Montreal subway, you tap a paper ticket against the turnstile and it opens. But how does it work? And how can the ticket be so cheap that it's disposable? I opened up the tiny NFC chip inside to find out more... 1/15
 58 comments
Underneath the paper coating, the subway ticket contains a thin plastic sheet with a foil antenna printed on it. In the lower right, the tiny black speck is the NFC chip that makes it work. 3/15 The chip is about the size of a grain of salt. I took this photo under a microscope showing the NFC chip next to some salt. The black squares in the corner are where the antenna was attached. 4/15 How does the card work without a battery? The reader sends a signal through its antenna to the card's antenna. This signal both transmits data and powers the card. The two antennas are so close that they are coupled magnetically rather than by radio. 5/15 The card doesn't transmit a signal back. Instead it changes its antenna load, causing the card to absorb more or less energy from the reader. The reader detects this "load modulation", allowing it to receive data from the card without the card using power to transmit data. 6/15 I dissolved the chip's metal and oxide layers to reveal the chip's underlying silicon, showing the layout of its transistors. 7/15 This block diagram from the datasheet shows the components of the card. The RF interface is the analog circuitry connected to the antenna. The card stores 48 bytes (the ticket info) in the EEPROM. The digital circuitry accepts commands to read and write the EEPROM. 8/15 Most of the chip is digital logic, implemented with standard-cell circuitry, but there's lots of analog circuitry to handle the antenna signal. The four bond pads are where the antenna is attached. 9/15 Many chips use standard-cell circuitry. A program converts the logic description into rows of standardized blocks (NAND gates, flip-flops, etc.) and lays out the metal wiring between them. Much faster than creating an optimized layout by hand. 10/15  @kenshirriff Does this mean that the back-end has a database of all issued tickets (identified by their UID), and whether they have been tapped in and/or out?   @kenshirriff "load modulation" is carrier modulation. The carrier is a side effect of the interrogation signal. Any carrier is merely a baseline reference in the time domain. To suggest that the return signal does not emanate from the chip because it is powered by the interrogator is a weird perspective to me.  @kenshirriff Have you seen Hannah Frye's "How stuff works" video (I think that's what it was called) on NFC credit cards? @kenshirriff Have you seen Hannah Fry's "Secret Genius of Modern Life" video where she explains how contactless payments work using induced currents? It was fascinating! https://www.youtube.com/watch?v=UpMlUQI9KsY  @kenshirriff Ooo, the Soviets had a bug placed in the US embassy back in the day which used the same principle, if memory serves. Clever!    @kenshirriff The printed gold chip is because the real Opus Card for Sekteurs A et B is a plastic card with a gold chip. I noticed that too, when I started in MTL in 2018. There is even a chip card reader obtainable from the STM (which will be phased out by the end of the month.  @kenshirriff Excellent read. Do you want an actual Opus card? I have a couple that have "expired". I'd be happy to send one or two for science.  @kenshirriff nice work. So they just use a conventional wire bond and glob-top over it or is there something else going on for the antenna connections? Maybe some sort of thick film metalization these days? @kenshirriff Great work! π π€© π  @kenshirriff i ask myself, how am i going to abuse this thing to make music?! NICE teardown! Thank you (out of the depths of my binary ripple counting heart)! @kenshirriff I seem to remember reading about someone who took the chip from an Oyster card (usable on London Transport) and attached it to a wand, so that they could open the tube gates as if by magic!  @kenshirriff very cool thread. it dovetails really nicely with a book i'm reading - Chip War by Chris Miller. but, i'm still sad that we dont reuse more stuff. ugh. @kenshirriff i think the most pressing question from the community is: can i install and play DOOM on it? π Awesome work, thanks. π @kenshirriff  @kenshirriff Quite disposable. @kenshirriff this is so cool! I was recently wondering the same since the metro in Rome, Italy, uses the same mechanism  @kenshirriff Disposable RFID chips might be whatβs required to actually do #plastic #recycling The type of plastic canβt be identified by people readily enough. It has to be done by machine. Printing RFID chips that simply contain recycling instructions on the paper labels would go a long way.  @kenshirriff I have been negligent in failing to mention how much I appreciate these deep dive reverse engineering threads. Great work!   @kenshirriff There are some talks on reverse engineering those. @kenshirriff Here in the future, we use our personal pocket computer devices to tap on and off the trains/buses. Some even use their personal wrist-mounted computer devices.  Super cool, now I know. Always wondered how "paper" bus passes and such, worked π @kenshirriff Montrealer here if you want more tickets or local information. I also have a fairly large collection of transfers from the previous system if you'd like some, but they are paper/analog stuff. @kenshirriff Thank you for this! Really appreciated the article and the resulting HN discussion :)  @kenshirriff Whereas, to use the #Ottawa LRT, you call an Uber because it's probably not running. @kenshirriff Disney Parks use these on soda cups to stop people from getting too many refills. At least they did the last time I went to one in 2015. @kenshirriff Amazing blog post, thanks a lot Ken! I've been working for more than 10 years in NFC applications (software backend side) and I am still amazed that these things work at all!  @kenshirriff Even at 10ct/ticket, why dispose this? The subway in Chinese cities uses RFIDs, too. Either as rechargeable card, or as token for one ride (the token is round and plastic). The one-ride token is collected when you leave the subway. Given that the cheapest ride there is just 20ct, not wasting the 10ct for the token seems reasonable. @kenshirriff This is officially the most interesting post I've seen on mast that wasn't culture/race related. I kinda/mostly knew how RF antenna stuff worked, but not at this level of detail or how cheap it's become. I remember when the Sun Java ring was the mad hotness and you could store your coffee preferences in it to order by touching a reader at the Java conference. Dang, I kinda want one now.  @kenshirriff @kenshirriff Seems wonderful, well, excepted for the "throw it in a paper bin where it won't be correctly recycled" |
The Montreal MΓ©tro uses this paper ticket for occasional use. The gold chip is completely fake, just printed ink. But there's a different chip hidden inside... 2/15