Gregory's ServerThe Montreal Métro uses this paper ticket for occasional use. The gold chip is completely fake, just printed ink. But there's a different chip hidden inside... 2/15
|
23 comments
 The chip is about the size of a grain of salt. I took this photo under a microscope showing the NFC chip next to some salt. The black squares in the corner are where the antenna was attached. 4/15 How does the card work without a battery? The reader sends a signal through its antenna to the card's antenna. This signal both transmits data and powers the card. The two antennas are so close that they are coupled magnetically rather than by radio. 5/15 The card doesn't transmit a signal back. Instead it changes its antenna load, causing the card to absorb more or less energy from the reader. The reader detects this "load modulation", allowing it to receive data from the card without the card using power to transmit data. 6/15 I dissolved the chip's metal and oxide layers to reveal the chip's underlying silicon, showing the layout of its transistors. 7/15 This block diagram from the datasheet shows the components of the card. The RF interface is the analog circuitry connected to the antenna. The card stores 48 bytes (the ticket info) in the EEPROM. The digital circuitry accepts commands to read and write the EEPROM. 8/15 Most of the chip is digital logic, implemented with standard-cell circuitry, but there's lots of analog circuitry to handle the antenna signal. The four bond pads are where the antenna is attached. 9/15 Many chips use standard-cell circuitry. A program converts the logic description into rows of standardized blocks (NAND gates, flip-flops, etc.) and lays out the metal wiring between them. Much faster than creating an optimized layout by hand. 10/15  @kenshirriff Does this mean that the back-end has a database of all issued tickets (identified by their UID), and whether they have been tapped in and/or out?   @kenshirriff "load modulation" is carrier modulation. The carrier is a side effect of the interrogation signal. Any carrier is merely a baseline reference in the time domain. To suggest that the return signal does not emanate from the chip because it is powered by the interrogator is a weird perspective to me.  @kenshirriff Have you seen Hannah Frye's "How stuff works" video (I think that's what it was called) on NFC credit cards? @kenshirriff Have you seen Hannah Fry's "Secret Genius of Modern Life" video where she explains how contactless payments work using induced currents? It was fascinating! https://www.youtube.com/watch?v=UpMlUQI9KsY  @kenshirriff Ooo, the Soviets had a bug placed in the US embassy back in the day which used the same principle, if memory serves. Clever!    @kenshirriff The printed gold chip is because the real Opus Card for Sekteurs A et B is a plastic card with a gold chip. I noticed that too, when I started in MTL in 2018. There is even a chip card reader obtainable from the STM (which will be phased out by the end of the month.  @kenshirriff Excellent read. Do you want an actual Opus card? I have a couple that have "expired". I'd be happy to send one or two for science. |
Underneath the paper coating, the subway ticket contains a thin plastic sheet with a foil antenna printed on it. In the lower right, the tiny black speck is the NFC chip that makes it work. 3/15