Tesis de Maestria - A RFID Collision Avoidance Framework based on SDR

A RFID Collision Avoidance Framework
using SDR
by
Bruno Fernando Espinoza Amaya
Department of Electrical and Computer Engineering, University of Queensland
Submitted for the Degree of
Master of Computer Science
June, 2015

i
43388116
89 Zetland Street, Upper Mount Gravatt, QLD, Australia
15/06/2015
Prof Paul Strooper
Head of School
School of Information Technology and Electrical Engineering
The University of Queensland
St Lucia QLD 4072
Dear Professor Strooper,
In accordance with the requirement of the Degree of Master of Computer Science in
the School of Information Technology and Electrical Engineering, I submit the following
thesis entitled
“A RFID Collision Avoidance Framework using SDR”
The thesis was performed under the supervisor of Dr. Konstanty Bialkowski. I declare
that the work submitted in thesis is my own, except as acknowledged in the text and
footnotes, and has not been previously submitted for a degree at The University of
Queensland or any other institution.
Yours sincerely
_____________________________

ii
Acknowledgements
First, I would like to express my thanks to my supervisor, Dr. Konstanty Bialkowski, for
the guidance and support he provided during the course of this project. He always
answers my questions and helped to made things clear, so this thesis would not have
been possible without his continuous guidance.
Second, I would like to acknowledge the Peruvian Government for the scholarship
award and its support for getting certain materials for this project.
Last but not least, I would like to thank my family for the continuous support during the
entire degree at the University of Queensland.

iii
Abstract
This proposed project is to implement a RFID Framework for testing collision recovery
in the ISO 1800-6C Standard. According to this standard, tags reply to a RFID reader
which then decodes the replied information to access information of the tag. However,
in high throughput RFID systems, there is a need of reading a large number of tags in a
short amount of time. When more than one tag replies to a reader at any given time, a
situation called Collision is caused. Because the collision consists on multiple tags
replying, the encoding of the standard is violated, and the RFID reader cannot decode
it. Therefore the reader fails to read the tags and must restart the process, degrading
the overall performance of the entire RFID system. Although the standard implements
collision avoidance, to lower the probability of collisions happening, they cannot be
avoided completely and currently, according to the standard, there is no way of recover
information once the collision actually happens.
This research focuses on developing a framework to test collision resolution, which is a
technique that uses advance signal processing for trying to recover a valid Tag signal
from the collision. To implement this technique, a simulation model based on Software
Defined Radio (SDR) was developed. The developed framework implements a RFID
Listener, a RFID Signal Generator and a RFID Collision Model. The RFID Listener
decodes signals according to the standard and its implementation along with the RFID
Signal Generator was based on an existing open-source RFID SDR Reader. The
implementation was done in MATLAB, with compatibility with Octave software. The
Collision Model used the developed components from the Listener and Signal
Generator to simulate tag collision under a variety of scenarios, such as SNR,
amplitude and phase shift.
As for the SDR model, experiments were done with real RFID tags that complies with
the ISO 1800-6C standard. The experiments were done with the USRP1 device and
the RFID SDR Reader based on the open source stack GNU Radio.
It was found that from the four standardized encoding schemes for ISO 1800-6C RFID,
the one which perform best with FastICA based recovery was Miller M=2, while FM0
was the one which perform worst with a bad recovery rate even at high SNR. The
results were validated with experiments done with real tags that comply with the
simulated scenarios.

iv
Contents
Acknowledgements ........................................................................................................................ii
Abstract .........................................................................................................................................iii
List of Figures................................................................................................................................ 1
List of Tables ................................................................................................................................. 2
1. Introduction................................................................................................................................ 3
1.1 Background: ........................................................................................................................ 3
1.2 Goals, Aims and Advantages:............................................................................................. 4
2. Background ............................................................................................................................... 5
2.1 RFID: ................................................................................................................................... 5
2.1.1 Types of RFID: ............................................................................................................. 5
2.1.2 Privacy and Security Issues with RFID: ....................................................................... 6
2.1.3 The EPC Standard: ...................................................................................................... 6
2.1.4 Tag/Reader Collision:................................................................................................... 8
2.1.5 Anti-Collision Algorithms: ............................................................................................. 8
2.2 The ISO 18000-6C Standard:.............................................................................................. 9
2.2.1 The Tag: ..................................................................................................................... 10
2.2.2 Tag States and Commands:....................................................................................... 11
2.2.3 Q-Protocol: ................................................................................................................. 15
2.2.4 EPC Gen2 Timing Constraints: .................................................................................. 17
2.3 Blind Source Separation:................................................................................................... 17
2.3.1 Independent Component Analysis (ICA):................................................................... 18
2.3.2 FastICA Algorithm: ..................................................................................................... 20
3. Literature Review .................................................................................................................... 21
3.1 Model Research: ............................................................................................................... 21
3.2 Collision Avoidance Research:.......................................................................................... 21
3.3 Blind Signal Separation Research: ................................................................................... 22
3.4 SDR Research: ................................................................................................................. 23
4. System Design, Methods and Procedures.............................................................................. 25
4.1 Overall Design:.................................................................................................................. 25
4.2 SDR RFID Reader:............................................................................................................ 25
4.2.1 RFID Reader Components:........................................................................................ 26
4.2.2 Parameterizing the RFID Reader:.............................................................................. 26
4.2.3 The Issue of Latency: ................................................................................................. 27
4.3 RFID Signal Generation: ................................................................................................... 28
4.3.1 Reader Signals:.......................................................................................................... 28
4.3.2 Tag Commands:......................................................................................................... 30

v
4.4 RFID Listener: ................................................................................................................... 31
4.4.1 RFID Reader Decoding (PIE Decoding): ................................................................... 32
4.4.2 RFID Tag Decoding (Backscattering Decoding): ....................................................... 33
4.4.3 Command Parsing:..................................................................................................... 36
4.5 RFID Collision and Recovery Model: ................................................................................ 37
4.6 Collision Detection Model:................................................................................................. 44
4.7 SDR Considerations:......................................................................................................... 46
5. Testing, Results and Discussions ........................................................................................... 48
5.1 Testing and Verification:.................................................................................................... 48
5.1.1 Encode/Decode a 16 bits number into a Tag:............................................................ 48
5.1.2 Generate a RFID Signal and its Decoding:................................................................ 49
5.1.3 Decoding a Real RFID Signal: ................................................................................... 49
5.1.4 Generate a model for FastICA collisions recover:...................................................... 49
5.1.5 Validate the model by doing real life recovery of signals: .......................................... 50
5.2 Results:.............................................................................................................................. 50
5.2.1 Encoding / Decoding of RN16 Numbers: ................................................................... 50
5.2.2 Generate an RFID Signal:.......................................................................................... 51
5.2.3 Decoding a Real RFID Signal: ................................................................................... 53
5.2.4 Generate a FastICA Model Collision Recovery:......................................................... 55
5.2.5 Recovery of Real Life Collision Signals: .................................................................... 57
6. Conclusions and Future Recommendations ........................................................................... 61
6.1 Future Recommendations:................................................................................................ 61
6.1.1 Using Amplifiers to extend range: .............................................................................. 61
6.1.2 Use of different SDR Devices and More Antennas:................................................... 61
6.1.3 Real Time FastICA Recovery:.................................................................................... 61
6.1.3 Future Applications:.................................................................................................... 61
6.2 Conclusions:...................................................................................................................... 62
Appendices.................................................................................................................................. 63
Appendix A .................................................................................................................................. 63
Appendix B .................................................................................................................................. 64
Appendix C.................................................................................................................................. 65
Bibliography................................................................................................................................. 66

1
List of Figures:
Figure 1: Overview of an RFID system. ........................................................................................ 5
Figure 2: The Collision Problem.................................................................................................... 8
Figure 3: Tag Status Flow Chart. ................................................................................................ 12
Figure 4: SELECT Command Architecture. ................................................................................ 15
Figure 5: Slot selection for tags upon a QUERY command........................................................ 16
Figure 6: Tag response to a QUERY command. ........................................................................ 16
Figure 7: Buettner’s SDR RFID Reader Block Diagram ............................................................. 27
Figure 8: RFID Reader Preamble and Sync Frame.................................................................... 29
Figure 9: FM0 and Miller Baseband basic functions and State Diagrams.................................. 31
Figure 10: Finite State Machine for PIE Decoding...................................................................... 32
Figure 11: Finite State Machine for Tag Decoding...................................................................... 34
Figure 12: Finite State Machine for the RFID Listener................................................................ 37
Figure 13: Collision between two tags without time and amplitude shift..................................... 38
Figure 14: Collision between two tags with amplitude shift but without time shift....................... 39
Figure 15: Collision between two tags with amplitude and time shift.......................................... 40
Figure 16: FastICA recovery of a RFID Tag signal with a collision between 2 tags. .................. 41
Figure 17: FastICA recovery of a RFID tag signal without collision. (1 tag was present)........... 43
Figure 18: FastICA recovery of a RFID tag signal with a collision between 3 tags. ................... 43
Figure 19: Output of the absolute value of the Derivative after a Median Filter on the former
RFID signals from Figure 16. ...................................................................................................... 45
Figure 20: Generated RN16 value using FM0 Encoding, SNR of 26 and a RN16 value of 59845.
(0xE9C5). .................................................................................................................................... 50
Figure 21: Generated RFID Signal with a Tag backscatter and the ACK command. (No EPC
reply was modelled). Tari value was 24 uS................................................................................. 51
Figure 22: Real RFID signal recorded from the USRP1 device. (Only 1 tag was present). ....... 53
Figure 23: Generated collision and recovered RN16 signals...................................................... 56
Figure 24: Tag Error Rate results from the generated FastICA Collision Recovery over all the
available modulation types of ISO1800-6C under different SNR levels...................................... 56
Figure 25: Collision on the two RX antennas and recovery after the FastICA algorithm on a real
life signal recorded from a USRP1 device. Two tags were present............................................ 57
Figure 26: Collision on the two RX antennas and recovery after the FastICA algorithm on a real
life signal recorded from a USRP1 device. Four tags were present. .......................................... 60
Figure 27: Distribution of the Tags, RX and TX antennas and the SDR device used for this
project.......................................................................................................................................... 65

2
List of Tables:
Table 1: Types of RFID with some characteristics........................................................................ 6
Table 2: RFID UHF overview. ....................................................................................................... 7
Table 3: Differences between EPC Gen1 and EPC Gen 2........................................................... 7
Table 4: Minimum distance across antennas................................................................................ 8
Table 5: FastICA basic algorithm. ............................................................................................... 20
Table 6: Implemented RFID command for the framework.......................................................... 29
Table 7: RFID Reader Decoding................................................................................................. 33
Table 8: Pseudocode for the RFID Tag Decoding. ..................................................................... 36
Table 9: Outcome of the logical levels on RFID Backscattering in a collision of 2 tags. ............ 37
Table 10: Pseudocode for the FastICA recovery based on correlation scores........................... 43
Table 11: Pseudocode for the Collision Checking. ..................................................................... 45

4
handling via SDR, allowing testing to further improve ISO 18000-6C on tag intensive
scenarios, opening the door to future improvements on ISO 1800-6C and RFID
technology in general.
1.2 Goals, Aims and Advantages:
The aim of this project is to create a framework that allows testing on the collision
recovery by using FastICA.
In order to achieve a successful project and meet all the deadlines specified, clear
goals must be defined to avoid working out of the scope of this research.
The goals for this thesis project are as follows:
• Develop an ISO 18000-6C RFID software defined radio listener system which
can decode RFID signals in the environment.
• Evaluate the suitability of ICA to resolve collision on RFID signals.
• Implement an RFID software defined radio listener with support of ICA to allow
real time collision resolution.
• Evaluate the implementation performance versus a commercial RFID reader to
see how well this approach performs.

5
Chapter 2
Background
2.1 RFID:
RFID stands for Radio-Frequency Identification and consist in the use of radio
frequencies to identify a certain object. RFID is not a technology on itself, but a group
of them, because of the way different types of radio signals behave and also due to the
different approaches that are considered in the design of such systems. RFID systems
consist of an interrogator or reader, a transponder or tag and antennas. (Figure 1)
Normally most RFID systems do not operate on it own, but instead are part of a more
large system, such a Enterprise Resource Planning (ERP) or a Warehouse
Management System (WRP), altough there is need of a system that integrate RFID into
these systems, that is called Middleware. [1]
Figure 1: Overview of an RFID system. [1]
2.1.1 Types of RFID:
RFID system uses frequencies bands from the range of 100 kHz to 6 GHz. [1] The
actual frequencies are not arbitrary and are based on a mix of regulations and the
actual needs for the system. The most common used frequencies are the following:
• 125/134 kHz (LF)
• 13.56 MHz (HF)
• 860 – 960 MHz (UHF)
• 2.4 – 2.5 GHz (UHF)
The classes of the RFID are mostly divided on the frequency, so we can talk about LF,
HF and UHF RFID. Each type of RFID has a different performance based on the
limitations and performance of the radio signals at a given spectrum. A summary is
below:
Type of RFID Base
Frequency
Observations
LF RFID 125/134 kHz Water and skin does not have any effect on RFID
operation due to the wavelength. / Lower
bandwidth. / Larger antennas. / Lower range.

6
HF RFID 13.56 MHz Thin metals can stop signal propagation. Water
and skin have some effect on the signals. / Lower
bandwidth. / Smaller antennas. / Lower range.
UHF RFID 860 – 960 MHz Minimal propagation through water and skin act
as a barrier. / Higher bandwidth. / Smaller
antennas. / Large range.
2.4 – 2.5 GHz
Table 1: Types of RFID with some characteristics. [4]
Another way of classifying the RFID systems is by how the RFID tags are implemented.
We can talk about Passive RFID tags, which are the ones with no battery or external
energy source on them and work by using only the reader signal to activate themselves.
Semi-passive tags are the one which works with both the reader signal and an
external energy source on them. Finally, Active tags are tags that work exclusively
with an external energy sources, and therefore they can be considered complete radio
devices. [5]
2.1.2 Privacy and Security Issues with RFID:
RFID technology is practically everywhere, with applications in broad areas such as
tolling, transport, inventory control, security and many others. [5] However, there are
some issues with the technology that a present challenge to its implementation.
First problem is the “Ghost Read”, that is noise that can be mistaken by a legitimate
RFID signal. This is a serious issue in inventory and security systems, because of the
nature of the problem. (It can allow unlocking a door or miscount an item in a
warehouse). Newest standards, such as ISO 18000-6C have been developed for
resistant to ghost read but this are highly dependent on the environment. [6]
Second problem is the cryptographic encryption and eavesdropping of the
communication. This is not an easy task to solve; as many RFID tags (Mostly passive
ones) depend on low power consumption and implementation of such security
measures have a direct impact on such constraints. Because of this reason,
cryptographic algorithms for RFID tags are weak and still able to be intercepted, unless
the switch to Active Tags is performed. However this also limits the time span of the
tags, as it is not easy to replace batteries on certain scenarios. [7]
Third issue with RFID is the privacy and ethical concerns that it have arisen. As many
tags are writable, it is easy to track an item or a person, an while this have been used
to legitimate reasons (Military applications, kidnap avoidance and so on), some users
claims RFID is a threat to privacy and that allow many ways of tracking a person
without their consent.. Such claims are not a fault on the technology itself, but in the
way the information is used. [4] [5]
2.1.3 The EPC Standard:
RFID is just a data carrier, but the information that is able to convey it is also in need of
standardization. As RFID started as a way to replace the optical barcodes, and EPC
class structure was developed for it. EPC is a universal identifier for any physical object.
Within the EPC RFID Class Structure, the following classes exist:

7
• Class 01: Purest passive tags with minimal functionality for identification.
• Class 02: Passive tags with support of read/write memory.
• Class 03: Semi passive tags that work on the presence of a reader signal.
• Class 04: Active tags that initiate communication with other readers or tags.
• Class 05: Active tags that can communicate with any other one.
For this project, we will focus on EPC Class 02, which with some modifications is now a
standard known as ISO 18000-6C. This standard was initially developed by EPCglobal
and consists on RFID tags and readers that work on the UHF frequency, between 860
and 960 MHz. The actual frequency used depends on the country. Table 2 shows the
distribution of the frequencies.
North
America
Europe Singapore Japan Korea Australia Argentina,
Brazil and
Peru
New
Zealand
Band
Size
(MHz)
902 –
928
866 –
868
866 – 869
923 – 925
950 –
956
908.5 –
914
918 - 926 902 – 928 864 –
929
Power 4 W 2 W 0.5 W 4 W 2 W 4 W 4 W 0.5 – 4
W
Channel
Number
50 10 10 12 20 16 50 Varied.
Table 2: RFID UHF overview. [5]
The first version of the EPC specification: EPC Gen1, was a proprietary monopoly of
few companies. In 2003, due to the lack of standardization, an UHF RFID standard
started to be developed and in 2004 it was completed and called Class 01 Generation
2 EPC Standard. Sometime later this EPC standard was extended and approved by
ISO, creating a global standard for UHF RFID. However, not all UHF RFID systems are
standardized, as China does not recognize the EPC or the ISO standards and hoping
to develop its own one. [8]
A table with some differences from the both EPC Gen specifications is below:
Description EPC Gen1 EPC Gen2
Acceptance Level Proprietary Specification ISO standard.
Arbitration Binary Tree Probabilistic Slotted
Anti-Collision Algorithm Binary Tree. Q Algorithm.
Air Interface Modulation PWM (Pulse Width
Modulation)
PIE (Pulse Interval
Encoding), Miller and FM0.
Data Rate 40 / 80 Kbps. 40 to 640 Kbps.
Distance < 10 m < 10 m
Frequency Range 850 – 930 MHz 860 – 960 MHz
Security Password 8 bits 32 bits
Ghost Reads 1.3 per 1000 None
Write Speed 3 tags per second > 5 tags per second.
Sessions None 4 Sessions
Table 3: Differences between EPC Gen1 and EPC Gen 2. [8]

9
prevent collisions happening, as when the number of slots is smaller than the number
of tags, collision will occur. Also, if a tag never responds to a query of allocation, the
slot will remain assigned and the algorithm will run out of spaces. This is called “tag
starvation problem” and it is one of the main causes of collisions when using ALOHA
algorithms. [7]
On the other hand, Tree Algorithms exist, which treat the tags as a node of a tree. This
approach orders the tags on a binary tree according to certain conditions and then
proceeds to explore the tree. These algorithms do not have the tag starvation problem
of ALOHA, however they are relatively slower to complete than ALOHA. Two main
implementations of the Tree Algorithm approach exist: Binary Tree and Query Tree
Algorithm. [7]
Generally speaking, an Anti-Collision Algorithm must provide the following features:
• The reader must be able to identify all the tags inside its own reading range.
• The reader must recognize the tags as quickly as possible.
• The recognition must be performed using the minimum amount of energy, since
most tags are passive ones.
As for the ISO 18000-6C standard, it uses a variation of ALOHA called Q Protocol. [1]
More detailed explanation of the anti-collision protocol for ISO 18000-6C is in the next
section.
2.2 The ISO 18000-6C Standard:
ISO 18000-6C, also called EPC Class 1 Generation 2 before its standardization [1], is a
standard that details the communications between RFID tags and RFID readers. It is
based on a “reader talk first” architecture, in where the reader issue commands to a
single or group of tags and then collect responses. This standard was developed with
mind on multiple tag environments, such as warehouses. The frequency bands for this
standard are as follows:
• Region 01 (Europe and Africa): 865 – 868 MHz.
• Region 02 (United States and Canada): 902 – 928 MHz.
• Region 03 (Asia): Some countries follow Region 01 and others Region 02
regulations.
Usually, the frequency spectrum on each of the bands is divided in channels or sub
bands. This sub bands bandwidth varies on the region. In Region 01, the bandwidth is
about 500 KHz per each one and in Region 02 the bandwidth is about 200 KHz. Due to
regulations on the RFID frequency use, the reader has a limit of 400 ms to use a
certain channel and then switch to another random one. Also, readers must follow a
Listen before Talk scheme, in which the readers will only use a single channel if no
transmissions are detected below a certain threshold. [7]
The tags must understand at least 3 types of modulation schemes, because the
readers will select one of them, based on the current country of operation, the noise in
the channel and the own preferences established by the user. The three modulations
schemes are:

10
• DSB-ASK (Double Sideband Amplitude Shift Keying)
• SSB-ASK (Single Sideband Amplitude Shift Keying)
• PR-ASK (Phase Reversal Amplitude Shift Keying)
Tags usually reply to the reader with coding scheme called PIE (Pulse Interval
Encoding) in which the duration of a 0 bit pulse is established as Tari Frequency. The
duration of the 1 bit pulse is at least 50% longer than Tari frequency. The use of Tari
frequency allows the reader to set a data rate for the tag. (By changing Tari value).
This data rates varies between 40 to 640 Kbps, depending on the reader and in the
tags design. [7]
Tags must follow the Q Protocol, in which the reader sends an special signal to the
tags, then the tag choose a random value and is dependent on the Q value originally
sent by the reader, with a maximum number of 2^Q – 1 states. Tags provide
identification using a random 16 bits value, called RN16. This can also be used for
encrypting the tag response, but depends on the reader to do so. [7]
Tags also accept some commands that the reader can issue for enquiring, to access
certain memory positions on the tag memory map, to write the tag and even to
deactivate the tag if requested. Tags support up to 4 sessions and have some internal
memory that keeps constant even if the RF power is absent. [7]
Complete coverage on the standard is outside the scope of this report, so we will focus
only on the Tags internals, the protocol State and Commands and the Q Protocol for
anti-collision.
2.2.1 The Tag:
ISO 18000-6C describes an advanced tag, with the capabilities of write multiple cycles
on an internal memory, enforcing some restrictions on the read and writing and the
capability of being permanently disabled. For implementing the security measures, two
32 bits password are used, one for reading privileged sectors of the memory and other
to kill the tag.
Memory in ISO 18000-6C tags is divided into Banks. 2 Memory tags is the compulsory
capacity that a tag may have, with the possibility of implementing up to 4 banks.
Bank 00 includes the killing and I/O passwords and Bank 01 includes the EPC value,
as well as some information about the tag. As opposed to other standards, the CRC
value for the EPC code is now computed by the tag, instead of being saved in the
memory. As for the memory locations, the default word used is 8 bits. However, by the
using of EBV (Extensible Byte Vector), the address can be arbitrarily large: Every bit is
divided into 1 bit of control and 7 bits of address. If the control bit is 0, then the next 7
bits possess the entire address. If the control bit is 1, then the 7 bits are part of the
address and an additional byte is append. The next byte follows the same rules until
the control bit is 0.
By default, the EPC code inside the tag is a 96 bits one, with a word size of 16 bits.
The maximum value for 16 bits words that are part of an EPC code is 31, however only

11
up to 29 words can be used in practice. This provides up to 10139
different EPC
identifiers.
As for the protocol used for interfacing with the reader, the tag works by using PIE
(Pulse Interval Encoded) symbols, which are issued by the reader using a base value
knows a Tari Frequency. The encoding is similar to PWM, with the difference on the
duty cycle and period varies for each symbol. For bits values of 0, the power on interval
is 0.5 Tari, followed by a 0.5 Tari power off interval. For bit values of 1, the duration of
the power on interval could be from 1.5 to 2 Tari, followed by a 0.5 Tari power off
interval. Standard values used for Tari are 6.25, 12.5 and 25 µS, corresponding to data
rates of 160, 80 and 40 Kbps respectively. [1]
2.2.2 Tag States and Commands:
The following are the valid states for a communication session on ISO 18000-6C : [1]
• Ready: Initial state at power up.
• Arbitrate: The tag is getting a slot into the inventory process.
• Reply: The tag reply to the reader.
• Acknowledge: The tag has received data.
• Open: The reader has opened a channel with the tag for I/O operations.
• Secured: A secure channel with the tag has been established.
• Killed: The tag will not reply to any command.
The Ready state is the first state in which a tag enters, when it got power from the
reader. The transfer to any state depends on the commands issued by the reader.

12
Figure 3: Tag Status Flow Chart. [1]
Figure 03: ISO 18000-6C Tag Status Flow Chart. (Taken from: Dobkin [1])
The commands defined as Mandatory are the following: [9]
QUERY Command: As ISO 18000-6C was designed for supply chain environments,
this command launches a complete inventory round. The following parameters are
used: [9]
• DR (TRCal Divide Radio): A factor to configure the Tari frequency and data rate.
• M (Cycles per Symbol): Miller factor, related to the data rate and modulation used.
• TRExt: Sets the presence or absence of a pilot tone at the beginning of the packets.
• Sel: Indicates which tags will respond to the command. (Based on the status of the
SELECT status flag on the tags).
• Session: Indicate to which session the inventory round will correspond. (A tag can
be accessed by up to 4 different inventory rounds, each of them in a different
session).
• Target: Select which tags will respond based on the session value of them. (The
values for each session could be: A, inventoried or B, non-inventoried).
• Q: Specify the number of slots available for the inventory round.
• CRC-5: A 5-CRC to ensure that tags will only process a correct command.
QUERY-REP Command: This command indicates to the tags to decrement their slot
counter. If the slot value is already 0, this will make the tag to generate a RN16 number

14
• CRC-16: A 16-CRC to ensue only a correct command will be processed.
ACCESS Command: This command is used to request a secure access to the tag.
This command is used to allow READ and WRITE commands, to access protected
areas. This will cause the tag to switch to the Secure state. For security reasons, each
ACCESS command will net a different tag Handle value, and each ACCESS command
will only send a 16 bits block of the 32 bits tag password, so to access a tag, 2
ACCESS commands will be needed. [9] It has the following parameters:
• Password: 16 bits block of the 32 bits tag password.
• RN16: Specify the tag handle value.
SELECT Command: This command allows accessing to the tag memory and
executing some memory manipulation based on Union, Intersection and Negation
operators, depending on certain flag values on the tag. [9] It has the following
parameters:
• Target: Indicates if a specific Session flag will be modified or not.
• Action: Specify how the Session flag will be modified.
• MemBank: Specify the memory bank to be read.
• Pointer: Specify the start bit address for reading. This is not the same format
as the 16 bit address format of READ and WRITE commands. This is a bit
addressing.
• Length: Specify how many bits from the Pointer address will be read. It allows
only 0 to 255 bits to be reader per command.
• Mask: Specify a mask to match within the read value indicated in Pointer and
Length.
• Truncate: Specify is the result of the mask should be truncated to the mask
length.
Logical operations like AND, OR and XOR can be implemented using a sequence of
SELECT commands with various Target and Action parameters. However, the
possibility of failure during transmission is high, so it is recommended to perform only
simplest operations.

15
Figure 4: SELECT Command Architecture. [1]
KILL Command: This command will completely disable a tag. Depending on the tag, it
could be a non-password kill or a password kill, which needs that the reader uses the
ACCESS command first to authenticate itself with the tag and to send 2 KILL
commands due to the 32 bits password used. [9] It has the following parameters:
• Password: A 16 bits block that could be half a password for protected kills or
just random values for a non-password kill.
• RFU: 3 bits that must be 000. Reserved for future functionality of the standard.
• RN: Specify the tag handle value.
LOCK Command: This command allows editing the permissions on the memory of the
tags, enabling or disabling passwords, EPC edits or making such locking permanent.
[9] It has the following parameters:
• Payload: A 20 bit mask that specify which areas of the tag will be modified and
how. The exactly details are referenced on [9].
• RN: Specify the tag handle value.
2.2.3 Q-Protocol:
As opposed to former standards, ISO 18000-6C uses an ALOHA variant called Q
Protocol. [1] The basic scheme of how it works is as follows:
• The reader defines a number of slots, in an inventory: round.
• Each tag chooses a random slot within the round.
• The reader starts issuing each slot query.
• If the tag has the reader’s slot, it replies with a random number.
• If the reader can decode the number, it sent acknowledge to the tag.
• The tag replies with its EPC code.
• With the random number and the EPC code, the reader can issue other
commands to the tag. (Write, Kill, etc).

16
When a tag receives a QUERY command, it read the Q value that it’s included. Q is the
value for defining how many slots the reader can handle and once received the tag will
allocate a number between 0 and 2^Q -1 . The reader generates this Q number based
on input from the user and own heuristics. A complete set of 2^Q slots it’s called a
round. [1]
Figure 5: Slot selection for tags upon a QUERY command. [1]
If the random value generated by the tag is equal to 0, it replies immediately. If the
value is different than 0, the tag saves the value in a special register, slot counter, and
waits to QueryREP commands which will instruct it to decrease by one its slot counter.
When a tag hits 0 at the slot counter, it generates a random 16 bits number, called
RN16 to the reader, and the reader will just send an ACK command with the RN16
number of it. If there is no collision, the tag will receive the ACK command with the
RN16 number and then it will reply with its EPC code. The RN16 number will be used
by the reader as identification to establish a communication with the tag, for sending
other type of commands. [1]
Figure 6: Tag response to a QUERY command. [1]

17
If the reader just queries the tag for its EPC, it will need to free the slot that the tag is
allocating and it will send a QUERY-REP command that signalizes end of the session.
The tag then will wait for another QUERY command again. [1]
In the case that 2 tags got the same RN16 number, a collision will happen and the
output will be impossible to decipher. Getting the same RN16 is mostly caused
because the Q value on QUERY command is too short to allocate all the possible tags.
Upon the detection of a collision, the reader will select another value of Q and restart
the protocol. [1]
Notice that unless the user sets a minimum Q value or some record of past Q values
will remain on the reader, it will have no knowledge of what an appropriate Q value will
be. Also, the reader will reduce Q if it notices that only 20 – 30% of the slots were
allocated. [1]
It is important to notice that we are not guaranteed to be in a collision free environment
even if we increase Q value. Because ISO 18000-6C tags have 4 states, it is possible
that electrical interference would change the state value of a tag and reply to an
unrelated QUERY command. Also, depending on how the tags are distributed, some of
them could not receive enough energy to even process the signals and in a later point
in time, they will reply to another QUERY command. [1]
2.2.4 EPC Gen2 Timing Constraints:
In order to guarantee an acceptable performance in high throughput scenarios, EPC
Gen2 standard defines a series of constraint s in respect to the time that Tags and
Readers had to reply to each other. [9] The most important and relevant for this project
are listed below:
• T1, is defined as the maximum time that the tag has to reply to the reader after
the last rising edge of a command was received. It’s defined as 10 times the
backscattering frequency selected by the reader.
• T2, is defined as the maximum time allowed for the reader to reply after
receiving the last raising edge of a tag. It’s defined as 20 times the
backscattering frequency selected by the reader.
• T4, is defined as the minimum time that the reader has to wait before issuing
another command. It’s defined as 2 times the RTCal value choose by the
reader.
Value T2 is important as the Tag will ignore any message from the reader after this
value has expired. In order to allow the reader more time for processing, the smallest
value of the backscattering frequency must choose. The smallest value according to
the specification is 40 KHz. (And the maximum is 640 KHz).
2.3 Blind Source Separation:
The basic idea of Blind Source Separation is to separate a series of mixed signals into
the original source signals. This process is done knowing few or nothing about the
source signals. [10]

19
Kurtosis Measurement:
Kurtosis on a y signal is defined as:
= − 3
Where E is the cumulant of the probabilistic distribution of the signal. Kurtosis could be
positive or negative, but for the purposes of ICA, the absolute value is used as a
measurement of non gausianity. However, Kurtosis is sensitive to outliers and if not
enough observations are provided it will lead to false results.
Negentropy Measurement:
Negentropy is a measurement based in the differential of the entropy. Entropy is
defined as the degree of information that a variable conveys, so the larger the
randomness of the variable, the larger the entropy. Because of this property, we could
said that the Gaussian variables have the largest entropy and the one which
concentrate information on certain values, has lower entropy.
Negentropy of a signal y is defined as:
= !""# −
Where H() is the entropy measurement and ygauss, a Gaussian distribution with the
same covariance matrix of y. The negentropy value is set to be non-negative due to
this and only 0 if the y variable follows a Gaussian distribution.
Minimization of Mutual Information:
Other approach used on ICA instead of non gausianity measure is to the minimization
of information by taking the Kullback-Leibler divergence between two variables. This
value is defined to be non-negative and 0 if the variables are statistically independent.
ICA Pre-processing:
In order to guarantee converge on its operations, ICA needs to apply to the data some
pre-processing schemes:
• Centering, by subtracting the mean, so each observation had zero mean.
• Whitening, by transforming the vectors into a new uncorrelated vector with 1 of
variance.
• Band Pass Filtering: Higher frequency components could hurt the non-gaussian
estimation, so it’s recommended to filter them out before processing the signals.
ICA Limitations:
Due to the assumptions made by ICA, there are some limitations on the output:
• There would be amplitude ambiguity, as any amplitude would solve the ICA
relationship of non gausianity.
• There would be sign ambiguity, as both positive and negative values would
solve the ICA relationship of non gausianity.

20
• The order of the components is not guaranteed to be the same as the signals.
• ICA only holds if the mixing matrix is time invariant. If the mixing matrix is
changing, then the data must be split and processed accordingly.
2.3.2 FastICA Algorithm:
FastICA is a fixed point implementation of ICA, developed by Hyvärinen [11], which
uses Nonentropy measurements to calculate the non gausianity of the signals being
reconstructed. A fixed point approach is used, which gives the following properties:
• Convergence time is cubic (Or at least quadratic), if the signals are independent.
• No step size parameters, as opposed to other gradient descent
implementations.
• Being able to find independent components of any non-Gaussian distribution,
without the need of knowing the probability density function.
• Each independent component is estimated individually.
• Fixed Point algorithms allow FastICA to be parallel, distributed and consume
low memory.
choose an initial random weight value W
W_plus = E{xg(WT
x)} - E{g'(WT
x)}W
w = w+
/ ||w+
||
if (w not converged) loop
Table 5: FastICA basic algorithm.

21
Chapter 3
Literature Review
We said earlier in this document that the main problem of RFID tags on high use
scenarios is the collision, which is the reply of 2 or more tags at the same time which
causes a failure on the RFID reader due to its inability of decoding a mixed signal.
Although the RFID standard have considered and developed some methods to counter
the collision problem [9], this is still an open area on the RFID research.
3.1 Model Research:
In order to approach the collision problem properly, some models on how collisions are
created are needed. There is previous research on UHF RFID that proposes certain
approaches to model collision data:
Ayer [12] research’s on RFID signals it is focused on which factors influence on the tag
antenna response. The factors studied were the power of the transmission, the silicon
of 4 different types of tags that were evaluated, the frequency of the RFID reader
command and the width of the pulses of the reader commands. This research showed
that UHF RFID tags resist some degree of change between the parameters and
because of that it is possible to implement some kind of dynamic RFID readers.
A PhD thesis by Zhu [13], provide information on a model that tries to conform with the
four general approaches to anti-collision: ALOHA, Q Protocol, Interval and Hybrid
Model and proposes a general function to optimize the reading order of tags to avoid
collisions.
Also, the PhD thesis by Sun [14], provide insight into a collision model for EPC Gen2,
but focused on an additive model, in which the summation of two or more RFID tag
signals, will create a new signal with different amplitude levels which are related to the
logical levels of each of the tags that colluded together.
Research by Angerer, et al. [15], provides insight in a method of modelling collisions
based on the I/Q components, stating that due to phase and amplitude shift, each tag
will lie in a different part of the I/Q graph, and that this position is dependent on the
channel and SNR.
3.2 Collision Avoidance Research:
There is research that is focused on avoiding future collisions, by making either
detecting them easily or by improving the way on how the algorithms that assign slots
to the tags (The ALOHA one for EPC Gen2) works.
The work of Lei, et al. [16], focuses on the way on how a reader can detect collision.
The traditional approach of decoding the CRC and finding a non-match is considered
slow, as requires the entire tag to be decoded, so the proposed solution is to use
Boolean operations, which are faster than normal CRC decoding. The main
disadvantage is that this work requires modifications on the EPC Gen2 standard. No
current implementation of this algorithm exists yet.

22
Also, improving the overall algorithm used (ALOHA) could be useful, so the reader can
actually predict how many tags are present and update parameters accordingly. The
research by Cha and Kim [17], is focused on improving ALOHA prediction of the
population of tags, by implementing a dynamic slot allocation scheme, based on the
probability of a certain slot to be given to a tag. Another research, done by Cheng, et al.
[18] analyses how well ALOHA performs at different SNR levels, showing that
underperforms when the SNR levels are below 3 dB.
A different approach on collision avoidance that requires personalized commands, is
proposed by Hong Gang, et al. [19], which proposes the use of a ‘silent space’ between
tag preamble and actual data, to be able to detect a collision and to it, only the tags
which are estimated to be on this silent space will be required to reply again via a
personalized command.
Methods based on proposing a completely different collision avoidance algorithm exists,
such as the one by Yeh, et al. [20], called ASPS. This algorithm works by estimating
how many collisions are in a signal by splitting the signal and then using a probabilistic
approach to estimate tag population.
Another important piece of analysis in EPC Gen2 is the Q Protocol [8], which is used to
assign the slots for the tag reply. The work of Jianwei, et al. [21], proposes an algorithm
that divides the collision in 2 steps, and by using jumping reading ensures that the next
nodes in the tree are collision free, thus performing fewer calls to read colluded tags
and improving the speed of the anti-collision process in general, as there are less
nodes to explore.
A proposed protocol by Ji Hwan, et al. [22] called RN16QTA exists, which is based on
the Q Protocol. This algorithm depends on the random 16 bit number generated by
each tag (RTN16) which is used to construct a query tree that keeps track of which
tags have been already called in order to reduce time for exploring the whole Tree.
However, this is only a proposed protocol and it has not been implemented on real tags.
A related approach is proposed by Liang-Chin and Hsin-Chin [23], which analyses the
tag signal at each reply and then updates the Q value accordingly, based on the
detected logical levels of the signal.
Other approach, such as the estimation of number of tags from the I/Q components of
the signal, is proposed by Khasgiwale, et al. [24], which analyses the clusters of points
in the I/Q space and determines the number of tags to issue a correct Q Value update.
Finally, a literature review on many anti-collision algorithms for the ISO 18000-6C
standard was done by Quan, et al. [25] in which it concludes that memory less
algorithms, such as Q Protocol and its variants are similar or more effective than more
complex and probabilistic approaches such as ALOHA and its variants: STAC, I-Code
and Bit-Slot. Some further description on such algorithms can be found on Azambuja,
et al. [2]
3.3 Blind Signal Separation Research:
This kind of techniques try to recover signals from more than one RX signal, based on
the idea proposed by Yuan and He [26] which considers that collision is basically

24
At almost in the same time, in the same year, Buettner and Wetherall [32] developed a
Gen2 Listener, but this research was more focused on the creation of an RFID tester
for performing compliance tests. The approach used is exactly the same as the work of
Donno, et al. [31], which means that the Universal Software Radio Peripheral (USRP),
but in this research it was the USRP2 instead of the USRP1, was used to capture
signals from a physical RFID reader and then perform the decoding completely using
the GNU Radio subsystem. The research focuses on some delays caused by the
software processing which can make difficult to make a completely SDR compliance
tester. Like the Donno’s reader, this one is also open source and available in the
CGRAN Archive. (https://www.cgran.org/wiki/Gen2)
The next year, in 2011, Buettner and Wetherall [33] presented a complete
implementation of the Gen2 protocol with both a reader and a listener developed
entirely with Software Define Radio, that can successfully read tags up to 6 m. But this
research was more focused on using this complete SDR Gen2 Protocol to experiment
with the implementation itself, by using the WISP (A programmable RFID tag from Intel
Research) to develop some additions to the Gen2 protocol, both in tag and reader side.
The development of this two readers was used some time later to perform more
research and experimentation on UHF RFID in general, as demonstrated by Briand, et
al. [34], which extend Buettner’s implementation for cryptography. The main difference
with Buettner’s research is that in this one some experimentation was done with a
complete SDR tag, instead of the WISP tag that was user by Buettner. This project
does not release any code nor is it accessible in the CGRAN Archive.
Although not related to UHF RFID, there is a work by Dawei, et al. [35] which focuses
on separating colluded signals for ISO 1443-A (125 KHz) based on the amplitude and
phase differences between signals. The interesting part of this research is that they
claim to be able to separate signals using only one antenna by using 4QAM
modulations and a likelihood estimator. This approach was implemented with the
USRP device and GNU Radio, although no source code is released nor it is accessible
in the CGRAN Archive.
The PhD thesis by [Sun [14]] has a complete implementation of SDR-like collision
resolution based on FPGA and Labview NI platform. Because this was implemented as
code for the FPGA, it can be said that this is a complete implementation of collision
resolution related to the SDR approach. No source code it is available from the
document.
A related research done by De Donno, et al. [36] uses a SDR RFID Reader an WISP
tags in order to analyse a collision detection algorithm, but with a fixed number tags, so
the population of tags could be estimated depending in where the collision have been
occurred, such as in the preamble or inside the bits. As they were using SDR, they
propose modification to the signal layer of EPC Gen2 to allow these detections.

25
Chapter 4
System Design, Methods and Procedures
4.1 Overall Design:
The developed framework will have the following components:
• SDR RFID Reader
• RFID Signal Generator
• RFID Listener
• RFID Collision and Recovery Model
• RFID Collision Detection Model
• SDR Considerations
In order to successfully design this system, a series of requirements also have to be
followed.
• Efficient algorithms, as RFID runs in really constrained hardware.
• Fast parsing speed.
• Have to operate even if unwanted components are present in the signal.
• Highly adaptive.
• Has to be programmed as close as possible to a Real-Time approach.
Because of time limits during the development of this research, the following aspects of
the design are not implemented, although they are discussed:
• Real Time implementation of Collision Recovery on the fly.
• Clock recovery for RFID Signals.
All this components and requirements will be discussed in the next parts of this section.
4.2 SDR RFID Reader:
This project uses an open source RFID Reader implementation, specifically the one
developed by Buettner and Wetherall [33]. This reader was originally developed to
work with the Intel WISP tags, which are active RFID tags implementing the Gen2
RFID protocol in software.
The RFID Reader used was developed for GNU Radio, an open source framework to
perform SDR, which handles all the process of capturing from a supported SDR device
and recording the samples in a computer for further processing. Also a variety of
primitives are provided such as modulation, demodulation, filtering, etc.
The use of the SDR approach allows to develop the reader completely by software and
also to control all the aspects related to the RFID protocol.

26
4.2.1 RFID Reader Components:
In order to control the reader, we need to identify its part and how it operates. A
description of each stage on the SDR Reader software is provided:
• USRP RX: This software uses the USRP1 device, manufactured by Ettus
Research as the input device. The USRP1 by itself is just an ADC/DAC, so an
external transceiver which can tune the frequencies of Gen2 RFID (915 MHz for
this case) is needed. This external device is the RFX-900 Daughterboard which
is mounted on top of the USRP1 and allows it to receive and transmit on the
850 to 1050 MHz range. For this application, a sampling rate of 4 MS/s is used.
• Matched Filter: Due to the own nature of backscatter signals, these usually
present low SNR values. In order to improve the recovery and decoding, a
Matched Filter is used. The filter is implemented as a FIR Decimating one,
which sets the decimation value to 5 and with an order corresponding to the
number of samples for the backscatter frequency. The backscatter frequency
defined is 40 KHz, and after the decimation, the number of taps is set to 25.
• Command Gate: The reader will only process backscatter signals, so this
component will analyse the signals and filter out all the Reader commands
(Which are higher in amplitude in comparison with the tags), allowing only to
pass sections of the signal when a Tag response is expected to happen.
• ACG: The signal is amplified to an acceptable level to ensure detection.
• Normalization: The tag backscatter signal is a BPSK one, with only 2 logical
levels. However, the signal has a significant DC offset due to be modulated on
top of the RFID Reader wave, so this is filtered out.
• Clock Recovery: The signal is processed using a Muller & Mueller Clock
recovery scheme, to guarantee that all the symbols are of the same size, to
improve the decoding procedure.
• RFID Tag Decoder: The signal is decoded by using a correlation approach in
which the preamble and one and zero bit symbols are correlated.
• RFID Reader: According to the result of the tag decoding, the reader will reply
to tags using an ACK command or start another query cycle. The signal from
the reader is generated at a sampling rate of 800 KS/s.
• Amplifier: It just ensures that the signal is outputted with the highest possible
energy from the USRP1 to energize the tag.
• USRP TX: The signal is back transmitted to the tag.
4.2.2 Parameterizing the RFID Reader:
This RFID reader has most of the operation parameters, such as Tari value,
modulation type for tags and backscattering frequency, set as hardcoded values. Most
sections of the reader, especially the Tari values are limited due to restrictions in the
sampling rate from the USRP1 device, but other ones could be modified by the user
and does not need to be set as hardcoded. Those functions, including the modulation
type and the number of cycles per read were exposed to the user.
Values such as a Tari and RTCal, are left with the original values to the way on how
other components are tuned into the system.

27
Finally, this reader was developed for an old version of GNU Radio, which limits the
application, as it relies in old hardware. A porting to the latest stable GNU Radio
version at the time of this report (3.7) was done, in order to analyse the data. The
upgrade includes the capability of capturing from other devices supported by GNU
Radio and the capability of capturing from many antennas.
Figure 7: Buettner’s SDR RFID Reader Block Diagram
4.2.3 The Issue of Latency:
SDR has the flexibility of being able to control all the stages of RFID decoding, but also
has the problem of latency. The most time consuming process is to actually move the
captured samples from the USRP device. Timeout is a serious issue on RFID systems,
as the Gen2 RFID specification specifies a Reader -> Tag responding time to be less
than 20 times the backscatter frequency. Considering that the backscatter frequency
on the reader is set to 40 KHz, the time that is needed to do the tag decoding and
processing is less than 500 µS. (Assuming the sampling rate at 800 KS/).
The used SDR reader relies on the use of Intel WISP in order to bypass those timeout
restrictions, as the WISP tag implements RFID by software and the timeout can be
increased. However, in our case, as we are using real life tags, we are only able to get
the Tags backscatter, but not to actually get the EPC Values from the ACK responses,
as they happen after the timeout defined by the specification. For this reason, the next
stages will operate on captured data instead of real life data.
A way of solving this problem is to implement the model into a high speed device, such
as a FPGA. However, FPGA development is usually complex, so a prototype
developed in Matlab/Octave would be the first step into a real time solution. It’s
interesting to notice that most SDR devices in the market offer a FPGA in the capture
board to speed certain types of DSP operations, so if the algorithm is efficient enough it
can be included in the device’s own FPGA board, being able to operate without the
need of a computer.

29
Figure 8: RFID Reader Preamble and Sync Frame.
So, for the Reader Preamble, the reader must turn off for at least 12.5 uS and then
send a Zero-Bit, followed by the RTCal pulse and end with the TRCal pulse. After this,
it can send the first command to the tags. All the future commands from this point shall
begin with the Reader Frame Sync, which is the same as the Reader Preamble, except
for the absence of the TRCal pulse.
In addition, at the beginning of each inventory process, the tags must be energized
enough so they can operate, so at the beginning a large pulse is sent, which last
approximately 1500 uS, to allow the tags to get energy. Then, this initial pulse is
followed by the Reader Preamble to configure the tags.
The next stage on generating RFID Reader signals is to generate the signals
corresponding to the different commands. These signals can be represented with just
the zeros and ones bits explained before. For this project, the commands defined as
Mandatory in the ISO 1800-6C standard are implemented. (The commands are
explained in Section 2).
Command Bit Code
Length
(Bits)
Description
QueryRep 00 4 Decrement the Tags slot counter
ACK 01 18 Acknowledge the received RN16 from a tag.
Query 1000 22 Starts the inventory process.
QueryAdjust 1001 9 Adjust the Q value of the tags.
NAK 11000000 8 Tells the tag that the EPC was not received
successfully.
Table 6: Implemented RFID command for the framework.

30
4.3.2 Tag Commands:
The tag has the capability of being energized when the reader radiates power near to it
and then, by reading an internal memory, replies to the reader. However, it does not
reply by sending a new signal over a certain frequency, but it replies by backscattering.
(It drives a load into its internal received antenna to create a low frequency component
signal on top of the RFID Reader envelope).
Because of the way on how the Tag replies, only modulation schemes based on pulses
can be used, as the tag can turn on and off its load into the antenna according to
certain times to convey information. The rate on how the Tag switches the load is
dependent on the information sent by the reader on the QUERY command, which uses
the TRCal value sent to the tag as a reference and also two values from the QUERY
command: DR which specifies a frequency divisor on top of the TRCal value and M
which specify the modulation scheme used.
There are two main modulations schemes available for RFID Tags:
• FM0. (Manchester-like).
• Miller (Clock based scheme, which can be M=2, M=4 or M=8).
The main difference between them is the way on how they communicate information:
FM0 is based on the Differential Manchester Code, so a middle transition on the
symbol period will occur depending if the transmitted symbol is a zero or a one, while
Miller modulates the information into the phase of the number of square waves used for
the specific Miller type. (For example, Miller M=2 will transmit 2 square waves per
symbol). If the symbol is 0, Miller does not change the phase of the symbol, while if the
symbol is a one, the phase of the symbol is switched by 180 degrees.
Both encodings can be implemented easily by using PWM-like generators. For FM0,
the 0 symbol is represented by a duty cycle of 50% while the 1 symbol is represented
with a 100% duty cycle. Also, at the end of each cycle there must be a transition. This
allows the reader to recover the clock rate of the Tag and decode accordingly.
For Miller, a baseband representation can be generated that follows the same rules of
FM0, but using 100% duty cycle for 0 symbol and 50% for the 1 symbol. But, as
opposed to FM0, Miller requires a 180 degrees phase shift at the end of each symbol
and not a necessarily a transition. After that, each symbol is multiplied with a carrier
wave which consists in a specific number of square waves which depends on the type
of Miller Encoding used.

31
Figure 9: FM0 and Miller Baseband basic functions and State Diagrams.
Like the PIE Encoding, FM0 and Miller have preambles and in addition an EOS (End of
Signal) bit. The preambles can be of two types: Simple and Extended. Usually the
preambles do not follow the same rules of encoding described before. (As they must be
unique, they rely on invalid transitions, so the Readers are able detect them).
An important issue here is the symbol rate. The symbol rate is given by the TRCal
value and the D value on the QUERY command. For this project, and for the used D
and TRCal values, the symbol rate is 40 KHz. For FM0 encodings, as these are just
one PWM-like signal with or without transition, the rate for generating the signals is
exactly 40 KHz. However, for Miller Encoding, a number of square waves must fit into
the specified symbol rate, so in order to generate the signals; a different rate must be
used. For example, at 40 KHz and 800 KS/s, there will be 40 samples per FM0 symbol,
but we will need 20 samples per each square wave to represent a Miller M=2 and 5
samples per square wave to represent a Miller M=8. So this must be taken into
consideration when selecting a sampling rate when generating the signals.
4.4 RFID Listener:
This part is directly related to the signal generation, as we need to ensure that we can
not only decode our own generated signals, but also real life signals which are not
generated into the perfect conditions. For this reason we need to consider how
decoding RFID signals and also how to interpret them. Also, as we are interested on
approaching to a real time implementation, we must rely on decoding the reader
samples one by one, instead of waiting for an entire block to arrive and then process

32
such block. (As RFID tags are constrained at memory). RFID Readers have more
hardware, so the Tag Decoding could use more sophisticated techniques.
The details will be divided into 3 parts: Decoding Reader, Decoding Tag and Parsing
Commands.
4.4.1 RFID Reader Decoding (PIE Decoding):
For decoding RFID Reader signals, the own ISO 1800-6C specification gives us a
solution when specifying the RTCal value and a pivot value (Which is half the RTCal) to
compare the width of the pulses and determining if is a 0 or a 1 depending on if it
exceeds the pivot or not. Also, there must be a way for us to know that a given signal is
an invalid RFID Reader signal, and this is done by using a second pivot based on 4
times RTCal. If a pulse exceeds this second threshold, then the signal is an invalid
reader signal.
But before decoding PIE commands, we must know how to determine the actual duty
cycle of a given pulse. A simple and effective way of doing so is by Rising Edge and
sample counting. We start counting samples as soon we exceed a threshold that is
denoted as the rising edge and stop counting samples as soon as we are below that
threshold. Then, according to the pivot value we output a 0 or a 1 or an invalid symbol.
Then, we wait for the next rising edge before starting the process again.
Figure 10: Finite State Machine for PIE Decoding.
The next problem is to define how to tell the end of an RFID Cycle. For telling the end,
the simplest way is to start counting samples when we are below the threshold for edge
detection and if they exceed 4 times RTCal, we can know for sure that the tags lost the
energy and that the RFID Cycle has ended. Also, because SDR devices are not perfect,
temporal power outs could happen. In this case, we can establish to ignore samples
below threshold which are less than Tari.
Because we heavily depend on the rising edge threshold, we must devise a way on
how to get the threshold value (And by that, detecting the beginning of the RFID cycle).

33
That could be by taking the difference between the last value and the current value. By
defining a specific value that must be exceed (In real life tags, it must be enough
voltage difference to power up the internal chip on the device), we can tell that a RFID
cycle have started. We tend to ignore the first pulse width, as the ISO 1800-6C
standard specifies 1500 uS of pulse width at the beginning to allow the tag to initialize
and power up the internal chip. Then, in the next rising edge, we can start counting
samples above and below the threshold to get the parameters of operation.
current_sample = 0
threshold_reader = get_rfid_threshold()
pivot = get_rtcal_value() / 2;
pos_thres_count = 0
neg_thres_count = 0
no_deco_bits = 0
deco_bits[] = 0
while (is_more_samples_to_read())
sample = get_samples()
if (sample < threshold_reader && pos_thres_count == 0)
continue
if (sample > threshold)
pos_thres_count++
if (pos_thres_count > 8 * pivot) //invalid symbol
pos_thres_count = 0
continue
if (samples < threshold_reader && pos_thres_count > 0)
if (pos_thres_count > pivot)
deco_bits[no_deco_bits] = 1
else
deco_bits[no_deco_bits] = 0
no_deco_bits++
pos_thres_count = 0
if (samples < threshold_reader)
neg_thres_count++
if (neg_thres_count > 8 * pivot)
break //end of cycle
Table 7: RFID Reader Decoding.
4.4.2 RFID Tag Decoding (Backscattering Decoding):
The tag decoding is done by the RFID Reader. The RFID specification does not include
any recommended solution for decoding tags, as the modulation is not based on just
pulse width, but also in phase shift. Also, as the backscatter energy is really low in
comparison with the energy sent by the reader, threshold based algorithms are not the
best option for decoding.

3
Chapter 1
Introduction
1.1 Background:
RFID (Radio Frequency Identification) is a technology that allows little chips to be
interrogated for data or identifiers from distance. Those little chips are relatively cheap
to produce and because of that, RFID technology has been extended into many areas
of modern life, such as contactless payments, transport fares, products tracking,
security and many more. [1]
An interesting and demanded application of RFID is management of a supply chain, in
where it was considered to replace barcode identification systems. EPC Gen2, later
standardized as ISO 18000-6C was specifically develop to replace optical bar codes in
supply chain scenarios, although it also found some use toll systems and many others
areas.
During the development of ISO 18000-6C, a problem that could happen in high use
scenarios, called Collision, was identified and some measures were developed to avoid
it. We define Collision as the response of many tags at a reader at the same time,
producing that the reader cannot identify any of them, resulting on unreliably on the
system. The way on how the RFID standard deals with collision is called collision
avoidance.
Although, there are algorithms that perform collision avoidance [2], most of them
cannot resolve a collision once it happened, requiring the reader to resend the read
query to the interested tags. Approaches based on time slots have been developed to
handle collision; however these can impact negatively on the system performance
when many tags are present, so exploring new approaches to resolve the collision
problem is needed.
Some new research have been done in the area that shows that based on how the
RFID signals on each tag are generated and based on impossibility of two tags to
generate the same exact signals plus the environmental constraints during its
propagation, that it is possible to separate two colluded signals, provided some
requirements are meet. This is a new approach, as no commercially available RFID
reader provides such characteristics. [3]
Software Defined Radio (SDR), a way to implement a radio communication system
completely in software, would be a useful technology to simulate this new approach on
dealing with colluded RFID signals, without the needing of designing physical devices
and by capturing the required signals from real RFID devices.
This thesis project is focused on implementing the FastICA (Independent Component
Analysis) algorithm to resolve collisions by developing a framework that implements the
RFID standard to simulate those signals, and then try to perform the recovery on them.
Also via Software Defined Radio, validate the model, by capturing the needed signals
from an actual ISO 18000-6C reader and the performing the decoding and collision

35
tag_counter = 0
tag_length = length(tag_samples)
no_deco_bits = 0
decoded_bits[] = 0
preamble_mask = generate_preamble(encode_type, samples_per_cycle)
one_symbol_mask = generate_bit(1, encode_type, samples_per_cycle)
zero_symbol_mask = generate_bit(0, encode_type, samples_per_cycle)
for i=1 to tag_length step=length(preamble_mask)
preamble_samples = tag_samples[i:i + length(preamble_mask)]
//correlate for preamble
for j = 1 to length(preamble_mask)
score_data = score_data + (preamble_mask[j] *
preamble_samples[j])
sum_vals = sum_vals + tag_samples[j]
score_pream = score_data / sum_vals
if ((score_pream < 0.8) && (i < tag_samples -
length(preamble_mask)))
continue
else if ((score_pream < 0.8) && (i > tag_samples +
length(preamble_mask))))
return -1 //no signal detected
if (score > 0.8)
break
//correlate for signals
for i = 1 to tag_length step=length(one_symbol_mask)
data_samples = tag_samples[i: i + length(one_symbol_mask)]
score_data = 0
sum_vals = 0
//correlate with the one symbol
for j = 1 to length(one_symbol_mask)
score_data = score_data + (one_symbol_mask[j] *
data_samples[j])
score_one = score_data / sum_vals
score_data = 0
sum_vals = 0
for j = 1 to length(zero_symbol_mask)
score_data = score_data + (zero_symbol_mask[j] *
data_samples[j])
score_zero = score_data / sum_vals
if (score_zero > score_one)
decoded_bits[no_deco_bits] = 0
else
decoded_bits[no_deco_bits] = 1
no_deco_bits++

36
Table 8: Pseudocode for the RFID Tag Decoding.
4.4.3 Command Parsing:
So far, we have deal with how to decode the signals. But also we need to interpret
them and to maintain a kind of logic flow between the different stages. We must be
able to tell when we need to start searching for a preamble or to keep decoding Reader
commands. For this reason, the developed listener is divided into states of a Finite
State Machine. The states are described as follow:
• State 0: Looking for an initial threshold.
• State 1: Detecting valid configuration: Power Sync and Sync Word.
• State 2: Decoding PIE Commands.
• State 3: Holding samples for the Tag.
• State 4: Decoding Tag.
• State 5: Decoding PIE after the tag.
State 0: This state is focused on looking for the initial threshold which powers up the
tags. The threshold is calculated by taking the difference between the current and the
last symbol. If an already pre-established value is exceeded, then 75% of the
difference is used as the threshold to detect rising and falling edges. If the value is not
exceeded it keeps in the same state, if the value is exceeded, it goes to State 1.
State 1: This state validate that the signal is a RFID signal by counting the samples
between to rising edges and comparing them to the expected values of Tari, RTCal
and TRCal. If this checking fails, it goes back to State 0, if the check succeed, it goes
to State 2.
State 2: This state output 0 or 1 bits, depending it the pulse width between rising edges
is less or greater than the pivot value. (0.5 RTCal). It also counts samples below the
threshold. If any of this sample count is greater than 4 RTCal, then it goes back to
State 0. This state will also check if the received command requires Tag response and
if it needed it, it will go to State 3. If not, it will keep on the same state.
State 3: This state will store samples until the given values are less than the
established threshold and then it will go to State 4.
State 4: This stage will decode the tags by using cross-correlation between the tag
symbols and the stored samples. If no tag is detected and the Q Value of QUERY is
set to 0, it will go back to State 0. If not, it will go to State 5.
State 5: If a tag is decoded, then this stage will check for the next PIE symbols. If no
PIE Sync-Word is detected, it will go back to State 2, to decode the PIE symbols. If a
new Sync-Word is detected it will go back to State 1 to update the configuration.

37
Figure 12: Finite State Machine for the RFID Listener.
4.5 RFID Collision and Recovery Model:
In order to recover the collisions, we must determine if such recovery is possible and
also a way to detect if certain signal is a collision, to avoid unnecessary signal
processing, as the RFID protocol has to comply with certain time constraints. Because
we are using Blind Source Separation, we do not need to use this information for the
decoding, but this will also help us to understand the limitations of our approach.
Interference in RFID is generally additive with the presence of time shift. This means
that in the receiver, the signals of the colluded signals add together. Also signals
present time shift, as they arrive at different times at the receiver, due to multipath.
Knowing that the tags reply using 2 different logical levels (-A and A), we can construct
a table of the outcome of such levels when add together:
Tag 1 Tag 2 Result
A A 2A
A -A 0
-A -A -2A
-A A 0
Table 9: Outcome of the logical levels on RFID Backscattering in a collision of 2 tags.
As we can see in the table below, when the tags are have the same logical level and
collision, the resulting is a multiple of the original logical level, but when they have
different logical level, both cancel out. This would mean that in a collision which happen
without time shift, no recovery would be possible, as opposite states would end in a
zero-level, in which the decoder would not be able to tell which logical level the signal
had.

38
Figure 13: Collision between two tags without time and amplitude shift.
However, collisions also carry amplitude shift which is helpful, as the amplitude shift will
not put the signals into a level zero, but at least will show the logic level of the strongest
signal. Because of this, there are two probabilities on this signal, one in which Tag 1
will have the strongest amplitude, so the collision levels will shift to Tag 1 logical level,
and other in which Tag 2 will have the strongest amplitude, and so the logical levels will
shift to Tag 2 logical level. In those conditions, recovery will be possible. However this
is not enough to guarantee recovering, as there is a possibility that the noise on the
environment will shift logic levels.
But in real life, RFID tags have also time shift, due to the multipath, so the possibility of
getting zero levels on the signal is minimum due to the influence of amplitude, time shift
and noise. However is important to establish that recovery of collisions is not
guaranteed at 100% due to these characteristics.
0 100 200 300 400
-2
-1
0
1
2
Tag 1: 42551
0 100 200 300 400
-2
-1
0
1
2
Tag 2: 60436
0 50 100 150 200 250 300 350
-4
-2
0
2
4
Collision Result

40
Figure 15: Collision between two tags with amplitude and time shift
The method analysed in this thesis is the ICA one, which as stated in Section 2 of this
report, assumes that signals are Gaussian distributed ones and also statistically
independent. As the RN16 signals are generated by each tag random number
generator, they are statistically independent, and also the signals itself are Gaussian as
only 2 logic states are allowed on the data.
There are many implementations of ICA, but the one chosen for this project is FastICA,
which is a fixed point implementation of ICA. Its main advantage is that is 10 to 100
factors faster than other implementations that use gradient descent approaches. This is
important as RFID has time constraints and ICA by nature is an iterative algorithm, which
could take some time to converge, although for this project, a value of 1000 iterations is set
as the maximum of iterations.
For the recovery of collisions, the main requirement is to have at least two different
readings of the signal. Due to the position of the antennas and the multipath effects,
each antenna will receive a different amplitude and timing shift version of the signal.
Then, those signals will be used as input into the FastICA algorithm which then will
output a similar number of independent components. We are not interested on the
mixing matrix, so it would not be used in this project.
One interesting feature of FastICA is that is also used to separate noise from signals,
which can be useful not for recovering collisions, but to increase SNR in certain
scenarios.
For real life scenarios, we need to consider the capability of the devices used for
capture signals and how the antennas are placed. Generally we would not like to have
samples in which the signal is undetectable, as they will only make FastICA slower to
converge. A basic rule of thumb is to choose antennas which are closer to the collision
signals of interest. For this project, due to the limitations of the USRP1 device, only 2
antennas can be used to capture signals.
0 100 200 300 400
-0.5
0
0.5
Tag 1: 33331
0 100 200 300 400
-0.4
-0.2
0
0.2
0.4
Tag 2: 21360
0 50 100 150 200 250 300 350
-1
-0.5
0
0.5
1
Collision Result

Tesis de Maestria - A RFID Collision Avoidance Framework based on SDR

Tesis de Maestria - A RFID Collision Avoidance Framework based on SDR

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Tesis de Maestria - A RFID Collision Avoidance Framework based on SDR

Similar a Tesis de Maestria - A RFID Collision Avoidance Framework based on SDR (20)

Último

Último (20)

Tesis de Maestria - A RFID Collision Avoidance Framework based on SDR