
The RF in RFID: physical layer operation of passive UHF tags and readers

4. UHF RFID Protocols

Daniel M. Dobkin, October 2005; revised April 2007

A communications protocol is a way of organizing the conversation between devices -- in the case of RFID, between tags and a reader -- to ensure that information actually gets transferred. A protocol defines:

an air interface: what sort of modulation of the reader signal is used to define a binary one? what's a zero? what kind of signal does the tag send? how fast does everything go? is information sent in discrete packets, and if so how are they formed?

medium access control: who gets to talk when? how are collisions between contending users (tags in this context) resolved?

data definitions: what sort of data is associated with a tag? what does it mean?

Passive RFID tags face some special problems not encountered in most other digital radio systems. Tags are cheap and dumb, so only changes in amplitude of the reader signal can be used; advanced modulations like phase-shift keying or quadrature-amplitude-modulation (QAM) are not available. Further, turning off the power from the reader reduces the power available to the tag, so the modulations of choice for the reader are those in which power is on most of the time; such modulations are wasteful users of spectrum, leading to relatively wide channels or low data rates. The tag reflection can be modulated in phase or amplitude, but the small tag reflection is combined with large reflections from the antenna and ambient, so that the resulting signal at the reader may change amplitude when the tag reflection changes phase, and so on. One can only hope to detect changes in state of the tag antenna, but not the type of change. The reader can count edges from the tag but not the absolute or differential phase or amplitude. Tag and reader symbols must be chosen with these constraints in mind.

There are numerous protocols using different approaches to each of these issues, and all of them work -- but the reader and tag need to use the same one! In this discussion we'll briefly examine the three UHF tag protocols that have been promulgated by EPCglobal for supply-chain tracking using passive RFID tags. The EPCglobal protocols assume the tag carries a unique identifier, the electronic product code (EPC). EPCs can be either 64 or 96 bits long (longer IDs are available for future use), and are partitioned into a header describing the EPC structure, some information about the 'manager' (typically a company owning some ID space), and other information about the type of object marked and the serial number.

It appears at the time of writing (2007) that the Class 0 and Class 1 Generation 1 protocols are being rapidly replaced by Class 1 Generation 2 (ISO 18000-6C), so the reader short of time may wish to skip their descriptions. However, it is interesting and educational to see alternative methods of solving common problems, so I recommend perusing the older standards if you have the stamina.

EPCglobal Class 0

The class 0 standard describes passive, write-once tags that are distinguished primarily by the use of a subcarrier modulation scheme for the tag-to-reader link. Tags manufactured by Symbol Technologies, Impinj, and some Avery tags, are generally compliant to EPCglobal's published standard, though note that the standard was never fully ratified and there is no compliance verification procedure. Many class 0 tags are configured as dual dipole tags: that is, the integrated circuit is connected to two distinct antennas, typically orthogonal to one another. Dual dipole tags are necessarily larger than the corresponding single-dipole tag, but in compensation they are much less sensitive to the polarization of the incident radiation than a single dipole. However, this is a characteristic of the commercial implementations and is not covered in the standard.

Page 1 of 11. The RF in RFID: RFID protocols.
11/28/2007 http://www.enigmatic-consulting.com/Communications_articles/RFID/RFID_protocols.h ...

Note also that the standard doesn't cover writing a new electronic product code (EPC) to the tag. Symbol and Impinj both implemented field-writeable tags. Symbol's are called "class 0+" and Impinj's tags are known as "Zuma". These two implementations are supersets of the published standard, and are completely incompatible with one another in memory architecture and command definitions.

Before sending any data, the reader first goes through a turn-on sequence to get the tags ready to go. First it sends some DC power, and then a series of synchronization pulses to help the tags set their clock oscillators to 2.25 MHz (see below). The whole process takes about 800 microseconds, after which the reader can send commands to the tags.

Passive tag modulations differ from typical radio communications schemes because the reader signal also powers the tag, so it is useful to have the signal be at its maximum value most of the time. The air interface for class 0 is based on pulse-width modulation for the reader-to-tag (forward) link. There are three basic symbols, shown below. (Note that the diagram shows the transmitted power of the reader vs. time; the actual signal is a modulated carrier wave at around 900 MHz.) A binary '0' is transmitted by turning the reader power down or off for a brief time, typically 3 microseconds in US operation, after which the power is turned back up for the remainder of the symbol. A binary '1' is sent by turning the power down for a longer period of time, typically 6 microseconds. A special symbol, the null, is used to signal tags to change their state; this symbol occurs infrequently, and so the fact that the reader power is turned off for much of the symbol doesn't affect the tag power level much. The total time for each symbol is about 12.5 microseconds in US operation, corresponding to a data rate of 80 Kbps.

A specialized approach is employed for the tag-to-reader (reverse) link. The tag actually scatters its reply during the 'high' part of each symbol. The symbols themselves use sub-carrier modulated frequency-shift keying: the tag switches at a relatively high rate of either 2.25 or 3.25 MHz to send a binary '0' or '1'. The use of this sub-carrier modulation has some advantages: in essence, the demodulator gets to count a lot of edges for each tag transmission, so it is easy to tell which symbol was sent and corruption of a single edge due to e.g. noise or interference doesn't prevent the reader from distinguishing a '1' from a '0'. The relatively high frequency also means that the downconverted baseband signal contains information only in the region 2-4 MHz away from the carrier, where the phase noise of the local oscillator is typically small, so that good sensitivity is easier to achieve. However, the scheme encounters problems when many readers are present, because the tag reply is so far away from the carrier that it may lie right on the frequency transmitted by a neighboring reader. In Europe, even passive tags are regulated as transmitters, and the tag radiation may be centered outside of the fairly narrow bands allocated to RFID operation, causing compliance problems.

A notably simple approach is used to control access to the medium. To start with, the reader sends a command informing all the tags that can hear that it is going to execute a binary tree traversal. The reader then sends the null symbol followed by a binary '0'. All tags then backscatter the first binary bit of their ID. The reader can tell if a '1' or '0' was sent, though it can't say if more than one tag transmitted at the same time. If some tags send '1' and some '0' the reader may detect a collision, or it may simply randomly choose to see either bit. The reader then echoes the bit that it heard. Any tags that hear their bit stay in the traversal and send their next bit. Tags that don't hear their bit fall out of the traversal (transitioning to the MUTE state) and wait for another (null,0). If everything goes smoothly, by the end of the traversal only one tag is still participating (if all the tags have unique numbers), and all its bits have been read. By remembering which branches of the tree had responses, the reader should ideally be able to navigate only the occupied parts of the tree of all possible tags. For example, in the tree shown below, the reader might go down 0001 but wouldn't bother with 001... because no tag responded with a '1' at that bit.

The procedure above may still be very inefficient if a large number of tags with the same ID except for the last few bits are present: each traversal wastes a lot of time repeating the same path. The standard provides the option to use either a random number generated upon demand by each tag (known as ID0) or a short random number stored in each tag (ID1) instead of the tag's unique electronic product code (ID2). ID0 and ID1 are not guaranteed to be unique in a tag population, but in realistic populations the chance of duplicates is small. Another disadvantage of using ID2 for singulation is that since the reader echoes each bit, the reader sends the whole EPC of each tag. Readers can be heard from up to several kilometers away under the right conditions, whereas tags are hard to intercept from more than a few meters away.

Once a tag has been identified, it can be KILLED if the kill password is known. According to the standard, a successful KILL command results in a permanently non-functional tag. It's not really clear what good this does; retailers would be reluctant to kill a tag if the item it was attached to could be returned, and how is a consumer to know if a tag is really dead or merely temporarily out of commission? See RFID: Applications, Security and Privacy, eds. Simson & Garfinkel, for useful discussions of privacy and security issues.

Thanks to Chris Parkinson of IntegralRFID

Although the EPCglobal standard document treats class 0 tags as having a factory-written unique identifier not field-modifiable, in practice customers have found that it is often desirable to write a new ID, as well as other specialized data, to tags in use. Unfortunately, since the standard did not specify an approach to writing tags, the two primary vendors (Matrics -- now part of Symbol -- and Impinj) chose different and incompatible approaches.

Zuma tag memory is organized in 15 rows of 18 bits each. Bit 0 is not used in most rows, and bit 17 is the row locking bit. The allocation of rows differs depending on the size of the tag's EPC, as shown in the chart. The first row, Fab Protect, must be set to the value 0997A (NOTE that the first character is binary and the remainder hexadecimal: that is, the row is x0 1001 1001 0111 1010, where x is the lock bit). If the lock bit is set high the tag is permanently locked.

Bit 17 of the control word, instead of locking the row, locks memory against writes. Bit 16 is the row lock. Bits 15-12 set the EPC size, and are 0101, 0111, and 1001, for 64, 96 and 128 bit tags. The remainder of the rows use bit 17 for row lock. The kill passcode is programmed into bits 16 thru 5 of two consecutive rows. Rows 4 through 14 contain the EPC, error check (CRC) and user memory.

Class 0+ re-uses the nomenclature of the class 0 standard to denote memory pages. Memory is organized into four pages, but not all of them can be written to. The ID0 page is used to record the KILL password. The ID1 page contains the random singulation code, but the code is generated from a seed rather than being written directly. The seed is the last 20 bits of the ID2 page. For a 64-bit-EPC tag this part of the page would not otherwise be used, but should be filled with 20 random bits. For a 96-bit-EPC (shown below) the seed bits overlap the CRC (error check). The last page, ID3, can be used in any fashion by the user.

EPCglobal Class 1

The class 1 standard document describes a 'write-once' passive tag, though in practice tags can be written (at least) hundreds of times. Alien Technology, Avery, and Rafsec have produced large numbers of commercial tags that are substantially compliant with the standard, though it was never ratified and there is no compliance verification procedure. The tag-to-reader (forward-link) symbols are very similar to those used in class 0; in fact, the optional symbol set is identical.

The tag reply uses a simple frequency-shift keying scheme known as F2F: an edge in the middle of the symbol denotes a binary '0', whereas three edges denote a binary '1'.


Unlike class 0, class 1 is a packetized interface in which the reader sends a full command, and then one or more tags may reply with either a few bits or a complete message. If one expects only one tag in the read zone at any given time, collision resolution can be skipped: the reader repeatedly sends the SCROLLALLID command, and any tag hearing it replies with the tag CRC and EPC. This 'global scroll' mode of operation is relatively fast; about 500 tags/second can in principle be read (though most of the reads will simply be repeat reads of the same tag). The reader can optionally add a TALK command at the beginning to make sure that tags are all active, and a QUIET command directed to a tag after it has been read to make it possible for other tags to talk. The first steps are shown below. The QUIET command is rather time consuming, since the whole tag ID must be sent as a 'filter' to ensure that only the desired tag stops talking. The whole procedure takes around 4 ms for a 64-bit tag, allowing around 250 tag reads/second, and works reasonably well when up to 4-5 tags are present near the reader.

When a large number of tags are simultaneously present in the read zone of a reader, a more sophisticated anti-collision algorithm can be employed, using the filter capability built into reader commands. Each command can contain filter bits, of any length up to the full length of the CRC+EPC, and starting anywhere in memory. Only tags whose EPC fits the filter will respond to the command. The PING command causes tags whose EPC's match the filter to respond by sending the next 8 bits of their EPC, and doing so within one of 8 reply 'bins', each marked by a special symbol from the reader, the choice of bin depending on the first three bits of the reply. When the reader believes that only one tag is replying in a bin, it can request the full EPC of the tag.

Class 1 memory organization is fairly simple: memory is organized in 7 or 9 rows of 2 bytes each. The CRC occupies the first row, the EPC (most-significant-byte first) the next five or seven rows. (The astute reader will note that this is two more bytes than are actually required to carry the EPC. The class 1 error check uses a sequence of 16 '0' bits after the EPC; curiously these bits are programmed into the tag even though the calculation is only performed by the reader, which could certainly insert the bits under program control.) The last row contains the lock byte, which is set to hexadecimal A5 to prevent further writing of the tag, and the kill password. Since the kill password is only 8 bits long, some commercial tags time out after a failed KILL attempt in order to prevent a dictionary attack, otherwise very simple since there are only 256 possible codes.

The 64-bit EPC map is shown below; the 96-bit map adds the requisite EPC rows. It is important to note that at least some class 1 tags are not rendered non-functional when KILLed, but merely erased.


EPCglobal Class 1 Generation 2 (ISO 18000-6C)

Both first-generation standards share some significant disadvantages. It is awkward to address a specific tag, particularly if you have erased the EPC in the course of assigning a new code to the tag. The use of a 16-bit CRC as the only validation of a tag ID means that on average one in 64,000 reads of random noise would produce an accidentally valid tag read -- a phantom or ghost tag. Class 0 tags have problems with large numbers of collocated readers due to the large frequency offset between the tag signal and the reader signal, and have no standard for field writeable tags. Class 1 singulation is relatively slow when a large number of tags are present. Both protocols have problems with late arrivals: tags that enter the read zone when a tag inventory has already started. Finally, class 0 and class 1 are mutually incompatible and approximately equivalent in applications and performance: if the goal is to achieve one global standard, two is one too many.

Realizing these problems, the EPCglobal Hardware Action Group (make the acronym for yourself -- one imagines they hired the people who invented the catchy moniker "802.11b" for the WiFi standard) in early 2004 started work on a second-generation standard that would fix the problems in the first-generation standards and provide sufficient performance at sufficiently low cost to become the universal protocol for RFID in supply chain applications. The Class 1 Generation 2 standard was ratified in early 2005, and is now also ratified by the International Organization for Standardization (ISO) as ISO 18000-6C. In order to obtain the aforementioned improvements in performance, the Gen 2 committee started anew in many respects; the Gen 2 standard is completely incompatible with first-generation class 0 and class 1 readers and tags.

The reader symbols are distinct from those introduced previously but are fairly straightforward. A binary '0' is a short high level pulse followed by a low pulse of equal length; a binary '1' is a longer high pulse followed by the same low pulse width. This symbol set provides a high average RF power delivered to the tag. The length of a binary '0' is defined as Tari, and is used as a reference for several other times in the standard. The data rate can vary from 27 to 128 Kbps (Tari from 25 to 6.5 microseconds); the most significant bit of the most significant word is always sent first.

Communication between the tag and reader is packetized, conceptually similar to class 1 Gen I, but the packet details are quite different from the earlier standard.

Two distinct sets of tag symbols are used. The basic approach is FM0: a binary '0' has a transition in the middle of a symbol, whereas a binary '1' does not. However, a second option is provided, Miller-modulated subcarrier (MMS). The FM0 signal is multiplied by a square wave with either 2, 4, or 8 periods for each FM0 symbol. It is important to note that, although in the figure below we show the FM0 symbol time as constant so you can see how the transmitted signal is related to the FM0 signal, in fact it is the time between transitions, or equivalently the link frequency, that is held constant. As a consequence, the data rate for a fixed link frequency is reduced by the MMS multiplier. If we set a link frequency of 100 KHz, FM0 provides a data rate of 100 Kbps, but MMS with a multiplier of M=4 only provides 25 Kbps.

It seems contradictory to intentionally reduce the data rate, but MMS offers some advantages over FM0. In spectral terms, the energy in an MMS signal is concentrated away from the carrier (roughly by the link frequency), making it easier to detect in the presence of phase noise and possible interference from other readers. In the time domain, interpretation of an FM0 symbol depends on a single edge, whereas an MMS symbol provides a number of edges to locate, reducing the likelihood of a bit error.
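As an added example (not the article's figure or any standard's reference code), the Python below encodes bits into FM0 and Miller-subcarrier level sequences sampled once per half-period of the link frequency, so the data-rate reduction by M falls straight out of the waveform length, and counts the edges a reader would see per symbol. One assumption to note: the baseband it multiplies by the subcarrier is the Gen 2 Miller baseband (an inversion in the middle of a '1' and one at the boundary between consecutive '0's), which the shorthand "FM0 multiplied by a square wave" above glosses over.

```python
# Added example: Gen 2 tag-to-reader baseband encoders. Not from the article or
# any standard's reference code. Levels are sampled once per half-period of the
# link frequency (the quantity the protocol holds constant), so a symbol's
# length in samples gives its data rate directly.


def fm0_encode(bits):
    """FM0: the level inverts at every symbol boundary; a '0' also inverts
    in mid-symbol, a '1' does not. Two samples per symbol."""
    wave, level = [], 1
    for b in bits:
        level ^= 1                    # boundary transition
        first = level
        if b == 0:
            level ^= 1                # mid-symbol transition marks a '0'
        wave += [first, level]
    return wave


def fm0_decode(wave):
    """Decode by testing for the mid-symbol edge. A missing boundary edge is
    reported as an error (None): one lost edge is enough to corrupt FM0."""
    bits = []
    for i in range(0, len(wave) - 1, 2):
        if i and wave[i] == wave[i - 1]:
            return None               # no boundary transition: not valid FM0
        bits.append(0 if wave[i] != wave[i + 1] else 1)
    return bits


def miller_encode(bits, m):
    """Miller-modulated subcarrier with M = 2, 4 or 8 subcarrier periods per
    symbol. Miller baseband (Gen 2 definition): phase inversion in the middle
    of a '1', inversion at the boundary between two consecutive '0's, none
    otherwise. The baseband is multiplied by a square wave that flips every
    half-period, so each symbol spans 2*M samples."""
    wave, phase, sub, prev = [], 1, 1, None
    for b in bits:
        if b == 0 and prev == 0:
            phase = -phase            # boundary inversion between consecutive zeros
        for half in range(2 * m):
            if b == 1 and half == m:
                phase = -phase        # mid-symbol inversion for a '1'
            wave.append(1 if phase * sub > 0 else 0)
            sub = -sub                # subcarrier flips every half-period
        prev = b
    return wave


def count_transitions(wave):
    """Edges the reader can count: many per MMS symbol, one or two per FM0 symbol."""
    return sum(1 for a, b in zip(wave, wave[1:]) if a != b)


def data_rate_kbps(link_khz, wave, nbits):
    """With the link frequency fixed, rate = link * 2 / (samples per symbol):
    100 kHz gives 100 kbps for FM0 and 25 kbps for M = 4."""
    return link_khz * 2 / (len(wave) // nbits)
```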

Inventory operations are based on slotted Aloha collision resolution. Unlike class 1 and class 0, no attempt is made to use the tag ID binary tree. Instead, the reader issues a QUERY command, and each tag effectively rolls a many-sided die, where the number of sides is set by the reader. A tag that rolls a 0 replies immediately; all tags that roll other numbers record those numbers in a counter and say nothing. The reader, after either receiving a reply or no response, can issue a QUERY REP command, causing all the tags to decrement their counters by 1; any tag reaching a counter value of 0 responds. If the number of sides is chosen properly, one and only one tag will respond to most of the QUERY REP commands.

A tag replies by sending a 16-bit random number RN16. If the reader hears the random number it echoes that number as an acknowledgement, causing the tag to send its electronic product code and error check, along with some protocol control bits (PC). The PC bits provide the length of the EPC stored in the tag, as well as some information pertaining to the numbering system and optionally the type of object to which the tag is attached (the application family identifier (AFI)). The reader can then send commands specific to that tag, or continue to inventory other tags.

The use of a random number as a handle is an important feature of the Gen 2 protocol. This allows the reader to define a unique session with a particular tag even if that tag has not been identified, or does not have a unique EPC (e.g. if it has just been received from the factory with its EPC initialized to all 0's). A Gen II reader can count tags in the field even if all the tags have the same EPC. It can write to a single tag even if that tag has not yet been given a unique identifier. Furthermore, the sequence of exchanging a valid RN16 followed by transmission of the EPC makes it less likely that the reader will see a ghost or phantom tag where none is present.
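The inventory round and handle exchange of the last three paragraphs, as an added Python simulation (not the article's emulator, nor any standard's reference code; the tag population and its hex EPCs are constructed). The reader's Q parameter gives the die 2^Q sides, three of the tags still carry the all-zero factory EPC, and a tag hands over its EPC only to an ACK carrying the RN16 it just sent.

```python
# Added example: Gen 2 slotted-Aloha inventory (Query / QueryRep / RN16 / ACK)
# over a constructed tag population. Not the article's emulator or any
# standard's reference code; EPCs are made-up 96-bit values written in hex.
import random


class Tag:
    """Just enough Gen 2 tag state for inventory."""

    def __init__(self, epc, rng):
        self.epc, self.rng = epc, rng
        self.slot, self.handle, self.inventoried = None, None, False

    def query(self, q):
        self.slot = self.rng.randrange(2 ** q)      # roll the 2^Q-sided die

    def query_rep(self):
        self.slot -= 1                              # reply when the counter hits 0

    def reply_rn16(self):
        self.handle = self.rng.randrange(2 ** 16)   # fresh handle for this session
        return self.handle

    def ack(self, rn16):
        """Only the tag holding exactly this RN16 answers with PC + EPC + CRC."""
        if rn16 != self.handle:
            return None
        self.inventoried = True                     # session flag: silent from now on
        return self.epc


def inventory_round(tags, q):
    """One Query followed by 2^Q - 1 QueryReps. Returns (reads, empty, collided)."""
    for t in tags:
        t.query(q)
    reads, empty, collided = [], 0, 0
    for slot in range(2 ** q):
        if slot:
            for t in tags:
                t.query_rep()
        replying = [t for t in tags if t.slot == 0]
        if not replying:
            empty += 1
        elif len(replying) > 1:
            collided += 1                           # overlapping RN16s: nobody is acked
        else:
            heard = replying[0].reply_rn16()        # reader hears the RN16 ...
            reads.append((heard, replying[0].ack(heard)))  # ... and echoes it as the ACK
    return reads, empty, collided


def inventory(tags, q, max_rounds=50):
    """Repeat rounds over tags not yet inventoried until all have been read."""
    reads = []
    for _ in range(max_rounds):
        pending = [t for t in tags if not t.inventoried]
        if not pending:
            break
        reads += inventory_round(pending, q)[0]
    return reads


def demo(seed=1):
    """Three factory-fresh tags share an all-zero EPC; the RN16 still singulates them."""
    rng = random.Random(seed)
    epcs = ["000000000000000000000000"] * 3 + ["300000000000000000000001",
                                               "300000000000000000000002"]
    tags = [Tag(e, rng) for e in epcs]
    return inventory(tags, q=3), tags


def handle_check(seed=7):
    """A wrong RN16 gets no EPC, the right one does: noise has to pass as a
    valid handle before any EPC is even sent, hence fewer ghost tags."""
    t = Tag("300000000000000000000001", random.Random(seed))
    h = t.reply_rn16()
    return t.ack((h + 1) % 2 ** 16), t.ack(h)
```

Running demo() reads all five tags, the three identical EPCs among them as three separate (handle, EPC) pairs, which is the counting the text attributes to the handle.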


Unlike the class 0 situation, the Gen 2 standard specifies the tag's memory organization. Memory is organized in 4 banks, organized into 32-bit words. Bank 00 is reserved for passwords for the lock and kill functions. Block 1 contains the protocol control bits, the error check, and the unique identifier, normally the EPC. Block 2 contains information about the tag, possibly including a unique tag identifier distinct from the EPC (that is, a number identifying the tag itself and not the object to which it is attached). Block 3 is user memory and may be organized in any fashion. A SELECT command, that works somewhat like the class 1 filter command, is available to choose tags which are to participate in a given inventory session.

If you'd like to get more familiar with the workings of the protocol, a simple tag emulator and control panel implemented in Python are available here. The emulator makes it possible to watch an example exchange between a reader and a tag.

The ISO 18000 suite describes a series of passive tag standards. 18000-6A and 18000-6B are distinct UHF tag protocols. A few aspects of the standards are common, but the modulations, symbol sets, and command sets are mostly incompatible. At the time of this writing (2007) it appears that 18000-6C will become the most common worldwide standard for UHF passive tags in supply chain applications.

The EPCglobal standards are specifically designed for supply chain applications. There are a number of other RFID protocols applicable to UHF operation, as well as numerous standards for LF and HF tags and readers.

www.enigmatic-consulting.com
