M1flex installation with Apex needle

Incidentally Saturn9, the read range when you approach your ACR122U reader to your forearm is surprisingly poor: with an antenna coil that size, I expected something like half the range of a full size credit card tag - so maybe an inch or more.

8 mm is what I get with the same reader and my conventional NFC glass implant (not DT). Is that kind of performance typical of NFC Flex implants? Because going to the trouble of implanting something that size and not getting any real read range benefit would be a bit disheartening, to say the least.

Completely depends on the reader. The ACR122U has a great antenna, so it couples really well from a variety of orientations, but it doesn’t have very high power output to couple over great distances. That’s also the primary benefit of a flex implant, it couples well from different angles so you don’t have to be finicky about finding the sweet spot.

With HF implants, no matter what coil shape or size, you’re not likely to get more than 3cm of read range. Add to that the attenuation introduced by skin and (in my case) large blood vessels and the range diminishes a bit more. Communicating via magnetic field is inherently a short range endeavor.

2 Likes

Yes, but I’m only considering read ranges of different transponders with the same reader in ideal conditions. So the particular reader and orientation doesn’t matter.

The ACR122U does read credit cards with the right shape and size coils from a good 2 inches away. A Flex also has the right shape coil, just not the right size. Hence my expecting it to yield maybe half of that.

I have a small coin-sized Mifare Ultralight that the ACR122U reads over an inch away when I put it inside my mouth against the inside of my cheek. I sort of thought the Flex would yield a similar read range. Half an inch at worst. That’s why I was very surprised to see how close you had to bring your reader to your arm.

Well, that’s the other thing: in your video, you seemed to have to hit exactly the right spot to get it to read. It doesn’t appear to be very forgiving. But then videos have a knack for showing a distorted version of reality. Do you reckon your Flex reads more easily than your glass implant?

Out of interest, why? As in why is read range the main concern, I would think it’s easier to get close enough to a reader than to find the right angle in day to day use.

1 Like

Oh yeah, it’s so much easier to read. If I had to position my phone precisely on the sweet spot of my NExT to unlock it every time I would pull my hair out. To read my flexDF reliably I just need to hover my phone a few mm over my skin in a wide range of orientations and I’m good. I don’t know if I can recommend this install location, though. It’s kinda tight.

Just technical curiosity…

Although I do have other reasons: when I ask about read range, I’m indirectly trying to assess how well it couples with the reader’s coil, because I’d be interested to make that thing work for me. With my M1k - which, for a glass implant, is quite a hard hitter - it won’t wake up no matter what. I’m sort of hoping a Flex would.

Also, if it made it a bit easier to trigger my Yale Doorman, that would be a plus too. While I can open my front door with the glass Mifare, it takes great skill to stick my hand at precisely the right spot.

Okay that’s good to know.

I guess I’m luckier than you with my glass implant, because it’s much less finicky than that. Most phones require me to be within, say, half an inch of the magic spot. But once I find it, it hits easily each and every time. And usually it’s not that hard to find, because it’s either around the camera lens, or over the battery. So I guess my own experience makes me a lot less easy to please with potential improvements :slight_smile:

It’s tough to think about these abstract field behaviors in a tactile way. Read range is not linearly related to the size of the coil. A 4cm diameter circular coil will not read from twice as far away as a 2cm.

Additionally, most of the flex implants do not have a circular coil (which is the ideal shape for coupling efficiency). Most flex implants have an elongated coil of approximately 25mm length and 4mm width, to get the best performance with the least install difficulty. The length doesn’t primarily increase the read range, it primarily helps with coupling orientation. If you’re solely examining the read range, the flex implants might as well have a 5mm diameter circular coil.

Hopefully that helps explain some of the perceptions about the performance.

1 Like

I’m really impressed with how well those flex implants hold up to abuse, they will definitely be worth the hassle of implanting them

2 Likes

I mean, if you ever want someone to stab you with a flathead, let me know. We can have an in vivo test.


1 Like

This can never ever be the case because it takes two to tango, as they say. The reader antenna shape and power output are what creates the shape and size of the magnetic field that the tag antenna must couple with. You can never have a tag that is universally good for every reader… except when every reader is designed to work with specific tag antenna shapes (like ISO card dimensions)… in fact, the ISO14443 standard has several parts, and part 1 specifically deals with antenna shapes.

The ACR122U has a very VERY interesting coil design… it’s sandwiched between a ground plane which is something I’ve never actually seen in use before in my life… but the result is a very specifically shaped magnetic field that is REALLY good within a short range. You will notice that the reader plastic actually has an indent on the face of it the size of an ISO credit card… this is so contactless cards can be dropped into that indent and have a ROCK SOLID coupling. Other shapes, not so great at range, but if you position them correctly, they too will have a very solid connection, just not a lot of range.

If you want to study the black arts of magnetic field coupling, look into antenna Q factors and how that can affect range vs coupling quality… in fact, the proxmark3 rdv4 LF antenna even has switches to change the Q factor of the reader antenna so you can choose range or accuracy (low noise) of the coupling … and these switches do nothing to the power output, they just change the harmonics of the antenna itself to adjust the Q factor.

*this antenna has been modified to remove the LF coil

1 Like

All that said, the best general antenna shape for tags is one that is equilateral, meaning circles and perfect squares typically have the best chance at coupling with most basic flat spiral plane or flat circle / square reader antennas. That has a lot to do with how the lines of flux cross the antenna and what effect they have in which direction. To make the flex implants easily implantable, we squish that antenna down into a long narrow run, which reduces the orientations in which it will couple well with most reader antennas… effectively giving it a “sweet spot” where a perfect circle like the flexEM has a much broader area with which to couple to a reader’s field.

This is a real test with a flexM1 gen2 which is working at 2cm (20mm) above the face of the reader. This is exactly half of the 4cm the “perfect” full size ISO credit card gets on the same reader… so I’d say range is great… it’s just that unlike the card, range is affected by position and orientation.

4 Likes

I feel Amal said this before he typed.

Edit to say: I am very appreciative Amal just does the things we wonder about when he can.

4 Likes

The flexM1 product announcement has a direct comparison between xM1 and flexM1 range with the ACR122U…

4 Likes

You misunderstood me. Of course antenna shapes and orientation matter. What I meant to say was that I was comparing the best read range in the best orientation for a given transponder/reader combination, on the same reader for two different transponders, so I can get variables out of the equation and only compare the read range difference between two transponders.

It may seem pointless to compare read ranges that way. But look at it from a practical perspective: if you want to get a stubborn reader or cellphone to read, you have to find the best spot and twist your hand into odd shapes - which means, in reality, that you’re positioning / orienting your implant to get best coupling anyway. So if you already know transponder t1 reads at max distance d1 and transponder t2 at max distance d2 in the best case scenarios, maybe you have a chance to guesstimate whether or not transponder t2 has a chance to trigger that reader that t1 doesn’t.

At the end of the day, what’s really needed is measuring instruments and samples. But absent that, the “tool” I’m working with to determine if a Flex implant would trigger an Idesco door handle before buying said door handle is your internet forum, the forum dwellers’ goodwill (thank you guys for the wealth of information by the way, this is really rare and noteworthy on the internet!) and their subjective feeling on how well this-or-that implant works. Hardly scientific…

This is much more in line with what I expected to see. So it does look like Satur9’s Flex has a slight problem after all :slight_smile: Just kidding…

2 Likes

Lol. 2cm off the reader does comport with my brief experiment in the video, though. I was roughly estimating 8mm off the surface of my skin, but there’s at least 5mm of slightly attenuating flesh in the way, and I didn’t perfectly position the reader, and it’s a flexDF not a flexM1

3 Likes

I do get 1cm of the flexM1 on my Yale Doorman & an RC-522 reader hooked up to an Arduino :slightly_smiling_face:

3 Likes

Hi,
per our private discussion I did some research on this with my Gen1 and Gen2 cards and here are the findings.

So the idea is to write incorrect access bits to sector trailer and see what happens. I used Amal’s document as a starting point for good access bit values: http://amal.net/wp-content/uploads/2012/11/NFC-Access-Control-for-Mifare-S50.pdf
These are good, valid access bits: 787788. I then modified a single bit to get invalid values:

  • 797788 - invalid inverted bit for block 0
  • 7A7788 - invalid inverted bit for block 1
  • 7C7788 - invalid inverted bit for block 2
  • 707788 - invalid inverted bit for block 3
  • 786788 - invalid “regular” bit for block 0
  • 785788 - invalid “regular” bit for block 1
  • 783788 - invalid “regular” bit for block 2
  • 78F788 - invalid “regular” bit for block 3

More invalid combinations can be generated. I tested with the above to “cover” scenarios when “regular” and inverted bits are invalid.

Gen1 findings

  • Messing up access bits does indeed lock the whole sector for reads and writes (with either key A or key B).
  • Other sectors on the card are NOT affected by the messed up sector. Reading other sectors on a card works fine with regular Mifare commands.
  • Chinese “magic” commands can still read everything normally - even when access bits are invalid!
  • Chinese “magic” commands CAN easily fix invalid access bits. Just write valid access bits to sector trailer and done. Previously written values in data blocks are preserved.
  • After fixing the sector with the Chinese “magic” command, data blocks in the sector can normally be read and written.

Gen2 findings

  • Writing invalid access bits locks the whole sector. Can’t read with either key A or key B. Proxmark returns an error:

    #db# Auth error
    failed reading block

  • Reading from and writing to other sectors on the card still works fine. Messed up sector does NOT affect the whole card.

  • If sector access bits are messed up, it’s game over for that sector. It’s locked forever. I was unable to find a way to fix access bits with either key A or key B.

6 Likes
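The consistency rule behind the valid and invalid values listed in the post above, as an added example that is not part of the original post: each access condition bit is stored once as-is and once inverted, and a sector trailer is only consistent when the two agree for every block. The sketch assumes the standard MIFARE Classic 1K layout of trailer bytes 6 to 8; the function names are hypothetical.

```python
# Added example: consistency check for MIFARE Classic sector-trailer access bits.
# Assumed layout of trailer bytes 6..8 (standard MIFARE Classic 1K):
#   byte 6: high nibble = ~C2, low nibble = ~C1
#   byte 7: high nibble =  C1, low nibble = ~C3
#   byte 8: high nibble =  C3, low nibble =  C2
# Bit n of each nibble belongs to block n of the sector (block 3 = trailer).

def parse_access_bits(hex_str):
    """Split 3 access bytes into (plain, inverted) nibbles for C1, C2, C3."""
    raw = bytes.fromhex(hex_str)
    if len(raw) != 3:
        raise ValueError("expected exactly 3 access bytes (trailer bytes 6-8)")
    b6, b7, b8 = raw
    return {
        "C1": (b7 >> 4, b6 & 0x0F),
        "C2": (b8 & 0x0F, b6 >> 4),
        "C3": (b8 >> 4, b7 & 0x0F),
    }

def find_mismatches(hex_str):
    """Return [(condition, block)] where a stored bit and its inverse disagree."""
    bad = []
    for name, (plain, inverted) in parse_access_bits(hex_str).items():
        diff = plain ^ inverted ^ 0x0F  # set bits mark plain == "inverse"
        bad += [(name, blk) for blk in range(4) if diff >> blk & 1]
    return bad

def block_conditions(hex_str):
    """Return the (C1, C2, C3) triple for blocks 0..3; refuse inconsistent input."""
    if find_mismatches(hex_str):
        raise ValueError("inconsistent access bits, do not write: " + hex_str)
    nib = {k: v[0] for k, v in parse_access_bits(hex_str).items()}
    return [tuple(nib[c] >> blk & 1 for c in ("C1", "C2", "C3")) for blk in range(4)]

# Values taken from the post above.
VALID = "787788"
INVALID = ["797788", "7A7788", "7C7788", "707788",
           "786788", "785788", "783788", "78F788"]

if __name__ == "__main__":
    print(VALID, "ok", block_conditions(VALID))
    for value in INVALID:
        print(value, "mismatch at", find_mismatches(value))
```

Running a check like this on the three access bytes before writing a sector trailer catches a flipped bit while it is still only a value in software.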

By “memory tear” you mean repetitive reads and writes (like hundreds or thousands of iterations)? A thousand writes go well, and then on the 1001st write the card erroneously writes a single invalid access bit and the sector is locked?

I guess this can happen… but my uneducated guess is these scenarios are more likely to happen:

  • A user plays with the card and writes invalid access bits
  • The whole card randomly stops working

I thought tears were generally caused by decoupling or poor coupling during the process of a write causing garbage data to be written.

I think what @amal meant by tearing in the context he used it is what @Dean is thinking.

As in if an erroneous bit gets written to the sector trailer by a coupling accident or a writing hardware glitch, is it recoverable?

From looking at @franskav’s very detailed post (great work, thanks for such an in depth write up!) it seems the answer is that Gen1 is pretty safe and unbrickable, but Gen2 can possibly be bricked more easily, so it should be treated with care when performing writes.

Does that conclusion seem to match what everyone is thinking?

1 Like