Hacking EZ Pass, E-ZPass (US toll road transponder)

[Renate]

The EZ Pass (technically "E-ZPass") is a toll road transponder used in the northeast of the US.
Wikipedia says: "This 915 MHz signal is sent at 500 kbit/s using the TDM (formerly IAG) protocol in 256‑bit packets."

No, I'm not talking about spoofing or fraud or anything like that.
The little plastic unit gives no indication that it is being polled or that a transaction has occured.
It's easy to drive through some checkpoint and not be sure if it registered or if the battery died.
The units are also polled for non-toll use to monitor traffic.

I figure that I could do some battery load monitoring and get a sense that it's active.
If it were cheap, I'd like a reader so that I could check if my transponder is working.
(That might even make a garage door opener, except that I have no garage.)

The best answer would be "Yeah, there are unpopulated places for two LEDs and a beeper on the circuit board."
I'll do a teardown later this weekend.
Does anybody have any experience with this?

[CJay]

readers for 915MHz aren't exactly expensive but may not be compatible with your tag.

https://www.aliexpress.com/item/1005002329191366.html?algo_pvid=b3366a49-8436-47e1-a908-77c3f23bb040&algo_exp_id=b3366a49-8436-47e1-a908-77c3f23bb040-2

I'd probably start out seeing if I could 'hear' the tag transaction using something like a laptop and RTL-SDR, from there maybe see if I could hack together some kind of receiver, 915MHz is an ISM band so there are plenty of solutions out there.

[TimFox]

The original "I-Pass" transponders used in Illinois would beep when activated by the tollgate, but that stopped long ago.  In remote areas, a blue light at the tollgate indicates a successful transaction with the transponder, but in metropolitan areas (such as the Chicago suburbs), that no longer happens.  I assume this was due to battery life concerns:  the older transponders used a replaceable battery but the new ones need to be replaced after a specified period.
I-Pass and E-ZPass are now reciprocal between Illinois and some (but not all) States east of Illinois.

[ajb]

Yeah, I imagine battery life is why there isn't any indicator on the tag itself.  Most of the tolls around me either have an LED matrix display that says "EZPass paid" or something, or they have a purple LED near the reader that flashes, although it's not positioned where you can see it from your car and would be hard to see in daylight anyway. 

AFAIK all EZPass tolls also have a video system and if the tag doesn't read they'll just look up your license plate and bill you that way--and presumably send you a letter or something to let you know there's a problem with your tag.  So if the purpose of the project is just to know that a toll was paid there's probably no need--the people who manage the system will help you make sure you pay your tolls, no need to worry about that! 

[Renate]

Well, I'm not so worried about them getting their money as the efficiency and competency of the system.
I went to renew the registration on my current vehicle and the online application asked me which vehicle I meant.
Among the choices was something that I junked about 30 years ago.

The EZ Pass system has a dozen states participating and they acknowledge that it take 72 hours for charges to appear.
Who's to say that some state won't send a piece of snail mail to some address I had decades ago?

The SDR sounds like a good idea.

[Renate]

So, I hacksawed it apart. Then removed the four melted/smooshed plastic posts and got the PCB.
It took a bit of doing.
I can imagine in another decade a landfill with millions of these suckers.

The decoder chip is a Kapsch (Mark IV) 322631-011.
I haven't found a datasheet yet. Most of those datasheet sites are a waste of time.

Looking at the PCB, it looks like there is space at the top for 3 LEDs?
The unpopulated 14 pin is the driver?

The 915 MHz stuff (at least in the first protocol) is very old, 1987.
They are moving to the new 5.9 GHz stuff.

[CJay]

DOesn't look complex, Motorola/On transponder/microcontroller, receiver/filter bottom right next to the tadiran battery and I think RF PA is the larger ceramic capped bit (very similar to the 433MHz one in my car key).

Agree the missing 14 pin chip could be drivers for LEDs but I suspect the Moto chip should be able to drive them direct.

[Renate]

I traced it out enough to see that the six pins on the left are power and what I presume are outputs on the 14 pin.
The LEDs all go to the 14 pin.
There's only a few component possibilities for the 14 pin so I presume that there is only one pulse stretcher.
The decoder chip only goes directly to pads on the 14 pin.

I wouldn't be surprised if the decoder chip was made by Motorola, but what makes you assert that?
Any idea of the pinout since that's what I'd have to deal with?

The 14 pin has 3.6V on pin 8 and ground on pin 7.
It's clearly not a 14/7 IC.
(Unless it's the other way and pin 1 is 3.6V and pin 14 is ground. But that makes less sense.)
The only thing I can think of with a similar pinout is the ULN2003A which has the clamp voltage on the upper right (but it's 16 pin).
Maybe a 6 channel transistor driver?

And is that area to the right of the LEDs with the big pads for a beeper?

[CJay]

If you draw out the schematic around the 14 pin device then it may become more clear.

The transponder has "On" marked near pin 1, On Semiconductor were/are Motorola semiconductor division.

No idea what the pinout would be but if you know it's a Moto/On part then it narrows down the field enormously.

Could be, could also be for a battery, again, need the schematic.

[Renate]

If you draw out the schematic ...

Well, yeah, but it's difficult.
The meaning of the LEDs is unknown and even the polarity isn't labelled.
Two of the LEDs are in parallel/anti-parallel, but one end is ground. It could be that only one is populated based on case.
All the traces to the decoder run under the chip and I don'e even know what the pinout of that is.
I'm not particularly looking to install the 14 pin, only to determine which of the decoder pins to monitor.
There is no test drive-through around here, I can only test by driving at highway speed through a checkpoint.

The decoder decodes multiple protocols, I'm not even sure if there is full handshake that would indicate a confirmed capture.
Query -> ID
Query -> ID -> Ack

So the pinout of the 14 pin so far:
Pin  2 input from decoder
Pin  3 output to single LED
Pin  7 ground
Pin  8 3.6V
Pin 14 output to double LED

[dmendesf]

As you have only one input to the 14 pin seems that the led info is coded (maybe serial?). I think you will have to log this pin output while driving.

[Renate]

As you have only one input ...

Well, pins 4, 5, 6 go to the decoder too.

Tracing can only help me so far when it's a chip with unknown function and pinout connected to another chip with unknown function and pinout.

I have seen one write-up of somebody just using a current shunt on the battery.
Still, I don't even know what the peak current is.

[Renate]

Of the five pins on the 14 pin (unpopulated) only pin 3 shows action.
It goes high (could be a short burst) every 1 of 18 milliseconds when under a scanner.
This could even be the demodulated receive signal.

But...
The transponder is dead. I must have killed it.
Since it has a soldered in lithium battery I'm wondering if the programming of the serial number is in RAM and not OTP or EEPROM.
I might have shorted something taking it apart.
Maybe this is a case for @Noopy

[Renate]

So can anybody identify the two RF thingies?

I tend to think that the big one is the receiver/demodulator and that it is unpowered and harvests the RF.
The labelling is almost unreadable, I make it out as "915F V013".
Of course that agrees with the 915 MHz.
Not shown, but the big one has two small (empty) holes that go through body of the module.

I tend to think that the small one is the transmitter or even the switched RF load?

I traced pin 3 of the 14 pin (the only thing that I saw active) and it goes to/from pin 3 of the big RF thingy.

[eb4fbz]

Both are RF filters. The small one is a SAW filter from Epcos and the second one is a dielectric filter.

[Renate]

Both are RF filters.

Ah, then I think that the stuff near the little filter is receive.
There are two 6 pin ICs down there both labelled "C1R".
I don't believe that they get fed any power.
Any idea what those are?

The big filter apparently? inhales the RF to modulate the back wave.

[Noopy]

I have taken some pictures of the Kapsch 322631-011 / 12069-002 / PWJ1548G. 






The epoxy was a little pig-headed but I finally was able to remove most of it.
The edge length of the die is 1,8mm. There is quite a big frame supplying the circuit.




The part was designed by AMI in 2000.
The small circuit on the left could be a clock generator... 




I don´t think that is a damaged spot. But what should this structure tell us? 




Too small...  That are mask revisions...




Most of the area is occupied by standard logic. In the upper right corner there is something different...




The typical standard logic. You can see the horizontal and the vertical supply lines. Between the horizontal supply lines there are the interconnections around the standard cells. The standard cells are too small to be identified. There are at least two layers of interconnection probably more. You can see the bigger lines on top of the other.




We can´t be sure what the special structure in the upper right corner does. Perhaps some memory? Probably...




There is an additional small circuit right of the memory (?) circuit outside of the supply frame. Could be a high voltage generator for an EEPROM. 




There is one testpad in the upper left corner.




It´s possible to distinguish the inputs and outputs. The input bondpads (left side) have smaller connections than the output bondpads (right side). Above the output bondpads you can see two horizontal slots that are probably connections to the supply. There are also some more vertical lines probably the output stages.




It´s possible to identify the supply contacts too. At the upper edge there is a bondpad directly connecting the metal frame and on the left side there is a bondpad that is connected to the outer frame that probably connects the substrate. Normally that´s the most negative potential, GND in this case.

Take a closer look... ...the output stages are different in size.


https://www.richis-lab.de/transponder02.htm

 

[Noopy]

I don´t think that is a damaged spot. But what should this structure tell us? 

Idaho! 

[Electro Fan]

I don´t think that is a damaged spot. But what should this structure tell us? 

Idaho! 

LOL

[Bassman59]

I don´t think that is a damaged spot. But what should this structure tell us? 

Idaho! 

It is indeed the outline of the state of Idaho.

Micron is based in Boise, that state's capital.

I wonder if Micron provided fab services for this.

[Noopy]

I don´t think that is a damaged spot. But what should this structure tell us? 

Idaho! 

It is indeed the outline of the state of Idaho.

Micron is based in Boise, that state's capital.

I wonder if Micron provided fab services for this.

AFAIK AMI has/had it´s headquarter in Idaho (Pocatello).

[Renate]

Hmm, so the 1/4 of the chip that could be memory can't be further identified?
Why is the top half and the bottom half of that such different structure?
Could any of it be encryption or ALU or something?
Why would it have a voltage generator unless it would write itself (besides the factory writing which it would seem easier to have external voltage)?

[Noopy]

Hmm, so the 1/4 of the chip that could be memory can't be further identified?
Why is the top half and the bottom half of that such different structure?
Could any of it be encryption or ALU or something?
Why would it have a voltage generator unless it would write itself (besides the factory writing which it would seem easier to have external voltage)?

Unfortunately the structures are too small to get more details. But I´m pretty sure with more magnification it would still be hard to get more details. I assume there are some security features that are visually protected.

In my view in the logic area you can integrate whatever you want. You can build an ALU a state machine, encryption, nearly everything. It´s even possible to built volatile memory.

They probably had a good reason to integrate the upper right part.

We can be sure that there are some security features. It is quite likely that there is some special memory in this area. Some memory which isn´t easily available, not optical and not electrical. To achieve this and since you don´t want to transmit the plain ID in always the same manner they probably integrated some encryption. The decryption / encryption has to be fast and hidden as good as possible. With this requirements it´s consequent to integrate a special area that hides your memory and does the fast crypto job without showing the way they go. As I have written before I assume we wouldn´t see much more with more magnification.

The small circuit on the far right looks like a voltage generator but we can´t be 100% sure.
My read is that it can write itself.