IEEE/ACM TRANSACTIONS ON NETWORKING 10 TABLE I:Summary of Gen2-compatible Tags Approach Function ImpinJ Monza series Alien ALN series NXP Tash r D E QT X-2K X-8K R6 9662 961097269820 9715 9716 U7xm 12C DNA MI (bits) 128 496 128 128 128/96 96 128 96-480 128 128 128 128 448 160 224 M3 (hits 32 1285122176 8192 512 512 128 128 128 128 2.0483.328 3.072 W/S/Q/R Truncate + + (1)'*'denotes this function is essential to Tash or TagMap;(2)''or'x'denote that this function is available or unavailable on tag:(3)W/S/Q/R denotes the commands of Write,Select,Query and RN16 respectively.(4)Ml and M3 denote memory bank 1(EPC memory)and memory bank 3(user defined memory). Applications bits,but the de facto standard remains 128 bits.In particular, the Monza serials of tags from ImpinJ were firstly release in2005[54]. All query related commands such as Select,Query and Gate Tag Reade RN16 are serviceable by all of the investigated tags.The Encoder Truncate is dispensable to Tash.Our real tests suggest that no Truncate-supportable tags in the market are Fig.13:TagMap reader architecture.The reader allows upper-layer application to provide a JSON-like configuration file and outputs the available currently,even though this is a mandatory function acquired BF in result file in the Gen2 protocol.This confines the effectiveness of Tash [43]in reality.However,TagMap leverages RN16 as opposite,which is called as uplink transmission.Both links presence signals and does not rely on this function.Thus, modulate data by OOK (i.e.,changing the amplitudes of the TagMap is universally applicable to today's commercial CW),but involve different channel coding methods. tags. Downlink (reader-tag):A reader encodes the data bits In summary,TagMap is perfectly compatible with the Gen2 using Pulse-Interval Encoding (PIE)for the downlink.The protocol and serves almost all of today's commercial tags even PIE coding has three user-defined parameters:Tari,Pw those released 13 years ago. (Pulse Width)and x.The Tari is the reference interval for the downlink signaling.Pw indicates the time duration C.Application Program Interface of the lower edge,which can be set to a value between For the sake of simplicity,the TagMap reader interacts 0.265Tari and 0.625Tari but is capped at 2us.The with upper applications through the file system.Applications duration of the bit '1'is x-us longer than that of bit 0' write parameters of each intercepted inventory into a JSON- and X must be between 0.5Tari and Tari.The downlink formatted setting file Code 1.In particular,the codes between rate varies between 27Kbps and 128Kbps with respect to the line 4 ~13 define two Select commands with different parameter choice.In our test,for the max-throughout,we pointers(i.e.,the random numbers).The reader encoder begins set above three parameters to 6.25us0.3Ti(1.87)to schedule the intercepted inventory based on the settingfile and 0.5Tari (3.125us). every time when it detects a change of the file.Majority of Uplink (tagreader):A tag uses either FMO or Miller signal processing is performed in GNURadio host computer. coding [47],both of which are highly similar to PIE.We The reader outputs decoded BFs into a "result"file,from omit their coding details because tags cannot be controlled which the upper applications can obtain the bitmap and meta in our design. data (time stamp,etc). 2{//Settings of an intercepted inventory B.Serviceability of Commercial Tags 3 "Select":【{ We investigate mainstream RFID tags in today's market "MEMBANK"[1,1],//MemBank3 in terms of their serviceability to the Gen2 commands that "P0 INTER":[0,0,0,0,0,0,1,1], "LENGTH":[0,0,0,0,0,0,1,1], TagMap and Tash require.For commercial interests,readers "MASK":[1,0,1] and tags are usually designed separately and produced by different manufactures.The Gen2 protocol is the glue that "MEMBANK"[1,1], adheres the two actors.We use our USRP reader to test 40 10 "P0 INTER":[0,0,0,0,1,0,0,1], 11 types of tag chips from ImpinJ [48].Alien [49]and NXP [50], "LENGTH":[0,0,0,0,0,0,1,1], "MASK":[1,0,1] which occupy majority of today's RFID market [1].Due to the 13 H. limited space,we only list the results of 15 basic models in "Query": Table.I as example,and will release the entire white paper on "SEL":[1,1],//Query all selected tags our website soon(for anonymity).We have the observations: 16 "SESSION":[0,0],//Inventory session "Q":[0,0,0,1]//set frame length to 1 Both TagMap and Tash require MemBank3 to store hash 18 values.The investigation suggests that 39/40=97.5%types 19 of tags serve to write to and read from their MemBank3. 20 The exception is ImpinJ Monza R6,which is read only.The Code 1:Program interface memory size of MemBank3 fluctuates around 32~3,328IEEE/ACM TRANSACTIONS ON NETWORKING 10 TABLE I: Summary of Gen2-compatible Tags Approach Function ImpinJ Monza series Alien ALN series NXP Tash Ours D E QT X-2K X-8K R6 9662 9610 9726 9820 9715 9716 U7xm I2C DNA ? ? M1 (bits) 128 496 128 128 128/96 96 128 96-480 128 128 128 128 448 160 224 ? ? M3 (bits) 32 128 512 2176 8192 × 512 512 128 128 128 128 2,048 3,328 3,072 ? ? W/S/Q/R X X X X X × X X X X X X X X X ? – Truncate × × × × × × × × × × × × × × × (1) ‘?’ denotes this function is essential to Tash or TagMap; (2) ‘X’ or ‘×’ denote that this function is available or unavailable on tag; (3) W/S/Q/R denotes the commands of Write, Select, Query and RN16 respectively. (4) M1 and M3 denote memory bank 1 (EPC memory) and memory bank 3 (user defined memory). Host USRP Source Matched Filter Gate USRP Sink Tag Decoder Reader Encoder BF Configure Applications Fig. 13: TagMap reader architecture. The reader allows upper-layer application to provide a JSON-like configuration file and outputs the acquired BF in result file. opposite, which is called as uplink transmission. Both links modulate data by OOK (i.e., changing the amplitudes of the CW), but involve different channel coding methods. • Downlink (reader → tag): A reader encodes the data bits using Pulse-Interval Encoding (PIE) for the downlink. The PIE coding has three user-defined parameters: Tari, PW (Pulse Width) and X. The Tari is the reference interval for the downlink signaling. PW indicates the time duration of the lower edge, which can be set to a value between 0.265Tari and 0.625Tari but is capped at 2µs. The duration of the bit ‘1’ is X-µs longer than that of bit ‘0’ and X must be between 0.5Tari and Tari. The downlink rate varies between 27Kbps and 128Kbps with respect to the parameter choice. In our test, for the max-throughout, we set above three parameters to 6.25µs, 0.3Tari (1.875µs) and 0.5Tari (3.125µs). • Uplink (tag → reader): A tag uses either FM0 or Miller coding [47], both of which are highly similar to PIE. We omit their coding details because tags cannot be controlled in our design. B. Serviceability of Commercial Tags We investigate mainstream RFID tags in today’s market in terms of their serviceability to the Gen2 commands that TagMap and Tash require. For commercial interests, readers and tags are usually designed separately and produced by different manufactures. The Gen2 protocol is the glue that adheres the two actors. We use our USRP reader to test 40 types of tag chips from ImpinJ [48], Alien [49] and NXP [50], which occupy majority of today’s RFID market [1]. Due to the limited space, we only list the results of 15 basic models in Table. I as example, and will release the entire white paper on our website soon (for anonymity). We have the observations: • Both TagMap and Tash require MemBank3 to store hash values. The investigation suggests that 39/40 = 97.5% types of tags serve to write to and read from their MemBank3. The exception is ImpinJ Monza R6, which is read only. The memory size of MemBank3 fluctuates around 32 ∼ 3, 328 bits, but the de facto standard remains 128 bits. In particular, the Monza serials of tags from ImpinJ were firstly release in 2005 [54]. • All query related commands such as Select, Query and RN16 are serviceable by all of the investigated tags. The Truncate is dispensable to Tash. Our real tests suggest that no Truncate-supportable tags in the market are available currently, even though this is a mandatory function in the Gen2 protocol. This confines the effectiveness of Tash [43] in reality. However, TagMap leverages RN16 as presence signals and does not rely on this function. Thus, TagMap is universally applicable to today’s commercial tags. In summary, TagMap is perfectly compatible with the Gen2 protocol and serves almost all of today’s commercial tags even those released 13 years ago. C. Application Program Interface For the sake of simplicity, the TagMap reader interacts with upper applications through the file system. Applications write parameters of each intercepted inventory into a JSON￾formatted setting file Code 1. In particular, the codes between line 4 ∼ 13 define two Select commands with different pointers (i.e., the random numbers). The reader encoder begins to schedule the intercepted inventory based on the setting file, every time when it detects a change of the file. Majority of signal processing is performed in GNURadio host computer. The reader outputs decoded BFs into a “result” file, from which the upper applications can obtain the bitmap and meta data (time stamp, etc). 1.... 2 {//Settings of an intercepted inventory 3 "Select": [{ 4 "MEMBANK":[1, 1], //MemBank3 5 "POINTER":[0, 0, 0, 0, 0, 0, 1, 1], 6 "LENGTH":[0, 0, 0, 0, 0, 0, 1, 1], 7 "MASK":[1, 0, 1] 8 },{ 9 "MEMBANK":[1, 1], 10 "POINTER":[0, 0, 0, 0, 1, 0, 0, 1], 11 "LENGTH":[0, 0, 0, 0, 0, 0, 1, 1], 12 "MASK":[1, 0, 1] 13 }], 14 "Query": { 15 "SEL":[1,1],//Query all selected tags 16 "SESSION":[0,0],//Inventory session 17 "Q":[0,0,0,1] //Set frame length to 1 18 } 19 } 20... Code 1: Program interface