Disney theme park customers have special RFID bands, called MagicBand, helping them use the parks. A 13-month old Wired article called this a $1B bet on their MagicBands, but such an expenditure would have been more on the back end, rather than on the bands themselves. https://www.wired.com/2015/03/disney-magicband/ At the time, Disney was quite forthcoming with tech details, photos and teardowns about the RFID bands. EETimes has a video, http://www.eetimes.com/author.asp?section_id=69&doc_id=1320977 At one level the MagicBands operated as 2.4GHz devices, but they also had a longer-range low-frequency capability they didn't discuss. This was explored by the fellow at AtDisneyAgain. See https://atdisneyagain.com/2014/01/27/making-the-band-magicband-teardown-and-more/ Their design has recently dramatically changed, which is obvious by comparing this photo I took, see dropbox, to the earlier teardowns. https://www.dropbox.com/s/sl5c4sh22idv4mp/2017_Disney_MagicBand_pcb.jpg?dl=0 I wasn't able to identify the new 32-pin primary RFID controller IC. But note the coupling components and the 1/4 turn 2.4GHz antenna. I also wasn't able to identify the large RF driver-IC / module connected to the outer five-turn low-frequency antenna loop (outer diameter 0.85 x 1.0 inches). Nor could I find any information about the low-frequency system, except that it could work at longer ranges. Perhaps somebody here can help. -- Thanks, - Win
RFID - the Disney way, two frequency bands
Started by ●April 28, 2017
Reply by ●April 29, 20172017-04-29
On 29/04/2017 03:10, Winfield Hill wrote:> Disney theme park customers have special RFID bands, called MagicBand, helping > them use the parks. A 13-month old Wired article called this a $1B bet on their > MagicBands, but such an expenditure would have been more on the back end, rather > than on the bands themselves. https://www.wired.com/2015/03/disney-magicband/ > > At the time, Disney was quite forthcoming with tech details, photos and > teardowns about the RFID bands. EETimes has a video, > http://www.eetimes.com/author.asp?section_id=69&doc_id=1320977 > > At one level the MagicBands operated as 2.4GHz devices, but they also had a > longer-range low-frequency capability they didn't discuss. This was explored by > the fellow at AtDisneyAgain. See > https://atdisneyagain.com/2014/01/27/making-the-band-magicband-teardown-and-more/ > > Their design has recently dramatically changed, which is obvious by comparing > this photo I took, see dropbox, to the earlier teardowns. > https://www.dropbox.com/s/sl5c4sh22idv4mp/2017_Disney_MagicBand_pcb.jpg?dl=0 > > I wasn't able to identify the new 32-pin primary RFID controller IC. But note > the coupling components and the 1/4 turn 2.4GHz antenna. > > I also wasn't able to identify the large RF driver-IC / module connected to the > outer five-turn low-frequency antenna loop (outer diameter 0.85 x 1.0 inches). > Nor could I find any information about the low-frequency system, except that it > could work at longer ranges. > > Perhaps somebody here can help. > >125-128kHz and 13.56Mhz are two other RFID frequencies much used. Clearly not enough turns for LF so my guess is they use 13.56Mhz and 2.4GHz. There are a lot of microcontroller+RF chips made for Zigbee/bluetooth usage that would be candidates for the 32pin device, for example I have seen Chipcon CC2xxx parts used for just that kind of RFID token. Are you sure that larger object you think is an RF driver-IC is some kind of semiconductor? I wonder if it is a capacitor or filter? piglet
Reply by ●April 29, 20172017-04-29
Winfield Hill <hill@rowland.harvard.edu> writes:> I wasn't able to identify the new 32-pin primary RFID controller IC. But note > the coupling components and the 1/4 turn 2.4GHz antenna.From the part number it's Nordic Semiconductors nRF31512. There's not much information in the web about it, but nRF has had a lot of chips that offer reduced functionality with lower price. I could not find any datasheets or detailed information, but they've had a lot of proprietary 900MHz, 2.4GHz, BLE chips with 8051 and Cortex-M0/M4. -- mikko
Reply by ●April 29, 20172017-04-29
Mikko OH2HVJ wrote...> > Winfield Hill writes: > >> I wasn't able to identify the 32-pin primary RFID IC... > > From the part number it's Nordic Semiconductors nRF31512. > There's not much information in the web about it, but nRF has had > a lot of chips that offer reduced functionality with lower price.Yes, that sounds right. A special reduced-functionality part. No doubt Disney bought millions at a reduced price. -- Thanks, - Win
Reply by ●April 29, 20172017-04-29
Winfield Hill wrote:> Mikko OH2HVJ wrote... > > > > >> I wasn't able to identify the 32-pin primary RFID IC... > > > > From the part number it's Nordic Semiconductors nRF31512. > > There's not much information in the web about it, but nRF has had > > a lot of chips that offer reduced functionality with lower price. > > Yes, that sounds right. A special reduced-functionality > part. No doubt Disney bought millions at a reduced price. >** Right - a "Micky Mouse" part at a "Minnie Mouse" price. ... Phil
Reply by ●April 29, 20172017-04-29
On 28 Apr 2017 19:10:39 -0700, Winfield Hill <hill@rowland.harvard.edu> wrote:>Disney theme park customers have special RFID bands, called MagicBand, helping >them use the parks.You might find this site easier to navigate than the FCCID mess: <https://fccid.io/Q3E-MB-R1G1> If you go to the FCCID search page at: <https://apps.fcc.gov/oetcf/eas/reports/GenericSearch.cfm> and enter: Grantee Code = Q3E Show [99] records (at bottom of page) and click "start search", you'll get all 12 of Disney's listings. The latest is dated Jan 2016 for the molded watch band. Also, notice the lower and upper frequencies in the 2.4GHz band. A few seem to be specific frequencies rather than ranges, such as 2482.0 MHz for the Q3E-xBR-R1G1 reader. From: <https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=1819645> "The model xBR V3 device, with the FCC product code Q3E-xBR-R1G1, has multiple receiving radios to receive signals from wristband transmitters. The device also transmits using a single radio to control the wrist bands." It would be interesting to know what they "control" on the wrist band? Perhaps a Star Trek style "Agonizer"? The design was by Synapse (A Cambridge Consultants Company): <http://www.synapse.com/projects> The use of "UHF" in the tag was removed from the FCC certification in 2013 making the tag operational only on 2.4GHz: <https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=1948649> Strictly speaking, UHF means 300-3000MHz, so 2.4GHz would be considered UHF. <https://en.wikipedia.org/wiki/Ultra_high_frequency> The 5 turn outer loop is 13.56MHz. Try this calculator to be sure: <https://www.medo64.com/2014/11/rectangular-nfc-antenna-calculator/> For something that isn't going to be used, the loop has appeared in all the known versions. Somewhat later versions of the band: <https://atdisneyagain.com/2014/01/27/making-the-band-magicband-teardown-and-more/> <https://atdisneyagain.files.wordpress.com/2014/01/making-the-band-025.jpg?w=1000&h=> show the 13.56MHz loop buried in a flex PCB. The chip in the photo is someone's RFID chip which appears to be only connected to the 13.56MHz antenna. My guess(tm) is that there are actually two RFID devices in the package. One non-removable battery powered active device for 2.4GHz, and one passive device for 13.56MHz. Using the "follow the money" principle, my guess(tm) would be that the 13.56MHz section is for some kind of NFC payment device for a future "Disney Pay" contrivance as illustrated in the FCCID pages: <https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=1979266> Yet another guess(tm). The 2.4GHz device might be transmitting a beacon at some random interval, which would likely be used for tracking visitors in the park. If the band you tore apart is still functional, you might check for this feature. Did the device you posted at: <https://www.dropbox.com/s/sl5c4sh22idv4mp/2017_Disney_MagicBand_pcb.jpg?dl=0> have a different FCCID number from the previous mutations? (Q3E-MB-R1G1) -- Jeff Liebermann jeffl@cruzio.com 150 Felker St #D http://www.LearnByDestroying.com Santa Cruz CA 95060 http://802.11junk.com Skype: JeffLiebermann AE6KS 831-336-2558
Reply by ●April 29, 20172017-04-29
On Sat, 29 Apr 2017 11:00:27 -0700, Jeff Liebermann <jeffl@cruzio.com> wrote: (...) Disney also has some other FCC ID prefixes. <https://fccid.io/Q3E> <https://fccid.io/2AJS4> 2AJS4-TP-R1G2 <https://fccid.io/document.php?id=3354163> "The TPv2 is a second generation Digital Access Point. The primary function of the device is to read multiple media types and relay that information using an Ethernet connection. The TPv2 is able to read HF RFID tags. The TPv2 can read UHF RFID tags embedded in cards. The TPv2 also has 2.4 GHz transmit and receive radios." So, it's a reader with 3 frequency bands, 13.56MHz, 900MHz(UHF), and 2.4GHz (bi-directional). This reader was added recently (Apr 11, 2017): 2AJS4-TP-R1G2 <https://fccid.io/2AJS4-TP-R1G2> I'm not sure what this device really looks). Notice that it transmits on 900MHz and 2.4GHz, and receives on 13.56, 900MHz, and 2.4GHz. The RF test report includes tests for all 3 bands, so I guess 900MHz is back in the picture. -- Jeff Liebermann jeffl@cruzio.com 150 Felker St #D http://www.LearnByDestroying.com Santa Cruz CA 95060 http://802.11junk.com Skype: JeffLiebermann AE6KS 831-336-2558
Reply by ●April 29, 20172017-04-29
On Sat, 29 Apr 2017 12:58:48 -0700, Jeff Liebermann <jeffl@cruzio.com> wrote:>On Sat, 29 Apr 2017 11:00:27 -0700, Jeff Liebermann <jeffl@cruzio.com> >wrote: >(...) > >Disney also has some other FCC ID prefixes. ><https://fccid.io/Q3E> ><https://fccid.io/2AJS4> > >2AJS4-TP-R1G2 ><https://fccid.io/document.php?id=3354163> > "The TPv2 is a second generation Digital Access Point. > The primary function of the device is to read multiple media > types and relay that information using an Ethernet connection. > The TPv2 is able to read HF RFID tags. The TPv2 can read UHF > RFID tags embedded in cards. The TPv2 also has 2.4 GHz transmit > and receive radios." >So, it's a reader with 3 frequency bands, 13.56MHz, 900MHz(UHF), and >2.4GHz (bi-directional). > >This reader was added recently (Apr 11, 2017): >2AJS4-TP-R1G2 ><https://fccid.io/2AJS4-TP-R1G2> >I'm not sure what this device really looks). Notice that it transmits >on 900MHz and 2.4GHz, and receives on 13.56, 900MHz, and 2.4GHz. The >RF test report includes tests for all 3 bands, so I guess 900MHz is >back in the picture.Low frequency receive and high frequency transmit are quite common... saves power since receiver is either on all the time, or keyed on to listen every fraction of a second or so... the chip designs I did for SAVI Technology (was independent, then Lockheed-Martin, now private: LaSalle Capital Group) were like that... since they're primarily used to track trucks and pallets. ...Jim Thompson -- | James E.Thompson | mens | | Analog Innovations | et | | Analog/Mixed-Signal ASIC's and Discrete Systems | manus | | STV, Queen Creek, AZ 85142 Skype: skypeanalog | | | Voice:(480)460-2350 Fax: Available upon request | Brass Rat | | E-mail Icon at http://www.analog-innovations.com | 1962 | Thinking outside the box... producing elegant solutions. "It is not in doing what you like, but in liking what you do that is the secret of happiness." -James Barrie
Reply by ●April 29, 20172017-04-29
On Sat, 29 Apr 2017 13:39:46 -0700, Jim Thompson <To-Email-Use-The-Envelope-Icon@On-My-Web-Site.com> wrote:>On Sat, 29 Apr 2017 12:58:48 -0700, Jeff Liebermann <jeffl@cruzio.com> >wrote: > >>On Sat, 29 Apr 2017 11:00:27 -0700, Jeff Liebermann <jeffl@cruzio.com> >>wrote: >>(...) >> >>Disney also has some other FCC ID prefixes. >><https://fccid.io/Q3E> >><https://fccid.io/2AJS4> >> >>2AJS4-TP-R1G2 >><https://fccid.io/document.php?id=3354163> >> "The TPv2 is a second generation Digital Access Point. >> The primary function of the device is to read multiple media >> types and relay that information using an Ethernet connection. >> The TPv2 is able to read HF RFID tags. The TPv2 can read UHF >> RFID tags embedded in cards. The TPv2 also has 2.4 GHz transmit >> and receive radios." >>So, it's a reader with 3 frequency bands, 13.56MHz, 900MHz(UHF), and >>2.4GHz (bi-directional). >> >>This reader was added recently (Apr 11, 2017): >>2AJS4-TP-R1G2 >><https://fccid.io/2AJS4-TP-R1G2> >>I'm not sure what this device really looks). Notice that it transmits >>on 900MHz and 2.4GHz, and receives on 13.56, 900MHz, and 2.4GHz. The >>RF test report includes tests for all 3 bands, so I guess 900MHz is >>back in the picture.>Low frequency receive and high frequency transmit are quite common...I'll assume that you're talking about the tag, not the reader.>saves power since receiver is either on all the time, or keyed on to >listen every fraction of a second or so...I don't see how that saves power. As I understand it, having both 13.56Mhz and 2.4GHz gives the tag the advantage of still being functional if the battery dies in the active tag and/or can do full duplex with data to the tag on 13.56MHz and from the tag on 2.4GHz. A passive 13.56MHz tag is cheap but a limited range of about 8 meters max as I recall. Meanwhile, the active 2.4Ghz tag can do very long distances. For example: <http://www.synometrix.com/synotag-2/active-rfid/> Judging by the button cell used by the Disney MagicBand, I would guess(tm) that these have about the same range as an automotive alarm key fob (30 meters). Since the MagicBand battery is small and cannot be replaced, methinks the intended lifetime might be rather short. So, rather than have someone show up at the gate with a dead battery in their MagicBand, the reader can at least identify the owner on 13.56MHz, which somewhat explains the 2nd tag. However, I'm guessing (as usual).>the chip designs I did for >SAVI Technology (was independent, then Lockheed-Martin, now private: >LaSalle Capital Group) were like that... since they're primarily used >to track trucks and pallets. > > ...Jim ThompsonI believe that their biggest customers are NATO and the US military: <http://www.savi.com/company/customers/nato/> -- Jeff Liebermann jeffl@cruzio.com 150 Felker St #D http://www.LearnByDestroying.com Santa Cruz CA 95060 http://802.11junk.com Skype: JeffLiebermann AE6KS 831-336-2558
Reply by ●April 30, 20172017-04-30
On 04/29/2017 03:58 PM, Jeff Liebermann wrote:> This reader was added recently (Apr 11, 2017): > 2AJS4-TP-R1G2 > <https://fccid.io/2AJS4-TP-R1G2> > I'm not sure what this device really looks). Notice that it transmits > on 900MHz and 2.4GHz, and receives on 13.56, 900MHz, and 2.4GHz. The > RF test report includes tests for all 3 bands, so I guess 900MHz is > back in the picture.Disney theme parks have a lot of rides and attractions that are completely indoors, say Space Mountain, the Epcot dome, and whatever else they've built in the 2 decades or so since I was last at the Magic Kingdom. Could they be using some kind of system where they have local 2.4 GHz receivers for the wristbands within the indoor attractions, but are then transmitting at a higher power on a lower frequency from a centralized location to achieve wall penetration, so they don't have to also install a transmitting system in every single building?
