PCF7931

John78 · 2012-11-05 04:58:33

Hello,

I have some PCF7931 tags, which are 1k memory tags that works at 125kHz.
First of all I would like to read those tags with the pm3.

The thing is a complete transmission takes a lot of cycles :
there are 128 bytes organised in 8 blocks of 16 bytes each.
Data are ASK modulated and coded using Diphase, that means during a period
of 64 carrier periods (64 x 8µs), if there is no change of state a 'one' is read,
if there are 2 changes of state, a "zero" is read. After every period, the state change.

That beeing said, a complete transmission takes (128bytes x 8bits x 64carrier period + 8 x 384carrier period) x 8µs
(The 8 x 384 are pauses between blocks in order to enter in programming mode.)
To simply read a tag completely roughly 549ms (68608 carrier period)!!

My question is how can I record this with the pm3?
As far as I have read in the documentation and in the forums, the pm3 uses the 2k of RAM in the ARM µC, that is
very small compared to the 68608 that I would need at least to record.
Is there a snoop mode available now in the pm3 or a simple pass through mode that would feed in "real time" samples
from the ADC to the USB? If the USB link can't follow the speed, downsampling would work because one bit takes
64 pm3 sampling period.

The snooping, pass through or spy mode mode could also be used to spy data exchange with a reader, because
the communication from the reader to the tag is far more slower.

Any clue?
Any help from anybody who has already have to face those problems would be greatly appreciated.

Best regards,
John.

Cex · 2012-11-08 08:07:38

The AT91SAM7S has 64K of RAM, not 2K.
The PM3 firmware has a buffer of 10.000 samples.

If you check the DoAcquisition125k routine, you'll see how the samples are read.
You can make a variant where only some samples are stored in buffer instead of all of them.

Regards.

John78 · 2012-11-09 15:08:14

OK I see the code is really straightforward, I could have had a look myself, sorry, but I wanted to know wether such feature was already in the firmware
before digging in the code.
Thanks a lot.

Chalk · 2013-01-02 09:11:00

Hi,

I wrote code to read PCF7931 some time ago, I can port it to the latest version of the firmware/client and commit it, it someone give me the correct permissions. Or I can send my patch to a contributor.

Regards.

moebius · 2013-01-02 20:28:49

Chalk wrote:

Hi,
I wrote code to read PCF7931 some time ago, I can port it to the latest version of the firmware/client and commit it, it someone give me the correct permissions. Or I can send my patch to a contributor.
Regards.

ask Roel.

rule · 2013-01-02 22:15:41

Please sent me your google account and I'll give you SVN access.

Thijs · 2013-01-15 11:17:31

Chalk wrote:

Hi,
I wrote code to read PCF7931 some time ago, I can port it to the latest version of the firmware/client and commit it, it someone give me the correct permissions. Or I can send my patch to a contributor.
Regards.

Hi Chalk, It would be very nice to have that code, did you commit it already?

Chalk · 2013-01-15 20:33:32

Not yet, my code works for my tag, which only has 4 blocks. I didn't test it on other tags. If you have one, do you want to be beta tester ? Or I can commit with a warning about the lack of tests ...

Thijs · 2013-01-16 12:32:29

I suggest that you commit your code (with a warning).
I do have some PCF7931DS transponders, but no datasheet. Do you have the datasheet? Maybe you can commit the sheet also?

Chalk · 2013-01-18 22:30:27

I've commited the code -> revision 650
You can test it and write me if you got errors.

Here is also the datasheet I found for the PCF7931:
http://www.grix.it/UserFiles/battlechess/File/pcf7931.pdf

Thijs · 2013-01-21 21:51:37

Thanks! I will take a look at the code and post my findings as soon as possible.

rule · 2013-03-01 12:31:44

Does your code provide more features than the pcf7931 in the current trunk/cdc version? or is more stable? then it could be wise to update to your code.

If you have more code that supports various tags that are currently not supported, feel free to contribute.

For svn access, please send me your google account.

asper · 2013-04-17 11:14:51

The PCF7931 read command works GREAT ! (I only have to put the that perpendicular to my antenna)

Does anyone know how/want to implement the "write" function for it ?

jonor · 2013-08-25 17:14:43

@asper have you a photo of your antenna?
I would like to try to read, but with my antenna, I have some problems. Maybe is too big.

asper · 2013-08-25 18:56:19

It is a normal empty&cutted plastic ribbon bobbin with 60-100 enamelled copper-wire loops (i don't remember the exact number) and the hirose connector at the end.

Last edited by asper (2013-08-25 18:58:59)

jonor · 2013-08-25 19:57:33

Thank you for your photo. I have a similar antenna, but I can't read the tag. I will try better.

n0ne · 2015-08-01 17:52:56

Sorry to dig out this thread but a forum search for "128 bit" brought me here, as the OT's tag description an most of the datasheet are the closest match to my unknown tag captured in http://www.proxmark.org/forum/viewtopic.php?id=2546 - everything except for the sync symbol makes sense - is there a chance these tags are "related"?

Dake · 2015-08-03 08:42:50

Hello ! Actually I am in internship to work on NFC/RFID for a R&D project, especially on pcf7931 tags. Reading functions works great on pcf79931AS (memory of 4 blocks).

I have finished to develop pcf7931 writing functions that I am testing. What is tricky is that pcf7931 needs a high precision on times (many us).

Moreover, usually on these tags, writing is protected with a password 56 bits. My function take in parameter a password that you can get by eavesdropping.

For example, here my custom tag for snooping :

Last edited by Dake (2015-08-03 08:44:11)

meter · 2015-08-03 20:59:31

For snooping I think you can try to emulate a PCF793X, so you can receive the password without problems

Dake · 2015-08-21 08:13:31

Hello, I have finished to develop functions for writing on pcf7931 tags that I can share. Could I merge my code ?

iceman · 2015-08-21 13:18:58

make a PullRequest on GitHub, and it will be analysed.

meter · 2015-08-21 17:40:02

Dake wrote:

Hello, I have finished to develop functions for writing on pcf7931 tags

Which antenna have used for that? Have you changed capacitors on proxmark? Do you think to write also emulation for that chip or only snooping?

meter · 2015-08-21 17:41:05

I forget thank you for your work

meter · 2015-08-23 16:03:50

Dake wrote:

I have finished to develop functions for writing on pcf7931 tags that I can share. Could I merge my code ?

I'd like test your code, where I can download it?

Dake · 2015-08-24 09:01:59

Hello meter,
The official LF antenna is not suitable for writing on PCF7931 tags (because it is flat), so I have built a specific antenna for that use :

I used 0.1mm enamelled copper with a 1nF capacitor. (I directly connected my antenna on Proxmark because my connector doesn't work well)

[== Undefined ==]
Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)                 
......#db# DownloadFPGA(len: 42096)                 
.          
# LF antenna: 20,62 V @   125.00 kHz          
# LF antenna: 11,28 V @   134.00 kHz          
# LF optimal: 20,62 V @   125,00 kHz          
# HF antenna:  0,07 V @    13.56 MHz

For snooping the existing code of the github is enough (use cmd lf snoop, lf config and plot). You only have to build an antenna like presented in my last post.

I will proposed my code for the writing during the week on Github Request.

asper · 2015-08-24 10:26:18

We hope to see your code ! Thank you for your contribution.

meter · 2015-08-24 11:18:30

Hello Dake,

Dake wrote:

I used 0.1mm enamelled copper with a 1nF capacitor. (I directly connected my antenna on Proxmark because my connector doesn't work well)

thank you for your precious informations, so have you removed the capacitors soldered on proxmark for 125KHz?
The antenna should be 1621 uH with 125KHz and 1nF capacitor. How many about rounds did you do?
I'd like replicate your work without make too many changes to my PM3 and continue to use for other ways.

Dake wrote:

For snooping the existing code of the github is enough (use cmd lf snoop, lf config and plot). You only have to build an antenna like presented in my last post.

Have you never tried with inductor about 18uH (not self made), place side by side to PCF?

Dake wrote:

I will proposed my code for the writing during the week on Github Request.

I waiting, thank you

Dake · 2015-08-24 17:50:48

I have not touched the components soldered on the proxmark, I simply add a specific antenna. So my PM3 can be use for other ways.

Here the theoretical features of my antenna :

I do not know inductor about 18uH not self made but the substantial is that the antenna must resound around at 125k with a good power. To be programmed, the PCF7931 tags must be in a magnetic field >= 170 uWb/m².

Last edited by Dake (2015-08-24 18:19:14)

meter · 2015-08-24 19:15:02

Dake wrote:

I have not touched the components soldered on the proxmark, I simply add a specific antenna. So my PM3 can be use for other ways.

Perfect!!! Although I did not understand how with both capacitors antenna resound correctly. I will try.

Where did you buy the toroidal or it's a simple piece of plastic?

Dake wrote:

I do not know inductor about 18uH not self made but the substantial is that the antenna must resound around at 125k with a good power. To be programmed, the PCF7931 tags must be in a magnetic field >= 170 uWb/m².

I have used an inductor 18uH for snoop not for writing. Zip are large, but I don't have a zip.

meter · 2015-08-24 20:06:34

I forgot, in my PM3 I have added a 100pF capacitor, because my antenna for 125KHz is 1.4 mH, which software have you used for calculate your antenna?
I'd like make an antenna of 1.4 mH and not 1.6mH.

18 meters I don't have enough wire. I need to buy it.

Dake · 2015-08-25 08:37:07

I didn't found capacitor in parallel at TP2 and TP5 (pins of antenna) on proxmark schematic. My antenna resound at one frequency :.

I have created the toroidal with a 3D printer but it can be done by other ways.

meter wrote:

I have used an inductor 18uH for snoop not for writing. Zip are large, but I don't have a zip.

Ok, for the snoop it could be work, to test.

To calculate your antenna you can use this tool : http://www.coolcircuit.com/tools/multi_layer_coil_calculator/

Last edited by Dake (2015-08-25 09:15:17)

meter · 2015-08-25 20:18:19

Dake wrote:

I didn't found capacitor in parallel at TP2 and TP5 (pins of antenna) on proxmark schematic.

page 4 of schematic there is this:

I populated C39 with 100pF so I have 1.1nF and resound better for 1.4uH antenna. You should have it too C20 with 1nF

Dake wrote:

I have created the toroidal with a 3D printer but it can be done by other ways.

Great, I should go myself one day with 3D print. Please, could you upload your file for 3D print or is it top secret?

Thank you for all your informations.

meter · 2015-08-25 20:36:13

Dake wrote:

To calculate your antenna you can use this tool : http://www.coolcircuit.com/tools/multi_layer_coil_calculator/

I tried this tool, how you calculated the Coil Length? Have you just used the length of PCF7931 (12 mm) or is there some also reason?
Have you tried also different lengths?
What it is accurate the turns around the toroidal?

meter · 2015-08-26 17:07:56

Dake wrote:

Ok, for the snoop it could be work, to test.

I don't know with PM3, but surely works with audio recording, I got a very good signal.

Dake · 2015-08-26 18:17:52

I will see to upload the file of the antenna. For the coil length I got the length of PCF7931, however after the tests, an antenna more thin could works. The tag can be writed even half set in the antenna.

The numbers of turns around toroidal are approximate, you have to refine features of your antenna with "hw tune".

marshmellow · 2015-08-26 19:09:59

i'm curious Dake, your antenna is around 20V, i would suspect the smaller of the "Flat" antennas below would function fine as it is rated at ~45V:

is there any reason for the height dimension being needed for this tag specifically?

Last edited by marshmellow (2015-08-26 19:58:43)

meter · 2015-08-26 19:56:13

Dake wrote:

The numbers of turns around toroidal are approximate, you have to refine features of your antenna with "hw tune".

My doubt was about as to wrap the wire. As you can see in many photos in this forum, even from the antennas of marshmellow, every turn is not side by side but simply wrapped, from your photo I can't understand if the wire is simply wrapped or is very accurate.

I saw your pull request, I will try it, I hope in this weekend.

Last edited by meter (2015-08-26 19:57:42)

Dake · 2015-08-26 21:16:04

Hello marshmellow, my official LF antenna works at 20 V at 133k and 13V at 125k. If your antenna is rated at 45V at 125k, maybe it could works. However the PCF7931 tags needs to be perpendicularly placed at antenna, so the transponder could be out of reach of antenna radiation.

I have sized a wide antenna (12mm) to be certain that the transpondeur will be in a sufficient magnetic field. I don't tested other dimensions for the antenna, but I think an antenna more thin can also works.

@meter : I have also simply wrapped the wire, it is not accurate

Last edited by Dake (2015-08-26 21:27:02)

meter · 2015-09-05 14:20:34

This is my antenna

about 1.472 mH this is the result "hw tune" with latest github + patch for write in pull request:

proxmark3> hw tune

Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)                 
......#db# DownloadFPGA(len: 42096)                 
.          
# LF antenna: 46.34 V @   125.00 kHz          
# LF antenna: 17.05 V @   134.00 kHz          
# LF optimal: 46.34 V @   125.00 kHz          
# HF antenna:  0.11 V @    13.56 MHz          
# Your HF antenna is unusable.          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

maybe 46V is too much?
I tried to read without success.

proxmark3> lf pcf7931 read
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: 00 00 00 00 00 00 00 00 ...                 
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: ff ff ff ff ff ff ff ff ...                 
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: 00 00 00 00 00 00 00 00 ...                 
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: 00 00 00 00 00 00 00 00 ...                 
Waiting for a response from the proxmark...          
Don't forget to cancel its operation first by pressing on the button          
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: 00 00 00 00 00 00 00 00 ...                 
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: ff ff ef 85 2d 00 00 00 ...                 
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: 00 00 00 00 00 00 78 ff ...                 
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: ff ff ff ff ff ff ff ff ...                 
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: 00 00 00 00 00 00 00 00 ...                 
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: 00 00 00 00 00 00 00 00 ...                 
#db# Error, no tag or bad tag

I tried to plot data with:

proxmark3> lf config b 8 L
#db# LF Sampling config:                  
#db#   [q] divisor:           95                  
#db#   [b] bps:               8                  
#db#   [d] decimation:        1                  
#db#   [a] averaging:         1                  
#db#   [t] trigger threshold: 0                  
proxmark3> lf read
#db# LF Sampling config:                  
#db#   [q] divisor:           95                  
#db#   [b] bps:               8                  
#db#   [d] decimation:        1                  
#db#   [a] averaging:         1                  
#db#   [t] trigger threshold: 0                  
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample                 
#db# buffer samples: 7f 80 80 80 80 80 80 7f ...                 
proxmark3> data samples
Reading 39999 bytes from device memory
          
Data fetched          
Samples @ 8 bits/smpl, decimation 1:1           
proxmark3> data plot

and this is the result:

maybe PMC is not good? I tried manual decode and should be correct the data.

marshmellow · 2015-09-05 15:02:43

Try varying the distance of the tag from the reader and read again.

Dake · 2015-09-09 12:02:36

I had the same problem for the reading, that is surprising is the informations are presents in the plots between PMCs.

As says Marshmellow, varying the distance of the tag is the solution. For me, I had to put the tag almost outside of the antenna to read it.

In last solution, you can read it manually, with the quality of the plots it is pretty easy.
Bit 1 : one change of state during 64*T0
Bit 0 : two changes of state during 64*T0
(http://www.grix.it/UserFiles/battlechess/File/pcf7931.pdf)

Last edited by Dake (2015-09-09 12:26:38)

meter · 2015-09-09 13:04:35

I tried many positions, alls without success. PMC is always bad, other bits are good and easy to decode.
I have already another programmer self-build with PIC microcontroller, I can read and write without problems. It was just a test for read and write also with PM3.
Diameter of my antenna is 23 cm, I'll try a little bigger maybe there are some improvements.

Dake · 2015-09-09 14:09:52

For reading you can also try to use the official antenna, putting the tag at the center perpendicularly to the antenna.

What did you try for writing with PM3 ? The configuration is important (lf pcf7931 config).

Last edited by Dake (2015-09-09 14:15:54)

meter · 2015-09-09 15:21:51

I don't know which is the official antenna. I have bought one from proxmark.com many years ago, but doesn't works. The signal is very bad with data plot.
I have not tried to write, because I think without PMC, we can't detect when to enter in program mode

Last edited by meter (2015-09-09 15:24:19)

meter · 2015-09-11 14:36:39

new antenna, diameter 32 cm, 1.5mH.

proxmark3> hw tune

Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)                 
......#db# DownloadFPGA(len: 42096)                 
.          
# LF antenna: 19.39 V @   125.00 kHz          
# LF antenna: 10.45 V @   134.00 kHz          
# LF optimal: 46.20 V @   114.29 kHz          
# HF antenna:  0.07 V @    13.56 MHz          
# Your HF antenna is unusable.          
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

about 20V for 125KHz, now I can read without problems (sure when tag transmit all blocks). Write doesn't work.

I analyzed better the code for write, but I can't find the wait of PMC for send 3T pulse and enter in program mode.
You put a simple delay and you hope to send 3T pulse in the correct time windows, good luck!
The better implementations is wait for a PMC and send 3T for enter in program mode, so you are sure to talking with PCF7931.
PCF7931 protocol is time based and is very critical, I know because I lost many time to write my firmware for PIC.

Dake · 2015-09-11 15:25:30

Yes it is a simple delay, to mesure, for writing on the tag. A default time is proposed in commands examples but it can change a little with other tags. So, actually the best way to use my functions is to get an oscilloscope to be sure of the initialization time.

As you say, the next amelioration could be to add an automatic detection of the PMC, so the user would not need to know the initialization delay, only password. But actually I have not Proxmark to improve it.

Last edited by Dake (2015-09-11 15:27:03)

meter · 2015-09-11 20:47:44

PMC is the life of PCF7931, with 3T on PMC we can enter in program mode, with 6T we can reset the tag and begin to read the transmission, without reset we don't know where the trasmission start.
Also read algorithm is not well developed, if block 0 e 1 is not detected there is an error, but with PCF7931 is normal transmit only one block and that can not be block 0 or 1. There are many rows of source code useless for read operation.
I'd like to improve, but it's require many time for me, but in this period it's missing. I have just some minutes for make new antenna
I'd like to develope a snoop for decode write operations.
pcf7931 snoop should wait for PMC, understood if there is a pulse 3T and begin to decode write operation.
... and for last tag emulation, so PM3 is complete for PCF7931. Maybe a day....

meter · 2015-10-20 07:06:41

Little update I tried to read with my new PM3 RDV2.0 from Elechouse and antenna LF from kit so no build and works very well, I got a good signal

mariolino · 2015-10-27 19:37:57

This is my PCF audio sniff

Dake · 2015-10-31 14:54:10

@novadrome : the next improvement could be an automatic detection of PMC but for now I am very busy

Good job Mariolino ! You are near of goal.

If you use writing pcf functions you have to enter your bytes in LSB first. For example if you read with your snooper :

10011110 00011010 11101010 .........

you have to enter in the command :

01111001 01011000 01010111 .........
=> in hex
79 58 57 .........

Last edited by Dake (2015-10-31 15:19:10)

Proxmark3 community

Announcement

#1 2012-11-05 04:58:33

PCF7931

#2 2012-11-08 08:07:38

Re: PCF7931

#3 2012-11-09 15:08:14

Re: PCF7931

#4 2013-01-02 09:11:00

Re: PCF7931

#5 2013-01-02 20:28:49

Re: PCF7931

#6 2013-01-02 22:15:41

Re: PCF7931

#7 2013-01-15 11:17:31

Re: PCF7931

#8 2013-01-15 20:33:32

Re: PCF7931

#9 2013-01-16 12:32:29

Re: PCF7931

#10 2013-01-18 22:30:27

Re: PCF7931

#11 2013-01-21 21:51:37

Re: PCF7931

#12 2013-03-01 12:31:44

Re: PCF7931

#13 2013-04-17 11:14:51

Re: PCF7931

#14 2013-08-25 17:14:43

Re: PCF7931

#15 2013-08-25 18:56:19

Re: PCF7931

#16 2013-08-25 19:57:33

Re: PCF7931

#17 2015-08-01 17:52:56

Re: PCF7931

#18 2015-08-03 08:42:50

Re: PCF7931

#19 2015-08-03 20:59:31

Re: PCF7931

#20 2015-08-21 08:13:31

Re: PCF7931

#21 2015-08-21 13:18:58

Re: PCF7931

#22 2015-08-21 17:40:02

Re: PCF7931

#23 2015-08-21 17:41:05

Re: PCF7931

#24 2015-08-23 16:03:50

Re: PCF7931

#25 2015-08-24 09:01:59

Re: PCF7931

#26 2015-08-24 10:26:18

Re: PCF7931

#27 2015-08-24 11:18:30

Re: PCF7931

#28 2015-08-24 17:50:48

Re: PCF7931

#29 2015-08-24 19:15:02

Re: PCF7931

#30 2015-08-24 20:06:34

Re: PCF7931

#31 2015-08-25 08:37:07

Re: PCF7931

#32 2015-08-25 20:18:19

Re: PCF7931

#33 2015-08-25 20:36:13

Re: PCF7931

#34 2015-08-26 17:07:56

Re: PCF7931

#35 2015-08-26 18:17:52

Re: PCF7931

#36 2015-08-26 19:09:59

Re: PCF7931

#37 2015-08-26 19:56:13

Re: PCF7931

#38 2015-08-26 21:16:04

Re: PCF7931

#39 2015-09-05 14:20:34

Re: PCF7931