Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi,
I'm interested in implementing an APDU sniffer using the Proxmark3. As I can see, there already is an
ISO 14443a ("hf 14a snoop") sniffer. Due to APDUs being the highest layer (application protocol),
an APDU sniffer just has to transform the ISO 14443a trace (from "hf 14a snoop") to an ISO 7816 (APDU) trace.
Before I start on implementing anything I have some questions:
1. I noticed that the maximum trace length is 3000. This is not enough (at least for my purpose). Can it be extended?
2. I know the timing is critical, but is it possible to show the traced data live via the USB?
(The trace length wouldn't be a problem anymore. And the new USB interface is faster, isn't it?)
3. When I sniff a communication between a SCL011 and a contactless smart card
(using pcsc and "jcoptool.py info" from RFIDIOt) "huge" parts of the communication are missing.
Only anti collision, UID and some small extra data are there. This data (anticol & UID & foo) is repeating
itself (in trace, "hf 14a list"). But between each loop data is missing (the timestamps "say" so too).
Any idea what is causing this?
Kind regards,
ikarus
Hi,
interesting topic. Looking forward...
It could only be extended slightly. We have only 64k RAM available. And some of the RAM is used for executable code as well (because it needs to be fast)
The speed of the USB interface isn't the issue (although it might be as well). The issue is that the ARM is busy with decoding the data and writing it into the trace buffer. The FPGA sends 1 byte reader data and 1 byte tag data every 9.4 microseconds when snooping. With the ARM running at 48MHz I leave it to you to calculate how many processor clock cycles are available for decoding and storing the data in this time. There will be no room to add USB communication overhead.
Please post the output of hw ver, hw tune, hf 14a snoop, hf 14a list for further analysis
You can design your version of proxmark with AT91SAM7SE microcontroller, which supports external RAM. I saw evaluation board with 32 megabytes of SDRAM and 512 megabytes of flash (ATMEL - AT91SAM7SE-EK). Or there is AT91SAM4S64 pin-compatible ARM Cortex-M4 microcontrollers with up to 256kb memory onboard. But I'm looking for smaller and more powerful design, like NSA's hardware implants such as JUNI0RMINT(https://leaksource.files.wordpress.com/2013/12/nsa-ant-juniormint.jpg)
I agree with piwi, but I didn't try to stress-test our 48Mhz ARM yet.
Did you try it with libnfc? Can you make your SCL011 work with libnfc? Also see this: http://www.libnfc.org/community/topic/286/scl011-german-basisleser/
Thanks for the replies!
@piwi
Slightly extending the trace is not enough for my purposes.
@vivat
My time window (and my knowledge) is not big enough to build a custom Proxmark3.
And libnfc does not support the SCL011 if I'm not mistaken.
@both
What do you think of this? Is it possible?
- Remove the decoding code
- Send the raw (not decoded data) to the host via USB
(is there enough time for the ARM to do so? (without the decoding code?))
- Decode the raw data on the host and print it
Regarding my issue with "hf 14a snoop":
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 848 2014-03-03 14:28:02
#db# os: svn 848-unclean 2014-03-13 14:10:20
#db# FPGA image built on 2014/02/25 at 07:43:59
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host
# LF antenna: 0,00 V @ 125.00 kHz
# LF antenna: 0,00 V @ 134.00 kHz
# LF optimal: 0,00 V @ 12000,00 kHz
# HF antenna: 11,09 V @ 13.56 MHz
# Your LF antenna is unusable.
(with no tag on antenna)
proxmark3> hf 14a snoop
#db# cancelled by button
#db# COMMAND FINISHED
#db# maxDataLen=4, Uart.state=0, Uart.len=0
#db# traceLen=1689, Uart.output[0]=000000d0
proxmark3> hf 14a list
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 992 | Rdr | 52
19520 | 24288 | Rdr | 50 00 57 cd
246464 | 247456 | Rdr | 52
248692 | 251060 | Tag | 48 00
293488 | 294480 | Rdr | 52
313712 | 318480 | Rdr | 50 00 57 cd
541488 | 542480 | Rdr | 52
543716 | 546084 | Tag | 48 00
550560 | 553024 | Rdr | 93 20
554212 | 560036 | Tag | 88 04 2a 28 8e
567456 | 577920 | Rdr | 93 70 88 04 2a 28 8e c1 8b
579156 | 582676 | Tag | 24 d8 36
587280 | 589744 | Rdr | 95 20
590916 | 596804 | Tag | a9 aa 1e 80 9d
604928 | 615392 | Rdr | 95 70 a9 aa 1e 80 9d 4c 12
616628 | 620212 | Tag | 20 fc 70
624880 | 629648 | Rdr | e0 80 31 73
631092 | 648436 | Tag | 0d 38 33 b1 4a 43 4f 50 33 31 56 32 32 8b 9c
667760 | 673616 | Rdr | d0 11 0a 08 09
676900 | 680420 | Tag | d0 73 87
1220112 | 1221104 | Rdr | 52
1222340 | 1224708 | Tag | 48 00
1229312 | 1231776 | Rdr | 93 20
1232948 | 1238772 | Tag | 88 04 2a 28 8e
1246192 | 1256656 | Rdr | 93 70 88 04 2a 28 8e c1 8b
1257908 | 1261428 | Tag | 24 d8 36
1266032 | 1268496 | Rdr | 95 20
1269668 | 1275556 | Tag | a9 aa 1e 80 9d
1283680 | 1294144 | Rdr | 95 70 a9 aa 1e 80 9d 4c 12
1295380 | 1298964 | Tag | 20 fc 70
1303376 | 1308144 | Rdr | e0 80 31 73
1309572 | 1320964 | Tag | 0d 38 33 b1 4a 43 4f 50 33 31 !crc
1346176 | 1352032 | Rdr | d0 11 0a 08 09
1355332 | 1358852 | Tag | d0 73 87
10200464 | 10201456 | Rdr | 52
10202692 | 10205060 | Tag | 48 00
10209664 | 10212128 | Rdr | 93 20
10213316 | 10219140 | Tag | 88 04 2a 28 8e
10238964 | 10242484 | Tag | 24 d8 36
10246576 | 10249040 | Rdr | 95 20
10250212 | 10256100 | Tag | a9 aa 1e 80 9d
10263456 | 10273920 | Rdr | 95 70 a9 aa 1e 80 9d 4c 12
10275156 | 10278740 | Tag | 20 fc 70
10283408 | 10288176 | Rdr | e0 80 31 73
10289620 | 10306964 | Tag | 0d 38 33 b1 4a 43 4f 50 33 31 56 32 32 8b 9c
10326160 | 10332016 | Rdr | d0 11 0a 08 09
10335300 | 10338820 | Tag | d0 73 87
19455824 | 19456816 | Rdr | 52
19458052 | 19460420 | Tag | 48 00
19465664 | 19468128 | Rdr | 93 20
19469316 | 19475140 | Tag | 88 04 2a 28 8e
19483200 | 19493664 | Rdr | 93 70 88 04 2a 28 8e c1 8b
19494900 | 19498420 | Tag | 24 d8 36
19502640 | 19505104 | Rdr | 95 20
19506276 | 19512164 | Tag | a9 aa 1e 80 9d
19519520 | 19529984 | Rdr | 95 70 a9 aa 1e 80 9d 4c 12
19531220 | 19534804 | Tag | 20 fc 70
19540112 | 19544880 | Rdr | e0 80 31 73
19546324 | 19563668 | Tag | 0d 38 33 b1 4a 43 4f 50 33 31 56 32 32 8b 9c
19583504 | 19589360 | Rdr | d0 11 0a 08 09
19592644 | 19596164 | Tag | d0 73 87
28434896 | 28435888 | Rdr | 52
28437124 | 28439492 | Tag | 48 00
28444736 | 28447200 | Rdr | 93 20
28448372 | 28454196 | Tag | 88 04 2a 28 8e
28462256 | 28472720 | Rdr | 93 70 88 04 2a 28 8e c1 8b
28473972 | 28477492 | Tag | 24 d8 36
28481712 | 28484176 | Rdr | 95 20
28485348 | 28491236 | Tag | a9 aa 1e 80 9d
28498592 | 28509056 | Rdr | 95 70 a9 aa 1e 80 9d 4c 12
28510292 | 28513876 | Tag | 20 fc 70
28519184 | 28523952 | Rdr | e0 80 31 73
28525380 | 28542724 | Tag | 0d 38 33 b1 4a 43 4f 50 33 31 56 32 32 8b 9c
28562560 | 28568416 | Rdr | d0 11 0a 08 09
28571716 | 28575236 | Tag | d0 73 87
root@kali ~ # jcoptool.py info :(
jcoptool v0.1d (using RFIDIOt v1.0e)
Reader: PCSC SCL011 Contactless Reader [SCL01x Contactless Reader] (21161137207137) 00 00
Card ID: 042A28A9AA1E80
ATS: 4A434F503331563232 (JCOP31V22)
JCOP Identity Data: 5C040124000000005048353232440103D88D93
FABKEY ID: 5C
PATCH ID: 04
TARGET ID: 01 (SmartMX)
MASK ID: 24 (Mask 36)
CUSTOM MASK: 00000000 (....)
MASK NAME: PH522D
FUSE STATE: 01 (Fused)
ROM INFO: 03D88D93 (Checksum)
COMBO NAME: SmartMX-m24.5C.04-PH522D
MANUFACTURER: Philips Semiconductors
PRODUCED: Year 5, Week 22, Build 4
Life Cycle data: 9F7F2A4790501540515158240072350638649124050000000000000000182A2836333836340000000000000000
IC Fabricator 4790
IC Type 5015
OS ID 4051
OS Release Date 5158
OS Release Level 2400
IC Fabrication Date Year 7 Day 235
IC Serial Number 06386491
IC Batch Number 2405
IC Module Fabricator 0000
IC Module Packaging Date Year 0 Day 000
ICC Manufacturer 0000
IC Embedding Date Year 0 Day 000
IC Pre-Personalizer 182A
IC Pre-Personalization Date 2836
IC Pre-Personalization Equipment 33383634
IC Personalizer 0000
IC Personalization Date Year 0 Day 000
IC Personalization Equipment 00000000
Authentication succeeded
Card contents:
Can't get Card Status! Failed - reason code 6985 (Conditions of use not satisfied)
I can't find the data "jcoptool.py info" was reading (5C040124000000005048353232440103D88D93 and
9F7F2A4790501540515158240072350638649124050000000000000000182A2836333836340000000000000000)
in the trace of "hf 14a list"...
One thing I noticed: there is a "big" time difference between the tag response "d0 73 87"
and the reader saying "52".
There had been more improvements to sniff/snoop and a fix of a nasty historic bug in svn852. Give it a try.