Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I'm creating a separate topic to my previous recent topic so as to separate the issues. This new issue pertains to Mifare Classic, but with different cards and readers.
I can read and emulate the card (using "script run mifare_autopwn", and also via running the various commands manually) but when I present the HF proxmark antenna to the reader whilst "hf mf sim" is in effect I get no response. I tried "hf 14a 1 000000" and presenting the antenna to the reader and get the following response:
Emulating ISO/IEC 14443 type A tag with 4 byte UID (00000000)
#db# Received unknown command (len=1):
#db# 02
#db# Auth attempt {nr}{ar}: 32408c6f 76874b00
#db# Auth attempt {nr}{ar}: 2d64c430 2d8f6437
#db# Auth attempt {nr}{ar}: 2241297e 617ec94b
#db# Auth attempt {nr}{ar}: 0cd7d286 38dbc225
#db# Auth attempt {nr}{ar}: acb53e6d 0df648ba
#db# Auth attempt {nr}{ar}: e499e71b b7071753
#db# Auth attempt {nr}{ar}: 0d343ee2 209aec22
#db# Auth attempt {nr}{ar}: 58062703 ffa56a0d
#db# Auth attempt {nr}{ar}: ad084512 88f1ca2a
#db# Auth attempt {nr}{ar}: 5c57f751 f34e3b5a
#db# Auth attempt {nr}{ar}: f9ff3002 be905ce2
#db# Trace Full. Simulation stopped.
#db# 0 0 4c
hf 14a list:
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 352 | Rdr | 02
2092068 | 2093124 | Rdr | 26
2094296 | 2096664 | Tag | 04 00
4183884 | 4184940 | Rdr | 26
4186112 | 4188480 | Tag | 04 00
6281250 | 6282306 | Rdr | 26
6283478 | 6285846 | Tag | 04 00
6288930 | 6291394 | Rdr | 93 20
6292566 | 6298390 | Tag | 00 00 00 00 00
6304674 | 6315202 | Rdr | 93 70 00 00 00 00 00 9c d9
6316374 | 6319894 | Tag | 08 b6 dd
6328722 | 6333426 | Rdr | 60 0c 99 b1
6334662 | 6339334 | Tag | 00 00 00 00
6341536 | 6350848 | Rdr | 32 40 8c 6f 76 87 4b 00 !crc
8526536 | 8527592 | Rdr | 26
8528764 | 8531132 | Tag | 04 00
8533832 | 8536296 | Rdr | 93 20
8537468 | 8543292 | Tag | 00 00 00 00 00
8550088 | 8560616 | Rdr | 93 70 00 00 00 00 00 9c d9
8561788 | 8565308 | Tag | 08 b6 dd
8574520 | 8579224 | Rdr | 60 0c 99 b1
8580460 | 8585132 | Tag | 00 00 00 00
8587600 | 8596912 | Rdr | 2d 64 c4 30 2d 8f 64 37 !crc
10773118 | 10774174 | Rdr | 26
10775346 | 10777714 | Tag | 04 00
10780798 | 10783262 | Rdr | 93 20
10784434 | 10790258 | Tag | 00 00 00 00 00
10796926 | 10807454 | Rdr | 93 70 00 00 00 00 00 9c d9
10808626 | 10812146 | Tag | 08 b6 dd
10820974 | 10825678 | Rdr | 60 0c 99 b1
10826914 | 10831586 | Tag | 00 00 00 00
10833792 | 10843168 | Rdr | 22 41 29 7e 61 7e c9 4b !crc
13018916 | 13019972 | Rdr | 26
13021144 | 13023512 | Tag | 04 00
27662882 | 27663938 | Rdr | 26
27665110 | 27667478 | Tag | 04 00
29754698 | 29755754 | Rdr | 26
29756926 | 29759294 | Tag | 04 00
31846784 | 31847840 | Rdr | 26
31849012 | 31851380 | Tag | 04 00
33938888 | 33939944 | Rdr | 26
33941116 | 33943484 | Tag | 04 00
36030974 | 36032030 | Rdr | 26
36033202 | 36035570 | Tag | 04 00
40214876 | 40215932 | Rdr | 26
40217104 | 40219472 | Tag | 04 00
42306978 | 42308034 | Rdr | 26
42309206 | 42311574 | Tag | 04 00
44398794 | 44399850 | Rdr | 26
44401022 | 44403390 | Tag | 04 00
44406728 | 44409192 | Rdr | 93 20
44410364 | 44416188 | Tag | 00 00 00 00 00
44422984 | 44433512 | Rdr | 93 70 00 00 00 00 00 9c d9
44434684 | 44438204 | Tag | 08 b6 dd
44447416 | 44452120 | Rdr | 60 0c 99 b1
44453356 | 44458028 | Tag | 00 00 00 00
44460496 | 44469872 | Rdr | 0c d7 d2 86 38 db c2 25 !crc
46646016 | 46647072 | Rdr | 26
46648244 | 46650612 | Tag | 04 00
46653312 | 46655776 | Rdr | 93 20
46656948 | 46662772 | Tag | 00 00 00 00 00
46665600 | 46666656 | Rdr | 26
46667828 | 46670196 | Tag | 04 00
48763718 | 48764774 | Rdr | 26
48765946 | 48768314 | Tag | 04 00
48771398 | 48773862 | Rdr | 93 20
48775034 | 48780858 | Tag | 00 00 00 00 00
48787526 | 48798054 | Rdr | 93 70 00 00 00 00 00 9c d9
48799226 | 48802746 | Tag | 08 b6 dd
48811702 | 48816406 | Rdr | 60 0c 99 b1
48817642 | 48822314 | Tag | 00 00 00 00
48824384 | 48833696 | Rdr | ac b5 3e 6d 0d f6 48 ba !crc
51009756 | 51010812 | Rdr | 26
51011984 | 51014352 | Tag | 04 00
51017052 | 51019516 | Rdr | 93 20
51020688 | 51026512 | Tag | 00 00 00 00 00
51032924 | 51043452 | Rdr | 93 70 00 00 00 00 00 9c d9
51044624 | 51048144 | Tag | 08 b6 dd
51057420 | 51062124 | Rdr | 60 0c 99 b1
51063296 | 51067968 | Tag | 00 00 00 00
51070064 | 51079440 | Rdr | e4 99 e7 1b b7 07 17 53 !crc
53255586 | 53256642 | Rdr | 26
53257814 | 53260182 | Tag | 04 00
53263266 | 53265730 | Rdr | 93 20
53266902 | 53272726 | Tag | 00 00 00 00 00
53279522 | 53290050 | Rdr | 93 70 00 00 00 00 00 9c d9
53291222 | 53294742 | Tag | 08 b6 dd
53303826 | 53308530 | Rdr | 60 0c 99 b1
53309766 | 53314438 | Tag | 00 00 00 00
I tried emulating the previously-captured card and presenting the antenna to the reader:
Loaded 64 blocks from file: ....eml
uid:N/A, numreads:0, flags:0 (0x00)
#db# 4B UID: ...
#db# Emulator stopped. Tracing: 1 trace length: 0
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
I get the same result whether I load the card into the emulator and also specify the UID "hf mf sim u F3DE65D9".
The reader in question is an iSmart 101BM. Sector 3 on the card contains the key. The card I read and emulated works on the reader, and provides the marked card number over wiegand after a scan.
Please note: I have scrambled the nr/ar numbers in the above logs. It's shitty, but out of my hands.
Last edited by tjhowse (2014-08-07 00:39:43)
Your hf 14a sim and the following hf 14a list look somewhat OK. hf 14a sim doesn't support the non-ISO Mifare commands; your card reader therefore cannot authenticate, read or write sectors. hf 14a sim nevertheless shows the authentication attempts (for those who can make use of it).
The hf mf sim result and the empty trace are of course weird.
The many aborted REQA (26) are unusual. Did you ever try a hf 14a snoop with a legitimate card and the reader?
I did try a snoop with a valid card, but I didn't log the results. I'll do so when I get into the office tomorrow.
Thanks,
tjhowse.
The following is a hf 14a snoop, valid card scan, pm3 button press then hf 14a list.
#db# COMMAND FINISHED
#db# maxDataLen=3, Uart.state=0, Uart.len=0
#db# traceLen=717, Uart.output[0]=00000026
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 1056 | Rdr | 26
2092096 | 2093152 | Rdr | 26
4184192 | 4185248 | Rdr | 26
6276016 | 6277072 | Rdr | 26
8368112 | 8369168 | Rdr | 26
10460208 | 10461264 | Rdr | 26
12552032 | 12553088 | Rdr | 26
14644512 | 14645568 | Rdr | 26
16736608 | 16737664 | Rdr | 26
18828688 | 18829744 | Rdr | 26
20920784 | 20921840 | Rdr | 26
23012624 | 23013680 | Rdr | 26
25104720 | 25105776 | Rdr | 26
25107156 | 25107348 | Tag | 01
27196800 | 27197856 | Rdr | 26
29288640 | 29289696 | Rdr | 26
29290868 | 29293236 | Tag | 04 00
29296192 | 29298656 | Rdr | 93 20
29299828 | 29305716 | Tag | .. .. .. .. 91
29312448 | 29322912 | Rdr | 93 70 .. .. .. .. 91 1f 3c
29324148 | 29327668 | Tag | 08 b6 dd
29336896 | 29341600 | Rdr | 60 0c 99 b1
29343604 | 29348276 | Tag | 5f 29 69 0f
29350336 | 29359648 | Rdr | b4 f1 22 f6 61 2b 1a 22 !crc
29360884 | 29365556 | Tag | 8d! 27 76 cb!
29368000 | 29372768 | Rdr | 37 c4 bc 36 !crc
29374084 | 29394884 | Tag | 78! 61 1b! 73 bf! 07 92! f7 19 86! ec cb! f0 fa ce df 8b 57! !crc
36836288 | 36837344 | Rdr | 26
38928384 | 38929440 | Rdr | 26
41020336 | 41021392 | Rdr | 26
43112432 | 43113488 | Rdr | 26
45204528 | 45205584 | Rdr | 26
47296624 | 47297680 | Rdr | 26
49388448 | 49389504 | Rdr | 26
51480928 | 51481984 | Rdr | 26
I hope this sheds some light.
Last edited by tjhowse (2014-08-07 00:40:41)
The result of hf 14a snoop doesn't show anything extraordinary. It shows a select (anticollision) sequence, a successful authentication sequence for block 12 (sector 3) followed by an encrypted sequence which is probably a block read.
Unique to mf sim is a reader's field strength detection (doesn't exist in hf 14a sim, hf mf sniff, hf 14a snoop). If your reader's field is weak and/or your PM3 antenna is bad, hf mf sim may not detect the field's presence and therefore not work. You may check the yellow LED during hf mf sim - it is lit when the reader's field is detected.
Hmm. If I wanted to test that, could I tweak the magic number (33k) in the below code to trigger on a lower threshold?
iso14443a.c:2222
    // find reader field
    // Vref = 3300mV, and an 10:1 voltage divider on the input
    // can measure voltages up to 33000 mV
    if (cardSTATE == MFEMUL_NOFIELD) {
        vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
        if (vHf > MF_MINFIELDV) {
            cardSTATE_TO_IDLE();
            LED_A_ON();
        }
    }
Edit: Or... just edit MF_MINFIELDV... That could also work.
Last edited by tjhowse (2014-08-04 09:36:11)
Yes, you may try a lower MF_MINFIELDV. It's currently set to 4000 (the induced voltage in mV, i.e. 4000mV - which is quite low already).
You may also try hw detectreader h and then presenting the PM3 antenna to the reader. It displays the vHf values (in each line the previous, the current value, and a count). The values should increase if you approach the reader with the PM3 antenna. You should see values above 0x7C ((0x7C * 33000) >> 10 = 3996) in order for hf mf sim to work correctly with the current MF_MINFIELDV.
Hi,
I have a similar problem. My hf mf sim does not work at all when hf mf sim c653c7ff I get:"
uid:N/A, numreads:0, flags:0 (0x00)
#db# 4B UID: c653c7ff "
Nothing light up on the proxmark and reader does not respond
When I'm doing hf 14a sim 1 c653c7ff reader does not respond but proxmark gives me lots of:
"Emulating ISO/IEC 14443 type A tag with 4 byte UID (c653c7ff)
#db# Received unknown command (len=1):
#db# f0
#db# Received unknown command (len=1):
#db# 93
#db# Received unknown command (len=1):
#db# f0
#db# Received unknown command (len=1):
#db# 93
#db# Received unknown command (len=1):
#db# f0
#db# Received unknown command (len=1):
#db# 93
#db# Received unknown command (len=1):
#db# f0
#db# Received unknown command (len=1):
#db# 00
#db# Received unknown command (len=1):
#db# f0
#db# Received unknown command (len=1):
Also when doing hw detectreader my values are:
HF 13.56 Field Change: b9 ae 2
#db# HF 13.56 Field Change: ae ba 1
#db# HF 13.56 Field Change: ba ad 3
#db# HF 13.56 Field Change: ad ba 4
My antenna is the Ryscorp one from the Proxmark website and I tried with older bootroms/os/fpga as well as the current one and the PenturaLabs-iclass-research/v1.0.0-39-g9e28ee9-suspect. Simulating never worked.
Would it be a good idea to use arg2 of void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain) to set a sensitivity value? High/low?
Right, with hf mf sim it does work, just tried it against an Omnikey. It does not show up on the Omnikey but I get a trace with lots of 26s:
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 1056 | Rdr | 26
2484 | 4852 | Tag | 04 00
109312 | 111776 | Rdr | 93 20
113460 | 119284 | Tag | c6 93 c7 fd 6f
272640 | 283168 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
284852 | 289524 | Tag | 08 b6 dd 00
11607738 | 11608794 | Rdr | 26
11610222 | 11612590 | Tag | 04 00
11716282 | 11718746 | Rdr | 93 20
11720302 | 11726126 | Tag | c6 93 c7 fd 6f
11879866 | 11890394 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
11891950 | 11896622 | Tag | 08 b6 dd 00
23255444 | 23256500 | Rdr | 26
23257800 | 23260168 | Tag | 04 00
23364116 | 23366580 | Rdr | 93 20
23368136 | 23373960 | Tag | c6 93 c7 fd 6f
23528340 | 23538868 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
23540424 | 23545096 | Tag | 08 b6 dd 00
34863196 | 34864252 | Rdr | 26
34865680 | 34868048 | Tag | 04 00
34972252 | 34974716 | Rdr | 93 20
34976272 | 34982096 | Tag | c6 93 c7 fd 6f
35135838 | 35146366 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
35147922 | 35152594 | Tag | 08 b6 dd 00
46484566 | 46485622 | Rdr | 26
46486986 | 46489354 | Tag | 04 00
46592342 | 46594806 | Rdr | 93 20
46596298 | 46602122 | Tag | c6 93 c7 fd 6f
46756566 | 46767094 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
46768586 | 46773258 | Tag | 08 b6 dd 00
58132082 | 58133138 | Rdr | 26
58134310 | 58136678 | Tag | 04 00
58241664 | 58244128 | Rdr | 93 20
58245812 | 58251636 | Tag | c6 93 c7 fd 6f
58419328 | 58429856 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
58431540 | 58436212 | Tag | 08 b6 dd 00
69901754 | 69902810 | Rdr | 26
69904110 | 69906478 | Tag | 04 00
70010874 | 70013338 | Rdr | 93 20
70014830 | 70020654 | Tag | c6 93 c7 fd 6f
70175098 | 70185626 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
70187118 | 70191790 | Tag | 08 b6 dd 00
81522964 | 81524020 | Rdr | 26
81525320 | 81527688 | Tag | 04 00
81631764 | 81634228 | Rdr | 93 20
81635784 | 81641608 | Tag | c6 93 c7 fd 6f
81795604 | 81806132 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
81807688 | 81812360 | Tag | 08 b6 dd 00
93171550 | 93172606 | Rdr | 26
93174034 | 93176402 | Tag | 04 00
93280478 | 93282942 | Rdr | 93 20
93284498 | 93290322 | Tag | c6 93 c7 fd 6f
93444062 | 93454590 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
93456146 | 93460818 | Tag | 08 b6 dd 00
104779064 | 104780120 | Rdr | 26
104781420 | 104783788 | Tag | 04 00
104887864 | 104890328 | Rdr | 93 20
104891884 | 104897708 | Tag | c6 93 c7 fd 6f
105051704 | 105062232 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
105063788 | 105068460 | Tag | 08 b6 dd 00
116426752 | 116427808 | Rdr | 26
116429236 | 116431604 | Tag | 04 00
116536320 | 116538784 | Rdr | 93 20
116540468 | 116546292 | Tag | c6 93 c7 fd 6f
116712960 | 116723488 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
116725172 | 116729844 | Tag | 08 b6 dd 00
128048442 | 128049498 | Rdr | 26
128050798 | 128053166 | Tag | 04 00
128156986 | 128159450 | Rdr | 93 20
128161006 | 128166830 | Tag | c6 93 c7 fd 6f
128320954 | 128331482 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
128333038 | 128337710 | Tag | 08 b6 dd 00
139668500 | 139669556 | Rdr | 26
139670856 | 139673224 | Tag | 04 00
139777300 | 139779764 | Rdr | 93 20
139781320 | 139787144 | Tag | c6 93 c7 fd 6f
139942548 | 139953076 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
139954632 | 139959304 | Tag | 08 b6 dd 00
And the 14a snoop with a valid card:
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 1056 | Rdr | 26
11458768 | 11459824 | Rdr | 26
22850720 | 22851776 | Rdr | 26
34334320 | 34335376 | Rdr | 26
45847120 | 45848176 | Rdr | 26
45849348 | 45851716 | Tag | 04 00
45955664 | 45958128 | Rdr | 93 20
45959300 | 45965124 | Tag | c6 93 c7 fd 6f
46119888 | 46130416 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
46131604 | 46135124 | Tag | 08 b6 dd
47691472 | 47696240 | Rdr | 30 00 02 a8
47697556 | 47698196 | Tag | 04
47744992 | 47749760 | Rdr | 50 00 57 cd
48966240 | 48967232 | Rdr | 52
48968484 | 48970852 | Tag | 04 00
49075552 | 49078016 | Rdr | 93 20
49079204 | 49085028 | Tag | c6 93 c7 fd 6f
49239008 | 49249536 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
49250724 | 49254244 | Tag | 08 b6 dd
50801776 | 50806544 | Rdr | 30 00 02 a8
50807860 | 50808500 | Tag | 04
50850288 | 50855056 | Rdr | 50 00 57 cd
52071408 | 52072400 | Rdr | 52
52073652 | 52076020 | Tag | 04 00
52180608 | 52183072 | Rdr | 93 20
52184244 | 52190068 | Tag | c6 93 c7 fd 6f
52344576 | 52355104 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
52356276 | 52359796 | Tag | 08 b6 dd
53916288 | 53921056 | Rdr | 30 00 02 a8
53922372 | 53923012 | Tag | 04
53969408 | 53974176 | Rdr | 50 00 57 cd
55177360 | 55178352 | Rdr | 52
55179604 | 55181972 | Tag | 04 00
55285776 | 55288240 | Rdr | 93 20
55289412 | 55295236 | Tag | c6 93 c7 fd 6f
55449616 | 55460144 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
55461332 | 55464852 | Tag | 08 b6 dd
55569552 | 55574320 | Rdr | 50 00 57 cd
56816784 | 56817776 | Rdr | 52
56819028 | 56821396 | Tag | 04 00
56925712 | 56928176 | Rdr | 93 20
56929364 | 56935188 | Tag | c6 93 c7 fd 6f
57089808 | 57100336 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
57101524 | 57105044 | Tag | 08 b6 dd
57156368 | 57161136 | Rdr | 30 00 02 a8
57162452 | 57163092 | Tag | 04
57210128 | 57214896 | Rdr | 50 00 57 cd
58417184 | 58418176 | Rdr | 52
58419428 | 58421796 | Tag | 04 00
58525856 | 58528320 | Rdr | 93 20
58529492 | 58535316 | Tag | c6 93 c7 fd 6f
58690080 | 58700608 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
58701796 | 58705316 | Tag | 08 b6 dd
58756640 | 58761408 | Rdr | 30 00 02 a8
58762724 | 58763364 | Tag | 04
58811808 | 58816576 | Rdr | 50 00 57 cd
60032288 | 60033280 | Rdr | 52
60034532 | 60036900 | Tag | 04 00
60140592 | 60143056 | Rdr | 93 20
60144228 | 60150052 | Tag | c6 93 c7 fd 6f
60304176 | 60314704 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
60315876 | 60319396 | Tag | 08 b6 dd
61875376 | 61880144 | Rdr | 30 00 02 a8
61881460 | 61882100 | Tag | 04
61929136 | 61933904 | Rdr | 50 00 57 cd
63149632 | 63150624 | Rdr | 52
63151876 | 63154244 | Tag | 04 00
63258304 | 63260768 | Rdr | 93 20
63261956 | 63267780 | Tag | c6 93 c7 fd 6f
63422400 | 63432928 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
63434116 | 63437636 | Tag | 08 b6 dd
64994256 | 64999024 | Rdr | 30 00 02 a8
65000324 | 65000964 | Tag | 04
65047760 | 65052528 | Rdr | 50 00 57 cd
66268880 | 66269872 | Rdr | 52
66271124 | 66273492 | Tag | 04 00
66377808 | 66380272 | Rdr | 93 20
66381460 | 66387284 | Tag | c6 93 c7 fd 6f
66541392 | 66551920 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
66553108 | 66556628 | Tag | 08 b6 dd
68113248 | 68118016 | Rdr | 30 00 02 a8
68119332 | 68119972 | Tag | 04
68166752 | 68171520 | Rdr | 50 00 57 cd
69387232 | 69388224 | Rdr | 52
69389476 | 69391844 | Tag | 04 00
69495920 | 69498384 | Rdr | 93 20
69499556 | 69505380 | Tag | c6 93 c7 fd 6f
69660144 | 69670672 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
69671844 | 69675364 | Tag | 08 b6 dd
So the first difference is when simulated reader sends a 26 and when a card is presented it sends a 30 00 02 a8. Any ideas what the proxmark fails to emulate as the APDUs look just the same until that point?
Also, the omnikey successfully detects a 14a sim uid, so the problem is in mf sim for sure
Last edited by meccan (2014-08-04 19:16:44)
The more important difference is that hf mf sim sends an additional erroneous byte after SAK. I will fix that later today.
Btw: please make use of the code tag.
bugfix pushed to github master. hf mf sim should now send the correct SAK (08 b6 dd).
Thanks piwi, it works against my Omnikey now; however it does not work against a door or phone reader. Just nothing, the Proxmark does not even light up, and even with the Omnikey the transmission power seems very weak.
I should have asked before: how good or bad is your PM3 antenna? Please try hw tune (without any card reader or card or metal nearby the antenna) and post the results.
I did three hw tune and got:
HF antenna: 9.76 V @ 13.56 MHz
HF antenna: 9.89 V @ 13.56 MHz
HF antenna: 9.80 V @ 13.56 MHz
That might be too low for sniffing and simulating. This is the voltage when the PM3 acts as a reader, i.e. the coil is actively driven by the PM3. It will be higher if the antenna is properly tuned to the carrier frequency and adapted to the PM3 and therefore resonates. For comparison: I get 14.5V with my self made antenna.
When sniffing or simulating the voltage in the antenna is induced by the external reader's field and will be lower. It is then even more important that it is tuned to the carrier frequency and correctly adapted to the PM3. See antenna building tips (http://code.google.com/p/proxmark3/wiki/Antennas). I propose to start with Roel's Hirose antenna and then change the wirelength (and therefore the diameter) of the coil (thereby changing the length of the non-coil part accordingly) until the voltage (hw tune or hf tune) doesn't increase any more. Always keep the three windings close together and don't change the general form (circle, square, rectangle - whatever you prefer) during tuning. 1cm in total in coil wire length (and that results in an even less difference in the coil's diameter) makes a difference - especially nearby the optimum. Then fix your antenna design to stay tuned.
Thanks for the advice, and you might be right. However, sniffing and, I think, hf 14a sim work (although I am getting "Received unknown command (len=1)" etc., but I think that is because 14a sim does not know how to respond?), thus I think it might be in hf mf.
Last edited by meccan (2014-08-06 09:44:47)
You confirmed that hf mf sim works with the Omnikey reader.
hf 14a sim produces "unknown commands" at other readers, which is an indication that only fractions of the reader commands are received, and hf mf sim doesn't work at all at other readers, with the "field detected" yellow LED not lit; both are indications that the voltage induced in your PM3 antenna is too low.
Your sniffing/snooping trace is from the Omnikey reader which probably produces a stronger field than the others (btw: it tries to read block 0 without authenticating first - are you sure that this is a Mifare reader?).
When doing hf 14a snoop with the other readers and a card, what do you get?
From a mifare reader on a door I get:
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 992 | Rdr | 52
2244 | 4612 | Tag | 04 00
16624 | 16848 | Rdr | 01
20276 | 26100 | Tag | c6 93 c7 fd 6f
40304 | 40528 | Rdr | 01
52004 | 55524 | Tag | 08 b6 dd
68704 | 73408 | Rdr | 60 00 f5 7b
75412 | 80148 | Tag | 16 ee 21 a7
81504 | 90880 | Rdr | 8a 00 82 e8 6b da 66 c8 !crc
256864 | 257856 | Rdr | 52
259108 | 261476 | Tag | 04 00
277140 | 282964 | Tag | c6 93 c7 fd 6f
297296 | 304048 | Rdr | 93 70 c6 93 c7 !crc
308996 | 312516 | Tag | 08 b6 dd
325696 | 330464 | Rdr | 60 04 d1 3d
332404 | 337076 | Tag | 09 7d 02 be
338496 | 347872 | Rdr | 8b ad 0a ee 29 c8 b5 f5 !crc
516100 | 518468 | Tag | 04 00
530496 | 532960 | Rdr | 93 20
534132 | 539956 | Tag | c6 93 c7 fd 6f
554288 | 564816 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
565988 | 569508 | Tag | 08 b6 dd
582944 | 587648 | Rdr | 60 0c 99 b1
589652 | 594388 | Tag | 84 ec 51 25
606308 | 610980 | Tag | 27! 3e 6f 02!
622480 | 627248 | Rdr | 57 12 3d a1 !crc
629204 | 633876 | Tag | 45! 88! dd 2c!
635280 | 635440 | Rdr | 00
645844 | 650580 | Tag | 7a 9c ac! 9c!
656912 | 661680 | Rdr | 99 e0 23 88 !crc
662980 | 683780 | Tag | 41! 22 19 bc 48! 00 36 cc a8 da! c5! fa! 6d e4! 79 0c! 57 9f !crc
698496 | 702624 | Rdr | 96 57 db !crc
704564 | 725364 | Tag | 59 cb df! bf! 91! 9b! e1! 99! 1b! 07 1f! a8 89 a1! fe! 9e! b4! ce! !crc
1312544 | 1317312 | Rdr | d5 c4 96 3c !crc
1318628 | 1339492 | Tag | 75 58 8d 77! a8! 19! 05! b9 d9 39! d7 dc 33! 05 6e a7 9b 1e! !crc
5785172 | 5787540 | Tag | 04 00
9778896 | 9779888 | Rdr | 52
9781124 | 9783492 | Tag | 04 00
13776304 | 13777296 | Rdr | 52
13778548 | 13780916 | Tag | 04 00
17772752 | 17773744 | Rdr | 52
17774996 | 17777364 | Tag | 04 00
21788128 | 21789120 | Rdr | 52
21790372 | 21792740 | Tag | 04 00
25782016 | 25783008 | Rdr | 52
25784260 | 25786628 | Tag | 04 00
29776896 | 29777888 | Rdr | 52
29779140 | 29781508 | Tag | 04 00
33790320 | 33791312 | Rdr | 52
33792564 | 33794932 | Tag | 04 00
37788692 | 37791060 | Tag | 04 00
41801600 | 41802592 | Rdr | 52
41803844 | 41806212 | Tag | 04 00
45799412 | 45801780 | Tag | 04 00
49811024 | 49812016 | Rdr | 52
49813268 | 49815636 | Tag | 04 00
53827184 | 53828176 | Rdr | 52
53829428 | 53831796 | Tag | 04 00
57822352 | 57823344 | Rdr | 52
57824564 | 57826932 | Tag | 04 00
61836672 | 61837664 | Rdr | 52
61838900 | 61841268 | Tag | 04 00
65833472 | 65834464 | Rdr | 52
65835716 | 65838084 | Tag | 04 00
69830308 | 69832676 | Tag | 04 00
That first snoop was probably from my Samsung S4 Mini, which does not support Mifare.
Last edited by meccan (2014-08-06 10:53:03)
This confirms my assumption.
E.g. we have
Rdr | 01 or Rdr | 00 : such commands don't exist - commands from the reader picked up incompletely
consecutive reader commands (at times 81504 and 256864) : missed the tag's answer and probably some more communication during this large time gap
consecutive tag answers (e.g. at times 259108 and 277140) : missed a reader command and probably some more communication during this big time gap
Rdr | 93 70 c6 93 c7 !crc : truncated reader select command (last byte of cards UID and CRC not picked up)
-> Your antenna isn't able to reliably pick up everything. Simulation therefore cannot work either.
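The readings piwi gives of the traces in this thread (the successful authentication to block 12, i.e. sector 3; the extra byte after SAK that broke hf mf sim against the Omnikey; and the stray 01 frames, the truncated 93 70 select and the back-to-back same-side frames that point at a weak antenna) can be checked mechanically. The script below is an added example, not Proxmark3 code: it parses hf 14a list output, recomputes CRC_A itself instead of trusting the tool's !crc marker, verifies the UID's BCC, labels each frame and reports the anomalies named above. It assumes Mifare Classic 1K geometry (sector = block // 4), and the sample trace is constructed from frames copied out of the posted snoops with made-up timestamps.

```python
"""Decode a Proxmark3 'hf 14a list' trace and flag the anomalies discussed above (added example, not Proxmark3 code)."""
import re

LINE_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|\s*(.*?)\s*$")

# Constructed sample in 'hf 14a list' layout: frames reused from the posted snoops, timestamps invented.
SAMPLE_TRACE = """\
0 | 992 | Rdr | 52
2244 | 4612 | Tag | 04 00
40304 | 40528 | Rdr | 01
52004 | 55524 | Tag | 08 b6 dd
81504 | 90880 | Rdr | 8a 00 82 e8 6b da 66 c8 !crc
256864 | 257856 | Rdr | 52
259108 | 261476 | Tag | 04 00
277140 | 282964 | Tag | c6 93 c7 fd 6f
297296 | 304048 | Rdr | 93 70 c6 93 c7 !crc
308996 | 312516 | Tag | 08 b6 dd
325696 | 330464 | Rdr | 60 0c 99 b1
332404 | 337076 | Tag | 84 ec 51 25
472640 | 483168 | Rdr | 93 70 c6 93 c7 fd 6f 6f b3
484852 | 489524 | Tag | 08 b6 dd 00
"""


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (preset 0x6363), returned in on-air byte order."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def crc_ok(frame: bytes) -> bool:
    return len(frame) >= 3 and crc_a(frame[:-2]) == frame[-2:]


def parse_trace(text: str):
    """[(start, end, src, data)]; masked '..' bytes become None, '!crc' and '!' parity markers are dropped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            toks = [t for t in m.group(4).split() if t != "!crc"]
            data = [None if t.startswith("..") else int(t.rstrip("!"), 16) for t in toks]
            frames.append((int(m.group(1)), int(m.group(2)), m.group(3), data))
    return frames


def describe(src: str, data) -> str:
    """Label one frame; uppercase words mark what a well-tuned antenna never shows."""
    n, full = len(data), None not in data
    raw = bytes(x for x in data if x is not None)
    if src == "Rdr":
        if n == 1:  # REQA and WUPA are the only legal single-byte reader commands
            return {0x26: "REQA", 0x52: "WUPA"}.get(data[0], "TRUNCATED reader command")
        if data[:2] == [0x93, 0x20]:
            return "ANTICOLLISION CL1"
        if data[:2] == [0x93, 0x70]:
            if n < 9:
                return "TRUNCATED SELECT (expected 93 70 + UID + BCC + CRC)"
            return "SELECT CL1" if not full or crc_ok(raw) else "SELECT CL1 (BAD CRC)"
        if n == 4 and full and crc_ok(raw):
            if data[0] in (0x60, 0x61):  # sector = block // 4 assumes Mifare Classic 1K
                return f"AUTH key {'A' if data[0] == 0x60 else 'B'} block {data[1]} (sector {data[1] // 4})"
            if data[0] == 0x30:
                return f"READ block {data[1]}"
            if data[:2] == [0x50, 0x00]:
                return "HALT"
        if n == 8:
            return "nr/ar (encrypted reader answer, carries no plain CRC)"
        return "unrecognised reader frame"
    if data == [0x04, 0x00]:
        return "ATQA (Mifare Classic 1K)"
    if n == 5:
        bcc_bad = full and (data[0] ^ data[1] ^ data[2] ^ data[3]) != data[4]
        return "UID + BCC (BCC MISMATCH)" if bcc_bad else "UID + BCC"
    if n >= 3 and data[0] == 0x08 and full and crc_ok(raw[:3]):
        return "SAK 08 (Mifare Classic 1K)" + (f" + {n - 3} EXTRA byte(s)" if n > 3 else "")
    if n == 4:
        return "tag nonce nt, or encrypted at"
    return "unrecognised tag frame"


EXPECTS_REPLY = ("ANTICOLLISION", "SELECT CL1", "AUTH key", "READ", "nr/ar")


def analyze(text: str):
    """Label every frame and insert MISSED markers where the sequence has holes."""
    report, prev_src, prev_label = [], None, ""
    for start, _end, src, data in parse_trace(text):
        label = describe(src, data)
        if src == "Rdr" and prev_src == "Rdr" and prev_label.startswith(EXPECTS_REPLY):
            report.append((start, src, "MISSED tag answer to the previous command"))
        if src == "Tag" and prev_src == "Tag":
            report.append((start, src, "MISSED reader command before this reply"))
        report.append((start, src, label))
        prev_src, prev_label = src, label
    return report


def anomalies(text: str):
    keys = ("TRUNCATED", "MISSED", "EXTRA", "MISMATCH", "BAD CRC")
    return [r for r in analyze(text) if any(k in r[2] for k in keys)]


if __name__ == "__main__":
    for start, src, label in analyze(SAMPLE_TRACE):
        print(f"{start:>9} {src} {label}")
```

Paste a real hf 14a list dump into SAMPLE_TRACE (or read it from a file) and the output reproduces piwi's diagnosis: a clean trace shows REQA/WUPA, ATQA, anticollision, a CRC-valid SELECT, a three-byte SAK and an AUTH with a four-byte nonce, while a trace from an antenna that induces too little voltage shows TRUNCATED and MISSED entries. The CRC_A routine is the reason 60 0c is followed by 99 b1 and 08 by b6 dd in every trace above; the encrypted nr/ar and at frames carry no plain CRC, so the tool's !crc marker on those is expected and is not flagged here.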
You should see values above 0x7C ((0x7C * 33000) >> 10 = 3996) in order for hf mf sim to work correctly with the current MF_MINFIELDV.
The highest I see when running a hw detectreader h and presenting the antenna to the troublesome reader is 0x58, with an average of 0x4a, so a max of 2800 mV, far below the threshold. I tried unplugging and replugging the connectors a few times to get a better connection, and I also tried the antenna switch in the towards-plug position, neither improved it at all.
With a different mifare reader I get values around 0xeb.
Assuming changing the threshold will make it work in my case (an assumption I will test today), what's the more broad solution? I'd love to contribute a patch to proxmark to solve it. Is adding another optional argument to hf mf sim the best solution?
Thanks,
tjhowse
So I adjusted the threshold down to 2300 mV and did a "hf mf eload ...", "hf mf sim", held the antenna to the reader a few times, then "hf 14a list". I saw the yellow light flickering when the antenna was in range, and occasionally the green light flashed.
Loaded 64 blocks from file: ....eml
uid:N/A, numreads:0, flags:0 (0x00)
#db# 4B UID: ...
#db# Emulator stopped. Tracing: 1 trace length: 954
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data
-----------|-----------|-----|--------
0 | 1056 | Rdr | 26
2420 | 4788 | Tag | 04 00
2092104 | 2093160 | Rdr | 26
2094524 | 2096892 | Tag | 04 00
4189440 | 4190496 | Rdr | 26
4191732 | 4194100 | Tag | 04 00
6287366 | 6288422 | Rdr | 26
6289722 | 6292090 | Tag | 04 00
8385102 | 8386158 | Rdr | 26
8387586 | 8389954 | Tag | 04 00
10483078 | 10484134 | Rdr | 26
10485434 | 10487802 | Tag | 04 00
12580460 | 12581516 | Rdr | 26
12582752 | 12585120 | Tag | 04 00
14678052 | 14679108 | Rdr | 26
14680344 | 14682712 | Tag | 04 00
16769836 | 16770892 | Rdr | 26
16772192 | 16774560 | Tag | 04 00
18867490 | 18868546 | Rdr | 26
18869910 | 18872278 | Tag | 04 00
20964778 | 20965834 | Rdr | 26
20967262 | 20969630 | Tag | 04 00
58626986 | 58628042 | Rdr | 26
58629342 | 58631710 | Tag | 04 00
60724578 | 60725634 | Rdr | 26
60726934 | 60729302 | Tag | 04 00
62822344 | 62823400 | Rdr | 26
62824636 | 62827004 | Tag | 04 00
64919936 | 64920992 | Rdr | 26
64922228 | 64924596 | Tag | 04 00
67017992 | 67019048 | Rdr | 26
67020348 | 67022716 | Tag | 04 00
69115214 | 69116270 | Rdr | 26
69117698 | 69120066 | Tag | 04 00
71212550 | 71213606 | Rdr | 26
71214906 | 71217274 | Tag | 04 00
73310528 | 73311584 | Rdr | 26
73312756 | 73315124 | Tag | 04 00
73317838 | 73320302 | Rdr | 93 20
73321858 | 73327746 | Tag | .. .. .. .. 91
73334478 | 73344942 | Rdr | 93 70 .. .. .. .. 91 1f 3c
73346562 | 73350082 | Tag | 08 b6 dd
73358956 | 73363660 | Rdr | 60 0c 99 b1
73368032 | 73372768 | Tag | 01 02 03 04
75463844 | 75464900 | Rdr | 26
75466136 | 75468504 | Tag | 04 00
77561452 | 77562508 | Rdr | 26
77563744 | 77566112 | Tag | 04 00
In parallel to this I have written the appropriate sector to another mifare classic card and I can successfully authenticate to the reader with that. I had feared that this was a non-standard reader that would only work with a specific brand of mifare classic cards, but this is not the case.
Thanks,
tjhowse.
Last edited by tjhowse (2014-08-07 00:41:32)
This confirms my assumption.
E.g. we have
Rdr | 01 or Rdr | 00 : such commands don't exist - commands from the reader picked up incompletely
consecutive reader commands (at times 81504 and 256864) : missed the tag's answer and probably some more communication during this large time gap
consecutive tag answers (e.g. at times 259108 and 277140) : missed a reader command and probably some more communication during this big time gap
Rdr | 93 70 c6 93 c7 !crc : truncated reader select command (last byte of cards UID and CRC not picked up)
-> Your antenna isn't able to reliably pick up everything. Simulation therefore cannot work either.
Right, thanks for getting that sorted for me, will build another antenna.
@tjhowse:
Your trace indicates antenna issues as well. It took 19 attempts to pass the selection phase - and then to fail with the authentication. Obviously the threshold has been chosen such that communication would reliably work with signal above the threshold - with a good antenna.
Please don't try to fix hardware issues with software patches.
I'm using a RyscCorp RFID-ANTENNA REV A. I get 9.96-10.02 V doing a hw tune in free air.
It's just the one that came with my PM3 a few years ago. I've never given any thought as to whether it's a good or bad antenna as it has always worked for many different readers. Is this particular product or design known to be bad? You mentioned that you got 14.5v on your self-made antenna. What design do you use?
Thanks,
tjhowse.
Well, this is HF, which sometimes is hard to predict. I can see that this antenna has some capacitors which can obviously be added by the switch. This may be too coarse to tune successfully. I can also see that a USB cable is used to connect this antenna. This will add an additional capacitor depending on length plus two connections with possible reflections. I don't think that USB cables are really suitable for HF. And finally: the PM3 comes in two variants (with either 47pF or 100pF input capacitance).
I wouldn't say that this or that type of antenna is good or bad. It all depends.
I use Roel's Hirose antenna design.
I've got a spare USB-A to Hirose cable here that is long enough to make one of those antennae. I might just give it a go.
http://www.proxmark.org/files/Documents/Antennas/2009.03.01-proxmark_HF_13.56MHz_mifare_antenne.pdf
For future reference.
I've built one of those antennas, and I get 12.86 V on hw tune, and 0x7c when I run hw detectreader, but only barely. I'll try tweaking it a bit to get it planar, see if I can get a better signal.