Research, development and trades concerning the powerful Proxmark3 device.
I'm very new to having a proxmark (just got it last week), and I'm trying to get a handle on if I'm seeing normal behavior when using "hf 14a snoop". When run with no tag or reader near the antenna to snoop, about how long should it take for the command to return due to the buffer being full?
Mine take roughly 5 seconds. After which, if I run a hf list 14a, I see mostly lines like this:
2036304 | 2036816 | Tag | 02 | |
2041200 | 2041456 | Tag | 00! | |
2044224 | 2044480 | Tag | 00! | |
2051712 | 2051968 | Tag | 00! | |
2052880 | 2053136 | Tag | 00! | |
2072656 | 2072912 | Tag | 00! | |
2093216 | 2093472 | Tag | 00! | |
2113440 | 2113696 | Tag | 00! | |
2118272 | 2118528 | Tag | 00! | |
2120688 | 2120944 | Tag | 00! | |
2139824 | 2140080 | Tag | 00! | |
2152128 | 2152640 | Tag | 02 | |
2178016 | 2178272 | Tag | 00! | |
2186976 | 2187232 | Tag | 00! | |
2188624 | 2189008 | Tag | 00! | |
2195408 | 2196240 | Tag | 3c! | |
2216128 | 2216384 | Tag | 00! | |
2223536 | 2223728 | Tag | 01 | |
Since none of the examples of hf 14a snoop I've found online usually include anything like this, I wanted to determine if there was something odd, or if it was just background that was normally trimmed out of examples?
Offline
Which version are you running? (hw ver)
If you are not using the latest source from github, then its time to upgrade.
It is easier to find potential problems if everyone is using the latest source.
Offline
Prox/RFID mark3 RFID instrument
bootrom: master/v2.2.0-57-g9dd0ac5-dirty-suspect 2015-09-09 03:37:16
os: master/v2.2.0-57-g9dd0ac5-dirty-suspect 2015-09-11 03:20:54
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/06/22 at 21:47:54
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 168030 bytes (64%). Free: 94114 bytes (36%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Iceman: To my original question, when you run hf 14a snoop without a card or reader nearby, how long does it take to return if you don't interrupt it using the button? Do you see lines like those I pasted when you run hf list 14a?
Offline
since the changes to the tracelog, it now snoops a long time. Before it was like 2-5 sec...
And yes, you can get all kind of responses. However, you should see a normal hf 14a transaction.
You'll need to test different spots for your snooping antenna and distance between reader/snoop/card ...
Offline
since the changes to the tracelog, it now snoops a long time.
Can you quantify? Like, seconds, 10's of seconds, minutes? Even just approximately.
And yes, you can get all kind of responses.
So these are normal 'background' interference expected when there is no tag or reader present?
However, you should see a normal hf 14a transaction.
Unlikely, since I'm explicitly keeping it away from nfc sources while performing this test. I'm concerned that there is something wrong with my environment, my device, or my software to create interference, and so I'm trying to get a baseline for the experience others are having.
Offline
until the memory runs out... Haven't tested exactly how long it takes.
but a guess would be something like one minute.
Without a tag, then your hf 14a snoop shouldn't find anything at all... If it doesn't get a transmission it shouldn't collect anything
how strong is your antenna? And you say nothing is nearby it....
Offline
until the memory runs out... Haven't tested exactly how long it takes.
but a guess would be something like one minute.
I'm aware that it takes until the memory runs out, and mine takes about 5 seconds. Which I thought was odd
Without a tag, then your hf 14a snoop shouldn't find anything at all... If it doesn't get a transmission it shouldn't collect anything
Exactly what I would expect.
how strong is your antenna?
proxmark3> hw tune
Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)
#db# DownloadFPGA(len: 42096)
# LF antenna: 0.14 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 17.37 V @ 13.56 MHz
# Your LF antenna is unusable.
And you say nothing is nearby it....
Offline
hm, do you get this static everytime you run the "hf 14a snoop" ?
Offline
Yup.
If I snoop with a normal setup (reader - proxmark - 1cm - tag), I'm able to see a transaction, but there is lots of this static, and lots of parity errors, and my transactions always had a "!crc" for the Rdr response (nr/ar). I also get lots of "Collision after Bit 8" for other commands, as well as this static for simple things like "hf 14a reader" with no tag present:
proxmark3> hf 14a reader
iso14443a card select failed
proxmark3> hf list 14a
Recorded Activity (TraceLen = 60 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
65652 | 65908 | Tag | 00! | |
67200 | 69664 | Rdr | 93 20 | | ANTICOLL
70980 | 71236 | Tag | 00! | |
74240 | 84704 | Rdr | 93 70 00 00 fb ff 04 ea c5 | | SELECT_UID
I bought my proxmark3 from hacker warehouse (http://hackerwarehouse.com/product/proxmark3-kit/) including antenna, so none of this was built by me. It sounds like this static is unexpected, and probably not software related? If you agree, then I can contact hacker warehouse about getting a replacement. I just wanted to make sure this was unusual and not user error or software error before contacting them.
Offline
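The two traces posted in this thread (the idle "hf 14a snoop" capture in the opening post and the "hf 14a reader" run with no tag present above) can be checked mechanically. The script below is an added example, not code from the thread or from the Proxmark3 project. It parses the columns the client prints (Start | End | Src | Data | CRC | Annotation), records the "!" parity marks, recomputes BCC and CRC_A over the SELECT_UID frame, and applies one heuristic that is my assumption rather than anything the posters said: at 106 kbit/s one bit lasts 128 carrier periods (1 etu), so a "frame" whose Start..End span is far shorter than 9 etu per byte (8 data bits plus parity) cannot be a real byte and is better read as a noise blip. The sample traces embedded in it are copied from the posts; the column widths are shortened.

```python
"""Sanity-check a Proxmark3 `hf list 14a` trace (added example, not project code)."""
from __future__ import annotations
from dataclasses import dataclass

ETU = 128  # carrier periods per bit at fc/128 = 106 kbit/s (ISO/IEC 14443-3)

# Frames from the "hf 14a reader" run with no tag present, copied from the thread.
READER_TRACE = """\
     0 |    992 | Rdr | 52                         |  | WUPA
 65652 |  65908 | Tag | 00!                        |  |
 67200 |  69664 | Rdr | 93 20                      |  | ANTICOLL
 70980 |  71236 | Tag | 00!                        |  |
 74240 |  84704 | Rdr | 93 70 00 00 fb ff 04 ea c5 |  | SELECT_UID
"""

# A few lines of the idle "hf 14a snoop" capture from the opening post.
SNOOP_TRACE = """\
2036304 | 2036816 | Tag | 02  | |
2041200 | 2041456 | Tag | 00! | |
2044224 | 2044480 | Tag | 00! | |
2152128 | 2152640 | Tag | 02  | |
2195408 | 2196240 | Tag | 3c! | |
2223536 | 2223728 | Tag | 01  | |
"""


@dataclass
class Frame:
    start: int
    end: int
    src: str
    data: bytes
    parity_err: bool  # the client printed '!' after at least one byte
    annotation: str

    @property
    def duration(self) -> int:
        return self.end - self.start

    def too_short(self) -> bool:
        """Heuristic (assumption): shorter than half the nominal 9 etu per byte."""
        return self.duration < (len(self.data) * 9 * ETU) // 2


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (Annex B): poly 0x8408, init 0x6363, sent LSB first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def parse_trace(text: str) -> list[Frame]:
    """Parse `hf list 14a` rows; header, separator and blank lines are skipped."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 5 or not cols[0].isdigit():
            continue
        tokens = cols[3].split()
        data = bytes(int(t.rstrip("!"), 16) for t in tokens)
        frames.append(Frame(int(cols[0]), int(cols[1]), cols[2], data,
                            any(t.endswith("!") for t in tokens),
                            cols[5] if len(cols) > 5 else ""))
    return frames


def check_select(frame: Frame) -> dict:
    """Verify BCC (XOR of the 4 UID bytes) and CRC_A on a 93 70 SELECT frame."""
    if frame.data[:2] != b"\x93\x70" or len(frame.data) != 9:
        raise ValueError("not a 9-byte 93 70 SELECT frame")
    uid, bcc, crc = frame.data[2:6], frame.data[6], frame.data[7:9]
    xor = 0
    for b in uid:
        xor ^= b
    return {"uid": uid.hex(), "bcc_ok": xor == bcc,
            "crc_ok": crc_a(frame.data[:7]) == crc}


def summarize(frames: list[Frame]) -> dict:
    """Count parity-flagged frames, implausibly short frames, and Tag-side blips."""
    return {
        "frames": len(frames),
        "parity_err": sum(f.parity_err for f in frames),
        "too_short": sum(f.too_short() for f in frames),
        "tag_blips": sum(1 for f in frames
                         if f.src == "Tag" and (f.parity_err or f.too_short())),
    }


if __name__ == "__main__":
    rdr = parse_trace(READER_TRACE)
    print("reader run:", summarize(rdr))
    print("SELECT_UID:", check_select(rdr[4]))
    print("idle snoop:", summarize(parse_trace(SNOOP_TRACE)))
```

On the reader trace the script confirms the SELECT_UID frame is internally consistent (BCC 04 and CRC ea c5 both recompute), while every Tag-side line is a parity-flagged 256-period blip, two bit-times long, which is what a decoder latching onto noise looks like rather than a card answering. The same check over the idle snoop lines classifies every one of them as a blip.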
you can try replacing the antenna cable.
does your antenna have a switch on it?
Offline
It doesn't have a switch on it, but the kit came with a second cable since it has one for each antenna. I swapped the cables, but still get the same result for snoop and reader.
Offline
hm, if you snoop a tag, how much space do you have between ?
Offline
My test of the new cable was testing snoop and reader with no tag present. If this static is uncommon, which its sounding like it is, I'm going to talk with hacker warehouse about a replacement.
Offline
There are other items that run on that frequency. It may be possible that you have something near that frequency in your house that it is picking up (car keys, large electronics running in or near the house). I would try from a different room or building and see if results change before RMAing the device. (These things are very sensitive to electromagnetic interference.)
Offline
An excellent point. I am in a studio apartment, and the most portable system I have is my raspberry pi, so my options are somewhat limited. I hooked the proxmark up to a raspberry pi and set it up in the other areas of my apartment, as far from my other electronics as I could. I also tried both in locations that are much higher, and much lower. Sadly, I got the same results in all the places I tested. On the upside, the proxmark was really easy to use with the pi, and very stable. On my desktop system (OS X), it always seemed like the proxmark terminal would sorta time out after a while and become unresponsive.
Offline
I have exactly the same issue and I think the problem is related to the firmware version, not the hardware.
I can downgrade PM3 to 0.0.7 and all works fine, but after upgrading to 2.2.0 there is an issue with random data.
my logs:
http://www.proxmark.org/forum/viewtopic.php?pid=18057#p18057
Last edited by Piorun (2015-10-01 21:44:02)
Offline
I tried Iceman's suggestion of an older fpga_hf.bit and results are promising. I haven't done extensive testing, but I was able to do a hf 14a reader and not see any collisions or weird errors, and I used snoop and didn't see the static I saw before, and didn't see any checksum or crc errors in the snooped data. I'm going to continue to test.
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: master/v2.2.0-57-g9dd0ac5-dirty-suspect 2015-09-09 03:37:16
os: master/v2.2.0-58-gdfb387b-dirty-suspect 2015-10-02 01:08:42
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/02/11 at 21:05:50
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 168186 bytes (64%). Free: 93958 bytes (36%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Offline
I tried Iceman's suggestion of an older fpga_hf.bit and results are promising.
Could you publish your build to somewhere? I would like to load it to my PM3.
Offline
Sensitivity has been substantially increased with the new FPGA version. This allows more reliable reading/snooping even at higher distances. You have discovered the downside: it is also more sensitive to picking up other devices' signals.
Maybe there should be a "hf mf sensitivity" command?
Offline
I have one older Pm3 model and for that one I also need the older fpga_hf.bit when I compile it.
Either we do it with the makefile, but then we need to maintain two hf images
or we do @pwpiw's suggestion to add a "hw sensitivity". I think the main change you did in the fpga was to turn on the powerline3, which boosted the antenna voltage (?)..
If we can make that optional then it would be a good solution.
Offline
I think the main change you did in the fpga was to turn on the powerline3, which boosted the antenna voltage (?)..
If we can make that optional then it would be a good solution.
The main changes had been on the receiver rather than on the sender part. My proposal would be to make EDGE_DETECT_THRESHOLD adjustable.
Offline
yeah, you and holiman look into the MillerDecoding and startpatterns for the signal.
If you remember my issues with one of your FPGA changes, where I have an older PM3, and it doesn't work well unless I use the older FPGA_hf.bit from before Feb-2015. For that pm3 I use one image from around 2015-01-20.
I think your answer (in short) was that my antenna was bad, I'm glad not to be the only one have the issue anymore.
Since then, the only real downside is that I can't use the later FPGA fixes for "iso14443b" for that specific pm3 device.
I wonder if this image works for @betts et al. https://github.com/Proxmark/proxmark3/b … pga_hf.bit
It should be the last one before @piwi's edge_detect fixes. @Eric, can you test it?
Offline
@iceman: That is the version I am using, and it is doing great
@Piorun: I think all you need is my fullimage.elf, and I've uploaded it here: https://dl.dropboxusercontent.com/u/156593/fullimage.elf.zip
Let me know how it goes!
Offline
I think your answer (in short) was that my antenna was bad,
Nope. It was you who wrote
I solve it by changing hardware, a stronger antenna.
I will now have a look at the code again. But it is always hard to find a bug if everything is working fine...
Offline
>I will now have a look at the code again. But it is always hard to find a bug if everything is working fine...
I can replicate a bug, how can I support you?
Offline
@Piorun: I think all you need is my fullimage.elf, and I've uploaded it here: https://dl.dropboxusercontent.com/u/156593/fullimage.elf.zip
Let me know how it goes!
Works fine, thank you
proxmark3> hw version
[[[ Cached information ]]]
Prox/RFID mark3 RFID instrument
bootrom: /-suspect 2015-08-16 18:49:55
os: master/v2.2.0-58-gdfb387b-dirty-suspect 2015-10-02 01:08:42
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/02/11 at 21:05:50
uC: AT91SAM7S256 Rev A
...
proxmark3> hf search
UID : da 55 xx xx
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quiting Search
proxmark3>
Offline
iceman wrote:I think the main change you did in the fpga was to turn on the powerline3, which boosted the antenna voltage (?)..
If we can make that optional then it would be a good solution.
The main changes had been on the receiver rather than on the sender part. My proposal would be to make EDGE_DETECT_THRESHOLD adjustable.
How to rollback the changes?
FPGA_CMD_SET_EDGE_DETECT_THRESHOLD <- this is defined in fpgaloader.h but I can't see any references in the code.
Offline
Hmm... so there is a difference between older and newer PM3's? Is the discrepancy in the FPGA chip itself?
Offline
Chips look the same - i don't know what was changed in new build - but version > 2.x doesn't work well
Offline