Proxmark3 community


#1 2019-09-18 12:47:42

DerbyDale
Contributor
Registered: 2019-09-17
Posts: 6

Proxmark3 RDV4 Standalone Issue

Hi all,

I have recently purchased a new Proxmark3 RDV4 and after following all of the guidelines to upgrade it to the RRG / Iceman repo (which appears to have gone well), the LF_SAMYRUN standalone mode isn't or doesn't appear to be working via the button commands. I can run lf sim and it will read a card and simulate it fine. Have I missed something?
Below are the outputs:

HW STATUS

#db# Memory           
#db#   BIGBUF_SIZE.............40000          
#db#   Available memory........40000          
#db# Tracing           
#db#   tracing ................1          
#db#   traceLen ...............0          
#db# Currently loaded FPGA image           
#db#   mode.................... LF image built for 2s30vq100 on 2019-07-31 at 15:57:16          
#db# Flash memory           
#db#   Baudrate................24 MHz           
#db#   Init....................OK           
#db#   Memory size.............2 mbits / 256 kb           
#db#   Unique ID...............0xD567A882A7887325          
#db# Smart card module (ISO 7816)           
#db#   version.................v3.11           
#db# LF Sampling config           
#db#   [q] divisor.............95 ( 125 kHz )          
#db#   [b] bps.................8          
#db#   [d] decimation..........1          
#db#   [a] averaging...........Yes          
#db#   [t] trigger threshold...0          
#db# LF T55XX config           
#db#            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]          
#db#            mode            |start|write|write|write| read|write|write          
#db#                            | gap | gap |  0  |  1  | gap |  2  |  3          
#db# ---------------------------+-----+-----+-----+-----+-----+-----+------          
#db# fixed bit length (default) |  29 |  17 |  15 |  47 |  15 | N/A | N/A |           
#db#     long leading reference |  31 |  20 |  18 |  50 |  15 | N/A | N/A |           
#db#               leading zero |  31 |  20 |  18 |  40 |  15 | N/A | N/A |           
#db#    1 of 4 coding reference |  29 |  17 |  15 |  31 |  15 |  47 |  63 |           
#db#           
#db# Transfer Speed           
#db#   Sending packets to client...          
#db#   Time elapsed............500ms          
#db#   Bytes transferred.......27648          
#db#   Transfer Speed PM3 -> Client = 55296 bytes/s          
#db# Various           
#db#   DBGLEVEL................1          
#db#   ToSendMax...............-1          
#db#   ToSendBit...............0          
#db#   ToSend BUFFERSIZE.......2308          
#db#   Slow clock..............31924 Hz          
#db# Installed StandAlone Mode           
#db#   LF HID26 standalone - aka SamyRun (Samy Kamkar)          
#db# Flash memory dictionary loaded           
#db#   Mifare..................857 keys          
#db#   T55x7...................109 keys          
#db#   iClass..................7 keys 

HW VERSION

[ CLIENT ]          
  client: RRG/Iceman          
  compiled with GCC 9.2.1 20190821 OS:Linux ARCH:x86_64          

 [ PROXMARK RDV4 ]          
  external flash:                  present           
  smartcard reader:                present           

 [ PROXMARK RDV4 Extras ]          
  FPC USART for BT add-on support: present           
          
 [ ARM ]
  bootrom: RRG/Iceman/master/d3651cc0-dirty-unclean 2019-09-18 06:13:05
       os: RRG/Iceman/master/d3651cc0-dirty-unclean 2019-09-18 06:13:30
  compiled with GCC 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]

 [ FPGA ]
  LF image built for 2s30vq100 on 2019-07-31 at 15:57:16
  HF image built for 2s30vq100 on 2018-09-03 at 21:40:23          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 271519 bytes (52%) Free: 252769 bytes (48%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

HW TUNE

[=] Measuring antenna characteristics, please wait...
          
..
          
[+] LF antenna: 31.02 V - 125.00 kHz          
[+] LF antenna: 50.84 V - 134.00 kHz          
[+] LF optimal: 61.75 V - 137.93 kHz          
[+] LF antenna is OK  
          
[+] HF antenna: 19.75 V - 13.56 MHz          
[+] HF antenna is OK           
          
[+] Displaying LF tuning graph. Divisor 89 is 134kHz, 95 is 125kHz.

Any help would be appreciated.


#2 2019-09-18 18:39:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: Proxmark3 RDV4 Standalone Issue


#3 2019-09-18 20:04:48

DerbyDale
Contributor
Registered: 2019-09-17
Posts: 6

Re: Proxmark3 RDV4 Standalone Issue

I have scrutinised the standalone section from your link above, I have spent days looking into this, but still have no idea why it isn't working.
Everything compiles ok, I have even changed the standalone mode, but the buttons are still the same! I would really appreciate some help here please?
When I long press the button all of the LEDs flash to enter standalone mode, then LED D stays lit for a split second, if I press again LED A stays lit, another press LED A flashes for a second or so then goes off. Nothing after that, all LEDs are off.

Last edited by DerbyDale (2019-09-18 20:14:11)


#4 2019-09-18 22:34:38

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Proxmark3 RDV4 Standalone Issue

I just had a quick play and used the wiki and image (from a link on the wiki) as a guide.
Latest from the RRG repo.

It can be a little tricky as you need to work through all the button presses.

I have not confirmed things 100%, just had a play and could clone a HID 26 bit card.

I suggest you run the client and connect to the proxmark3, then while the client is connected press and hold to go into stand alone mode.
The client will display debug messages. This will help you know what stage you are at.

Sample debug messages

#db# Stand-alone mode, no computer necessary
#db# >>  LF HID Read/Clone/Sim a.k.a SamyRun Started  <<
#db# [=] start recording
#db# DEBUG: (preambleSearchEx) preamble found at 74
#db# DEBUG: (preambleSearchEx) preamble 2 found at 170
#db# TAG ID: xxxxxxxxxx (xxxxx) - Format Len: 26bit - FC: xx - Card: xxxxx     
#db# HID fsk demod stopped
#db# [=]   recorded 0 | xxxxxxxxxx
#db# [=] simulating 0 | xxxxxxxxxx
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, STT: 0, n: 4800
#db# [=] simulating done
#db# [=]    cloning 0 | xxxxxxxxxx
#db# [=] cloned done


#5 2019-09-19 08:40:45

DerbyDale
Contributor
Registered: 2019-09-17
Posts: 6

Re: Proxmark3 RDV4 Standalone Issue

Hi,

Below is the result that I get... very baffling. The card used during this test can be simulated using LF SIM and works just fine at giving me swipe access.

#db# Stand-alone mode, no computer necessary          
#db# >>  LF HID Read/Clone/Sim a.k.a SamyRun Started  <<          
#db# [=] start recording          
#db# HID fsk demod stopped          
#db# [=]   recorded 0 | 000000000          
#db# [=] only got zeros, retry recording after click          
#db# [=] start recording          
#db# HID fsk demod stopped          
#db# [=]   recorded 0 | 000000000          
#db# [=] only got zeros, retry recording after click          
[usb] pm3 --> 

The standalone output comes after a long button press, 'start recording' runs after a further short press, finally another third short press creates the 'only got zeros, retry recording after click' (This is all with the card resting on the Proxmark).
None of the above is automated, it all required button presses!
Could it be a faulty device?

Last edited by DerbyDale (2019-09-19 08:41:50)


#6 2019-09-21 05:18:25

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Proxmark3 RDV4 Standalone Issue

Not sure what's going on.
What I did (with the debug) was:

1. With no card on the proxmark... long press, released when the LEDs start to "scan" (all LEDs scan on/off) the debug shows
#db# Stand-alone mode, no computer necessary
#db# >>  LF HID Read/Clone/Sim a.k.a SamyRun Started  <<

2. With no card on the proxmark - press and hold until led A is on
#db# [=] start recording

3. Move the original code over the reader
The Proxmark reads the card and displays the output (all LEDs go off)
#db# DEBUG: (preambleSearchEx) preamble found at 38
#db# DEBUG: (preambleSearchEx) preamble 2 found at 134
#db# TAG ID: xxxxxxxxxx (xxxxx) - Format Len: 26bit - FC: xx - Card: xxxxx
#db# HID fsk demod stopped
#db# [=]   recorded 0 | xxxxxxxxxx

... then the sim and clone bits (clone needs the "blank" cards on the PM3 prior to cloning).
I also tested the above with the card on the reader the whole time and it seemed to work as well.


#7 2019-09-25 11:30:16

DerbyDale
Contributor
Registered: 2019-09-17
Posts: 6

Re: Proxmark3 RDV4 Standalone Issue

Does anyone have an idea what's going on here? I just cannot get it to run automatic! Do you think this is a faulty device?


#8 2019-09-25 22:29:02

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Proxmark3 RDV4 Standalone Issue

Can you show the output of the lf search of the original card?
I would like to see what hid format is being used.


#9 2019-09-26 09:29:50

DerbyDale
Contributor
Registered: 2019-09-17
Posts: 6

Re: Proxmark3 RDV4 Standalone Issue

Thanks for the reply.
Below is the full output using lf search, this is the original card.

[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary          
[=] if it finds something that looks like a tag          
[=] False Positives ARE possible          
[=]           
[=] Checking for known tags...
          
[+] EM410x pattern found          

EM TAG ID      : 5F00267990           

Possible de-scramble patterns
          
Unique TAG ID  : FA00649E09          
HoneyWell IdentKey {          
DEZ 8          : 02521488          
DEZ 10         : 0002521488          
DEZ 5.5        : 00038.31120          
DEZ 3.5A       : 095.31120          
DEZ 3.5B       : 000.31120          
DEZ 3.5C       : 038.31120          
DEZ 14/IK2     : 00408024414608          
DEZ 15/IK3     : 001073748418057          
DEZ 20/ZK      : 15100000060409140009          
}
Other          : 31120_038_02521488          
Pattern Paxton : 1597683600 [0x5F3AB790]          
Pattern 1      : 1691723 [0x19D04B]          
Pattern Sebury : 31120 38 2521488  [0x7990 0x26 0x267990]          
          
[+] Valid EM410x ID found!


#10 2019-09-26 11:13:26

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Proxmark3 RDV4 Standalone Issue

OK, that tag is showing as an EM410x tag.
SamyRun is for HID cards.

From the debug output
   #db# >>  LF HID Read/Clone/Sim a.k.a SamyRun Started  <<

As per the link from iceman
   LF_SAMYRUN (def)    HID26 read/clone/sim    Samy Kamkar


If you have some t55xx cards you could try this.

Create a 26 bit hid card
    lf hid clone 20041accab

Confirm it was created ok
   lf search

Then try the standalone samyrun again with that card as the source card.

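The mismatch identified in the last reply (an EM410x tag presented to an HID-only standalone mode) can be checked from the three captures posted in this thread. The Python below is an added example, not part of any post or of the Proxmark3 code base; the function names, the trimmed sample captures, and the rule that a mode handles a tag family only when the family name appears in the mode description are assumptions made for illustration.

```python
import re

# Constructed sample captures, trimmed from the outputs quoted in this thread.
HW_STATUS = """\
#db# Installed StandAlone Mode
#db#   LF HID26 standalone - aka SamyRun (Samy Kamkar)
"""
LF_SEARCH = """\
[+] EM410x pattern found
EM TAG ID      : 5F00267990
[+] Valid EM410x ID found!
"""
STANDALONE_LOG = """\
#db# [=] start recording
#db# HID fsk demod stopped
#db# [=]   recorded 0 | 000000000
#db# [=] only got zeros, retry recording after click
"""

def installed_mode(hw_status):
    """Return the description line that follows 'Installed StandAlone Mode'."""
    lines = [l.replace("#db#", "").strip() for l in hw_status.splitlines()]
    for i, line in enumerate(lines[:-1]):
        if line == "Installed StandAlone Mode":
            return lines[i + 1]
    return None

def detected_family(lf_search):
    """Return the tag family named in a '[+] Valid <family> ID found' line."""
    m = re.search(r"\[\+\] Valid (.+?) ID found", lf_search)
    return m.group(1) if m else None

def diagnose(hw_status, lf_search, standalone_log):
    """Compare the tag family from 'lf search' with the installed standalone mode."""
    mode = installed_mode(hw_status)
    family = detected_family(lf_search)
    # Assumed heuristic: the first word of the family name ("HID", "EM410x")
    # must appear in the mode description for the mode to handle that tag.
    key = family.split()[0].upper() if family else None
    supported = bool(mode and key and key in mode.upper())
    return {
        "mode": mode,
        "family": family,
        "empty_reads": standalone_log.count("only got zeros"),
        "supported": supported,
    }

if __name__ == "__main__":
    print(diagnose(HW_STATUS, LF_SEARCH, STANDALONE_LOG))
```

An `empty_reads` count above zero together with `supported` being false points at a card-type mismatch rather than a hardware fault.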
