Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Pages: 1
Hey all,
I have a CryptoRF tag and I am trying to use all capabilities of pm3 with this tag.
(1) Snooping: Going through all CryptoRF related topics in the forum (multiple times) I am now able to execute "hf 14b snoop" and list the collected commands successfully. Positioning of the antenna close to the tag helped a lot. I also wrote some code to annotate CryptoRF specific commands.
(2) Simulating a tag: When I try to simulate a CryptoRF tag I had less luck, my reader and the tag doesn't seem to synch up well, pm3 seems to get all commands from the reader but whatever it sends as a response is not picked up by the reader, sometimes it works, sometimes it doesn't. (Btw, I had to change the TR1 value to be 10 ETUs, otherwise it didn't work at all)
(3) Reading a tag: This is the worst, I have been trying to read a CryptoRF tag using only pm3, and it seems like I cannot even detect a subcarrier signal. While pm3 seems to successfully snoop and does flaky tag simulation it picks up no signal from the tag itself when I try to read it. I put the reader function in a loop and changed position of the tag constantly to see the effect of distance but no luck :/
Btw, I notice some interesting things in the code
1) Inside iso14443b.c, in TransmitFor14443b function, bits in the data is inverted, sending 0x0000 when bit is 1, and vice versa.
2) Inside iso14444b.c, in SendRawCommand14443B, after power on there is a delay for 10 units, while in ReadSTMemoryIso14443b, this delay is 200 units. I tried them both and didn't make a difference for me :/
any help for these issues is appreciated. Especially to read a tag using pm3.
I am using windows (ProxSpace-master) and the last version of the software I fetched from this repository.
Thanks.
Offline
Must be the first one in years I have heard someone actually having a CryptoRF tag. What does HF SEARCH tell you? What is voltage drop? (hw tune) and can you tell us more about your tag? Pictures?
Offline
HF Search says "no known/supported 13.56 MHz tags found"
Voltage drop is tricky, it changes with location so much. When I put the tag directly onto antenna it is ~4V and when I put 1cm between tag and the antenna (as it is suggested in the forum) the voltage drops ~1-2V depending on location of the tag.
None of the locations made pm3 discover the tag though.
I have been playing with the code to understand what exactly causes this situation, I made some changes in the iso14443b.c inside armsrc directory.
I do a longer spinDelay right after FPGADownloadAndGo function inside SendRawCommand14443B function and I did some reordering of the events in the same function. Now I can detect subcarrier signal (at some certain locations) but only for 3 units of time, while code expects 8 units.
Do you think tag somehow doesn't send long enough TR1?
Below is the datasheet for the tag and ISO 14443B values here matches with the pm3 code but I am not 100% sure.
Offline
+1 Nice datasheet!
Now, we could use a CryptoRF implementation for easy read / write / dump / restore / info commands...
Not to mention the crypto used..
Offline
Btw, I realized, the changes I made didn't make much effect, I changed one too many parameters all at once and got confused which one affected the result. It turns out only the location helped with detecting some subcarrier signals. But it is not long enough to sync and demodulate the tags response.
Like I mentioned, I did write some code for the CryptoRF specific commands, I can make additions to the project once I get sometime to polish my code. But first I would like to make the PM3 read the tag.
Other than the location, do you have any ideas I can try?
Offline
I have spent quite some time with the proxmark in the last 2 weeks.
I think I made some progress, but there are still hiccups and I am having a hard time understanding the reason for it.
First, I switched to the following repo (https://github.com/rfidresearchgroup/proxmark3) that was suggested by @iceman.
That helped with getting the pm3 work as a reader. It can now send raw commands and I get responses. However, it didn't seem very reliable until I changed the ISO14443B_DMA_BUFFER_SIZE to 16838 from 256. This helped a lot since there was no more overflowing of the dma buffer any longer. However now I have another problem, I get the same response twice. And sometimes the tag just gets stuck and stops responding, it only responds again after a switch_off(). So I can only run 4-5 commands consecutively. Every time I have to go back to REQB -> ATTRIB startup routine.
For simulation of the tag, after receiving the command from the reader, ISO14443B requires tag to not transmit a subcarrier signal for sometime. (This is the guard time TR0) - however in the armsrc, I cannot see any code that implements this delay. When I hardcoded some TR0 delay (8 ETUs according to the datasheet) using the GetCountSspClk() function, it started communicating with the reader but not 100% of the time, it seems like it becomes out of synch and there is no obvious reason for it.
Did anyone successfully use these 14B commands on other tags? - the setup seems to be always problematic and flaky for me.
Offline
don't think its the dma buffer size that causes this.
there is a wait time in some 14b armsrc code, which shouldn't be used. those could be the ones messing around.
Offline
@bystander,
the 14B source has been updated and there is also a PR for CryptoRF simulation.
Which CryptoRF tag do you have? Is there a possibility to get some spares from you?
You don't have a Secure memory RF tag?
Offline
Pages: 1