Research, development and trades concerning the powerful Proxmark3 device.
Hi!
Very long time no post here, but I did contribute to the PM3 a long, long time ago. Pretty cool to see everything that's been going on with it over the years!
I recently took my unit out of storage, and updated it to the latest git head, but it behaves strangely:
- LF operations seem to work perfectly
- HF operations all fail - despite the antenna tuning looking fine. I have tried on a bunch of antennas, PCB or self-wound... no luck on any tag kind (iClass, Mifare, Mifare UL, etc)
Looking at the output below, can anyone spot an issue? Are there known problems on older units with current firmware? One thing I noticed - and I don't remember with the old firmware - is whether the relay is used at all. I only hear it click at bootup, but never afterwards.
I have also tried the 3.0.1 release snapshot from github, no luck on that one either. Each time I made sure bootrom, fullimage and corresponding proxmark3 client were used.
parallels@ubuntu:~/Documents/Tools/proxmark3$ sudo ./client/proxmark3 /dev/ttyACM1
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-216-gfeb1bf4-suspect 2017-12-15 05:57:57
os: master/v3.0.1-216-gfeb1bf4-suspect 2017-12-15 05:57:58
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 200515 bytes (76%). Free: 61629 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune h
Measuring antenna characteristics, please wait...
# LF antenna: 0.00 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 15.10 V @ 13.56 MHz
# Your LF antenna is unusable.
proxmark3> hf 14a info
iso14443a card select failed
Any input appreciated!
Last edited by edo512 (2017-12-15 07:33:55)
Welcome back!
The community is always happy to welcome back an ol' timer; you will find that the pm3 has changed a lot.
I don't think anyone has tested the source code on an older model since not many have one. Which model do you have? Picture of the PCB?
Also, the reading distance between tag and antenna / position for 14a is picky; usually 1-2 cm distance is needed. When it comes to HF, the tag reading distance is different for almost all of the different implementations, rendering the hf search a bit unstable.
The new revisions of the pm3 device hardware have quite good performance.
Yes, I'm impressed with the capabilities of the PM3! On the scope, I can see a nice carrier at 13.56MHz on the antenna - can't distinguish any modulation when a card is close though, even though the cards are working fine on contactless PC/SC readers - Mifare for instance.
Has the board ever had any significant revision since it was designed?
Below is a picture I took - lighting is not great, but it's in focus. Let me know if you catch anything! The MCU is a 256k and I noticed current boards use 512, but if that was an issue, I would most probably get a hard crash...
Oh, and interestingly, hf snooping seems to work perfectly... only on the reader end ??? No data from the card is caught...
proxmark3> hf list 14a
Recorded Activity (TraceLen = 3520 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 4768 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
16112 | 20880 | Rdr | 50 00 57 cd | ok | HALT
43632 | 44624 | Rdr | 52 | | WUPA
59872 | 70336 | Rdr | 93 70 65 00 67 13 11 c2 69 | ok | SELECT_UID
1354912 | 1359680 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
1371024 | 1375792 | Rdr | 50 00 57 cd | ok | HALT
1398544 | 1399536 | Rdr | 52 | | WUPA
1414784 | 1425248 | Rdr | 93 70 65 00 67 13 11 c2 69 | ok | SELECT_UID
2709824 | 2714592 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
2725936 | 2730704 | Rdr | 50 00 57 cd | ok | HALT
2753456 | 2754448 | Rdr | 52 | | WUPA
2769696 | 2780160 | Rdr | 93 70 65 00 67 13 11 c2 69 | ok | SELECT_UID
4066016 | 4070784 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
4082128 | 4086896 | Rdr | 50 00 57 cd | ok | HALT
4109648 | 4110640 | Rdr | 52 | | WUPA
4125888 | 4136352 | Rdr | 93 70 65 00 67 13 11 c2 69 | ok | SELECT_UID
5421184 | 5425952 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
5437296 | 5442064 | Rdr | 50 00 57 cd | ok | HALT
5464816 | 5465808 | Rdr | 52 | | WUPA
5481056 | 5491520 | Rdr | 93 70 65 00 67 13 11 c2 69 | ok | SELECT_UID
6776096 | 6780864 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
6792208 | 6796976 | Rdr | 50 00 57 cd | ok | HALT
6819728 | 6820720 | Rdr | 52 | | WUPA
6835968 | 6846432 | Rdr | 93 70 65 00 67 13 11 c2 69 | ok | SELECT_UID
8131008 | 8135776 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
8147120 | 8151888 | Rdr | 50 00 57 cd | ok | HALT
8174640 | 8175632 | Rdr | 52 | | WUPA
8190880 | 8201344 | Rdr | 93 70 65 00 67 13 11 c2 69 | ok | SELECT_UID
Last edited by edo512 (2017-12-15 08:19:00)
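As an added example (not code from the original post or from the Proxmark3 project), the small Python script below parses rows in the `hf list 14a` layout shown above, recomputes the ISO 14443-3 Type A CRC_A that the client marks "ok", checks the BCC of the SELECT frame, and flags the symptom described in this post: reader frames present, no "Tag" frames at all. The trace rows embedded in it are constructed from the output quoted above.

```python
# Re-checks the CRC_A the Proxmark client marks "ok" in "hf list 14a" rows, checks the
# SELECT BCC, and flags the symptom in this thread: reader frames only, no "Tag" frames.
TRACE = """\
0 | 4768 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
16112 | 20880 | Rdr | 50 00 57 cd | ok | HALT
43632 | 44624 | Rdr | 52 | | WUPA
59872 | 70336 | Rdr | 93 70 65 00 67 13 11 c2 69 | ok | SELECT_UID
"""  # rows constructed from the trace quoted above

def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 Type A CRC_A: init 0x6363, reflected poly 0x8408, sent LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def parse_trace(text: str) -> list:
    """Return (start, end, src, payload, annotation) for every data row."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 6 or not cols[0].isdigit():
            continue  # header, separator or blank line
        frames.append((int(cols[0]), int(cols[1]), cols[2], bytes.fromhex(cols[3]), cols[5]))
    return frames

def crc_status(payload: bytes) -> str:
    """'ok'/'bad' for frames carrying a CRC_A; '' for short frames such as WUPA."""
    if len(payload) < 3:
        return ""
    return "ok" if crc_a(payload[:-2]) == payload[-2:] else "bad"

def select_bcc_ok(payload: bytes) -> bool:
    """SELECT (93 70): UID0..UID3 then BCC, which must equal the XOR of the UID bytes."""
    if payload[:2] != b"\x93\x70" or len(payload) < 7:
        return False
    return payload[2] ^ payload[3] ^ payload[4] ^ payload[5] == payload[6]

def analyse(text: str) -> dict:
    frames = parse_trace(text)
    rdr = sum(1 for f in frames if f[2] == "Rdr")
    tag = sum(1 for f in frames if f[2] == "Tag")
    return {"crc": [(f[4], crc_status(f[3])) for f in frames], "rdr": rdr, "tag": tag,
            # reader keeps transmitting but the tag never answers: the symptom reported above
            "tag_silent": rdr > 0 and tag == 0}
```

On a healthy exchange the same parser shows "Tag" rows (ATQA, SAK, block data) interleaved with the reader rows, so `tag_silent` staying true across repeated WUPA/SELECT cycles points at the receive path rather than the transmit path.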
The official pm3 releases fit the 256kb model. That is not an issue.
Since sniffing works well, I'd still say antenna. Test the strongest antenna; 20-30 V is a good one. Less than that and minor quirks start to happen, like placement and distance between antenna & tag becoming more important. Tags like legic will not read either then.
I'll keep looking around. One of my antennas gives me about 22V and used to work great... very strange! I'll see if I can dig up an old firmware revision and test on that one.
As I mentioned in my previous message, it looks like the antenna actually picks up the reader APDUs only, not the tag's, so something's definitely fishy...
Good news, my old PM3 is working again! After a couple of hours on the scope checking that the modulation was working great and the cards were answering properly, I tracked the problem to the C10 decoupling cap which had apparently gone bad - value much too low, in the pF range instead of 100nF... There is something to be said about pressing the board with your finger semi-randomly until something happens
I replaced it with a good 100nF cap and the board worked a lot better, but not perfect, so I started to investigate other values, and on a whim I just tried without the cap. To my surprise, this improved reading tremendously, to the point where I could reliably read a fancy metal EMV Paypass card that gives trouble even to a lot of commercial readers. Very unexpected!
I am just wondering why removing this cap improved things so much - as far as I can tell, this is simply a decoupling capacitor to give a steady Vmid (2.5V) voltage to the amplifier (IC6C), and should not have a major impact. I'm afraid this is a case of two wrongs cancelling each other, but as long as the reader is working reliably... If anyone can offer a reasonable analysis, I'm interested!
Below are a couple of scope traces, in case anyone cares - I'd be curious if anyone wanted to compare with their own units?
1. Raw RF field at the antenna:
2. The same field, zoomed in, where you can more easily see the reader/antenna communication
3. Trace after envelope detector and amplification, at the ADC_IN point. Note that somehow, the trace before/after removing C10 does not change there, at least I can't find any difference, so I am only attaching the one below, after removing C10:
Anyway, looking forward to doing more with the PM3 now!
+1 for logictrace porn
And 8-10 year old hardware has a tendency to break down. Interesting thoughts on the C10 capacitor. Isn't this the famous one which everyone with different antennas needs to change? (If I remember it correctly.) At least if you had the green PCB and the radiowars black one and people were building their own antennas.
Nowadays, many buy an elechouse revision, which has good voltage from the start. Not too many posts about building their own antennas anymore.
Interesting thoughts on the C10 capacitor. Isn't this the famous one which everyone with different antennas needs to change?
No, the famous one is C35.
C10 and parallel C45 are decoupling capacitors for DC voltage Vmid. Did you check your C45 as well?
I stand corrected.
C45 looks good... Did more operations, including "hf mf mifare" and EMV stuff, pretty reliable with the Ryscc antennas as far as I can tell. The newer models that are really portable do look cool though