Youtube: https://youtu.be/Naw5qo8UOLE

pm3 --> hw tune
# HF antenna: 34.60 V @ 13.56 MHz
pm3 --> hf search
UID : xx xx xx 00
ATQB : 00 00 00 00 00 81 71
CHIPID : 00
App Data: 00 00 00 00
Protocol: 00 81 71
Bit Rate: 106 kbit/s only PICC <-> PCD
Max Frame Size: 256 bytes
Protocol Type: Protocol is compliant with ISO/IEC 14443-4
Frame Wait Integer: 7 - 4096 ETUs | 38656 us
App Data Code: Application is Proprietary
Frame Options: NAD is not supported
Frame Options: CID is supported
Tag :
Max Buf Length: 0 (MBLI) chained frames not supported
CDI : 0
Valid ISO14443-B Tag Found - Quiting Search
pm3 --> hf emv trans
#db# Can't select card
#db# EMV TRANSACTION FINISHED
Running on an RDV2.0, 512 Kb, latest source from icemanfork, in a Docker container.
This includes "with_LF"; nothing is removed yet when compiling.
pm3 --> hw version
[[[ Cached information ]]]
Proxmark3 RFID instrument
bootrom: iceman/master/release-build(no_git)-suspect 2016-10-28 12:50:01
os: iceman/master/ 2017-02-14 11:57:31
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 241067 bytes (46%). Free: 283221 bytes (54%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
The code can be found here: https://github.com/lumag/emv-tools/
I may assume that this handling should also apply to the NFC way of communication.

Nonvolatile Program Memory Size: 256K bytes. Used: 222420 bytes (85%). Free: 39724 bytes (15%).
Transaction goes well
pm3 --> hf emv trans
#db# SELECT AID COMPLETED
#db# EMV TRANSACTION FINISHED
pm3 --> hf 14a list
Recorded Activity (TraceLen = 211 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |04 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |ef 91 43 88 b5 | |
18816 | 29344 | Rdr |93 70 ef 91 43 88 b5 ca 23 | ok | SELECT_UID
30516 | 34036 | Tag |28 b4 fc | |
35584 | 40352 | Rdr |e0 80 31 73 | ok | RATS
49460 | 70324 | Tag |10 78 80 70 02 00 31 c0 64 1f 27 01 00 00 90 00 | |
| | |38 57 | ok |
74880 | 102688 | Rdr |0a 00 00 a4 04 00 0e 32 50 41 59 2e 53 59 53 2e | |
| | |44 44 46 30 31 00 b0 54 | ok |
333236 | 382836 | Tag |0a 00 6f 23 84 0e 32 50 41 59 2e 53 59 53 2e 44 | |
| | |44 46 30 31 a5 11 bf 0c 0e 61 0c 4f 07 a0 00 00 | |
| | |00 04 10 10 87 01 01 90 00 86 5f | ok |
But unfortunately dumping EMV tag values is not working; it seems that some code adjustments are required, as the array of card data is not filled in:
pm3 --> hf emv dump
#db# currentcard->ATQA=
#db# 00 00
#db# currentcard->UID=
#db# currentcard->SAK1=
#db# 00
#db# currentcard->SAK2=
#db# 00
#db# currentcard->ATS=
#db# currentcard->tag_4F=
....
As an outcome of some investigations, EMV cards can also provide transaction history; that might be interesting to implement as well.
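The tag's reply to the SELECT 2PAY.SYS.DDF01 command in the `hf 14a list` trace above can be decoded offline to see the card data that `hf emv dump` leaves empty. The following is an added example, not part of the original posts or of the Proxmark3 source: it checks the ISO 14443-A CRC that the trace marks "ok" and walks the BER-TLV structure of the reply to pull out the AID (tag 4F). The frame bytes are copied from the trace; all function names are hypothetical.

```python
# Added example; frame bytes are copied from the trace, names are hypothetical.
PPSE_RESPONSE = bytes.fromhex(        # tag reply to SELECT 2PAY.SYS.DDF01
    "0a 00 6f 23 84 0e 32 50 41 59 2e 53 59 53 2e 44"
    "44 46 30 31 a5 11 bf 0c 0e 61 0c 4f 07 a0 00 00"
    "00 04 10 10 87 01 01 90 00 86 5f")

def crc_ok(frame: bytes) -> bool:
    """Check the trailing ISO/IEC 14443-3 CRC_A (init 0x6363, low byte first)."""
    crc = 0x6363
    for b in frame[:-2]:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return len(frame) > 2 and frame[-2:] == bytes([crc & 0xFF, crc >> 8])

def parse_tlv(data: bytes):
    """Yield (tag_hex, value, constructed) for each BER-TLV object in data."""
    i = 0
    while i < len(data):
        start, constructed = i, bool(data[i] & 0x20)
        if data[i] & 0x1F == 0x1F:        # multi-byte tag such as BF0C
            i += 1
            while data[i] & 0x80:         # more tag bytes follow
                i += 1
        # i is on the last tag byte; the length octet comes right after it
        tag, length, i = data[start:i + 1].hex(), data[i + 1], i + 2
        if length & 0x80:                 # long form: low 7 bits = length octets
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):        # reject truncated or lying lengths
            raise ValueError(f"tag {tag}: length {length} overruns buffer")
        yield tag, data[i:i + length], constructed
        i += length

def find_tag(data: bytes, wanted: str) -> list:
    """Collect every value stored under `wanted`, descending into templates."""
    found = []
    for tag, value, constructed in parse_tlv(data):
        if tag == wanted:
            found.append(value)
        elif constructed:
            found.extend(find_tag(value, wanted))
    return found

def ppse_aids(frame: bytes) -> list:
    """Return the AIDs (tag 4F) from an ISO 14443-4 I-block carrying a PPSE FCI."""
    apdu = frame[2 if frame[0] & 0x08 else 1:-2]   # drop PCB (+CID) and CRC_A
    if apdu[-2:] != b"\x90\x00":
        raise ValueError("status word is not 9000")
    return [aid.hex() for aid in find_tag(apdu[:-2], "4f")]
```

Calling `ppse_aids(PPSE_RESPONSE)` returns the single AID advertised by the card in the trace, and `find_tag(..., "84")` on the same payload returns the DF name.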