Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2009-01-20 07:34:12

shinechou
Contributor
Registered: 2008-10-20
Posts: 35

strange antenna problem with diff. PM3-workspace

so happy I can run my pm3 with d18c7db's workspace ("20081121_prox.zip" and "20081211_prox.zip"), but I find a strange problem, that is, if I use the "2008.09.17-armpgm-ebuller-proxmark3-image.S19" to flash my pm3 and exec. "tune" command then show "HF antenna @  127 mA", but it'll show "HF antenna @  44 mA" if I use the "bootrom-merged.s19" compiled by ur workspace, and the graphs are diff. when I exec. "plot" command with the diff. bootroms but the same 14443a card and the same antenna. I'm a noob and don't know which is better (127mA or 44mA)? why will it be like this?

pls help me! thx a million in advance!

Kindly regards.
Ryan

#2 2009-01-20 08:05:03

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: strange antenna problem with diff. PM3-workspace

The reason tune gives different values is that the original ebuller code calculates the HF value using 130pF as the capacitor value on the HF antenna, but in fact the latest revision of the board uses a 50pF capacitor, so the calculations in my version of the code take that into account to display the correct value. Look at armsrc\appmain.c in the section:

void MeasureAntennaTuning(void)
{
// Impedances are Zc = 1/(j*omega*C), in ohms
#define LF_TUNING_CAP_Z    1273    //  1 nF @ 125   kHz
#define HF_TUNING_CAP_Z    235    // 50 pF @ 13.56 MHz

Not sure why your plot graphs are different between versions, but since your tune values for HF are so low I assume you don't have a properly working HF antenna, so you're probably picking up noise. The HF value for my antenna using tune is in the 11000mV range (ie around 11 volts), see the output of my tune command in this post.

I've tested my latest code on both HF and LF cards and I can read either just fine.

Last edited by d18c7db (2009-01-20 08:06:57)

#3 2009-01-20 11:31:58

shinechou
Contributor
Registered: 2008-10-20
Posts: 35

Re: strange antenna problem with diff. PM3-workspace

thx a ton for ur help at first! I'll re-build my antenna and then try, but I'd ask for ur help about snoop: when I exec. "hi14asnoop" cmd, and then run "librfid-tool -s" (used for OpenPCD reader) to scan a 14443a card, then press the button of pm3 to stop snoop, and then exec. hi14alist, the pm3 restarts soon and gives no further info. why will it be like this? is my snoop-process right or wrong?

thx in advance!

#4 2009-01-20 23:02:59

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: strange antenna problem with diff. PM3-workspace

If the PM3 restarts it means it crashed and the watchdog has rebooted it. Have you flashed all three components of the new version software, the bootloader, the FPGA image and the osimage? Does it do the same when running ebuller? You'll need to supply us with more information.

Also, have you fixed your antenna problem? You should get much more than 127mV on HF when running tune, it should be somewhere in the several thousands of mV.

I've just done a test with my latest code (20081211) see below:

>> Connected to device
> tune
# LF antenna @  22 mA / 28601 mV [1273 ohms] 125Khz
# LF antenna @  21 mA / 25109 mV [1187 ohms] 134Khz
# HF antenna @  40 mA / 10571 mV [235 ohms] 13.56Mhz
> hi14asnoop
#db# cancelled_a
#db# 00000062, 00000000, 00000000

#db# 00000020, 00000097, 00000002

> hi14alist
recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     26    
 +   5143:    :     26    
 +   1440:    :     93  20    
 +   5014:    :     e0  50  bc  a5    
 +  61295:    :     26    
 +   5143:    :     26    
 +   1440:    :     93  20    
 +   3462:    :     93  70  08  e7  57  91  29  b7  d3    
 +   1552:    :     e0  50  bc  a5    
 +  17094:    :     02  00  a4  04  00  07  d4  10  00  00  03  00  01  cd  0d  00  00    
 +  18086:    :     02  90  4c  00  00  04  57  c6  00  00

Last edited by d18c7db (2009-01-21 22:50:03)

#5 2009-01-21 03:48:17

shinechou
Contributor
Registered: 2008-10-20
Posts: 35

Re: strange antenna problem with diff. PM3-workspace

hi d18c7db,

so great, I can run the snoop function correctly with ur help, many thanks! u're awesome and warm-hearted!

that's the log with ur latest code (20081211) and the newer antenna. I think the antenna is the key point for me: I used a coiled silver wire to make the old antenna, but it can't work correctly for me. according to ur suggestions, I used some bared copper wire to re-build the newer antenna and then it works like a charm.

I'm confused that it hasn't the "response" data in the log, I mean I exec. a "Get Challenge" APDU command ("0084000008") to get 8-bytes data from the card and I can find the 8-bytes challenge response in the output window of "MifareWnd" tool (provided by NXP), that is
"Send = 00 84 00 00 08
Receive = 19 79 60 A2 D5 B6 FB 80 90 00", I can't find something like "19 79 60 A2 D5 B6 FB 80 90 00" in the log of pm3, why? maybe the buffer of pm3 is incomplete?


anyway, thx a ton for ur patient help!

>> Started prox, built Jan 20 2009 13:51:54
>> Connected to device
> tune
# LF antenna @   0 mA /     0 mV [1273 ohms] 125Khz
# LF antenna @   0 mA /   134 mV [1187 ohms] 134Khz
# HF antenna @  52 mA / 12375 mV [235 ohms] 13.56Mhz
> hi14asnoop
#db# cancelled_a
#db# 00000032, 00000000, 00000008

#db# 00000020, 00000077, 00000002

> hi14alist
recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     26    
 +     74:   0: TAG 01    
 +    710:    :     93  20    
 +     74:   0: TAG ec    
 +    112:   0: TAG 32    
 +     78:   0: TAG 03!   
 +   1288:    :     93  70  26  53  01  67  13  d5  22    
 + 919963:    :     e0  80  31  73    
 +   1466:   0: TAG 00!   
 +2568402:    :     02  00  84  00  00  08  2f  ec

Last edited by shinechou (2009-01-22 10:22:11)

#6 2009-01-21 09:11:44

doob
Member
Registered: 2008-07-21
Posts: 15

Re: strange antenna problem with diff. PM3-workspace

Hi, your tag responses are incomplete (as you already know) from the above 14443a trace. I have this problem too, I guess it may be to do with how you orientate the proxmark antenna, tag and reader. The reader signal is generally much stronger.

Try taking the same trace/snoop a few times, changing the position of reader/card/proxmark and checking the output.

edit: Thinking about it, I have not yet been able to capture tag responses with hi14asnoop, I generally get the reader OK but all the tag transmissions are either truncated or corrupt.

Last edited by doob (2009-01-21 09:19:34)

#7 2009-01-21 11:35:12

shinechou
Contributor
Registered: 2008-10-20
Posts: 35

Re: strange antenna problem with diff. PM3-workspace

hi doob,

thx for ur suggestions! I'd changed the position of reader/card/proxmark as u said, but can't get complete snoop yet, so strange!

#8 2009-01-21 22:38:54

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: strange antenna problem with diff. PM3-workspace

Yeah your output doesn't look clean, you should not have exclamation marks (crc error).

What I found is that the orientation of the antenna is critical, for example I sometimes get output like this:

> hi14asnoop
#db# cancelled_a
#db# 00000049, 00000000, 00000000

#db# 00000020, 00000042, 00000026

> hi14alist
recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:   0: TAG fb    
 +    112:   0: TAG 02    
 + 969544:   0: TAG 01    
 +     48:   0: TAG 0f!   
 +  36260:   0: TAG df! df! 1f  ff  e5! cd! 1f      !crc
 +    536:   0: TAG 01

But then if I reposition the antenna by rotating it 90 degrees I get clean capture like so:

> hi14asnoop
#db# cancelled_a
#db# 00000063, 00000000, 00000000

#db# 00000020, 00000148, 00000002

> hi14alist
recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     26    
 +   5143:    :     26    
 +   1440:    :     93  20    
 +   3462:    :     93  70  08  b6  cc  f4  86  d5  fc    
 +   1552:    :     e0  50  bc  a5    
 +  49438:    :     26    
 +   5144:    :     26    
 +   1438:    :     93  20    
 +   3464:    :     93  70  08  b9  0d  0a  b6  f1  c9    
 +   1552:    :     e0  50  bc  a5    
 +  16239:    :     02  00  a4  04  00  07  d4  10  00  00  03  00  01  cd  0d  00  00    
 +  18925:    :     02  90  4c  00  00  04  57  c6  00  00

Try playing with your antenna position until you get some success, I know the current code seems to work for me without problems so all things being equal it should work for you too, if not it's probably something related to your antenna or its placement. The capture buffer in the current code is almost 2000 bytes so you should be able to capture heaps of traffic before you run out of buffer.

Last edited by d18c7db (2009-01-21 22:50:27)

#9 2009-01-22 01:35:23

doob
Member
Registered: 2008-07-21
Posts: 15

Re: strange antenna problem with diff. PM3-workspace

hi d18c7db,

I noticed in your second hi14asnoop output, there are only reader transmissions there, no tag responses. Perhaps the re-orientation on the antenna resulted in the proxmark not picking up any signal from the tag.

I think this is what I seem to get when trying the snoop function, although more often than not I will get a few corrupt TAG responses in the hi14alist output as well.

 +   1584:    :     52    
 +   1136:    :     93  20    
 +   2464:    :     93  70  88  04  33  30  8f  92  d8    
 +    824:    :     95  20    
 +      8:   0: TAG 02    
 +   2448:    :     95  70  51  48  1d  80  84  12  38    
 +     47:   0: TAG 00!   
 +   1273:    :     e0  21  b2  c7    
 +    650:   0: TAG 00!   
 +   4568:   0: TAG 00!   
 +  38726:    :     d1  11  00  8e  fc    
 +   2080:    :     0a  01  5a  58  48  00  c6  d1    
 +   2112:    :     0b  01  0a  00  b9  31    
 + 180135:    :     0a  01  af  d0  54  f6  77  27  f2  a7  7b  b8  d5  83  e2  c5  0f  e5  cd  7d  92    
 +    228:   0: TAG 01    
 +    135:   0: TAG 00!   
 +  61189:    :     0b  01  bd  00  00  00  00  08  00  00  32  44    
 +  39967:    :     ca  01  f3  38    
 +   1408:    :     50  00  57  cd    
 +  24814:   0: TAG 01    
 +   5554:   0: TAG 00!   
 +   3576:   0: TAG 00!

thx

doob

Last edited by doob (2009-01-22 01:39:37)

#10 2009-01-22 07:18:59

shinechou
Contributor
Registered: 2008-10-20
Posts: 35

Re: strange antenna problem with diff. PM3-workspace

the newest log, but incomplete yet!

>> Started prox, built Jan 20 2009 13:51:54
>> Connected to device
> tune
# LF antenna @   0 mA /     0 mV [1273 ohms] 125Khz
# LF antenna @   0 mA /     0 mV [1187 ohms] 134Khz
# HF antenna @  54 mA / 12826 mV [235 ohms] 13.56Mhz
> hi14asnoop
#db# cancelled_a
#db# 00000033, 00000000, 00000008

#db# 00000020, 0000009b, 00000002

> hi14alist
recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     26    
 +     64:   0: TAG 04  00    
 +    720:    :     93  20    
 +     64:   0: TAG 7c  3c  5d  d3  ce    
 +   1488:    :     93  70  7c  3c  5d  d3  ce  24  46    
 +     64:   0: TAG 08  b6  dd    
 +1170760:    :     e0  80  31  73    
 +     64:   0: TAG 04    
 +9615776:    :     93  70  00  00  00  00  00  9c  d9    
 +2209704:    :     93  20    
 +58529032:    :     02  00  84  00  00  08  2f  ec    
 +   7657:   0: TAG 01

Last edited by shinechou (2009-01-22 10:22:53)

#11 2009-01-22 08:02:40

shinechou
Contributor
Registered: 2008-10-20
Posts: 35

Re: strange antenna problem with diff. PM3-workspace

so, the position and orientation of the antenna of PM3 is the key point, congratulations, I'd got the complete snoop as following,

> tune
# LF antenna @   0 mA /     0 mV [1273 ohms] 125Khz
# LF antenna @   0 mA /   134 mV [1187 ohms] 134Khz
# HF antenna @  55 mA / 13019 mV [235 ohms] 13.56Mhz
> hi14asnoop
#db# cancelled_a
#db# 0000001b, 00000000, 00000008

#db# 00000020, 00000027, 00000002

> hi14alist
recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     02  00  84  00  00  08  2f  ec    
 +   3008:   0: TAG 02  9b  47  1a  b0  c0  8a  5b  fa  90  00  be  8e

Last edited by shinechou (2009-01-22 10:23:25)
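
Added example (not part of the thread and not Proxmark3 code): a small Python checker that parses `hi14alist` output in the layout shown in this thread and verifies the ISO/IEC 14443-3 Type A CRC on each frame, so a clean capture can be told apart from a truncated or corrupt one while repositioning the antenna. The function names and verdict labels are made up for illustration, the sample lines are copied from posts #5, #10 and #11, and treating any byte marked `!` as damaged is an assumption based on the remarks in post #8.

```python
import re

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 Type A CRC (initial value 0x6363), sent low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

# " +  <ETU>: <rssi>: [TAG] <hex bytes...>" as printed by hi14alist in this thread
LINE = re.compile(r"^\s*\+\s*\d+:\s*\d*:\s*(TAG)?\s*(.*)$")

def check_trace(text):
    """Return one (source, hex bytes, verdict) tuple per frame line."""
    results = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or not m.group(2).strip():
            continue  # header, separator or empty line
        who = "TAG" if m.group(1) else "READER"
        tokens = m.group(2).split()
        data = bytes(int(t.rstrip("!"), 16) for t in tokens if t != "!crc")
        if any("!" in t for t in tokens):
            verdict = "flagged"   # hi14alist itself marked this frame
        elif len(data) < 3:
            verdict = "no-crc"    # REQA/WUPA, ATQA, 93 20: sent without CRC
        elif crc_a(data[:-2]) == data[-2:]:
            verdict = "crc-ok"
        elif len(data) == 5 and data[0] ^ data[1] ^ data[2] ^ data[3] == data[4]:
            verdict = "bcc-ok"    # heuristic: anticollision reply, UID + BCC
        else:
            verdict = "crc-fail"
        results.append((who, data.hex(" "), verdict))
    return results

# Sample assembled from lines posted in #5, #10 and #11 of this thread.
SAMPLE = """\
 +      0:    :     26
 +     64:   0: TAG 04  00
 +     64:   0: TAG 7c  3c  5d  d3  ce
 +   1488:    :     93  70  7c  3c  5d  d3  ce  24  46
 +     64:   0: TAG 08  b6  dd
 +   1466:   0: TAG 00!
 +      0:    :     02  00  84  00  00  08  2f  ec
 +   3008:   0: TAG 02  9b  47  1a  b0  c0  8a  5b  fa  90  00  be  8e
"""

if __name__ == "__main__":
    for row in check_trace(SAMPLE):
        print(*row, sep=" | ")
```

A capture is worth analysing once the reader command and the TAG line after it both come back `crc-ok`, as the last two sample lines do.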

#12 2009-01-22 09:06:58

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: strange antenna problem with diff. PM3-workspace

Doob, you are correct. I didn't look closely at the output before posting, I just saw I was getting data, but didn't notice I wasn't getting TAG data.

I was suffering from the same problem I was advising shinechou about, ie antenna orientation. By repositioning my antenna I got a proper capture as below. I haven't analysed the data in detail but the anticollision phase looks correct (both PCD and PICC sides) and in the data received from the card I can see the serial number 0x130542 of my test card and the dollar balance of $20.00 = 2000 = 0x07d0 (last line).

>> Connected to device
> hi14asnoop
#db# cancelled_a
#db# 0000006d, 00000000, 00000000

#db# 00000020, 00000146, 00000002

> hi14alist
recorded activity:
 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:    :     26    
 +   5143:    :     26    
 +     64:   0: TAG 04  00    
 +   1304:    :     93  20    
 +     64:   0: TAG 08  aa  c9  52  39    
 +   3470:    :     93  70  08  aa  c9  52  39  ae  27    
 +     64:   0: TAG 20  fc  70    
 +   1488:    :     e0  50  bc  a5    
 +     88:   0: TAG 08  57  80  02  01  10  00  09  94  da    
 +  55266:    :     26    
 +   5144:    :     26    
 +     64:   0: TAG 04  00    
 +   1302:    :     93  20    
 +     64:   0: TAG 08  98  a5  7d  48    
 +   3472:    :     93  70  08  98  a5  7d  48  31  30    
 +   1552:    :     e0  50  bc  a5    
 +     88:   0: TAG 08  57  80  02  01  10  00  09  94  da    
 +  17238:   0: TAG 02! 6f  31  b0! 2f! 00! 10! 01! 02! 10! 10! 00  00  00  13! 05  42  00  00  01! 30  54! 20! 08  06  17  20  28  06  16  01  00  00  00  75  30  00  01  00  00  00  00  00  00  00  00  00  00  00  00  00  00  90  00  88  23    
 +  12766:    :     02  90  4c  00  00  04  57  c6  00  00    
 +    472:   0: TAG 03  00  00  07  d0  90  00  3a  ee

Last edited by d18c7db (2009-01-22 09:15:18)

#13 2009-01-22 09:25:08

TomBu
Contributor
From: Delft, The Netherlands
Registered: 2008-10-27
Posts: 55

Re: strange antenna problem with diff. PM3-workspace

Hi everyone,


Great that you guys found out that the orientation is so important.
Hence it should be documented well, so others can learn from it.
Would anyone care to show, with a small drawing or picture, the orientation that's working for him /her?


Cheers,
Tom

#14 2009-01-22 21:09:15

d18c7db
Contributor
Registered: 2008-08-19
Posts: 292

Re: strange antenna problem with diff. PM3-workspace

What works for me is the plane of the PM3 antenna is right next to the plane of the RFID card but the long side of the RFID card is rotated about 45 degrees relative to the long side of the antenna. If you look here at the first two pictures, where the green wire rectangle is the PM3 antenna you get an idea of the setup.

Later in that post I show a different antenna that I built but the actual positioning of the card remains the same. I imagine that if others have made different types of antennas, ie circular, they would need to experiment with what works best for them.

#15 2009-01-23 09:17:07

shinechou
Contributor
Registered: 2008-10-20
Posts: 35

Re: strange antenna problem with diff. PM3-workspace

very same as my setup!

#16 2009-01-23 10:09:15

TomBu
Contributor
From: Delft, The Netherlands
Registered: 2008-10-27
Posts: 55

Re: strange antenna problem with diff. PM3-workspace

OK!

Thanks for the feedback.

Cheers,
Tom
