Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2013-11-22 16:38:18

ProxmarkPoly
Member
Registered: 2013-11-22
Posts: 7

Problem when trying to sniff exchange between MiFare Card and reader

Hi buddies,

I am trying to sniff an exchange between a MiFare Card (a badge) and its reader.
It's RFID so I use the HF antenna with the proxmark3.

After that I type "hf mf sniff" in the proxmark3 command line,
but it detects absolutely nothing...

I think it's not a distance problem because I put the HF antenna between the reader and the badge.
I know that the exchange between the badge and the reader is made because the reader's LED becomes red (bad badge for this door).
I know that the antenna is OK because I can read the badge easily with the command "hf mf dump".

Can somebody help me, please?

Thanks a lot,
looking forward to your reply,

Poly.


#2 2013-11-22 16:57:42

piwi
Contributor
Registered: 2013-06-04
Posts: 701

Re: Problem when trying to sniff exchange between MiFare Card and reader

Which version are you using (output of "hw ver")?


#3 2013-11-22 17:10:57

sboudjem
Member
Registered: 2013-11-07
Posts: 2

Re: Problem when trying to sniff exchange between MiFare Card and reader

Hi,
First thank you for your interest,
I'm working with Poly, and here is the version we're using:

proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 486-unclean 2011-08-28 18:52:03
#db# os: svn 651-suspect 2013-01-25 15:52:19
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56

Looking forward,

Sboudjem.


#4 2013-11-26 16:09:22

ProxmarkPoly
Member
Registered: 2013-11-22
Posts: 7

Re: Problem when trying to sniff exchange between MiFare Card and reader

Finally we found how to listen to a communication using the "hf 14a snoop" and "hf 14a list" commands.
We obtained these results:

recorded activity:

 ETU     :rssi: who bytes
---------+----+----+-----------
 +      0:   0: TAG 02
 + 152797:   0: TAG 00!
 + 289126:   0: TAG 02
 + 147123:   0: TAG 01
 + 147462:   0: TAG 05!
 + 147290:   0: TAG 02
 + 441954:   0: TAG 02
 + 441954:   0: TAG 02
 + 531882:   0: TAG 04  00
 +    746:   0: TAG 4e  46  7e  16  60
 +   2048:   0: TAG 08  b6  dd
 + 120402:   0: TAG 02
 +  21846:   0: TAG 04  00
 +    744:   0: TAG 4e  46  7e  16  60
 +   2052:   0: TAG 08  b6  dd
 + 142234:   0: TAG 04  00
 +    746:   0: TAG 4e  46  7e  16  60
 +   2048:   0: TAG 08  b6  dd
 + 142220:    :     26
 +   4752:    :     26
 + 142579:    :     26
 +   4751:    :     26
 + 142578:    :     26
 +   4750:    :     26
 + 142576:    :     26
 +   4752:    :     26
 + 142579:    :     26
 +   4751:    :     26

Does someone know how to interpret it?


#5 2013-11-26 17:02:10

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Problem when trying to sniff exchange between MiFare Card and reader

Following the official ISO14443-3A scheme (image: SzxiFhQ.png):
ATQA+UID+SAK = 0004 4e467e16 08: it probably is a Mifare 1K card with UID = 4e467e16.

Last edited by asper (2013-11-26 17:04:17)
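
The reading given in the post above can be checked against the trace itself. This is an added example, not part of the original posts and not Proxmark3 code: it parses lines in the format of the posted "hf 14a list" output, finds ATQA / UID+BCC / SAK+CRC runs from the tag, and verifies the BCC (XOR of the four UID bytes) and the CRC_A on the SAK. The function names are hypothetical, and skipping frames that carry a "!" flag is an assumption.

```python
import re

# Constructed sample: lines copied from the "hf 14a list" output posted in this thread.
TRACE = """\
 + 120402:   0: TAG 02
 +  21846:   0: TAG 04  00
 +    744:   0: TAG 4e  46  7e  16  60
 +   2052:   0: TAG 08  b6  dd
 + 142220:    :     26
"""

LINE = re.compile(r"^\s*\+\s*\d+:\s*\d*:\s*(TAG)?\s*((?:[0-9a-fA-F]{2}!?\s*)+)$")

def crc_a(data):
    """ISO/IEC 14443-3 CRC_A: initial value 0x6363, transmitted low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def parse_frames(trace):
    """Return (source, payload, flagged) per trace line; lines without TAG are the reader."""
    frames = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            toks = m.group(2).split()
            data = bytes(int(t.rstrip("!"), 16) for t in toks)
            flagged = any(t.endswith("!") for t in toks)  # assumption: '!' = unreliable byte
            frames.append(("TAG" if m.group(1) else "RDR", data, flagged))
    return frames

def find_selections(frames):
    """Find consecutive tag frames shaped ATQA(2) -> UID+BCC(5) -> SAK+CRC(3) and check them."""
    tag = [d for src, d, flagged in frames if src == "TAG" and not flagged]
    found = []
    for atqa, uid_bcc, sak_crc in zip(tag, tag[1:], tag[2:]):
        if (len(atqa), len(uid_bcc), len(sak_crc)) != (2, 5, 3):
            continue
        uid, bcc = uid_bcc[:4], uid_bcc[4]
        found.append({
            "atqa": atqa.hex(),          # bytes in the order listed in the trace
            "uid": uid.hex(),
            "sak": sak_crc[0],
            "bcc_ok": (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc,
            "crc_ok": crc_a(sak_crc[:1]) == sak_crc[1:],
        })
    return found
```

On the sample lines both checks pass, so the UID and SAK bytes in the trace were captured intact; the lone 02 frame and the reader's 26 frames are parsed but do not form part of a selection run.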


#6 2013-11-26 17:24:35

ProxmarkPoly
Member
Registered: 2013-11-22
Posts: 7

Re: Problem when trying to sniff exchange between MiFare Card and reader

Ok,
btw I have some questions; please tell me if you know the answer, I'll be glad.
1/ What is ETU?
2/ I know that rssi is the intensity of the signal, but why is it 0? Does it mean that the signal is very very weak?

3/ What does
+ 152797:   0: TAG 00!
+ 289126:   0: TAG 02
+ 147123:   0: TAG 01
+ 147462:   0: TAG 05!
+ 147290:   0: TAG 02
+ 441954:   0: TAG 02
+ 441954:   0: TAG 02
mean? Is it a bad exchange? A noisy exchange?

4/ Do you know how to simulate this recorded exchange with the proxmark?

Thanks a lot


#7 2013-11-26 19:25:34

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: Problem when trying to sniff exchange between MiFare Card and reader

1) An elementary time unit (ETU) is the nominal bit duration used in the character frame.
2) Dunno.
3) Probably non-meaningful bad exchanges (need a dev confirmation).
4) You cannot simulate a transaction; you can emulate a tag or a reader, not both at the same time. Using the bytes above you can make the pm3 act as a Mifare card with that UID; if you need to know how to emulate or how to act as a reader, have a look at the pm3 documentation pages (for example here).

Last edited by asper (2013-11-26 19:26:08)


#8 2013-11-26 22:12:11

ProxmarkPoly
Member
Registered: 2013-11-22
Posts: 7

Re: Problem when trying to sniff exchange between MiFare Card and reader

Thanks a lot for all your information.

I want to increase the distance of the proxmark when I'm snooping an exchange between a MiFare card and a reader.
How can I do that?

Is it enough to raise the power supply of the card by using a battery? But what is the maximum voltage? Or maybe there are other solutions?

Thanks for your help
