Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.


#1 2014-03-20 09:48:29

danny
Member
Registered: 2014-03-19
Posts: 3

hf mf sim - what am i doing wrong?

Hello,

First of all, thanks for the great work. I bought the Proxmark and the antennas and want to do some research on RFID. Now I'm stuck at this point:

 
hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 848 2014-03-18 11:33:04
#db# os: svn 850 2014-03-19 09:19:45
#db# FPGA image built on 2014/02/25 at 07:43:59
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

...the connection to my prox is working. It was quite hard to figure out that I first have to use the old flasher with the new bootrom. Maybe it should be mentioned in the docs. Using the Linux client here.

proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
--sector no:00 key type:00 key:ff ff ff ff ff ff

#db# READ SECTOR FINISHED
isOk:01
data:4a f3 c4 7b 06 88 04 00 46 8e 74 92 45 30 08 07
data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

data:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
data:00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff

...reading the blank card is also working. Reading with my HTC ONE and the neat MCT-App gives the same result.

proxmark3> hf mf eclr
proxmark3> hf mf sim h
Usage:  hf mf sim  u <uid (8 hex symbols)> n <numreads> i x
           u    (Optional) UID. If not specified, the UID from emulator memory will be used
           n    (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite
           i    (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted
           x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)
           sample: hf mf sim 0a0a0a0a
proxmark3> hf mf sim u 4af3c47b i
 uid:4a f3 c4 7b , numreads:0, flags:3 (0x03)
Press pm3-button to abort simulation
#db# 4B UID: 4af3c47b

...so simulation is turned on, but reading the antenna with my phone gives no result. No tag detected. I also tried reading with my SCL3711, nfc-list gives no result...

What am I doing wrong? Hints?

Greets,
Danny


#2 2014-03-20 14:44:15

danny
Member
Registered: 2014-03-19
Posts: 3

Re: hf mf sim - what am i doing wrong?

Hmm... now I tried this:

proxmark3> hf 14a sim 1 4af3c47b
Emulating ISO/IEC 14443 type A tag with 4 byte UID (4af3c47b)
#db# Received unknown command (len=1):
#db# 01
#db# Received unknown command (len=1):
#db# 78
#db# Received unknown command (len=1):
#db# 78
#db# Received unknown command (len=1):
#db# 78
#db# Button press
#db# 0 0 e

Reading with my phone did not work, but reading with my SCL3711:

$ sudo nfc-list
nfc-list uses libnfc 1.7.0-rc7
NFC device: SCM Micro / SCL3711-NFC&RW opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): 4a  f3  c4  7b
      SAK (SEL_RES): 08

OK, now I can emulate a tag with a UID. But it should be possible to emulate the sectors of a MIFARE card...


#3 2014-03-20 14:57:25

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: hf mf sim - what am i doing wrong?

Have you tried to flash a different svn revision, r838 for example?


#4 2014-03-20 16:13:45

danny
Member
Registered: 2014-03-19
Posts: 3

Re: hf mf sim - what am i doing wrong?

Hi vivat,

Thanks for your response. Flashed revision 838 as you proposed:

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 848 2014-03-18 11:33:04
#db# os: svn 838 2014-03-20 14:28:07
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

Now, after a few tries, it kind of worked, but only when I switched the switch on the antenna. Now hw tune shows:

# LF antenna:  0.00 V @   125.00 kHz
# LF antenna:  0.00 V @   134.00 kHz
# LF optimal:  0.00 V @ 12000.00 kHz
# HF antenna:  8.51 V @    13.56 MHz
# Your LF antenna is unusable.

proxmark3> hf mf sim 4af3c47b
 uid:4a f3 c4 7b
#db# Started. 7buid=0
#db# Emulator stopped. Tracing: 1  trace length: 225

and reading with nfc-list shows:

$ sudo nfc-list
nfc-list uses libnfc 1.7.0-rc7
NFC device: SCM Micro / SCL3711-NFC&RW opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): e6  84  87  f3
      SAK (SEL_RES): 08

NFC phone is still not reading and the emulated UID is wrong: it shows e6  84  87  f3 but was asked for uid:4a f3 c4 7b

Something is still wrong... is that UID hard-coded?
