Research, development and trades concerning the powerful Proxmark3 device.
Hi,
I needed to sniff a tag without having a PC connected.
If someone is interested, here is what you can do:
WARNING/DISCLAIMER: for this to work, you need to plug the Proxmark3 into an external USB battery and the PC at the same time. I am NOT sure at all if this is a safe thing to do (I'm pretty sure it is not!). By doing this you may break your PC; do it at your own risk.
(I did it on 2 PCs without issue, but I still think this is something risky for the PC).
1/ Get a Y USB cable (I cut one from a 2,5 hard drive and soldered a micro USB connector on one side while keeping the 2 USB connectors on the other side)
2/ I made some quick & dirty changes to the Proxmark code in order to be able to start sniffing by pressing the button (https://github.com/jbfuzier/proxmark3/tree/standalone_sniff)
3/ Plug the Y USB cable into an external battery in order to power the Proxmark3
4/ Press the button for 1 sec, wait for the LED to light up to confirm sniffing is enabled
5/ Sniff..
6/ Press the button to stop sniffing
7/ Plug the other usb connector to a PC
8/ Launch proxmark3 client as usual
9/ hf 14a list
Offline
After playing around with sniffing/snooping, I think I have stumbled upon the following bug:
1/ Sniff some exchange (hf 14a snoop or sniff)
2/ Stop by pressing button
3/ Print the result (hf list 14a) => You see the whole exchange
4/ exit proxmark client
5/ Open proxmark client
6/ hf list 14a => You get a corrupted trace
I have had this issue both on the code from the official repos and from @iceman's repo.
Could someone check if you are having the same issue?
Offline
When you exit the client and then open it, it unpacks the FPGA code on the device side, so yes, the device memory is volatile and will be overwritten by the unpacking of the fpga_mode code. (See piwi's zlib memory saving changes.)
Offline
Are you sure that the FPGA code is reloaded when the client is reopened? I am not cutting power to the device.
From what I can understand in appmain.c, FpgaDownloadAndGo is called when the board is powering up. Then it is just looping, waiting for a command. Am I wrong?
Offline
You are right, once it loops, FpgaDownloadAndGo is not called.
The question is whether the client sends something to the device when shutting down.
The next possible reason would be the "hf list" command, if it clears the mem afterwards.
Offline
hf list does not seem to clear memory afterwards; if you run it twice you still get the result.
I am gonna look into what commands the client is sending on start/exit...
Offline
Hi,
I had the same issue,
so I put in some debug prints and saw that the function BigBuf_free() was called many times after the proxmark client started.
After hours, I just found that the ReadMem() function launched at startup calls FPGA loading, which calls the function BigBuf_free().
I put some comments in appmain.c,
in ReadMem() and in AppMain(void),
recompiled, and done.
Now I can plug in and plug out the pm3 without losing the collected data.
I tested it and it works fine.
See below what I commented out in appmain.c.
It is quite dirty, but it helps when you need to snoop in standalone mode.
pm3 /proxmark3-master/armsrc$ cat appmain.c | grep "//Fpga" -n
293: //FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
295: //FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
1374: //FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
Ben
Offline
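Added example, not part of the thread and not Proxmark3 source: a simplified C model of the failure discussed above, where the FPGA load triggered on client startup frees and reuses the buffer that still holds the sniffed trace. The arena layout, the sizes and every function name here are assumptions standing in for BigBuf_free(), the FPGA load and ReadMem().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumed layout, not Proxmark3 source): one RAM arena holds
   the sniff trace at the bottom and hands out scratch space from the top. */
#define ARENA_SIZE   64
#define SCRATCH_SIZE 62               /* constructed size of the unpack buffer */
static uint8_t arena[ARENA_SIZE];
static size_t trace_len;              /* trace bytes stored at arena[0..trace_len) */
static size_t alloc_hi = ARENA_SIZE;  /* scratch lives in arena[alloc_hi..ARENA_SIZE) */

/* Stand-in for BigBuf_free(): releases scratch, knows nothing about the trace. */
static void arena_free(void) { alloc_hi = ARENA_SIZE; }
static uint8_t *arena_malloc(size_t n) { alloc_hi -= n; return arena + alloc_hi; }

static void trace_log(const uint8_t *data, size_t n) {
    if (n > ARENA_SIZE - trace_len) n = ARENA_SIZE - trace_len;
    memcpy(arena + trace_len, data, n);
    trace_len += n;
}

/* Stand-in for the FPGA load path: free the arena, then unpack into scratch. */
static void fpga_load(void) {
    arena_free();
    memset(arena_malloc(SCRATCH_SIZE), 0xA5, SCRATCH_SIZE);
}

/* Hypothetical startup read handler: reload_fpga=1 models the behaviour
   reported in the thread, 0 models the build with the calls commented out. */
static size_t read_mem(int reload_fpga, uint8_t *out, size_t n) {
    if (reload_fpga) fpga_load();
    if (n > trace_len) n = trace_len;
    memcpy(out, arena, n);
    return n;
}

/* Returns 1 if the trace read after a client restart equals what was sniffed. */
static int trace_survives_restart(int reload_fpga) {
    static const uint8_t sniffed[] = {0x26, 0x04, 0x00, 0x93, 0x20}; /* constructed */
    uint8_t out[sizeof sniffed];
    trace_len = 0; arena_free();
    trace_log(sniffed, sizeof sniffed);
    size_t n = read_mem(reload_fpga, out, sizeof out);
    return n == sizeof sniffed && memcmp(out, sniffed, n) == 0;
}

int main(void) {
    printf("reload: intact=%d, no reload: intact=%d\n",
           trace_survives_restart(1), trace_survives_restart(0));
    return 0;
}
```

In this model the trace length is unchanged after the reload, so the read still returns the expected number of bytes, but part of them is scratch data, which matches the "corrupted trace" symptom rather than an empty one.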