Help with Tag simulation for Low Frequency

Tiberius · 2017-03-03 17:42:53

Hello folks,

I try to understand the tag simulation of the proxmark. As I understand it, to simulate a tag that modulates the field the coil should be short-circuited and open-circuited. But this seems to be the case only for the hf modulation, for the lf frequency it just passes through and says the arm will bit bang it.

// The way that we connect things in low-frequency simulation mode. In this
// case just pass everything through to the ARM, which can bit-bang this
// (because it is so slow).

In the hitag code it is just implemented with LOW(GPIO_SSC_DOUT) and HIGH(GPIO_SSC_DOUT), but with the same configuration of the pins as with simulating a reader. But this can't be right, right? As I see it, the reader simulation should do something different for tag than for reader simulation.

- So how can I simulate a tag with the proxmark?
- Is it possible to simulate and at the same time record adc samples?

Thanks for any help!

Cheers!

iceman · 2017-03-04 12:22:45

Continue with your approach right now, read the source code and try to understand it.
In some code you'll see the twi pins being hijacked direct and we use a timer to know when to turn off/on to generate the wanted signal pattern. Seen here https://github.com/iceman1001/proxmark3 … 931.c#L397

Tiberius · 2017-03-04 18:14:45

Thanks, Iceman, I will continue to go through it. I just think that is the last piece I need to understand to implement all functionality for the EM4170 chip.

But modulating as a tag and acting as a reader are different things, right? Or am I understanding this wrongly and they are really the same thing?

iceman · 2017-03-04 18:46:08

of course its different. If you act reader, you need to send commands and listen.
if you act tag, you need to listen and answer.

impl the protocol, sending in right byteorder, etc etc.. well you get the idea. Same same but different.

And EM4170 has Authentication / crypto to make things harder. Some google later, ok, you are into the MEGAMOS crypto part I see.

I need to read up on that part. Maybe you should start EM4170/MEGAMOS thread under 125khz category.

Tiberius · 2017-03-04 20:11:11

Hi,

You're right, but the thing I want to understand is not specific to the megamos crypto transponder, although that is what I'm working with. I was able to snoop the communication between reader and tag and use that to get a crypto answer from the tag by acting as a reader. But what i want is acting as a transponder.

I see that the order of receiving and sending commands is different for reader and tag. My question was more about the physical side.

A reader builds up a field and drops it to modulate a message. A tag opens and closes its circuit coil.That should also be two different commands for the proxmark. But when I compare simulating a reader and a tag, I find the same pin configuration and the same HIGH and LOW commands.

That is, what confuses me. Maybe there is a subtle difference I am yet missing.

marshmellow · 2017-03-07 03:21:18

The difference, I believe, is in the FPGA modes selected. The simulation code leaves part of the antenna on so it can continue to receive the reader clock and responds in sync with it. (At least that is how the simple sims work, not looking at the hitag code.)

Reader modes rely on the pm3s own clock for timing and turns on the reader field solid to receive.

The circuit coil in the pm3s case when acting as a tag is the antenna, so you will be flipping some of the same wires

Tiberius · 2017-03-22 12:45:59

Hi,

thanks you two!

I figured out what confused me (with the help of someone). In the hitag-Simulation code the FPGA is still in reader mode, where its own field is on. I didn't understand how it could reliably simulate a passive tag, with its own field on. That would take timing on the 125kHz level and I didn't find clocks for that.

FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
	FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
	RELAY_OFF();

Now I think this is just a copy paste error and the reader field should just be turned of, similarly to the sim function in the general lf routines (lfops.c).

FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
	AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
	AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
	AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;

According to the git history, Iceman changed the line in the hitag code at some point.

Iceman, can you confirm, whether this was a copy-paste mistake, or whether I still got it wrong?

Cheers
Tiberius

iceman · 2017-03-22 13:00:09

Let me look into it. Is it PM3 Master or iceman fork we are talking about? And which file (hitag2.c or hitags.c) / method?

Tiberius · 2017-03-23 21:34:57

@Iceman: It is in both (s and 2), . It is the regular PM3 master branch.
Method:

void SimulateHitagTag(bool tag_mem_supplied, byte_t* data)

iceman · 2017-03-24 03:19:27

ok. I'vent looked into Hitag source code that much.

iceman · 2017-03-24 21:36:07

That sure looks like a cut & paste error. And according to "git blame" it me... Mea culpa.
I've removed the offending reader_field option. Great pointing it out!

Proxmark3 community

Announcement

#1 2017-03-03 17:42:53

Help with Tag simulation for Low Frequency

#2 2017-03-04 12:22:45

Re: Help with Tag simulation for Low Frequency

#3 2017-03-04 18:14:45

Re: Help with Tag simulation for Low Frequency

#4 2017-03-04 18:46:08

Re: Help with Tag simulation for Low Frequency

#5 2017-03-04 20:11:11

Re: Help with Tag simulation for Low Frequency

#6 2017-03-07 03:21:18

Re: Help with Tag simulation for Low Frequency

#7 2017-03-22 12:45:59

Re: Help with Tag simulation for Low Frequency

#8 2017-03-22 13:00:09

Re: Help with Tag simulation for Low Frequency

#9 2017-03-23 21:34:57

Re: Help with Tag simulation for Low Frequency

#10 2017-03-24 03:19:27

Re: Help with Tag simulation for Low Frequency

#11 2017-03-24 21:36:07

Re: Help with Tag simulation for Low Frequency

Board footer