Research, development and trades concerning the powerful Proxmark3 device.
Hi,
I am trying to simulate an HID card after reading its ID:
proxmark3> lf hid fskdemod 1
proxmark3>
proxmark3> #db# TAG ID: 20065a92b6 (18779) - Format Len: 26bit - FC: 45 - Card: 18779
proxmark3> #db# Stopped
Then I simulated it using the following command:
proxmark3> lf hid sim 20065a92b6
Emulating tag with ID 20 65a92b6
Press pm3-button to abort simulation
proxmark3>
LED A is green and LED D is blue.
I disconnected the Proxmark after connecting an external power source to it and tried to use it with the reader, but it didn't work. Any help?
I wonder if the Proxmark emulated the wrong ID "20 65a92b6".
The following is the version:
Prox/RFID mark3 RFID instrument
bootrom: iceman/master/v1.1.0-2051-ge82496ca 2017-06-17 15:11:42
os: iceman/master/v1.1.0-2051-ge82496ca 2017-06-17 15:11:47
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 216650 bytes (83%). Free: 45494 bytes (17%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Do you have the same problem if you use the official version instead of Iceman's?
Thanks for your reply.
Yes, it is the same with the official version as well. But the main reason I changed to Iceman's fork instead of the official one is that the hw tune command doesn't work there, while in Iceman's copy it works fine:
Prox/RFID mark3 RFID instrument
bootrom: master/v2.2.0-528-g2a7861e-suspect 2017-06-27 09:17:15
os: master/v2.2.0-528-g2a7861e-suspect 2017-06-27 09:17:19
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 192561 bytes (73%). Free: 69583 bytes (27%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> lf hid sim 20065a92b6
Emulating tag with ID 20 65a92b6
Press pm3-button to abort simulation
proxmark3>
proxmark3> #db# Stopped
proxmark3> hw tune
Measuring antenna characteristics, please wait...
# LF antenna: 0.00 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 0.00 V @ 13.56 MHz
# Your LF antenna is unusable.
# Your HF antenna is unusable.
proxmark3>
Thanks.
```
# Your LF antenna is unusable.
# Your HF antenna is unusable.
```
I've faced the same when I flashed the image from official but used the client from Iceman, and vice versa.
Please try to use a client and firmware built from one source.
```
i disconnected the PROXMARK after connecting external power source to it and tried to use it with the reader but it didn't work
```
I tried to simulate HID yesterday on the latest official build - no reaction from my office's wall-mounted reader.
Weak antenna?
How does the pm3 emulate from a hardware perspective? Maybe it is emitting too little power? Our readers could even see my tiny NFC ring with a very small antenna.
Check your antenna cable?
```
check your antenna cable?
```
Yeap, classic. "One old sysadmin always told me - check cables first."
I'm personally using the /pm3 v3 easy/ from China - the LF antenna is attached to the board with screws, no cables at all.
Like this one https://images-na.ssl-images-amazon.com/images/I/51ojySkuwlL.jpg
Just now I played around the HID reader rotating the antenna - no luck :(
Will do some experiments today.
Last edited by eug33ne (2017-07-28 21:02:08)
Well, the pm3 detects the reader's field:
proxmark3> #db# LF 125/134kHz Field Change: 10862mV
proxmark3> #db# LF 125/134kHz Field Change: 1375mV
proxmark3> #db# LF 125/134kHz Field Change: 4537mV
proxmark3> #db# LF 125/134kHz Field Change: 16087mV
proxmark3> #db# LF 125/134kHz Field Change: 3162mV
And so on.
Tune:
Measuring antenna characteristics, please wait.........
# LF antenna: 25.16 V @ 125.00 kHz
# LF antenna: 16.77 V @ 134.00 kHz
# LF optimal: 28.88 V @ 120.00 kHz
# HF antenna: 21.27 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
But the reader doesn't react to:
proxmark3> lf hid sim <tagID>
(LED A stays ON while emulating, LED D blinks near the reader, but no reaction from the reader.)
I just can't believe that this little buddy http://www.jakcom.com/ins/R3/JAKCOM_R3.files/image002.jpg has more induced power or clearer modulation than an FPGA-driven Proxmark with a several-times-bigger antenna.
Looks like your antenna is no longer "unusable", which is good.
Are you using the sim command correctly? Using the raw output from lf search?
Thanks for your reply, Iceman. The topic starter had troubles with the antenna - mine was good )
Not sure about *raw* output. I've used
proxmark3> lf search
lf search
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
HID Prox TAG ID: 2004fc614e (12455) - Format Len: 26bit - FC: 126 - Card: 12455
Valid HID Prox ID Found!
Then
lf hid sim 2004fc614e
Btw, "lf hid clone 2004fc614e" works perfectly.
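The raw IDs in this thread (20065a92b6 = FC 45 / card 18779, 2004fc614e = FC 126 / card 12455) are the Proxmark client's view of an HID 26-bit (H10301) card, and checking that the raw value you feed to lf hid sim actually decodes to the FC and card number the reader expects is a cheap sanity step before blaming the antenna or the firmware. The decoder/encoder below is an added example, not Proxmark3 code; it assumes, from the two raw IDs posted above, that the 26 Wiegand bits occupy the low 26 bits, that bit 26 is set as a length marker, and that the 0x20 in the top byte is the fixed prefix for the 26-bit format. The Wiegand-26 layout itself (even parity over the first 12 data bits, 8-bit facility code, 16-bit card number, odd parity over the last 12 data bits) is the standard H10301 definition.

```c
/* HID 26-bit (H10301) decoder/encoder for raw IDs in the form the
 * Proxmark3 client prints in this thread. Added example, not Proxmark3
 * code. Assumption (derived from 20065a92b6 and 2004fc614e above):
 * raw = 0x2000000000 (format prefix) | 1<<26 (length marker) | wiegand26 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define HID26_PREFIX  ((uint64_t)0x20 << 32)      /* 0x2000000000, assumed */
#define HID26_MARKER  ((uint64_t)1 << 26)         /* assumed length marker */
#define HID26_MASK    (((uint64_t)1 << 26) - 1)   /* the 26 Wiegand bits   */

struct hid26 {
    unsigned fc;      /* facility code, bits 24..17 */
    unsigned card;    /* card number, bits 16..1    */
    bool parity_ok;   /* both Wiegand parity bits verify */
    bool format_ok;   /* prefix and marker match a 26-bit card */
};

static unsigned popcount32(uint32_t v)
{
    unsigned n = 0;
    for (; v; v &= v - 1) n++;
    return n;
}

/* Split a raw ID into FC / card and verify the leading even parity
 * (bit 25 over bits 24..13) and trailing odd parity (bit 0 over 12..1). */
struct hid26 hid26_decode(uint64_t raw)
{
    struct hid26 r;
    uint32_t w = (uint32_t)(raw & HID26_MASK);
    r.format_ok = (raw & ~HID26_MASK) == (HID26_PREFIX | HID26_MARKER);
    r.fc   = (w >> 17) & 0xff;
    r.card = (w >> 1) & 0xffff;
    unsigned ep = (w >> 25) & 1, op = w & 1;
    bool even_ok = (popcount32((w >> 13) & 0xfff) & 1) == ep;
    bool odd_ok  = (popcount32((w >> 1)  & 0xfff) & 1) != op;
    r.parity_ok = even_ok && odd_ok;
    return r;
}

/* Build the raw ID for an FC / card pair, computing both parity bits,
 * in the form lf hid sim / lf hid clone take on the command line. */
uint64_t hid26_encode(unsigned fc, unsigned card)
{
    uint32_t w  = ((fc & 0xff) << 17) | ((card & 0xffff) << 1);
    uint32_t ep = popcount32((w >> 13) & 0xfff) & 1;         /* even parity */
    uint32_t op = (popcount32((w >> 1) & 0xfff) & 1) ^ 1;    /* odd parity  */
    w |= (ep << 25) | op;
    return HID26_PREFIX | HID26_MARKER | w;
}

int main(void)
{
    const uint64_t samples[] = { 0x20065a92b6ULL, 0x2004fc614eULL }; /* from the thread */
    for (int i = 0; i < 2; i++) {
        struct hid26 d = hid26_decode(samples[i]);
        printf("%010llx -> FC %u card %u parity %s format %s, re-encoded %010llx\n",
               (unsigned long long)samples[i], d.fc, d.card,
               d.parity_ok ? "ok" : "BAD", d.format_ok ? "ok" : "BAD",
               (unsigned long long)hid26_encode(d.fc, d.card));
    }
    return 0;
}
```

Both sample IDs round-trip through hid26_encode unchanged, which is the check to run on any raw ID before handing it to lf hid sim: if decode reports a parity or format mismatch, the reader will reject the frame no matter how good the antenna is.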
Sorry, missed that little info.
OK, I see that the source doesn't have the correct fix in the Iceman fork. Official PM3 master should have worked.
https://github.com/iceman1001/proxmark3 … f93417c517
```
Sorry, missed that little info.
OK, I see that the source doesn't have the correct fix in the Iceman fork. Official PM3 master should have worked.
https://github.com/iceman1001/proxmark3 … f93417c517
```
Hm, that's the issue:
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-62-g6f7a0f7-dirty-suspect 2017-07-27 18:18:30
os: master/v3.0.1-63-g8cf533f-suspect 2017-07-27 19:28:56
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
from official git. I see the code from your fork and official/master is slightly different for armsrc/lfops.c @SimulateTagLowFrequency().
Will try to go deeper into the difference.
I got the hid sim to work with two pm3s, running the Iceman fork with the fix.
Will need some testing with the official pm3 master to see what's up.
[edit] Yep, sneaky old problem.
Well, I've tried the last build from Iceman, the latest official and marshmellow builds - the results are the same.
The HID reader doesn't respond to simulation via lf hid sim.
Not even to lf simfsk with various clockings from the demodbuff.
OMG! Just for lolz I flashed back the old 'stock' firmware from an unknown source (marked as 2.0.0) that came with my pm3:
#db# bootrom: /-suspect 2015-05-24 09:54:53
#db# os: /-suspect 2015-05-24 09:56:23
#db# LF FPGA image built on 2015/03/06 at 07:38:04
and LF simulation surprisingly managed to work.
Did some digging in the blame and history of lfops.c; it seems like it was
https://github.com/Proxmark/proxmark3/commit/83f3f8ac40b47e220954e620a5ecbe41f54f4dc7
that might have broken sim.
I'm afraid usb_poll_validate_length() in the loops waiting until SSC_CLK goes HIGH or LOW induces some delays that break the modulation timings:
if(BUTTON_PRESS() || (usb_poll_validate_length() )) {
Long story short - I recompiled the latest Iceman code excluding usb_poll_validate_length() from that "if" - LF simulation is working now. Hm.
Need review from wise comrades.
I don't have a real reader to test and report back, but LF HID simulation working again is very good news.
Hope this finding will be confirmed soon by Marshmellow, iceman, piwi, Holiman, app-01 etc. and by other testers against a real reader.
Yeah, I'm going to perform some additional testing to keep the USB loop-break ability and will wrap my thoughts into a git PR for review.
Add a counter and only check button/usb poll every 1000th iteration.
It is interesting that I can get it to work as is on my pm3, but I agree it is not very consistent.
Adding my suggestion above makes it more consistent with my pm3.
I also noticed there is a bug somewhere that makes the first attempt to sim always fail but the second attempt works.
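The suggestion above (poll the button and USB only every 1000th spin of the wait loops instead of on every edge) is easy to model off the device. The block below is an added example, not Proxmark3 firmware: it keeps the shape of the SimulateTagLowFrequency() loop quoted in this thread (wait for SSC_CLK high, drive one bit, wait for SSC_CLK low), but replaces GPIO_SSC_CLK with a constructed square-wave sample array and BUTTON_PRESS() || usb_poll_validate_length() with a counter, so that the number of abort checks per emitted bit can be compared between the master behaviour (throttle 1) and the proposed fix (throttle 1000).

```c
/* Host-side model of the LF simulation loop in armsrc/lfops.c with the
 * abort check throttled to every Nth spin of the wait loops. Added
 * example, not Proxmark3 firmware: the clock pin is a scripted sample
 * array and the abort check only counts how often it was called. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

struct mock_hw {
    const uint8_t *clk;   /* scripted 0/1 samples standing in for SSC_CLK */
    size_t nclk, pos;
    unsigned polls;       /* times the (expensive) abort check ran */
    unsigned bits;        /* bits driven onto the mock modulation pin */
    uint8_t out;
};

/* Next clock sample; -1 once the script is exhausted (reader field gone). */
static int clk_read(struct mock_hw *hw)
{
    return hw->pos < hw->nclk ? hw->clk[hw->pos++] : -1;
}

/* Stand-in for BUTTON_PRESS() || usb_poll_validate_length(): never aborts,
 * only counts, so the cost of polling is visible in the result. */
static bool abort_requested(struct mock_hw *hw)
{
    hw->polls++;
    return false;
}

/* One output bit per clock cycle, as in the firmware loop. throttle == 1
 * polls on every spin (master behaviour); a large throttle is the fix
 * proposed in the thread. Returns the number of bits emitted. */
unsigned simulate_lf(struct mock_hw *hw, const uint8_t *buf, size_t period,
                     unsigned throttle)
{
    size_t i = 0;
    unsigned spins = 0;
    int c;
    for (;;) {
        /* wait until SSC_CLK goes HIGH */
        while ((c = clk_read(hw)) == 0)
            if (++spins % throttle == 0 && abort_requested(hw)) return hw->bits;
        if (c < 0) return hw->bits;
        hw->out = buf[i];                 /* drive the next simulation bit */
        hw->bits++;
        if (++i >= period) i = 0;
        /* wait until SSC_CLK goes LOW */
        while ((c = clk_read(hw)) == 1)
            if (++spins % throttle == 0 && abort_requested(hw)) return hw->bits;
        if (c < 0) return hw->bits;
    }
}

/* Run the loop against a constructed clock of nsamples samples
 * (two low, two high, ...) and return bits emitted; polls via *polls. */
unsigned run_sim(size_t nsamples, unsigned throttle, unsigned *polls)
{
    static const uint8_t pattern[] = {1, 0, 1, 1, 0, 0, 1, 0}; /* constructed */
    uint8_t *clk = malloc(nsamples);
    for (size_t k = 0; k < nsamples; k++) clk[k] = (k / 2) & 1;
    struct mock_hw hw = { clk, nsamples, 0, 0, 0, 0 };
    unsigned bits = simulate_lf(&hw, pattern, sizeof pattern, throttle);
    *polls = hw.polls;
    free(clk);
    return bits;
}

unsigned bits_for(size_t nsamples, unsigned throttle)
{
    unsigned p;
    return run_sim(nsamples, throttle, &p);
}

unsigned polls_for(size_t nsamples, unsigned throttle)
{
    unsigned p;
    run_sim(nsamples, throttle, &p);
    return p;
}

int main(void)
{
    printf("poll every spin:   %u bits, %u abort checks\n", bits_for(4000, 1), polls_for(4000, 1));
    printf("poll every 1000th: %u bits, %u abort checks\n", bits_for(4000, 1000), polls_for(4000, 1000));
    return 0;
}
```

With 4000 clock samples both variants emit the same 1000 bits, but the master-style loop calls the abort check 2001 times while the throttled loop calls it twice; on the real AT91SAM7S each of those calls sits between a clock edge and the moment the modulation pin is driven, which is the delay the thread suspects of breaking the FSK timing.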
// set LF so we don't kill the bigbuf we are setting with simulation data.
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
needs to be added to cure the bug that makes the first attempt fail (for each LF simulation).
see https://github.com/Proxmark/proxmark3/pull/369
and let me know if it fixes your issues.
```
...
I also noticed there is a bug somewhere that makes the first attempt to sim always fail but the second attempt works.
```
I've also noticed this bug.
But from my point of view, after some debugging, I've found out that the conditions are not used correctly in the "while" loops.
"// wait until SSC_CLK goes HIGH"
is really
while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
, not inverted,
and the condition "//wait until SSC_CLK goes LOW" is really
while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
, really inverted!
So, following the code that is now in master:
when there is no external reader, the first run of the "for" loop skips the first "while(!(...))", emits 1 bit from buf, jumps into the second "while(..)" and waits for the reader field there. That is not OK btw. (Or do I misunderstand the states of GPIO_SSC_CLK when exposed to an external field or not?)
I would suggest inverting the conditions in the while loops vice versa.
Sorry for the messy explanation)
Last edited by eug33ne (2017-08-02 23:51:48)
I believe you are reading the intent of it wrong... Wait until high. So loop while low...
We don't want to wait while it is high (on the first one).
That's the point, Marshmellow.
"Wait until high. So loop while low"
So, from my experiments, the "loop while low" condition is in effect while (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) is true,
not the !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) as now in the code.
As I've mentioned, I tested with no reader field:
//from the current master:
for(;;)
while(!(...))
...
//emit 1 bit
...
while(...) // <-- loop stops here waiting for the field
but it seems more correct to stop waiting for the field in the 1st while.
That's why I propose to invert the conditions.
Looks like (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) is actually 1 with NO field and 0 under the reader's field.
Last edited by eug33ne (2017-08-03 14:15:34)
It is not saying the reader field is high, just the value we are reading is high (1 vs 0). Reversing it might require a change in the open/short logic (it may result in an inverted signal back to the reader, which some modulations won't care about, but others will).
The sim code isn't currently designed to wait for a reader field before it begins modulating; it assumes one is there and attempts to start modulating. If no field is present then yes, it will hang up in the lower while loop. I suppose adding that check could be an improvement, but with minimal effect, as the simulation data just repeats itself.
...I doubt the simulation is active; with active I mean in the sense that we are powering the antenna.
The simulation should draw power from the presented reader field. Hence the idea that we shouldn't start sending the simulated signal until the reader field is present. Still dark magic as to what is used for detection.
Is GPIO_SSC_CLOCK set (HIGH/1) when there is a reader field?
Or is GPIO_SSC_CLOCK unset (LOW/0) when there is a reader field?
That would be nice to know....
Maybe we should have active simulation, to enhance reading distance? Or do we have active simulation already?
Continued here: https://github.com/Proxmark/proxmark3/pull/369
I am a novice...
I just bought a Jakcom R3 Ring.
Based on the instructions online I bought an ACS ACR122U-A9 that they reference online.
I can not seem to figure out the step-by-step instructions to program the information from my HID Proximity Card onto my Jakcom R3 Ring.
I am MORE THAN happy to pay someone who can help me get this done.
-Adam
@asmwildcat, your post appears to be off topic and a bit of a thread hijack; please start your own topic for assistance.
Maybe I am missing something, but I am not seeing where to start a NEW thread. But this is my same issue. I am trying to figure out a way to program my Jakcom ring using the information from my HID Proximity Card with the ACS ACR1122U-A9 programmer.
Open a category like "125 kHz Low Frequency", then click "post new topic" on the right... and believe it or not, pm3 simulation of HID Prox chips has nothing to do with a Jakcom ring...