Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2018-07-01 01:35:12

doggyhatman
Contributor
Registered: 2018-06-29
Posts: 4

LF HID BruteForce on Iceman Fork, Unexpected Results

Hey everyone!

This is my first post, outside of my introduction post. I've tried to include as much information as I could to demonstrate the issue I am having (or user-error!).  Please let me know if you feel adding any additional information might be helpful to resolve the issue.

I've been using Iceman's fork and absolutely loving all of the great features it introduces compared to the stock PM3 firmware. I am struggling a bit though on one particular feature...and that's the LF HID Brute function. I can't seem to get it working properly.

First of all, I *was* running the following Iceman Fork version on a PM3 purchased from Ryscc:
_____
[ ARM ]
bootrom: iceman// 2018-05-19 14:40:47
      os: iceman// 2018-05-19 14:40:49
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16
         
[ Hardware ]           
  --= uC: AT91SAM7S256 Rev C         
  --= Embedded Processor: ARM7TDMI         
  --= Nonvolatile Program Memory Size: 256K bytes, Used: 239046 bytes (91) Free: 23098 bytes ( 9)         

_____




Then when that wasn't working, I upgraded to the latest version available (from what I could tell), as seen below:
____


[ ARM ]
bootrom: iceman// 2018-06-30 19:55:19
      os: iceman// 2018-06-30 19:55:22
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

____



Now to get to the good stuff...


When I read an LF HID card, I get the following (Everything Looks good here to me):
pm3 --> lf hid read
HID Prox TAG ID: 2a0315c6df (58223) - Format Len: 35bit - FC: 24 - Card: 713583 



When I try to Brute-Force the keyspace for the LF HID card, this is the command that I am using (with and without specifying the optional card number parameter):

COMMAND EXAMPLE 1:
pm3 --> lf hid brute a 35 f 24 c 713583 v
Brute-forcing HID reader         
Press pm3-button to abort simulation or run another command         
Trying FC: 24; CN: 58223         
Trying FC: 24; CN: 58222         
Trying FC: 24; CN: 58224   


COMMAND EXAMPLE 2:
pm3 --> lf hid brute a 35 f 24 v
Brute-forcing HID reader         
Press pm3-button to abort simulation or run another command         
Trying FC: 24; CN: 0         
Trying FC: 24; CN: 1         
Trying FC: 24; CN: 2


COMMAND EXAMPLE 3:
pm3 --> lf hid brute a 35 f 24 c 58223 v
Brute-forcing HID reader         
Press pm3-button to abort simulation or run another command         
Trying FC: 24; CN: 58223         
Trying FC: 24; CN: 58222         
Trying FC: 24; CN: 58224   



From what I can tell, the terminal output appears accurate when using the verbose flag, but when I validate this with an exterior reader (separate from the Proxmark, MaxiProx 5375), the exterior reader continually displays only 00:00:00:00:00, over and over again. hmm


For additional reference, when I'm using the 'lf hid sim' command set... I am able to properly simulate any tag I wish with ease, which can be confirmed by my exterior reader as being read properly.
pm3 --> lf hid sim 2a0315c6df
Emulating tag with ID 2a0315c6df 


Is there something that I am blatantly missing here? Any insight that anyone could provide would be greatly appreciated.


In the meantime, I've written a very sloppy script that essentially runs the 'lf hid sim' command for one second, halts it, then runs the 'lf hid sim' command again with the next card number in the series as a quick and dirty workaround since I am having issues with the brute force functionality.


Thank you very much!

Last edited by doggyhatman (2018-07-01 02:09:17)

Offline

#2 2018-07-01 08:12:05

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: LF HID BruteForce on Iceman Fork, Unexpected Results

First of all,  I'm glad you enjoy it.  Secondly,  no you didn't miss something. It's just iceman fork is having a remake when it comes to LF and its a work-in-progress. Meanwhile this remake is making LF support unstable.

Offline

#3 2018-07-01 16:19:04

doggyhatman
Contributor
Registered: 2018-06-29
Posts: 4

Re: LF HID BruteForce on Iceman Fork, Unexpected Results

Iceman, thanks for your reply. It's much appreciated.


In this case, I have a few follow-up questions for you:

- Do you have a possible ETA for stable LF support? (days, weeks, months?)

- If the ETA is unknown (or too far out), would you have a recommendation on the latest firmware you released that included stable LF support? If I don't lose too much in the way of other features/card types or stability, I might just downgrade to last stable version. Any idea what that version might be?


Thanks again!

Offline

#4 2018-07-01 19:17:50

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: LF HID BruteForce on Iceman Fork, Unexpected Results

The usual recommendation is to try out the latest source from official pm3 repo.

The last stable version of iceman fork is the release v3.1.0 "minor Sweet Lemon"  https://github.com/iceman1001/proxmark3/releases

Offline

#5 2018-07-03 17:41:08

doggyhatman
Contributor
Registered: 2018-06-29
Posts: 4

Re: LF HID BruteForce on Iceman Fork, Unexpected Results

Iceman,

Thanks for your reply and recommendation.

While I believe I was able to successfully flash the latest stable release (3.1.0 - minor Sweet Lemon), it appears that I still receive the same results as my original post in regards to the external MaxiProx reader only reading 00:00:00:00:00.  hmm

My HW Version looks like this now after the flash:
____
[ ARM ]
bootrom: iceman/master/ice_v3.1.0-899-g35b7989b 2018-07-03 11:04:53
      os: iceman/master/ice_v3.1.0-899-g35b7989b 2018-07-03 11:04:57
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2017/11/10 at 19:24:16
         
[ Hardware ]           
  --= uC: AT91SAM7S256 Rev C         
  --= Embedded Processor: ARM7TDMI         
  --= Nonvolatile Program Memory Size: 256K bytes, Used: 241672 bytes (92) Free: 20472 bytes ( 8)         
  --= Second Nonvolatile Program Memory Size: None         
  --= Internal SRAM Size: 64K bytes         
  --= Architecture Identifier: AT91SAM7Sxx Series         
  --= Nonvolatile Program Memory Type: Embedded Flash Memory         
____

In my testing, it appears that the LF HID Brute function in v3.1.0 is still not quite functional, while the LF HID SIM command provides the expected results.

I believe I read that the FPGA is included with FullImage now. Forgive my ultra-noobness here if I am mistaken, but do you think I might still be encountering difficulties due to the FPGA version? If your latest stable Iceman fork is from September 2017, I'm not sure how my FPGA version could show October 2017 if it is included with FullImage. Is that something that I need to/should be flashing separately in this case?

Short of jumping back even further to some 2.x firmware, I'm curious if you have any other recommendations to get an iceman flash on my board with the LF HID BRUTE functionality operational? Or if you have an ETA on when the LF Remake in the newest versions will be completed. I don't mind waiting around for it if it is going to drop sometime this year. smile

Thanks Iceman!

Offline

Board footer

Powered by FluxBB