For those who are interested in snooping ISO15693 traffic (and are planning to go skiing): the commands hf 15 snoop and hf list 15 are now available with the latest client and firmware from the official repository.
Hello.
I see strange behavior with the "hf 15 snoop" command: first, the return is zero, but what is strange is that the green and the yellow LEDs are off all the time!
The tag is:
proxmark3> hf searc
UID: E00401006AC6BB4F
Manufacturer byte: 04, NXP Semiconductors Germany
Chip ID: 01, IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)
Valid ISO15693 Tag Found - Quiting Search
If I give "hf iclass snoop", the green LED turns on, and after reading the card with my phone, the yellow LED is on. After the pm3 button is pressed, the LEDs are off and the "hf list iclass" command returns only something (UID and some blocks) from the TAG and nothing from the reader (Xperia X phone):
proxmark3> hf list iclass
Recorded Activity (TraceLen = 150 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------|------------|-----|---------------------------------------------------------------|-----|------------
0 | 208 | Tag | bb 33 bb 00 00 00 02 bb | ok |
137280 | 137488 | Tag | bb d4 bb 00 01 04 04 bb | ok |
-257968 | -257824 | Tag | 00 00 4f bb c6 6a 00 01 04 e0 ce b9 | ok |
61904 | 62048 | Tag | 00 0f 4f bb c6 6a 00 01 04 e0 00 00 1b 03 01 71 | |
| | | 75 | ok |
-582528 | -582368 | Tag | 00 80 81 82 83 c6 bd | ok |
-305248 | -305104 | Tag | 00 00 4f bb c6 6a 00 01 04 e0 ce b9 | ok |
-764816 | -764672 | Tag | 00 0f 4f bb c6 6a 00 01 04 e0 00 00 1b 03 01 71 | |
| | | 75 | ok |
proxmark3>
I have:
D:\Proxmark3\DOC Proxmark\official-64-20190304-1338d245c2ff5930a059d3d1fdea93a535fe6e61\win64>proxmark3 COM11
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-70-g1338d24-suspect 2019-03-04 13:25:10
os: master/v3.1.0-70-g1338d24-suspect 2019-03-04 13:25:13
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/02/15 at 20:40:32
SmartCard Slot: not available
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 205228 bytes (78%). Free: 56916 bytes (22%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 18.56 V @ 125.00 kHz
# LF antenna: 21.31 V @ 134.00 kHz
# LF optimal: 21.17 V @ 130.43 kHz
# HF antenna: 23.89 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Well, this is not too strange. Obviously you have trouble picking up the reader signal. And 'hf 15 snoop' waits for a reader command before it even starts recording a trace...
'hf iclass snoop' on the other hand could need some improvements (friendly speaking). The patterns 'bb xx bb xx xx xx xx bb' indicate errors during tag answer decoding.
Can you successfully simulate a tag ('hf 15 sim E00401006AC6BB4F')? Of course this would require picking up the reader signal as well, but it is usually easier than snooping.
Hello, I have used the "M24LR Discovery Kit" with a CR95HF chip as a reader and everything works like a charm:
proxmark3> hf 15 snoop
#db# Snoop started. Press button to stop.
#db# Snoop stopped.
#db# Snoop statistics:
#db# ExpectTagAnswer: 0
#db# DecodeTag State: 0
#db# DecodeTag byteCnt: 12
#db# DecodeReader State: 0
#db# DecodeReader byteCnt: 5
#db# Trace length: 216
proxmark3> hf list 15
Recorded Activity (TraceLen = 216 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr | 26 01 00 f6 0a | ok | INVENTORY
889 | 889 | Tag | 00 00 4f bb c6 6a 00 01 04 e0 ce b9 | ok |
322476 | 322476 | Rdr | 26 01 00 f6 0a | ok | INVENTORY
323365 | 323365 | Tag | 00 00 4f bb c6 6a 00 01 04 e0 ce b9 | ok |
586474 | 586474 | Rdr | 26 01 00 f6 0a | ok | INVENTORY
587363 | 587363 | Tag | 00 00 4f bb c6 6a 00 01 04 e0 ce b9 | ok |
809793 | 809793 | Rdr | 26 01 00 f6 0a | ok | INVENTORY
810682 | 810682 | Tag | 00 00 4f bb c6 6a 00 01 04 e0 ce b9 | ok |
1089470 | 1089470 | Rdr | 26 01 00 f6 0a | ok | INVENTORY
1090359 | 1090359 | Tag | 00 00 4f bb c6 6a 00 01 04 e0 ce b9 | ok |
1479748 | 1479748 | Rdr | 26 01 00 f6 0a | ok | INVENTORY
1480637 | 1480637 | Tag | 00 00 4f bb c6 6a 00 01 04 e0 ce b9 | ok |
proxmark3>
I am interested in some LED light feedback from the PM3 board. I have noticed the following behavior in "hf 15 snoop":
- command sent from the reader to the tag and no tag found -- then the YELLOW LED lights up briefly;
- command sent from the reader to the tag and valid answer from the tag -- then the RED & YELLOW LEDs light up briefly;
Is there any way to extend the LED light feedback even more, as in "hf 14a snoop", where the behavior is like this:
- launching the snoop command lights the GREEN LED (which remains lit until the button is pressed);
- command sent from the reader to the tag and no valid tag found -- then the RED LED lights up (and remains lit until the button is pressed or a valid tag is found);
- command sent from the reader to the tag and valid tag found -- then the YELLOW LED lights up (and remains lit until the button is pressed or no valid tag is found);
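Added example, not part of the original thread and not Proxmark3 client code: the reader and tag frames from the "hf list 15" trace above, CRC-checked and decoded in Python. It shows why the UID E00401006AC6BB4F reported by hf search appears byte-reversed in the trace, and how a CRC failure marks a frame that was not picked up cleanly. The function and field names are this example's own, and the damaged frame is constructed.

```python
# Added example: decode ISO 15693 frames as printed by "hf list 15".
# Function and field names are this example's own, not Proxmark3 client code.

def crc15693(data: bytes) -> bytes:
    """CRC-16 per ISO/IEC 13239 (reflected poly 0x8408, init 0xFFFF,
    result inverted), returned in transmission order: low byte first."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    crc ^= 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def decode_frame(src: str, hexdata: str) -> dict:
    raw = bytes.fromhex(hexdata)
    if len(raw) < 3:
        return {"src": src, "crc_ok": False, "error": "frame too short"}
    body, crc = raw[:-2], raw[-2:]
    out = {"src": src, "crc_ok": crc15693(body) == crc, "flags": body[0]}
    if not out["crc_ok"]:
        return out  # do not interpret the fields of a damaged frame
    if src == "Rdr":
        out["inventory"] = bool(body[0] & 0x04)    # Inventory_flag
        out["high_rate"] = bool(body[0] & 0x02)    # Data_rate_flag
        out["command"] = body[1] if len(body) > 1 else None
        if out["inventory"] and len(body) >= 3:
            out["one_slot"] = bool(body[0] & 0x20)  # Nb_slots_flag
            out["mask_len"] = body[2]
    elif body[0] & 0x01:                           # Error_flag set by the tag
        out["error_code"] = body[1] if len(body) > 1 else None
    elif len(body) == 10:                          # inventory response
        out["dsfid"] = body[1]
        out["uid"] = body[2:10][::-1].hex().upper()  # UID is sent LSB first
    return out

# Frames copied from the "hf list 15" trace above.
TRACE = [("Rdr", "26 01 00 f6 0a"),
         ("Tag", "00 00 4f bb c6 6a 00 01 04 e0 ce b9")]
# Constructed: the tag frame with one bit flipped, as a badly coupled snoop might record it.
DAMAGED = ("Tag", "00 00 4f bb c6 6a 00 01 04 e1 ce b9")

if __name__ == "__main__":
    for src, data in TRACE + [DAMAGED]:
        print(decode_frame(src, data))
```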
Thanks for noticing the inconsistent LED handling. Indeed every function may use the LEDs differently. I have submitted a Pull Request to the GitHub repository to adjust hf 15 snoop and hf 14a snoop to what I think is the most common LED signalling:
LED A (yellow): PM3 is active (snooping)
LED B (green): reader is sending a command
LED C (red): tag is sending a response
LED D (red): PM3 is emitting an HF field (not relevant for snooping)
Colours are for the original PM3 board only. For whatever reason on newer boards all LEDs are the same colour.
The Pull Request has been merged and LED signalling should now be more consistent.