Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
I've changed the way 'list' works, previously it was two very large and very similar functions within iclass and iso1443, now it's instead a more generic function in 'hf'.
So, 'hf list 14a' and 'hf list iclass' are the new replacements. In addition, I added a 'annotation' column, so the user can more easily understand what commands are sent. I picked the most common commands (apdus) from the codebase, but I haven't added all existing commands, so if anyone has a more comprehensive list of commands, please let me know (or add them youselves).
Also, I added loclass functionality to pm3, so now loclass operations can be invoked directly from within pm3. Please let me know if it builds and works ok, someone mentioned that the stat-operation is unavailable on windows (renamed), so we may have to add some preprocessing there.
Offline
And more changes: the 'hf iclass dump' is now fairly stable. And here's an example of the annotated listing:
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr | 52 | | WUPA
2228 | 4596 | Tag | 02 00 | |
7040 | 9504 | Rdr | 93 20 | | SELECT_ALL
10676 | 16500 | Tag | 00 00 00 00 00 | |
18688 | 29216 | Rdr | 93 70 00 00 00 00 00 9c d9 | | SELECT_UID
30388 | 33972 | Tag | 18 37 cd | |
462848 | 467616 | Rdr | e0 80 31 73 | | RATS
470836 | 483572 | Tag | 09 78 00 91 02 da bc 19 10 f0 05 | |
Recorded Activity
Last edited by holiman (2015-01-05 14:45:58)
Offline
Can you try and see if this is working on your linux? It works on my win7 64..
#ifdef _WIN32
struct _stat fileStat;
int result = _stat(filename, &fileStat);
#else
struct stat fileStat;
int result = stat(filename, &fileStat);
#endif
Offline
ISO14443A (usually NFC tags)
26(7bits) = REQA
30 = Read (usage: 30+1byte block number+2bytes ISO14443A-CRC - answer: 16bytes)
A2 = Write (usage: A2+1byte block number+4bytes data+2bytes ISO14443A-CRC - answer: 0A [ACK] or 00 [NAK])
52(7bits) = WUPA (usage: 52(7bits) - answer: 2bytes ATQA)
93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor)
93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK)
95 20 = Anticollision of cascade level2 (if SAK bit3 [counting from bit0] is 1)
95 70 = Select of cascade level2 (if SAK bit3 is still 1)
97 20 = Anticollision of cascade level3
97 70 = Select of cascade level3
50 00 = Halt (usage: 5000+2bytes ISO14443A-CRC - no answer from card)
NTAG213/215/216 (NFC compatible tag)
60 = Get product version (8 bytes answer)
3A = Fast Read (read a range of memeory blocks)
A0 = Compatibility Write (to accomodate MIFARE commands)
39 = Read Counter
1B = Password Authentication (password is 4 bytes)
3C = Read ECC Signature (32 bytes answer)
Mifare
60 = Authenticate with KeyA
61 = Authenticate with KeyB
40(7bits) = Used to put Chinese Changeable UID cards in special mode (must be followed by 43 (8bits) to enter in backdoor mode - answer: 0A)
41 = Used to wipe Chinese Changeable UID cards (all zeroes)
43 = See 40 (7 bits)
A0 = Write
C0 = Decrement
C1 = Increment
C2 = Restore
B0 = Transfer
Mifare Magic 1st gen
40(7bits) = WUP part1
41 = Wipe
43 = WUP part2
Ultralight C
A0 = Compatibility Write (to accomodate MIFARE commands)
1A = Step1 Authenticate
AF = Step2 Authenticate
Ultralight EV1
3E = CHECK TEARING EVENT
4B = VCSL
A5 = INCREMENT COUNTER
ISO14443B
05 = REQB
1D = ATTRIB
50 = HALT
SRIX4K (tag does not respond to 05)
06 00 = INITIATE
0E xx = SELECT ID (xx = Chip-ID)
0B = Get UID
08 yy = Read Block (yy = block number)
09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written)
0C = Reset to Inventory
0F = Completion
0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate)
NFC TYPE 1 (ex. Jewel/Topaz)
78(7bit) = Read ID (usage: 78+000000000000+2bytes ISO14443A-CRC - answer: 8bytes - used to read the metal-mask ROM and UID0-3 from block 0)
00(7bit) = Read All
01(7bit) = Read single byte
53(7bit) = Write with Erase Single Byte
1A(7bit) = Write with NO Erase Single Byte
10(7bit) = Read Segment
02(7bit) = Read (8 bytes)
54(7bit) = Write with Erase 8 bytes
1B(7bit) = Write with NO Erase 8 bytes
ISO15693
MANDATORY COMMANDS (all ISO15693 tags must support those)
01 = Inventory (usage: 260100+2bytes ISO15693-CRC - answer: 12bytes)
02 = Stay Quiet
OPTIONAL COMMANDS (not all tags support them)
20 = Read Block (usage: 0220+1byte block number+2bytes ISO15693-CRC - answer: 4bytes)
21 = Write Block (usage: 0221+1byte block number+4bytes data+2bytes ISO15693-CRC - answer: 4bytes)
22 = Lock Block
23 = Read Multiple Blocks (usage: 0223+1byte 1st block to read+1byte last block to read+2bytes ISO15693-CRC)
24 = Write Multiple Blocks (?up to 2 blocks max?)
25 = Select
26 = Reset to Ready
27 = Write AFI
28 = Lock AFI
29 = Write DSFID
2A = Lock DSFID
2B = Get_System_Info (usage: 022B+2bytes ISO15693-CRC - answer: 14 or more bytes)
2C = Read Multiple Block Security Status (usage: 022C+1byte 1st block security to read+1byte last block security to read+2bytes ISO15693-CRC)
EM Microelectronic CUSTOM COMMANDS
A2 = Set EAS
A3 = Reset EAS
A4 = Lock EAS
A5 = Active EAS
A6 = Protect EAS
A7 = Write EAS ID
A8 = Write EAS Cfg
B4 = Write Password
B6 = Protect Memory Page
B8 = Get Protection Status for a specific block
B9 = Destroy
BA = Enable Privacy
BB = Disable Privacy
BC = Enable Low Security
C3 = Fast Read Multiple Blocks
E4 = Login
NXP/Philips CUSTOM COMMANDS
A0 = Inventory Read
A1 = Fast Inventory Read
A2 = Set EAS
A3 = Reset EAS
A4 = Lock EAS
A5 = EAS Alarm
A6 = Password Protect EAS/AFI
A7 = Write EAS ID
A8 = Read EPC
B0 = Inventory Page Read
B1 = Fast Inventory Page Read
B2 = Get Random Number
B3 = Set Password
B4 = Write Password
B5 = Lock Password
B6 = Bit Password Protection
B7 = Lock Page Protection Condition
B8 = Get Multiple Block Protection Status
B9 = Destroy SLI
BA = Enable Privacy
BB = 64bit Password Protection
40 = Long Range CMD (Standard ISO/TR7003:1990)
Texas Instruments CUSTOM COMMANDS
A2 = Write 2 Blocks
A3 = Lock 2 Blocks
A4 = Kill
A5 = Write Single Block Password
ST Microelectronics
B1 = Write-sector Password
B2 = Lock-sector Password
B3 = Present-sector Password
C0 = Fast Read Single Block
C1 = Fast Inventory Initiated
C2 = Fast Initiate
C3 = Fast Read Multiple Block
D1 = Inventory Initiated
D2 = Initiate
Fujitsu
A0 = Read EAS
A1 = Write EAS
A6 = Kill
B1 = Fast Inventory
C3 = Fast Read Multiple Blocks
C4 = Fast Write Multiple Blocks
ISO14443B
05 = REQB: that is 05, followed by the Application Family Identifier (AFI), that usually is 00 in AFI is not set inside the tag (different from 00 it is set); those 2 bytes are then followed by 1byte parameter and 2bytes ISO14443B CRC.
50 = HALT
xx = SLOT-MARKER: must be coded looking at bits (par. 7.8.1 ISO14443B-3 datasheet)
yy = ATTRIB: must be coded looking at bits (par. 7.10 ISO14443B-3 datasheet)
St Microelectronics
0600 = INITIATE
0E = SELECT
0B = GET UID
08 = READ BLOCK
09 = WRTIE BLOCK
Last edited by asper (2015-09-27 10:20:08)
Offline
Thanks asper!
A few questions. In the code (iso14443a.c), the following block is defined:
if(receivedCmd[0] == 0x30 // read block
|| receivedCmd[0] == 0xA0 // write block
|| receivedCmd[0] == 0xC0 // inc
|| receivedCmd[0] == 0xC1 // dec
|| receivedCmd[0] == 0xC2 // restore
|| receivedCmd[0] == 0xB0) { // transfer
In the codeblock, write block is 0xA0, but you specify it as 0xA2. Can you verify which is correct?
And another thing:
20 = Read Block (usage: 0220+1byte block number+2bytes ISO15693-CRC - answer: 4bytes)
What is the first byte of the command, is it 02 in that case? And e.g inventory, is that 26,01, and if so, what about stay quiet, is that also prepended by 26?
Last edited by holiman (2015-01-07 21:52:22)
Offline
A0 is a proprietary command for write mifare (I forgot to add it), A2 is used to write with NFC standard tags (ex. my-d move or NTAG); inside the ISO14443-3 standard a "universal" write command is not specified but I found that A2 is used for NFC-compliant tags (even from different manufacturers ex. NXP and Infineon).
In ISO15693-3 [Chapter 7.3.1] commands need flags to work; 1st byte (1st 8 bits) represent the flags, the second byte of the command is the "real" command. Here is the full request-flag description:
VICC = Tags/Cards [Vicinity Card]
Here it is the description of the main used ISO15693 commands and their flag:
01 = Inventory (usage: 260100+2bytes ISO15693-CRC - answer: 12bytes)
2B = Get_System_Info (usage: 022B+2bytes ISO15693-CRC - answer: 14 or more bytes)
20 = Read Block (usage: 0220+1byte block number+2bytes ISO15693-CRC - answer: 4bytes)
21 = Write Block (usage: 0221+1byte block number+4bytes data+2bytes ISO15693-CRC - answer: 4bytes)
23 = Read Multiple Blocks (usage: 0223+1byte 1st block to read+1byte last block to read+2bytes ISO15693-CRC)
2C = Read Multiple Block Security Status (usage: 022C+1byte 1st block security to read 1byte last block security to read+2bytes ISO15693-CRC)
Again, each command need a "prepending" flag. You can only read the 2nd command byte to identify the real command or you can also add a flag "decryption" function.
Also the answers (responses) have a prepending flag, which is far easier to decrypt than the commands one (below you can also find the standard error codes):
Last edited by asper (2015-01-07 23:50:19)
Offline
Are you planning on rewriting the "hf 14b list" and move it to "hf list", Holiman ??
Offline
So all the "list" commands will be inside one simple hf list ? This will be fantastic !
Offline
Are you planning on rewriting the "hf 14b list" and move it to "hf list", Holiman ??
Yes, however I don't have any good way to test that. Anyone to help out?
Offline
Ask Asper. I think he has 14b tags laying around.
Offline
I can test iso14443b, link me the branch to compile->test.
Offline
I'll implement the changes in main, add 'hf list 14b', but not remove the old one until you've confirmed it's ok. I'll let you know when you can start testing
Offline
I've pushed some changes now, 'hf list 14b' and 'hf list raw' should work, the latter without any annotations nor CRC-checks.
My idea for CRC texts is that:
* No CRC expected: " "
* CRC ok: " ok "
* CRC error: "!crc"
Offline
Sweet! And when you at it, can you move the "hf list" commands into their own file? ie: cmdhflist.c
Offline
The hf list 14b seems not to work correctly:
proxmark3> #db# Randomly generated UID from tag (+ 2 byte CRC): 2e 4 38
proxmark3> #db# Now SELECT tag:
proxmark3> #db# Tag UID (64 bits): xxxxxxxxxxxxxxxxx
proxmark3> #db# Tag memory dump, block 0 to 127
proxmark3> #db# Address=0, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=1, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=3, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=4, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5, Contents=fffffffe, CRC=fc13
proxmark3> #db# Address=6, Contents=ffffff6b, CRC=6493
.......
proxmark3> #db# Address=28, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=29, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2a, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2b, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2c, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2d, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2e, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2f, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=30, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=31, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=32, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=33, Contents=ffffffff, CRC=470f
........
proxmark3> #db# Address=57, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=58, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=59, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5a, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5b, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5c, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5d, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5e, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5f, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=60, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=61, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=62, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=63, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=64, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=65, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=66, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=67, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=68, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=69, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=6a, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=6b, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=6c, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=6d, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=6e, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=6f, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=70, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=71, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=72, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=73, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=74, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=75, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=76, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=77, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=78, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=79, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=7a, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=7b, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=7c, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=7d, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=7e, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=7f, Contents=ffffffff, CRC=470f
proxmark3> #db# System area block (0xff):
proxmark3> #db# Address=ff, Contents=feffffff, CRC=ce1e
proxmark3> hf list 14b
I sent the built-in command to read the whole tag and it worked (log had been cut); after sending the hf list 14b command the clinet crashed (windows error message). I tested it a second time and the result was this (no crash but it doesn't work):
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 7886 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
16777217 | 16777217 | Rdr | | | ?
196609 | 196612 | Rdr | 03 00 03 | !crc| ?
16973828 | 16973831 | Rdr | 03 00 03 | !crc| ?
17039108 | 17104391 | Rdr | 03 ff 03 | !crc| ?
17039108 | 17039111 | Rdr | 03 ff 03 | !crc| ?
196612 | 261895 | Rdr | 03 00 03 | !crc| ?
proxmark3>
Then I tested the old hf 14b list:
proxmark3> hf 14b list
recorded activity:
time :rssi: who bytes
---------+----+----+-----------
+ 0: 7886: TAG (SHORT)
+-2130706431: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+2130903040: 196611: TAG 00 03 00 **FAIL CRC**
+-2130706429: : 00 03 00 **FAIL CRC**
+ 65280: : ff 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+2130641152: 261891: TAG 00 03 00 **FAIL CRC**
+ 65280: -16580605: TAG ff 03 ff **FAIL CRC**
+-2130771712: : 00 03 00 **FAIL CRC**
+ 65280: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ -65280: : 00 03 00 **FAIL CRC**
+2130706432: -16580605: TAG ff 03 00 **FAIL CRC**
+ 0: 196611: TAG 00 03 00 **FAIL CRC**
+-2130641152: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ -65280: : 00 03 ff **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ 65280: : 00 03 ff **FAIL CRC**
+ -65280: : ff 03 ff **FAIL CRC**
+ 65280: : ff 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ -65280: : 00 03 ff **FAIL CRC**
+2130706432: 196611: TAG 00 03 00 **FAIL CRC**
+-2130706432: : 00 03 00 **FAIL CRC**
+2130706432: 261891: TAG 00 03 ff **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 65280: : 00 03 00 **FAIL CRC**
+ -65280: : ff 03 00 **FAIL CRC**
+ 65280: : ff 03 00 **FAIL CRC**
+ -65280: : 00 03 00 **FAIL CRC**
+ 65280: : 00 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 ff **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+2130706432: 261891: TAG ff 03 ff **FAIL CRC**
+-2130771712: : 00 03 ff **FAIL CRC**
+2130706432: 261891: TAG 00 03 00 **FAIL CRC**
+-2130641152: : ff 03 ff **FAIL CRC**
+ -65280: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 ff **FAIL CRC**
+2130771712: 261891: TAG 00 03 00 **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+ -65280: : 00 03 00 **FAIL CRC**
+ 65280: : 00 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : 00 03 ff **FAIL CRC**
+2130641152: -16580605: TAG ff 03 00 **FAIL CRC**
+-2130641152: : 00 03 ff **FAIL CRC**
+2130706432: -16515325: TAG ff 03 00 **FAIL CRC**
+ 0: 261891: TAG ff 03 00 **FAIL CRC**
+-2130771712: : ff 03 00 **FAIL CRC**
+2130771712: 196611: TAG ff 03 ff **FAIL CRC**
+-2130771712: : ff 03 00 **FAIL CRC**
+ 65280: : ff 03 00 **FAIL CRC**
+2130706432: 196611: TAG 00 03 ff **FAIL CRC**
+-2130771712: : 00 03 ff **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ 65280: : 00 03 ff **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+2130706432: 261891: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+2130641152: -16515325: TAG 00 03 ff **FAIL CRC**
+ 0: -16515325: TAG 00 03 00 **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+ 65280: : 00 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : ff 03 ff **FAIL CRC**
+ -65280: : ff 03 00 **FAIL CRC**
+ 65280: : ff 03 00 **FAIL CRC**
+ -65280: : 00 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
proxmark3>
Then I tryed to ged UID and it worked but listing the results i obtained this:
proxmark3> hf 14b raw -c -p 0B
received 10 octets
XX XX XX XX XX XX XX XX XX XX
CRC OK
proxmark3>
proxmark3> hf 14b list
recorded activity:
time :rssi: who bytes
---------+----+----+-----------
proxmark3>
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
proxmark3>
Another test after succesfully reading 1 single block:
proxmark3> hf 14b raw -c -p 08 04
received 6 octets
FF FF FF FF 47 0F
CRC OK
proxmark3>
proxmark3> hf 14b list
recorded activity:
time :rssi: who bytes
---------+----+----+-----------
+ 0: 3911: TAG (SHORT)
+-2147483647: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+2130903040: -16515325: TAG ff 03 00 **FAIL CRC**
+ 65283: -16580605: TAG ff 03 00 **FAIL CRC**
+ 0: -16515325: TAG ff 03 00 **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+ 0: : ff 03 ff **FAIL CRC**
+2130706432: 261891: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+2130706432: -16515325: TAG ff 03 ff **FAIL CRC**
+ -65280: -16515325: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+2130771712: -16515325: TAG ff 03 00 **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+ 0: : ff 03 ff **FAIL CRC**
+2130706432: -16515325: TAG ff 03 00 **FAIL CRC**
+ 0: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 00 **FAIL CRC**
+ 0: 261891: TAG ff 03 00 **FAIL CRC**
+ 0: -16515325: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 ff **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+2130706432: -16515325: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+ 0: : ff 03 ff **FAIL CRC**
+2130706432: 261891: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 00 **FAIL CRC**
+ 0: -16580605: TAG 00 03 ff **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+ -65280: : ff 03 ff **FAIL CRC**
+2130771712: -16515325: TAG ff 03 ff **FAIL CRC**
+-2130771712: : ff 03 ff **FAIL CRC**
+2130771712: 261891: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 ff **FAIL CRC**
+ -65280: -16515325: TAG ff 03 ff **FAIL CRC**
+-2130641152: : ff 03 ff **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+2130706432: 261891: TAG 00 03 00 **FAIL CRC**
+ 0: -16580605: TAG 00 03 ff **FAIL CRC**
+ -65280: -16515325: TAG ff 03 ff **FAIL CRC**
+-2130641152: : ff 03 ff **FAIL CRC**
+2130706432: 196611: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+2130706432: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 00 **FAIL CRC**
+ 0: -16515325: TAG ff 03 00 **FAIL CRC**
+ 0: -16515325: TAG 00 03 ff **FAIL CRC**
+ -65280: -16515325: TAG ff 03 ff **FAIL CRC**
+-2130641152: : ff 03 ff **FAIL CRC**
+2130706432: 261891: TAG 00 03 00 **FAIL CRC**
+-2130706432: : 00 03 ff **FAIL CRC**
+2130706432: 261891: TAG ff 03 00 **FAIL CRC**
+ 0: -16580605: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+ 0: : ff 03 ff **FAIL CRC**
+2130706432: 261891: TAG ff 03 00 **FAIL CRC**
+ 0: -16515325: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+2130706432: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: 261891: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+2130706432: 261891: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG 00 03 00 **FAIL CRC**
+ 0: -16580605: TAG ff 03 ff **FAIL CRC**
+ 0: 261891: TAG ff 03 00 **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+2130706432: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 00 **FAIL CRC**
+ 0: 261891: TAG ff 03 ff **FAIL CRC**
+ 0: -16515325: TAG ff 03 00 **FAIL CRC**
+ 0: -16515325: TAG ff 03 00 **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+2130641152: 261891: TAG ff 03 00 **FAIL CRC**
+ 65280: -16515325: TAG ff 03 00 **FAIL CRC**
+ 0: 261891: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+2130706432: 261891: TAG ff 03 ff **FAIL CRC**
+ 0: 261891: TAG ff 03 ff **FAIL CRC**
proxmark3>
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 3911 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
1 | 1 | Rdr | | | ?
proxmark3>
In the last 2 tests I tested the new and the old list command. PM3 os, fpga and clien were the ones in the holiman trunk.
Last edited by asper (2015-01-18 13:19:29)
Offline
Sorry if I was unclear, the code is in main, that it, pm3 proper. Not my branch, which contains iceman-stuff
Offline
Hm, maybe it doesn't matter. I think the iso14443b-stuff does not use the same raw format for traces, judging by https://github.com/Proxmark/proxmark3/blob/master/armsrc/iso14443.c . I'll have to fix that first, on the arm-side, I guess.
Offline
Ok, waiting for your "go" to further test.
Offline
The raw doesn't even trace, but what was the first command you executed ?
Offline
Dump all data from srix tag ("hf 14b srix4kread" client command).
Last edited by asper (2015-01-18 19:57:04)
Offline
I've added proper tracing to iso14443b-things now. Since I may have broken things, I put it in it's own branch: https://github.com/Proxmark/proxmark3/tree/GenericTracing .
The things that would be good to test are:
- iso14443b raw
- hf 14b snoop
- SRI512 reading
- Srix4k read
Thanks!
Offline
It does not work at all (raw commands, srix reading - no rensponse from tag); snoop not tested.
Last edited by asper (2015-01-20 21:02:48)
Offline
What happens if you do 'hf list 14b' after such a raw or srix-reading ?
Offline
hf list 14b does not exist (14b param is missing), the other one (hf 14b list) all 0.
I used this branch: https://github.com/Proxmark/proxmark3/tree/GenericTracing
proxmark3> hf 14b srix4kread
proxmark3>
proxmark3> #db# No response from tag
proxmark3> hf 14b srix4kread
proxmark3>
proxmark3> #db# No response from tag
proxmark3> hf list 14b
List protocol data in trace buffer.
Usage: hf list [14a|iclass] [f]
14a - interpret data as iso14443a communications
iclass - interpret data as iclass communications
f - show frame delay times as well
example: hf list 14a f
example: hf list iclass
proxmark3>
proxmark3> hf 14b list
recorded activity:
time :rssi: who bytes
---------+----+----+-----------
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
proxmark3>
Offline
I think you're somehow not using that code. Look at https://github.com/Proxmark/proxmark3/blob/master/client/cmdhf.c, the help-text there - it's not the same as you're seeing. Do git status
Offline
And don't you need to do a fpga update?
Offline
Asper, it should look like this.
pm3 --> hf list
List protocol data in trace buffer.
Usage: hf list [14a|14b|iclass] [f]
14a - interpret data as iso14443a communications
14b - interpret data as iso14443b communications
iclass - interpret data as iclass communications
raw - just show raw data
f - show frame delay times as well
Offline
I downloaded the zip file from that link because svn was not working.
I will delete and retry tomorrow.
Offline
Fpga update not necessary, only for iclass tagsim
Offline
Deleted all the folders, redownloaded via svn and flashed fpga+os:
Read all blocks -> list
proxmark3> hf 14b srix4kread
proxmark3>
proxmark3> #db# Randomly generated UID from tag (+ 2 byte CRC): 3c 97 b
proxmark3> #db# Now SELECT tag:
proxmark3> #db# Tag UID (64 bits): xxxxxxxxxxxxx
proxmark3> #db# Tag memory dump, block 0 to 127
proxmark3> #db# Expected 6 bytes from tag, got less...
proxmark3> hf 14b srix4kread
proxmark3>
proxmark3> #db# Randomly generated UID from tag (+ 2 byte CRC): ff 0 ff
proxmark3> #db# Now SELECT tag:
proxmark3> #db# Tag UID (64 bits): xxxxxxxxxxxxxx
proxmark3> #db# Tag memory dump, block 0 to 127
proxmark3> #db# Address=0, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=1, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=3, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=4, Contents=ffffffff, CRC=470f
.......
proxmark3> #db# Address=28, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=29, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2a, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2b, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2c, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2d, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2e, Contents=ffffffff, CRC=470f
.........
proxmark3> #db# Address=58, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=59, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5a, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5b, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5c, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5d, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5e, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5f, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=60, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=61, Contents=ffffffff, CRC=470f
proxmark3> #db# Expected 6 bytes from tag, got less...
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
0 | 0 | Rdr | | | ?
proxmark3>
Raw request UID -> list:
proxmark3> hf 14b raw -c -p 0B
received 10 octets
63 1C 88 39 9F 00 02 D0 B5 C6
CRC OK
proxmark3>
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
proxmark3>
proxmark3> hf 14b list
recorded activity:
time :rssi: who bytes
---------+----+----+-----------
proxmark3>
Last edited by asper (2015-01-21 19:08:06)
Offline
Thanks for testing. Ive now made some major modifications, and also understood how the tracing worked. Remember I said that it wasn't even implemented ? Actually. they had pointed the Demodulation-buffer directly to the trace-memory. Kind of clever, but also means that all data is 'raw data', without timestamps and directions and stuff like that. I've now changed it to be more 'standard'. As far as the tracing is concerned, I'm pretty certain it works now. I just hope that I haven't destroyed any underlying functionality, the actual communications.
I tested it myself using raw iso14443b-writes to a mifare-tag and got expected results (trace results), but of course no actual verification of the comms. So, please test again.
Offline
proxmark3> hf 14b raw -c -p 0B
received 10 octets
xxxxxxxxxxxxxxxxxxx
CRC OK
proxmark3>
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
proxmark3>
proxmark3> hf 14b list
recorded activity:
time :rssi: who bytes
---------+----+----+-----------
proxmark3>
Then, after reading all blocks with the srix command, i have those:
proxmark3> hf 14b list
recorded activity:
time :rssi: who bytes
---------+----+----+-----------
+ 0: 7886: TAG (SHORT)
+-2130706431: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
proxmark3>
proxmark3> hf list 14b
But when I run hf list 14b the client crashes with a windows error referring to an event name problem called BEX, application name proxmark.exe (module error name StackHash_e98d). The error seems not to appear if the amount of data is small (ex after a ged uid command the client never crash).
Also the snoop command:
proxmark3> hf 14b snoop
proxmark3>
proxmark3> #db# Snooping buffers initialized:
proxmark3> #db# Trace: 4096 bytes
proxmark3> #db# Reader -> tag: 2048 bytes
proxmark3> #db# tag -> Reader: 2048 bytes
proxmark3> #db# DMA: 1024 bytes
proxmark3> #db# Snoop statistics:
proxmark3> #db# Max behind by: 419
proxmark3> #db# Uart State: 3
proxmark3> #db# Uart ByteCnt: 4
proxmark3> #db# Uart ByteCntMax: 100
proxmark3> #db# Trace length: 1009
proxmark3> hf 14b list
recorded activity:
time :rssi: who bytes
---------+----+----+-----------
+ 0: : 06 00 97 5b
+ 52686: : 0b ab 4e
+1818580: : 06 00 97 5b
+ 52446: : 0b ab 4e
+1282278: : 06 00 97 5b
+ 59384: : 0b ab 4e
+2634666: : 06 00 97 5b
+ 346: 130: TAG 72 ed a0
+ 630: : 0e 72 c2 c5
+ 346: 132: TAG 72 ed a0
+ 58312: : 0b ab 4e
+ 624: 139: TAG 63 1c 88 39 9f 00 02 d0 b5 c6
+ 58688: : 08 00 87 c1
+ 466: 148: TAG ff ff ff ff 47 0f
+ 13504: : 08 01 0e d0
+ 466: 96: TAG ff ff ff ff 47 0f
+ 12476: : 08 02 95 e2
+ 466: 161: TAG ff ff ff ff 47 0f
+ 12782: : 08 03 1c f3
+ 464: 155: TAG ff ff ff ff 47 0f
x
proxmark3>
there are some problems (the log is cut) but it seems to work.
This is the list with the new hf list 14b:
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr | | | ?
1533963214 | 1533988308 | Rdr | 00 00 00 00 03 0b ab 4e da 21 45 00 00 00 00 00 | |
| | | 04 06 00 97 5b b8 ee 45 00 00 00 00 00 03 0b ab | |
| | | 4e 9e 7f 59 00 00 00 00 00 | !crc| ?
-2636241 | -2636241 | Rdr | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 7 | |
| | | c1 b4 6d 84 80 94 00 00 00 06 ff ff ff ff 47 0f | |
| | | 74 a2 84 00 00 00 00 00 04 08 01 0e d0 46 a4 84 | |
| | | 80 60 00 00 00 06 ff ff ff ff 47 0f 02 d5 84 00 | |
| | | 00 00 00 00 04 08 02 95 e2 d4 d6 84 80 a1 00 00 | |
| | | 00 06 ff ff ff ff 47 0f c2 08 85 00 00 00 00 00 | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | 00 06 69 ff ff ff 12 aa da d6 85 00 00 00 00 00 | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | 80 83 00 00 00 06 ff ff ff ff 47 0f da 72 86 00 | |
| | | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx | |
| | | 20 20 30 30 20 20 30 30 20 20 30 30 20 20 30 30 | |
| | | 20 20 30 30 20 20 30 34 20 20 30 38 20 20 30 39 | |
| | | 20 20 34 36 20 20 35 63 20 20 35 36 20 20 34 30 | |
but data seems not to be all correct (last bytes... dunno what they are).
Last edited by asper (2015-01-22 19:27:54)
Offline
Another snoop test with a different sri tag (512):
proxmark3> hf 14b snoop
proxmark3>
proxmark3> #db# Snooping buffers initialized:
proxmark3> #db# Trace: 4096 bytes
proxmark3> #db# Reader -> tag: 2048 bytes
proxmark3> #db# tag -> Reader: 2048 bytes
proxmark3> #db# DMA: 1024 bytes
proxmark3> #db# blew circular buffer! behindBy=0x3ff
proxmark3> #db# Snoop statistics:
proxmark3> #db# Max behind by: 1023
proxmark3> #db# Uart State: 0
proxmark3> #db# Uart ByteCnt: 0
proxmark3> #db# Uart ByteCntMax: 100
proxmark3> #db# Trace length: 496
proxmark3> hf 14b list
recorded activity:
time :rssi: who bytes
---------+----+----+-----------
+ 0: : 06 00 97 5b
+ 342: 73: TAG d7 4a 52
+ 622: : 0e d7 65 37
+ 340: 82: TAG d7 4a 52
+ 247398: : 0b ab 4e
+ 620: 91: TAG 29 74 91 78 24 18 02 d0 85 b0
+ 216502: : 0b ab 4e
+ 276234: : 08 00 87 c1
+ 460: 83: TAG ff ff ff ff 47 0f
+ 17826: : 08 01 0e d0
+ 460: 94: TAG ff ff ff ff 47 0f
+ 19414: : 08 02 95 e2
+ 460: 96: TAG ff ff ff ff 47 0f
+ 19520: : 08 03 1c f0 **FAIL CRC**
+ 462: 74: TAG ff ff ff ff 47 0f
+ 19324: : 08 04 a3 87
+ 462: 55: TAG ff ff ff ff 47 0f
+ 19540: : 08 04 2a 96 **FAIL CRC**
+ 462: 78: TAG 01 8c 80 1b b4 6b
+ 19324: : 08 06 b1 a4
+ 460: 90: TAG ff ff ff ff 47 0f
+ 19326: : 08 07 38 b5
+ 460: 77: TAG 01 00 42 03 28 a7
+ 19716: : 08 08 cf 4d
+ 462: 104: TAG 09 0a 5e 5a ff c2
+ 19324: : 08 08 46 5c **FAIL CRC**
+ 19918: : 08 0a dd 6e
+ 462: 42: TAG 00 ff 6b 04 f4 fd
+ 19256: : 08 08 54 7f **FAIL CRC**
+ 460: 88: TAG 5e 5c 60 00 9f c4
+ 19478: : 08 0c eb 08 **FAIL CRC**
+ 460: 87: TAG 00 00 00 00 de fc
+ 19414: : 08 0d 62 1a
+ 460: 81: TAG 01 d9 c8 c9 d3 ac
+ 19432: : 08 0e f8 28 **FAIL CRC**
+ 19894: : 08 0f 70 39
proxmark3>
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr | | | ?
1535415494 | 1535443292 | Tag | 49! 00 00! 00 03! d7 4a! 52! 04 6f 12 00! 00! 00 00! 00 | |
| | | 04 0e | !crc|
-2147482344 | -2147482262 | Rdr | 49! 00 00! 00 03! d7 4a! 52! 04 6f 12 00! 00! 00 00! 00 | | ?
-1103110249 | -1103104563 | Rdr | 49! 00 00! 00 03! d7 4a! 52! 04 6f 12 00! 00! 00 00! 00 | | ?
proxmark3>
This is the read:
proxmark3> hf 14b sri512read
proxmark3>
proxmark3> #db# Randomly generated UID from tag (+ 2 byte CRC): ce a df
proxmark3> #db# Now SELECT tag:
proxmark3> #db# Tag UID (64 bits): d0021824 78917429
proxmark3> #db# Tag memory dump, block 0 to 15
proxmark3> #db# Address=0, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=1, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=3, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=4, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5, Contents=1b808c01, CRC=b46b
proxmark3> #db# Address=6, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=7, Contents=3420001, CRC=28a7
proxmark3> #db# Address=8, Contents=5a5e0a09, CRC=ffc2
proxmark3> #db# Address=9, Contents=15, CRC=2851
proxmark3> #db# Address=a, Contents=46bff00, CRC=f4fd
proxmark3> #db# Address=b, Contents=605c5e, CRC=9fc4
proxmark3> #db# Address=c, Contents=0, CRC=defc
proxmark3> #db# Address=d, Contents=c9c8d901, CRC=d3ac
proxmark3> #db# Address=e, Contents=0, CRC=defc
proxmark3> #db# Address=f, Contents=0, CRC=defc
proxmark3> #db# System area block (0xff):
proxmark3> #db# Address=ff, Contents=ffff7fff, CRC=ab03
Last edited by asper (2015-01-22 19:46:23)
Offline
You're still somehow not getting the right code. You shouldn't be able to run ' hf 14b list' - it should tell you it's deprecated.
See here: https://github.com/Proxmark/proxmark3/c … 5e7074bc9e
Last edited by holiman (2015-01-22 22:03:37)
Offline
Hey @asper, I made this branch for you: https://github.com/Proxmark/proxmark3/tree/lf_recorder . It'll enable you to set quantization and decimation of sampling, so you can instead choose to sample e.g. only 4 bits, and only every third sample. (2 * 3 = 6 times longer sample trace). It's only on ARM yet, needs some more code before it can be tested (send to client, unpack into graphbuffer as normal samples)
Offline
You're still somehow not getting the right code. You shouldn't be able to run ' hf 14b list' - it should tell you it's deprecated.
See here: https://github.com/Proxmark/proxmark3/c … 5e7074bc9e
I am using the branch you linked some post above updating via svn... dunno why the old command is still working.
Tell me when i must test the code in th newer link
Offline
By svn you mean git, no?
It is generictraces-branch of the main proxmark account... Are you using zipped download from github or git repo pull/update direct?
Offline
Direct updated (using svn software). I used the zipped one just 1 time becauseautomatic update was not working. Should i re-test with the new branch or you need to make some modifications?
Last edited by asper (2015-01-23 08:39:00)
Offline
UPDATE:
I used this: C:\pmholitest\proxmark3.git\branches\lf_recorder
hf 14b list is still available (it doesn't says "deprecated").
I read all tag blocks -> send hf list 14b -> client crashes.
It also crashes if i send for example: hf 14b raw -c -p 0E FF (where FF is the byte received from the INITIATE command).
EDIT:
Sometimes it seems to work and this is the result:
proxmark3> hf 14b raw -c -p 06 00
received 3 octets
EF 81 EF
CRC OK
proxmark3>
proxmark3> hf 14b raw -c -p 0E EF
received 3 octets
EF 81 EF
CRC OK
proxmark3>
proxmark3> hf 14b raw -c -p 0B
received 3 octets
29 74 91
CRC failed
proxmark3>
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
proxmark3>
It seems to crash if I send commands too quickly...
Another test (no crashing this time after 512read command):
proxmark3> hf 14b sri512read
proxmark3>
proxmark3> #db# Randomly generated UID from tag (+ 2 byte CRC): ce a df
proxmark3> #db# Now SELECT tag:
proxmark3> #db# Tag UID (64 bits): d0021824 78917429
proxmark3> #db# Tag memory dump, block 0 to 15
proxmark3> #db# Address=0, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=1, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=3, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=4, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5, Contents=1b808c01, CRC=b46b
proxmark3> #db# Address=6, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=7, Contents=3420001, CRC=28a7
proxmark3> #db# Address=8, Contents=5a5e0a09, CRC=ffc2
proxmark3> #db# Address=9, Contents=15, CRC=2851
proxmark3> #db# Address=a, Contents=46bff00, CRC=f4fd
proxmark3> #db# Address=b, Contents=605c5e, CRC=9fc4
proxmark3> #db# Address=c, Contents=0, CRC=defc
proxmark3> #db# Address=d, Contents=c9c8d901, CRC=d3ac
proxmark3> #db# Address=e, Contents=0, CRC=defc
proxmark3> #db# Address=f, Contents=0, CRC=defc
proxmark3> #db# System area block (0xff):
proxmark3> #db# Address=ff, Contents=ffff7fff, CRC=ab03
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 939 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
32769 | 32769 | Rdr | | | ?
proxmark3>
proxmark3> hf 14b list
recorded activity:
time :rssi: who bytes
---------+----+----+-----------
+ 0: 939: TAG (SHORT)
+-2147450879: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+2130903040: -16580605: TAG 00 03 00 **FAIL CRC**
+ 65283: 196611: TAG ff 03 ff **FAIL CRC**
+-2130706432: : 00 03 00 **FAIL CRC**
+2130706432: -16515325: TAG ff 03 ff **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+2130706432: 261891: TAG 00 03 00 **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+2130641152: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: 261891: TAG 00 03 ff **FAIL CRC**
+ 65280: 261891: TAG ff 03 ff **FAIL CRC**
+-2130771712: : 00 03 00 **FAIL CRC**
+2130771712: -16515325: TAG ff 03 00 **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+2130641152: -16515325: TAG ff 03 00 **FAIL CRC**
+ 65280: 261891: TAG ff 03 ff **FAIL CRC**
+-2130771712: : ff 03 00 **FAIL CRC**
+2130706432: 196611: TAG 00 03 00 **FAIL CRC**
+ 0: 196611: TAG 00 03 00 **FAIL CRC**
+ 65280: 261891: TAG 00 03 00 **FAIL CRC**
+ 0: -16515325: TAG ff 03 00 **FAIL CRC**
+-2130706432: : ff 03 ff **FAIL CRC**
+ 0: : ff 03 ff **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+2130641152: -16580605: TAG ff 03 00 **FAIL CRC**
+ 0: -16580605: TAG 00 03 00 **FAIL CRC**
+-2130706432: : 00 03 ff **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ 65280: : ff 03 ff **FAIL CRC**
+2130641152: -16580605: TAG ff 03 ff **FAIL CRC**
+-2130641152: : 00 03 ff **FAIL CRC**
+2130641152: -16515325: TAG ff 03 00 **FAIL CRC**
+ 65280: 261891: TAG ff 03 00 **FAIL CRC**
+-2130771712: : 00 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 65280: : 00 03 ff **FAIL CRC**
+2130641152: 196611: TAG 00 03 ff **FAIL CRC**
+-2130706432: : 00 03 00 **FAIL CRC**
+2130706432: 196611: TAG ff 03 ff **FAIL CRC**
+ 0: 196611: TAG 00 03 ff **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+ 65280: : 00 03 ff **FAIL CRC**
+ 0: : ff 03 ff **FAIL CRC**
+2130706432: -16515325: TAG ff 03 ff **FAIL CRC**
+ 0: 196611: TAG 00 03 ff **FAIL CRC**
+ 0: 196611: TAG 00 03 00 **FAIL CRC**
+-2130771712: : ff 03 00 **FAIL CRC**
+ 65280: : ff 03 00 **FAIL CRC**
+2130641152: -16515325: TAG ff 03 00 **FAIL CRC**
+ 65280: 196611: TAG ff 03 ff **FAIL CRC**
+ -65280: -16580605: TAG ff 03 ff **FAIL CRC**
+-2130706432: : 00 03 ff **FAIL CRC**
+2130771712: 261891: TAG 00 03 00 **FAIL CRC**
+ 0: 261891: TAG 00 03 00 **FAIL CRC**
+-2130771712: : 00 03 00 **FAIL CRC**
+ 65280: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : 00 03 00 **FAIL CRC**
+ 0: : 00 03 ff **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+2130641152: -16515325: TAG ff 03 ff **FAIL CRC**
+ 65280: 196611: TAG ff 03 ff **FAIL CRC**
+-2130771712: : ff 03 00 **FAIL CRC**
+ 65280: : ff 03 ff **FAIL CRC**
+ 0: : 00 03 ff **FAIL CRC**
+ -65280: : 00 03 00 **FAIL CRC**
+2130706432: -16580605: TAG 00 03 00 **FAIL CRC**
+-2130706432: : 00 03 ff **FAIL CRC**
+ 65280: : ff 03 00 **FAIL CRC**
+ 0: : 00 03 ff **FAIL CRC**
+2130641152: 196611: TAG ff 03 00 **FAIL CRC**
+-2130641152: : ff 03 00 **FAIL CRC**
+2130706432: 196611: TAG 00 03 ff **FAIL CRC**
+-2130706432: : 00 03 ff **FAIL CRC**
+2130706432: -16580605: TAG ff 03 00 **FAIL CRC**
+-2130771712: : ff 03 00 **FAIL CRC**
+ 65280: : ff 03 00 **FAIL CRC**
+2130706432: 261891: TAG ff 03 ff **FAIL CRC**
+ 0: -16580605: TAG 00 03 ff **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+2130641152: -16515325: TAG 00 03 ff **FAIL CRC**
+ 65280: 196611: TAG 00 03 00 **FAIL CRC**
+-2130706432: : ff 03 00 **FAIL CRC**
+ 0: : ff 03 00 **FAIL CRC**
+ -65280: : ff 03 ff **FAIL CRC**
+2130706432: 261891: TAG 00 03 00 **FAIL CRC**
+ 0: 65283: TAG (SHORT)
+-2130903043: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 8192: : (SHORT)
+ -8192: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 16: : (SHORT)
+ -16: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 128: : (SHORT)
+ -128: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+67108864: : (SHORT)
+-67108864: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+1048576: : (SHORT)
+-1048576: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 **FAIL CRC**
+ 0: : (SHORT)
+ 0: : 00 00 (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 16: : (SHORT)
+ -16: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 512: : (SHORT)
+ -512: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 16384: : (SHORT)
+ -16384: : (SHORT)
+ 0: : (SHORT)
+1073741824: : (SHORT)
+-1073741824: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 64: : (SHORT)
+ -64: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 131072: : (SHORT)
+-131072: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 **FAIL CRC**
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+33554432: : (SHORT)
+-33554432: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 **FAIL CRC**
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 64: : (SHORT)
+ -64: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 **FAIL CRC**
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
+ 0: : (SHORT)
proxmark3>
Last edited by asper (2015-01-23 09:10:20)
Offline
Sorry if I confused you. The things to test are in generictracing. Thd recorder is work in progress, not yet testable.
Offline
Using zipped dl should be fine (but *not* releases). If you just clone, you need to explicitly checkout the right branch, otherwise you end up using main branch.
Offline
Finally I got it ! Sorry for the confusion about branches...
It seems to work perfectly with spceific srix client commands ! Last 2 bytes are crc. The only "issue" are reversed bytes from the tag but the communication tag<->reader works this way:
proxmark3> #db# Randomly generated UID from tag (+ 2 byte CRC): 0 78 f0
proxmark3> #db# Now SELECT tag:
proxmark3> #db# Tag UID (64 bits): d0021824 78917429
proxmark3> #db# Tag memory dump, block 0 to 15
proxmark3> #db# Address=0, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=1, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=2, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=3, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=4, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=5, Contents=1b808c01, CRC=b46b
proxmark3> #db# Address=6, Contents=ffffffff, CRC=470f
proxmark3> #db# Address=7, Contents=3420001, CRC=28a7
proxmark3> #db# Address=8, Contents=5a5e0a09, CRC=ffc2
proxmark3> #db# Address=9, Contents=15, CRC=2851
proxmark3> #db# Address=a, Contents=46bff00, CRC=f4fd
proxmark3> #db# Address=b, Contents=605c5e, CRC=9fc4
proxmark3> #db# Address=c, Contents=0, CRC=defc
proxmark3> #db# Address=d, Contents=c9c8d901, CRC=d3ac
proxmark3> #db# Address=e, Contents=0, CRC=defc
proxmark3> #db# Address=f, Contents=0, CRC=defc
proxmark3> #db# System area block (0xff):
proxmark3> #db# Address=ff, Contents=ffff7fff, CRC=ab03
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr | 06! 00! 97! 5b! | ok | ?
0 | 0 | Tag | 00! 78! f0! | ok |
0 | 0 | Rdr | 0e! 00! 57! 95! | ok | ?
0 | 0 | Tag | 00! 78! f0! | ok |
0 | 0 | Rdr | 0b! ab! 4e! | ok | ?
0 | 0 | Tag | 29! 74! 91! 78! 24! 18! 02! d0! 85! b0! | ok |
0 | 0 | Rdr | 08! 00! 87! c1! | ok | ?
0 | 0 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
0 | 0 | Rdr | 08! 01! 0e! d0! | ok | ?
0 | 0 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
0 | 0 | Rdr | 08! 02! 95! e2! | ok | ?
0 | 0 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
0 | 0 | Rdr | 08! 03! 1c! f3! | ok | ?
0 | 0 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
0 | 0 | Rdr | 08! 04! a3! 87! | ok | ?
0 | 0 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
0 | 0 | Rdr | 08! 05! 2a! 96! | ok | ?
0 | 0 | Tag | 01! 8c! 80! 1b! b4! 6b! | ok |
0 | 0 | Rdr | 08! 06! b1! a4! | ok | ?
0 | 0 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
0 | 0 | Rdr | 08! 07! 38! b5! | ok | ?
0 | 0 | Tag | 01! 00! 42! 03! 28! a7! | ok |
0 | 0 | Rdr | 08! 08! cf! 4d! | ok | ?
0 | 0 | Tag | 09! 0a! 5e! 5a! ff! c2! | ok |
0 | 0 | Rdr | 08! 09! 46! 5c! | ok | ?
0 | 0 | Tag | 15! 00! 00! 00! 28! 51! | ok |
0 | 0 | Rdr | 08! 0a! dd! 6e! | ok | ?
0 | 0 | Tag | 00! ff! 6b! 04! f4! fd! | ok |
0 | 0 | Rdr | 08! 0b! 54! 7f! | ok | ?
0 | 0 | Tag | 5e! 5c! 60! 00! 9f! c4! | ok |
0 | 0 | Rdr | 08! 0c! eb! 0b! | ok | ?
0 | 0 | Tag | 00! 00! 00! 00! de! fc! | ok |
0 | 0 | Rdr | 08! 0d! 62! 1a! | ok | ?
0 | 0 | Tag | 01! d9! c8! c9! d3! ac! | ok |
0 | 0 | Rdr | 08! 0e! f9! 28! | ok | ?
0 | 0 | Tag | 00! 00! 00! 00! de! fc! | ok |
0 | 0 | Rdr | 08! 0f! 70! 39! | ok | ?
0 | 0 | Tag | 00! 00! 00! 00! de! fc! | ok |
0 | 0 | Rdr | 08! ff! ff! ce! | ok | ?
0 | 0 | Tag | ff! 7f! ff! ff! ab! 03! | ok |
proxmark3>
proxmark3> hf 14b list
Deprecated command, use 'hf list 14b' instead
proxmark3>
It also works with raw commands:
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr | 06! 00! 97! 5b! | ok | ?
0 | 0 | Tag | 8c! 1c! be! | ok |
0 | 0 | Rdr | 06! 00! 97! 5b! | ok | ?
0 | 0 | Tag | e7! c9! 63! | ok |
0 | 0 | Rdr | 0e! e7! e6! 06! | ok | ?
0 | 0 | Tag | e7! c9! 63! | ok |
0 | 0 | Rdr | 0b! ab! 4e! | ok | ?
0 | 0 | Tag | 29! 74! 91! 78! 24! 18! 02! d0! 85! b0! | ok |
0 | 0 | Rdr | 0b! ab! 4e! | ok | ?
0 | 0 | Tag | 29! 74! 91! 78! 24! 18! 02! d0! 85! b0! | ok |
proxmark3>
This is another snoop test:
(this time only tag answers are identified)
proxmark3> hf 14b snoop
proxmark3>
proxmark3> #db# Snooping buffers initialized:
proxmark3> #db# Trace: 4096 bytes
proxmark3> #db# Reader -> tag: 2048 bytes
proxmark3> #db# tag -> Reader: 2048 bytes
proxmark3> #db# DMA: 1024 bytes
proxmark3> #db# cancelled
proxmark3> #db# Snoop statistics:
proxmark3> #db# Max behind by: 160
proxmark3> #db# Uart State: 0
proxmark3> #db# Uart ByteCnt: 0
proxmark3> #db# Uart ByteCntMax: 100
proxmark3> #db# Trace length: 0
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
20910 | 20910 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
40782 | 40782 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
60656 | 60656 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
80506 | 80506 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
100374 | 100374 | Tag | 01! 8c! 80! 1b! b4! 6b! | ok |
120250 | 120250 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
140078 | 140078 | Tag | 01! 00! 42! 03! 28! a7! | ok |
160214 | 160214 | Tag | 09! 0a! 5e! 5a! ff! c2! | ok |
179976 | 179976 | Tag | 15! 00! 00! 00! 28! 51! | ok |
199848 | 199848 | Tag | 00! ff! 6b! 04! f4! fd! | ok |
219720 | 219720 | Tag | 5e! 5c! 60! 00! 9f! c4! | ok |
239634 | 239634 | Tag | 00! 00! 00! 00! de! fc! | ok |
259488 | 259488 | Tag | 01! d9! c8! c9! d3! ac! | ok |
279978 | 279978 | Tag | 00! 00! 00! 00! de! fc! | ok |
299828 | 299828 | Tag | 00! 00! 00! 00! de! fc! | ok |
1298374 | 1298374 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1316572 | 1316572 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1336448 | 1336448 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1356316 | 1356316 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1376190 | 1376190 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1396038 | 1396038 | Tag | 01! 8c! 80! 1b! b4! 6b! | ok |
1415890 | 1415890 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1435762 | 1435762 | Tag | 01! 00! 42! 03! 28! a7! | ok |
1455832 | 1455832 | Tag | 09! 0a! 5e! 5a! ff! c2! | ok |
1475638 | 1475638 | Tag | 15! 00! 00! 00! 28! 51! | ok |
1495534 | 1495534 | Tag | 00! ff! 6b! 04! f4! fd! | ok |
1515650 | 1515650 | Tag | 5e! 5c! 60! 00! 9f! c4! | ok |
1535322 | 1535322 | Tag | 00! 00! 00! 00! de! fc! | ok |
1555150 | 1555150 | Tag | 01! d9! c8! c9! d3! ac! | ok |
1575594 | 1575594 | Tag | 00! 00! 00! 00! de! fc! | ok |
1595490 | 1595490 | Tag | 00! 00! 00! 00! de! fc! | ok |
2241726 | 2241726 | Tag | 00! 78! f0! | ok |
2242688 | 2242688 | Tag | 00! 78! f0! | ok |
2996638 | 2996638 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
3015500 | 3015500 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
3035350 | 3035350 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
3055350 | 3055350 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
3075182 | 3075182 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
3094966 | 3094966 | Tag | 01! 8c! 80! 1b! b4! 6b! | ok |
3114818 | 3114818 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
3134710 | 3134710 | Tag | 01! 00! 42! 03! 28! a7! | ok |
3154822 | 3154822 | Tag | 09! 0a! 5e! 5a! ff! c2! | ok |
3174546 | 3174546 | Tag | 15! 00! 00! 00! 28! 51! | ok |
3194438 | 3194438 | Tag | 00! ff! 6b! 04! f4! fd! | ok |
3214308 | 3214308 | Tag | 5e! 5c! 60! 00! 9f! c4! | ok |
3234422 | 3234422 | Tag | 00! 00! 00! 00! de! fc! | ok |
3254098 | 3254098 | Tag | 01! d9! c8! c9! d3! ac! | ok |
3274522 | 3274522 | Tag | 00! 00! 00! 00! de! fc! | ok |
3294438 | 3294438 | Tag | 00! 00! 00! 00! de! fc! | ok |
proxmark3>
If you have time you can add those annotations:
06 00 = INITIATE
0E xx = SELECT ID (xx = Chip-ID)
0B = Get UID
08 yy = Read Block (yy = block number)
09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written)
0C = Reset to Inventory
0F = Completion
0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate)
EDIT:
ANTENNA POSITIONING
The problems related to not complete snooped commands and/or answers it is dued to antenna positioning;
after a few tests I obtained this:
proxmark3> hf 14b snoop
proxmark3>
proxmark3> #db# Snooping buffers initialized:
proxmark3> #db# Trace: 4096 bytes
proxmark3> #db# Reader -> tag: 2048 bytes
proxmark3> #db# tag -> Reader: 2048 bytes
proxmark3> #db# DMA: 1024 bytes
proxmark3> #db# cancelled
proxmark3> #db# Snoop statistics:
proxmark3> #db# Max behind by: 458
proxmark3> #db# Uart State: 0
proxmark3> #db# Uart ByteCnt: 0
proxmark3> #db# Uart ByteCntMax: 100
proxmark3> #db# Trace length: 0
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr | 06! 00! 97! 5b! | ok | ?
340 | 340 | Tag | 7b! 2c! 3d! | ok |
964 | 964 | Rdr | 0e! 7b! 03! 58! | ok | ?
1304 | 1304 | Tag | 7b! 2c! 3d! | ok |
303978 | 303978 | Rdr | 0b! ab! 4e! | ok | ?
304600 | 304600 | Tag | 29! 74! 91! 78! 24! 18! 02! d0! 85! b0! | ok |
1109274 | 1109274 | Rdr | 08! 00! 87! c1! | ok | ?
1109736 | 1109736 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1130624 | 1130624 | Rdr | 08! 01! 0e! d0! | ok | ?
1131084 | 1131084 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1150472 | 1150472 | Rdr | 08! 02! 95! e2! | ok | ?
1150936 | 1150936 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1170366 | 1170366 | Rdr | 08! 03! 1c! f3! | ok | ?
1170826 | 1170826 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1190260 | 1190260 | Rdr | 08! 04! a3! 87! | ok | ?
1190724 | 1190724 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1210158 | 1210158 | Rdr | 08! 05! 2a! 96! | ok | ?
1210618 | 1210618 | Tag | 01! 8c! 80! 1b! b4! 6b! | ok |
1229940 | 1229940 | Rdr | 08! 06! b1! a4! | ok | ?
1230402 | 1230402 | Tag | ff! ff! ff! ff! 47! 0f! | ok |
1249790 | 1249790 | Rdr | 08! 07! 38! b5! | ok | ?
1250250 | 1250250 | Tag | 01! 00! 42! 03! 28! a7! | ok |
1269946 | 1269946 | Rdr | 08! 08! cf! 4d! | ok | ?
1270406 | 1270406 | Tag | 09! 0a! 5e! 5a! ff! c2! | ok |
1289668 | 1289668 | Rdr | 08! 09! 46! 5c! | ok | ?
1290130 | 1290130 | Tag | 15! 00! 00! 00! 28! 51! | ok |
1309562 | 1309562 | Rdr | 08! 0a! dd! 6e! | ok | ?
1310022 | 1310022 | Tag | 00! ff! 6b! 04! f4! fd! | ok |
1329412 | 1329412 | Rdr | 08! 0b! 54! 7f! | ok | ?
1329874 | 1329874 | Tag | 5e! 5c! 60! 00! 9f! c4! | ok |
1349306 | 1349306 | Rdr | 08! 0c! eb! 0b! | ok | ?
1349766 | 1349766 | Tag | 00! 00! 00! 00! de! fc! | ok |
1369246 | 1369246 | Rdr | 08! 0d! 62! 1a! | ok | ?
1369710 | 1369710 | Tag | 01! d9! c8! c9! d3! ac! | ok |
1389688 | 1389688 | Rdr | 08! 0e! f9! 28! | ok | ?
1390150 | 1390150 | Tag | 00! 00! 00! 00! de! fc! | ok |
1409538 | 1409538 | Rdr | 08! 0f! 70! 39! | ok | ?
1409998 | 1409998 | Tag | 00! 00! 00! 00! de! fc! | ok |
1429764 | 1429764 | Rdr | 08! 10! 06! d1! | ok | ?
Perfect snoop now.
Last edited by asper (2015-01-25 23:54:22)
Offline
IMPORTANT:
After a while testing the snoop command I always had one of those 2 snooping errors:
proxmark3> data buffclear
proxmark3>
proxmark3> #db# Buffer cleared (40000 bytes)
proxmark3> hf 14b snoop
proxmark3>
proxmark3> #db# Snooping buffers initialized:
proxmark3> #db# Trace: 4096 bytes
proxmark3> #db# Reader -> tag: 2048 bytes
proxmark3> #db# tag -> Reader: 2048 bytes
proxmark3> #db# DMA: 1024 bytes
proxmark3> #db# blew circular buffer! behindBy=0x3ff
proxmark3> #db# Snoop statistics:
proxmark3> #db# Max behind by: 1023
proxmark3> #db# Uart State: 3
proxmark3> #db# Uart ByteCnt: 4
proxmark3> #db# Uart ByteCntMax: 100
proxmark3> #db# Trace length: 0
or this:
proxmark3> hf 14b snoop
proxmark3>
proxmark3> #db# Snooping buffers initialized:
proxmark3> #db# Trace: 4096 bytes
proxmark3> #db# Reader -> tag: 2048 bytes
proxmark3> #db# tag -> Reader: 2048 bytes
proxmark3> #db# DMA: 1024 bytes
proxmark3> #db# Reached trace limit
proxmark3> #db# Snoop statistics:
proxmark3> #db# Max behind by: 463
proxmark3> #db# Uart State: 0
proxmark3> #db# Uart ByteCnt: 0
proxmark3> #db# Uart ByteCntMax: 100
proxmark3> #db# Trace length: 0
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
proxmark3>
And snoop was not working anymore (always one of the 2 errors above)
The only way to solve and make snoop working again was to reflash OS... there must be a bug somewhere.
Last edited by asper (2015-01-24 09:56:21)
Offline
Added other NTAG commands to the specific post.
Offline
Thanks. I'll look into it. Re snoop, reboot the device should fix it, sounds extremely strange that you would have to reflash the os. I wont say impossible... How certain are you?
Offline
Almost 100% sure; I don't remember if disconnect/reconnect usb can be considered "reset" (I tryed it lot of time before reflashing OS); if so reflashing OS was the only way to make it (snoop) to a working state again.
Offline
And what are reversed bytes? Is it ba instead of ab? Or bitwise-reverse? Or abcd instead of cdab?
Offline
When you read a block you have 1b808c01, while when you snoop you have 01! 8c! 80! 1b! b4! 6b! but I don't think this should be modified because snooping consist in recording what is passing by during the communication...
EDIT:
I solved the missing "List" using raw comamnds: I just realized I tested the list after the pm3 got stuck (befor reflashing OS); so raw commands listing is working:
proxmark3> hf list 14b
Recorded Activity
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 0 | Rdr | 06! 00! 97! 5b! | ok | ?
0 | 0 | Tag | 8c! 1c! be! | ok |
0 | 0 | Rdr | 06! 00! 97! 5b! | ok | ?
0 | 0 | Tag | e7! c9! 63! | ok |
0 | 0 | Rdr | 0e! e7! e6! 06! | ok | ?
0 | 0 | Tag | e7! c9! 63! | ok |
0 | 0 | Rdr | 0b! ab! 4e! | ok | ?
0 | 0 | Tag | 29! 74! 91! 78! 24! 18! 02! d0! 85! b0! | ok |
0 | 0 | Rdr | 0b! ab! 4e! | ok | ?
0 | 0 | Tag | 29! 74! 91! 78! 24! 18! 02! d0! 85! b0! | ok |
proxmark3>
I Updated the previous post.
Last edited by asper (2015-01-25 23:57:28)
Offline
Thanks. I noticed that I had neglected to change few memory locations where demodding took place, I don't know if that could cause the issues you noted. I have made some changes, but haven't tested it myself yet. You can either test it, or wait a bit and I can do the "preliminary" testing myself.
Offline
I noticed that start and end are always 0, is this an issue?
Offline