Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#51 2016-12-27 17:11:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Simulating an active tag?

upon closer inspection of your scope trace, i see our PM3 trace is flawed.  in the center there should be 3 equally spaced dips (dampened frequency).  in our traces the first of those typically appears as a wider area.

Offline

#52 2016-12-27 17:25:07

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Simulating an active tag?

is there anyway to get the duration in microseconds of each section from the scope?
starting high section:
first low:
second high:
second low:
third high:
third low:
fourth high:
fourth low:
fifth high:
fifth low:
final high:

also, are all your pm3 traces read with the 134khz mode?  can you do one at 125khz?

Offline

#53 2016-12-27 19:25:56

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: Simulating an active tag?

@marshmellow Sure, I'll work on getting those timings, and I'll get two traces near the same time in each mode.

Offline

#54 2016-12-27 22:59:34

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: Simulating an active tag?

Okay, here are new `lf read`s and `lf snoop`s, both in `lf config H` and `lf config L`, however these are from a NEW active tag (vehicle). The old one I was testing with is gone (gf drove away:), but I found another vehicle that's same make/model, different year, that ALSO incites my "reader" (keyfob) and causes it to respond in UHF, even though it's not in any way keyed to it.

Although this immediately seems like a vuln, there is clearly less data going back and forth -- normally when both are together, there are more LF + UHF messages getting transmitted back and forth, but for now I'm just trying to get the very first message to produce the fob's first UHF response.

New tag, `lf config H`
https://samy.pl/tilf/H-new-lf-read-1.trace
https://samy.pl/tilf/H-new-lf-read-2.trace
https://samy.pl/tilf/H-new-lf-snoop-1.trace

New tag, `lf config L`
https://samy.pl/tilf/L-new-lf-read-1.trace
https://samy.pl/tilf/L-new-lf-read-2.trace
https://samy.pl/tilf/L-new-lf-snoop-1.trace

Offline

#55 2016-12-28 05:51:49

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Simulating an active tag?

we aren't getting a good read for some reason (some waves are obscured).

how small is the transponder you are trying to read and how large is your antenna?  sometimes small transponders require small diameter (focused) antennas. 

your antenna appeared to be tuned a bit high (better at higher frequencies), yet the Low read appeared to give slightly better results (i think, unless the carrier is bleeding through).  possibly an antenna tuned more towards the 125khz range (though yours isn't bad) would yield cleaner results.

I'm just not sure how to apply the scope results to the modulating of the carrier via the pm3 simulation.  we are at the edge of my understanding there i'm afraid.  if i had a clean signal read on the pm3 i can adjust the sim to mimic it, but i don't think the pm3 is getting everything...

Offline

#56 2016-12-28 06:05:26

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Simulating an active tag?

since your scope suggested 142.8 khz we could try a divisor of 83  `lf config q 83`
and read again.  might show something different...

Offline

#57 2016-12-28 06:21:06

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: Simulating an active tag?

Here is my antenna (HF+LF combined, LF is the red):
antenna

I'm not sure the size of the tag's antenna because it's inside the vehicle. The keyfob can pick up the signal from at least 1 meter away from the vehicle.

I found another chip from TI that has similar capabilities (TMS37F158), and the pseudo-datasheet had a bit more info and suggested a TMS3705 base station on the car side. I'm looking now for some suggested antennas of devkits from TI so we can get an idea of the size.

Offline

#58 2016-12-28 10:06:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Simulating an active tag?

@OP, Does yr datasheet say something about HDX?

Offline

#59 2016-12-28 10:12:13

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: Simulating an active tag?

@iceman yeah, this does say it's HDX http://www.ti.com/lit/ds/scbs879/scbs879.pdf

Offline

#60 2016-12-28 10:36:49

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Simulating an active tag?

I've been reading about FDXB/HDX and HDX states the reader shut of its signal for a while and then listens to the tag reply.
It might not be relevant to this,  but you mention that you have a carrierwave all the time...

Offline

#61 2016-12-28 11:21:37

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: Simulating an active tag?

@iceman No, the carrier wave is only transmitted every few seconds as it appears along with the signal -- you can see clearly from the `lf snoop`s it's no there normally, only to transmit the data

Offline

#62 2017-05-22 09:00:13

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: Simulating an active tag?

I've gotten a full capture of the active LF field transmitted (no "receiver" nearby) using an oscilloscope. I've reformatted into pm3 .trace format.

https://samy.pl/o/scope-big.trace.gz (3.5MB) -- gunzip it first of course

I also adjusted MAX_GRAPH_TRACE_LEN to 10000000 in client/graph.h and client/proxgui.h, otherwise proxmark will crash when loading the file in. Also, `make` isn't enough, you will likely need to `make clean && make` in the client directory, then you can `data load scope-big.trace`.

Anyone suggest another tool to look at data like this? I tried Audacity by reading it as an unsigned 8-bit PCM file, but it doesn't look quite right. It should look like
scope

Offline

#63 2017-05-22 15:32:10

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Simulating an active tag?

what is the time scale of the trace?  (horizontal scale, normal pm3 i think is 8us.)

Offline

#64 2017-05-22 15:45:17

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Simulating an active tag?

Makes me think that when we sample in 134Khz,  do we need to consider that in the plot window?

Offline

#65 2017-05-22 15:58:04

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Simulating an active tag?

iceman wrote:

Makes me think that when we sample in 134Khz,  do we need to consider that in the plot window?

it is automatically sampled at a different rate when the divisor is changed. 
i'd like to know what capture rate his scope was running so i can correctly adjust it for possible emulation.

Offline

#66 2017-05-22 19:49:49

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: Simulating an active tag?

@marshmellow I believe it was recording at 1GS/s.

I have a full 14 million points here (I tried trimming manually before with the last file, but just in case):
https://samy.pl/o/scope-full.trace.gz

In the scope-full CSV (Rigol DS2302A-S), the voltages were between -61.32 to 57.96. In this scope-full, I've scaled it from [-64 to 63] to [-128 to 127]. In the smaller one (scope-big.csv), I've normalized [-62 to 62] to [-128 to 127]

Offline

#67 2017-05-22 20:32:10

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: Simulating an active tag?

Okay, here's a usable trace (in pm3 at least). It would still be nice if there were some other software to get a better look at all the data, but since 8us = 125kS, and 1Gs/125kS = 8000, I've taken one sample every 8000 samples from scope-full and put it here:
https://samy.pl/o/scope-every8k.trace

ss.png

Offline

#68 2017-05-22 20:46:32

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: Simulating an active tag?

This looks like a simple frequency modulation on and off cycling. 
Just have to correctly identify the frequency, set the pm3 to cycle it on and off like this (with the proper divisor set and antenna built for the frequency) and we can then move to the next step.

Offline

#69 2017-05-22 20:54:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: Simulating an active tag?

Measure the time for each cycle in us/ms  and you can replicate it as @marshmellow said.

Offline

#70 2017-05-22 21:06:14

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148
Website

Re: Simulating an active tag?

Thanks friends! Investigating further.

Offline

Board footer

Powered by FluxBB