Proxmark developers community


#1 2017-06-29 10:02:16

abdo79
Contributor
Registered: 2017-06-18
Posts: 22

HID simulation

Hi;
I am trying to simulate an HID card after I read its ID:
proxmark3> lf hid fskdemod 1
proxmark3>
proxmark3> #db# TAG ID: 20065a92b6 (18779) - Format Len: 26bit - FC: 45 - Card: 18779
proxmark3> #db# Stopped
Then I simulated it using the following command:

proxmark3> lf hid sim 20065a92b6
Emulating tag with ID 20         65a92b6
Press pm3-button to abort simulation
proxmark3>
The A LED is green and D is blue.
I disconnected the Proxmark after connecting an external power source to it and tried to use it with the reader, but it didn't work. Any help?
I wonder if the Proxmark emulated the wrong ID "20         65a92b6".
The following is the version:
Prox/RFID mark3 RFID instrument
bootrom: iceman/master/v1.1.0-2051-ge82496ca 2017-06-17 15:11:42
os: iceman/master/v1.1.0-2051-ge82496ca 2017-06-17 15:11:47
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 216650 bytes (83%). Free: 45494 bytes (17%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory


#2 2017-06-29 13:24:00

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: HID simulation

Do you have the same problem if you use the official version instead of Iceman's?


#3 2017-06-29 19:54:20

abdo79
Contributor
Registered: 2017-06-18
Posts: 22

Re: HID simulation

Thanks for your reply.
Yes, it is the same with the official version as well. But the main reason I changed to Iceman instead of the official one is that the hw tune command doesn't work as well, while in the Iceman copy it works fine.


Prox/RFID mark3 RFID instrument
bootrom: master/v2.2.0-528-g2a7861e-suspect 2017-06-27 09:17:15
os: master/v2.2.0-528-g2a7861e-suspect 2017-06-27 09:17:19
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 192561 bytes (73%). Free: 69583 bytes (27%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> lf hid sim 20065a92b6
Emulating tag with ID 20         65a92b6
Press pm3-button to abort simulation
proxmark3>
proxmark3> #db# Stopped
proxmark3> hw tune
Measuring antenna characteristics, please wait...
# LF antenna:  0.00 V @   125.00 kHz
# LF antenna:  0.00 V @   134.00 kHz
# LF optimal:  0.00 V @ 12000.00 kHz
# HF antenna:  0.00 V @    13.56 MHz
# Your LF antenna is unusable.
# Your HF antenna is unusable.
proxmark3>


thanks


#4 2017-07-28 17:32:40

eug33ne
Contributor
Registered: 2017-07-17
Posts: 11

Re: HID simulation

```
# Your LF antenna is unusable.
# Your HF antenna is unusable.
```
I faced the same when I flashed the image from official but used the client from Iceman, and vice versa.
Please try to use a client and firmware built from one source.


```
i disconnected the PROXMARK after connecting external power source to it and tried to use it with the reader but it didn't work
```
I tried to simulate HID yesterday on the latest official build; no reaction from my office's wall-mounted reader.
Weak antenna?
How does the pm3 emulate from a hardware perspective? Maybe too little power is being emitted? Our readers could even see my tiny NFC ring with a very little antenna.


#5 2017-07-28 19:10:46

iceman
Administrator
Registered: 2013-04-25
Posts: 3,747

Re: HID simulation

Check your antenna cable?



#6 2017-07-28 21:01:42

eug33ne
Contributor
Registered: 2017-07-17
Posts: 11

Re: HID simulation

iceman wrote:

Check your antenna cable?

Yeap, classic. "One old sysadmin always told me: check cables first."
I'm personally using a /pm3 v3 easy/ from China; the LF antenna is attached to the board with screws, no cables at all.
Like this one https://images-na.ssl-images-amazon.com/images/I/51ojySkuwlL.jpg

Just now I played around the HID reader rotating the antenna; no luck :(
Will do some experiments today.

Last edited by eug33ne (2017-07-28 21:02:08)


#7 2017-07-28 21:52:37

eug33ne
Contributor
Registered: 2017-07-17
Posts: 11

Re: HID simulation

Well, the pm3 detects the reader's field:

proxmark3> #db# LF 125/134kHz Field Change: 10862mV
proxmark3> #db# LF 125/134kHz Field Change:  1375mV
proxmark3> #db# LF 125/134kHz Field Change:  4537mV
proxmark3> #db# LF 125/134kHz Field Change: 16087mV
proxmark3> #db# LF 125/134kHz Field Change:  3162mV

and so on.

tune:
Measuring antenna characteristics, please wait.........
# LF antenna: 25.16 V @   125.00 kHz
# LF antenna: 16.77 V @   134.00 kHz
# LF optimal: 28.88 V @   120.00 kHz
# HF antenna: 21.27 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.


But the reader doesn't react to:
proxmark3> lf hid sim <tagID>

(The A LED stays ON during emulation, the D LED blinks near the reader, but no reaction from the reader.)

I just can't believe that this little buddy http://www.jakcom.com/ins/R3/JAKCOM_R3.files/image002.jpg has more induced power or clearer modulation than an FPGA-driven Proxmark with a several times bigger antenna.


#8 2017-07-28 22:49:54

iceman
Administrator
Registered: 2013-04-25
Posts: 3,747

Re: HID simulation

Looks like your antenna is no longer "unusable", which is good.
Are you using the sim command correctly? Using the raw output from lf search?



#9 2017-07-28 23:03:49

eug33ne
Contributor
Registered: 2017-07-17
Posts: 11

Re: HID simulation

Thanks for your reply, Iceman. The topic starter had troubles with the antenna; mine was good )

Not sure about *raw* output. I've used

proxmark3> lf search
lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag
False Positives ARE possible


Checking for known tags:

HID Prox TAG ID: 2004fc614e (12455) - Format Len: 26bit - FC: 126 - Card: 12455

Valid HID Prox ID Found!

then

lf hid sim 2004fc614e

BTW, "lf hid clone 2004fc614e" works perfectly.


#10 2017-07-29 00:10:57

iceman
Administrator
Registered: 2013-04-25
Posts: 3,747

Re: HID simulation

Sorry, missed that little info.
OK, I see that the source doesn't have the correct fix in the Iceman fork. Official PM3 master should have worked.
https://github.com/iceman1001/proxmark3 … f93417c517



#11 2017-07-29 00:35:27

eug33ne
Contributor
Registered: 2017-07-17
Posts: 11

Re: HID simulation

iceman wrote:

Sorry, missed that little info.
OK, I see that the source doesn't have the correct fix in the Iceman fork. Official PM3 master should have worked.
https://github.com/iceman1001/proxmark3 … f93417c517

Hm, that's the issue:
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-62-g6f7a0f7-dirty-suspect 2017-07-27 18:18:30
os: master/v3.0.1-63-g8cf533f-suspect 2017-07-27 19:28:56
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26

from official git. I see the code from your fork and official/master is slightly different for armsrc/lfops.c @SimulateTagLowFrequency().
Will try to go deeper into the difference.


#12 2017-07-29 00:51:59

iceman
Administrator
Registered: 2013-04-25
Posts: 3,747

Re: HID simulation

I got the hid-sim to work with two pm3, running the Iceman fork with the fix.
Will need some testing with the official pm3 master to see what's up.

[edit] Yep, sneaky old problem.



#13 2017-07-31 23:37:19

eug33ne
Contributor
Registered: 2017-07-17
Posts: 11

Re: HID simulation

Well, I've tried the last build from Iceman, the latest official and marshmellow builds; the results are the same.
The HID reader doesn't respond to simulation via lf hid sim.
Not even to lf simfsk with various clockings from the demod buffer.


#14 2017-08-01 16:19:46

eug33ne
Contributor
Registered: 2017-07-17
Posts: 11

Re: HID simulation

OMG! Just for lolz I flashed back the old 'stock' firmware from an unknown source (marked as 2.0.0) that came with my pm3

#db# bootrom: /-suspect 2015-05-24 09:54:53
#db# os: /-suspect 2015-05-24 09:56:23
#db# LF FPGA image built on 2015/03/06 at 07:38:04

and LF simulation surprisingly managed to work.

Did some digging in blame and history on lfops.c; seems like it was
https://github.com/Proxmark/proxmark3/commit/83f3f8ac40b47e220954e620a5ecbe41f54f4dc7
that might have broken sim.

I'm afraid usb_poll_validate_length() in the loops waiting until SSC_CLK goes HIGH or LOW induces some delays that break the modulation timings.

```c
if(BUTTON_PRESS() || (usb_poll_validate_length() )) {
```

Long story short: I recompiled the latest Iceman code excluding usb_poll_validate_length() from that "if", and LF simulation is working now. Hm.
Need review from wise comrades.


#15 2017-08-02 09:03:04

ntk
Contributor
Registered: 2015-05-24
Posts: 690

Re: HID simulation

I don't have a real reader to test with and report back, but LF HID simulation working again is very good news.

Hope this find will be confirmed soon by Marshmellow, iceman, piwi, Holiman, app-01 etc. and by other testers against a real reader.



#16 2017-08-02 15:35:19

eug33ne
Contributor
Registered: 2017-07-17
Posts: 11

Re: HID simulation

Yeah, I'm gonna perform some additional testing to keep the USB loop-break ability and will wrap my thoughts into a git PR for review.


#17 2017-08-02 16:39:07

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: HID simulation

Add a counter and only check button/usb poll every 1000th iteration.

It is interesting that I can get it to work as is on my pm3, but I agree it is not very consistent.
Adding my suggestion above makes it more consistent with my pm3.

I also noticed there is a bug somewhere that makes the first attempt to sim always fail but the second attempt works.

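The rate-limited abort check suggested above, as an added host-side example that is not code from the proxmark3 repository or from any poster: the SSC_CLK sample and the BUTTON_PRESS()/usb_poll_validate_length() check are replaced by assumed mocks (clk_bit, abort_poll) so the SimulateTagLowFrequency()-style loop can be run and counted on a PC, with the edge order as quoted from master in this thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed mocks, host-side only. clk_bit() stands in for the
 * (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) sample and toggles on every
 * read so the edge-wait loops terminate. abort_poll() stands in for
 * BUTTON_PRESS() || usb_poll_validate_length() and reports "abort" once it
 * has been called abort_after times. */
static int g_clk = 0;
static size_t g_polls = 0, g_abort_after = 0;
static int  clk_bit(void)    { g_clk ^= 1; return g_clk; }
static bool abort_poll(void) { return ++g_polls >= g_abort_after; }
static void drive_coil(uint8_t bit) { (void)bit; /* open/short coil on real hw */ }

#define POLL_EVERY 1000   /* check button/USB only every 1000th bit, as suggested */

struct sim_stats { size_t bits; size_t polls; };

/* Replay buf[0..len) one bit per reader clock period, repeating the pattern
 * until the rate-limited abort check fires. Edge order follows master as
 * quoted in the thread: loop while low, emit, loop while high. */
struct sim_stats simulate_lf(const uint8_t *buf, size_t len, size_t abort_after)
{
    struct sim_stats st = {0, 0};
    uint32_t counter = 0;
    g_clk = 0; g_polls = 0; g_abort_after = abort_after;
    for (;;) {
        for (size_t i = 0; i < len; i++) {
            while (!clk_bit()) {}      /* wait until SSC_CLK goes HIGH */
            drive_coil(buf[i]);
            st.bits++;
            while (clk_bit()) {}       /* wait until SSC_CLK goes LOW */
            /* Polling the USB stack on every bit adds latency that breaks the
             * modulation timing, so it is done only every POLL_EVERY bits. */
            if (++counter >= POLL_EVERY) {
                counter = 0;
                st.polls++;
                if (abort_poll()) return st;
            }
        }
    }
}

/* Constructed 26-bit sample pattern (not a real card ID), used by main/test. */
static const uint8_t SAMPLE_PATTERN[26] = {1,0,1,1,0,0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,0,0,1,1,0,1};
struct sim_stats run_sample(size_t abort_after) { return simulate_lf(SAMPLE_PATTERN, 26, abort_after); }

int main(void) {
    struct sim_stats st = run_sample(3);
    printf("bits emitted: %zu, abort checks run: %zu\n", st.bits, st.polls);
    return 0;
}
```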

#18 2017-08-02 17:15:23

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: HID simulation

```c
// set LF so we don't kill the bigbuf we are setting with simulation data.
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
```

Needs to be added to cure the bug that makes the first attempt fail (for each LF simulation).


#19 2017-08-02 17:23:16

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: HID simulation

see https://github.com/Proxmark/proxmark3/pull/369

and let me know if it fixes your issues.


#20 2017-08-02 23:40:17

eug33ne
Contributor
Registered: 2017-07-17
Posts: 11

Re: HID simulation

marshmellow wrote:

...
I also noticed there is a bug somewhere that makes the first attempt to sim always fail but the second attempt works.

I've also noticed this bug.
But from my point of view, after some debugging, I've found out that the conditions are not used correctly in the "while" loops.
"// wait until SSC_CLK goes HIGH"
is really

```c
while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
```

, not inverted,
and the condition "//wait until SSC_CLK goes LOW" is really

```c
while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
```

, really inverted!

So, following the code that is now in master:
when there is no external reader, the first run of the "for" loop skips the first "while(!(...))", emits 1 bit from buf, jumps into the second "while(..)" and waits for the reader field there. That is not OK, BTW. (Or do I misunderstand the states of GPIO_SSC_CLK when exposed to an external field or not?)
I would suggest inverting the conditions in the while loops, vice versa.

Sorry for the messy explanation)

Last edited by eug33ne (2017-08-02 23:51:48)


#21 2017-08-03 05:15:41

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: HID simulation

I believe you are reading the intent of it wrong...  Wait until high. So loop while low...
We don't want to wait while it is high (on the first one.)


#22 2017-08-03 14:10:15

eug33ne
Contributor
Registered: 2017-07-17
Posts: 11

Re: HID simulation

That's the point, Marshmellow.
"Wait until high. So loop while low"
So, from my experiments, the "loop while low" condition is in effect while (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) is true,
not !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) as now in the code.

As I've mentioned, I tested with no reader field:

```c
//from the current master:

for(;;)
    while(!(...))
...
//emit 1 bit
...
    while(...) // <-- loop stops here waiting for the field
```

But it seems more correct to stop and wait for the field in the 1st while.

That's why I propose to invert the conditions.
Looks like (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) is actually 1 with NO field and 0 under the reader's field.

Last edited by eug33ne (2017-08-03 14:15:34)


#23 2017-08-03 14:21:55

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: HID simulation

It is not saying the reader field is high, just that the value we are reading is high (1 vs 0). Reversing it might require a change in the open/short logic (it may result in an inverted signal back to the reader, which some modulations won't care about, but others will).

The sim code isn't currently designed to wait for a reader field before it begins modulating; it assumes one is there and attempts to start modulating. If no field is present then yes, it will hang up on the lower while loop. I suppose adding that check could be an improvement, but with minimal effect as the simulation data just repeats itself.


#24 2017-08-04 14:13:07

iceman
Administrator
Registered: 2013-04-25
Posts: 3,747

Re: HID simulation

...I doubt the simulation is active; with active I mean in the sense that we are powering the antenna.
The simulation should draw power from the presented reader field. So the idea is that we shouldn't start sending the simulated signal until the reader field is present. Still dark magic as to what is used for detection.

Is GPIO_SSC_CLOCK set (HIGH/1) when there is a reader field?
Or is GPIO_SSC_CLOCK unset (LOW/0) when there is a reader field?

That would be nice to know....


Maybe we should have active simulation, to enhance the reading distance? Or do we have active simulation already?



#25 2017-08-04 16:08:40

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: HID simulation
