Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-07-21 22:12:25

Delphis
Contributor
Registered: 2017-06-09
Posts: 16

Reading CryptoRF

Hi,

I am trying to read what are believed to be CryptoRF tags. ( http://nfc-tools.org/index.php?title=Nfc-cryptorf )

In attempting to use the proxmark3 to scan for these I'm coming up confused as to how to do it. I have found lots of resources on scanning for 14a modulations. Does the proxmark3 even support scanning for them? When I do 'hf snoop', a light on the PM3 goes red. It appears to read something and stops recording with 'Trigger kicked!', but it's only captured 1 byte. I repeated this trying the 'skip triggers' parameter but didn't get ANY data then.

When trying to do 'hf 14b snoop', the command states buffers are readied, but no lights light on the PM3. Performing the same operations to (hopefully) get the tag and reader to communicate yields no captured data. Doing 'hf list 14b' says TraceLen=0.

I know this is a developer forum and not a user help forum but I'm confused if I'm even using the device properly.

In that URL I listed earlier, that's what I'm trying to get. A trace of the communication between the reader and the tag. I just don't know how to get there.


#2 2017-07-22 13:08:55

iceman
Administrator
Registered: 2013-04-25
Posts: 3,747
Website

Re: Reading CryptoRF

There is not much usage nor documentation for CryptoRF. It's a very old system. Are you sure you are dealing with a CryptoRF?


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#3 2017-08-03 19:11:58

Delphis
Contributor
Registered: 2017-06-09
Posts: 16

Re: Reading CryptoRF

I missed this reply.. I thought I had subscribed to it.. hmm.


Yes, I have it on good authority (research performed by a third party) that the system is Atmel CryptoMemory/CryptoRF based.

Given the information here: http://www.atmel.com/products/security-ics/secure-rf/default.aspx .. it appears it should be 'ISO 14443 Type 13.56MHz RFID'. Doing hf 14b snoop *should* yield data, should it not? I don't know if I'm just messing things up with the proxmark since I'm new to it or if it is shielded in some way. I am working on trying to set up a testbed to eliminate possibility of shielding but I thought I'd ask to see if anyone has tried to eavesdrop this style of communication before.


#4 2017-08-03 20:09:32

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: Reading CryptoRF

from my limited research a while ago it seems the cryptoRF only supports a bitrate of 106kbit. 

the pm3 currently doesn't support this mode. 
piwi has issued a pull request (here) to fix the fpga to allow this mode but then it will need to be implemented into the armsrc code. 

i intend to look into it but have not found time yet.


#5 2017-08-03 21:30:26

Delphis
Contributor
Registered: 2017-06-09
Posts: 16

Re: Reading CryptoRF

Ah, ok. Thank you. That does shed more light on it. If there's anything I can do to help development, please let me know. I'm a C programmer of many years. While the Verilog stuff isn't anything I'm familiar with, I'd be happy to help where I can.


#6 2017-08-04 04:57:18

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: Reading CryptoRF

Thankfully I think piwi did the verilog work, we just need to implement it on the armsrc and client side. 

But his FPGA changes still need to be tested to make sure they don't affect other 14b cmds or 15693 or iclass.  Then I can accept his pull request.
Then we can implement bitrate options for the 14b cmds, using the new half and quarter bit rate fpga signal options.

I'd certainly welcome help. ;)


#7 2017-08-04 15:05:41

Delphis
Contributor
Registered: 2017-06-09
Posts: 16

Re: Reading CryptoRF

Certainly testing I'm happy to help with. I have a Linux box connected to the Pm3 currently and can compile the source. You can email directly if you'd like to instruct me what to help with.


#8 2017-08-04 18:53:49

iceman
Administrator
Registered: 2013-04-25
Posts: 3,747
Website

Re: Reading CryptoRF

I don't think piwi's PR is about 106 kHz functionality since we had that before. I believe that it was the 424 kHz and 212 kHz modes returned into the FPGA but as @marshmellow42 mentioned there is no implementation of it on device-side to deal with it yet. The software uarts don't handle these optional speeds.

Sadly not too many contributors are able to code a UART.

Speaking of CryptoRF, the vinglocks also use it for personnel-cards etc. Which would be nice to support with the PM3.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#9 2017-08-04 18:56:29

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: Reading CryptoRF

not quite.  piwi's pull request re-enables quarter bitrate mode.  (was removed a while ago while fixing other bugs..)
we already had 818, and 424, but with quarter mode we can quarter 818 to get 212 and quarter 424 to get 106.


#10 2017-08-04 18:58:52

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: Reading CryptoRF

also the uart should already exist (14b...)  just need to adjust the speeds i.e. minor mode (add the quarter mode flag)(i think)...


#11 2017-08-04 19:41:01

Delphis
Contributor
Registered: 2017-06-09
Posts: 16

Re: Reading CryptoRF

I am a bit confused as to how the PM3 doesn't support scanning for CryptoRF when the wiki page on nfc tools says the trace was obtained with a 'Proxmark RFID Research Tool' , what I assume to be a Proxmark3 .. Or was it supported in the past on older models?

It's probably a moot point but I'm just curious.


#12 2017-08-04 19:47:35

marshmellow
Moderator
From: US
Registered: 2013-06-10
Posts: 2,007

Re: Reading CryptoRF

A lot of code for the pm3 has never been shared...

That said it may be possible an old version may have partially supported it.


#13 2017-08-04 21:11:02

iceman
Administrator
Registered: 2013-04-25
Posts: 3,747
Website

Re: Reading CryptoRF

there is no command set in current pm3 impl that supports cryptorf to my knowledge.
That Roel might have done it in 2009,  doesn't mean that code ever got into pm3 master.

The cryptorf commands / protocol is also quite unknown. 

@marshmellow42   so the quarter idea was to divide it by four..   That would explain things.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#14 2017-08-14 22:01:21

Delphis
Contributor
Registered: 2017-06-09
Posts: 16

Re: Reading CryptoRF

It's ok if there's no command set in pm3, it's obtaining a trace of the handshake at the right bitrate that I'm most interested in. Once I can get that I can decode the key and use it with an atmel development kit.


#15 2017-08-15 07:14:03

iceman
Administrator
Registered: 2013-04-25
Posts: 3,747
Website

Re: Reading CryptoRF

The trace on nfc-tools wiki is a HF 14b snoop output.  So building the needed commands for easy access to tag shouldn't be too hard. You would need to identify all commands, maybe you have a full datasheet as well..


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#16 2017-08-15 15:01:16

Delphis
Contributor
Registered: 2017-06-09
Posts: 16

Re: Reading CryptoRF

That's good to have it confirmed what that output looks like, thank you. I guessed at trying the 14b snoop. I have an atmel development kit for accessing cryptorf cards, just need that key :)
