Proxmark developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2017-02-14 10:41:40

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

HF EMV implementation for payPass, payWave

Thanks to Iceman, his fork can now be built with EMV support even on a 256k device:

Nonvolatile Program Memory Size: 256K bytes. Used: 222420 bytes (85%). Free: 39724 bytes (15%).

Transaction goes well

pm3 --> hf emv trans
#db# SELECT AID COMPLETED          
#db# EMV TRANSACTION FINISHED          
pm3 --> hf 14a list
Recorded Activity (TraceLen = 211 bytes)          
          
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
iso14443a - All times are in carrier periods (1/13.56Mhz)          
          
      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|          
          0 |        992 | Rdr |52                                                               |     | WUPA          
       2228 |       4596 | Tag |04  00                                                           |     |           
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL          
      10676 |      16564 | Tag |ef  91  43  88  b5                                               |     |           
      18816 |      29344 | Rdr |93  70  ef  91  43  88  b5  ca  23                               |  ok | SELECT_UID          
      30516 |      34036 | Tag |28  b4  fc                                                       |     |           
      35584 |      40352 | Rdr |e0  80  31  73                                                   |  ok | RATS          
      49460 |      70324 | Tag |10  78  80  70  02  00  31  c0  64  1f  27  01  00  00  90  00   |     |           
            |            |     |38  57                                                           |  ok |           
      74880 |     102688 | Rdr |0a  00  00  a4  04  00  0e  32  50  41  59  2e  53  59  53  2e   |     |           
            |            |     |44  44  46  30  31  00  b0  54                                   |  ok |           
     333236 |     382836 | Tag |0a  00  6f  23  84  0e  32  50  41  59  2e  53  59  53  2e  44   |     |           
            |            |     |44  46  30  31  a5  11  bf  0c  0e  61  0c  4f  07  a0  00  00   |     |           
            |            |     |00  04  10  10  87  01  01  90  00  86  5f                       |  ok |           

But unfortunately dumping EMV tag values is not working; it seems that some code adjustments are required, as the array of card data is not filled in:

pm3 --> hf emv dump
#db# currentcard->ATQA=          
#db# 00 00          
#db# currentcard->UID=          
#db# currentcard->SAK1=          
#db# 00          
#db# currentcard->SAK2=          
#db# 00          
#db# currentcard->ATS=          
#db# currentcard->tag_4F=          
....

As an outcome of some investigations, EMV cards can also provide transaction history; that might be interesting to implement as well.

Last edited by osys (2017-02-14 10:42:09)


There is no security at the end, only human factor.
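
An added example, not part of the original post and not Proxmark firmware code: a bounds-checked BER-TLV search run over the FCI bytes the card returned to SELECT 2PAY.SYS.DDF01 in the trace above, showing the value that tag 4F (the field printed empty as currentcard->tag_4F) carries. The names tlv_find and ppse_fci are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: FCI bytes from the SELECT 2PAY.SYS.DDF01 response in
   the trace, without the 0a 00 block prefix, SW 90 00 and CRC. */
static const uint8_t ppse_fci[] = {
    0x6f,0x23,0x84,0x0e,0x32,0x50,0x41,0x59,0x2e,0x53,0x59,0x53,0x2e,0x44,
    0x44,0x46,0x30,0x31,0xa5,0x11,0xbf,0x0c,0x0e,0x61,0x0c,0x4f,0x07,0xa0,
    0x00,0x00,0x00,0x04,0x10,0x10,0x87,0x01,0x01 };

/* Depth-first search for `tag`; returns the value pointer and stores its
   length, or NULL if absent or malformed. The card controls every length
   byte, so each one is checked against what is left in the buffer. */
static const uint8_t *tlv_find(const uint8_t *p, size_t n, uint32_t tag,
                               size_t *vlen)
{
    while (n > 0) {
        size_t i = 0;
        uint8_t first = p[i++];
        uint32_t t = first;
        if ((first & 0x1f) == 0x1f) {            /* multi-byte tag, e.g. bf 0c */
            do {
                if (i >= n || i > 3) return NULL;
                t = (t << 8) | p[i];
            } while (p[i++] & 0x80);
        }
        if (i >= n) return NULL;                 /* tag with no length byte */
        size_t len = p[i++];
        if (len & 0x80) {                        /* long-form length (81/82) */
            size_t k = len & 0x7f;
            if (k == 0 || k > 2 || k > n - i) return NULL;
            for (len = 0; k > 0; k--) len = (len << 8) | p[i++];
        }
        if (len > n - i) return NULL;            /* value would overrun buffer */
        if (t == tag) { *vlen = len; return p + i; }
        if (first & 0x20) {                      /* constructed: search inside */
            const uint8_t *r = tlv_find(p + i, len, tag, vlen);
            if (r) return r;
        }
        p += i + len;
        n -= i + len;
    }
    return NULL;
}

int main(void) {
    size_t n = 0;
    const uint8_t *aid = tlv_find(ppse_fci, sizeof ppse_fci, 0x4f, &n);
    for (size_t j = 0; aid && j < n; j++) printf("%02x", aid[j]);
    puts(aid ? "" : "tag 4F not found");
    return 0;
}
```
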


#2 2017-02-14 11:03:53

iceman
Administrator
Registered: 2013-04-25
Posts: 4,070

Re: HF EMV implementation for payPass, payWave

I've created a new category and moved it there.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#3 2017-02-14 13:16:50

osys
Contributor
From: Nearby
Registered: 2016-03-28
Posts: 62

Re: HF EMV implementation for payPass, payWave

Came across an interesting C implementation for EMV - emv-tools is a set of tools to handle EMV (Europay, MasterCard, Visa) chip cards. Tools are based on the EMV v4.3 standard. 

The code can be found here: https://github.com/lumag/emv-tools/

I may assume that this handling should also apply to the NFC way of communication.


There is no security at the end, only human factor.


#4 2017-02-14 13:23:08

iceman
Administrator
Registered: 2013-04-25
Posts: 4,070

Re: HF EMV implementation for payPass, payWave

The AID and commands should be similar. In Peter Fillmore's imp, it's placed on the device side. We should move it over to the client. That will free a lot of space on the device again.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#5 2017-02-14 13:35:20

iceman
Administrator
Registered: 2013-04-25
Posts: 4,070

Re: HF EMV implementation for payPass, payWave

My Mastercard is ISO14b, so the hf emv * doesn't work. The current imp is using 14a.
I also needed a strong HF antenna to power/read the card.

pm3 --> hw tune
# HF antenna: 34.60 V @    13.56 MHz

pm3 --> hf search

 UID    : xx xx xx 00
 ATQB   : 00 00 00 00 00 81 71
 CHIPID : 00
      App Data: 00 00 00 00
      Protocol: 00 81 71
      Bit Rate: 106 kbit/s only PICC <-> PCD
Max Frame Size: 256 bytes
 Protocol Type: Protocol is compliant with ISO/IEC 14443-4
Frame Wait Integer: 7 - 4096 ETUs | 38656 us
 App Data Code: Application is Proprietary
 Frame Options: NAD is not supported
 Frame Options: CID is supported
Tag :
  Max Buf Length: 0 (MBLI) chained frames not supported
  CDI : 0

Valid ISO14443-B Tag Found - Quiting Search

pm3 --> hf emv trans
#db# Can't select card
#db# EMV TRANSACTION FINISHED

Running on a RDV2.0,  512 Kb, latest source from icemanfork, in a docker container.
This incl "with_LF", nothing is removed yet when compiling.

pm3 --> hw version
[[[ Cached information ]]]

Proxmark3 RFID instrument
bootrom: iceman/master/release-build(no_git)-suspect 2016-10-28 12:50:01
os: iceman/master/ 2017-02-14 11:57:31
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 241067 bytes (46%). Free: 283221 bytes (54%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#6 2017-02-14 22:00:41

iceman
Administrator
Registered: 2013-04-25
Posts: 4,070

Re: HF EMV implementation for payPass, payWave

I've made a clip showing how to enable EMV on my docker container 

Youtube: https://youtu.be/Naw5qo8UOLE


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#7 2017-02-15 03:28:54

iceman
Administrator
Registered: 2013-04-25
Posts: 4,070

Re: HF EMV implementation for payPass, payWave

Coverity Scan found some bugs inside the EMV source; I've pushed some fixes. @osys, would you mind testing?


modhex(hkhehghthbhudcfcdchkigiehgduiehg)


#8 2017-11-10 18:49:12

iceman
Administrator
Registered: 2013-04-25
Posts: 4,070

Re: HF EMV implementation for payPass, payWave

The new EMV command implemented by Merlokk in PM3 Official should be helpful.


modhex(hkhehghthbhudcfcdchkigiehgduiehg)
