Proxmark3 community


#51 2019-09-25 14:18:18

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

piwi wrote:

I feel that a combination of your and my code should do the trick...

Maybe... Unfortunately, this takes a lot of time and effort. Just in case, I whipped up my own repository https://github.com/sherhannn79/proxmark3_sher (I'm new to github). All changes to speed up work are contained in iclass.c.


#52 2019-09-25 17:46:06

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

I found UPDATE and CHECK[Kc] implemented in your branch. I tried to merge this. Can you please review?


#53 2019-09-25 18:26:26

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

https://github.com/sherhannn79/proxmark3_sher
Fix bugs
Add comment to UPDATE command

CHECK_KC is no different from CHECK. I just added it so that there were no question marks in hf list iClass.

Last edited by sherhannn79 (2019-09-25 18:29:05)


#54 2019-09-25 19:10:21

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

... except that Kc needs to be used to calculate the MAC response instead of Kd....


#55 2019-09-25 19:20:36

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

If you do your next tests then please run 'hf list iclass f' in order to see the fdt (frame delay times, the time between reader command and tag response). They should all be 4224. Possibly we need to adjust the timing for the lengthy UPDATE code.


#56 2019-09-26 01:49:28

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

piwi wrote:

... except that Kc needs to be used to calculate the MAC response instead of Kd....

Perhaps you mean the READCHECK_KD and READCHECK_KC. If so, then they certainly differ.

Last edited by sherhannn79 (2019-09-26 01:49:47)


#57 2019-09-26 01:50:54

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

piwi wrote:

If you do your next tests then please run 'hf list iclass f' in order to see the fdt (frame delay times, the time between reader command and tag response). They should all be 4224. Possibly we need to adjust the timing for the lengthy UPDATE code.

https://www.sendspace.com/file/3813ez


#58 2019-09-26 02:11:08

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

@piwi
I pushed my complete repository based on your branch. Made corrections to iclass.c because it did not work properly and fixed some stuff. https://github.com/sherhannn79/proxmark3_sher


#59 2019-09-26 07:54:38

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

Travelling for the next days. Will check on weekend.


#60 2019-09-30 07:26:48

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

I see some changes/additions which are unrelated to authentication:

  • simulating multiple pages

  • simulating personalization

  • a fix to hf iclass eload (I have added a separate PR for this)

Otherwise you have moved around the MAC calculations and the cipher state is passed by reference instead of by value. None of these changes should affect the authentication. Or did I miss something? Does it work for your old reader now?


#61 2019-09-30 08:15:27

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

None of these changes affect authentication with a tag that has only one page. I made these changes to possibly increase the response speed, but I did not achieve the result.
For reader rev. 1, none of my builds work well. I come to the conclusion that this is probably a very non-standard reader.
The build based on the original repository with the 'GetIClassCommandFromReader', 'uart_samples' functions from the Iceman repository and my little optimizations works well on the revision 2 reader. On the reader rev. 1, this assembly is authenticated with 6 attempts.
Your assembly is not authenticated with the reader of revision 2. After a little analysis, I realized that the problem is in the response to READ4. After the proxmark responds to this command (with 8 * 4 + 2 data), the reader for some reason does not recognize the answer (although the answer looks correct in 'hf iclass list') and breaks the session. With the reader rev. 1 (which does not have the 0x26 and READ4 commands) using your assembly, I could not achieve any successful authentication (in this case, in my opinion, the reason is the speed of the response to the CHECK).


#62 2019-09-30 15:07:57

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

I am not sure to which releases you are referring in your comparison and if they include your and my latest changes.

Specifically: what works and what doesn't work with the release on your github repository?


#63 2019-10-04 15:07:35

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

Well, I have done the last tests and will try to explain the result as clearly as possible.

To start:
    We have two releases, let's call them Release0 and Release1.
    Release0 (https://github.com/sherhannn79/proxmark3_sher) is a repository
    based on piwi's repository (https://github.com/pwpiwi/proxmark3/tree/fix_iclass_sim)
    with some changes in 'iclass.c', in the 'doIClassSimulation' function,
    mainly for the ability to work with the Credit Key and multi-page tags.
    Release1 (https://github.com/sherhannn79/proxmark3_sher_1) is a repository
    based on the official proxmark3 repository (https://github.com/Proxmark/proxmark3)
    which includes the following main changes:
        1.1 'GetIClassCommandFromReader' works with the functions 'uart_init', 'uart_samples', 'uart_bit'
            from Iceman's repository (https://github.com/iceman1001/proxmark3) which, in turn, are slightly optimized.
        1.2 Slightly optimized functions 'CodeIClassTagAnswer', 'encode4Bits', 'SendIClassAnswer'.
        1.3 In several functions, the ability to work with multi-page tags has been added.
        1.4 In 'doIClassSimulation', the ability to work with the Credit Key has been added.

    We also have three readers. Two of them are different versions and one is from another manufacturer.
    In order of increasing production date, we will call these readers: reader0, reader1 and reader2.
    Please note that reader0 is presented here for comparison only, since in practice it is not suitable for my purposes.
    I also note that all of the readers listed are functional and always work correctly with genuine HID tags.

    We have three installed official software packages for working with the corresponding readers.
    All tests were carried out as follows: in the software of the corresponding reader,
    a function was selected for reading a new card, after which a proxmark3 was brought to the corresponding reader.

    Proxmark3 was preconfigured as follows:
    with the 'hf iclass eload' command, a dump copy of one genuine blank card was loaded
    (the same dump was used in all tests).
    Then the command 'hf iclass sim 3' was launched.

So:
    Test0_0 (reader0 + release0): https://www.sendspace.com/file/dxecs0
        Official software answered with an operation error.

    Test0_1 (reader0 + release1): https://www.sendspace.com/file/54p3fz
        Official software answered with an operation error.
        Please note that earlier, in the first stages of changing my repositories,
        I was able to correctly authenticate with this reader.
        Unfortunately, I did not notice the change after which my assemblies stopped,
        in principle, interacting with this reader,
        and now I do not have enough time to find the bug.

    Test1_0 (reader1 + release0): https://www.sendspace.com/file/bp8pap
        Official software answered with an operation error.
        In this case, in my opinion, authentication fails
        because the response time to the 'check' reader command is exceeded.

    Test1_1 (reader1 + release1): https://www.sendspace.com/file/qfrded
        Official software responded with the success of the operation.
        I note that only one successful example is presented here,
        which was obtained from about six unsuccessful ones.

    Test2_0 (reader2 + release0): https://www.sendspace.com/file/9g4hpk
        Official software answered with an operation error.
        After analyzing the trace, I come to the conclusion that authentication is successful here;
        however, after several responses from the proxmark to the 'read4' reader command,
        the reader interrupts the session.

    Test2_1 (reader2 + release1): https://www.sendspace.com/file/wdylqf
        Official software responded with the success of the operation.

Last edited by sherhannn79 (2019-10-04 20:52:35)


#64 2019-10-04 19:34:21

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

Can you please provide (on some filesharer)

  • the traces (hf list) of your tests

  • the dump file you used for your tests


#65 2019-10-04 20:28:04

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

piwi wrote:

Can you please provide (on some filesharer)

  • the traces (hf list) of your tests

  • the dump file you used for your tests

mail me, please

Last edited by sherhannn79 (2019-10-04 21:41:39)


#66 2019-10-08 11:07:20

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

THANKS! Your simulation file finally allowed me to do some tests on my own and confirm the issues you have. It was indeed a timing problem (response on CHECK too slow). Speeding up some functions helped. Simulated card now authenticates every time to my reader. If you can verify, I will merge the changes to master.


#67 2019-10-08 21:34:08

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

I will try to check the other day.
I would like to clarify one point in advance. When using your release, my reader2 interrupts the session after the 'read4' command, is this also due to a timing problem, or is there another reason?


#68 2019-10-09 06:44:05

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

That is possible. I was fooled by the fdt times displayed with 'hf list iclass f' which showed OK and the same for all commands. But there still was a bug with the numbers, which showed the intended instead of the measured timings (this has been fixed now as well). The delay was biggest for CHECK (due to the MAC calculation) and READ4 (due to the coding of the 34 byte response).

With the latest changes all delays are the same and within the specification.

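Added example, not code from this thread or from the Proxmark3 repository: piwi's remark in #55 (every fdt should be 4224) together with the bug described in #68 (the trace listing printed the intended rather than the measured timing) suggests a small cross-check that recomputes the frame delay time from the raw frame timestamps instead of trusting the displayed number. The struct layout, the tolerance window, the way commands are paired with responses and every timestamp below are constructed assumptions for illustration; only the expected value 4224 comes from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Proxmark3 firmware code): recompute frame delay times
 * (fdt) from a trace and flag responses that deviate from the expected
 * value. The expected fdt of 4224 is the figure given in the thread; the
 * tolerance, the struct layout and all sample timestamps are assumptions. */

#define EXPECTED_FDT  4224UL
#define FDT_TOLERANCE 16UL     /* assumed acceptance window, in carrier cycles */

typedef struct {
    unsigned long start;       /* first edge of the frame, carrier cycles */
    unsigned long end;         /* last edge of the frame, carrier cycles */
    int from_reader;           /* 1 = reader -> tag, 0 = tag -> reader */
    const char *label;         /* decoded command name, or "RESP" */
} trace_entry;

typedef struct {
    const char *command;       /* reader command the response belongs to */
    unsigned long fdt;         /* measured: response.start - command.end */
    int in_spec;               /* 1 if |fdt - EXPECTED_FDT| <= FDT_TOLERANCE */
} fdt_result;

/* Walk the trace, pair each reader command with the tag response that
 * immediately follows it and measure the gap. Returns the number of results
 * written to out (at most max_out). Commands without a response are skipped. */
size_t measure_fdt(const trace_entry *trace, size_t n,
                   fdt_result *out, size_t max_out)
{
    size_t written = 0;
    for (size_t i = 0; i + 1 < n && written < max_out; i++) {
        if (!trace[i].from_reader || trace[i + 1].from_reader)
            continue;                          /* no tag response follows */
        unsigned long fdt  = trace[i + 1].start - trace[i].end;
        unsigned long diff = fdt > EXPECTED_FDT ? fdt - EXPECTED_FDT
                                                : EXPECTED_FDT - fdt;
        out[written].command = trace[i].label;
        out[written].fdt     = fdt;
        out[written].in_spec = diff <= FDT_TOLERANCE;
        written++;
    }
    return written;
}

/* Number of responses outside the window; a tester wants this at zero
 * before concluding that the reader itself is at fault. */
size_t count_out_of_spec(const fdt_result *r, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!r[i].in_spec) bad++;
    return bad;
}

/* Constructed trace: a simplified exchange in which CHECK and READ4 answer
 * late, mirroring the two slow responses named in the thread. Timestamps
 * are invented; the arithmetic yields the fdt noted in each comment. */
static const trace_entry sample_trace[] = {
    {     0,  1200, 1, "READCHECK" },
    {  5424,  9000, 0, "RESP"      },  /* fdt 4224 */
    { 20000, 22000, 1, "CHECK"     },
    { 28500, 30000, 0, "RESP"      },  /* fdt 6500: MAC calculation */
    { 40000, 41200, 1, "READ"      },
    { 45424, 49000, 0, "RESP"      },  /* fdt 4224 */
    { 60000, 61200, 1, "READ4"     },
    { 66900, 75000, 0, "RESP"      },  /* fdt 5700: 34-byte response coding */
};
#define SAMPLE_LEN (sizeof sample_trace / sizeof sample_trace[0])

/* One measured result from the sample trace, by index (helper for checks). */
fdt_result sample_result(size_t idx)
{
    fdt_result results[SAMPLE_LEN];
    size_t n = measure_fdt(sample_trace, SAMPLE_LEN, results, SAMPLE_LEN);
    if (idx >= n) {
        fdt_result none = { "none", 0, 0 };
        return none;
    }
    return results[idx];
}

/* Print the per-command measurement and return the out-of-spec count. */
size_t run_sample(void)
{
    fdt_result results[SAMPLE_LEN];
    size_t n = measure_fdt(sample_trace, SAMPLE_LEN, results, SAMPLE_LEN);
    for (size_t i = 0; i < n; i++)
        printf("%-10s fdt=%5lu %s\n", results[i].command, results[i].fdt,
               results[i].in_spec ? "ok" : "OUT OF SPEC");
    return count_out_of_spec(results, n);
}

int main(void)
{
    size_t bad = run_sample();
    printf("%zu response(s) outside %lu +/- %lu\n",
           bad, EXPECTED_FDT, FDT_TOLERANCE);
    return bad ? 1 : 0;
}
```

Measuring the gap from the recorded edges rather than from the value the firmware intended to wait is what exposes the slow CHECK and READ4 answers here; a listing that prints the configured delay would show 4224 for every line and hide them.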

#69 2019-10-10 17:22:58

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

I have made tests with piwi's latest release. There is some progress.
1. Reader0. Not successful: https://www.sendspace.com/file/it6yut
2. Reader1. Not successful: https://www.sendspace.com/file/bc1uy8
3. Reader2. Successful: https://www.sendspace.com/file/utsx1e

As for reader1, in this case the reader interrupts the session not only after the check command, but also after other commands randomly. Can I somehow adjust the response time of the proxmark to the reader commands in this release?


#70 2019-10-10 21:02:37

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

yes, you just need to modify this line in iclass.c:

#define DELAY_ICLASS_VCD_TO_VICC_SIM     140


#71 2019-11-13 18:14:02

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: tag simulation...

There is now a working 'hf iclass reader' and 'hf iclass snoop' (not yet merged) on official repository. This should help to identify the differences between your readers.


#72 2020-01-01 13:42:27

hayabusa
Contributor
From: Australia
Registered: 2019-08-27
Posts: 12

Re: tag simulation...

Happy New Year to all of you guys!

Last edited by hayabusa (2020-06-13 17:26:59)


#73 2020-04-19 20:19:27

sherhannn79
Contributor
Registered: 2019-04-13
Posts: 51

Re: tag simulation...

After a long break and "thanks" to all the known world events, I got some free time and I had a need to carry out some of the procedures described in this topic. I decided to take the last official repo for testing. I did the test with my most problematic reader (reader1). The result surprised me a little. If you recall, with this reader I was able to carry out only one successful simulation of the proxmark as a tag from six unsuccessful attempts. However, now I can do the simulation with almost no errors. In fairness, I must say that all the same, the original tag works more reliably, but this is not so important.
I want to thank @Piwi. Good job!

Last edited by sherhannn79 (2020-04-19 20:28:02)
