Committed as SVN 839:
increased reader sensitivity for ISO 14443A cards (for my antenna/card: maximum possible reading distance increased from 52 to 70 mm). Note: this is an FPGA change. You have to flash the FPGA as well.
implemented anticollision loop. PM3 now can cope with multiple cards present in the antenna field.
Details:
The modulation detector in the FPGA took the average of 16 samples of the A/D converter. This average voltage (i.e. the DC part of the signal) is lower if there is a modulation compared to the unmodulated signal. Only changes above a certain (dynamically adjusted) difference had been evaluated to cope with the slowly decreasing DC level after switching from sending to receiving mode.
This dynamic threshold adjustment prevented anticollision detection. If there is more than one card in the field, there is a strong modulation if both cards are sending the same bit (modulating in sync), but a much weaker modulation if they are sending different bits (collision). The modulation of a single card could not be detected because it is much below the threshold of the common (in sync) modulation. This is especially true for the far away cards because they are additionally "shielded" by the other card(s).
If there is a modulation, there is a falling and a rising edge within the 16 samples. I therefore have implemented a Gaussian derivative filter to detect the edges (and filter noise and eliminate the DC part). Because the filtered signal is independent of the absolute voltage level (DC part), a fixed threshold can be used for edge detection.
On the ARM side I have changed the Manchester Decoder. It is now able to detect a collision (stores the collision position), can handle anticollision commands (where the first parity bit can appear at an arbitrary position (after the first 1 to 8 data bits)), and does a majority decision on three out of four bits of the FPGA bitstream instead of evaluating just every fourth bit.
The anticollision loop itself is implemented within iso14443a_select_card and is straightforward (see the ISO spec). As is common practice, in case of a collision the card with a '1' at the collision position is selected.
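The anticollision loop described in the post, as an added simulation in C that is not part of the Proxmark firmware or of the post: it plays the reader side against a set of constructed UIDs, shows how the superposed answers reveal the first collision position, and how continuing with a '1' there isolates one card. Assumed simplification: bit i of a 32-bit value is the i-th bit sent on the air; cascade levels, parity bits and CRC are left out.

```c
#include <stdint.h>

/* Simulated ISO 14443A anticollision loop (added example, not Proxmark firmware).
 * Assumed simplification: bit i of a 32-bit UID is the i-th bit sent on the air;
 * cascade levels, parity bits and CRC are left out. */

/* Mask of the first nvb UID bits the reader has already accepted. */
static uint32_t accepted_mask(int nvb) { return nvb ? 0xFFFFFFFFu >> (32 - nvb) : 0u; }

/* One ANTICOLLISION round: cards whose UID matches the accepted prefix answer.
 * The reader sees the superposition: *or_bits is 1 where any card sent 1,
 * *and_bits where all did, so a bit where they differ is a collision.
 * Returns how many cards answered. */
static int cards_answer(const uint32_t *uids, int n, uint32_t prefix, int nvb,
                        uint32_t *or_bits, uint32_t *and_bits)
{
    uint32_t mask = accepted_mask(nvb);
    int answered = 0;
    *or_bits = 0u, *and_bits = 0xFFFFFFFFu;
    for (int i = 0; i < n; i++) {
        if ((uids[i] & mask) != (prefix & mask))
            continue;                        /* prefix mismatch: card stays silent */
        *or_bits |= uids[i], *and_bits &= uids[i];
        answered++;
    }
    return answered;
}

/* Loops until one card answers without collision and returns its UID, counting
 * the rounds in *rounds (returns 0 if no card answers). After a collision the
 * reader keeps the agreed bits and continues with a '1' at the collision
 * position, so the card that sent '1' is the one selected. */
uint32_t anticollision_select(const uint32_t *uids, int n, int *rounds)
{
    uint32_t prefix = 0u, or_bits, and_bits;
    int nvb = 0;
    *rounds = 0;
    for (;;) {
        (*rounds)++;
        if (cards_answer(uids, n, prefix, nvb, &or_bits, &and_bits) == 0) return 0u;
        uint32_t coll = (or_bits ^ and_bits) & ~accepted_mask(nvb);
        if (coll == 0u)
            return or_bits;                  /* all answers agree: unique card */
        int pos = nvb;
        while (!((coll >> pos) & 1u)) pos++; /* first (lowest) colliding bit */
        prefix = (or_bits & accepted_mask(pos)) | (1u << pos);
        nvb = pos + 1;
    }
}
```

With the three constructed UIDs used in the test, the first round collides at bit 0, the second at bit 3, and the third round isolates 0x12345679, the card that sent '1' at both collision positions.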
As always, great work piwi!
Good job!
Can you commit your testbench for iso14443a.v module?
Can you commit your testbench for iso14443a.v module?
No, there is (still) none.
Great work you did there, thank you!
Last edited by ikarus (2013-11-22 10:00:18)
How are you developing FPGA code? Do you use an oscilloscope, or a logic analyzer? How do you read ADC data while writing your code? Do you use simulator software (i.e. Modelsim)?
Scope and LA wouldn't be of much use - you would only be able to monitor signals at the FPGA's in/outputs but nowhere in between. In general, the FPGA data outputs are inputs to the ARM - you can monitor at this side. The inputs are either coming from the ARM (again, you can monitor at this side) or the ADC. I modelled and simulated the PM3 RF part with LTSpice - in order to understand what appears at the analogue side of the ADC.
I modelled and simulated the PM3 RF part with LTSpice - in order to understand what appears at the analogue side of the ADC.
Can you share your project?
Sure. Here is my modeling of the HF receiver part (save as <anyname>.asc and open in LTSpice):
Version 4
SHEET 1 880 680
WIRE 448 -32 448 -64
WIRE 448 -32 416 -32
WIRE 480 -32 448 -32
WIRE 480 -16 480 -32
WIRE 416 64 416 -32
WIRE 480 80 480 64
WIRE 592 80 480 80
WIRE 704 80 672 80
WIRE 560 96 560 -48
WIRE 480 112 480 80
WIRE 528 112 480 112
WIRE 704 128 704 80
WIRE 704 128 592 128
WIRE 752 128 704 128
WIRE -432 144 -496 144
WIRE -304 144 -352 144
WIRE -240 144 -304 144
WIRE -160 144 -176 144
WIRE -128 144 -160 144
WIRE -16 144 -64 144
WIRE 80 144 -16 144
WIRE 176 144 80 144
WIRE 240 144 176 144
WIRE 320 144 240 144
WIRE 416 144 384 144
WIRE 528 144 416 144
WIRE -1200 160 -1200 112
WIRE -1056 160 -1056 112
WIRE -912 160 -912 112
WIRE 80 160 80 144
WIRE 176 160 176 144
WIRE 240 160 240 144
WIRE -304 192 -304 144
WIRE -160 192 -160 144
WIRE -16 192 -16 144
WIRE 80 256 80 240
WIRE 176 256 176 224
WIRE 240 256 240 240
WIRE 560 256 560 160
WIRE -1200 304 -1200 240
WIRE -1056 304 -1056 240
WIRE -912 304 -912 240
FLAG -304 256 0
FLAG -160 256 0
FLAG -16 256 0
FLAG 80 256 0
FLAG 176 256 0
FLAG 240 256 0
FLAG 752 128 Out
IOPIN 752 128 Out
FLAG -496 144 In
IOPIN -496 144 In
FLAG 448 -64 Vmid
FLAG 560 256 0
FLAG 560 -48 VDD
FLAG -1200 304 0
FLAG -1056 304 0
FLAG -912 304 0
FLAG -1200 112 Vmod
FLAG -1056 112 VBit
FLAG -912 112 Vcarrier
SYMBOL cap -320 192 R0
SYMATTR InstName C1
SYMATTR Value 47E-12
SYMBOL cap -176 128 R90
WINDOW 0 0 32 VBottom 2
WINDOW 3 32 32 VTop 2
SYMATTR InstName C2
SYMATTR Value 22E-12
SYMBOL cap -32 192 R0
SYMATTR InstName C3
SYMATTR Value 130p
SYMBOL schottky -144 256 R180
WINDOW 0 24 64 Left 2
WINDOW 3 24 0 Left 2
SYMATTR InstName D1
SYMATTR Value DI_BAS70
SYMATTR Description Diode
SYMATTR Type diode
SYMBOL schottky -128 160 R270
WINDOW 0 32 32 VTop 2
WINDOW 3 0 32 VBottom 2
SYMATTR InstName D2
SYMATTR Value DI_BAS70
SYMATTR Description Diode
SYMATTR Type diode
SYMBOL res 64 144 R0
SYMATTR InstName R1
SYMATTR Value 10k
SYMBOL res 224 144 R0
SYMATTR InstName R2
SYMATTR Value 11E6
SYMBOL cap 384 128 R90
WINDOW 0 0 32 VBottom 2
WINDOW 3 32 32 VTop 2
SYMATTR InstName C4
SYMATTR Value 1E-9
SYMBOL res 400 48 R0
SYMATTR InstName R3
SYMATTR Value 10k
SYMBOL res 464 -32 R0
SYMATTR InstName R4
SYMATTR Value 10k
SYMBOL res 688 64 R90
WINDOW 0 0 56 VBottom 2
WINDOW 3 32 56 VTop 2
SYMATTR InstName R5
SYMATTR Value 10k
SYMBOL voltage -1200 144 R0
WINDOW 3 -58 215 Left 2
WINDOW 123 0 0 Left 2
WINDOW 39 0 0 Left 2
SYMATTR Value PULSE(0 1 0 10ns 10ns 580ns 1180ns)
SYMATTR InstName V1
SYMBOL voltage -1056 144 R0
WINDOW 3 -97 278 Left 2
WINDOW 123 0 0 Left 2
WINDOW 39 0 0 Left 2
SYMATTR Value PULSE(0 1 0 10ns 10ns 4.7198us 29.4395us)
SYMATTR InstName V2
SYMBOL voltage -912 144 R0
WINDOW 3 45 64 Left 2
WINDOW 123 0 0 Left 2
WINDOW 39 0 0 Left 2
SYMATTR Value SINE(0 6.5 13.56E6)
SYMATTR InstName V3
SYMBOL Diodes\\BZX84C47 192 224 R180
WINDOW 0 24 64 Left 2
WINDOW 3 -42 -108 Left 2
SYMATTR InstName D4
SYMBOL Opamps\\UniversalOpamp2 560 128 R0
SYMATTR InstName U1
SYMBOL res -336 128 R90
WINDOW 0 0 56 VBottom 2
WINDOW 3 32 56 VTop 2
SYMATTR InstName R7
SYMATTR Value 50
TEXT 488 -120 Left 2 !BVmid Vmid 0 V=2.5V
TEXT -432 280 Left 2 !.tran 0 140us 100us
TEXT 592 -64 Left 2 !BVDD VDD 0 V=5V
TEXT -488 -24 Left 2 !BVin In 0 V = V(Vcarrier) - 0.03*V(Vmod) * V(Vcarrier) * V(Vbit)
I have installed the latest version 4.20C on WinXP, then I followed your instructions, but it gives me the error "Couldn't find symbols BZX84C47". When I run the project, LTspice shows the errors "Couldn't find symbols DI_BAS70" and "Can't find definition of model DI_BAS70".
Then LTspice starts the simulation, a scope-like window appears with no waveforms on it, and finally the error log is shown:
Circuit: * C:\Proxmark3.asc
Error on line 5 : d1 0 n003 di_bas70
Unable to find definition of model "di_bas70"
Error on line 6 : d2 n003 n004 di_bas70
Unable to find definition of model "di_bas70"
Direct Newton iteration for .op point succeeded.
Date: Fri Dec 06 13:02:05 2013
Total elapsed time: 23.594 seconds.
tnom = 27
temp = 27
method = modified trap
totiter = 364204
traniter = 364193
tranpoints = 96423
accept = 65383
rejected = 31040
matrix size = 19
fillins = 1
solver = Normal
Matrix Compiler1: 652 aaeo object code size 3.2/2.6/[1.9]
Matrix Compiler2: 1,25 EA object code size 2.2/3.1/[1.7]
Please add (use an editor) the following diode model (source: http://www.diodes.com/catalog/schottky_ … bas70.html) to C:\Program Files (x86)\LTC\LTspiceIV\lib\cmp\standard.dio:
*SRC=BAS70;DI_BAS70;Diodes;Si; 70.0V 70.0mA 5.00ns Diodes Inc. -
.MODEL DI_BAS70 D ( IS=99.5p RS=0.600 BV=70.0 IBV=10.0u
+ CJO=2.00p M=0.333 N=1.70 TT=7.20n )
The following needs to be copied to a new file C:\Program Files (x86)\LTC\LTspiceIV\lib\sym\Diodes\BZX84C47.asy:
Version 4
SymbolType CELL
LINE Normal 0 44 -4 48
LINE Normal 32 44 36 40
LINE Normal 0 44 32 44
LINE Normal 0 20 32 20
LINE Normal 32 20 16 44
LINE Normal 0 20 16 44
LINE Normal 16 0 16 20
LINE Normal 16 44 16 64
WINDOW 0 24 0 Left 2
WINDOW 3 24 64 Left 2
SYMATTR Value DI_BZX84C47
SYMATTR Prefix X
SYMATTR Description Zener Diode
SYMATTR SpiceModel BZX84C47.sub
SYMATTR Value2 DI_BZX84c47
PIN 16 0 NONE 0
PINATTR PinName +
PINATTR SpiceOrder 1
PIN 16 64 NONE 0
PINATTR PinName -
PINATTR SpiceOrder 2
and the following (source: http://www.diodes.com/catalog/zener_dio … 84c47.html) to a new file C:\Program Files (x86)\LTC\LTspiceIV\lib\sub\BZX84C47.sub:
*SRC=BZX84C47;DI_BZX84C47;Diodes;Zener 10V-50V; 47.0V 0.350W Diodes Inc. -
*SYM=HZEN
.SUBCKT DI_BZX84C47 1 2
* Terminals A K
D1 1 2 DF
DZ 3 1 DR
VZ 2 3 43.9
.MODEL DF D ( IS=3.07p RS=27.6 N=1.10
+ CJO=22.1p VJ=1.00 M=0.330 TT=50.1n )
.MODEL DR D ( IS=6.14e-016 RS=154 N=3.00 )
.ENDS
This commit breaks mifare classic snoop.
I have a test setup with a normal reader I use to read a mifare classic card.
Then I use the proxmark3 with the antenna in between to sniff on data.
I am using the command: hf 14a snoop
With revision 838 and before it, nothing will then happen before I use my read command on the reader.
When using revision 839 and 840, the snoop exits right away with no data.
Pre 839:
proxmark3> hf 14a snoop
#db# COMMAND FINISHED
#db# maxDataLen=21, Uart.state=0, Uart.byteCnt=8
#db# Uart.byteCntMax=20, traceLen=bb8, Uart.output[0]=0000000f
proxmark3> hf 14a list
recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
+ 0: : 26
+ 63: 0: TAG 02 00
...
From revision 839:
proxmark3> hf 14a snoop
#db# COMMAND FINISHED
#db# maxDataLen=21, Uart.state=0, Uart.byteCnt=0
#db# Uart.byteCntMax=20, traceLen=cb0, Uart.output[0]=000000ff
proxmark3> hf 14a list
recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
proxmark3>
I have tried adding the c and/or r trigger options, but it makes no difference.
I was very much hoping to use this new version as I have problems with not getting all data and I hope the better sensitivity in the new revision will help.
I have tried to look at the diff in the C files, but cannot spot anything there that makes the difference. However, I am not used to looking at FPGA code and do not know much about hardware, so I have a hard time checking that part.
Should be fixed in r845. See http://www.proxmark.org/forum/viewtopic … 9721#p9721.