Proxmark / proxmark3

Proxmark 3
http://www.proxmark.org/
GNU General Public License v2.0

hf mf sim after r845 #11

Closed holiman closed 9 years ago

holiman commented 10 years ago

With r844 and later, I am unable to do 'hf mf sim' and related commands (snoop) on one type of readers found in 'real-world'. The yellow led blinks, but nothing happens and even with 'hf mf dbg 4', there is nothing sent back from the device.

pwpiwi commented 10 years ago

Because you are reporting issues with snoop as well, I would expect a problem with receiving the reader commands. Do you have the possibility to measure the signal at TP1 while snooping? Or can you try Enio's "PM3 as Digital Storage Oscilloscope" hack? Does hf 14a snoop give you any results?

Can you clarify which version did work last for you? (You mention "after r845" in the subject and "with r844 and later" in your comment.)

holiman commented 10 years ago

r844 was just cosmetics, what I mean is r845 and later does not work. Some background: A while ago, I was working a bit with 'hf mf sim' r840-r844 for a pen-test on mifare-based access control system. It worked fine on their readers. Today I got the chance to test the same reader again, and confirmed that any version post r844 did not work anymore (for that reader).

Some more context: At that place, they have three readers, all are same model and make.
Reader 1: No communication with either pre-845 or post-845. No led-light.
Reader 2: pre-845 works, post-845 blinks yellow.
Reader 3: pre-845 works, post-845 blinks yellow.

I will be able to test again thursday and friday, after that it will be difficult to perform tests. I'll try get the time to make a special debug-build and get some more info on what is happening.

Does hf 14a snoop give you any results?

Not that I can recall, I can test that tomorrow. hf mf sniff with a legitimate card does not produce anything. I have actually never gotten anything out of hf mf sniff, so I don't even know what to expect :)

Do you have the possibility to measure the signal at TP1 while snooping? No.

Or can you try Enio's "PM3 as Digital Storage Oscilloscope" hack? What do I have to do? Is there a codebase somewhere I can use to just flash the device, or is it something more complicated? I can do tests the next two days.

holiman commented 10 years ago

Some more thoughts, it's the yellow light that blinks, (LED_A), and that light is really only used at one place in Mifare1kSim:

    if (cardSTATE == MFEMUL_NOFIELD) {
        vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
        if (vHf > MF_MINFIELDV) {
            cardSTATE_TO_IDLE();
            LED_A_ON();
        }
    } 

So, my feeling is that somehow the readers sensitivity got worse, and it does not even go into the simulation-logic. I'll add some debug printouts and check that later.

holiman commented 10 years ago

I did a modification to print out the measured reader field:

    // find reader field
    // Vref = 3300mV, and an 10:1 voltage divider on the input
    // can measure voltages up to 33000 mV
    if (cardSTATE == MFEMUL_NOFIELD) {
        vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
        if (vHf > MF_MINFIELDV) {
            cardSTATE_TO_IDLE();
            LED_A_ON();
        }else
        {
            if(i++ % 10 == 0) Dbprintf("No field found, vhf = %d", vHf);
        }
    } 

results:

#db# No field found, vhf = 3125                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 64                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 3544                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 3512                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 193                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 2739                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 805                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 2126                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 1579                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 1385                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 2255                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 741                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 2803                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 64                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 3287                 
#db# No field found, vhf = 64                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 3319                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 2932                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 515                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 2320                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 64                 
#db# No field found, vhf = 1160                 
#db# No field found, vhf = 96                 
#db# No field found, vhf = 1708                 
#db# No field found, vhf = 64                 
#db# No field found, vhf = 96                 
[...]     

Next modification, ignore vHf value, rely only on the reader-field check which is built into EmGetCmd:

    // find reader field
    // Vref = 3300mV, and an 10:1 voltage divider on the input
    // can measure voltages up to 33000 mV
    if (cardSTATE == MFEMUL_NOFIELD) {
        vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
        if (vHf > MF_MINFIELDV || true) {
            cardSTATE_TO_IDLE();
            LED_A_ON();
        }else
        {
            if(i++ % 10 == 0) Dbprintf("No field found, vhf = %d", vHf);
        }
    } 
    if(cardSTATE == MFEMUL_NOFIELD) continue;
    DbpString("Field found, commencing sampling");
    //Now, get data

    res = EmGetCmd(receivedCmd, &len);
    if (res == 2) { //Field is off!
        cardSTATE = MFEMUL_NOFIELD;
        LEDsoff();
        DbpString("EmGetCmd returned 2: no field");
        continue;
    } else if (res == 1) {
        break;  //return value 1 means button press
    }
    DbpString("EmGetCmd ok, continuing");

results

#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing                 
#db# Field found, commencing sampling                 
#db# EmGetCmd ok, continuing             
[...]

#db# Emulator stopped. Tracing: 0  trace length: 2994
proxmark3> hf 14a list
Recorded Activity          

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
All times are in carrier periods (1/13.56Mhz)          

     Start |       End | Src | Data          
-----------|-----------|-----|--------          
         0 |       992 | Rdr | 52              
     11508 |     13876 | Tag | 04  00              
    680226 |    681218 | Rdr | 52              
    691606 |    693974 | Tag | 04  00              
    727040 |    729504 | Rdr | 93  20              
    740724 |    746612 | Tag | e6  84  87  f3  16              
    785152 |    795616 | Rdr | 93  70  e6  84  87  f3  16  5e  35              
    807156 |    811828 | Tag | 08  b6  dd  00              
   1500160 |   1501152 | Rdr | 52              
   1512692 |   1515060 | Tag | 04  00              
   1547136 |   1549600 | Rdr | 93  20              
   1560180 |   1566068 | Tag | e6  84  87  f3  16              
   1605198 |   1615662 | Rdr | 93  70  e6  84  87  f3  16  5e  35              
   1626370 |   1631042 | Tag | 08  b6  dd  00              
   2319104 |   2320096 | Rdr | 52              

That looks good. Next change:

    // find reader field
    // Vref = 3300mV, and an 10:1 voltage divider on the input
    // can measure voltages up to 33000 mV
    /**
      Ignore this: EmGetCmd checks for a field internally
    if (cardSTATE == MFEMUL_NOFIELD) {
        vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
        if (vHf > MF_MINFIELDV || true) {
            cardSTATE_TO_IDLE();
            LED_A_ON();
        }else
        {
            if(i++ % 10 == 0) Dbprintf("No field found, vhf = %d", vHf);
        }
    } 
    if(cardSTATE == MFEMUL_NOFIELD) continue;
    DbpString("Field found, commencing sampling");
    //Now, get data
    **/
    res = EmGetCmd(receivedCmd, &len);
    if (res == 2) { //Field is off!
        cardSTATE = MFEMUL_NOFIELD;
        LEDsoff();
        DbpString("EmGetCmd returned 2: no field");
        continue;
    } else if (res == 1) {
        break;  //return value 1 means button press
    }else
    {// Read ok
        DbpString("EmGetCmd ok, continuing");
        cardSTATE_TO_IDLE();
    }

Result:

#db# EmGetCmd ok, continuing                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd returned 2: no field                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd returned 2: no field                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd returned 2: no field                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd returned 2: no field                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd returned 2: no field                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd returned 2: no field                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd ok, continuing                 
#db# EmGetCmd returned 2: no field    
[...]

proxmark3> hf 14a list
Recorded Activity          

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
All times are in carrier periods (1/13.56Mhz)          

     Start |       End | Src | Data          
-----------|-----------|-----|--------          
         0 |       992 | Rdr | 52              
     11380 |     13748 | Tag | 04  00              
    679522 |    680514 | Rdr | 52              
    691094 |    693462 | Tag | 04  00              
   1361956 |   1362948 | Rdr | 52              
   1374616 |   1376984 | Tag | 04  00              
   1409024 |   1411488 | Rdr | 93  20              
   2179426 |   2180418 | Rdr | 52              
   2192150 |   2194518 | Tag | 04  00              
   2226560 |   2229024 | Rdr | 93  20              
   2996834 |   2997826 | Rdr | 52              
   3008278 |   3010646 | Tag | 04  00              
   3043696 |   3046160 | Rdr | 93  20              
   3815936 |   3816928 | Rdr | 52              
   3828212 |   3830580 | Tag | 04  00              
   3862768 |   3865232 | Rdr | 93  20              
   4632960 |   4633952 | Rdr | 52              
   4645620 |   4647988 | Tag | 04  00              
   4680160 |   4682624 | Rdr | 93  20              
   5452030 |   5453022 | Rdr | 52             
[...]

It appears that we're just on the edge of detecting the field. Sometimes it works, sometimes it does not. I'll try to test more later, with the older fpga-setup.
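The listings above are easiest to read with the CRC and BCC checked mechanically rather than by eye. The following is an added example, not code from the Proxmark firmware or client: a small C checker for frames in the `hf 14a list` format that recomputes ISO 14443-3A CRC-A (polynomial 0x8408, initial value 0x6363, low byte sent first), verifies the anticollision BCC, annotates the command bytes that occur in this thread, and counts reader commands that got no tag answer, which is the symptom in the second listing. The `frame_t` type, the annotation strings and the embedded sample trace (constructed from frames in the listings above, timestamps dropped) are this example's own assumptions.

```c
/* Added example, not Proxmark project code: check and annotate ISO 14443-3A
 * frames as they appear in "hf 14a list" output. The sample trace below is
 * constructed from the listings in this thread (timestamps omitted). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SRC_RDR 0
#define SRC_TAG 1

typedef struct {
    int src;           /* SRC_RDR or SRC_TAG (assumed representation) */
    uint8_t data[16];  /* raw frame bytes, CRC included where one is sent */
    size_t len;
} frame_t;

/* CRC-A per ISO 14443-3 Type A: poly 0x8408 (0x1021 reflected), init 0x6363,
 * no final XOR; the two CRC bytes are transmitted low byte first. */
uint16_t crc14a(const uint8_t *buf, size_t len) {
    uint16_t crc = 0x6363;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = buf[i] ^ (uint8_t)(crc & 0xff);
        b ^= (uint8_t)(b << 4);
        crc = (uint16_t)((crc >> 8) ^ ((uint16_t)b << 8) ^ ((uint16_t)b << 3) ^ (b >> 4));
    }
    return crc;
}

/* 1 if the last two bytes of buf are the CRC-A of the bytes before them. */
int frame_crc_ok(const uint8_t *buf, size_t len) {
    if (len < 3) return 0;
    uint16_t c = crc14a(buf, len - 2);
    return buf[len - 2] == (c & 0xff) && buf[len - 1] == (c >> 8);
}

/* 1 if byte 4 is the XOR of bytes 0..3 (UID + BCC in the anticollision answer). */
int bcc_ok(const uint8_t *uid_bcc) {
    return (uid_bcc[0] ^ uid_bcc[1] ^ uid_bcc[2] ^ uid_bcc[3]) == uid_bcc[4];
}

/* Annotation for the frames seen in this thread; anything else is "?". */
const char *annotate(const frame_t *f) {
    const uint8_t *d = f->data;
    if (f->src == SRC_RDR) {
        if (f->len == 1 && d[0] == 0x52) return "WUPA";
        if (f->len == 1 && d[0] == 0x26) return "REQA";
        if (f->len == 2 && d[0] == 0x93 && d[1] == 0x20) return "ANTICOLL (CL1)";
        if (f->len == 9 && d[0] == 0x93 && d[1] == 0x70) {
            if (!frame_crc_ok(d, 9)) return "SELECT bad CRC";
            return bcc_ok(d + 2) ? "SELECT (CL1)" : "SELECT bad BCC";
        }
        if (f->len == 4 && !frame_crc_ok(d, 4)) return "bad CRC";
        if (f->len == 4 && d[0] == 0x50 && d[1] == 0x00) return "HALT";
        if (f->len == 4 && d[0] == 0x60) return "AUTH-A";
        if (f->len == 4 && d[0] == 0x61) return "AUTH-B";
        if (f->len == 4 && d[0] == 0x30) return "READBLOCK";
        return "?";
    }
    if (f->len == 2) return "ATQA";
    if (f->len == 5) return bcc_ok(d) ? "UID+BCC" : "UID bad BCC";
    if (f->len == 3) return frame_crc_ok(d, 3) ? "SAK" : "SAK bad CRC";
    if (f->len == 4) return "nonce/response";
    return "?";
}

/* Reader commands that expect an answer but are directly followed by another
 * reader frame. HALT never gets a reply, so it is skipped. A REQA that a
 * halted card legitimately ignores is counted too, so treat this as a hint. */
size_t count_unanswered(const frame_t *t, size_t n) {
    size_t missing = 0;
    for (size_t i = 0; i + 1 < n; i++) {
        if (t[i].src != SRC_RDR) continue;
        if (strcmp(annotate(&t[i]), "HALT") == 0) continue;
        if (t[i + 1].src == SRC_RDR) missing++;
    }
    return missing;
}

/* Constructed sample: WUPA answered, one ANTICOLL left unanswered, then a
 * complete select with SAK 08 (Mifare Classic 1k) and a HALT. */
const frame_t sample_trace[] = {
    { SRC_RDR, {0x52}, 1 },
    { SRC_TAG, {0x04, 0x00}, 2 },
    { SRC_RDR, {0x52}, 1 },
    { SRC_TAG, {0x04, 0x00}, 2 },
    { SRC_RDR, {0x93, 0x20}, 2 },
    { SRC_RDR, {0x52}, 1 },
    { SRC_TAG, {0x04, 0x00}, 2 },
    { SRC_RDR, {0x93, 0x20}, 2 },
    { SRC_TAG, {0xe6, 0x84, 0x87, 0xf3, 0x16}, 5 },
    { SRC_RDR, {0x93, 0x70, 0xe6, 0x84, 0x87, 0xf3, 0x16, 0x5e, 0x35}, 9 },
    { SRC_TAG, {0x08, 0xb6, 0xdd}, 3 },
    { SRC_RDR, {0x50, 0x00, 0x57, 0xcd}, 4 },
    { SRC_RDR, {0x52}, 1 },
};
const size_t sample_trace_len = sizeof sample_trace / sizeof sample_trace[0];

int main(void) {
    for (size_t i = 0; i < sample_trace_len; i++) {
        printf("%s |", sample_trace[i].src == SRC_RDR ? "Rdr" : "Tag");
        for (size_t j = 0; j < sample_trace[i].len; j++) printf(" %02x", sample_trace[i].data[j]);
        printf(" | %s\n", annotate(&sample_trace[i]));
    }
    printf("unanswered reader commands: %zu\n", count_unanswered(sample_trace, sample_trace_len));
    return 0;
}
```

On the sample trace the checker reports exactly one unanswered command (the first `93 20`), and the CRC bytes quoted in the listings (`5e 35` after the SELECT, `b6 dd` after SAK 08, `57 cd` after HALT) all verify, so a reader rejecting the answers would not be doing so because of a CRC problem on the wire.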

holiman commented 10 years ago

Interestingly, hf 14a sim 1 45454545 worked like a charm...

pwpiwi commented 10 years ago

It appears that we're just on the edge of detecting the field. Sometimes it works, sometimes it does not. I'll try to test more later, with the older fpga-setup.

Detecting the field has nothing to do with the FPGA. This is measured by the ARM's internal A/D Converter. Did you try to lower MF_MINFIELDV ?

holiman commented 10 years ago

I'll try that. Related question; the hf 14a sim uses static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen) and does not bother to even check the field. Seems much simpler to me.. :) I don't know why we would keep static int EmGetCmd(uint8_t *received, int *len) at all. I'll see if I can test a bit more tomorrow.

holiman commented 10 years ago

I replaced the EmGetCmd and field-detection with GetIso14443aCommandFromReader. Relevant parts:

    while (!BUTTON_PRESS() && !finished) {
        WDT_HIT();

        if(!GetIso14443aCommandFromReader(receivedCmd, &len, 0))
        {
            break;// Button press
        }
        //cardSTATE_TO_IDLE();

        // REQ or WUP request in ANY state and WUP in HALTED state
        if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {

EDIT: made an error when compiling/flashing. Here are the results:

proxmark3> hf mf sim i x
uid:N/A, numreads:0, flags:9 (0x09)
Press pm3-button to abort simulation
#db# 4B UID: 246c828a
#db# Failed to obtain two AR/NR pairs!
#db# Emulator stopped. Tracing: 0 trace length: 2994

proxmark3> hf 14a list
Recorded Activity

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
All times are in carrier periods (1/13.56Mhz)

     Start |       End | Src | Data
-----------|-----------|-----|--------
         0 |       992 | Rdr | 52
      2548 |      4916 | Tag | 04  00
    682082 |    683074 | Rdr | 52
    684694 |    687062 | Tag | 04  00
    718050 |    720514 | Rdr | 93  20
    722070 |    727958 | Tag | 24  6c  82  8a  40
    768000 |    778528 | Rdr | 93  70  24  6c  82  8a  40  21  10
    780020 |    784692 | Tag | 08  b6  dd  00
   1500386 |   1501378 | Rdr | 52
   1502998 |   1505366 | Tag | 04  00
   1536512 |   1538976 | Rdr | 93  20
   1540468 |   1546356 | Tag | 24  6c  82  8a  40
   1586750 |   1597278 | Rdr | 93  70  24  6c  82  8a  40  21  10
   1598834 |   1603506 | Tag | 08  b6  dd  00
   2319296 |   2320288 | Rdr | 52
   2321780 |   2324148 | Tag | 04  00
   2355392 |   2357856 | Rdr | 93  20
   2359412 |   2365300 | Tag | 24  6c  82  8a  40
   2405694 |   2416222 | Rdr | 93  70  24  6c  82  8a  40  21  10
   2417778 |   2422450 | Tag | 08  b6  dd  00
   3137342 |   3138334 | Rdr | 52
   3139954 |   3142322 | Tag | 04  00
   3173566 |   3176030 | Rdr | 93  20
   3177586 |   3183474 | Tag | 24  6c  82  8a  40
   3224028 |   3234556 | Rdr | 93  70  24  6c  82  8a  40  21  10
   3236048 |   3240720 | Tag | 08  b6  dd  00
   3955902 |   3956894 | Rdr | 52
   3958386 |   3960754 | Tag | 04  00
   3992284 |   3994748 | Rdr | 93  20
   3996240 |   4002128 | Tag | 24  6c  82  8a  40
   4042524 |   4053052 | Rdr | 93  70  24  6c  82  8a  40  21  10
   4054608 |   4059280 | Tag | 08  b6  dd  00
   4775644 |   4776636 | Rdr | 52
   4778192 |   4780560 | Tag | 04  00
   4811932 |   4814396 | Rdr | 93  20
   4815952 |   4821840 | Tag | 24  6c  82  8a  40
   4862106 |   4872634 | Rdr | 93  70  24  6c  82  8a  40  21  10
   4874190 |   4878862 | Tag | 08  b6  dd  00
   5594010 |   5595002 | Rdr | 52
   5596494 |   5598862 | Tag | 04  00
   5630362 |   5632826 | Rdr | 93  20
   5634382 |   5640270 | Tag | 24  6c  82  8a  40
   5680696 |   5691224 | Rdr | 93  70  24  6c  82  8a  40  21  10
   5692716 |   5697388 | Tag | 08  b6  dd  00
   6412186 |   6413178 | Rdr | 52

So, it looks pretty good. Not quite there, for some reason the reader does not like the rSAK or we are not picking up the answer quickly enough..

holiman commented 10 years ago

Btw, I like it that the new trace-format is github-flavored-markdown-friendly :)

buggii commented 10 years ago

I think that user Jonor may be a good help in this kind of discussions; can someone please add him? I don't know if the mail he used to register on the forum is active but what i know is that he is good at arm programming.


pwpiwi commented 10 years ago

Related question; the hf 14a sim uses static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen) and does not bother to even check the field. Seems much simpler to me.. :)

Detecting the reader field is required to reset the card state when a field loss is detected.

holiman commented 10 years ago

I don't think so, a wupa will reset the state for US anyway...

holiman commented 10 years ago

Clarification. Latest code, which produced the listing above.

    if(!GetIso14443aCommandFromReader(receivedCmd, &len, 0))
    {
        break;// Button press
    }
    //cardSTATE_TO_IDLE();
    // REQ or WUP request in ANY state and WUP in HALTED state
    if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
        selTimer = GetTickCount();
        EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
        cardSTATE = MFEMUL_SELECT1;

        // init crypto block
        LED_B_OFF();
        LED_C_OFF();
        crypto1_destroy(pcs);
        cardAUTHKEY = 0xff;
        continue;
    }
pwpiwi commented 10 years ago

I don't think so, a wupa will reset the state for us anyway...

Yes, but a field loss should do so as well. E.g. If the "card" is temporarily removed.

holiman commented 10 years ago

I don't think I understand why. If the card is removed,

  1. Without field-detection, it will stall in GetIso14443aCommandFromReader until either button is pressed, or the card is put in the field again, and read is successful. The read will most probably be a wup, and the algo will continue.
  2. With field-detection, it will stall in field-detector, until either button is pressed or card is put in the field again. And then it will read.

To me, it seems the exact same things will happen, but in the first case we will always read if possible, and in the second case we will only read if the signal strength is above a certain (arbitrary) threshold.

pwpiwi commented 10 years ago

The read will most probably be a wup

... which would indeed not be a problem. But often it will be REQA, which would be ignored in HALTED state. (quite unlikely) it could even be any other command - which should be ignored after a field interruption.

if the signal strength is above a certain (arbitrary) threshold.

We only need to detect a field loss, not to measure its strength. An arbitrary threshold indeed simulates "real life". Some real cards would work with weaker fields than others.

holiman commented 10 years ago

If we should have field detection (I'm still not fully convinced), it should be set to only signal field loss when there's absolutely no chance of false positive (i.e, when we actually may perform a successful read). So, we'll just lower the threshold then? I'll make some measurements, and maybe add a 'measure'-command so people can try with different pm3:s and antennas, to make sure we find a good value.

Also, I've ordered an acr122u reader now, to be able to experiment more thoroughly with simulation.
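What decides whether a simulation aborts is not only where the threshold sits but whether a single low sample is allowed to flip the state. The following is an added example, not Proxmark firmware code: it keeps the ADC-to-millivolt arithmetic from the snippets above and compares a naive single-threshold detector with one that needs several consecutive low samples, below a lower "off" level (hysteresis), before it reports a field loss. The firmware checks the field in two places (the entry test and EmGetCmd); here both are modelled as one small state machine. `MF_FIELD_OFF_MV`, `MF_FIELD_OFF_N`, the `field_detector_t` type and the two sample sequences are assumptions for illustration; the sequences are constructed from readings of the kind printed in the logs in this thread.

```c
/* Added example, not Proxmark firmware code: a debounced reader-field loss
 * detector. Threshold values other than the 4000 mV discussed in the thread,
 * and the sample sequences, are assumptions / constructed data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MF_FIELD_ON_MV   4000u  /* the MF_MINFIELDV value discussed in the thread */
#define MF_FIELD_OFF_MV  2000u  /* assumed: lower "off" level adds hysteresis */
#define MF_FIELD_OFF_N   3u     /* assumed: consecutive low samples before a loss */

typedef enum { FIELD_ABSENT = 0, FIELD_PRESENT = 1 } field_state_t;

typedef struct {
    field_state_t state;
    unsigned low_run;   /* consecutive samples below MF_FIELD_OFF_MV */
    unsigned losses;    /* PRESENT -> ABSENT transitions reported */
} field_detector_t;

/* Same arithmetic as the firmware snippet: Vref 3300 mV, 10-bit ADC result,
 * 10:1 divider, so full scale is 33000 mV. ADC 97 -> 3125 mV, ADC 3 -> 96 mV. */
uint32_t adc_to_mv(uint32_t adc10) {
    return (33000u * adc10) >> 10;
}

void field_init(field_detector_t *d) {
    d->state = FIELD_ABSENT;
    d->low_run = 0;
    d->losses = 0;
}

/* Debounced update: enter PRESENT on one sample above the "on" level (as the
 * firmware does), leave it only after MF_FIELD_OFF_N samples below "off". */
field_state_t field_update(field_detector_t *d, uint32_t mv) {
    if (d->state == FIELD_ABSENT) {
        if (mv > MF_FIELD_ON_MV) {
            d->state = FIELD_PRESENT;
            d->low_run = 0;
        }
        return d->state;
    }
    if (mv < MF_FIELD_OFF_MV) {
        if (++d->low_run >= MF_FIELD_OFF_N) {
            d->state = FIELD_ABSENT;
            d->losses++;
            d->low_run = 0;
        }
    } else {
        d->low_run = 0;     /* one good sample cancels the run */
    }
    return d->state;
}

/* Losses reported by the debounced detector over a whole sample sequence. */
unsigned field_losses_for(const uint32_t *mv, size_t n) {
    field_detector_t d;
    field_init(&d);
    for (size_t i = 0; i < n; i++) field_update(&d, mv[i]);
    return d.losses;
}

/* Naive single-threshold detector for comparison: any sample at or below
 * MF_FIELD_ON_MV while PRESENT counts as a loss immediately. */
unsigned naive_losses_for(const uint32_t *mv, size_t n) {
    field_state_t s = FIELD_ABSENT;
    unsigned losses = 0;
    for (size_t i = 0; i < n; i++) {
        if (s == FIELD_ABSENT) {
            if (mv[i] > MF_FIELD_ON_MV) s = FIELD_PRESENT;
        } else if (mv[i] <= MF_FIELD_ON_MV) {
            s = FIELD_ABSENT;
            losses++;
        }
    }
    return losses;
}

/* Constructed sequences (millivolts). glitchy_mv: strong field with a single
 * low reading of the kind seen in the logs above. removed_mv: the card really
 * leaves the field and the reading settles at the noise floor. */
const uint32_t glitchy_mv[] = { 9990, 9990, 8475, 300, 10022, 5639, 9603 };
const uint32_t removed_mv[] = { 9990, 9055, 150, 96, 96, 96, 64 };
#define N_OF(a) (sizeof (a) / sizeof (a)[0])

int main(void) {
    printf("glitchy: naive=%u debounced=%u\n",
           naive_losses_for(glitchy_mv, N_OF(glitchy_mv)),
           field_losses_for(glitchy_mv, N_OF(glitchy_mv)));
    printf("removed: naive=%u debounced=%u\n",
           naive_losses_for(removed_mv, N_OF(removed_mv)),
           field_losses_for(removed_mv, N_OF(removed_mv)));
    return 0;
}
```

With these numbers the naive detector reports one loss on the glitchy run and the debounced one reports none, while both report the genuine removal. Whether 4000 mV is a sensible entry level for a given antenna still has to be measured, which is the per-antenna measurement asked for above; the debounce only removes the single-sample false positives.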

buggii commented 10 years ago

http://item.taobao.com/item.htm?spm=2013.1.0.0.4zTeH4&scm=1007.10009.518.0&id=37210916744&pvid=14d6b057-4f34-4b87-961a-9b9fa407ece1
I think it is an interface in which you put a contact smartcard, and the chip inside an NFC card logs "something" (only the PIN? all the transaction?); in practice you use the interface together with a blank RFID card (which contains a memory chip or some more complex CPU <-- more probable) and then you put in the contact smartcard; so the interface is composed of the contact smartcard hardware + RFID card, in which you put a contact smartcard, and then you put everything inside a contact smartcard reader. If it logs transactions (and not only PINs) it will be a great product (logging the PIN only is possible because the card can be programmed to log only PIN-related commands).

It is produced (apparently) by the same guy who made the 1st mifare changeable UID cards (the ones requiring special command to be sector0-written).

Asper


iceman1001 commented 9 years ago

Bumping this issue again. I tried the "hf mf sim" and it's not working. If that has something to do with the discussions about field-detecting or not I leave to the hardware gurus.
But it's not working.

holiman commented 9 years ago

If you'd like to help out, you could experiment with setting MF_MINFIELDV to a lower value, first much lower, and see if it works. Then set it back up, and find out where it stops working. When you have found that, post both your antenna characteristics (voltage) and what the MF_MINFIELDV threshold for working/not working is.

iceman1001 commented 9 years ago

OK, I tried: 1000, 500, 200. It detects the tag & reader traffic but it only captures 37 bytes. It's not the detection that is the major issue. It is the sniffing. It should have been sniffing several kb of traffic.

pm3 --> hf mf sniff l e

Executing command. Press the key on the proxmark3 device to abort both proxmark3 and client. Press the key on pc keyboard to abort the client.
...> received trace len: 37 packages: 1
tag select uid:46 b8 77 b1 atqa:0x0f01 sak:0x01
RDR(1):50 00 57 cd

holiman commented 9 years ago

This bug is about hf mf sim. It would be good if we could keep different issues apart...

holiman commented 9 years ago

The reason being that for sim, the issue may be that the simulator finds the reader-field to be too weak, and does not start simming (or aborts sim). For sniffing, I think the mechanism is a bit different, probably with a different root cause. If we could

a) verify that MF_MINFIELDV is indeed the problem and
b) find an empirically good value which works for most common antennas,

Then we could probably close this.

holiman commented 9 years ago

Oh, and don't forget to submit your antenna characteristics.

iceman1001 commented 9 years ago

The detection is working with piwi's 4000. The problem with "hf mf sim" is that it doesn't capture all traffic between reader and tag. When I compare a trace from hf14asim vs hfmfsim there is several commands that the "hfmfsim" missed. When I look at the response on the reader, the reaction is much faster with "hf14asim".. I'm sniffing a wii-portal (skylanders) and a toytag. So the visual response from the reader is shown on the screen. You can see the difference. I'm guessing here, but could it be that the "hfmfsim" is slower with the decoding parts?

MF_MINFIELDV 500, 1000, 2000, 4000

LF antenna: 0.00 V @ 125.00 kHz
LF antenna: 0.00 V @ 134.00 kHz
LF optimal: 0.00 V @ 12000.00 kHz
HF antenna: 11.73 V @ 13.56 MHz

iceman1001 commented 9 years ago

You can see from the tag-response (01020304) nonce that there is reader/tag communication missing. And the time is off, so it looks like the "auth" part of the "hfmfsim" code is too slow but the reader seems to accept it and tries to read a block.

-- trace snippet --

      Start |       End | Src | Data (! denotes parity error)       | CRC | Annotation
 -----------|-----------|-----|-------------------------------------|-----|--------------
          0 |       992 | Rdr | 52                                  |     | WUPA
       2612 |      4980 | Tag | 01  0f                              |     |
      11806 |     14270 | Rdr | 93  20                              |     | ANTICOLL
      15890 |     21714 | Tag | 46  b2  77  01  82                  |     |
      31782 |     42246 | Rdr | 93  70  46  b2  77  01  82  d3  c9  |     | ANTICOLL
      43866 |     47450 | Tag | 01  77  40                          |     |
      53454 |     58222 | Rdr | 50  00  57  cd                      |     | HALT
     200686 |    201742 | Rdr | 26                                  |     | REQA
     472450 |    473442 | Rdr | 52                                  |     | WUPA
     475062 |    477430 | Tag | 01  0f                              |     |
     485946 |    496410 | Rdr | 93  70  46  b2  77  01  82  d3  c9  |     | ANTICOLL
     497902 |    501486 | Tag | 01  77  40                          |     |
     516702 |    521406 | Rdr | 60  00  f5  7b                      |     | AUTH-A
     525714 |    530450 | Tag | 01  02  03  04                      |     |
     683342 |    688110 | Rdr | 30  00  02  a8                      |     | READBLOCK(0)
    2321694 |   2322686 | Rdr | 52                                  |     | WUPA
    2324242 |   2326610 | Tag | 01  0f                              |     |
    2335204 |   2345668 | Rdr | 93  70  46  b2  77  01  82  d3  c9  |     | ANTICOLL

buggii commented 9 years ago

Well after the auth there must be the crypto sequence, not 01020304...


pwpiwi commented 9 years ago

@iceman: just to be sure: your hf list is after hf mf sim? missing tag responses (like in your case) could indeed be an indicator of a false positive field loss detection.

hf mf sim is indeed "slower". hf 14a sim uses "precompiled" responses (see prepare_tag_modulation()).

Oh, and btw, the 4000 are not "mine". They had been there before I started digging into the code and I still try to understand what the correct value would be.

marshmellow42 commented 9 years ago

is it possible to either, log when a tag disconnects (drops below 4000) or make a command to read out that value so we can do some "testing" on the value to see if it should be adjusted ( and/or see if one antenna works a lot differently than another )?

iceman1001 commented 9 years ago

@buggii , the tag-nonce can be anything. especially since we are in control of it.
@pwpiwi yes, the list is after the sim. and you made a compelling argument for the 4000 so I consider it yours ;) even if it was there since Roel.
@marshmellow42 the print if drops below is a good suggestion. I will try that.

iceman1001 commented 9 years ago

Now, that's interesting. The value is not towards zero, Holiman. Good to know.

pm3 --> hf mf sim u 46b877b1
uid:46 b8 77 b1 , numreads:0, flags:2 (0x02)
#db# 4B UID: 46b877b1
#db# field dropped below limit 4000 - value 9990
#db# field dropped below limit 4000 - value 9990
#db# field dropped below limit 4000 - value 8475
#db# field dropped below limit 4000 - value 10022
#db# field dropped below limit 4000 - value 10022
#db# field dropped below limit 4000 - value 5639
#db# field dropped below limit 4000 - value 9603
#db# field dropped below limit 4000 - value 9603
#db# field dropped below limit 4000 - value 9055
#db# field dropped below limit 4000 - value 7541
#db# field dropped below limit 4000 - value 9055
#db# field dropped below limit 4000 - value 6638
#db# field dropped below limit 4000 - value 7541
#db# field dropped below limit 4000 - value 4737
#db# field dropped below limit 4000 - value 9603
#db# field dropped below limit 4000 - value 4253
#db# field dropped below limit 4000 - value 9055
#db# field dropped below limit 4000 - value 7218
#db# field dropped below limit 4000 - value 9055
#db# field dropped below limit 4000 - value 9055
#db# field dropped below limit 4000 - value 4576
#db# field dropped below limit 4000 - value 8733
#db# field dropped below limit 4000 - value 9055
#db# field dropped below limit 4000 - value 8991
#db# field dropped below limit 4000 - value 9055
#db# Emulator stopped. Tracing: 0 trace length: 2997

iceman1001 commented 9 years ago

Tried: 6000.

pm3 --> hf mf sim u 46b877b1 x
uid:46 b8 77 b1 , numreads:0, flags:10 (0x0a)
#db# 4B UID: 46b877b1
#db# field dropped below limit 6000 - value 9796
#db# field dropped below limit 6000 - value 8701
#db# field dropped below limit 6000 - value 8991
#db# Failed to obtain two AR/NR pairs!
#db# Emulator stopped. Tracing: 0 trace length: 2994

pm3 --> hf list 14a Recorded Activity

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer iso14443a - All times are in carrier periods (1/13.56Mhz) iClass - Timings are not as accurate

 Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |

-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|

     0 |       992 | Rdr | 52                                                              |     | WUPA
  2612 |      4980 | Tag | 01  0f                                                          |     |
 12450 |     14914 | Rdr | 93  20                                                          |     | ANTICOLL
 16598 |     22486 | Tag | 46  b8  77  b1  38                                              |     |
 32292 |     42756 | Rdr | 93  70  46  b8  77  b1  38  c2  35                              |     | ANTICOLL
 44376 |     47960 | Tag | 01  77  40                                                      |     |
 54508 |     59276 | Rdr | 50  00  57  cd                                                  |     | HALT
200748 |    201804 | Rdr | 26                                                              |     | REQA
472640 |    473632 | Rdr | 52                                                              |     | WUPA
475188 |    477556 | Tag | 01  0f                                                          |     |
485978 |    496442 | Rdr | 93  70  46  b8  77  b1  38  c2  35                              |     | ANTICOLL
497934 |    501518 | Tag | 01  77  40                                                      |     |
517054 |    521758 | Rdr | 60  00  f5  7b                                                  |     | AUTH-A
526258 |    530994 | Tag | 01  02  03  04                                                  |     |
683964 |    688732 | Rdr | 30  00  02  a8                                                  |     | READBLOCK(0)


iceman1001 commented 9 years ago

The more I look at it, the more it looks like it is somewhere in what happens just after Auth-A, since the reader is responding very fast (when I look at a sniffed trace). It seems to be too slow.

holiman commented 9 years ago

Hmm... " field dropped below limit 4000 - value 9990"

I don't understand.. 9990 is above 4000...?? Or is one of them hex and the other base 10? Also, one thing to be aware of is debug printouts in the middle of tag-to-reader communications. The USB operation stalls the ARM for a while, so be careful not to disturb the sequence with too many of those.

Also, my original report is that this happened after r845. r845 had nothing to do with HF_MINFIELD, but something else appears to have happened there.

iceman1001 commented 9 years ago

Looking at the Google Code SVN, it looks like Holiman's r841 -> r842 made some major changes in "hf mf sim"; r843, r844 and r845 are minor changes.

holiman commented 9 years ago

r845 is minor?? https://code.google.com/p/proxmark3/source/detail?r=845

Anyway, I don't want to blame piwi or something, but I tested each revision and came to that conclusion. Don't have any more notes/evidence than are already in this bug report though. It's great if more minds are focusing on it.

iceman1001 commented 9 years ago

Well, it is minor if you look inside the "Mifare1ksim" function compared to your r842 :) It is major looking at other stuff. However, he added traces... it could be that which is messing with the timing. Or the "Emxxxxx" sending commands...

holiman commented 9 years ago

There's quite some FPGA action as well...

iceman1001 commented 9 years ago

Looking at the frame delay times: A) hf mf sim, B) hf 14a sim.

For A it's around an average of 1620, but for the Auth it is 4500. For B it's around an average of 1200, even for an Auth.

It looks like the Auth response takes too long.

--- SNIPPET A
 Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
     0 |       992 | Rdr | 52                                                              |     | WUPA
   992 |      2548 |     | fdt (Frame Delay Time): 1556
  2548 |      4916 | Tag | 01  0f                                                          |     |
 11710 |     14174 | Rdr | 93  20                                                          |     | ANTICOLL
 14174 |     15858 |     | fdt (Frame Delay Time): 1684
 15858 |     21746 | Tag | 46  b8  77  b1  38                                              |     |
 31778 |     42242 | Rdr | 93  70  46  b8  77  b1  38  c2  35                              |     | ANTICOLL
 42242 |     43926 |     | fdt (Frame Delay Time): 1684
 43926 |     47510 | Tag | 01  77  40                                                      |     |
 53436 |     58204 | Rdr | 50  00  57  cd                                                  |     | HALT
200704 |    201696 | Rdr | 52                                                              |     | WUPA
201696 |    203252 |     | fdt (Frame Delay Time): 1556
203252 |    205620 | Tag | 01  0f                                                          |     |
214436 |    224900 | Rdr | 93  70  46  b8  77  b1  38  c2  35                              |     | ANTICOLL
224900 |    226584 |     | fdt (Frame Delay Time): 1684
226584 |    230168 | Tag | 01  77  40                                                      |     |
236700 |    241468 | Rdr | 50  00  57  cd                                                  |     | HALT
377150 |    378142 | Rdr | 52                                                              |     | WUPA
378142 |    379762 |     | fdt (Frame Delay Time): 1620
379762 |    382130 | Tag | 01  0f                                                          |     |
513030 |    514022 | Rdr | 52                                                              |     | WUPA
514022 |    515642 |     | fdt (Frame Delay Time): 1620
515642 |    518010 | Tag | 01  0f                                                          |     |
526554 |    537018 | Rdr | 93  70  46  b8  77  b1  38  c2  35                              |     | ANTICOLL
537018 |    538574 |     | fdt (Frame Delay Time): 1556
538574 |    542158 | Tag | 01  77  40                                                      |     |
557474 |    562178 | Rdr | 60  00  f5  7b                                                  |     | AUTH-A
562178 |    566678 |     | fdt (Frame Delay Time): 4500
566678 |    571414 | Tag | 01  02  03  04                                                  |     |
724236 |    729004 | Rdr | 30  00  02  a8                                                  |     | READBLOCK(0)


------ SNIPPET B
 Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|
567480 |    568472 | Rdr | 52                                                              |     | WUPA
568472 |    569708 |     | fdt (Frame Delay Time): 1236
569708 |    572076 | Tag | 01  0f                                                          |     |
703634 |    704626 | Rdr | 52                                                              |     | WUPA
704626 |    705862 |     | fdt (Frame Delay Time): 1236
705862 |    708230 | Tag | 01  0f                                                          |     |
717190 |    727654 | Rdr | 93  70  46  b8  77  b1  38  c2  35                              |     | ANTICOLL
727654 |    728826 |     | fdt (Frame Delay Time): 1172
728826 |    732410 | Tag | 01  77  40                                                      |     |
748096 |    752800 | Rdr | 60  00  f5  7b                                                  |     | AUTH-A
752800 |    753972 |     | fdt (Frame Delay Time): 1172
753972 |    758708 | Tag | 01  01  01  01                                                  |     |
911644 |    916412 | Rdr | 30  00  02  a8                                                  |     | READBLOCK(0)
916412 |    918928 |     | fdt (Frame Delay Time): 2516
918928 |    937424 | Tag | 46  b8  77  b1  38  81  01  0f  c3  85  14  96  59  10  18  12  | !crc|
1070740 |   1071732 | Rdr | 52                                                              |     | WUPA

pwpiwi commented 9 years ago

It's a bit off topic, but nevertheless: fdt needs to be exact for WUPA, REQA, SELECT and ANTICOLL only (1172 or 1236). For all other commands (e.g. AUTH) it can be n * 64 + 20. Any n > 18 is OK.

hf 14a sim is faster because it uses pre-encoded tag answers (even for AUTH, which it doesn't fully support). hf mf sim encodes on the fly, which is too slow.

This would only be a problem if the reader is very fishy about the tag's answer timing on WUPA, REQA, SELECT and ANTICOLL.
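
A checker for the FDT rule stated above, run over the snippet A and B rows compared in the earlier comment (an added example, not Proxmark3 code). The command classification from the leading bytes and the choice of n = 18 (FDT 1172) as the accepted lower bound are my assumptions, the latter because snippet B's AUTH answer at 1172 was accepted by the reader:

```python
"""FDT (Frame Delay Time) check for Proxmark3 'hf list 14a' traces.

Added example, not Proxmark3 code.  Rule as pwpiwi states it above: answers to
REQA, WUPA, ANTICOLL and SELECT must come exactly 1172 or 1236 carrier periods
after the reader frame ends; other answers may come at n*64 + 20.  Assumption:
n = 18 (FDT 1172) is the accepted lower bound, as snippet B's AUTH answer used."""
import re

EXACT_FDT = {1172, 1236}
STRICT = {"REQA", "WUPA", "ANTICOLL", "SELECT"}
# Start | End | Src | Data | CRC | Annotation  -- the fdt rows have an empty Src
ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|\s*([0-9a-f ]*?)\s*\|")

# Rows copied from snippet A (hf mf sim, answers encoded on the fly).
SNIPPET_A = """\
     0 |       992 | Rdr | 52                                  |     | WUPA
   992 |      2548 |     | fdt (Frame Delay Time): 1556
  2548 |      4916 | Tag | 01  0f                              |     |
 11710 |     14174 | Rdr | 93  20                              |     | ANTICOLL
 15858 |     21746 | Tag | 46  b8  77  b1  38                  |     |
 31778 |     42242 | Rdr | 93  70  46  b8  77  b1  38  c2  35  |     | ANTICOLL
 43926 |     47510 | Tag | 01  77  40                          |     |
 53436 |     58204 | Rdr | 50  00  57  cd                      |     | HALT
557474 |    562178 | Rdr | 60  00  f5  7b                      |     | AUTH-A
566678 |    571414 | Tag | 01  02  03  04                      |     |
"""
# Rows copied from snippet B (hf 14a sim, pre-encoded answers).
SNIPPET_B = """\
567480 |    568472 | Rdr | 52                                  |     | WUPA
569708 |    572076 | Tag | 01  0f                              |     |
717190 |    727654 | Rdr | 93  70  46  b8  77  b1  38  c2  35  |     | ANTICOLL
728826 |    732410 | Tag | 01  77  40                          |     |
748096 |    752800 | Rdr | 60  00  f5  7b                      |     | AUTH-A
753972 |    758708 | Tag | 01  01  01  01                      |     |
911644 |    916412 | Rdr | 30  00  02  a8                      |     | READBLOCK(0)
918928 |    937424 | Tag | 46  b8  77  b1  38  81  01  0f  c3  85  14  96  59  10  18  12 | !crc|
"""

def parse_rows(text):
    """(start, end, src, data bytes) per Rdr/Tag row; the fdt rows are skipped."""
    out = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        s, e, src, data = m.groups()
        out.append((int(s), int(e), src, data.split()))
    return out

def classify(cmd):
    """Name a reader command by its leading bytes (pm3 annotates 93 70 as ANTICOLL)."""
    for prefix, name in (("26", "REQA"), ("52", "WUPA"), ("93 20", "ANTICOLL"),
                         ("93 70", "SELECT"), ("60", "AUTH-A"), ("61", "AUTH-B"),
                         ("30", "READBLOCK"), ("50 00", "HALT")):
        if " ".join(cmd).startswith(prefix):
            return name
    return "OTHER"

def fdt_ok(name, fdt, min_n=18):
    """Exact timing for the strict commands; any n*64 + 20 with n >= min_n otherwise."""
    if name in STRICT:
        return fdt in EXACT_FDT
    n, rem = divmod(fdt - 20, 64)
    return rem == 0 and n >= min_n

def check_trace(text):
    """[(command, fdt, ok)] for each reader frame followed by a tag answer.
    fdt = tag start - reader end, exactly as the trace's own fdt rows compute it."""
    rows = parse_rows(text)
    results = []
    for cur, nxt in zip(rows, rows[1:]):
        if cur[2] == "Rdr" and nxt[2] == "Tag":
            name, fdt = classify(cur[3]), nxt[0] - cur[1]
            results.append((name, fdt, fdt_ok(name, fdt)))
    return results

def mean_fdt_by_cmd(results):
    """Average FDT per command: the A-versus-B comparison made earlier in the thread."""
    by_cmd = {}
    for name, fdt, _ in results:
        by_cmd.setdefault(name, []).append(fdt)
    return {name: sum(v) / len(v) for name, v in by_cmd.items()}
```

Run over the embedded rows, snippet A fails the exact check on every WUPA/ANTICOLL/SELECT answer (1556 and 1684) while its AUTH answer at 4500 passes; snippet B passes throughout.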

iceman1001 commented 9 years ago

Is there no upper limit for ( n * 64 + 20 ) before the reader resets the communication and starts over?

I don't think the reader is very strict, seeing that it continues down the select path. However, our simulated response and answer to the reader is never caught in the trace. I can't figure out if it is sent or if the reader resets before it receives it.

pwpiwi commented 9 years ago

You are trailing off again. This is about hf mf sim and MF_MINFIELDV, not about the Skylander toy.

iceman1001 commented 9 years ago

Well, I disagree with you there. It is about "hf mf sim" not working. The MF_MINFIELDV issue is the side thread.

When I test "hf mf sim" against a reader (in this case the portal) the command is not working. No more to it. It seems to have been like that since r845; I can't verify it, so I let that stand for @holiman.

I only want the "hf mf sim" command to work against any randomly selected reader. If someone here can give insights to get it back to working, that would be nice.

pwpiwi commented 9 years ago

@iceman1001: I just want to propose not to use tags and readers which we currently don't fully understand if we are looking for sim or snoop issues. How should we know if unexpected behaviour isn't caused by the tag or reader?

iceman1001 commented 9 years ago

Well, given that this issue was registered on 2 April 2014, I would like to wait for someone who has a standard reader available and wants to look into it, but there seems not to be too much interest in it given the start date. But I guess you are right, I'll wait until someone else looks into this issue again. However, meanwhile it sure would be nice of the one who did r845 to give some feedback on what was done.

holiman commented 9 years ago

I re-read my original report, and the steps I took to investigate. I found one odd thing, which I also mentioned earlier, but which we kind of dropped.

Currently, in mf sim, we do a field detection:

    // find reader field
    // Vref = 3300mV, and an 10:1 voltage divider on the input
    // can measure voltages up to 33000 mV
    if (cardSTATE == MFEMUL_NOFIELD) {
        vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
        if (vHf > MF_MINFIELDV) {
            cardSTATE_TO_IDLE();
            LED_A_ON();
        }
    } 

If the field detection is OK, it continues reading the tag, using the method EmGetCmd:

    res = EmGetCmd(receivedCmd, &len, receivedCmd_par);

The method EmGetCmd also checks the reader field, using what appears to be a more complex/elaborate construct:

    // Set ADC to read field strength
    AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
    AT91C_BASE_ADC->ADC_MR =
                ADC_MODE_PRESCALE(32) |
                ADC_MODE_STARTUP_TIME(16) |
                ADC_MODE_SAMPLE_HOLD_TIME(8);
    AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
    // start ADC
    AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
    [...]
    if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
        analogCnt++;
        analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
        AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
        if (analogCnt >= 32) {
            if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
                vtime = GetTickCount();
                if (!timer) timer = vtime;
                // 50ms no field --> card to idle state
                if (vtime - timer > 50) return 2;
            } else
                if (timer) timer = 0;
            analogCnt = 0;
            analogAVG = 0;
        }
    }

Thus, for some reason, we are using two different implementations of checking if the field exists. If a field loss is detected by EmGetCmd, we continue with the same (?) state as if it had happened in the check before:

    res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
    if (res == 2) { //Field is off!
        cardSTATE = MFEMUL_NOFIELD;
        LEDsoff();
        continue;

From what I could tell in my earlier comment on April 3rd, I got better results with only the latter field-check.

Any ideas why there are two such checks?

I'm a bit busy with other parts of the code now, but I'll try to experiment a bit more with this when I get the time.

iceman1001 commented 9 years ago

I've dived into the EmSendCmd route.

EmSendCmd -> EmSendCmdExPar -> EmSendCmd14443aRaw, where I find https://github.com/Proxmark/proxmark3/blob/master/armsrc/iso14443a.c#L1513. What is the purpose of this double while?

    // clear receiving shift register and holding register
    while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
    b = AT91C_BASE_SSC->SSC_RHR; (void) b;
    while(!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY));
    b = AT91C_BASE_SSC->SSC_RHR; (void) b;

pwpiwi commented 9 years ago

@holiman: in fact both checks are implemented roughly the same way. Have a look at AvgAdc(). However AvgAdc() waits for 32 samples before it returns the average. The implementation in EmGetCmd doesn't.

@iceman1001: both while loops do the same: they wait for the READY signal, the following command then reads the holding register. Both shift and holding register may contain rubbish which is cleared by two reads.

iceman1001 commented 9 years ago

@pwpiwi but why are they the same? On other places I've seen "SSC_RHR" / "SSC_THR" being cleared.

pwpiwi commented 9 years ago

On other places we just clear the already triggered RDY signals to get the timing right. Here we want to get rid of void data in the registers.