Proxmark / proxmark3

Proxmark 3
http://www.proxmark.org/
GNU General Public License v2.0

hf mf sim bug #412

Closed maxben14 closed 6 years ago

maxben14 commented 7 years ago

I try to emulate a Mifare Classic and read it through my smartphone with the Android MCT apk.

```
proxmark3> hf mf sim n 0
mf 1k sim uid: N/A, numreads:0, flags:0 (0x00)
db# 7B UID: 04 53 5d 42 a7 49 80
db# Reader tried to operate (0x30) on out of range block: 222 (0xde), nacking
db# Emulator stopped. Tracing: 1 trace length: 27908
```

```
proxmark3> hf list 14a
.......
188213078 | 188215446 | Tag | 44 00 | |
188224958 | 188235486 | Rdr | 93 70 88 04 53 5d 82 17 d3 | ok | SELECT_UID
188236978 | 188240498 | Tag | 04 da 17 | |
188243234 | 188245698 | Rdr | 95 20 | | ANTICOLL-2
188247382 | 188253270 | Tag | 42 a7 49 80 2c | |
188257314 | 188267842 | Rdr | 95 70 42 a7 49 80 2c 2d 5e | ok | ANTICOLL-2
188269398 | 188272918 | Tag | 08 b6 dd | |
188503146 | 188507914 | Rdr | 61 00 2d 62 | ok | AUTH-B(0)
188512414 | 188517150 | Tag | 01 02 03 04 | |
188521244 | 188530620 | Rdr |95! cb! 40 8c 0f! 84 ec 75 | !crc| ANTICOLL-2
188539152 | 188543824 | Tag | e7 86 42 2d | |
188614336 | 188619104 | Rdr | 30 de 37 97 | !crc| READBLOCK(222)
188622644 | 188623284 | Tag | 07 | |
188826048 | 188827040 | Rdr | 52 | | WUPA
188828596 | 188830964 | Tag | 44 00 | |
188839586 | 188850114 | Rdr | 93 70 88 04 53 5d 82 17 d3 | ok | SELECT_UID
188851670 | 188855190 | Tag | 04 da 17 | |
188857926 | 188860390 | Rdr | 95 20 | | ANTICOLL-2
188862074 | 188867962 | Tag | 42 a7 49 80 2c | |
188872006 | 188882534 | Rdr | 95 70 42 a7 49 80 2c 2d 5e | ok | ANTICOLL-2
188884090 | 188887610 | Tag | 08 b6 dd | |
188977072 | 188981840 | Rdr | 50 00 57 cd | ok | HALT
................
```

I try to decrypt this with mfkey32:

```
C:\prox\ProxSpace\pm3\tools\mfkey>mfkey64 42a74980 01020304 95cb408c 0f84ec75 e786422d 30de3797
MIFARE Classic key recovery - based on 64 bits of keystream
Recover key from only one complete authentication!

Recovering key for:
    uid: 42a74980
     nt: 01020304
   {nr}: 95cb408c
   {ar}: 0f84ec75
   {at}: e786422d
 {enc0}: 30de3797

LFSR successors of the tag challenge:
  nt' : 20f8ed56
  nt'': 3c2bcdad
Time spent in lfsr_recovery64(): 0.14 seconds

Keystream used to generate {ar} and {at}:
    ks2: 2f7c0123
    ks3: dbad8f80

Decrypted communication:
 {dec0}: 500057cd

Found Key: [a0a1a2a3a4a5]
```

I found a bug in this command. Why does proxmark think that 30 de 37 97 is decrypted communication? After authorization, all communication is encrypted, and this is actually the HALT command 50 00 57 cd.

And a second problem with MCT: "Error: None of the keys were valid for reading." MCT often returns an error when authorizing, when I hold a proxmark simulating a Classic card to the phone. I tried it with an ACR122; everything works well there.

pwpiwi commented 7 years ago

The hf mf sim command needs some work for the real simulation part (e.g. reading a block, writing a block - I don't think that this ever worked). However, WUPA, REQA, SELECT, HALT and the crypto1 authentication should work (i.e. those parts required to collect data for mfkey 🙁 ).

Which version do you use? Please post the output of hw ver.

maxben14 commented 7 years ago

```
proxmark3> hw version
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-94-g77aecdd2-dirty-suspect 2017-10-06 12:33:13
os: master/v3.0.1-94-g77aecdd2-dirty-suspect 2017-10-06 18:09:22
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/07/13 at 08:44:13

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 198800 bytes (76%). Free: 63344 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
```

maxben14 commented 7 years ago

Before the command hf mf sim n 0, I load a 1k card dump from the file ff.eml with the command hf mf eload ff.

```
proxmark3> hf mf eload ff
................................................................
Loaded 64 blocks from file: ff.eml
proxmark3> hf mf sim n 0
mf 1k sim uid: N/A, numreads:0, flags:0 (0x00)
db# 4B UID: 0eb7d9b7
```

ff.eml file content

pwpiwi commented 7 years ago

You indeed discovered two bugs. This is what happened:

So there are two bugs I am going to fix:

I stand corrected: the Mifare Classic commands simulation (read/write block, INC, DEC, etc) should work.

ToDo: Take Access Conditions into account when simulating. Currently they are ignored.

maxben14 commented 7 years ago

Okay, it's good. @pwpiwi, but how to deal with the smartphone reader, why did it send a HALT? This is a timing problem; is it possible to somehow speed up the implementation of the crypto1 algorithm, for example with OpenMP?

pwpiwi commented 7 years ago

I don't think that it is a timing problem. The only critical timings are during the anticollision phase, when all cards in the reader field must respond at the same time. The responses during the authentication have to be sent between 71us and 1ms after the reader command is received.

The AUTH-B command ended at 188507914 and the tag started to respond at 188512414. This is a delay of 4500 * 1/13.56MHz = 332us, which is well within the specified limits.

The reader challenge ended at 188530620 and the tag started to respond at 188539152. Again, the delay of 8532 * 1/13.56MHz = 629us is absolutely compliant with the specs.

You wrote that the simulation works against an ACR122. Wouldn't that indicate that the fault is with MCT? Did you compare the ACR122 and MCT traces?
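The timing check pwpiwi does by hand above, as an added example that is not part of proxmark3: it parses `hf list 14a` records (the three reader/tag pairs from the trace at the top of the thread, plus one constructed out-of-window pair), converts the gap between the end of a reader command and the start of the tag reply from carrier periods to microseconds, and flags replies outside the 71 us .. 1 ms window the comment cites. The record format and the window are taken from the thread; the added pair and the helper names are assumptions.

```python
# Added example (not proxmark3 code): response-delay check over hf list 14a trace lines.
import re

CARRIER_HZ = 13.56e6               # ISO 14443 carrier; Start/End columns are carrier periods
MIN_US, MAX_US = 71.0, 1000.0      # reply window quoted by pwpiwi for the authentication phase

# Lines copied from the trace in this issue, one record per line, followed by one
# constructed pair (not from any trace) whose reply arrives 20000 periods late.
TRACE = """\
188503146 | 188507914 | Rdr | 61 00 2d 62 | ok | AUTH-B(0)
188512414 | 188517150 | Tag | 01 02 03 04 | |
188521244 | 188530620 | Rdr |95! cb! 40 8c 0f! 84 ec 75 | !crc| ANTICOLL-2
188539152 | 188543824 | Tag | e7 86 42 2d | |
188614336 | 188619104 | Rdr | 30 de 37 97 | !crc| READBLOCK(222)
188622644 | 188623284 | Tag | 07 | |
# constructed: a reply 20000 periods (about 1.47 ms) after the command ends
200000000 | 200004768 | Rdr | 50 00 57 cd | ok | HALT
200024768 | 200025408 | Tag | 0a | |
"""

LINE_RE = re.compile(
    r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|\s*([0-9a-f! ]*?)\s*\|\s*([^|]*)\|\s*(.*)$"
)


def parse_trace(text: str) -> list:
    """Parse 'Start | End | Src | Data | CRC | Annotation' lines; skip anything else."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        start, end, src, data, crc, note = m.groups()
        records.append({"start": int(start), "end": int(end), "src": src,
                        "data": data.strip(), "crc": crc.strip(), "note": note.strip()})
    return records


def periods_to_us(periods: int) -> float:
    return periods / CARRIER_HZ * 1e6


def response_delays(records: list) -> list:
    """For every reader command directly followed by a tag reply, report the gap between
    the command's End and the reply's Start, and whether it lies inside the window."""
    out = []
    for cmd, reply in zip(records, records[1:]):
        if cmd["src"] == "Rdr" and reply["src"] == "Tag":
            periods = reply["start"] - cmd["end"]
            us = periods_to_us(periods)
            out.append({"cmd": cmd["data"], "note": cmd["note"], "reply": reply["data"],
                        "periods": periods, "us": round(us, 1),
                        "in_window": MIN_US <= us <= MAX_US})
    return out


if __name__ == "__main__":
    for d in response_delays(parse_trace(TRACE)):
        flag = "ok" if d["in_window"] else "OUT OF WINDOW"
        print(f'{d["note"]:14} -> {d["reply"]:12} {d["periods"]:6d} periods = {d["us"]:7.1f} us  {flag}')
```

Run on the embedded trace it reproduces the 4500-period (332 us) and 8532-period (629 us) delays from the comment and flags only the constructed late reply. To check a trace of your own, paste the `hf list 14a` output into `TRACE` one record per line (the GitHub rendering above has several records run together on one line).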

maxben14 commented 7 years ago

Yes, I did compare the ACR122 and MCT. ACR122:

```
23858198 | 23860566 | Tag | 04 00 | |
23873862 | 23884326 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
23886010 | 23889530 | Tag | 08 b6 dd | |
26918380 | 26919372 | Rdr | 52 | | WUPA
26920928 | 26923296 | Tag | 04 00 | |
26936640 | 26947104 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
26948596 | 26952116 | Tag | 08 b6 dd | |
29981000 | 29981992 | Rdr | 52 | | WUPA
29983548 | 29985916 | Tag | 04 00 | |
29999276 | 30009740 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
30011360 | 30014880 | Tag | 08 b6 dd | |
33043746 | 33044738 | Rdr | 52 | | WUPA
33046294 | 33048662 | Tag | 04 00 | |
33061958 | 33072422 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
33074106 | 33077626 | Tag | 08 b6 dd | |
35303750 | 35308454 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
35312954 | 35317690 | Tag | 01 02 03 04 | |
35319084 | 35328396 | Rdr | c9 95! 90! 5d! 71! ec f1 df! | !crc| ?
35337056 | 35341728 | Tag | 84 35 42 93 | |
35546696 | 35551464 | Rdr |30! 00! 02 a8 | ok | READBLOCK(0)
35565884 | 35586684 | Tag |ce! bc! f5 34! df! ee 09! 78 bc 1f b5 f3! 59! 88! 54 2f! | |
         |          |     | a6 36 | !crc|
46721152 | 46722144 | Rdr | 52 | | WUPA
46723700 | 46726068 | Tag | 04 00 | |
46739428 | 46749892 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
46751384 | 46754904 | Tag | 08 b6 dd | |
49783722 | 49784714 | Rdr | 52 | | WUPA
49786334 | 49788702 | Tag | 04 00 | |
49801870 | 49812334 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48
```

NFC console: I try the commands 60 00 key uid & 30 00, and in the Android console apk this works.

```
10816438 | 10818806 | Tag | 04 00 | |
10827366 | 10837830 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
10839514 | 10843034 | Tag | 08 b6 dd | |
11064064 | 11068832 | Rdr | 50 00 57 cd | ok | HALT
11111676 | 11112668 | Rdr | 52 | | WUPA
11114224 | 11116592 | Tag | 04 00 | |
11126056 | 11136520 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
11138140 | 11141660 | Tag | 08 b6 dd | |
12974336 | 12979104 | Rdr | 50 00 57 cd | ok | HALT
13021288 | 13022280 | Rdr | 52 | | WUPA
13023836 | 13026204 | Tag | 04 00 | |
13035650 | 13046114 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
13047734 | 13051254 | Tag | 08 b6 dd | |
14619024 | 14635248 | Rdr | 60 00 a0 a1 a2 a3 a4 a5 0e b7 d9 b7 e3 a0 | ok | AUTH-A(0)
19298428 | 19303196 | Rdr | 30 00 02 a8 | ok | READBLOCK(0)
19315568 | 19336368 | Tag | 0e b7 d9 b7 d7 08 04 00 62 63 64 65 66 67 68 69 | |
         |          |     | 9c 1e | ok |
19564136 | 19568904 | Rdr | 30 01 8b b9 | ok | READBLOCK(1)
19581148 | 19602012 | Tag | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
         |          |     | 37 49 | ok |
19798366 | 19803070 | Rdr | 30 02 10 8b | ok | READBLOCK(2)
19815442 | 19836306 | Tag | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
         |          |     | 37 49 | ok |
20024580 | 20029284 | Rdr | 30 03 99 9a | ok | READBLOCK(3)
20041784 | 20062584 | Tag | a0 a1 a2 a3 a4 a5 78 77 88 00 a0 a1 a2 a3 a4 a5 | |
         |          |     | f3 c3 | ok |
21818864 | 21823632 | Rdr | 50 00 57 cd | ok | HALT
21866498 | 21867490 | Rdr | 52 | | WUPA
21869110 | 21871478 | Tag | 04 00 | |
21881056 | 21891520 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
21892884 | 21896404 | Tag | 08 b6 dd | |
23645472 | 23650240 | Rdr | 50 00 57 cd | ok | HALT
23693854 | 23694846 | Rdr | 52 | | WUPA
23696402 | 23698770 | Tag | 04 00 | |
23708348 | 23718812 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
23720176 | 23723696 | Tag | 08 b6 dd | |
25472816 | 25477584 | Rdr | 50 00 57 cd | ok | HALT
25520458 | 25521450 | Rdr | 52 | | WUPA
25523198 | 25525566 | Tag | 04 00 | |
25534888 | 25545352 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
25546972 | 25550492 | Tag | 08 b6 dd | |
27298960 | 27303728 | Rdr | 50 00 57 cd | ok | HALT
27346598 | 27347590 | Rdr | 52 | | WUPA
27349210 | 27351578 | Tag | 04 00 | |
27361028 | 27371492 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
27373112 | 27376632 | Tag | 08 b6 dd
```

MCT:

```
25587658 | 25590026 | Tag | 04 00 | |
25598650 | 25609114 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
25610734 | 25614254 | Tag | 08 b6 dd | |
25698752 | 25703520 | Rdr | 50 00 57 cd | ok | HALT
25746418 | 25747410 | Rdr | 52 | | WUPA
25749030 | 25751398 | Tag | 04 00 | |
25760976 | 25771440 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
25772804 | 25776324 | Tag | 08 b6 dd | |
25843180 | 25847948 | Rdr | 61 00 2d 62 | ok | AUTH-B(0)
25852256 | 25856992 | Tag | 01 02 03 04 | |
25861108 | 25870420 | Rdr | b6 bf 11! 46 0f! 3a 42 e4 | !crc| ?
25879080 | 25883752 | Tag | 1e d6 bc fa | |
25927952 | 25932720 | Rdr |a7! bb c0! db! | !crc| ?
25936260 | 25936900 | Tag | 07 | |
26034064 | 26035056 | Rdr | 52 | | WUPA
26036612 | 26038980 | Tag | 04 00 | |
26047574 | 26058038 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
26059722 | 26063242 | Tag | 08 b6 dd | |
26129632 | 26134400 | Rdr | 50 00 57 cd | ok | HALT
26177330 | 26178322 | Rdr | 52 | | WUPA
26179878 | 26182246 | Tag | 04 00 | |
26191666 | 26202130 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
26203814 | 26207334 | Tag | 08 b6 dd | |
27957072 | 27961840 | Rdr | 50 00 57 cd | ok | HALT
28004786 | 28005778 | Rdr | 52 | | WUPA
28007334 | 28009702 | Tag | 04 00 | |
28019122 | 28029586 | Rdr | 93 70 0e b7 d9 b7 d7 dc 48 | ok | SELECT_UID
28031270 | 28034790 | Tag | 08 b6 dd | |
29783968 | 29788736 | Rdr | 50 00 57 cd | ok | HALT
29832372 | 29833364 | Rdr | 52
```

I see many HALT commands in the logs from MCT and the Android console apk, and I don't see HALT in the ACR122 log.

iceman1001 commented 7 years ago

SIM: Not sure if I agree with the idea that the sim trace should always show raw data.

HALT: The concept that a Mifare reader sends an un-encrypted HALT while being in the authenticated state seems more like an implementation bug in the reader software than a PM3 bug. It comes down to protocol: in iso14443a it should be un-encrypted, but the Mifare addition protocol above the 14a protocol has its own quirks. So the answer to how a HALT command should be implemented for Mifare should be in their documents. Not sure Mifare implementations are following the protocol.

maxben14 commented 7 years ago

@iceman1001, the main question is: why doesn't any Android application want to read the proxmark in Classic emulation mode?

pwpiwi commented 7 years ago

@maxben14: your traces show two more bugs in hf mf sim:

@iceman1001: A trace should always be raw data because it can be interpreted in different ways. Interpreting traces is the task of the hf list commands. Decrypting encrypted data should be done there if necessary (e.g. with a new hf list mf)

iceman1001 commented 7 years ago

hf list mf: yeap, that would be good; I've been thinking about it for some years, never got around to doing it. The problem would be that the list command does have the key needed to decrypt while the sim has it, and starting to call list with a key seems not optimal. I do agree that "hf list 14a" or "hf 14a reader" does too much. A "hf mf info" command would also be better. A side note to the actual subject.

-- A CRC check on the decrypted command will solve the wrong answer to HALT. That will ensure PM3 doesn't do wrong. We can NOT guarantee the Android or ACR122 implementations are correct as it looks now.
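The CRC check proposed here, applied to the frames maxben14 questioned at the top of the thread, as an added example that is not part of proxmark3: ISO/IEC 14443-3 CRC_A (init 0x6363, polynomial 0x8408 reflected, low byte sent first) is computed over the command bytes and compared with the two trailing bytes. The frame the simulator took for READBLOCK(222), `30 de 37 97`, fails the check, while its mfkey64 decryption `50 00 57 cd` and the plain-text commands in the traces pass, which is how a simulator can tell an encrypted frame from a clear one before acting on it. The frames are copied from the traces above; the function names are assumptions.

```python
# Added example (not proxmark3 code): ISO/IEC 14443-3 Annex B CRC_A over frames from this thread.

def crc_a(data: bytes) -> int:
    """CRC_A: initial value 0x6363, reflected polynomial 0x8408, no final XOR."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    return crc & 0xFFFF


def crc_a_bytes(data: bytes) -> bytes:
    """CRC_A in transmission order (low byte first), as it appears at the end of a frame."""
    crc = crc_a(data)
    return bytes([crc & 0xFF, crc >> 8])


def frame_crc_ok(frame: bytes) -> bool:
    """True if the last two bytes of frame are the CRC_A of the bytes before them."""
    if len(frame) < 3:
        return False
    return crc_a_bytes(frame[:-2]) == frame[-2:]


def parse_hex(trace_field: str) -> bytes:
    """Turn an hf list data field such as '30 de 37 97' into bytes (parity markers '!' dropped)."""
    return bytes.fromhex(trace_field.replace("!", ""))


# Frames copied from the hf list 14a output in this issue.
FRAMES = {
    "HALT, decrypted by mfkey64":        "50 00 57 cd",
    "READBLOCK(0)":                      "30 00 02 a8",
    "AUTH-A(0)":                         "60 00 f5 7b",
    "AUTH-B(0)":                         "61 00 2d 62",
    "AUTH-A(1)":                         "60 01 7c 6a",
    "on-air bytes taken as READBLOCK(222)": "30 de 37 97",
}


def check_frames(frames: dict = FRAMES) -> dict:
    """Map each frame description to whether its CRC_A is valid."""
    return {name: frame_crc_ok(parse_hex(hexs)) for name, hexs in frames.items()}


if __name__ == "__main__":
    for name, ok in check_frames().items():
        print(f"{name:38} {'ok' if ok else '!crc'}")
```

A simulator that applies `frame_crc_ok` to whatever it has after decryption (or to the raw bytes when it is not in an authenticated state) will NACK `30 de 37 97` instead of answering it as a block read, and accept the HALT once the bytes are decrypted with the sector key.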

merlokk commented 7 years ago

As I remember, there is no problem decrypting the first authentication command, but there is a problem decrypting the next.

pwpiwi commented 7 years ago

I have raised PR #419 which should fix the issues I have mentioned above. Please give it a try.

pwpiwi commented 7 years ago

@maxben14: could you please run your tests again with PR #419 and post the results here?

pwpiwi commented 7 years ago

@maxben14: changes are committed. Looking forward to your results...

cjbrigato commented 7 years ago

So far so good, it works very well... **depending on the device.**

Same device from the same manufacturer, same year... same firmware...

Anyway, the fix from @pwpiwi is absolutely crazy on my side... I'm able to chain successful reader attacks in the wild in 1~3 tries with less than 1 sec of communication, ensuring a good 20% success in finding at least a B key (depending on the UID chosen, because of the Vigik system: if it can't authenticate with the A key, it will try RSA-signed service codes/values from the B block, whatever).

However, it will still ALWAYS fail against a standard reader because of a very simple thing 👍 - when authenticated, whether with the B or the A key, hf mf sim ALWAYS gives something like

```
a6 7f 8b f5 a7 88 04 00 46 8e 45 59 61 10 50 04
01 07 4e 00 00 00 00 00 00 00 00 00 00 00 00 00
55 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00
88 29 da 9d af 76 7f 07 88 00 88 29 da 9d af 76
```

So yes, @pwpiwi, access bit conditions are not followed... If I'm not mistaken, whatever the access bits are for any sector, the A key can never be read. At the very least, the device should never send a sector trailer which doesn't start with "00 00 00 00 00 00"...

This little fix should be enough to make the device work in more than 50% of classic residential and standard implementations (well, at least here in France).

I had hoped that I could just blank the A key from emulator memory; however, that makes the reader fail to authenticate with such a key, so...

Also, timing is very very important here too for the first successful authentication: the reader will immediately try an A key auth on sector 0 (for residentials), and upon failure will ONLY loop against the B key value block (for VIGIK service codes/temporary "master keys" as mentioned above). An A key auth will not be attempted again without the tag being out of the field for at least a few seconds (on Vigik systems this state is indicated by a little red light instead of green, flashing at the same speed as the auths are tried). Also a note here: it is quite easy on these systems to find suitable UIDs for reader attacks: they make the reader behave differently. As a master-key RSA-signed temporary master key could have any UID, an unknown UID will be challenged against that behavior, creating a flashing light. However, a failing real candidate for the UID will trigger a "shutdown" or so of the field; the red light will not flash, then shutdown and nothing will happen without the tag being out of the field + a quick timeout.

Quite a bit of digression here, but anyway information worth knowing since it points towards specific needs on the simulation-side behavior. Which, again, seems able to become like a bright Sunday on some devices since your patch.

Anyway thanks again @pwpiwi... and please don't give up on this one because from now on eventual fixes should be negligible compared to the work you've done for these two PRs; or at least can be partially mimicked with small fixes (like never sending the A key...)
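The access-condition ToDo pwpiwi noted and the "never send key A" point above, as an added example that is not part of proxmark3: it decodes the three access-bit bytes of a sector trailer (checking the inverted nibbles, which a card uses to detect a corrupt trailer), looks up the trailer row of the MIFARE Classic access-condition table, and builds the 16 bytes a card that follows the table returns for a READ of the trailer after authenticating with key A or key B. Key A is never returned for any condition; key B only where the table allows it. The sample trailer `a0 a1 ... 78 77 88 00 ...` is the block 3 the emulator returned in the traces above; the transport-configuration trailer (`ff 07 80`) and the function names are assumptions. Bytes 6..9 are passed through unchanged, so the example models key visibility only.

```python
# Added example (not proxmark3 code): MIFARE Classic sector-trailer access conditions.

# Trailer row of the access-condition table, keyed by (C1, C2, C3) of block 3:
# (key A read, key A write, access-bits read, access-bits write, key B read, key B write)
# "A" / "B" / "AB" name the key(s) allowed to perform the operation; "never" means none.
TRAILER_RULES = {
    (0, 0, 0): ("never", "A",     "A",  "never", "A",     "A"),
    (0, 1, 0): ("never", "never", "A",  "never", "A",     "never"),
    (1, 0, 0): ("never", "B",     "AB", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "AB", "never", "never", "never"),
    (0, 0, 1): ("never", "A",     "A",  "A",     "A",     "A"),      # transport configuration
    (0, 1, 1): ("never", "B",     "AB", "B",     "never", "B"),
    (1, 0, 1): ("never", "never", "AB", "B",     "never", "never"),
    (1, 1, 1): ("never", "never", "AB", "never", "never", "never"),
}


def decode_access_bits(acc: bytes) -> list:
    """Return [(C1, C2, C3) for blocks 0..3] from trailer bytes 6..8.

    Byte 6 holds ~C2 | ~C1, byte 7 holds C1 | ~C3, byte 8 holds C3 | C2 (high nibble first).
    Raises ValueError when an inverted nibble does not match its plain copy."""
    if len(acc) != 3:
        raise ValueError("need exactly the three access-bit bytes")
    b6, b7, b8 = acc
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    if (b6 & 0xF) != (~c1 & 0xF) or (b6 >> 4) != (~c2 & 0xF) or (b7 & 0xF) != (~c3 & 0xF):
        raise ValueError("access bits failed integrity check")
    return [((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)]


def trailer_read_image(trailer: bytes, auth_key: str) -> bytes:
    """Bytes a table-following card returns for READ of its sector trailer after
    authenticating with auth_key ("A" or "B"). Key A bytes are always zero."""
    if len(trailer) != 16 or auth_key not in ("A", "B"):
        raise ValueError("need a 16-byte trailer and auth_key 'A' or 'B'")
    cond = decode_access_bits(trailer[6:9])[3]
    keyb_read = TRAILER_RULES[cond][4]
    image = bytearray(16)                 # bytes 0..5 (key A) stay zero under every condition
    image[6:10] = trailer[6:10]           # access bits + user byte passed through (see lead-in)
    if auth_key in keyb_read:             # "never" contains neither "A" nor "B"
        image[10:16] = trailer[10:16]
    return bytes(image)


# Sector trailer the emulator returned in the traces above (key A visible in bytes 0..5).
EMULATED_TRAILER = bytes.fromhex("a0a1a2a3a4a5" "787788" "00" "a0a1a2a3a4a5")
# Assumed comparison case: same keys with the transport configuration ff 07 80.
TRANSPORT_TRAILER = bytes.fromhex("a0a1a2a3a4a5" "ff0780" "69" "a0a1a2a3a4a5")


if __name__ == "__main__":
    for name, t in (("emulated", EMULATED_TRAILER), ("transport", TRANSPORT_TRAILER)):
        print(name, "block conditions:", decode_access_bits(t[6:9]))
        for k in ("A", "B"):
            print(f"  read after auth {k}: {trailer_read_image(t, k).hex(' ')}")
```

For the emulated trailer the conditions decode to `(0, 1, 1)` for block 3, under which neither key may be read, so a conforming card would have answered the READBLOCK(3) in the trace with `00 00 00 00 00 00 78 77 88 00 00 00 00 00 00 00` rather than echoing both keys.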

maxben14 commented 7 years ago

@pwpiwi, I try the new version but the command "hf mf sim n 0" again has problems with auth on the Android smartphone.

```
9829638 | 9832006 | Tag | 44 00 | |
9841036 | 9851564 | Rdr | 93 70 88 04 53 5d 82 17 d3 | ok | SELECT_UID
9852736 | 9856256 | Tag | 04 da 17 | |
9858974 | 9861438 | Rdr | 95 20 | | ANTICOLL-2
9862610 | 9868498 | Tag | 42 a7 49 80 2c | |
9872524 | 9883052 | Rdr | 95 70 42 a7 49 80 2c 2d 5e | ok | ANTICOLL-2
9884224 | 9887744 | Tag | 08 b6 dd | |
10608680 | 10613384 | Rdr | 60 00 f5 7b | ok | AUTH-A(0)
10618012 | 10622748 | Tag | 01 02 03 04 | |
10626782 | 10636094 | Rdr | b7 76 2e 8e! 6e ae! 8a! fe! | !crc| ?
10644690 | 10649362 | Tag | b4 7e 61 24 | |
10698634 | 10703402 | Rdr | 50 00 57 cd | ok | HALT
10707134 | 10707774 | Tag |03! | |
10890486 | 10891478 | Rdr | 52 | | WUPA
10892714 | 10895082 | Tag | 44 00 | |
10903288 | 10913816 | Rdr | 93 70 88 04 53 5d 82 17 d3 | ok | SELECT_UID
10914988 | 10918508 | Tag | 04 da 17 | |
10921210 | 10923674 | Rdr | 95 20 | | ANTICOLL-2
```

I see that after a good auth my Android sends HALT to the tag. Is it an Android timing problem?

iceman1001 commented 7 years ago

...some information seems to be missing. In order to use the "hf mf sim" command with authentication, you would need to load a proper dump into the device first, with correct keys etc.

From your trace there's not much to deduce.

maxben14 commented 7 years ago

@iceman1001, of course, I wrote it before: before the command hf mf sim n 0, I load a 1k card dump from the file ff.eml with the command hf mf eload ff. proxmark3> hf mf eload ff

iceman1001 commented 7 years ago

And all the correct keys are in it?

maxben14 commented 7 years ago

@iceman1001, yes, in sector 0 the key is a0a1a2a3a4a5 and this key is in the MCT key file, but the ACR122 reads fine when I do hf mf sim n 0.

pwpiwi commented 7 years ago

I think that there is still room for improvement regarding timing. Will try to get hold of a DSO to check.

cjbrigato commented 6 years ago

I have a very strange addition, but it might be insightful.. (if anyone could test this further I would be glad..)

I have three pm3 here (all based on the Elechouse V2 dev kit, from different years and of different quality) but they all act the same. Also this has been tested on several [French Vigik residential] readers with consistent, repeatable behavior.

So the "quality" of the simulation seems to depend on the UID somehow.

I made a lot of tests like that, and whether a UID is known to work with such residential readers or not, the behavior of the simulation changes drastically with the UID... two UIDs unknown to the residential system can work very well or not at all, two known UIDs can work very well or not at all... But this is all consistent: a "not working" UID like 4285BA87 will never work with any such reader (but still works with e.g. NFC Android phones) and UID 0A0A0A0A will always work with any such reader (and also works with NFC Android phones)...

@iceman1001, @pwpiwi, what's your opinion on this?

pwpiwi commented 6 years ago

This is an interesting observation. I had noticed that a 4 byte UID works, but a 7 byte UID didn't. But I didn't try different 4-byte and 7-byte UIDs. Your observation might direct us to find the still existing (or yet another) hf mf sim bug.

merlokk commented 6 years ago

It needs sniffing of the bad communication with a 2nd proxmark. Maybe there are some timing issues or antenna quality issues.

pwpiwi commented 6 years ago

Good idea, but I am lacking the 2nd proxmark. Trying to get hold of a DSO.

merlokk commented 6 years ago

@cjbrigato, can you sniff and POST the results here? P.S. I have only one too.

iceman1001 commented 6 years ago

I do have several pm3; I also have a Vigik reader at home with tags, so it would be possible to look at it; however, I'm busy with fixing up the firmware for the Chameleon Mini.
I'm certain @cjbrigato will figure it out.

iceman1001 commented 6 years ago

Now, are the problems solved?
Time to close?

maxben14 commented 6 years ago

@iceman1001, no, the proxmark in 1k emulator mode works very badly with Android; only the ACR122 reads and writes the proxmark 1k emulator well.

pwpiwi commented 6 years ago

"very bad" and "good read,write" is a bit vague :smile:. Can you please provide some traces again?

maxben14 commented 6 years ago

Sniff between the real tag and Android:

```
proxmark3> hf list 14a
Recorded Activity (TraceLen = 2051 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

Start End Src Data (! denotes parity error) CRC Annotation
0 38112 Rdr f0 1e d4 00 66 20 62 03 aa e7 65 9a 8b 59 00 00
00 32 46 66 6d 01 01 11 03 02 00 13 04 01 96 25
c0 ok ?
141744 142800 Rdr 26 REQA
143988 146356 Tag 04 00
153968 156432 Rdr 93 20 ANTICOLL
157620 163508 Tag 01 02 03 04 04
167504 178032 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
179220 182740 Tag 08 b6 dd
790368 795136 Rdr 50 00 57 cd ok HALT
837888 838880 Rdr 52 WUPA
840132 842500 Tag 04 00
851504 862032 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
863220 866740 Tag 08 b6 dd
1065872 1070640 Rdr 50 00 57 cd ok HALT
1114096 1115088 Rdr 52 WUPA
1116340 1118708 Tag 04 00
1127728 1138256 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
1139444 1142964 Tag 08 b6 dd
1242528 1247296 Rdr 50 00 57 cd ok HALT
1290048 1291040 Rdr 52 WUPA
1292292 1294660 Tag 04 00
1303680 1314208 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
1315396 1318916 Tag 08 b6 dd
1414688 1419392 Rdr 60 01 7c 6a ok AUTH-A(1)
1421412 1426084 Tag 15 80 12 e4
1430176 1439552 Rdr bb fa! ae! cf! ab! 9f 52! 32 !crc ?
1440740 1445412 Tag bc! 85! b1 c2!
1574480 1579184 Rdr 25! 89 5c d0! !crc ?
1580436 1601236 Tag 0a! 17 ba a3! 93! 6f 13 98 e4! a7 b5! 43! 6b! 06 58! 72
e1 3f !crc
1684144 1688848 Rdr d6 34! 18! 76! !crc ?
1690100 1710900 Tag df! 02 0b db! e7 38 03! 2b c8! 8a! 4c! a4 6d 69! 31 13!
17 06 !crc
1819152 1823856 Rdr 3a da! 97! 9c !crc READ RANGE (218-151)
1825108 1845972 Tag 9c 14! 2d 2e 64 df! 7c 43! d8! 6a 14 4e 92 1d 18! 5b!
1d f5! !crc
1949984 1954752 Rdr 9f! 3b! 0f! 15 !crc ?
1997520 1998512 Rdr 52 WUPA
1999764 2002132 Tag 04 00
2011152 2021680 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
2022868 2026388 Tag 08 b6 dd
2148400 2153168 Rdr 50 00 57 cd ok HALT
2195936 2196928 Rdr 52 WUPA
2198196 2200564 Tag 04 00
2209568 2220096 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
2221284 2224804 Tag 08 b6 dd
2526368 2531072 Rdr 60 01 7c 6a ok AUTH-A(1)
2533092 2537828 Tag ea 55 82 98
2541872 2551184 Rdr aa 93! f8! a2 38! 80! 64 07! !crc ?
2552436 2557172 Tag 32 15 f6 ff!
2690784 2695552 Rdr fc e9! 29 c1 !crc ?
2696740 2717604 Tag 21 8a 67! 76! 88! 45 88 a7! 69! f1! 60 c5! ba! d8 c8! 6a!
44! d0 !crc
2794272 2798976 Rdr b1! 3c 5e! 71 !crc ?
2800228 2821092 Tag 5f 96 24! 9f! cb! 94 95 0c! b3 9b! 2a 8d! 3d! e8! 83! 0a!
9a 14! !crc
2917696 2922400 Rdr 8f! b2 65 20! !crc ?
2923652 2944516 Tag 54! 36 68! 6e 1d! f7 ef 8d 64 7c dd! 43 8b 6a! 83! ae
98 54 !crc
3077664 3082368 Rdr ff! a5 53! 79! !crc ?
3124512 3125504 Rdr 52 WUPA
3126756 3129124 Tag 04 00
3138144 3148672 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
3149860 3153380 Tag 08 b6 dd
3792080 3796848 Rdr 50 00 57 cd ok HALT
3840352 3841344 Rdr 52 WUPA
3842596 3844964 Tag 04 00
3853984 3864512 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
3865700 3869220 Tag 08 b6 dd
3990688 3995456 Rdr 50 00 57 cd ok HALT
4038944 4039936 Rdr 52 WUPA
4041204 4043572 Tag 04 00
4052592 4063120 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
4064308 4067828 Tag 08 b6 dd
4270912 4275680 Rdr 60 08 bd f7 ok AUTH-A(8)
4277636 4282308 Tag 01 f2 51 3f
4286416 4295792 Rdr 08 ac! ef! b3 1c d5! 3a 5c! !crc ?
4296980 4301652 Tag 04! d5! 8a! 7e
4652048 4656752 Rdr fc! f6 8f! c9 !crc ?
4658004 4678868 Tag 70! 4e! f1 81 1e d6! 86! dc 0b! a2! 08 45 ff! c1 7b! 55
7f! f8 !crc
4832032 4836736 Rdr 34 d9 1c! c0 !crc ?
4880304 4881296 Rdr 52 WUPA
4882548 4884916 Tag 04 00
4893936 4904464 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
4905652 4909172 Tag 08 b6 dd
5015024 5019792 Rdr 50 00 57 cd ok HALT
5063296 5064288 Rdr 52 WUPA
5065540 5067908 Tag 04 00
5076928 5087456 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
5088644 5092164 Tag 08 b6 dd
5375696 5380464 Rdr 50 00 57 cd ok HALT
5423264 5424256 Rdr 52 WUPA
5425524 5427892 Tag 04 00
5436912 5447440 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
5448628 5452148 Tag 08 b6 dd
5708928 5713696 Rdr 30 ff 7a a7 ok READBLOCK(255)
5714900 5715540 Tag 04
5860448 5865216 Rdr 30 e0 0c 4f ok READBLOCK(224)
12114096 12118864 Rdr 50 00 57 cd ok HALT
12160992 12161984 Rdr 52 WUPA
12163236 12165604 Tag 04 00
12174640 12185168 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
12186356 12189876 Tag 08 b6 dd
13954624 13959392 Rdr 50 00 57 cd ok HALT
14002928 14003920 Rdr 52 WUPA
14005172 14007540 Tag 04 00
14016592 14027120 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
14028308 14031828 Tag 08 b6 dd
15861552 15866320 Rdr 50 00 57 cd ok HALT
15909168 15910160 Rdr 52 WUPA
15911412 15913780 Tag 04 00
15922816 15933344 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
15934532 15938052 Tag 08 b6 dd
17794288 17799056 Rdr 50 00 57 cd ok HALT
17841904 17842896 Rdr 52 WUPA
17844148 17846516 Tag 04 00
17855552 17866080 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
17867284 17870804 Tag 08 b6 dd
19687280 19692048 Rdr 50 00 57 cd ok HALT
19734912 19735904 Rdr 52 WUPA
19737156 19739524 Tag 04 00
19748560 19759088 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
19760292 19763812 Tag 08 b6 dd
21568576 21573344 Rdr 50 00 57 cd ok HALT
21616208 21617200 Rdr 52 WUPA
21618452 21620820 Tag 04 00
21629872 21640400 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
21641588 21645108 Tag 08 b6 dd
23490000 23494768 Rdr 50 00 57 cd ok HALT
23536928 23537920 Rdr 52 WUPA
23539188 23541556 Tag 04 00
23550592 23561120 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
23562308 23565828 Tag 08 b6 dd
25389056 25393824 Rdr 50 00 57 cd ok HALT
25436704 25437696 Rdr 52 WUPA
25438948 25441316 Tag 04 00
25450352 25460880 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
25462084 25465604 Tag 08 b6 dd
27267056 27271824 Rdr 50 00 57 cd ok HALT
27313984 27314976 Rdr 52 WUPA
27316228 27318596 Tag 04 00
27327648 27338176 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
27339364 27342884 Tag 08 b6 dd
29118112 29122880 Rdr 50 00 57 cd ok HALT
29166448 29167440 Rdr 52 WUPA
29168692 29171060 Tag 04 00
29180128 29190656 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
29191844 29195364 Tag 08 b6 dd
31066720 31071488 Rdr 50 00 57 cd ok HALT
31113664 31114656 Rdr 52 WUPA
31115908 31118276 Tag 04 00
31127328 31137856 Rdr 93 70 01 02 03 04 04 8e 25 ok SELECT_UID
31139060 31142580 Tag 08 b6 dd
```

My Android reads block 8 of the 1k.

4270912 |    4275680 | Rdr | 60  08  bd  f7                                                  |  ok | AUTH-A(8)      
4277636 |    4282308 | Tag | 01  f2  51  3f                                                  |     |
4286416 |    4295792 | Rdr | 08 ac! ef!  b3  1c d5!  3a 5c!                                  | !crc| ?
4296980 |    4301652 | Tag |04! d5! 8a!  7e                                                  |     |
4652048 |    4656752 | Rdr |fc!  f6 8f!  c9                                                  | !crc| ?
4658004 |    4678868 | Tag |70! 4e!  f1  81  1e d6! 86!  dc 0b! a2!  08  45 ff!  c1 7b!  55  |     |
        |            |     |7f!  f8                                                          | !crc|
4832032 |    4836736 | Rdr | 34  d9 1c!  c0              

Sniff between my emulator and Android:

```
proxmark3> hf list 14a
Recorded Activity (TraceLen = 1448 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate
  Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 2368 | Tag | 04 00 | |
14032 | 19920 | Tag | 01 02 03 04 04 | |
35648 | 39168 | Tag | 08 b6 dd | |
658972 | 663740 | Rdr | 50 00 57 cd | ok | HALT
708016 | 710384 | Tag | 04 00 | |
730288 | 733808 | Tag | 08 b6 dd | |
897964 | 902732 | Rdr | 50 00 57 cd | ok | HALT
946156 | 947148 | Rdr | 52 | | WUPA
948400 | 950768 | Tag | 04 00 | |
959756 | 970284 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
971488 | 975008 | Tag | 08 b6 dd | |
1121020 | 1122012 | Rdr | 52 | | WUPA
1123264 | 1125632 | Tag | 04 00 | |
1134620 | 1145148 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
1146352 | 1149872 | Tag | 08 b6 dd | |
1234928 | 1239600 | Tag | 00 00 00 00 | |
1243692 | 1253004 | Rdr |2d! 40! 17 ab! 2c e1! 2d 22 | !crc| ?
1262496 | 1267168 | Tag | b2 c1 95 7b | |
1322988 | 1327756 | Rdr | 50 00 57 cd | ok | HALT
1373440 | 1375808 | Tag | 04 00 | |
1384796 | 1395324 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
1396528 | 1400048 | Tag | 08 b6 dd | |
1517664 | 1520032 | Tag | 04 00 | |
1540768 | 1544288 | Tag | 08 b6 dd | |
1671264 | 1673632 | Tag | 04 00 | |
1694336 | 1697856 | Tag | 08 b6 dd | |
1786940 | 1791708 | Rdr | 50 00 57 cd | ok | HALT
1836688 | 1839056 | Tag | 04 00 | |
1848060 | 1858588 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
1859792 | 1863312 | Tag | 08 b6 dd | |
1941196 | 1945964 | Rdr | 50 00 57 cd | ok | HALT
1988716 | 1989708 | Rdr | 52 | | WUPA
1990944 | 1993312 | Tag | 04 00 | |
2014032 | 2017552 | Tag | 08 b6 dd | |
2317984 | 2320352 | Tag | 04 00 | |
2341072 | 2344592 | Tag | 08 b6 dd | |
2585532 | 2590236 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
2591488 | 2596160 | Tag | 00 00 00 00 | |
2619056 | 2623728 | Tag | c2 4b 53 5a | |
2802896 | 2805264 | Tag | 04 00 | |
2825984 | 2829504 | Tag | 08 b6 dd | |
3012844 | 3017612 | Rdr | 50 00 57 cd | ok | HALT
3060380 | 3061372 | Rdr | 52 | | WUPA
3062624 | 3064992 | Tag | 04 00 | |
3085728 | 3089248 | Tag | 08 b6 dd | |
3322844 | 3327612 | Rdr | 50 00 57 cd | ok | HALT
3370380 | 3371372 | Rdr | 52 | | WUPA
3372624 | 3374992 | Tag | 04 00 | |
3384012 | 3394540 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
3395744 | 3399264 | Tag | 08 b6 dd | |
4135216 | 4137584 | Tag | 04 00 | |
4158320 | 4161840 | Tag | 08 b6 dd | |
4254140 | 4258908 | Rdr | 50 00 57 cd | ok | HALT
4303936 | 4306304 | Tag | 04 00 | |
4315324 | 4325852 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
4327040 | 4330560 | Tag | 08 b6 dd | |
4495888 | 4500560 | Tag | 00 00 00 00 | |
4523472 | 4528144 | Tag | ba 73 cd 18 | |
4644508 | 4649276 | Rdr | 50 00 57 cd | ok | HALT
4694304 | 4696672 | Tag | 04 00 | |
4717424 | 4720944 | Tag | 08 b6 dd | |
4897964 | 4902732 | Rdr | 50 00 57 cd | ok | HALT
4947760 | 4950128 | Tag | 04 00 | |
4970880 | 4974400 | Tag | 08 b6 dd | |
5144988 | 5149756 | Rdr | 50 00 57 cd | ok | HALT
5193244 | 5194236 | Rdr | 52 | | WUPA
5195504 | 5197872 | Tag | 04 00 | |
5218608 | 5222128 | Tag | 08 b6 dd | |
5356220 | 5360988 | Rdr | 50 00 57 cd | ok | HALT
5406016 | 5408384 | Tag | 04 00 | |
5417420 | 5427948 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
5429152 | 5432672 | Tag | 08 b6 dd | |
5570556 | 5571548 | Rdr | 52 | | WUPA
5572800 | 5575168 | Tag | 04 00 | |
5584204 | 5594732 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
5595936 | 5599456 | Tag | 08 b6 dd | |
12075776 | 12078144 | Tag | 04 00 | |
12087196 | 12097724 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
12098928 | 12102448 | Tag | 08 b6 dd | |
13913680 | 13916048 | Tag | 04 00 | |
13936816 | 13940336 | Tag | 08 b6 dd | |
15814224 | 15816592 | Tag | 04 00 | |
15837376 | 15840896 | Tag | 08 b6 dd | |
17688364 | 17693132 | Rdr | 50 00 57 cd | ok | HALT
17738224 | 17740592 | Tag | 04 00 | |
17749660 | 17760188 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
17761376 | 17764896 | Tag | 08 b6 dd | |
19585056 | 19587424 | Tag | 04 00 | |
19596492 | 19607020 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
19608208 | 19611728 | Tag | 08 b6 dd | |
21400860 | 21405628 | Rdr | 50 00 57 cd | ok | HALT
21451440 | 21453808 | Tag | 04 00 | |
21474592 | 21478112 | Tag | 08 b6 dd | |
23306652 | 23311420 | Rdr | 50 00 57 cd | ok | HALT
23356528 | 23358896 | Tag | 04 00 | |
23379680 | 23383200 | Tag | 08 b6 dd | |
25246528 | 25248896 | Tag | 04 00 | |
25269664 | 25273184 | Tag | 08 b6 dd | |
27134832 | 27137200 | Tag | 04 00 | |
27146252 | 27156780 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
27157968 | 27161488 | Tag | 08 b6 dd | |
28964652 | 28969420 | Rdr | 50 00 57 cd | ok | HALT
29012300 | 29013292 | Rdr | 52 | | WUPA
29014528 | 29016896 | Tag | 04 00 | |
29025964 | 29036492 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
29037696 | 29041216 | Tag | 08 b6 dd | |
30923744 | 30926112 | Tag | 04 00 | |
30935180 | 30945708 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
30946912 | 30950432 | Tag | 08 b6 dd | |
32760540 | 32765308 | Rdr | 50 00 57 cd | ok | HALT
32810432 | 32812800 | Tag | 04 00 | |
32833568 | 32837088 | Tag | 08 b6 dd | |
34690064 | 34692432 | Tag | 04 00 | |
34713216 | 34716736 | Tag | 08 b6 dd
```


Proxmark has a problem sniffing between my device and Android only.
But Proxmark reads my device correctly:

proxmark3> hf mf rdbl 9 a a0a1a2a3a4a5
--block no:9, key type:A, key:a0 a1 a2 a3 a4 a5
#db# READ BLOCK FINISHED
isOk:01 data:01 02 03 04 04 08 04 00 62 63 64 65 66 67 68 69
proxmark3> hf mf rdbl 9 a a0a1a2a3a4a5
--block no:9, key type:A, key:a0 a1 a2 a3 a4 a5
#db# READ BLOCK FINISHED
isOk:01 data:01 02 03 04 04 08 04 00 62 63 64 65 66 67 68 69
proxmark3> hf list 14a
Recorded Activity (TraceLen = 188 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 52 | | WUPA
       2228 |       4596 | Tag | 04 00 | |
       7040 |       9504 | Rdr | 93 20 | | ANTICOLL
      10692 |      16580 | Tag | 01 02 03 04 04 | |
      19072 |      29600 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
      30788 |      34308 | Tag | 08 b6 dd | |
      35968 |      40736 | Rdr | 60 09 34 e6 | ok | AUTH-A(9)
      41924 |      46596 | Tag | 00 00 00 00 | |
      56320 |      65632 | Rdr | c1 f4! 5f 1b 25! a0! 69! 61! | !crc| DEC(244)
      75124 |      79796 | Tag | 62 92 09 6c | |
      85760 |      90464 | Rdr |5e! 23! 73 3e! | !crc| ?
     121508 |     142372 | Tag | 89 18! 09! c3! 1a 7c a6 f7! f8 a5! f7! c6 94 28! 5a! 31! | |
            |            |     | 4e 12! | !crc|
     155520 |     160288 | Rdr |30! ef 54! be! | !crc| READBLOCK(239)

pwpiwi commented 6 years ago

Please have a look at the topic of this issue. I don't see a trace of hf mf sim?

maxben14 commented 6 years ago

@pwpiwi ,

proxmark3> hf mf eload 98
..#db# Emulator stopped. Tracing: 1 trace length: 0
..............................................................
Loaded 64 blocks from file: 98.eml
proxmark3> hf mf sim n 0
mf 1k sim uid: N/A, numreads:0, flags:0 (0x00)

db# 4B UID: 01020304

iceman1001 commented 6 years ago

...this issue is starting to become very unclear. I suggest we close it and when someone actually has problems with "hf mf sim", with provided needed information, they can open a new issue.

pwpiwi commented 6 years ago

@maxben14 : still no trace? You need to run hf list 14a after hf mf sim.

maxben14 commented 6 years ago

@pwpiwi, I see in the log that after a correct AUTH Android sends HALT. My log with Proxmark as a 1k emulator:

proxmark3> hf list 14a
Recorded Activity (TraceLen = 1670 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate

  Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |

------------|------------|-----|-----------------------------------------------------------------|-----|--------------------| 0 | 38112 | Rdr | f0 1e d4 00 9a 17 98 87 0d 3f 1c 88 68 19 00 00 | | | | | 00 32 46 66 6d 01 01 11 03 02 00 13 04 01 96 6f | | | | | c6 | ok | ? 141712 | 142768 | Rdr | 26 | | REQA 143940 | 146308 | Tag | 04 00 | | 154128 | 156592 | Rdr | 93 20 | | ANTICOLL
157764 | 163652 | Tag | 01 02 03 04 04 | | 6031184 | 6069296 | Rdr | f0 1e d4 00 50 67 79 6d b7 7e 9e 43 9f 17 00 00 | | | | | 00 32 46 66 6d 01 01 11 03 02 00 13 04 01 96 71 | | | | | 05 | ok | ? 6172908 | 6173964 | Rdr | 26 | | REQA 6175136 | 6177504 | Tag | 04 00 | | 6185522 | 6187986 | Rdr | 93 20 | | ANTICOLL
6189158 | 6195046 | Tag | 01 02 03 04 04 | | 6199106 | 6209634 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
6210806 | 6214326 | Tag | 08 b6 dd | | 6651568 | 6656336 | Rdr | 50 00 57 cd | ok | HALT 6698472 | 6699464 | Rdr | 52 | | WUPA 6700700 | 6703068 | Tag | 04 00 | | 6712132 | 6722660 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
6723832 | 6727352 | Tag | 08 b6 dd | | 6861712 | 6866480 | Rdr | 50 00 57 cd | ok | HALT 6909342 | 6910334 | Rdr | 52 | | WUPA 6911570 | 6913938 | Tag | 04 00 | | 6922984 | 6933512 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
6934684 | 6938204 | Tag | 08 b6 dd | | 6993904 | 6998672 | Rdr | 50 00 57 cd | ok | HALT 7041514 | 7042506 | Rdr | 52 | | WUPA 7043742 | 7046110 | Tag | 04 00 | | 7055206 | 7065734 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
7066906 | 7070426 | Tag | 08 b6 dd | | 7213456 | 7218160 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
7222724 | 7227396 | Tag | 00 00 00 00 | | 7231512 | 7240824 | Rdr | 38 ea! ca! 56 09! 5f! cd! b8 | !crc| ? 7249548 | 7254220 | Tag | 48 79 15 09 | | 7332986 | 7337754 | Rdr | 50 00 57 cd | ok | HALT 7341486 | 7342126 | Tag |03! | | 7456032 | 7457024 | Rdr | 52 | | WUPA 7458260 | 7460628 | Tag | 04 00 | | 7468868 | 7479396 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
7480568 | 7484088 | Tag | 08 b6 dd | | 7682382 | 7687086 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
7691586 | 7696258 | Tag | 00 00 00 00 | | 7700366 | 7709742 | Rdr |b1! e5 38 7a! 2c! c4 bd 42! | !crc| ? 7718338 | 7723010 | Tag | e5 16 5f 36 | | 7826298 | 7831066 | Rdr | 50 00 57 cd | ok | HALT 7834798 | 7835374 | Tag | 0e | | 7931900 | 7932892 | Rdr | 52 | | WUPA 7934128 | 7936496 | Tag | 04 00 | | 7944734 | 7955262 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
7956434 | 7959954 | Tag | 08 b6 dd | | 8685040 | 8689808 | Rdr | 50 00 57 cd | ok | HALT 8731972 | 8732964 | Rdr | 52 | | WUPA 8734200 | 8736568 | Tag | 04 00 | | 8745632 | 8756160 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
8757332 | 8760852 | Tag | 08 b6 dd | | 8854032 | 8858800 | Rdr | 50 00 57 cd | ok | HALT 8901662 | 8902654 | Rdr | 52 | | WUPA 8903890 | 8906258 | Tag | 04 00 | | 8915322 | 8925850 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
8927022 | 8930542 | Tag | 08 b6 dd | | 9062872 | 9067640 | Rdr | 60 08 bd f7 | ok | AUTH-A(8)
9072140 | 9076812 | Tag | 00 00 00 00 | | 9080920 | 9090296 | Rdr |40! cb! 73! 0b 44 ac! b5! 00! | !crc| MAGIC WUPC1
9098892 | 9103628 | Tag | 7b a4 5a 98 | | 9170646 | 9175414 | Rdr | 50 00 57 cd | ok | HALT 9179018 | 9179594 | Tag | 08 | | 20113072 | 20151184 | Rdr | f0 1e d4 00 c1 80 6c c0 75 ca 2d e4 cf e4 00 00 | | | | | 00 32 46 66 6d 01 01 11 03 02 00 13 04 01 96 0f | | | | | de | ok | ? 20254808 | 20255864 | Rdr | 26 | | REQA 20257036 | 20259404 | Tag | 04 00 | | 20267022 | 20269486 | Rdr | 93 20 | | ANTICOLL
20270658 | 20276546 | Tag | 01 02 03 04 04 | | 20280572 | 20291100 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
20292272 | 20295792 | Tag | 08 b6 dd | | 20652176 | 20656944 | Rdr | 50 00 57 cd | ok | HALT 20699806 | 20700798 | Rdr | 52 | | WUPA 20702034 | 20704402 | Tag | 04 00 | | 20713450 | 20723978 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
20725150 | 20728670 | Tag | 08 b6 dd | | 20794400 | 20799168 | Rdr | 50 00 57 cd | ok | HALT 20841320 | 20842312 | Rdr | 52 | | WUPA 20843548 | 20845916 | Tag | 04 00 | | 20854980 | 20865508 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
20866680 | 20870200 | Tag | 08 b6 dd | | 20972768 | 20977536 | Rdr | 50 00 57 cd | ok | HALT 21020394 | 21021386 | Rdr | 52 | | WUPA 21022622 | 21024990 | Tag | 04 00 | | 21034086 | 21044614 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
21045786 | 21049306 | Tag | 08 b6 dd | | 21152918 | 21157622 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
21162250 | 21166922 | Tag | 00 00 00 00 | | 21171086 | 21180398 | Rdr | 22 26 c6 e6 f5 20 0b 31! | !crc| ? 21188930 | 21193602 | Tag | 68 c0 03 30 | | 21274382 | 21279150 | Rdr | 50 00 57 cd | ok | HALT 21282754 | 21283394 | Tag | 04 | | 21427178 | 21428170 | Rdr | 52 | | WUPA 21429406 | 21431774 | Tag | 04 00 | | 21440030 | 21450558 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
21451730 | 21455250 | Tag | 08 b6 dd | | 21662998 | 21667702 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
21672330 | 21677002 | Tag | 00 00 00 00 | | 21681166 | 21690478 | Rdr | 89 1c 4a! 5d ee! 0f a4! d2 | !crc| ? 21699010 | 21703682 | Tag | 96 f9 87 7e | | 21812012 | 21816780 | Rdr | 50 00 57 cd | ok | HALT 21820320 | 21820896 | Tag |0a! | | 21967904 | 21968896 | Rdr | 52 | | WUPA 21970132 | 21972500 | Tag | 04 00 | | 21980740 | 21991268 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
21992440 | 21995960 | Tag | 08 b6 dd | | 22620224 | 22624992 | Rdr | 50 00 57 cd | ok | HALT 22668574 | 22669566 | Rdr | 52 | | WUPA 22670802 | 22673170 | Tag | 04 00 | | 22682234 | 22692762 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
22693934 | 22697454 | Tag | 08 b6 dd | | 22751984 | 22756752 | Rdr | 50 00 57 cd | ok | HALT 22799646 | 22800638 | Rdr | 52 | | WUPA 22801874 | 22804242 | Tag | 04 00 | | 22813290 | 22823818 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
22824990 | 22828510 | Tag | 08 b6 dd | | 22959064 | 22963832 | Rdr | 60 08 bd f7 | ok | AUTH-A(8)
22968204 | 22972876 | Tag | 00 00 00 00 | | 22976976 | 22986288 | Rdr |82! da db a8 9e! 8e! 1b! 0f | !crc| ? 22994884 | 22999556 | Tag | 56 94 5a 21 | | 23099770 | 23104538 | Rdr | 50 00 57 cd | ok | HALT 23108270 | 23108846 | Tag |0a!

maxben14 commented 6 years ago

1. Why does Android send HALT after a successful AUTH? And the second question: why does Android send HALT unencrypted (50 00)? After a correct AUTH the communication needs to be encrypted, but Android sends the HALT command unencrypted.
iceman1001 commented 6 years ago

So, to make sure, are you running the latest source code (flashed and compiled) from the pm3 official GitHub? It contains some fixes from the last week.

merlokk commented 6 years ago

Android sends the HALT command unencrypted - this is an Android problem: it sends commands without authentication. Cards just leave the field in this case. It makes no sense)

as for here

7231512 | 7240824 | Rdr | 38 ea! ca! 56 09! 5f! cd! b8 | !crc| ?
7249548 | 7254220 | Tag | 48 79 15 09 | |
7332986 | 7337754 | Rdr | 50 00 57 cd | ok | HALT

1 unit = 74 ns. 7249548 - 7240824 = 8724 = 0.6 ms (it seems that it is good, but not as good as a real card). 7332986 - 7254220 = 78766 = 5.8 ms

So it may be just a timeout, and I'm sure that Android doesn't see the authentication. There may also be problems with the field here (and to be sure, the communication needs to be sniffed with a 2nd Proxmark or another sniffer).

maxben14 commented 6 years ago

@iceman1001, my version is the latest.

proxmark3> hw version
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-191-g1497150-suspect 2017-11-26 08:37:57
os: master/v3.0.1-191-g1497150-suspect 2017-11-26 08:38:01
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 199396 bytes (76%). Free: 62748 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

maxben14 commented 6 years ago

@pwpiwi , I think the basic problem in hf mf sim is that the algorithm calculates the filter function not from tables but by formulas. I think calculating from tables would speed up the emulator.

merlokk commented 6 years ago

It will, or calculating it in the FPGA.... but there is no room for that.

pwpiwi commented 6 years ago

@maxben14 : Can you please do the same with your ACR122 reader?

maxben14 commented 6 years ago

@pwpiwi , between my emulator and ACR122:

0 | 2560 | Tag | d1 ff 00! | | 21435424 | 21437792 | Tag | 04 00 | | 21511440 | 21513808 | Tag | 04 00 | | 21587488 | 21589856 | Tag | 04 00 | | 22174224 | 22176592 | Tag | 04 00 | | 22249744 | 22252112 | Tag | 04 00 | | 22325264 | 22327632 | Tag | 04 00 | | 26007436 | 26008492 | Rdr | 26 | | REQA 26009680 | 26012048 | Tag | 04 00 | | 26020732 | 26023196 | Rdr | 93 20 | | ANTICOLL
26024400 | 26030288 | Tag | 01 02 03 04 04 | | 26051580 | 26062108 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
26063312 | 26066832 | Tag | 08 b6 dd | | 30179244 | 30180236 | Rdr | 52 | | WUPA 30181488 | 30183856 | Tag | 04 00 | | 30197148 | 30207676 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
30208880 | 30212400 | Tag | 08 b6 dd | | 33241196 | 33242188 | Rdr | 52 | | WUPA 33243440 | 33245808 | Tag | 04 00 | | 33259100 | 33269628 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
33270816 | 33274336 | Tag | 08 b6 dd | | 36303132 | 36304124 | Rdr | 52 | | WUPA 36305376 | 36307744 | Tag | 04 00 | | 36320908 | 36331436 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
36332624 | 36336144 | Tag | 08 b6 dd | | 39364940 | 39365932 | Rdr | 52 | | WUPA 39367200 | 39369568 | Tag | 04 00 | | 39382716 | 39393244 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
39394448 | 39397968 | Tag | 08 b6 dd | | 42426748 | 42427740 | Rdr | 52 | | WUPA 42429008 | 42431376 | Tag | 04 00 | | 42444524 | 42455052 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
42456240 | 42459760 | Tag | 08 b6 dd | | 45488556 | 45489548 | Rdr | 52 | | WUPA 45490800 | 45493168 | Tag | 04 00 | | 45506460 | 45516988 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
45518176 | 45521696 | Tag | 08 b6 dd | | 48550508 | 48551500 | Rdr | 52 | | WUPA 48552752 | 48555120 | Tag | 04 00 | | 48568284 | 48578812 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
48580000 | 48583520 | Tag | 08 b6 dd | | 51612316 | 51613308 | Rdr | 52 | | WUPA 51614560 | 51616928 | Tag | 04 00 | | 51630092 | 51640620 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
51641824 | 51645344 | Tag | 08 b6 dd | | 54674124 | 54675116 | Rdr | 52 | | WUPA 54676384 | 54678752 | Tag | 04 00 | | 54691900 | 54702428 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
54703648 | 54707168 | Tag | 08 b6 dd | | 57735948 | 57736940 | Rdr | 52 | | WUPA 57738192 | 57740560 | Tag | 04 00 | | 57753724 | 57764252 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
57765440 | 57768960 | Tag | 08 b6 dd | | 60797756 | 60798748 | Rdr | 52 | | WUPA 60800016 | 60802384 | Tag | 04 00 | | 60815532 | 60826060 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
60827264 | 60830784 | Tag | 08 b6 dd | | 63859580 | 63860572 | Rdr | 52 | | WUPA 63861824 | 63864192 | Tag | 04 00 | | 63877356 | 63887884 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
63889088 | 63892608 | Tag | 08 b6 dd | | 66921388 | 66922380 | Rdr | 52 | | WUPA 66923632 | 66926000 | Tag | 04 00 | | 66939164 | 66949692 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
66950880 | 66954400 | Tag | 08 b6 dd | | 69983212 | 69984204 | Rdr | 52 | | WUPA 69985456 | 69987824 | Tag | 04 00 | | 70000988 | 70011516 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
70012704 | 70016224 | Tag | 08 b6 dd | | 73045020 | 73046012 | Rdr | 52 | | WUPA 73047264 | 73049632 | Tag | 04 00 | | 73062796 | 73073324 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
73074528 | 73078048 | Tag | 08 b6 dd | | 75966460 | 75967516 | Rdr | 26 | | REQA 75968704 | 75971072 | Tag | 04 00 | | 75979628 | 75982092 | Rdr | 93 20 | | ANTICOLL
75983296 | 75989184 | Tag | 01 02 03 04 04 | | 76010476 | 76021004 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
76022192 | 76025712 | Tag | 08 b6 dd | | 76362588 | 76367292 | Rdr | 60 3f 81 b2 | ok | AUTH-A(63)
76368544 | 76373216 | Tag | 00 00 00 00 | | 76374620 | 76383932 | Rdr | bd 57! ae 81! 3e e3 03 f2! | !crc| ? 76391536 | 76396208 | Tag | d8 39 78 de | | 76550684 | 76551676 | Rdr | 52 | | WUPA 76552928 | 76555296 | Tag | 04 00 | | 76568588 | 76579116 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
76580304 | 76583824 | Tag | 08 b6 dd | | 76760700 | 76765404 | Rdr | 60 3f 81 b2 | ok | AUTH-A(63)
76766656 | 76771328 | Tag | 00 00 00 00 | | 76772732 | 76782108 | Rdr | c3 cd e9 c4! 9b ef! ea d9 | !crc| ? 76789728 | 76794400 | Tag | 50 d4 ed 4d | | 76950524 | 76951516 | Rdr | 52 | | WUPA 76952784 | 76955152 | Tag | 04 00 | | 76968428 | 76978956 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
76980160 | 76983680 | Tag | 08 b6 dd | | 77171052 | 77175756 | Rdr | 60 3f 81 b2 | ok | AUTH-A(63)
77177008 | 77181680 | Tag | 00 00 00 00 | | 77183084 | 77192396 | Rdr | 57 3f! 3a 08! 94! 00! 9f! 7b | !crc| ? 77200000 | 77204672 | Tag | c4 85 5b e2 | | 77293852 | 77298556 | Rdr |b4! 74! b7 be | !crc| ? 77324432 | 77345296 | Tag | 9b 7a! 0d 89 c7 0d! d7 a3! 1c! 82! e9! fe ad 4a! 2b 5f | | | | | 67 9a! | !crc| 77471292 | 77475996 | Rdr |90! 71! d7! 65 | !crc| ? 77501856 | 77522720 | Tag |a2! 9f 16! 2e 8b 69 15 de 2e 22 d4! c1! 66! 4a! 51 c3 | | | | | 18 32 | !crc| 77648076 | 77652844 | Rdr |2c! b5 0c! 90! | !crc| ? 77678704 | 77699504 | Tag |28! e8 06! e1! 4a! b5! c5! 84! 4d! 7f e5 51 75! 41! c0! f9 | | | | | 20 af | !crc| 77827228 | 77831996 | Rdr |1b! 9f! 8a! c1 | !crc| PWD-AUTH
77857856 | 77878656 | Tag |62! e1! 6b! a4 12! a2 8c! 9d! 08 f9 b0 47! d7 af! f4! a4! | | | | |ec! e2 | !crc| 78042476 | 78047244 | Rdr |1f! 57! 5a 0a! | !crc| ? 78904284 | 78905276 | Rdr | 52 | | WUPA 78906528 | 78908896 | Tag | 04 00 | | 78922188 | 78932716 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
78933920 | 78937440 | Tag | 08 b6 dd | | 79125452 | 79130220 | Rdr | 60 3b a5 f4 | ok | AUTH-A(59)
79131408 | 79136080 | Tag | 00 00 00 00 | | 79137484 | 79146796 | Rdr | 95 7e! cf! b5 d0! 0a! b7 08! | !crc| ANTICOLL-2
79154400 | 79159136 | Tag | 41 10 86 f2 | | 79316748 | 79317740 | Rdr | 52 | | WUPA 79318992 | 79321360 | Tag | 04 00 | | 79334668 | 79345196 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
79346384 | 79349904 | Tag | 08 b6 dd | | 79529980 | 79534748 | Rdr | 60 3b a5 f4 | ok | AUTH-A(59)
79535936 | 79540608 | Tag | 00 00 00 00 | | 79542012 | 79551388 | Rdr | e8 6e! ed 98! 94 01 e3 87! | !crc| ? 79558992 | 79563728 | Tag | e3 35 09 7f | | 79644044 | 79648748 | Rdr | da 70! 85 89! | !crc| ? 79674592 | 79695392 | Tag | 8e a1 00! 3d 8f! 04! 41! 14 01! 4c! d2! b9 8f! 97 58 c0 | | | | |17! e0! | !crc| 79813388 | 79818156 | Rdr |59! af 73! 68 | !crc| ? 79844032 | 79864896 | Tag |58! fd f7 b9! a7! 55! 7c! 2b 48 90! 77! ff 62! 9b c0! cb | | | | | ff fa! | !crc| 101814028 | 101815020 | Rdr | 52 | | WUPA 101816272 | 101818640 | Tag | 04 00

pwpiwi commented 6 years ago

@maxben14: sorry, I wasn't clear enough. Can you please run hf mf sim (after you have loaded a card content with hf eload) against your ACR122. Then run hf list 14a and provide the output here.

maxben14 commented 6 years ago

1.txt

My log between ACR122 and Proxmark as a 1k emulator.

pwpiwi commented 6 years ago

The initially identified bugs have been fixed. The trace with hf mf sim shows no incorrect tag responses.

Both traces (with @maxben14 's simulator and with hf mf sim) show a consistent behaviour: it always takes three attempts to authenticate. The trace of the third attempt can be used to extract the key with mfkey64: a0a1a2a3a4a5. The first two attempts cannot be used to extract a key with mfkey32. Hence we can assume that the reader tries three different keys before succeeding.

@maxben14: your simulator has timing issues. The response to a REQA must start after exactly 1172 carrier clock cycles, the response to a WUPA must start after exactly 1236 clock cycles.
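The two things pwpiwi points at here, an authentication exchange that the reader drops and repeats until the third attempt is carried through, and an answer to REQA/WUPA that must start after exactly 1172/1236 carrier periods, can both be checked mechanically from a saved trace. The script below is an added example, not Proxmark3 project code: it parses the column layout of hf list 14a output, pairs each AUTH command with its nonce frames and classifies what the reader did next, and measures the tag's REQA/WUPA answer delay against the figures quoted above (merlokk's 74 ns-per-unit arithmetic earlier in the thread uses the same carrier-period unit). The trace it runs on is constructed and abbreviated, with made-up nonces and ciphertext bytes, and the function and field names are my own.

```python
"""Checks over a Proxmark3 'hf list 14a' trace (added example, not Proxmark3
project code): pair up MIFARE Classic authentication exchanges and classify what
the reader did next, and measure the tag's REQA/WUPA frame delay."""
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# Expected delay from the end of the reader's REQA / WUPA to the start of the
# tag's answer, in 13.56 MHz carrier periods, as stated in the thread.
EXPECTED_FDT = {"REQA": 1172, "WUPA": 1236}

# One trace record; data is the list of hex byte tokens, '!' parity marks stripped.
Rec = namedtuple("Rec", "start end src data annot")

def parse_trace(text: str) -> List[Rec]:
    """Columns: start | end | src | data | crc | annotation; continuation lines
    of long frames (empty start column) are skipped."""
    recs = []
    for line in text.splitlines():
        p = [c.strip() for c in line.split("|")]
        if len(p) < 5 or not (p[0].isdigit() and p[1].isdigit()):
            continue
        tokens = [t.rstrip("!") for t in p[3].split()]
        recs.append(Rec(int(p[0]), int(p[1]), p[2], tokens, p[5] if len(p) > 5 else ""))
    return recs

def fdt_check(recs: List[Rec]) -> List[Tuple[str, int, Optional[int], bool]]:
    """For every REQA (0x26) / WUPA (0x52): (cmd, reader start, measured delay or
    None if the tag stayed silent, delay equals the expected value?)."""
    out = []
    for a, b in zip(recs, recs[1:]):
        if a.src != "Rdr" or len(a.data) != 1:
            continue
        cmd = {"26": "REQA", "52": "WUPA"}.get(a.data[0])
        if cmd is None:
            continue
        if b.src != "Tag":
            out.append((cmd, a.start, None, False))
        else:
            delay = b.start - a.end
            out.append((cmd, a.start, delay, delay == EXPECTED_FDT[cmd]))
    return out

def auth_attempts(recs: List[Rec]) -> List[Dict]:
    """Pair each AUTH-A (0x60) / AUTH-B (0x61) with its nT, {nR}{aR} and {aT}
    frames and note whether the reader then continued in the encrypted session
    or gave up with HALT / WUPA / REQA, the pattern discussed in the thread."""
    out, i = [], 0
    while i < len(recs):
        r = recs[i]
        if r.src == "Rdr" and len(r.data) == 4 and r.data[0] in ("60", "61"):
            att = {"key_type": "B" if r.data[0] == "61" else "A", "block": int(r.data[1], 16),
                   "nt": None, "nr_ar": None, "at": None, "outcome": "incomplete"}
            f = recs[i + 1:i + 4]
            if [x.src for x in f] == ["Tag", "Rdr", "Tag"] and [len(x.data) for x in f] == [4, 8, 4]:
                att["nt"], att["nr_ar"], att["at"] = ("".join(x.data) for x in f)
                nxt = recs[i + 4] if i + 4 < len(recs) else None
                if nxt is None:
                    att["outcome"] = "end of trace"
                elif nxt.src == "Rdr" and nxt.data[:1] in (["50"], ["52"], ["26"]):
                    att["outcome"] = "abandoned"   # reader dropped this attempt
                else:
                    att["outcome"] = "continued"   # encrypted traffic follows: accepted
                i += 3
            out.append(att)
        i += 1
    return out

# Constructed, abbreviated sample in the hf list 14a column layout (anticollision
# mostly omitted): three AUTH-A(1) attempts, the first two dropped by the reader,
# the third carried on. Nonces and ciphertext bytes are made up; the final REQA
# answer is deliberately 72 periods late so the timing check has something to flag.
SAMPLE_TRACE = """\
      0 |    992 | Rdr | 52 | | WUPA
   2228 |   4596 | Tag | 04 00 | |
  19072 |  29600 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
  30788 |  34308 | Tag | 08 b6 dd | |
  40000 |  44704 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
  49268 |  53940 | Tag | a1 a2 a3 a4 | |
  58056 |  67368 | Rdr | 11 22! 33 44! 55 66! 77 88 | !crc| ?
  76092 |  80764 | Tag | 99 aa bb cc | |
 159530 | 164298 | Rdr | 50 00 57 cd | ok | HALT
 200000 | 200992 | Rdr | 52 | | WUPA
 202228 | 204596 | Tag | 04 00 | |
 230000 | 234704 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
 239268 | 243940 | Tag | b1 b2 b3 b4 | |
 248056 | 257368 | Rdr | 12 34! 56 78! 9a bc! de f0 | !crc| ?
 266092 | 270764 | Tag | 0f 1e 2d 3c | |
 300000 | 300992 | Rdr | 52 | | WUPA
 302228 | 304596 | Tag | 04 00 | |
 330000 | 334704 | Rdr | 60 01 7c 6a | ok | AUTH-A(1)
 339268 | 343940 | Tag | c1 c2 c3 c4 | |
 348056 | 357368 | Rdr | 0a 1b! 2c 3d! 4e 5f! 60 71 | !crc| ?
 366092 | 370764 | Tag | 82 93 a4 b5 | |
 380000 | 384768 | Rdr | 30! 01 c2 d3! | !crc| ?
 500000 | 501056 | Rdr | 26 | | REQA
 502300 | 504668 | Tag | 04 00 | |
"""

if __name__ == "__main__":
    print(auth_attempts(parse_trace(SAMPLE_TRACE)), fdt_check(parse_trace(SAMPLE_TRACE)))
```

To use it on a real capture, paste the hf list 14a output into SAMPLE_TRACE or read it from a file. A run of "abandoned" attempts is exactly what the two traces in this thread show, and a REQA/WUPA delay that is not the expected value (or a missing Tag answer) is the first thing to look at when an emulator works against one reader but not another.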

cjbrigato commented 6 years ago

Everything IS working as expected. Great work @pwpiwi

maxben14 commented 6 years ago

@pwpiwi , "it always takes three attempts to authenticate." The Android system takes 2 AUTH attempts in sector 0; my app takes only one AUTH attempt.