HF 15 read issues since PR #752

[Fl0-0]

hf search and hf 15 reader do not work anymore since #752 .

It does not come from the fpga changes (i have tested reverting d9de20f except fpga_hf.bit).

proxmark3> hf search

no known/supported 13.56 MHz tags found

proxmark3> hf 15 reader
#db# 0 octets read from IDENTIFY request: 
proxmark3>

Reverted:

proxmark3> hf search

Tag UID : E004020052******          
Tag Info: NXP(Philips); IC SL2 ICS53/ICS54(SLI-S) ICS5302/ICS5402(SLIX-S)          

Valid ISO15693 Tag Found - Quiting Search

proxmark3> hf 15 reader
#db# 12 octets read from IDENTIFY request:          
#db# NoErr CrcOK          
#db# 00 01 ** ** ** ** ** 02          
#db# 04 e0 ** **          
#db# UID = E004020052******  

[pwpiwi]

Hmmm. For me it works:

$ client/proxmark3.exe com6
Prox/RFID mark3 RFID instrument
bootrom: mod_list_mf/v3.0.1-341-g9bdd402-dirty-suspect 2018-02-25 11:29:01
os: master/v3.1.0-45-ge59481c-suspect 2019-01-13 15:58:37
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/11/28 at 08:33:11
SmartCard Slot: not available

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 202527 bytes (39%). Free: 321761 bytes (61%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf 15 reader
#db# 12 octets read from IDENTIFY request:
#db# NoErr CrcOK
#db# 00 00 ** ** ** ** ** **
#db# 07 e0 cd ae
#db# UID = E007************
proxmark3> hf search

Tag UID : E007************
Tag Info: Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit

Valid ISO15693 Tag Found - Quiting Search

proxmark3>

Did you do a make clean ?

[Fl0-0]

Yes of course ! make clean && make

[pwpiwi]

OK. Let's check. Can you please do hf 15 read (note: read, not reader), data sample 4000, data plot, data save and provide the result?

[Fl0-0]

OK it is strange: it works on my RDV2 but not anymore on the Easy !

Proxmark3 Easy: https://pastebin.com/raw/hUygdMA3

Proxmark3 RDV2: https://pastebin.com/raw/Hx5pfR19

[pwpiwi]

We see the disadvantage of threshold based decoders. If it is set too low, noise might be interpreted as signal. If it is set too high. weak signals will remain undetected. The previous "moving" correlator didn't use thresholds but it was way too slow for snooping. See the first samples in your trace which displays the subcarrier amplitude divided by 32. On your RDV2 it is 0. On your Easy we see some noise which triggers SOF decoding. Please change

#define NOISE_THRESHOLD    30      // don't try to correlate noise

to some value around 100. Please note that this probably will decrease the maximum read distance.

[Fl0-0]

Exactly ! i have to stick the tag on the antenna, but it works.

[pwpiwi]

Ummm. I didn't think about "stick the tag on the antenna". More about reducing maximum distance from 10cm to e.g 8cm. The signal in both of your traces is quite strong. Can you please repeat the exercise for a distance of 5cm ?

[Fl0-0]

Here it is: https://pastebin.com/raw/ADB0cnL3

[pwpiwi]

Looks like a pretty good signal to me - except the noise. You don't get a result for hf 15 reader in this case? Threshold changed to 100? If it doesn't work, try increasing the threshold to 130.

[Fl0-0]

I have no result with hf 15 reader at 5cm: #db# 0 octets read from IDENTIFY request: with the threshold changed to 100. When i retried with the increasing the threshold to 130, i have no result too at 5cm, it works up to ~3cm. Increasing it to the value 160 it works up to ~8-10cm !

[Fl0-0]

I believe that the Easy is noisy because of the electronic component lower quality and the lack of the relay and the amplifier (i read). The RDV2 has a clearly better reading distance and in my test, i also note that LF tag emulation works much better with it.

Maybe some other users could perform this test to choose a "good" threshold value ?

[Fl0-0]

i don't know the proportion of "old"/custom made/RDV/Easy/RDV2/RDV4 proxmarks but i think this issue could affect many users (maybe i am wrong) because the Easy is the most affordable proxmark.

Maybe we can find a "good" threshold value witch works with most proxmarks in the field or maybe it is possible to use the threshold based decoder for tag simulation and still use the previous slow "moving" correlator for reading, Maybe it is possible to implement a faster "moving" correlator in the FPGA logic, i don't know, just a reflection.

[pwpiwi]

There are many reports about "antenna issues" with PM3 Easy on the forum. If it is really noise which is causing the problems then now we have at least a rough idea what can be done. How does the high threshold affect reading distance on your RDV 2?

I agree with you that all types of proxmarks should be supported but I can test only on the types I own. Your analysis is therefore much appreciated.

[Fl0-0]

OK all tests with the same ISO15693 tag, threshold value on RDV2:

• 30 (default threshold): ~12cm
• 100: ~10cm
• 130: ~10cm
• 160: ~10cm

[pwpiwi]

Confirmed. Same distances with my own two PM3 (an Original with homemade antenna and an RDV2). For the time being I suggest to sacrifice the small difference in reader distance for higher compatibility. There might be a possibility to adjust the threshold on the fly in the future.

Are you going to raise a PR to set the threshold to 160?

[Fl0-0]

Okay i do that !

[Fl0-0]

Thanks for the investigations !