Closed spp2000 closed 1 year ago
@mitmarcus Try it: chameleon_ultra_app_update.zip
tried this one (dev-210-g1dcafce-dirty). Have so far tried with only my uni (HID IClass SE) and it works 📣!
Why using (HID IClass SE) to test? Can this firmware work on your home card reader?
I will be able to do that only later in the day
Why you are (dev-210-g1dcafce-dirty), Are you downloading the firmware I sent:
yup its the zip, I just flash the zip you sent in this chat.
In this firmware, I disabled resetting the NFC core when leaving the Field, which is a critical modification. Please review the code for details. If you test later and it can work on your home card reader, then the problem may be clear.
works on all of them :)
@mitmarcus Try it: chameleon_ultra_app_update.zip
tried this one (dev-210-g1dcafce-dirty). Have so far tried with only my uni (HID IClass SE) and it works 📣!
Why using (HID IClass SE) to test? Can this firmware work on your home card reader?
I will be able to do that only later in the day
Why you are (dev-210-g1dcafce-dirty), Are you downloading the firmware I sent:
yup its the zip, I just flash the zip you sent in this chat.
In this firmware, I disabled resetting the NFC core when leaving the Field, which is a critical modification. Please review the code for details. If you test later and it can work on your home card reader, then the problem may be clear.
works on all of them :)
Perfect.
Do you remember if these last FWs are equal to any of those already present in the table? Or are they "hybrid"? :) Btw, I've tested all the fw from doegox message onwards and with all I have again the "flickering" issue (communication restart after 1st successfull auth). 1st fdt is 868 instead of about 1250 like the next
| | * |30 02 10 8B | ok | READBLOCK(2)
12066160 | 12071380 | |fdt (Frame Delay Time): 5220
12071380 | 12092180 | Tag |a6! d9! ac! 99! b9 99! ab! 2c! a0! 25! 6c! fd! 04! fc! 2b 06 eb 66 | |
| | * |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 49 | ok |
12150064 | 12154768 | Rdr |51 f3! 3c e4 | |
| | * |50 00 57 CD | ok | HALT
12238080 | 12239072 | Rdr |52(7) | | WUPA
12239072 | 12240324 | |fdt (Frame Delay Time): 1252
12240324 | 12242692 | Tag |04 00 | |
12258464 | 12268928 | Rdr |93 70 04 61 56 e5 d6 73 00 | ok | SELECT_UID
12268928 | 12270180 | |fdt (Frame Delay Time): 1252
12270180 | 12273700 | Tag |08 b6 dd | |
12334896 | 12339664 | Rdr |50 00 57 cd | ok | HALT
12386288 | 12387280 | Rdr |52(7) | | WUPA
12387280 | 12388148 | |fdt (Frame Delay Time): 868 <-------- here
12388148 | 12390516 | Tag |04 00 | |
12776368 | 12777360 | Rdr |52(7) | | WUPA
12777360 | 12778612 | |fdt (Frame Delay Time): 1252
12778612 | 12780980 | Tag |04 00 | |
13309936 | 13310928 | Rdr |52(7) | | WUPA
13310928 | 13312180 | |fdt (Frame Delay Time): 1252
13312180 | 13314548 | Tag |04 00 | |
13330368 | 13332832 | Rdr |93 20 anticoll again --------> | | ANTICOLL
updated matrix
@xianglin1998 from which commit do we want to resume our "private" tests to try to improve the compatibility table?
Do you remember if these last FWs are equal to any of those already present in the table? Or are they "hybrid"? :) Btw, I've tested all the fw from doegox message onwards and with all I have again the "flickering" issue (communication restart after 1st successfull auth). 1st fdt is 868 instead of about 1250 like the next
| | * |30 02 10 8B | ok | READBLOCK(2) 12066160 | 12071380 | |fdt (Frame Delay Time): 5220 12071380 | 12092180 | Tag |a6! d9! ac! 99! b9 99! ab! 2c! a0! 25! 6c! fd! 04! fc! 2b 06 eb 66 | | | | * |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 49 | ok | 12150064 | 12154768 | Rdr |51 f3! 3c e4 | | | | * |50 00 57 CD | ok | HALT 12238080 | 12239072 | Rdr |52(7) | | WUPA 12239072 | 12240324 | |fdt (Frame Delay Time): 1252 12240324 | 12242692 | Tag |04 00 | | 12258464 | 12268928 | Rdr |93 70 04 61 56 e5 d6 73 00 | ok | SELECT_UID 12268928 | 12270180 | |fdt (Frame Delay Time): 1252 12270180 | 12273700 | Tag |08 b6 dd | | 12334896 | 12339664 | Rdr |50 00 57 cd | ok | HALT 12386288 | 12387280 | Rdr |52(7) | | WUPA 12387280 | 12388148 | |fdt (Frame Delay Time): 868 <-------- here 12388148 | 12390516 | Tag |04 00 | | 12776368 | 12777360 | Rdr |52(7) | | WUPA 12777360 | 12778612 | |fdt (Frame Delay Time): 1252 12778612 | 12780980 | Tag |04 00 | | 13309936 | 13310928 | Rdr |52(7) | | WUPA 13310928 | 13312180 | |fdt (Frame Delay Time): 1252 13312180 | 13314548 | Tag |04 00 | | 13330368 | 13332832 | Rdr |93 20 anticoll again --------> | | ANTICOLL
updated matrix
doegox disabled fdt_reset in line 678, so problem reappeared on your reader. you can try to clone dxl_patch branch and recover it to test.
In the latest patch branch, I have restored the call to the nfc_fdt_reset
function and disabled the nfc_core_reset
function, which may solve your compatibility issue.
Compile file: chameleon_ultra_app_update.zip
Compile from: 18ea71e
@spp2000 @mitmarcus
Please help me test it, thank you.
Please help me test it, thank you.
works on Salto Modular XS and HID IClass SE! 📣📣📣 same "problem" with distance though. But works nonetheless :)))
Please help me test it, thank you.
works on Salto Modular XS and HID IClass SE! 📣📣📣 same "problem" with distance though. But works nonetheless :)))
Perfect, if @spp2000 doesn't have any problems, then he probably solved it.
In the latest patch branch, I have restored the call to the
nfc_fdt_reset
function and disabled thenfc_core_reset
function, which may solve your compatibility issue.Compile file: chameleon_ultra_app_update.zip
Compile from: 18ea71e
Thank you @xianglin1998! With 18ea71e I have green on Phone and Rdr no.3 Rdrs no. 1-2-4 are not here. I hope I can reach them today
offtopic: @doegox what SDR receiver/antenna did you use to analyse NFC signals? It seems a very interesting tool
offtopic: @doegox what SDR receiver/antenna did you use to analyse NFC signals? It seems a very interesting tool
https://github.com/josevcm/nfc-laboratory
If you want to use it under Linux, compile the master as I pushed a fix for the signal graph right after release 2.8.4
@doegox thanks for opening up a new world for me. I have to stop being so curious or I'll go bankrupt soon! :D After I have studied the basics, in the next few days I guess will want to ask you a couple of questions, to be sure of what I will buy. So, as not to be off-topic here, will you allow me to send you a DM?
Aside from this digression, we have great news! With this change 18ea71e we made a further step forward! Thank you! As you all can see, now we have all green but the Rdr 2 (which has never worked well). Today I got many traces of it, that I will analyze as soon as possible, hoping to be able to give you some useful information.
So, since this change has only brought improvements, I think you could already make it available to everyone. Then, as soon as you can, we can try to fix Rdr 2 too.
Confirm the correct repair before merging the branches.
So we need to continue testing again.
@spp2000 DM: sure no prob
@xianglin1998 I'm not sure to understand your last messages. @spp2000 and @mitmarcus confirmed the branch with https://github.com/RfidResearchGroup/ChameleonUltra/commit/18ea71e5164ce3b076ea62a01680217048471d09 works fine. Do you request more testing before merging?
@spp2000 DM: sure no prob
@xianglin1998 I'm not sure to understand your last messages. @spp2000 and @mitmarcus confirmed the branch with 18ea71e works fine. Do you request more testing before merging?
Sorry, I misunderstood. We can merge now. :)
Sorry, my finger touched involuntary the wrong button!
OK. Do you mean that we have to make a double check on all the reader?
Sorry, my finger touched involuntary the wrong button!
OK. Do you mean that we have to make a double check on all the reader?
There has been significant progress, and if only Rdr2 cannot work now, we can consider fixing it later.
So we can merge it, @doegox Can you help me merge it?
sure I'll do :)
And this issue is too verbose. I suggest starting a new thread next time if similar issues need to be resolved. (Just like writing a paper, this thread.) Hahaha
Thank you all guys! You did a great team work
What changed in between when this was resolved and the current fw (a43f4b9) that it doesnt work again haha
There are several reports (also in other communities) of lack of communication between Ultra/Lite and various OEM readers (for Mifare Classic 1k Full Emulation), so they do not respond at all when an Ultra/Lite approaches. At the same time, not a single case seems to be reported yet where Full Emulation works properly with OEM readers. Conversely, there are no problems if the reading tests are performed with the various tools (Proxmarx3 all versions, Chameleon Ultra as a reader, Flipper zero and smartphones), which would seem to be much more tolerant. But the real purpose of Chameleon is not to use with these devices!
The problem lies in the fact that, while the Anti-collision is completed, the Authentication to the Mifare blocks is not completed (therefore the ReadBlock is not reached). For this reason the issue concerns the Full emulation: if the OEM application needs only the UID there are no problems, while if it requires the reading of a block it fails (no answer at all).
Various traces (Proxmark3 sniff) have been acquired with Ultra/Lite, from which it can be seen that with the current firmware the authentication phase to the Mifare blocks is not completed. To have a reference of how the communication should be, traces were also acquired with a passive tag and Mini Rev.G (which works fine).
The problem seems to be mainly related to the Frame Delay Time (fdt) after AUTH-B (61xx), which seems to be too short so the reader stops communicating.
As suggested by @doegox, mainly two types of tests were done:
Test results:
These tests were performed with Chameleon Lite because with Ultra it isn't possible to sniff, because the field is too weak (small antenna?) to couple reader ad Ultra with the Proxmark3 (Easy) in the middle (white LED doesn't turn on) Furthermore, loading this modified FW on Ultra too, it doesn't work. I do not know why.
Not having all the necessary skills to go further, I submitted this issue to you. I hope it helps as a starting point to get a definitive fix. If you need, I can help by testing the fix (or trials) on 3 different OEM applications with both Ultra and Lite.
Attachments:
Lite with actual FW: too fast/incomplete authentication
Lite with bsp_delay_us(30): quite OK with Lite (still KO with Ultra)
Passive Tags: OK
Mini Rev.G: OK
Comparison of traces with different devices (see 1st column). Last 3 raws are derived from pictures in this repo.
It's interesting (for me) that after AUTH-B(16) we have:
Lite w/ FAST_SIM & no delay: fdt 1444 is too fast Lite w/ FAST_SIM & delay(30): fdt 1924 seems OK! Lite w/ FAST_SIM & delay(42): fdt 2084 KO! ...slow? Lite w/ FAST_SIM & delay(60): fdt 2340 KO! ...slow?
BUT
Passive tag: fdt 2036 is OK! Mini Rev.G: fdt 9332 is OK! See previous picture.
Thank you very much!