Mfc 1k Full emulation (not UID only) with OEM readers

[spp2000]

There are several reports (also in other communities) of lack of communication between Ultra/Lite and various OEM readers (for Mifare Classic 1k Full Emulation), so they do not respond at all when an Ultra/Lite approaches. At the same time, not a single case seems to be reported yet where Full Emulation works properly with OEM readers. Conversely, there are no problems if the reading tests are performed with the various tools (Proxmarx3 all versions, Chameleon Ultra as a reader, Flipper zero and smartphones), which would seem to be much more tolerant. But the real purpose of Chameleon is not to use with these devices!

The problem lies in the fact that, while the Anti-collision is completed, the Authentication to the Mifare blocks is not completed (therefore the ReadBlock is not reached). For this reason the issue concerns the Full emulation: if the OEM application needs only the UID there are no problems, while if it requires the reading of a block it fails (no answer at all).

Various traces (Proxmark3 sniff) have been acquired with Ultra/Lite, from which it can be seen that with the current firmware the authentication phase to the Mifare blocks is not completed. To have a reference of how the communication should be, traces were also acquired with a passive tag and Mini Rev.G (which works fine).

The problem seems to be mainly related to the Frame Delay Time (fdt) after AUTH-B (61xx), which seems to be too short so the reader stops communicating.

As suggested by @doegox, mainly two types of tests were done:

1. disabling Fast Emulation (NFC_MF1_FAST_SIM in nfc_mf1.h)
2. leaving Fast Emulation active but adding a delay (bsp_delay_us(30); in nfc_mf1.c line 558 + #include bsp_delay.h)

Test results:

1. you get an increase in fdt, communication has improved a bit, but the OEM readers still fail to complete authentication.
2. As suggested, delays from 42 to 50 were tested, without success. The first complete reading was obtained with a delay of 30.

These tests were performed with Chameleon Lite because with Ultra it isn't possible to sniff, because the field is too weak (small antenna?) to couple reader ad Ultra with the Proxmark3 (Easy) in the middle (white LED doesn't turn on) Furthermore, loading this modified FW on Ultra too, it doesn't work. I do not know why.

Not having all the necessary skills to go further, I submitted this issue to you. I hope it helps as a starting point to get a definitive fix. If you need, I can help by testing the fix (or trials) on 3 different OEM applications with both Ultra and Lite.

Attachments:

• Doegox suggestion
• Trace of Lite with actual FW: too fast/incomplete authentication
• Trace of Lite with bsp_delay_us(30): quite ok with Lite, still KO with Ultra (idk)
• Trace of Passive Tags: OK
• Trace of Mini Rev.G: OK
• Comparison of traces with different devices (see 1st column)

Lite with actual FW: too fast/incomplete authentication

Lite with bsp_delay_us(30): quite OK with Lite (still KO with Ultra)

Passive Tags: OK

Mini Rev.G: OK

Comparison of traces with different devices (see 1st column). Last 3 raws are derived from pictures in this repo.

It's interesting (for me) that after AUTH-B(16) we have:

Lite w/ FAST_SIM & no delay: fdt 1444 is too fast Lite w/ FAST_SIM & delay(30): fdt 1924 seems OK! Lite w/ FAST_SIM & delay(42): fdt 2084 KO! ...slow? Lite w/ FAST_SIM & delay(60): fdt 2340 KO! ...slow?

BUT

Passive tag: fdt 2036 is OK! Mini Rev.G: fdt 9332 is OK! See previous picture.

Thank you very much!

[mitmarcus]

@mitmarcus Try it: chameleon_ultra_app_update.zip

tried this one (dev-210-g1dcafce-dirty). Have so far tried with only my uni (HID IClass SE) and it works 📣!

Why using (HID IClass SE) to test? Can this firmware work on your home card reader?

I will be able to do that only later in the day

Why you are (dev-210-g1dcafce-dirty), Are you downloading the firmware I sent:

yup its the zip, I just flash the zip you sent in this chat.

In this firmware, I disabled resetting the NFC core when leaving the Field, which is a critical modification. Please review the code for details. If you test later and it can work on your home card reader, then the problem may be clear.

works on all of them :)

[xianglin1998]

@mitmarcus Try it: chameleon_ultra_app_update.zip

tried this one (dev-210-g1dcafce-dirty). Have so far tried with only my uni (HID IClass SE) and it works 📣!

Why using (HID IClass SE) to test? Can this firmware work on your home card reader?

I will be able to do that only later in the day

Why you are (dev-210-g1dcafce-dirty), Are you downloading the firmware I sent:

yup its the zip, I just flash the zip you sent in this chat.

In this firmware, I disabled resetting the NFC core when leaving the Field, which is a critical modification. Please review the code for details. If you test later and it can work on your home card reader, then the problem may be clear.

works on all of them :)

Perfect.

[spp2000]

Do you remember if these last FWs are equal to any of those already present in the table? Or are they "hybrid"? :) Btw, I've tested all the fw from doegox message onwards and with all I have again the "flickering" issue (communication restart after 1st successfull auth). 1st fdt is 868 instead of about 1250 like the next

            |            |  *  |30  02  10  8B                                                           |  ok | READBLOCK(2)
   12066160 |   12071380 |     |fdt (Frame Delay Time): 5220
   12071380 |   12092180 | Tag |a6! d9! ac! 99! b9  99! ab! 2c! a0! 25! 6c! fd! 04! fc! 2b  06  eb  66   |     |
            |            |  *  |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
   12150064 |   12154768 | Rdr |51  f3! 3c  e4                                                           |     |
            |            |  *  |50  00  57  CD                                                           |  ok | HALT
   12238080 |   12239072 | Rdr |52(7)                                                                    |     | WUPA
   12239072 |   12240324 |     |fdt (Frame Delay Time): 1252
   12240324 |   12242692 | Tag |04  00                                                                   |     |
   12258464 |   12268928 | Rdr |93  70  04  61  56  e5  d6  73  00                                       |  ok | SELECT_UID
   12268928 |   12270180 |     |fdt (Frame Delay Time): 1252
   12270180 |   12273700 | Tag |08  b6  dd                                                               |     |
   12334896 |   12339664 | Rdr |50  00  57  cd                                                           |  ok | HALT
   12386288 |   12387280 | Rdr |52(7)                                                                    |     | WUPA
   12387280 |   12388148 |     |fdt (Frame Delay Time): 868    <-------- here
   12388148 |   12390516 | Tag |04  00                                                                   |     |
   12776368 |   12777360 | Rdr |52(7)                                                                    |     | WUPA
   12777360 |   12778612 |     |fdt (Frame Delay Time): 1252
   12778612 |   12780980 | Tag |04  00                                                                   |     |
   13309936 |   13310928 | Rdr |52(7)                                                                    |     | WUPA
   13310928 |   13312180 |     |fdt (Frame Delay Time): 1252
   13312180 |   13314548 | Tag |04  00                                                                   |     |
   13330368 |   13332832 | Rdr |93  20                              anticoll again -------->             |     | ANTICOLL

updated matrix

[spp2000]

@xianglin1998 from which commit do we want to resume our "private" tests to try to improve the compatibility table?

[xianglin1998]

Do you remember if these last FWs are equal to any of those already present in the table? Or are they "hybrid"? :) Btw, I've tested all the fw from doegox message onwards and with all I have again the "flickering" issue (communication restart after 1st successfull auth). 1st fdt is 868 instead of about 1250 like the next

            |            |  *  |30  02  10  8B                                                           |  ok | READBLOCK(2)
   12066160 |   12071380 |     |fdt (Frame Delay Time): 5220
   12071380 |   12092180 | Tag |a6! d9! ac! 99! b9  99! ab! 2c! a0! 25! 6c! fd! 04! fc! 2b  06  eb  66   |     |
            |            |  *  |00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  37  49   |  ok |
   12150064 |   12154768 | Rdr |51  f3! 3c  e4                                                           |     |
            |            |  *  |50  00  57  CD                                                           |  ok | HALT
   12238080 |   12239072 | Rdr |52(7)                                                                    |     | WUPA
   12239072 |   12240324 |     |fdt (Frame Delay Time): 1252
   12240324 |   12242692 | Tag |04  00                                                                   |     |
   12258464 |   12268928 | Rdr |93  70  04  61  56  e5  d6  73  00                                       |  ok | SELECT_UID
   12268928 |   12270180 |     |fdt (Frame Delay Time): 1252
   12270180 |   12273700 | Tag |08  b6  dd                                                               |     |
   12334896 |   12339664 | Rdr |50  00  57  cd                                                           |  ok | HALT
   12386288 |   12387280 | Rdr |52(7)                                                                    |     | WUPA
   12387280 |   12388148 |     |fdt (Frame Delay Time): 868    <-------- here
   12388148 |   12390516 | Tag |04  00                                                                   |     |
   12776368 |   12777360 | Rdr |52(7)                                                                    |     | WUPA
   12777360 |   12778612 |     |fdt (Frame Delay Time): 1252
   12778612 |   12780980 | Tag |04  00                                                                   |     |
   13309936 |   13310928 | Rdr |52(7)                                                                    |     | WUPA
   13310928 |   13312180 |     |fdt (Frame Delay Time): 1252
   13312180 |   13314548 | Tag |04  00                                                                   |     |
   13330368 |   13332832 | Rdr |93  20                              anticoll again -------->             |     | ANTICOLL

updated matrix

doegox disabled fdt_reset in line 678, so problem reappeared on your reader. you can try to clone dxl_patch branch and recover it to test.

[xianglin1998]

In the latest patch branch, I have restored the call to the nfc_fdt_reset function and disabled the nfc_core_reset function, which may solve your compatibility issue.

Compile file: chameleon_ultra_app_update.zip

Compile from: 18ea71e

@spp2000 @mitmarcus

[xianglin1998]

Please help me test it, thank you.

[mitmarcus]

Please help me test it, thank you.

works on Salto Modular XS and HID IClass SE! 📣📣📣 same "problem" with distance though. But works nonetheless :)))

[xianglin1998]

Please help me test it, thank you.

works on Salto Modular XS and HID IClass SE! 📣📣📣 same "problem" with distance though. But works nonetheless :)))

Perfect, if @spp2000 doesn't have any problems, then he probably solved it.

[spp2000]

In the latest patch branch, I have restored the call to the nfc_fdt_reset function and disabled the nfc_core_reset function, which may solve your compatibility issue.

Compile file: chameleon_ultra_app_update.zip

Compile from: 18ea71e

Thank you @xianglin1998! With 18ea71e I have green on Phone and Rdr no.3 Rdrs no. 1-2-4 are not here. I hope I can reach them today

[spp2000]

offtopic: @doegox what SDR receiver/antenna did you use to analyse NFC signals? It seems a very interesting tool

[doegox]

offtopic: @doegox what SDR receiver/antenna did you use to analyse NFC signals? It seems a very interesting tool

https://github.com/josevcm/nfc-laboratory

If you want to use it under Linux, compile the master as I pushed a fix for the signal graph right after release 2.8.4

[spp2000]

@doegox thanks for opening up a new world for me. I have to stop being so curious or I'll go bankrupt soon! :D After I have studied the basics, in the next few days I guess will want to ask you a couple of questions, to be sure of what I will buy. So, as not to be off-topic here, will you allow me to send you a DM?

Aside from this digression, we have great news! With this change 18ea71e we made a further step forward! Thank you! As you all can see, now we have all green but the Rdr 2 (which has never worked well). Today I got many traces of it, that I will analyze as soon as possible, hoping to be able to give you some useful information.

So, since this change has only brought improvements, I think you could already make it available to everyone. Then, as soon as you can, we can try to fix Rdr 2 too.

[xianglin1998]

Confirm the correct repair before merging the branches.

[xianglin1998]

So we need to continue testing again.

[doegox]

@spp2000 DM: sure no prob

@xianglin1998 I'm not sure to understand your last messages. @spp2000 and @mitmarcus confirmed the branch with https://github.com/RfidResearchGroup/ChameleonUltra/commit/18ea71e5164ce3b076ea62a01680217048471d09 works fine. Do you request more testing before merging?

[xianglin1998]

@spp2000 DM: sure no prob

@xianglin1998 I'm not sure to understand your last messages. @spp2000 and @mitmarcus confirmed the branch with 18ea71e works fine. Do you request more testing before merging?

Sorry, I misunderstood. We can merge now. :)

[spp2000]

Sorry, my finger touched involuntary the wrong button!

OK. Do you mean that we have to make a double check on all the reader?

[xianglin1998]

Sorry, my finger touched involuntary the wrong button!

OK. Do you mean that we have to make a double check on all the reader?

There has been significant progress, and if only Rdr2 cannot work now, we can consider fixing it later.

[xianglin1998]

So we can merge it, @doegox Can you help me merge it?

[doegox]

sure I'll do :)

[xianglin1998]

And this issue is too verbose. I suggest starting a new thread next time if similar issues need to be resolved. (Just like writing a paper, this thread.) Hahaha

[spp2000]

Thank you all guys! You did a great team work

[mitmarcus]

What changed in between when this was resolved and the current fw (a43f4b9) that it doesnt work again haha

https://github.com/RfidResearchGroup/ChameleonUltra/assets/114725463/8a50e981-0a4c-4da1-91ec-80fb469b4c59