RfidResearchGroup / proxmark3

Iceman Fork - Proxmark3
http://www.icedev.se
GNU General Public License v3.0

Sending Mifare Increment Command Actually Decrements block when using simulated card #1172

Closed zachary822 closed 3 years ago

zachary822 commented 3 years ago

Things to try before submitting a bug report: read the troubleshooting guide.

Compilation problems: Try compiling with verbose: make VERBOSE=1 with main makefile or make V=1 with cmake.

Flashing problems: Have you followed the instructions properly? I.e., flashed bootrom separately first if you are going from Official repo to RRG/Iceman repo.

Describe the bug

When sending an increment command from an RC522 board I have, the simulated card (using hf mf eload xxx.bin and hf mf sim) actually decrements the value stored inside the block.

Below is a copy/paste of the relevant trace.

92632262 |   92636966 | Rdr |d3  ec  84  73                                                           |     | 
            |            |  *  |C1  08  9A  41                                                           |  ok | DEC(8)

You can see the mifare increment being sent by reader 0xC1 to block 8, but it says ok | DEC(8) on the right.

Relevant datasheet of mifare (linked below p. 13) also indicates C1 is an increment command.

https://www.nxp.com/docs/en/data-sheet/MF1S50YYX_V1.pdf

Not sure what is going on, maybe there is an issue with my code rather than proxmark3.

I'm using a python library that I modified on my raspberry pi zero. (linked below)

https://github.com/zachary822/MFRC522-python/

To Reproduce

  1. Write a block that is used to store a value, or create a mifare 1k bin file with a value block.
  2. Simulate the card with hf mf eload card.bin and hf mf sim.
  3. Configure a mifare reader (RC522 board in this case) to send the Increment command to the block.
  4. Read the trace and see that the increment command to the block (C1) is indicated as decrement in the right column of the trace.
  5. Dumping the contents of the simulated card also indicates the value being decremented instead of incremented.

Expected behavior

Should increment the block rather than decrement.

Screenshots

Desktop (please complete the following information):

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  client: RRG/Iceman/master/release (git) 
  compiled with Clang/LLVM Apple LLVM 12.0.0 (clang-1200.0.32.28) OS:OSX ARCH:x86_64

 [ PROXMARK3 RDV4 ]
  external flash:                  present
  smartcard reader:                present

 [ PROXMARK3 RDV4 Extras ]
  FPC USART for BT add-on support: absent

 [ ARM ]
  bootrom: RRG/Iceman/master/release (git) 
       os: RRG/Iceman/master/release (git) 
  compiled with GCC 10.2.1 20201103 (release)

 [ FPGA ]
  LF image built for 2s30vq100 on 2020-02-22 at 12:51:14
  HF image built for 2s30vq100 on 2020-01-12 at 15:31:16

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev A
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 288579 bytes (55%) Free: 235709 bytes (45%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory
#db# Memory
#db#   BIGBUF_SIZE.............40000
#db#   Available memory........35848
#db# Tracing
#db#   tracing ................0
#db#   traceLen ...............1129
#db# Currently loaded FPGA image
#db#   mode.................... HF image built for 2s30vq100 on 2020-01-12 at 15:31:16
#db# Flash memory
#db#   Baudrate................24 MHz
#db#   Init....................OK
#db#   Memory size.............2 mbits / 256 kb
#db#   Unique ID...............0xD5697C3097B76C23
#db# Smart card module (ISO 7816)
#db#   version.................v3.11
#db# LF Sampling config
#db#   [q] divisor.............95 ( 125.00 kHz)
#db#   [b] bits per sample.....8
#db#   [d] decimation..........1
#db#   [a] averaging...........Yes
#db#   [t] trigger threshold...0
#db#   [s] samples to skip.....0 
#db# LF T55XX config
#db#            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]
#db#            mode            |start|write|write|write| read|write|write
#db#                            | gap | gap |  0  |  1  | gap |  2  |  3
#db# ---------------------------+-----+-----+-----+-----+-----+-----+------
#db# fixed bit length (default) |  29 |  17 |  15 |  47 |  15 | N/A | N/A | 
#db#     long leading reference |  29 |  17 |  18 |  50 |  15 | N/A | N/A | 
#db#               leading zero |  29 |  17 |  18 |  40 |  15 | N/A | N/A | 
#db#    1 of 4 coding reference |  29 |  17 |  15 |  31 |  15 |  47 |  63 | 
#db# 
#db# Transfer Speed
#db#   Sending packets to client...
#db#   Time elapsed............500ms
#db#   Bytes transferred.......294912
#db#   Transfer Speed PM3 -> Client = 589824 bytes/s
#db# Various
#db#   DBGLEVEL................1
#db#   ToSendMax...............165
#db#   ToSendBit...............8
#db#   ToSend BUFFERSIZE.......2308
#db#   Slow clock..............30992 Hz
#db# Installed StandAlone Mode
#db#   HF - Reading Visa cards & Emulating a Visa MSD Transaction(ISO14443) - (Salvador Mendoza)
#db# Flash memory dictionary loaded
#db#   Mifare..................920 keys
#db#   T55x7...................109 keys
#db#   iClass..................7 keys

Additional context Add any other context about the problem here.
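
An independent check of the trace line quoted in the report, as an added example that is not part of the original post or of the proxmark3 code base: it verifies the ISO/IEC 14443-3 CRC_A on the command bytes and names the opcode from the MIFARE Classic datasheet's command set. It assumes the line marked * in the trace is the decrypted frame; the function names are illustrative.

```python
"""Decode a plaintext MIFARE Classic reader command and compare it to a trace annotation."""

# Command bytes from the MIFARE Classic datasheet's command overview.
OPCODES = {
    0x30: "READ", 0xA0: "WRITE", 0xC0: "DEC", 0xC1: "INC",
    0xC2: "RESTORE", 0xB0: "TRANSFER",
}


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 Type A CRC (initial value 0x6363), returned low byte first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = (crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)
    return bytes([crc & 0xFF, crc >> 8])


def decode_command(hex_bytes: str) -> str:
    """Return an annotation such as 'INC(8)' for a 4-byte command frame."""
    frame = bytes.fromhex(hex_bytes)
    if len(frame) != 4:
        raise ValueError("expected opcode, block number and two CRC bytes")
    opcode, block, crc = frame[0], frame[1], frame[2:]
    if crc != crc_a(frame[:2]):
        raise ValueError("CRC_A mismatch: frame is corrupt or still encrypted")
    name = OPCODES.get(opcode)
    if name is None:
        raise ValueError(f"unknown opcode 0x{opcode:02X}")
    return f"{name}({block})"


def check_annotation(hex_bytes: str, annotation: str) -> bool:
    """True when the trace's annotation agrees with the independent decode."""
    return decode_command(hex_bytes) == annotation.strip()


# Command bytes and annotation copied from the trace in the report.
TRACE_BYTES = "C1 08 9A 41"
TRACE_ANNOTATION = "DEC(8)"

if __name__ == "__main__":
    print("decoded  :", decode_command(TRACE_BYTES))
    print("annotated:", TRACE_ANNOTATION)
    print("agree    :", check_annotation(TRACE_BYTES, TRACE_ANNOTATION))
```

The CRC check passing on C1 08 confirms the reader sent a well-formed frame, so the mismatch lies in how the command byte was interpreted rather than in the transmitted bytes.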

iceman1001 commented 3 years ago

Solved with #1092
The release is about seven months old.