RfidResearchGroup / proxmark3

Iceman Fork - Proxmark3
http://www.icedev.se
GNU General Public License v3.0

ISO 14443B simulation does not work #1652

Closed jacopo-j closed 5 months ago

jacopo-j commented 2 years ago

Describe the bug The hf 14b sim feature does not seem to work properly: readers do not detect the simulated tag.

To Reproduce

  1. Run hf 14b sim -u 11AA33BB

Expected behavior External readers detect the presence of a tag.

Desktop (please complete the following information):


 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  Iceman/master/v4.14831-530-g8236de119-dirty-unclean 2022-04-04 00:23:11 917abd9ba
  compiled with............. Clang/LLVM Apple LLVM 13.1.6 (clang-1316.0.21.2)
  platform.................. OSX / aarch64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... absent
  Python script support..... present
  Lua SWIG support.......... present
  Python SWIG support....... present

 [ PROXMARK3 ]
  firmware.................. PM3 GENERIC

 [ ARM ]
  bootrom: Iceman/master/v4.14831-530-g8236de119-dirty-unclean 2022-04-03 15:24:18 e49e4ed9a
       os: Iceman/master/v4.14831-530-g8236de119-dirty-unclean 2022-04-04 00:23:13 917abd9ba
  compiled with GCC 10.3.1 20210824 (release)

 [ FPGA ]
  LF image 2s30vq100 2022-03-23 17:21:05
  HF image 2s30vq100 2022-03-23 17:21:16
  HF FeliCa image 2s30vq100 2022-03-23 17:21:27
  HF 15 image 2s30vq100 2022-03-23 17:21:38

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 58% used )

hw status

[#] Memory
[#]   BigBuf_size............. 42784
[#]   Available memory........ 42784
[#] Tracing
[#]   tracing ................ 1
[#]   traceLen ............... 0
[#] Current FPGA image
[#]   mode.................... HF image 2s30vq100 2022-03-23 17:21:16
[#] LF Sampling config
[#]   [q] divisor............. 95 ( 125.00 kHz )
[#]   [b] bits per sample..... 8
[#]   [d] decimation.......... 1
[#]   [a] averaging........... yes
[#]   [t] trigger threshold... 0
[#]   [s] samples to skip..... 0
[#]
[#] LF T55XX config
[#]            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]
[#]            mode            |start|write|write|write| read|write|write
[#]                            | gap | gap |  0  |  1  | gap |  2  |  3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) |  31 |  20 |  18 |  50 |  15 | N/A | N/A |
[#]     long leading reference |  31 |  20 |  18 |  50 |  15 | N/A | N/A |
[#]               leading zero |  31 |  20 |  18 |  40 |  15 | N/A | N/A |
[#]    1 of 4 coding reference |  31 |  20 |  18 |  34 |  15 |  50 |  66 |
[#]
[#] HF 14a config
[#]   [a] Anticol override.... std    ( follow standard )
[#]   [b] BCC override........ std    ( follow standard )
[#]   [2] CL2 override........ std    ( follow standard )
[#]   [3] CL3 override........ std    ( follow standard )
[#]   [r] RATS override....... std    ( follow standard )
[#] Transfer Speed
[#]   Sending packets to client...
[#]   Time elapsed................... 500ms
[#]   Bytes transferred.............. 300032
[#]   Transfer Speed PM3 -> Client... 600064 bytes/s
[#] Various
[#]   Max stack usage......... 4088 / 8480 bytes
[#]   Debug log level......... 1 ( error )
[#]   ToSendMax............... -1
[#]   ToSend BUFFERSIZE....... 2308
[#]   Slow clock.............. 32120 Hz
[#] Installed StandAlone Mode
[#]  HF 14B SNIFF,  a ISO14443b sniffer

data tune

[=] ---------- HF Antenna ----------
[+] HF antenna: 31,08 V - 13.56 MHz
[+] Approx. Q factor (*): 9,0 by peak voltage measurement
[+] HF antenna is OK

Additional context

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |          0 | Rdr |05  00  08  39  73                                                       |  ok | WUPB
          0 |          0 | Tag |50  11  aa  33  bb  20  38  19  22  00  21  85  7e  59                   |  ok |
          0 |          0 | Rdr |05  00  08  39  73                                                       |  ok | WUPB
          0 |          0 | Tag |50  11  aa  33  bb  20  38  19  22  00  21  85  7e  59                   |  ok |
          0 |          0 | Rdr |05  00  08  39  73                                                       |  ok | WUPB
          0 |          0 | Tag |50  11  aa  33  bb  20  38  19  22  00  21  85  7e  59                   |  ok |
          0 |          0 | Rdr |05  00  08  39  73                                                       |  ok | WUPB
          0 |          0 | Tag |50  11  aa  33  bb  20  38  19  22  00  21  85  7e  59                   |  ok |
          0 |          0 | Rdr |05  00  08  39  73                                                       |  ok | WUPB
          0 |          0 | Tag |50  11  aa  33  bb  20  38  19  22  00  21  85  7e  59                   |  ok |
          0 |          0 | Rdr |05  00  08  39  73                                                       |  ok | WUPB
          0 |          0 | Tag |50  11  aa  33  bb  20  38  19  22  00  21  85  7e  59                   |  ok |
          0 |          0 | Rdr |05  00  08  39  73                                                       |  ok | WUPB
          0 |          0 | Tag |50  11  aa  33  bb  20  38  19  22  00  21  85  7e  59                   |  ok |
          0 |          0 | Rdr |05  00  08  39  73                                                       |  ok | WUPB
          0 |          0 | Tag |50  11  aa  33  bb  20  38  19  22  00  21  85  7e  59                   |  ok |
codecat007 commented 2 years ago

I tested on a Raspberry Pi 3B; ISO 14443B simulation also does not work. It seems there is a problem with this feature.

iceman1001 commented 2 years ago

hf 14b commands would need some more love. Feel free to contribute!

ghost commented 2 years ago

I have an emulation system for an srt512 if you wish (the code is not clean at all but functional). [screenshot]

jacopo-j commented 2 years ago

@valtoo16 that is interesting, can you share a repository or a gist with the complete code?

iceman1001 commented 2 years ago

@valtoo16 If you have a fix for 14b, you are welcome to make a PR

iceman1001 commented 1 year ago

We have better support for shallow mode in the 14B reader. Not that it will help for simulation, but it will help when developing sim commands.

iceman1001 commented 1 year ago

@valtoo16 your code?

AkechiShiro commented 1 year ago

Hi, I'd like to help work on this feature, but I have never contributed to this project. What would be a good way to start making progress on this feature?

Do I need a reader and a card in order to sniff their communication and see why the emulation is not the same using a Proxmark3 RDV4?

iceman1001 commented 1 year ago

There is no implementation of a 14B protocol to start with.
So you would need to do that first, then you would debug with a reader/sniffer.

iceman1001 commented 1 year ago

I'd love to see you contribute!

AkechiShiro commented 1 year ago

Is there some documentation on how to get started adding a new protocol? (I'll fork the repo for now and start reading the code for a well-implemented protocol. Do you have any recommendation, @iceman1001?)

iceman1001 commented 1 year ago

You need the 14B data sheets; then you can look at armsrc/iso14443b.c to start with...

iceman1001 commented 10 months ago

hf 14b commands have gotten some serious love and work better now.

Feel free to improve the simulation.

AkechiShiro commented 10 months ago

Thanks a lot for letting us know here. I'll try and test it at some point (when I have some free time), I'll report on it when I do, and we can try to work on documenting what works and what doesn't, I guess.

michi-jung commented 5 months ago

Dumping the precomputed ATQB response frame from ISO14443-B emulation:

[#] ff ff ff ff ff 00 00 00 00 00 ff 00 00 0f 0f 0f  1111111111 0000000000 11 0 00001010 1
[#] 0f 00 0f 00 0f 00 f0 f0 f0 ff 0f f0 0f f0 0f 0f  0 10001000 1 0 01010101 1 0 11001100 1 0 1
[#] f0 ff f0 ff 00 00 00 f0 0f 00 00 ff f0 0f 0f 00  1011101 1 0 00000100 1 0 00011100 1 0 100
[#] ff 00 0f 00 f0 00 f0 0f 00 00 00 00 0f 0f 00 00  11000 1 0 01000100 1 0 00000000 1 0 10000
[#] f0 0f 0f 0f 00 00 ff 00 ff ff ff 0f 0f 00 ff 0f  100 1 0 10100001 1 0 01111110 1 0 1001101
[#] 0f 00 00 00 00 00                                0 1 0000000000

1111111111      Unmodulated subcarrier (10 ETUs)
0000000000      SoS t_PICC,S,1 (10 ETUs)
11              SoS t_PICC,S,2 (2 ETUs)

start  data      stop  byte
0      00001010  1     x50
0      10001000  1     x11
0      01010101  1     xAA
0      11001100  1     x33
0      11011101  1     xbb
0      00000100  1     x20
0      00011100  1     x38
0      10011000  1     x19
0      01000100  1     x22
0      00000000  1     x00
0      10000100  1     x21
0      10100001  1     x85
0      01111110  1     x7e
0      10011010  1     x59

0000000000      EoS (10 ETUs)

Which correlates to the proxmark3 trace:

          0 |      65535 | Rdr |05  00  08  39  73                                                       |     | 
          0 |      65535 | Tag |50! 11! aa! 33! bb! 20  38  19  22! 00! 21! 85  7e! 59!                  |     | 

However, on the scope the bit coding is reversed, the TR0 MIN is not respected, and there is a garbage '1' bit at the beginning:

[scope screenshot]
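
The following is an added example, not code from the proxmark3 project or from anyone in this thread. It takes the WUPB/ATQB exchange from the trace posted in the issue and the precomputed ATQB dump from the comment above, and does three things a practitioner debugging `hf 14b sim` would want scripted: verify CRC_B on both frames and decode the REQB/WUPB and ATQB fields per ISO/IEC 14443-3 Type B; rebuild the ATQB from PUPI 11AA33BB the way a simulator must send it; and decode the nibble-per-bit dump back into characters, checking TR1/SOF, the 10-bit character framing and EOF along the way. The frames are copied from the thread; the dump encoding (high nibble first, 0xf = logic 1, 0x0 = logic 0) is an assumption inferred from the annotation next to the dump, and all function names are this example's own.

```python
# Added example; not code from the proxmark3 project or from anyone in this thread.
# Field layout and CRC_B follow ISO/IEC 14443-3 Type B. The dump encoding (high
# nibble first, 0xf = logic 1, 0x0 = logic 0) is inferred from the annotated dump.

# Frames constructed from the trace in this thread, CRC_B bytes included.
WUPB_FRAME = bytes.fromhex("05 00 08 39 73")
ATQB_FRAME = bytes.fromhex("50 11 aa 33 bb 20 38 19 22 00 21 85 7e 59")

# Copied from the dump above: 86 bytes, one bit per nibble, 172 bits in all.
TOSEND_DUMP = (
    "ff ff ff ff ff 00 00 00 00 00 ff 00 00 0f 0f 0f "
    "0f 00 0f 00 0f 00 f0 f0 f0 ff 0f f0 0f f0 0f 0f "
    "f0 ff f0 ff 00 00 00 f0 0f 00 00 ff f0 0f 0f 00 "
    "ff 00 0f 00 f0 00 f0 0f 00 00 00 00 0f 0f 00 00 "
    "f0 0f 0f 0f 00 00 ff 00 ff ff ff 0f 0f 00 ff 0f "
    "0f 00 00 00 00 00"
)

MAX_FRAME_SIZES = (16, 24, 32, 40, 48, 64, 96, 128, 256)  # indexed by FSCI 0..8


def crc_b(data: bytes) -> bytes:
    """CRC_B (ISO/IEC 14443-3 Annex B): reflected poly 0x8408, init 0xFFFF,
    final one's complement, transmitted low byte first."""
    crc = 0xFFFF
    for b in data:
        ch = b ^ (crc & 0xFF)
        ch ^= (ch << 4) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    crc ^= 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def crc_ok(frame: bytes) -> bool:
    """True if the last two bytes are the CRC_B of everything before them."""
    return len(frame) >= 3 and crc_b(frame[:-2]) == frame[-2:]


def strip_crc(frame: bytes) -> bytes:
    if not crc_ok(frame):
        raise ValueError(f"CRC_B mismatch in frame {frame.hex()}")
    return frame[:-2]


def parse_reqb(frame: bytes) -> dict:
    """REQB/WUPB body: APf 0x05, AFI, PARAM (b4 = WUPB flag, b3..b1 = N)."""
    body = strip_crc(frame)
    if len(body) != 3 or body[0] != 0x05:
        raise ValueError("not a REQB/WUPB frame")
    n = body[2] & 0x07
    if n > 4:
        raise ValueError(f"RFU slot-count code N={n}")
    return {"cmd": "WUPB" if body[2] & 0x08 else "REQB", "afi": body[1], "slots": 1 << n}


def parse_atqb(frame: bytes) -> dict:
    """ATQB body: 0x50, PUPI(4), Application Data(4), Protocol Info(3)."""
    body = strip_crc(frame)
    if len(body) != 12 or body[0] != 0x50:
        raise ValueError("not a 12-byte (non-extended) ATQB")
    pupi, app, proto = body[1:5], body[5:9], body[9:12]
    return {"pupi": pupi.hex(), "app_data": app.hex(), "bit_rate_capability": proto[0],
            "max_frame_size": MAX_FRAME_SIZES[min(proto[1] >> 4, 8)],  # FSCI > 8 is RFU
            "iso14443_4": bool(proto[1] & 0x01),  # protocol type b1
            "fwi": proto[2] >> 4, "adc": (proto[2] >> 2) & 0x03, "fo": proto[2] & 0x03}


def build_atqb(pupi: bytes, app_data: bytes, proto_info: bytes) -> bytes:
    """Assemble an ATQB with its CRC_B, the way a simulator must send it."""
    body = b"\x50" + pupi + app_data + proto_info
    return body + crc_b(body)


def decode_picc_bitstream(dump_hex: str) -> bytes:
    """Decode a nibble-per-bit PICC->PCD frame: 10 ETU subcarrier on (TR1), SOF
    (10 ETU low + 2 ETU high), 10-bit characters (start 0, 8 data bits LSB first,
    stop 1), EOF (10 ETU low). Raises on any framing violation instead of guessing."""
    bits = []
    for byte in bytes.fromhex(dump_hex):
        for nib in (byte >> 4, byte & 0x0F):
            if nib not in (0x0, 0xF):
                raise ValueError(f"nibble {nib:x} is not a clean 0/1 symbol")
            bits.append(1 if nib == 0xF else 0)
    if bits[:22] != [1] * 10 + [0] * 10 + [1, 1]:
        raise ValueError("bad TR1/SOF: want 10 ETU high, 10 ETU low, 2 ETU high")
    if bits[-10:] != [0] * 10:
        raise ValueError("bad EOF: want 10 ETU low")
    chars = bits[22:-10]
    if len(chars) % 10:
        raise ValueError("payload is not a whole number of 10-bit characters")
    out = bytearray()
    for i in range(0, len(chars), 10):
        start, data, stop = chars[i], chars[i + 1:i + 9], chars[i + 9]
        if start != 0 or stop != 1:
            raise ValueError(f"start/stop bit error in character {i // 10}")
        out.append(sum(bit << k for k, bit in enumerate(data)))  # LSB first
    return bytes(out)


if __name__ == "__main__":
    print(parse_reqb(WUPB_FRAME), parse_atqb(ATQB_FRAME), sep="\n")
    decoded = decode_picc_bitstream(TOSEND_DUMP)
    print(decoded.hex(), "== ATQB in trace" if decoded == ATQB_FRAME else "DIFFERS")
```

Run as a script it prints the decoded WUPB (1 slot, AFI 0), the ATQB fields (FSCI 2 = 32-byte frames, ISO 14443-4 compliant, FWI 8, CID supported) and confirms that the dumped bit stream decodes to exactly the ATQB seen in the trace. That establishes that the precomputed buffer is right at the character level, so the problems michi-jung saw on the scope (reversed coding, TR0, the stray leading '1') sit in how the buffer is driven onto the subcarrier, not in its contents. The decoder deliberately refuses any frame whose SOF, start/stop bits or EOF are off rather than tolerating them, so it is also usable as a regression check on a modified ToSend buffer.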

iceman1001 commented 5 months ago

@michi-jung That is awesome!

Now if @valtoo16 gives access to his simulation setup, we can even take 14b sim to the next level.