RfidResearchGroup / proxmark3

Iceman Fork - Proxmark3
http://www.icedev.se
GNU General Public License v3.0

hf legic sim / Legic Simulation does not work properly #83

Closed raphCode closed 5 years ago

raphCode commented 5 years ago

I have the Proxmark 3 RDV4 and tried simulation of a legic prime card. I used the steps

From older forum posts and issues I saw "timing errors" mentioned, but I thought with https://github.com/RfidResearchGroup/proxmark3/pull/25 this has been fixed.

Can I somehow help with the debugging/development of this feature? I have experience with programming and electronics as well as some tools like an oscilloscope. I do not know where to start or what to check because I'm not familiar with the project yet. Maybe someone has an idea?

iceman1001 commented 5 years ago

Output from `hw version`, `hw status`, `hw tune`

raphCode commented 5 years ago

```
pm3 --> hw version
Proxmark3 RFID instrument

 [ CLIENT ]
 client: iceman build for RDV40 with flashmem; smartcard;

 [ ARM ]
 bootrom: iceman/master/a17bf8e-dirty-unclean 2019-01-08 15:12:19
      os: iceman/master/a17bf8e-dirty-unclean 2019-01-08 15:12:23

 [ FPGA ]
 LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 248123 bytes (47%) Free: 276165 bytes (53%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory
```


```
pm3 --> hw status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............0
#db# Currently loaded FPGA image
#db# mode.................... HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
#db# Flash memory
#db# Baudrate................24MHz
#db# Init....................OK
#db# Memory size.............2 mbits / 256kb
#db# Unique ID...............0xd567a882a784b326
#db# Smart card module (ISO 7816)
#db# version.................v2.06
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# LF T55XX config
#db# [a] startgap............29*8 (232)
#db# [b] writegap............17*8 (136)
#db# [c] write_0.............15*8 (120)
#db# [d] write_1.............47*8 (376)
#db# [e] readgap.............15*8 (120)
#db# USB Speed
#db# Sending USB packets to client...
#db# Time elapsed............1500ms
#db# Bytes transferred.......825856
#db# USB Transfer Speed PM3 -> Client = 550570 Bytes/s
#db# Various
#db# MF_DBGLEVEL.............1
#db# ToSendMax...............-1
#db# ToSendBit...............0
#db# ToSend BUFFERSIZE.......2308
#db# Installed StandAlone Mode
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
```


```
pm3 --> hw tune
[=] measuring antenna characteristics, please wait...
....
[+] LF antenna: 73,08 V - 125.00 kHz
[+] LF antenna: 42,49 V - 134.00 kHz
[+] LF optimal: 74,64 V - 126,32 kHz
[+] LF antenna is OK
[+] HF antenna: 49,14 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
```

iceman1001 commented 5 years ago

Good start, you have latest firmware from Repo, and your HF antenna works. Just standard questions.

You can read the legic card well? Your eload command seems to be missing the filename.... Is that because you edited your post or did you forget?

raphCode commented 5 years ago

I could read the card with the info and reader commands and get data in the first two blocks, the rest are 00. I think this is a plausible result because there is not much data that needs to be stored on the card. Again, I had to increase the timeout in client/cmdhflegic.c:736, function legic_read_mem, to not have it abort before the whole card is read.

I thought I added a filename to the eload in my first post, maybe the edit was not sent properly. I am pretty sure that I did it correctly in the client since a confirmation appeared that 1024 byte were read from the file.

Is there a possibility to use the info command on the emulator memory to confirm dump and eload work as when directly reading the card?

iceman1001 commented 5 years ago

hm.. the rdmem? hf legic dump doesn't use legic_read_mem so that is strange. Or did you mean that you tried to just read out all 1024 bytes with the rdmem command to look?

You would need to fiddle with the info command in order to look at a dump file / emulator memory.

uhei commented 5 years ago

I second this.

I've also had to increase the timeout in the legic_read_mem() and CmdLegicDump() functions from 3000 to 7000 to have stable read success with MIM1024 cards.

Also the simulation fails. After eloading the card dump and starting sim, when getting closer to the reader LEDs B and C flash, but the reader doesn't react.

I'm running RDV 4 with latest RfidResearchGroup/proxmark3 repo (firmware/client/bootrom).

How can I help to debug this issue?

iceman1001 commented 5 years ago

I hear ya, I added a long waiting for reading memory. Remember that read mem isn't supposed to read the whole memory, use dump cmd instead. Also adapted the output.

How about you guys show me some output from using legic commands?

uhei commented 5 years ago

Thanks iceman1001!

Just gave it another try with your commits from today. Dump fails with timeout:


██████╗ ███╗   ███╗ ████╗     ...iceman fork
██╔══██╗████╗ ████║   ══█║      ...dedicated to RDV40
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║   ══█║    iceman@icesql.net
██║     ██║ ╚═╝ ██║ ████╔╝  https://github.com/iceman1001/proxmark3
╚═╝     ╚═╝     ╚═╝ ╚═══╝ pre v4.0

Keep iceman fork alive with a donation!           https://paypal.me/iceman1001/
MONERO: 43mNJLpgBVaTvyZmX9ajcohpvVkaRy1kbZPm8tqAb7itZgfuYecgkRF36rXrKFUkwEGeZedPsASRxgv4HPBHvJwyJdyvQuP

[=] UART Setting serial baudrate 115200

Proxmark3 RFID instrument

 [ CLIENT ]          
 client: iceman build for RDV40 with flashmem; smartcard;  

 [ ARM ]
 bootrom: iceman/master/v1.1.0-616-g13ed4f46 2019-01-19 16:23:29
      os: iceman/master/v1.1.0-616-g13ed4f46 2019-01-19 16:23:31

 [ FPGA ]
 LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 248101 bytes (47%) Free: 276187 bytes (53%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

Info command works and shows all data of all three segments (output omitted):

Reading tag memory 1024 b...          
.

CDF: System Area          
------------------------------------------------------          
MCD: xx, MSN: xx xx xx, MCC: xx OK     
....

Dump fails:

pm3 --> hf legic dump o ../legic_xxx_20190121
[+] TYPE : MIM1024 card (1002 bytes)          
[+] Reading tag memory 1024 b...          
[!] Command execute time-out          
pm3 --> 

I've tweaked the timeout:

tyrell2:proxmark3 uh$ git diff
diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c
index 0f580da9..63efbdab 100644
--- a/client/cmdhflegic.c
+++ b/client/cmdhflegic.c
@@ -899,7 +899,7 @@ int CmdLegicDump(const char *Cmd){
        clearCommandBuffer();
        SendCommand(&c);
        UsbCommand resp;
-       if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) {
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 7000)) {
                PrintAndLogEx(WARNING, "Command execute time-out");
                return 1;
        }
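Review bot: the 3000 → 7000 on the WaitForResponseTimeout call in CmdLegicDump is a bare magic number, and the thread says the same 3000 ms literal sits in legic_read_mem as well; pull both into one named constant (something like LEGIC_READ_TIMEOUT_MS) so the two call sites cannot drift apart again, and since the dump already knows the card type (MIM256 vs MIM1024) before it waits, scale the timeout by that size instead of picking one value that happens to be long enough for 1024 bytes.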
@@ -1263,4 +1263,4 @@ int CmdHFLegic(const char *Cmd) {
 int CmdHelp(const char *Cmd) {
        CmdsHelp(CommandTable);
        return 0;
-}
\ No newline at end of file
+}
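Review bot: this second hunk is a whitespace-only change (it only adds the missing trailing newline after the closing brace of CmdHelp) that has nothing to do with the timeout fix; harmless, but either leave it out of the diff you post for discussion or say so explicitly, otherwise reviewers will look for a functional change that is not there.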

and gave it another try:

pm3 --> hf legic dump o ../legic_xxx_20190121
[+] TYPE : MIM1024 card (1002 bytes)          
[+] Reading tag memory 1024 b...          
Waiting for a response from the proxmark...          
You can cancel this operation by pressing the pm3 button          
[+] Wrote 1024 bytes to ../legic_xxx_20190121.bin          
pm3 -->

I will try the simulation tomorrow.

How can I turn on more verbose/debug logging?

iceman1001 commented 5 years ago

You turn on the debugging with `hf mf dbg 4` (or 1,2,3,4). I know, not the obvious place..

I missed the timeout for the dump command. I pushed a fix for it. Try again, please!

iceman1001 commented 5 years ago

I also changed the timeouts on

Pull and test :)

drandreas commented 5 years ago

Looking at the code:

You wrote that you see B and C, so that's a good start.

In reply to your question about debugging:

  1. Run the Simulation for a couple of seconds. The simulator stores the communication in a trace log.
  2. Stop the simulation by pressing the button on the Proxmark3.
  3. Now you should be able to print a com log using `trace list legic`.

This will tell you at what point the communication fails.

As a side note, the official repo's simulator might be more stable, since that code uses a more precise time source. However, the official repo has no trace function.

iceman1001 commented 5 years ago

Any news @uhei @raphCode ?

uhei commented 5 years ago

Yes @iceman1001 , there are news.

Dumping the card works now:

pm3 --> hf legic dump o ../legic_xxx_20190122
[+] TYPE : MIM1024 card (1002 bytes)          
[+] Reading tag memory 1024 b...          
.

[+] Wrote 1024 bytes to ../legic_xxx_20190122.bin          
pm3 --> 

Simulating the card still fails. LED B and C are flashing fast:

pm3 --> hf legic eload 2 ../legic_xxx_20190122

[+] Loaded 1024 bytes from file: ../legic_xxx_20190122.bin  to emulator memory

pm3 --> hf legic sim 2
pm3 --> #db# Starting Legic emulator, press button to end          
#db# Stopped          

pm3 --> trace list legic
Recorded Activity (TraceLen = 10513 bytes)          

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer          
LEGIC - Reader Mode: Timings are in ticks (1us == 1.5ticks)
        Tag Mode: Timings are in sub carrier periods (1/212 kHz == 4.7us)          

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation          
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------          
          0 |        342 | Rdr |16  2a  20  08                                                           |     |           
       1740 |       2082 | Rdr |16  2a  20  08                                                           |     |           
       5493 |       5617 | Rdr |07  61  00  00                                                           |     | IV 0x61          
       5687 |       5813 | Tag |06  3d  00                                                               |     | MIM1024          
       8083 |       8207 | Rdr |07  31  00  00                                                           |     | IV 0x31          
       8277 |       8403 | Tag |06  3d  00                                                               |     | MIM1024          
      16476 |      16818 | Rdr |16  2a  20  08                                                           |     |           
      18216 |      18558 | Rdr |16  2a  20  08                                                           |     |           
      21932 |      22056 | Rdr |07  0b  00  00                                                           |     | IV 0x0B          
      22126 |      22252 | Tag |06  3d  00                                                               |     | MIM1024          
      22305 |      22415 | Rdr |06  39  00  00                                                           |     | ACK 256/1024          
      22473 |      22677 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)          
      22747 |      22999 | Tag |0c  77  02                                                               |     |           
      23223 |      23427 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)          
      23497 |      23749 | Tag |0c  0e  04                                                               |     |           
      23973 |      24177 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)          
      24247 |      24499 | Tag |0c  4c  09                                                               |     |           
      24723 |      24943 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)          
      25013 |      25265 | Tag |0c  5e  09                                                               |     |           
      25489 |      25701 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)          
      25771 |      26023 | Tag |0c  80  06                                                               |     |           
      29748 |      29872 | Rdr |07  45  00  00                                                           |     | IV 0x45          
      29942 |      30068 | Tag |06  3d  00                                                               |     | MIM1024          
      30121 |      30231 | Rdr |06  39  00  00                                                           |     | ACK 256/1024          
      30289 |      30509 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)          
      30579 |      30831 | Tag |0c  77  02                                                               |     |           
      31055 |      31267 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)          
      31337 |      31589 | Tag |0c  0e  04                                                               |     |           
      31813 |      32001 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)          
      32071 |      32323 | Tag |0c  4c  09                                                               |     |           
      32547 |      32767 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)          
      32837 |      33089 | Tag |0c  5e  09                                                               |     |           
      33313 |      33493 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)          
      33563 |      33815 | Tag |0c  80  06                                                               |     |           
      35215 |      35427 | Rdr |0b  b6  03  00                                                           |     | WRITE Byte(475)          
      35973 |      36145 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)          
      36691 |      36871 | Rdr |0b  a1  00  00                                                           |     | READ Byte(80)          
      37249 |      37461 | Rdr |0b  5d  06  00                                                           |     | READ Byte(814)          
      40859 |      40983 | Rdr |07  31  00  00                                                           |     | IV 0x31          
      41053 |      41179 | Tag |06  3d  00                                                               |     | MIM1024          
      41232 |      41366 | Rdr |06  39  00  00                                                           |     | ACK 256/1024          
      41424 |      41612 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)          
      41682 |      41934 | Tag |0c  77  02                                                               |     |           
      42158 |      42386 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)          
      42456 |      42708 | Tag |0c  0e  04                                                               |     |           
      42932 |      43136 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)          
      43206 |      43458 | Tag |0c  4c  09                                                               |     |           
      43682 |      43870 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)          
      43940 |      44192 | Tag |0c  5e  09                                                               |     |           
      44416 |      44620 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)          
      44690 |      44942 | Tag |0c  80  06                                                               |     |           
      46384 |      46564 | Rdr |0b  89  00  00                                                           |     | READ Byte(68)          
      47110 |      47338 | Rdr |0b  f7  05  00                                                           |     | READ Byte(763)          
      47884 |      48064 | Rdr |0b  0d  00  00                                                           |     | READ Byte(6)          
      48442 |      48654 | Rdr |0b  2f  03  00                                                           |     | READ Byte(407)          
      52058 |      52182 | Rdr |07  45  00  00                                                           |     | IV 0x45          
      52252 |      52378 | Tag |06  3d  00                                                               |     | MIM1024          
      52431 |      52541 | Rdr |06  39  00  00                                                           |     | ACK 256/1024          
      52599 |      52819 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)          
      52889 |      53141 | Tag |0c  77  02                                                               |     |           
      53365 |      53577 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)          
      53647 |      53899 | Tag |0c  0e  04                                                               |     |           
      54123 |      54311 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)          
      54381 |      54633 | Tag |0c  4c  09                                                               |     |           
      54857 |      55077 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)          
      55147 |      55399 | Tag |0c  5e  09                                                               |     |           
      55623 |      55803 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)          
      55873 |      56125 | Tag |0c  80  06                                                               |     |           
      57567 |      57763 | Rdr |0b  ec  00  00                                                           |     | WRITE Byte(118)          
      58309 |      58473 | Rdr |0b  00  02  00                                                           |     | WRITE Byte(256)          
      59019 |      59199 | Rdr |0b  29  00  00                                                           |     | READ Byte(20)          
      59577 |      59789 | Rdr |0b  96  07  00                                                           |     | WRITE Byte(971)          
      68374 |      68715 | Rdr |16  2a  20  08                                                           |     |           
      70113 |      70455 | Rdr |16  2a  20  08                                                           |     |           
      73832 |      73964 | Rdr |07  71  00  00                                                           |     | IV 0x71          
      74034 |      74160 | Tag |06  3d  00                                                               |     | MIM1024          
      74213 |      74323 | Rdr |06  39  00  00                                                           |     | ACK 256/1024          
      74381 |      74585 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)          
      74655 |      74907 | Tag |0c  77  02                                                               |     |           
      75131 |      75335 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)          
      75405 |      75657 | Tag |0c  0e  04                                                               |     |           
      75881 |      76085 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)          
      76155 |      76407 | Tag |0c  4c  09                                                               |     |           
      76631 |      76835 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)          
      76905 |      77157 | Tag |0c  5e  09                                                               |     |           
      77381 |      77593 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)          
      77663 |      77915 | Tag |0c  80  06                                                               |     |           
      81648 |      81788 | Rdr |07  5d  00  00                                                           |     | IV 0x5D          
      81858 |      81984 | Tag |06  3d  00                                                               |     | MIM1024          
      82037 |      82139 | Rdr |06  39  00  00                                                           |     | ACK 256/1024          
      82197 |      82425 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)          
      82495 |      82747 | Tag |0c  77  02                                                               |     |           
      82971 |      83151 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)          
      83221 |      83473 | Tag |0c  0e  04                                                               |     |           
      83697 |      83877 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)          
      83947 |      84199 | Tag |0c  4c  09                                                               |     |           
      84423 |      84619 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)          
      84689 |      84941 | Tag |0c  5e  09                                                               |     |           
      85165 |      85377 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)          
      85447 |      85699 | Tag |0c  80  06                                                               |     |           
      87141 |      87305 | Rdr |0b  10  00  00                                                           |     | WRITE Byte(8)          
      87851 |      88063 | Rdr |0b  f0  07  00                                                           |     | WRITE Byte(1016)          
      88609 |      88813 | Rdr |0b  ec  01  00                                                           |     | WRITE Byte(246)          
      89191 |      89395 | Rdr |0b  a9  05  00                                                           |     | READ Byte(724)          
      92799 |      92915 | Rdr |07  05  00  00                                                           |     | IV 0x05          
      92985 |      93111 | Tag |06  3d  00                                                               |     | MIM1024          
      93164 |      93282 | Rdr |06  39  00  00                                                           |     | ACK 256/1024          
      93340 |      93504 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)          
      93574 |      93826 | Tag |0c  77  02                                                               |     |           
      94050 |      94238 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)          
      94308 |      94560 | Tag |0c  0e  04                                                               |     |           
      94784 |      94988 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)          
      95058 |      95310 | Tag |0c  4c  09                                                               |     |           
      95534 |      95730 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)          
      95800 |      96052 | Tag |0c  5e  09                                                               |     |           
      96276 |      96488 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)          
      96558 |      96810 | Tag |0c  80  06                                                               |     |           
      98252 |      98472 | Rdr |0b  f1  07  00                                                           |     | READ Byte(1016)          
      99018 |      99206 | Rdr |0b  1a  04  00                                                           |     | WRITE Byte(525)          
      99752 |      99980 | Rdr |0b  7f  05  00                                                           |     | READ Byte(703)          
     100358 |     100570 | Rdr |0b  72  07  00                                                           |     | WRITE Byte(953)          
     103973 |     104105 | Rdr |07  1d  00  00                                                           |     | IV 0x1D          
     104175 |     104301 | Tag |06  3d  00                                                               |     | MIM1024          
     104354 |     104472 | Rdr |06  39  00  00                                                           |     | ACK 256/1024          
     104530 |     104718 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)          
     104788 |     105040 | Tag |0c  77  02                                                               |     |           
     105264 |     105452 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)          
     105522 |     105774 | Tag |0c  0e  04                                                               |     |           
     105998 |     106218 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)          
     106288 |     106540 | Tag |0c  4c  09                                                               |     |           
     106764 |     106968 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)          
     107038 |     107290 | Tag |0c  5e  09                                                               |     |           
     107514 |     107742 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)          
     107812 |     108064 | Tag |0c  80  06                                                               |     |           
     109506 |     109694 | Rdr |0b  35  00  00                                                           |     | READ Byte(26)          
     110240 |     110428 | Rdr |0b  d8  00  00                                                           |     | WRITE Byte(108)          
     110974 |     111138 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)          
     111516 |     111696 | Rdr |0b  38  00  00                                                           |     | WRITE Byte(28)          
...

Any hints how I can get the time source of the official repo to this one? Which file should I look at?

iceman1001 commented 5 years ago

That would be the fpga code...
Looking at your trace shows that the simulation works for some bytes, and the reader seems to both want to read / write to your pm3.

Just try the official repo and see if that works better against the reader, i.e. the reader reacts?

uhei commented 5 years ago

I gave it a try today with the official repo.

More or less same behavior: LED C and D flashing, but reader doesn't react (door doesn't open).

tyrell2:proxmark3 uh$ client/proxmark3 /dev/cu.usbmodem14201 
Prox/RFID mark3 RFID instrument          
bootrom: iceman/master/v1.1.0-616-g13ed4f46 2019-01-19 16:23:29
os: master/v3.1.0-52-g1511ea2-suspect 2019-01-22 20:45:15
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/11/28 at 08:33:11
SmartCard Slot: available

uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 206126 bytes (39). Free: 318162 bytes (61).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory          

proxmark3> hf legic reader
proxmark3> #db# Reading card ...          
#db# Card (MIM 1024) read, use 'hf legic decode' or          
#db# 'data hexsamples 1024' to view results          

hf legic sim 2
proxmark3> #db# Starting Legic emulator, press button to end          
#db# Stopped          

proxmark3> 

I've also tried to enable more debugging (hf mf dbg 4) but no more output has been shown.

drandreas commented 5 years ago

There is no output that can be enabled with dbg 4, since serial output would make the code too slow.

The trace looks surprisingly clean. But it puzzles me that the received frame length is always 0x0b (11). 11 bits is correct for read, but writes should be 23 bits. I assume one or several bit errors.

Let us look at the timings: reads of byte 0, 1, 2, 3, 4 look fine, tag-to-reader frame gaps are constant (224 ticks). But the next gap is significantly longer (1442). My best guess would be that the code handles only gaps up to 840 ticks (RWD_CMD_TIMEOUT * TAG_BIT_PERIOD) and yours is longer. You should double RWD_CMD_TIMEOUT and see if it helps.
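The debugging procedure drandreas gave earlier (run the simulation, stop it, `trace list legic`) and the analysis in this comment can be carried out mechanically over the trace table. The script below is an added example, not Proxmark3 project code: it parses a `trace list legic` table, decodes each frame from its first byte (frame length in bits) and command bits (bit 0 = read flag, bits 1-10 = address), computes the gap between consecutive frames, and flags the two findings from this comment: write commands that arrive as 11-bit frames instead of 23-bit ones, and reader frames whose gap exceeds `RWD_CMD_TIMEOUT * TAG_BIT_PERIOD`. The trace excerpt is copied from uhei's output above; `TAG_BIT_PERIOD = 21` is an assumption derived from the 840 / 40 figure in this comment, and `short_write_frames`, `gaps_over_timeout` and `annotate` are names chosen here, not project functions.

```python
"""Decode a `trace list legic` table and check inter-frame gaps against RWD_CMD_TIMEOUT."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RWD_CMD_TIMEOUT_ORIG = 40      # value in armsrc/legicrfsim.c before the change discussed
RWD_CMD_TIMEOUT_DOUBLED = 80   # value after doubling, as suggested in the thread
TAG_BIT_PERIOD = 21            # ASSUMPTION: derived from 840 ticks / 40 in the thread

READ_FRAME_BITS = 11   # 1 command bit + 10 address bits (MIM1024)
WRITE_FRAME_BITS = 23  # a write should be 23 bits long, per the thread

# Excerpt copied from the trace uhei posted (one IV handshake and the commands after it).
TRACE = """\
      52058 |      52182 | Rdr |07  45  00  00 |     | IV 0x45
      52252 |      52378 | Tag |06  3d  00     |     | MIM1024
      52431 |      52541 | Rdr |06  39  00  00 |     | ACK 256/1024
      52599 |      52819 | Rdr |0b  01  00  00 |     | READ Byte(0)
      52889 |      53141 | Tag |0c  77  02     |     |
      53365 |      53577 | Rdr |0b  03  00  00 |     | READ Byte(1)
      53647 |      53899 | Tag |0c  0e  04     |     |
      54123 |      54311 | Rdr |0b  05  00  00 |     | READ Byte(2)
      54381 |      54633 | Tag |0c  4c  09     |     |
      54857 |      55077 | Rdr |0b  07  00  00 |     | READ Byte(3)
      55147 |      55399 | Tag |0c  5e  09     |     |
      55623 |      55803 | Rdr |0b  09  00  00 |     | READ Byte(4)
      55873 |      56125 | Tag |0c  80  06     |     |
      57567 |      57763 | Rdr |0b  ec  00  00 |     | WRITE Byte(118)
      58309 |      58473 | Rdr |0b  00  02  00 |     | WRITE Byte(256)
      59019 |      59199 | Rdr |0b  29  00  00 |     | READ Byte(20)
      59577 |      59789 | Rdr |0b  96  07  00 |     | WRITE Byte(971)
"""


@dataclass
class Frame:
    start: int
    end: int
    src: str             # "Rdr" or "Tag"
    nbits: int           # frame length in bits (first byte of the Data column)
    payload: int         # remaining bytes, little-endian, bit 0 = first bit on air
    gap: Optional[int]   # ticks between the previous frame's End and this Start


def parse_trace(text: str) -> List[Frame]:
    """Turn the `trace list legic` table into Frame records with inter-frame gaps."""
    frames: List[Frame] = []
    prev_end: Optional[int] = None
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or not cols[0].isdigit():
            continue  # header, separator or empty line
        start, end, src = int(cols[0]), int(cols[1]), cols[2]
        raw = bytes.fromhex("".join(cols[3].split()))
        gap = None if prev_end is None else start - prev_end
        frames.append(Frame(start, end, src, raw[0], int.from_bytes(raw[1:], "little"), gap))
        prev_end = end
    return frames


def annotate(f: Frame) -> str:
    """Re-derive the trace tool's annotation from the raw frame bits."""
    if f.src == "Tag":
        return f"Tag {f.nbits}-bit 0x{f.payload:X}"
    if f.nbits == 7:
        return f"IV 0x{f.payload:02X}"
    if f.nbits == 6:
        return f"ACK 0x{f.payload:02X}"
    if f.nbits in (READ_FRAME_BITS, WRITE_FRAME_BITS):
        kind = "READ" if f.payload & 1 else "WRITE"   # bit 0 set = read
        return f"{kind} Byte({(f.payload >> 1) & 0x3FF})"
    return f"Rdr {f.nbits}-bit 0x{f.payload:X}"


def short_write_frames(frames: List[Frame]) -> List[int]:
    """Addresses of write commands that arrived with read length (11 bits) instead of 23."""
    return [(f.payload >> 1) & 0x3FF for f in frames
            if f.src == "Rdr" and f.nbits == READ_FRAME_BITS and not (f.payload & 1)]


def gaps_over_timeout(frames: List[Frame], rwd_cmd_timeout: int) -> List[Tuple[int, int]]:
    """(start, gap) of reader frames whose gap exceeds RWD_CMD_TIMEOUT * TAG_BIT_PERIOD."""
    limit = rwd_cmd_timeout * TAG_BIT_PERIOD
    return [(f.start, f.gap) for f in frames
            if f.src == "Rdr" and f.gap is not None and f.gap > limit]


if __name__ == "__main__":
    frames = parse_trace(TRACE)
    for f in frames:
        print(f"{f.start:>7} {f.src} gap={str(f.gap):>5} {annotate(f)}")
    print("writes with read-length frames:", short_write_frames(frames))
    for t in (RWD_CMD_TIMEOUT_ORIG, RWD_CMD_TIMEOUT_DOUBLED):
        print(f"RWD_CMD_TIMEOUT={t}: gaps over {t * TAG_BIT_PERIOD} ticks ->",
              gaps_over_timeout(frames, t))
```

Run against the excerpt, the only gap above the original 840-tick limit is the 1442-tick pause before `WRITE Byte(118)`, and none exceeds the 1680-tick limit after doubling, which matches the observation that more bytes were read after the change while the 11-bit writes remain unexplained.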

iceman1001 commented 5 years ago

Pull latest, I added @drandreas suggestion of doubling the timeout.

uhei commented 5 years ago

> Pull latest, I added @drandreas suggestion of doubling the timeout.

Some minutes ago I've already modified the code. Now more bytes are read. However door still doesn't open.

tyrell2:proxmark3 uh$ git diff
diff --git a/armsrc/legicrfsim.c b/armsrc/legicrfsim.c
index 1816a29c..7417325a 100644
--- a/armsrc/legicrfsim.c
+++ b/armsrc/legicrfsim.c
@@ -46,7 +46,7 @@ static uint32_t last_frame_end; /* ts of last bit of previews rx or tx frame */
 #define RWD_TIME_PAUSE        4 /* 18.9us */
 #define RWD_TIME_1           21 /* RWD_TIME_PAUSE 18.9us off + 80.2us on = 99.1us */
 #define RWD_TIME_0           13 /* RWD_TIME_PAUSE 18.9us off + 42.4us on = 61.3us */
-#define RWD_CMD_TIMEOUT      40 /* 40 * 99.1us (arbitrary value) */
+#define RWD_CMD_TIMEOUT      80 /* 40 * 99.1us (arbitrary value) */
 #define RWD_MIN_FRAME_LEN     6 /* Shortest frame is 6 bits */
 #define RWD_MAX_FRAME_LEN    23 /* Longest frame is 23 bits */
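Review bot: the comment on the `+#define RWD_CMD_TIMEOUT      80` line still reads `/* 40 * 99.1us (arbitrary value) */`, so it no longer matches the value; change it to `80 * 99.1us` (about 7.9 ms), and since the new value is motivated by a measured reader gap rather than an arbitrary pick, replace "(arbitrary value)" with that rationale so the next person tuning it knows why it was raised.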

----
```
pm3 --> hf legic eload 2 ../legic_xxx_20190122

[+] Loaded 1024 bytes from file: ../legic_xxx_20190122.bin  to emulator memory

pm3 -->
pm3 --> hf legic sim 2
pm3 --> #db# Starting Legic emulator, press button to end
#db# Stopped

pm3 --> trace list legic
Recorded Activity (TraceLen = 19385 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
LEGIC - Reader Mode: Timings are in ticks (1us == 1.5ticks)
        Tag Mode: Timings are in sub carrier periods (1/212 kHz == 4.7us)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        140 | Rdr |07  4f  00  00                                                           |     | IV 0x4F
        210 |        336 | Tag |06  3d  00                                                               |     | MIM1024
       8418 |       8760 | Rdr |16  2a  20  08                                                           |     |
      10158 |      10500 | Rdr |16  2a  20  08                                                           |     |
      13878 |      14002 | Rdr |07  19  00  00                                                           |     | IV 0x19
      14072 |      14198 | Tag |06  3d  00                                                               |     | MIM1024
      16468 |      16608 | Rdr |07  4f  00  00                                                           |     | IV 0x4F
      16678 |      16804 | Tag |06  3d  00                                                               |     | MIM1024
      24886 |      25228 | Rdr |16  2a  20  08                                                           |     |
      26626 |      26968 | Rdr |16  2a  20  08                                                           |     |
      30346 |      30494 | Rdr |07  7d  00  00                                                           |     | IV 0x7D
      30564 |      30690 | Tag |06  3d  00                                                               |     | MIM1024
      32959 |      33083 | Rdr |07  23  00  00                                                           |     | IV 0x23
      33153 |      33279 | Tag |06  3d  00                                                               |     | MIM1024
      41358 |      41700 | Rdr |16  2a  20  08                                                           |     |
      43098 |      43440 | Rdr |16  2a  20  08                                                           |     |
      46819 |      46942 | Rdr |07  51  00  00                                                           |     | IV 0x51
      47012 |      47138 | Tag |06  3d  00                                                               |     | MIM1024
      49408 |      49548 | Rdr |07  37  00  00                                                           |     | IV 0x37
      49618 |      49744 | Tag |06  3d  00                                                               |     | MIM1024
      57822 |      58164 | Rdr |16  2a  20  08                                                           |     |
      59562 |      59904 | Rdr |16  2a  20  08                                                           |     |
      63282 |      63406 | Rdr |07  51  00  00                                                           |     | IV 0x51
      63476 |      63602 | Tag |06  3d  00                                                               |     | MIM1024
      63655 |      63773 | Rdr |06  39  00  00                                                           |     | ACK 256/1024
      63831 |      64059 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)
      64129 |      64381 | Tag |0c  77  02                                                               |     |
      64605 |      64833 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)
      64903 |      65155 | Tag |0c  0e  04                                                               |     |
      65379 |      65591 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)
      65661 |      65913 | Tag |0c  4c  09                                                               |     |
      66137 |      66325 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)
      66395 |      66647 | Tag |0c  5e  09                                                               |     |
      66871 |      67051 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)
      67121 |      67373 | Tag |0c  80  06                                                               |     |
      71245 |      71377 | Rdr |07  33  00  00                                                           |     | IV 0x33
      71447 |      71573 | Tag |06  3d  00                                                               |     | MIM1024
      71626 |      71720 | Rdr |06  39  00  00                                                           |     | ACK 256/1024
      71778 |      71974 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)
      72044 |      72296 | Tag |0c  77  02                                                               |     |
      72520 |      72732 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)
      72802 |      73054 | Tag |0c  0e  04                                                               |     |
      73278 |      73466 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)
      73536 |      73788 | Tag |0c  4c  09                                                               |     |
      74012 |      74232 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)
      74302 |      74554 | Tag |0c  5e  09                                                               |     |
      74778 |      74990 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)
      75060 |      75312 | Tag |0c  80  06                                                               |     |
      76754 |      76950 | Rdr |0b  01  00  00                                                           |     | READ Byte(0)
      77020 |      77272 | Tag |0c  77  02                                                               |     |
      77496 |      77692 | Rdr |0b  03  00  00                                                           |     | READ Byte(1)
      77762 |      78014 | Tag |0c  0e  04                                                               |     |
      78238 |      78442 | Rdr |0b  05  00  00                                                           |     | READ Byte(2)
      78512 |      78764 | Tag |0c  4c  09                                                               |     |
      78988 |      79216 | Rdr |0b  07  00  00                                                           |     | READ Byte(3)
      79286 |      79538 | Tag |0c  5e  09                                                               |     |
      79762 |      79966 | Rdr |0b  09  00  00                                                           |     | READ Byte(4)
      80036 |      80288 | Tag |0c  80  06                                                               |     |
      80554 |      80742 | Rdr |0b  0d  00  00                                                           |     | READ Byte(6)
      80812 |      81064 | Tag |0c  ea  01                                                               |     |
      81288 |      81484 | Rdr |0b  0b  00  00                                                           |     | READ Byte(5)
      81554 |      81806 | Tag |0c  60  0c                                                               |     |
      82030 |      82258 | Rdr |0b  0f  00  00                                                           |     | READ Byte(7)
      82328 |      82580 | Tag |0c  9f  08                                                               |     |
      82804 |      83000 | Rdr |0b  11  00  00                                                           |     | READ Byte(8)
      83070 |      83322 | Tag |0c  ff  05                                                               |     |
      83546 |      83742 | Rdr |0b  19  00  00                                                           |     | READ Byte(12)
      83812 |      84064 | Tag |0c  11  01                                                               |     |
      84288 |      84484 | Rdr |0b  1b  00  00                                                           |     | READ Byte(13)
...
```

So, we're making progress! Thanks so far @iceman1001 and @drandreas
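To make @drandreas's timeout reasoning checkable against a trace like the one above, here is a small added script (not part of the thread or the proxmark3 code) that parses `trace list legic` rows, measures the gap before each reader frame, and flags gaps longer than `RWD_CMD_TIMEOUT * RWD_TIME_1`. It assumes the trace's tag-mode timings and the `RWD_TIME_*` constants share the same ~4.7us tick, which both the trace header and the comments in the diff indicate; the embedded rows are an excerpt of the trace posted above with the Data column trimmed.

```python
import re

# Constants from armsrc/legicrfsim.c as shown in the diff above (units: ~4.7us ticks).
RWD_TIME_1 = 21            # one "1" bit period, 99.1us
RWD_CMD_TIMEOUT_OLD = 40   # original value: 40 * 21 = 840 ticks
RWD_CMD_TIMEOUT_NEW = 80   # value after the doubling in the diff: 1680 ticks

# Excerpt of the `trace list legic` output posted above (trailing columns trimmed).
TRACE = """\
      74778 |      74990 | Rdr |0b  09  00  00 |     | READ Byte(4)
      75060 |      75312 | Tag |0c  80  06     |     |
      76754 |      76950 | Rdr |0b  01  00  00 |     | READ Byte(0)
      77020 |      77272 | Tag |0c  77  02     |     |
      77496 |      77692 | Rdr |0b  03  00  00 |     | READ Byte(1)
"""

# Only the Start, End and Src columns matter for the gap measurement.
ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|")


def parse_trace(text):
    """Return [(start, end, src), ...] for every data row in the trace."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def reader_gaps(rows):
    """Ticks from the end of the previous frame to the start of each reader frame."""
    return [start - prev_end
            for (_, prev_end, _), (start, _, src) in zip(rows, rows[1:])
            if src == "Rdr"]


def timeout_ticks(rwd_cmd_timeout):
    """How long the simulator waits for the next reader command, in ticks."""
    return rwd_cmd_timeout * RWD_TIME_1


def gaps_over_timeout(rows, rwd_cmd_timeout):
    """Gaps at which the simulator would stop waiting and miss the next command."""
    limit = timeout_ticks(rwd_cmd_timeout)
    return [g for g in reader_gaps(rows) if g > limit]


if __name__ == "__main__":
    rows = parse_trace(TRACE)
    for t in (RWD_CMD_TIMEOUT_OLD, RWD_CMD_TIMEOUT_NEW):
        print(f"RWD_CMD_TIMEOUT={t}: limit {timeout_ticks(t)} ticks, "
              f"gaps over limit: {gaps_over_timeout(rows, t)}")
```

On this excerpt the 224-tick gaps are the normal tag-to-reader spacing, while the 1442-tick gap after the byte 4 read exceeds the original 840-tick limit but fits within the doubled 1680.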

iceman1001 commented 5 years ago

good, for the sake of saving the time it takes to scroll those pastes, please consider using pastebin.com for it.

I see less and less writes but more and more reads. Try increasing the timeout even more, 120?

uhei commented 5 years ago

> I see less and less writes but more and more reads. Try increasing the timeout even more, 120?

Yeah. That's it. Changed timeout to 120 and now it works! Thanks a lot @iceman1001 and @drandreas!

iceman1001 commented 5 years ago

I am closing this one even if @raphCode has not confirmed.

raphCode commented 5 years ago

I was busy the last days and also had no possibility to test, but I will try with the updated code and report back here. The recent changes look very promising, thanks to all who contributed to this issue!

raphCode commented 5 years ago

Yep, it works for me too, now! Again thanks @iceman1001 and @drandreas :)

Maybe a good idea to merge the changes also into the official repo or at least the "normal"/non-rdv4 iceman fork?

iceman1001 commented 5 years ago

merged to iceman already. will do official later, feel free to do it.