emsec / ChameleonMini

The ChameleonMini is a versatile NFC-compliant contactless smartcard emulator. The ChameleonMini was developed by https://kasper-oswald.de. The device is available at https://shop.kasper.it. For further information see the Getting Started page https://rawgit.com/emsec/ChameleonMini/master/Doc/Doxygen/html/_page__getting_started.html or the project wiki.

Sniff Both Way problem #220

Closed banannd closed 5 years ago

banannd commented 5 years ago

Hi, I have uploaded the firmware from #180 and in my log file I have only RX transmission.

```
00000 ms < +0 ms>:BOOT (0 bytes) []
26881 ms <+26881 ms>:CODEC RX SNI READER (1 bytes) [52]
27401 ms < +520 ms>:CODEC RX SNI READER (1 bytes) [52]
27917 ms < +516 ms>:CODEC RX SNI READER (1 bytes) [52]
28437 ms < +520 ms>:CODEC RX SNI READER (1 bytes) [52]
28953 ms < +516 ms>:CODEC RX SNI READER (1 bytes) [52]
29475 ms < +522 ms>:CODEC RX SNI READER (1 bytes) [52]
29993 ms < +518 ms>:CODEC RX SNI READER (1 bytes) [52]
31050 ms < +1057 ms>:CODEC RX SNI READER (1 bytes) [52]
31567 ms < +517 ms>:CODEC RX SNI READER (1 bytes) [52]
32088 ms < +521 ms>:CODEC RX SNI READER (1 bytes) [52]
32609 ms < +521 ms>:CODEC RX SNI READER (1 bytes) [52]
```

What should I do to have TX transmission?

banannd commented 5 years ago

Ok I've resolved this.

ghost commented 5 years ago

@banannd how you resolve it? Remember - sharing is caring. Bring something back to the community. ;)

banannd commented 5 years ago

I set slot 1 as a MIFARE Classic card, and then I have TX and RX CODEC in the log.

sp4rrows commented 5 years ago

Hi, I get the same issue.

- Card: MF Classic 1k
- Reader: smartphone, NFC Tag Info app
- ChameleonMini slot 1: config=Mfclassic
- ChameleonMini slot 2: config=ISO14443A_SNIFF

Slot 2 active.

Hold between reader and tag.

Minicom: Logdownload

Chamlog: python chamlog.py -f

Could only get RX and no TX. Setting slot 1 to MIFARE Classic doesn't solve the problem. Has anyone an idea how to make it work better?

fptrs commented 5 years ago

Hi @sp4rrows, you need to use the 'autocalibrate' command to calibrate the ISO14443A_SNIFF application. So launch the command and hold the ChameleonMini between reader and tag. After a successful calibration the sniffer also receives transmissions from PICC to PCD.

sp4rrows commented 5 years ago

Hi @fptrs, I tried it, but autocalibrate only works with the ISO14443A_READER mode, not with the sniff mode. Didn't get the TX signals from the PICC.

banannd commented 5 years ago

Hi, try upgrading the firmware from https://github.com/gypsophlia/ChameleonMini. I tested this on a physical reader.

sp4rrows commented 5 years ago

> Hi, try upgrading the firmware from https://github.com/gypsophlia/ChameleonMini. I tested this on a physical reader.

Hi @banannd, I tried the firmware from @gypsophlia too. Used the master branch, but no success with my Android smartphone and an ACR122U as reader to get the TX.

Card:

```
[usb] pm3 --> hf search
[=] Checking for known tags...
 UID : 2D 63 32 49
ATQA : 00 04
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1
[=] proprietary non iso14443-4 card found, RATS not supported
[=] Answers to magic commands: NO
[+] Prng detection: HARD
[+] Valid ISO14443-A tag found
```

PM3 Sniff:

```
[usb] pm3 --> hf 14a sniff
#db# Starting to sniff
#db# maxDataLen=3, Uart.state=0, Uart.len=0
#db# traceLen=2743, Uart.output[0]=00000026
[usb] pm3 --> hf list
[+] Recorded Activity (TraceLen = 2743 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)

      Start |        End | Src | Data (! denotes parity error)  | CRC | Annotation
------------+------------+-----+--------------------------------+-----+--------------------
          0 |       1056 | Rdr | 26                             |     | REQA
      75904 |      76960 | Rdr | 26                             |     | REQA
     574704 |     575760 | Rdr | 26                             |     | REQA
     650352 |     651408 | Rdr | 26                             |     | REQA
    4206928 |    4207984 | Rdr | 26                             |     | REQA
    4282960 |    4284016 | Rdr | 26                             |     | REQA
    4781776 |    4782832 | Rdr | 26                             |     | REQA
    4857424 |    4858480 | Rdr | 26                             |     | REQA
    8414000 |    8415056 | Rdr | 26                             |     | REQA
    8489904 |    8490960 | Rdr | 26                             |     | REQA
    8988704 |    8989760 | Rdr | 26                             |     | REQA
    9064352 |    9065408 | Rdr | 26                             |     | REQA
   12620928 |   12621984 | Rdr | 26                             |     | REQA
   12696832 |   12697888 | Rdr | 26                             |     | REQA
   13195648 |   13196704 | Rdr | 26                             |     | REQA
   13197892 |   13200260 | Tag | 04 00                          |     |
   13216240 |   13216656 | Rdr | 01                             |     |
   13220592 |   13221008 | Rdr | 01                             |     |
   13229296 |   13230480 | Rdr | 00!                            |     |
   13233648 |   13234832 | Rdr | 00!                            |     |
   13238000 |   13239184 | Rdr | 2d!                            |     |
   13242352 |   13243536 | Rdr | 58                             |     |
   13247088 |   13248208 | Rdr | b6                             |     |
   13946224 |   13947280 | Rdr | 26                             |     | REQA
   13948468 |   13950836 | Tag | 04 00                          |     |
   13962592 |   13963584 | Rdr | 78!                            |     |
   13966816 |   13968000 | Rdr | 01                             |     |
   13971168 |   13972352 | Rdr | 01                             |     |
   13975520 |   13976704 | Rdr | 00!                            |     |
   13979872 |   13981056 | Rdr | 00!                            |     |
   13984224 |   13985408 | Rdr | 00!                            |     |
   13988576 |   13989760 | Rdr | 2d!                            |     |
   13992928 |   13994112 | Rdr | 58                             |     |
   13997664 |   13998784 | Rdr | b6                             |     |
   18177728 |   18178784 | Rdr | 26                             |     | REQA
   18179988 |   18182356 | Tag | 04 00                          |     |
   18191024 |   18193488 | Rdr | 93 20                          |     | ANTICOLL
   18194692 |   18200516 | Tag | 2d 63 32 49 35                 |     |
   18221856 |   18222080 | Rdr | 01                             |     |
   18233588 |   18237108 | Tag | 08 b6 dd                       |     |
   21267456 |   21268448 | Rdr | 52                             |     | WUPA
   21343360 |   21344352 | Rdr | 52                             |     | WUPA
   21345620 |   21347988 | Tag | 04 00                          |     |
   21361264 |   21371728 | Rdr | 93 70 2d 63 32 49 35 16 bd     |  ok | SELECT_UID
   21372996 |   21376516 | Tag | 08 b6 dd                       |     |
   24406224 |   24407216 | Rdr | 52                             |     | WUPA
   24482256 |   24483248 | Rdr | 52                             |     | WUPA
```

Log ACR122U:

```
00000 ms < +0 ms>:BOOT (0 bytes) []
07516 ms < +7516 ms>:CODEC RX (1 bytes) [26]
07522 ms < +6 ms>:CODEC RX (1 bytes) [26]
07559 ms < +37 ms>:CODEC RX (1 bytes) [26]
07565 ms < +6 ms>:CODEC RX (1 bytes) [26]
07581 ms < +16 ms>:CODEC RX (1 bytes) [5a]
07586 ms < +5 ms>:CODEC RX (1 bytes) [5a]
07601 ms < +15 ms>:CODEC RX (2 bytes) [1001]
07606 ms < +5 ms>:CODEC RX (1 bytes) [02]
07831 ms < +225 ms>:CODEC RX (1 bytes) [26]
07837 ms < +6 ms>:CODEC RX (1 bytes) [26]
07874 ms < +37 ms>:CODEC RX (1 bytes) [26]
07880 ms < +6 ms>:CODEC RX (1 bytes) [26]
07896 ms < +16 ms>:CODEC RX (1 bytes) [5a]
07901 ms < +5 ms>:CODEC RX (1 bytes) [5a]
07916 ms < +15 ms>:CODEC RX (1 bytes) [02]
07916 ms < +0 ms>:CODEC RX (2 bytes) [1c01]
08146 ms < +230 ms>:CODEC RX (1 bytes) [26]
08152 ms < +6 ms>:CODEC RX (1 bytes) [26]
08189 ms < +37 ms>:CODEC RX (1 bytes) [26]
08195 ms < +6 ms>:CODEC RX (1 bytes) [26]
08211 ms < +16 ms>:CODEC RX (1 bytes) [5a]
08216 ms < +5 ms>:CODEC RX (1 bytes) [5a]
08461 ms < +245 ms>:CODEC RX (1 bytes) [26]
08467 ms < +6 ms>:CODEC RX (1 bytes) [26]
08504 ms < +37 ms>:CODEC RX (1 bytes) [26]
08510 ms < +6 ms>:CODEC RX (1 bytes) [26]
08526 ms < +16 ms>:CODEC RX (1 bytes) [5a]
08531 ms < +5 ms>:CODEC RX (1 bytes) [5a]
08546 ms < +15 ms>:CODEC RX (1 bytes) [00]
08550 ms < +4 ms>:CODEC RX (1 bytes) [10]
08776 ms < +226 ms>:CODEC RX (1 bytes) [26]
08781 ms < +5 ms>:CODEC RX (1 bytes) [26]
08819 ms < +38 ms>:CODEC RX (1 bytes) [26]
08824 ms < +5 ms>:CODEC RX (1 bytes) [26]
08840 ms < +16 ms>:CODEC RX (1 bytes) [5a]
08845 ms < +5 ms>:CODEC RX (1 bytes) [5a]
08865 ms < +20 ms>:CODEC RX (2 bytes) [0b03]
09090 ms < +225 ms>:CODEC RX (1 bytes) [26]
09092 ms < +2 ms>:CODEC RX (2 bytes) [9320]
09094 ms < +2 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
09322 ms < +228 ms>:CODEC RX (1 bytes) [52]
09327 ms < +5 ms>:CODEC RX (1 bytes) [52]
09328 ms < +1 ms>:CODEC RX (2 bytes) [fd3f]
09329 ms < +1 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
09330 ms < +1 ms>:CODEC RX (3 bytes) [fb0000]
09556 ms < +226 ms>:CODEC RX (1 bytes) [52]
09562 ms < +6 ms>:CODEC RX (1 bytes) [52]
09562 ms < +0 ms>:CODEC RX (2 bytes) [fd3f]
09564 ms < +2 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
09564 ms < +0 ms>:CODEC RX (3 bytes) [fb0000]
09791 ms < +227 ms>:CODEC RX (1 bytes) [52]
09797 ms < +6 ms>:CODEC RX (1 bytes) [52]
09797 ms < +0 ms>:CODEC RX (2 bytes) [fd3f]
09799 ms < +2 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
09799 ms < +0 ms>:CODEC RX (3 bytes) [fb0000]
10026 ms < +227 ms>:CODEC RX (1 bytes) [52]
10031 ms < +5 ms>:CODEC RX (1 bytes) [52]
10032 ms < +1 ms>:CODEC RX (2 bytes) [fd3f]
10033 ms < +1 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
10034 ms < +1 ms>:CODEC RX (3 bytes) [fb0000]
10260 ms < +226 ms>:CODEC RX (1 bytes) [52]
10266 ms < +6 ms>:CODEC RX (1 bytes) [52]
10266 ms < +0 ms>:CODEC RX (2 bytes) [0140]
10268 ms < +2 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
10269 ms < +1 ms>:CODEC RX (3 bytes) [02ad77]
10495 ms < +226 ms>:CODEC RX (1 bytes) [52]
10501 ms < +6 ms>:CODEC RX (1 bytes) [52]
10501 ms < +0 ms>:CODEC RX (2 bytes) [0140]
10503 ms < +2 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
10503 ms < +0 ms>:CODEC RX (3 bytes) [02ad77]
10730 ms < +227 ms>:CODEC RX (1 bytes) [52]
10736 ms < +6 ms>:CODEC RX (1 bytes) [52]
10736 ms < +0 ms>:CODEC RX (2 bytes) [ff0f]
10738 ms < +2 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
10738 ms < +0 ms>:CODEC RX (3 bytes) [81563b]
10965 ms < +227 ms>:CODEC RX (1 bytes) [52]
10970 ms < +5 ms>:CODEC RX (1 bytes) [52]
...
```

Log Smartphone:

```
28105 ms <+28105 ms>:SETTING SET (1 bytes) [?]
59519 ms <+31414 ms>:CONFIG SET (13 bytes) [MF_CLASSIC_1K]
62511 ms < +2992 ms>:SETTING SET (1 bytes) [2]
08230 ms <+11255 ms>:CONFIG SET (15 bytes) [ISO14443A_SNIFF]
63037 ms <+54807 ms>:CODEC RX (29 bytes) [f025d400fc7b4a68a5623d86cdee0000003246666d010112020207ff03]
63038 ms < +1 ms>:CODEC RX (11 bytes) [0038401040731030084a08]
63050 ms < +12 ms>:CODEC RX (1 bytes) [26]
63051 ms < +1 ms>:CODEC RX (2 bytes) [9320]
63053 ms < +2 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
63073 ms < +20 ms>:CODEC RX (4 bytes) [500057cd]
63078 ms < +5 ms>:CODEC RX (1 bytes) [52]
63080 ms < +2 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
63091 ms < +11 ms>:CODEC RX (4 bytes) [500057cd]
63094 ms < +3 ms>:CODEC RX (1 bytes) [52]
63095 ms < +1 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
63100 ms < +5 ms>:CODEC RX (4 bytes) [6000f57b]
63102 ms < +2 ms>:CODEC RX (8 bytes) [a0c028d535d256ce]
63105 ms < +3 ms>:CODEC RX (4 bytes) [500057cd]
63109 ms < +4 ms>:CODEC RX (1 bytes) [52]
63110 ms < +1 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
63114 ms < +4 ms>:CODEC RX (4 bytes) [6000f57b]
63116 ms < +2 ms>:CODEC RX (8 bytes) [9e665fef9f17ba7f]
63120 ms < +4 ms>:CODEC RX (4 bytes) [500057cd]
63123 ms < +3 ms>:CODEC RX (1 bytes) [52]
63124 ms < +1 ms>:CODEC RX (9 bytes) [93702d6332493516bd]
63128 ms < +4 ms>:CODEC RX (4 bytes) [6000f57b]
63130 ms < +2 ms>:CODEC RX (8 bytes) [8c576eaa295edb7d]
63133 ms < +3 ms>:CODEC RX (4 bytes) [500057cd]
63137 ms < +4 ms>:CODEC RX (1 bytes) [52]
...
```

Couldn't find a reason why it doesn't work with the smartphone or the ACR. I'll try it the next day on real readers.

zt-chen commented 5 years ago

It can autocalibrate in sniffing mode; the steps are:

  1. Reset the threshold to the default value.
  2. Put the ChameleonMini between the reader and the card.
  3. Use the following script to send anticollision commands continuously; this is required since the implementation of the sniffing function tracks the anticollision process.

```sh
# Keep the reader polling (REQA/anticollision) while the ChameleonMini
# searches for a threshold that lets it see both sides of the exchange.
while true
do
    nfc-list -t 1
    sleep 0.5
done
```

  4. Issue the commands "timeout=600" and "autocalibrate" to the ChameleonMini to extend the timeout and execute the autocalibrate function.
  5. Check the response in the ChameleonMini terminal to determine whether autocalibrate has found a threshold that works for sniffing.
  6. After autocalibrate succeeds, issue the "nfc-list -t 1" command to the reader to see if the ChameleonMini can successfully sniff the communication under the threshold set by autocalibrate.

Also, you could try different thresholds manually.

And I think you should use either the SniffBothWay14443-pr branch of gypsophlia/ChameleonMini or the master branch of emsec/ChameleonMini, as it has been merged into the master branch of the original repo. But I'm not sure if there are any commits that break the sniffing function after the merge.

sp4rrows commented 5 years ago

@gypsophlia I tried your steps. autocalibrate returned 512. Used nfc-list -t 1 and sniffed the traffic.

Logdownload: python chamlog.py -f abc

Note: If parityBit check failed, '!' is appended to the decoded data and raw data with parity bit is displayed.

```
Traceback (most recent call last):
  File "chamlog.py", line 109, in <module>
    main()
  File "chamlog.py", line 102, in main
    log = Chameleon.Log.parseBinary(handle, args.decode)
  File "/home/git/ChameleonMini_upstream/ChameleonMini/Software/Chameleon/Log.py", line 130, in parseBinary
    logData = eventTypes[event]['decoder']
  File "/home/git/ChameleonMini_upstream/ChameleonMini/Software/Chameleon/Log.py", line 51, in binaryParityDecoder
    isValid, checkedData = checkParityBit(data)
  File "/home/git/ChameleonMini_upstream/ChameleonMini/Software/Chameleon/Log.py", line 23, in checkParityBit
    bit = (data[byteIndex] >> bitIndex) & 0x01
TypeError: string indices must be integers, not float
```

Will try it more times, but I don't understand why it doesn't work every time.

sp4rrows commented 5 years ago

OK, it was my fault: I used Python 2.7.

With Python 3 it looks like this: python3 chamlog.py -f abc

Note: If parityBit check failed, '!' is appended to the decoded data and raw data with parity bit is displayed.

17982 ms <+17982 ms>:CODEC RX SNI READER (1 bytes) [26 ]
17982 ms < +0 ms>:CODEC RX SNI CARD W/PARITY (3 bytes) [0400 ]
17983 ms < +1 ms>:CODEC RX SNI READER (2 bytes) [9320 ]
17984 ms < +1 ms>:CODEC RX SNI CARD W/PARITY (6 bytes) [1122334444 ]
17986 ms < +2 ms>:CODEC RX SNI READER (9 bytes) [93701122334444519c ]
17986 ms < +0 ms>:CODEC RX SNI CARD W/PARITY (4 bytes) [08b6dd ]
17996 ms < +10 ms>:CODEC RX SNI READER (4 bytes) [500057cd ]
18007 ms < +11 ms>:CODEC RX SNI READER (1 bytes) [26 ]
18012 ms < +5 ms>:CODEC RX SNI READER (1 bytes) [26 ]
18018 ms < +6 ms>:CODEC RX SNI READER (1 bytes) [26 ]
19381 ms < +1363 ms>:CODEC RX SNI READER (1 bytes) [26 ]
19381 ms < +0 ms>:CODEC RX SNI CARD W/PARITY (3 bytes) [0400 ]
19382 ms < +1 ms>:CODEC RX SNI READER (2 bytes) [9320 ]
19382 ms < +0 ms>:CODEC RX SNI CARD W/PARITY (6 bytes) [1122334444 ]
19385 ms < +3 ms>:CODEC RX SNI READER (9 bytes) [93701122334444519c ]
19385 ms < +0 ms>:CODEC RX SNI CARD W/PARITY (4 bytes) [08b6dd ]
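
The sniff log above only makes sense once each frame is mapped onto the ISO 14443-3A activation sequence (REQA → ATQA → anticollision → SELECT → SAK → HLTA) and, for MIFARE Classic, the AUTH handshake that follows. The script below is an added example written for this page; it is not part of the ChameleonMini project or of the chamlog.py tool, and it uses only the Python standard library. It parses lines in the text format chamlog.py prints, verifies the BCC byte of every UID and the CRC_A of every frame that carries one, and tracks the AUTH state so the plaintext tag nonce nT and the encrypted {nR}{aR} / {aT} frames are labelled. The first seven sample lines are copied from the log posted above (emulated UID 11223344); the four AUTH lines after them are constructed for illustration, and the nonce values in them are made up.

```python
"""Annotate ChameleonMini ISO14443A_SNIFF log lines (added example, not project code)."""
import re
from typing import List, Optional, Tuple

# Matches the text form chamlog.py prints, e.g.
#   17986 ms < +2 ms>:CODEC RX SNI READER (9 bytes) [93701122334444519c ]
# The byte count in parentheses includes parity for CARD frames, so the
# hex payload rather than the count is used for the frame length.
LOG_LINE = re.compile(
    r"^\s*(?P<ts>\d+) ms\s*<\s*[+-]?\d+ ms>:"
    r"(?P<event>CODEC RX SNI READER|CODEC RX SNI CARD W/PARITY|CODEC RX|CODEC TX)"
    r"\s*\(\d+ bytes\)\s*\[(?P<hex>[0-9a-fA-F !]*)\]"
)


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A: preset 0x6363, reflected poly 0x1021, LSB first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def crc_ok(frame: bytes) -> bool:
    """True when the trailing two bytes are the CRC_A of the preceding bytes."""
    return len(frame) >= 3 and crc_a(frame[:-2]) == frame[-2:]


def bcc_ok(uid_bcc: bytes) -> bool:
    """Cascade-level UID response: 4 UID bytes followed by their XOR (BCC)."""
    return len(uid_bcc) == 5 and uid_bcc[4] == uid_bcc[0] ^ uid_bcc[1] ^ uid_bcc[2] ^ uid_bcc[3]


def parse_line(line: str) -> Optional[Tuple[int, str, bytes, bool]]:
    """Return (timestamp_ms, 'READER'|'CARD', frame, parity_error) or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    direction = "CARD" if "CARD" in m["event"] else "READER"
    raw = m["hex"]
    frame = bytes.fromhex(raw.replace("!", "").replace(" ", ""))
    return int(m["ts"]), direction, frame, "!" in raw


def _reader_frame(f: bytes, state: Optional[str]) -> Tuple[str, Optional[str]]:
    """Label a PCD->PICC frame; second value is the new AUTH-tracking state."""
    if f == b"\x26":
        return "REQA", None
    if f == b"\x52":
        return "WUPA", None
    if f == b"\x93\x20":
        return "ANTICOLL CL1", None
    if len(f) == 9 and f[:2] == b"\x93\x70":
        return "SELECT UID=%s BCC %s CRC %s" % (
            f[2:6].hex(), "ok" if bcc_ok(f[2:7]) else "BAD",
            "ok" if crc_ok(f) else "BAD"), None
    if len(f) == 4 and f[:2] == b"\x50\x00":
        return "HLTA CRC %s" % ("ok" if crc_ok(f) else "BAD"), None
    if len(f) == 4 and f[0] in (0x60, 0x61):           # MIFARE Classic AUTH
        key = "A" if f[0] == 0x60 else "B"
        return "AUTH key%s block %d CRC %s" % (key, f[1], "ok" if crc_ok(f) else "BAD"), "NT"
    if len(f) == 8 and state == "NR_AR":
        return "{nR}{aR} encrypted reader nonce + answer", "AT"
    return "unknown reader frame", None


def _card_frame(f: bytes, state: Optional[str]) -> Tuple[str, Optional[str]]:
    """Label a PICC->PCD frame; nonces carry no command byte, so state decides."""
    if len(f) == 4 and state == "NT":
        return "nT tag nonce (plaintext)", "NR_AR"
    if len(f) == 4 and state == "AT":
        return "{aT} encrypted tag answer: authentication done", None
    if len(f) == 2:
        return "ATQA", None
    if len(f) == 5:
        return "UID CL1=%s BCC %s" % (f[:4].hex(), "ok" if bcc_ok(f) else "BAD"), None
    if len(f) == 3 and crc_ok(f):
        flags = []
        if f[0] & 0x04:
            flags.append("UID incomplete, cascade")
        if f[0] & 0x20:
            flags.append("ISO14443-4 compliant")
        return "SAK 0x%02x CRC ok%s" % (f[0], " (" + ", ".join(flags) + ")" if flags else ""), None
    return "unknown card frame", state


def annotate_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Annotate every frame in a chamlog text dump as (ts_ms, direction, hex, label)."""
    out, state = [], None
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, direction, f, perr = parsed
        ann, state = (_reader_frame if direction == "READER" else _card_frame)(f, state)
        out.append((ts, direction, f.hex(), ann + (" (parity error)" if perr else "")))
    return out


# Constructed sample: first seven lines copied from the thread's sniff log,
# the AUTH exchange below them is made up for illustration (fake nonces).
SAMPLE_LOG = """\
17982 ms <+17982 ms>:CODEC RX SNI READER (1 bytes) [26 ]
17982 ms < +0 ms>:CODEC RX SNI CARD W/PARITY (3 bytes) [0400 ]
17983 ms < +1 ms>:CODEC RX SNI READER (2 bytes) [9320 ]
17984 ms < +1 ms>:CODEC RX SNI CARD W/PARITY (6 bytes) [1122334444 ]
17986 ms < +2 ms>:CODEC RX SNI READER (9 bytes) [93701122334444519c ]
17986 ms < +0 ms>:CODEC RX SNI CARD W/PARITY (4 bytes) [08b6dd ]
17996 ms < +10 ms>:CODEC RX SNI READER (4 bytes) [500057cd ]
18000 ms < +4 ms>:CODEC RX SNI READER (4 bytes) [6000f57b ]
18001 ms < +1 ms>:CODEC RX SNI CARD W/PARITY (5 bytes) [01020304 ]
18002 ms < +1 ms>:CODEC RX SNI READER (8 bytes) [a0c028d535d256ce ]
18004 ms < +2 ms>:CODEC RX SNI CARD W/PARITY (5 bytes) [deadbeef ]
"""

if __name__ == "__main__":
    for ts, direction, hx, ann in annotate_log(SAMPLE_LOG):
        print("%6d ms  %-6s %-20s %s" % (ts, direction, hx, ann))
```

A log that shows only READER frames, like the first one in this thread, will produce a run of REQA/WUPA labels and nothing else; a card-side SELECT answer with a BAD BCC or a SAK that fails CRC_A is the quickest sign that the sniff threshold is still wrong rather than that the reader is misbehaving.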

geo-rg commented 5 years ago

@sp4rrows Glad to see you figured it out yourself. :)