hydrabus / hydrafw

HydraBus HydraFW official firmware for open source multi-tool for anyone interested in learning/developing/debugging/hacking/Penetration Testing for basic or advanced embedded hardware
https://hydrabus.com/hydrabus-1-0-specifications
Apache License 2.0

Issue with sniffer which seems to sniff the wrong data #112

Closed pmathelin closed 4 years ago

pmathelin commented 4 years ago

Hi,

I am working on Hydrabus with hydra NFC and trying to use the sniffer mode. I followed the documentation to start sniffing: https://github.com/hydrabus/hydrafw/wiki/HydraFW-HydraNFC-guide#autonomousstand-alone-sniffer-mode

My issue is that the data I sniff does not seem to be the correct one. Most of the time I have a write_file() error and sometimes I have write_file() OK but with some data from I don't know where. I am using an ISO 14443-3A MIFARE Ultralight tag and I have no problem scanning this tag. This tag is not empty. There is a text "Hello world!" saved on it.

To do the sniffing, I put the HydraNFC between my tag and the phone used as reader, spacing them apart from each other. I don't find what I am doing wrong. Can anyone help me with my issue, please? :)

EDIT: The data I sniff is saved on my SD card. This part works correctly.

Thank you in advance, Pierre

bvernoux commented 4 years ago

The important point for good sniffing is to be not too far (less than 2 cm) and not too near (sometimes depending on reader/tag) from the tag and reader.

1) What firmware are you using?

2) Could you provide the command you entered for the sniff?

3) Could you take a short video of your setup during sniffing and provide the corresponding sniff results, with what is expected/obtained on the reader?

pmathelin commented 4 years ago

Hi, thank you for your answer. So, I tried to use an SMA instead of the UFL connector. I still have some issues while sniffing using hydratool and the nfc sniff bin frame-time command.

The hydratool response from the FTDI is

Frame size error resync data: 00 00 00 00

Do you have any idea what I am doing wrong? Below you can find a screenshot of my windows:

[screenshot]

The FTDI that I use is the same as in the tutorial. I plugged the yellow wire to PA9 and the black to GND. The FW version is the latest one, build_HydraFW_v0.9-beta-65-g55e5dbe_HydraBus_HydraNFC.zip

For the FTDI port config: [screenshot]

I also saw this post because it seemed to be the same issue as mine, but using HydraFW v9.0 didn't fix my issue.

Thank you for your help

bvernoux commented 4 years ago

1) I suspect the issue could be due to your build of hydratool v0.3.2.0 built with Qt 5.12.6; see my build, which I use with MSVC2013 32 bits and Qt 5.9.1: hydratool_win32_Qt5_9_1.zip. See also the latest firmware build: build_HydraFW_v0.9-beta-93-gabad2b2_HydraBus_HydraNFC.zip

Note: I have tested it with success on Windows 7 Pro SP1 (native OS), exactly with build_HydraFW_v0.9-beta-93-gabad2b2_HydraBus_HydraNFC.zip and hydratool_win32_Qt5_9_1.zip (using an SCL3711 as reader and a Mifare UL tag with sniff bin frame-time).

2) Are you using a native Windows OS (if yes, which one?), as FTDI High Speed under a VM does not work correctly (maybe because the USB HS emulation is not fast enough ...)?

pmathelin commented 4 years ago

Thanks for your answer,

I am using a Windows 10 Professional native OS. I tried to use your build of hydratool and the firmware that you linked me to have the same basis as you. So I used PuTTY for the commands and hydratool for the FTDI. My tag is also a Mifare UL, but my reader is a Samsung smartphone which has an NFC reader/writer.

[screenshot]

I still have the same issue, so maybe it comes from my reader?

EDIT: my tag is not empty. There is a text "test" saved.

bvernoux commented 4 years ago

Thanks for the details

It would be interesting if you validated that the sniffer works fine with a normal reader like the SCL3711 and a credit-card-size MifareUL or MifareClassic ... (I use it for my own tests and even with a small antenna the signal is very good and sniffing is very stable, even in a very long session and full dump without any error...) Also thanks to check the size of your tag, as the best are credit-card-size tags; else it is harder on a small tag, especially with a reader with limited antenna and power like a phone.

In your case the main issue is probably the phone NFC which is too far (and probably limited in power) and/or without enough power (too small antenna) from the sniffer, so it is very hard to sniff if there is not enough power. Anyway it is very strange that you always have some "00", as in case power is not good enough it shall show some invalid values like FF ... and also you shall see the Reader Query (as the Reader Queries are very strong with ASK 100%/Modified Miller at a data rate of 106 kb/s) and potentially not the TAG, as the tag answer is the hardest to sniff (with ISO14443A) as the TAG signal is modulated using OOK Manchester (only about 10% of signal on top/bottom with subcarrier @847 kHz / 106 kb/s) and so sensitivity/good signal is critical to correctly decode the TAG answer ...

In the past I had validated that the HydraNFC sniffer works with a phone, but only on a Samsung Nexus S (but I cannot test anymore on this one as it has not powered on for a few years ...) and only in a few specific positions directly on the antenna with a big credit-card-size tag...

You could change the RX gain for your usage (with a low power field and small antenna like there is on a phone); see file https://github.com/hydrabus/hydrafw/blob/master/src/hydranfc/hydranfc_cmd_sniff.c#L267 (by default it is Gain reduction for 5 dB, B2=1 & B3=0). See datasheet https://www.ti.com/document-viewer/TRF7970A/datasheet/detailed-description#SLOS7431033 "RX Special Setting Register (0x0A)" B2 & B3 => Sets the RX gain reduction and reduces sensitivity.

Sniffer sensitivity/range is one of the drawbacks of the TRF7970A when used as a passive sniffer (which is a mode not documented when used to sniff both Reader/TAG), and the AGC is not very good either (it is why I have decreased the gain by 5 dB to avoid saturation....) and the sensitivity is not very good either.

A dedicated NFC sniffer antenna (like an ISO 10373-6 / calibration coil tuned for sniffing purposes) should improve that, as the default HydraNFC antenna is designed to be used as an active reader, and so when used as a passive sniffer (or also card emulator) it attenuates (detuning effect because of the 3 antennas Reader/Sniffer/Tag) the sniffed signal, which also explains why the sensitivity/range is very short (max 4 cm in the best conditions with a credit-card-size tag).
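The two line codings bvernoux refers to above, worked through in Python as an added example (editor's code, not HydraFW, hydratool or TRF7970A code): ISO/IEC 14443-3 Type A reader commands are 100 % ASK with Modified Miller coding, where every bit period either has a pause at its start (Z), in its middle (X) or no pause (Y), and tag answers are Manchester coded on the 847 kHz subcarrier, where the subcarrier is switched on in the first (D) or second (E) half of the bit period. The input representation (pause positions in units of bit periods, and on/off flags per half bit) is an assumption made for illustration, not HydraNFC's sniff format; the sample exchange is constructed from a REQA (0x26 short frame) and the ATQA 0x44 0x00 that a MIFARE Ultralight returns.

```python
"""ISO/IEC 14443-3 Type A line coding for both halves of a reader/tag exchange.

Added example, not HydraFW code. Reader -> tag is 100 % ASK with Modified
Miller coding; tag -> reader is OOK of the fc/16 = 847 kHz subcarrier with
Manchester coding; both run at 106 kbit/s (one bit period = 128/fc = 9.44 us).
The input representation below (pause positions in bit periods; subcarrier
on/off per half bit) is an assumption for illustration, not HydraNFC's format.
"""


def bytes_to_bits(data: bytes, parity: bool = True) -> list:
    """LSB-first bit stream; with parity=True each byte is followed by an odd parity bit."""
    bits = []
    for b in data:
        byte_bits = [(b >> i) & 1 for i in range(8)]
        bits.extend(byte_bits)
        if parity:
            bits.append(1 - (sum(byte_bits) & 1))  # data + parity must have odd weight
    return bits


def bits_to_bytes(bits: list, parity: bool = True) -> bytes:
    """Inverse of bytes_to_bits; raises ValueError on a length or parity error."""
    step = 9 if parity else 8
    if len(bits) % step:
        raise ValueError(f"{len(bits)} bits is not a whole number of {step}-bit groups")
    out = bytearray()
    for i in range(0, len(bits), step):
        group = bits[i:i + step]
        if parity and sum(group) % 2 == 0:
            raise ValueError(f"parity error in byte {i // step}")
        out.append(sum(b << k for k, b in enumerate(group[:8])))
    return bytes(out)


# Reader side: Modified Miller. X = pause mid-period, Y = no pause, Z = pause at start.
def miller_encode(bits):
    """One symbol per bit period, including SOC (Z) and EOC (logic 0 followed by Y)."""
    seq, prev = ["Z"], 0                 # SOC counts as a preceding logic 0
    for b in list(bits) + [0]:           # the trailing 0 is the first half of the EOC
        seq.append("X" if b else ("Z" if prev == 0 else "Y"))
        prev = b
    seq.append("Y")
    return seq


def miller_decode(seq):
    """Symbols back to bits, enforcing the coding rules; stops at the EOC."""
    if not seq or seq[0] != "Z":
        raise ValueError("missing start of communication (Z)")
    bits, prev = [], 0
    for i, s in enumerate(seq[1:], start=1):
        if s == "X":
            bits.append(1); prev = 1
        elif s == "Z":
            if prev == 1:
                raise ValueError(f"symbol {i}: Z may only follow a logic 0")
            bits.append(0); prev = 0
        elif s == "Y":
            if prev == 0:
                return bits[:-1]         # EOC: the 0 just before this Y is not data
            bits.append(0); prev = 0
        else:
            raise ValueError(f"symbol {i}: unknown symbol {s!r}")
    raise ValueError("missing end of communication")


def pauses_from_symbols(seq):
    """Pause positions in bit periods: Z -> k, X -> k + 0.5, Y -> no pause."""
    return [k + (0.5 if s == "X" else 0.0) for k, s in enumerate(seq) if s != "Y"]


def symbols_from_pauses(pause_times, n_periods, tol=0.1):
    """Classify each bit period by where its pause fell (tol = timing slack in bit periods)."""
    seq = ["Y"] * n_periods
    for t in pause_times:
        nearest = round(t * 2) / 2       # snap to the start or the middle of a period
        if abs(t - nearest) > tol:
            raise ValueError(f"pause at {t:.2f} bit periods is off the symbol grid")
        k = int(nearest)
        if k >= n_periods:
            raise ValueError(f"pause at {t:.2f} lies beyond the frame")
        if seq[k] != "Y":
            raise ValueError(f"two pauses in bit period {k}")
        seq[k] = "Z" if nearest == k else "X"
    return seq


# Tag side: Manchester on the 847 kHz subcarrier, one (first half, second half) pair per bit.
D, E, F = (True, False), (False, True), (False, False)   # subcarrier on/off per half bit


def manchester_encode(bits):
    """SOC is D, logic 1 is D, logic 0 is E, EOC is F (no subcarrier at all)."""
    return [D] + [D if b else E for b in bits] + [F]


def manchester_decode(halves):
    if not halves or halves[0] != D:
        raise ValueError("missing start of communication (D)")
    bits = []
    for i, h in enumerate(halves[1:], start=1):
        if h == D:
            bits.append(1)
        elif h == E:
            bits.append(0)
        elif h == F:
            return bits
        else:
            raise ValueError(f"half-bit pair {i}: subcarrier on in both halves")
    raise ValueError("missing end of communication (F)")


def reader_frame_to_bytes(bits):
    """7 bits = short frame (REQA/WUPA, no parity); otherwise a standard frame with parity."""
    if len(bits) == 7:
        return bytes([sum(b << k for k, b in enumerate(bits))])
    return bits_to_bytes(bits, parity=True)


def demo():
    """Constructed exchange: REQA (0x26 short frame) answered by a MIFARE Ultralight ATQA 0x44 0x00."""
    reqa_bits = bytes_to_bits(b"\x26", parity=False)[:7]
    seq = miller_encode(reqa_bits)
    pauses = pauses_from_symbols(seq)
    reqa = reader_frame_to_bytes(miller_decode(symbols_from_pauses(pauses, len(seq))))
    atqa = bits_to_bytes(manchester_decode(manchester_encode(bytes_to_bits(b"\x44\x00"))))
    return {"reqa_symbols": "".join(seq), "reqa_pauses": pauses, "reqa": reqa, "atqa": atqa}
```

The asymmetry bvernoux points out is visible in the two decoders: a reader command is recovered from the positions of full-depth pauses alone, so a sniffer only needs to time the carrier gaps, while a tag answer needs the 847 kHz subcarrier to be distinguishable in each half bit, which is where the RX gain setting and antenna tuning matter.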

pmathelin commented 4 years ago

First of all, thank you for your time.

I tried to do the same manipulation with another NFC reader. Unfortunately, nothing changes. Just for your info and to check if I am doing it well, please find some media below: [photos IMG_0224, IMG_0225, IMG_0226, IMG_0227]

I hope that my tag is large enough. I'll continue my research and keep you posted if I find anything.

Thank you for your help

bvernoux commented 4 years ago

Thanks for the photos

1) Could you confirm that when using the hydrafw nfc> scan on Mifare UL and MifareClassic everything works fine?

2) Could you also test with a Vicinity tag with hydrafw nfc> scan? As if I'm right and some capacitors are wrong on the antenna or even on the HydraNFC, in that case hydrafw nfc scan shall not read tags correctly, especially at different distances to check sensitivity ...

3) Could you test the sniffer with the internal file? If tests 1), 2) and 3) work, it means there is no issue with the HydraNFC but maybe an issue with the FTDI, to be checked with a scope... (maybe it is not working at the right frequency ...)

4) Could you test that the FTDI works as expected (thanks to check that the FTDI is using USB 2.0 HS, as if you use a USB 2.0 FS hub or something like that it will prevent the FTDI from working correctly, especially at 8.4 Mbauds...)? In hydratool v0.3.2.0 open a 2nd Terminal and connect to the FTDI interface (BaudRate: FTDI8.4M, Data bits: 8, Parity: None, Stop bits: 1, Flow control: None)

Launch PuTTY, connect to the HydraBus console and type the following commands:

```
> uart
Device: UART1
Speed: 9600 bps
Parity: none
Stop bits: 1
uart1> speed 8400k
Final speed: 8400000 bps(0.00% err)
uart1> show
Device: UART1
Speed: 8400000 bps
Parity: none
Stop bits: 1
uart1> "hello world 122222222222223333333333333344444444444"
WRITE: 0x68 0x65 0x6C 0x6C 0x6F 0x20 0x77 0x6F 0x72 0x6C 0x64 0x20 0x31 0x32 0x32 0x32 0x32 0x32 0x32 0x32 0x32 0x32 0x32 0x32 0x32 0x32 0x33 0x33 0x33 0x33 0x33 0x33 0x33 0x33 0x33 0x33 0x33 0x33 0x33 0x33 0x34 0x34 0x34 0x34 0x34 0x34 0x34 0x34 0x34 0x34 0x34
```

In hydratool you shall see the characters sent from HydraBus uart1: [screenshot]

Thanks to provide the output you have and confirm you receive the same characters. You can try to send a very long (like 100 chars) string multiple times to check everything works fine between HydraBus UART1 @8.4 Mbauds and the FTDI on the PC.

5) Could you provide me (on my email bvernoux@gmail.com) hi-definition photos (if possible with correct colors / white balancing...) of the top of the HydraNFC and the same for the HydraNFC antenna? We will continue by email as it seems you have something defective.

We can continue the tests on the IRC server chat.freenode.net, channel #hydrabus; my nickname is bvernoux.
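Step 4 of the procedure above (write a long string from uart1 at 8.4 Mbaud, read it on the FTDI side, confirm every byte arrived) automated in Python as an added example; this is editor's code, not HydraFW or hydratool code. It drives the HydraBus console over its USB serial port with the same `uart`, `speed 8400k` and quoted-string commands shown in the thread and reads the FTDI cable with pyserial. The port names, the 100-byte pattern and the repeat count are assumptions; `compare()` is pure Python and runs without any hardware.

```python
"""Loopback check for HydraBus UART1 -> FTDI high-speed cable at 8.4 Mbaud.

Added example, not HydraFW/hydratool code. Port names and pattern are assumptions.
"""
import time

HYDRABUS_PORT = "/dev/ttyACM0"   # assumption: HydraBus USB console (a COMx port on Windows)
FTDI_PORT = "/dev/ttyUSB0"       # assumption: FTDI cable wired to PA9 (TX) and GND
BAUD = 8_400_000                 # the speed set in the thread with "uart1> speed 8400k"


def make_pattern(length: int = 100) -> bytes:
    """Printable, period-62 pattern: a dropped or duplicated byte shifts the whole suffix,
    so it cannot be mistaken for a clean transfer the way a run of identical digits can."""
    alphabet = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    return bytes(alphabet[i % len(alphabet)] for i in range(length))


def compare(sent: bytes, received: bytes) -> dict:
    """Report how much of the stream survived: longest matching prefix, byte counts and
    how many 0x00 bytes came back (the thread's failing capture showed only 00 bytes)."""
    n = 0
    limit = min(len(sent), len(received))
    while n < limit and sent[n] == received[n]:
        n += 1
    ok = sent == received
    return {
        "ok": ok,
        "sent": len(sent),
        "received": len(received),
        "matched_prefix": n,
        "first_mismatch": None if ok else n,
        "zero_bytes": received.count(0),
    }


def run_test(repeats: int = 10, length: int = 100, timeout: float = 2.0) -> dict:
    """Needs hardware: puts HydraBus in uart mode at 8.4 Mbaud, writes the pattern
    `repeats` times and reads the FTDI side. At 10 bits per byte, 8.4 Mbaud moves
    840 kB/s, so a few kB should arrive well inside the read timeout."""
    import serial  # pyserial; imported here so the pure helpers work without it

    pattern = make_pattern(length)
    expected = pattern * repeats
    with serial.Serial(FTDI_PORT, BAUD, timeout=timeout) as ftdi, \
            serial.Serial(HYDRABUS_PORT, 115200, timeout=timeout) as hb:
        for cmd in (b"uart\r", b"speed 8400k\r"):
            hb.write(cmd)
            time.sleep(0.2)
            hb.read(hb.in_waiting)          # discard the console echo and prompt
        ftdi.reset_input_buffer()
        for _ in range(repeats):
            hb.write(b'"' + pattern + b'"\r')   # a quoted string at uart1> is a write
        got = ftdi.read(len(expected))
    return compare(expected, got)


if __name__ == "__main__":
    print(run_test())
```

Run it on a native USB 2.0 high-speed port as bvernoux recommends; a result whose `matched_prefix` stops short of `sent`, or whose `zero_bytes` is large, points at the FTDI path rather than at the HydraNFC, which is the conclusion the thread reaches.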

bvernoux commented 4 years ago

This issue is related to the FTDI interface when pushed to the limit @8.4 Mbauds.

So far there is no workaround when the FTDI does not work @8.4 Mbauds, as anyway it is not designed to go so fast.