Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi buddies,
I am trying to sniff an exchange between a MiFare Card (a badge) and its reader.
It's RFID so I use the HF antenna with the proxmark3.
After I type "hf mf sniff" in the proxmark3 command line, it detects absolutely nothing...
I think it's not a distance problem because I put the HF antenna between the reader and the badge.
I know that the exchange between the badge and the reader happens because the reader's LED becomes red (bad badge for this door).
I know that the antenna is OK because I can read the badge easily with the command "hf mf dump".
Can somebody help me please?
Thanks a lot
looking forward to your reply,
Poly.
Hi,
First thank you for your interest,
I'm working with Poly, and here is the version we're using:
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 486-unclean 2011-08-28 18:52:03
#db# os: svn 651-suspect 2013-01-25 15:52:19
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
Looking forward,
Sboudjem.
Finally we found how to listen to a communication using the "hf 14a snoop" and "hf 14a list" commands.
We obtained these results:
recorded activity:
ETU :rssi: who bytes
---------+----+----+-----------
+ 0: 0: TAG 02
+ 152797: 0: TAG 00!
+ 289126: 0: TAG 02
+ 147123: 0: TAG 01
+ 147462: 0: TAG 05!
+ 147290: 0: TAG 02
+ 441954: 0: TAG 02
+ 441954: 0: TAG 02
+ 531882: 0: TAG 04 00
+ 746: 0: TAG 4e 46 7e 16 60
+ 2048: 0: TAG 08 b6 dd
+ 120402: 0: TAG 02
+ 21846: 0: TAG 04 00
+ 744: 0: TAG 4e 46 7e 16 60
+ 2052: 0: TAG 08 b6 dd
+ 142234: 0: TAG 04 00
+ 746: 0: TAG 4e 46 7e 16 60
+ 2048: 0: TAG 08 b6 dd
+ 142220: : 26
+ 4752: : 26
+ 142579: : 26
+ 4751: : 26
+ 142578: : 26
+ 4750: : 26
+ 142576: : 26
+ 4752: : 26
+ 142579: : 26
+ 4751: : 26
Does someone know how to interpret it?
Following the official ISO 14443-3A scheme:
ATQA+UID+SAK = 0004 4e467e16 08: it probably is a Mifare 1K card with UID = 4e467e16.
Last edited by asper (2013-11-26 17:04:17)
Ok,
btw I have some questions, please tell me if you know the answer, I'll be glad:
1/ What is ETU?
2/ I know that rssi is the intensity of the signal, but why is it 0? Does it mean that the signal is very very weak?
3/ What does
+ 152797: 0: TAG 00!
+ 289126: 0: TAG 02
+ 147123: 0: TAG 01
+ 147462: 0: TAG 05!
+ 147290: 0: TAG 02
+ 441954: 0: TAG 02
+ 441954: 0: TAG 02
mean? Is it a bad exchange? A noisy exchange?
4/ Do you know how to simulate this recorded exchange with the proxmark?
Thanks a lot
1) An elementary time unit (ETU) is the nominal bit duration used in the character frame.
2) Dunno.
3) Probably non-meaningful bad exchanges (need a dev confirmation).
4) You cannot simulate a transaction; you can emulate a tag or a reader, not both at the same time. Using the bytes above you can make pm3 act as a Mifare card with that UID; if you need to know how to emulate or how to act as a reader, have a look at the pm3 documentation pages (for example here).
Last edited by asper (2013-11-26 19:26:08)
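To make asper's reading of the trace (ATQA + UID + SAK = 0004 4e467e16 08, hence a Mifare 1K with UID 4e467e16) and the ETU answer concrete, here is an added example; it is not code from this thread or from the Proxmark3 project. It parses the old-style "hf 14a list" output quoted above (an excerpt is embedded as constructed sample input), locates the ISO 14443-3A anticollision answers, checks the UID's BCC byte and the CRC_A that trails the SAK, maps the SAK to a card family using the values NXP documents, counts the '!'-flagged frames and the reader's REQA/WUPA polls, and converts ETU to microseconds using the ISO nominal value (128 carrier periods). The Frame/Selection names and the "RDR" label for lines with an empty 'who' column are this example's own assumptions.

```python
# Added example (not code from the thread or the Proxmark3 project): parse the old-style
# "hf 14a list" output quoted above and check the ISO 14443-3A anticollision it contains.
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: an excerpt of the trace posted in this thread.
SAMPLE_TRACE = """\
ETU :rssi: who bytes
---------+----+----+-----------
+ 0: 0: TAG 02
+ 152797: 0: TAG 00!
+ 147462: 0: TAG 05!
+ 531882: 0: TAG 04 00
+ 746: 0: TAG 4e 46 7e 16 60
+ 2048: 0: TAG 08 b6 dd
+ 142220: : 26
+ 4752: : 26
+ 142579: : 26
"""
FC_HZ = 13.56e6  # ISO 14443 carrier frequency

def etu_to_us(etu: float) -> float:
    """1 ETU = 128 carrier periods (about 9.44 us at 106 kbit/s), per ISO 14443-3."""
    return etu * 128 / FC_HZ * 1e6

@dataclass
class Frame:
    delta_etu: int  # time since the previous frame, as printed in the ETU column
    who: str        # "TAG", or "RDR" for lines whose 'who' column is empty (assumed reader side)
    data: bytes
    flagged: bool   # the firmware appended '!' to a byte (parity/framing problem)

def parse_trace(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("+"):
            continue  # header and separator lines
        parts = line.split(":", 2)  # "+ 746: 0: TAG 4e ..." -> delta, rssi, who+bytes
        if len(parts) != 3:
            continue
        delta = int(parts[0].lstrip("+").strip())
        tokens = parts[2].split()
        who, hexbytes = ("TAG", tokens[1:]) if tokens[:1] == ["TAG"] else ("RDR", tokens)
        data = bytes(int(t.rstrip("!"), 16) for t in hexbytes)
        frames.append(Frame(delta, who, data, any(t.endswith("!") for t in hexbytes)))
    return frames

def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (CRC-16/CCITT reflected, init 0x6363), LSB first as sent on air."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

# SAK values documented by NXP for the common families (exact match only).
SAK_TYPES = {0x08: "MIFARE Classic 1K", 0x18: "MIFARE Classic 4K",
             0x00: "MIFARE Ultralight / NTAG", 0x20: "ISO 14443-4 compliant"}
REQA, WUPA = b"\x26", b"\x52"

@dataclass
class Selection:
    atqa: bytes
    uid: bytes
    bcc_ok: bool      # BCC equals the XOR of the four UID bytes
    sak: int
    sak_crc_ok: bool  # CRC_A trailing the SAK verifies
    card_type: str

def find_selection(frames: List[Frame]) -> Optional[Selection]:
    """Locate the ATQA (2 B), UID+BCC (5 B) and SAK+CRC_A (3 B) answers of a single-size-UID select."""
    tag = [f for f in frames if f.who == "TAG"]
    for a, u, s in zip(tag, tag[1:], tag[2:]):
        if (len(a.data), len(u.data), len(s.data)) != (2, 5, 3):
            continue
        uid, bcc, sak = u.data[:4], u.data[4], s.data[0]
        return Selection(atqa=a.data, uid=uid,
                         bcc_ok=(bcc == (uid[0] ^ uid[1] ^ uid[2] ^ uid[3])),
                         sak=sak, sak_crc_ok=(crc_a(bytes([sak])) == s.data[1:]),
                         card_type=SAK_TYPES.get(sak, f"unknown (SAK 0x{sak:02x})"))
    return None

def reader_polls(frames: List[Frame]) -> int:
    """Count REQA/WUPA frames: the reader polling its field between transactions."""
    return sum(1 for f in frames if f.who == "RDR" and f.data in (REQA, WUPA))

if __name__ == "__main__":
    frames = parse_trace(SAMPLE_TRACE)
    print(f"{sum(f.flagged for f in frames)} flagged frames, {reader_polls(frames)} reader polls")
    print(find_selection(frames))
```

Run as-is, it reports the two '!'-flagged single-byte frames, the three REQA polls, and a Selection with UID 4e467e16 whose BCC (0x60) and SAK CRC (b6 dd) both verify, which is what makes asper's identification of a Mifare Classic 1K trustworthy rather than a guess. The short 1-byte TAG lines that precede the ATQA carry no valid CRC or BCC, consistent with asper's reading of them as non-meaningful captures.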
Thanks a lot for all your information.
I want to increase the distance of the proxmark when I'm snooping an exchange between a Mifare card and a reader.
How can I do that?
Is it enough to raise the power supply of the card by using a battery? But what is the maximum voltage? Or maybe there are other solutions?
Thanks for your help