Hi all,
I'm new to PM3, I bought one from xfpga and I'm discovering these days step by step how it works.
I'm trying the client side, but I'm so enthusiastic that I've planned to take a look at the sources and try to understand them, and hope to contribute.
BTW, by my side normal operations on mifare cards are OK, I read, write, test keys, etc.
Today I tried to launch a "hf mf mifare" in order to try to understand how it works.
When I launch that command, after about 8 seconds, my PM3 turns off, I can hear a relay "click", then all LEDs turn off; the terminal keeps running with its "......".
On the USB I still have the PM3 identified with vendor and product, so I discovered that it was rebooted and a new ttyACM was assigned to it (from /dev/ttyACM0 to /dev/ttyACM1), but the console still remains (or thinks it is) connected to the older ttyACM alias...
I tried to upgrade the firmware to the latest version and flash it, but that did not fix the problem.
I need to understand if I am doing something wrong, if the FW has some bug (i.e. during the compile procedure) or if it may be a hw problem.
Suggestions?
I use Linux Debian on a notebook (but with a Y cable with both connectors docked) and this is the hw version:
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 852 2014-04-24 23:50:30
#db# os: svn 852 2014-04-24 23:50:31
#db# FPGA image built on 2014/03/21 at 19:45:15
uC: AT91SAM7S256 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 256K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Thank you for helping me!
Last edited by MilkThief (2014-04-28 06:55:08)
Hi all,
update to the issue.
I downgraded my PM3 to an older version and the command "hf mf mifare" runs without reboot.
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 651 2014-04-24 23:36:02
#db# os: svn 651 2014-04-27 09:03:38
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
I tried at least 6 different firmwares and discovered that the issue happens with certain mifare keyfobs (with the latest firmware, too).
I tried back those keyfobs with libnfc on my ACR122 and I can access and attack them without problems.
Maybe a PM3 antenna problem?
WITH TAG:
# LF antenna: 0,00 V @ 125.00 kHz
# LF antenna: 0,00 V @ 134.00 kHz
# LF optimal: 0,00 V @ 12000,00 kHz
# HF antenna: 9,05 V @ 13.56 MHz
WITHOUT TAG:
# LF antenna: 0,13 V @ 125.00 kHz
# LF antenna: 0,00 V @ 134.00 kHz
# LF optimal: 0,00 V @ 12000,00 kHz
# HF antenna: 10,67 V @ 13.56 MHz
# Your LF antenna is unusable.
I tried to move the keyfob all around the antenna, bring it at 0,5 - 1 cm and change its angle from 0° to 90°; the best signal (lowest voltage) I can reach is parallel to the antenna, in contact and in a corner on the USB connector side.
But... the other operations are working good...
And a complete reboot (reset) would be excessive for a low rfid signal on the reader side...
(the keyfob is mine, I changed 2 keys and 2 blocks with the PM3, so I know perfectly the content I expect to obtain)
Does nobody here have an idea?
Thank you!
Last edited by MilkThief (2014-04-28 06:54:30)
So, to summarize (and see if I got it)..
With latest firmware, and also a few of the older ones (but not 651), you get hw reset on the device, when you 'hf mf mifare' certain tags.
I don't think it's antenna issues, it's something else, definitely. Don't know what, though...
thank you so much for your reply, holiman!
Yes, your summary is correct.
In the meanwhile I've found some issues with the lf operation, too. The "lf em4x em410xread" cannot produce any output on well working tags (i.e. the one I use everyday at the office building door)... No output with or without clock rate autodetection.
I don't know what else I can do to figure out the nature of the problem.
I suspect it is a hw problem, hope that the producer can help me, and hope he's available for a substitution...
Your EM41x issue:
Sometimes it has issues, you can normally jumpstart it with issuing 'lf read' and 'data samples 16000' first, then run 'lf em4x em410xread'
Last edited by midnitesnake (2014-04-27 22:32:02)
Thank you, midnitesnake!
proxmark3> lf read
#db# buffer samples: 7c 76 7b 7b 5e 45 30 1f ...
proxmark3> data samples 16000
Reading 16000 samples
Done!
proxmark3> lf em4x em410xread
Auto-detected clock rate: 6
proxmark3>
I still suspect is a hw problem...
proxmark3> lf read
#db# buffer samples: a9 a5 a2 3e 9d 9b 78 5c ...
proxmark3> data samples 16000
Reading 16000 samples
Done!
proxmark3> lf em4x em4x50read
No data found!
Try again with more samples.
proxmark3>
This PM3 does nothing in lf and half in hf... Maybe the multiplexer?
With data plot seems to plot noise...
Hi, thank you for the suggestion.
I'll try to find a digital oscilloscope for a day. :-)
Contacted the seller. He's Laser here.
We'll try a teamviewer session in order to check the pm3 functionalities.
Hope he'll understand it's a radio hardware fail...
The proxmark has a WatchDogTimer which needs to be triggered regularly - otherwise it will reset. The resetting therefore need not be a hardware issue - could be that the ARM code is in an infinite or at least very long loop without calling WDT_HIT() - the function which triggers the WatchDogTimer.
Hi,
thank you piwi for the details, what you say can explain the reset, but not the impossibility to read any lf tag (and this happens without reset).
I had a teamviewer session with the seller, he tested and watched at the screen.
He said in 3 seconds
I know what it is, it is a hardware problem, I met this problem before: the connection between arm and fpga and ADC chip. This may be caused by the shipment.
I will receive a totally free replacement and send back the broken board.
I'll keep you informed if I still have that "reset" problem once the "unreadable lf tag" problem is fixed.
Last edited by MilkThief (2014-04-29 18:16:12)
like piwi says there are a couple of tight loops in the capture routines that don't hit the watchdog, they can't be cancelled with the button either. If the fpga doesn't send data over the SSC it'll stick in that loop and the watchdog kicks in; if it consistently resets after a few seconds, it's the watchdog. I've added WDT_HIT and a check for the button in my local builds, but since i'm still in the make-it-all-work stage i haven't checked the impact on the capture.
most of the time it sends data (if the hardware is working), i've seen instances where it hasn't, but not sure why yet.
here's an example that doesn't hit the watchdog or allow the button to break out of the capture, but only happens if something is wrong.
https://github.com/Proxmark/proxmark3/b … 43.c#L1072
it'll get stuck in that for(;;)
unfortunately adding the wdt/breakout just bypasses the hard watchdog reset, it will help in those situations where it isn't reading data for some yet unknown reason (at least by me), but if there is a hardware issue it won't help.
i just add it because it kills my GUI connection when it hard resets.
Ah, so that's what WDT_HIT is.. I've been wondering.. What's the timeout for that?
Between 12 and 24 seconds (typically 16 seconds). This depends on the frequency of the ARM's internal "slow clock" RC oscillator which is specified to be between 22kHz and 42kHz (typically 32kHz).
I can't believe I have in my hands another broken PM3, the seller sent me another different broken PM3!
I am very angry...
Connected units:
1. SN: ChangeMe [001/003]
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait..
#db# Measuring complete, sending report back to host
# LF antenna: 2,82 V @ 125.00 kHz
# LF antenna: 2,82 V @ 134.00 kHz
# LF optimal: 2,82 V @ 46,88 kHz
# HF antenna: 0,13 V @ 13.56 MHz
# Your LF antenna is marginal.
# Your HF antenna is unusable.
proxmark3>
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait..
#db# Measuring complete, sending report back to host
# LF antenna: 0,00 V @ 125.00 kHz
# LF antenna: 0,00 V @ 134.00 kHz
# LF optimal: 0,00 V @ 12000,00 kHz
# HF antenna: 0,93 V @ 13.56 MHz
# Your LF antenna is unusable.
# Your HF antenna is unusable.
Then:
Connected units:
1. SN: ChangeMe [001/003]
proxmark3> lf em4x em410xwatch
read failed: could not detach kernel driver from interface 0: No data available(-19)!
Trying to reopen device...
Connected units:
1. SN: ChangeMe [001/004]
proxmark3>
Does anybody know where I can buy a proxmark? I'd like to avoid proxmark.com: too high prices and too high duties from the USA...
# Your LF antenna is unusable. # Your HF antenna is unusable.
It reports your antennas are unusable. Have you used that lf-antenna before, so you know that's not what's causing the problem?
I ordered my first from proxmark3.com, it was pricey but I've had no problems with it. I ordered a second via gaucho, but he had to spend a *lot* of time getting the hw to work properly.
# LF optimal: 0,00 V @ 12000,00 kHz
# HF antenna: 0,93 V @ 13.56 MHz
# Your LF antenna is unusable.
# Your HF antenna is unusable.
LF optimal at 12000 kHz (12 MHz) ???
EDIT: hm, maybe that's to be expected when the HF antenna is connected. But why try reading an lf tag with hf antenna? Or did I misunderstand what you did there?
Last edited by holiman (2014-05-08 13:56:50)
I have had a couple of proxmark3's from proxmark3.com, no problems either. What's your antenna setup look like? If you have a scope or DMM measure the lf antenna, see if it's shorted or something. An inductance or resistance read would help, scope better.
the problem with those tight loops is, if you slow the loop down too much when you are receiving data with very high speed it might miss a sample. A better solution could be to add a counter and break the loop when txready hasn't been up for a while and reset on txready. fastest should be counting down and check for var == 0, it could still be too much for special cases.
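The two firmware points raised above, the capture loop that spins on the SSC without ever calling WDT_HIT() and the countdown-based escape from it, can be shown in host-runnable C. The following is an added example written for this thread, not Proxmark3 firmware: the SSC status/receive registers, WDT_HIT() and the button are simulated stand-ins (names and behaviour are assumptions), and the FPGA is a small struct that either delivers constructed sample bytes or stalls, which models the dead ARM/FPGA/ADC link described earlier. It also computes the watchdog timeout from the slow-clock frequency, assuming the SAM7S arrangement of a 12-bit counter (4096 steps) clocked at SLCK/128, which reproduces the 12 to 24 s range quoted above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the firmware's hardware accessors (constructed for
 * this example): a simulated FPGA feeds the SSC status word and receive register. */
#define SSC_SR_RXRDY (1u << 0)

typedef struct {
    const uint8_t *data;  /* samples the simulated FPGA will deliver */
    size_t len;
    size_t pos;
    bool stalled;         /* true models a dead ARM<->FPGA/ADC connection */
} sim_fpga_t;

static uint32_t sim_ssc_sr(sim_fpga_t *f) {
    if (f->stalled || f->pos >= f->len) return 0;   /* RXRDY never comes up */
    return SSC_SR_RXRDY;
}
static uint8_t sim_ssc_rhr(sim_fpga_t *f) { return f->data[f->pos++]; }

static int wdt_hits;                                 /* how often the WDT was kicked */
static void WDT_HIT(void) { wdt_hits++; }            /* stand-in for the real kick */
static bool button_pressed(void) { return false; }   /* stand-in for BUTTON_PRESS() */

typedef enum { CAP_DONE, CAP_TIMEOUT, CAP_ABORTED } cap_result_t;

/* Capture `want` samples. Instead of for(;;) waiting on RXRDY forever, a
 * down-counter is reloaded on every ready sample and the loop bails out when it
 * reaches zero. The hot path (sample ready) costs one compare and a reload; the
 * watchdog kick and button poll sit only on the idle path, every 4096 idle spins,
 * so a fast sample stream is not slowed down. stall_limit must be > 0. */
static cap_result_t capture(sim_fpga_t *f, uint8_t *out, size_t want,
                            uint32_t stall_limit, size_t *got) {
    size_t n = 0;
    uint32_t countdown = stall_limit;
    while (n < want) {
        if (sim_ssc_sr(f) & SSC_SR_RXRDY) {
            out[n++] = sim_ssc_rhr(f);
            countdown = stall_limit;                  /* reset on ready */
            continue;
        }
        if (--countdown == 0) { *got = n; return CAP_TIMEOUT; }
        if ((countdown & 0xFFF) == 0) {               /* idle path only */
            WDT_HIT();
            if (button_pressed()) { *got = n; return CAP_ABORTED; }
        }
    }
    *got = n;
    return CAP_DONE;
}

/* Watchdog timeout for a SAM7S-style WDT (assumption: 12-bit counter, 4096 steps,
 * decremented at slow clock / 128). 32.768 kHz gives 16 s; the RC oscillator's
 * 22..42 kHz range gives roughly 23.8 s down to 12.5 s. */
static double wdt_timeout_s(uint32_t counter_steps, double slck_hz) {
    return (double)counter_steps * 128.0 / slck_hz;
}

/* Constructed sample bytes (the first values from the 'lf read' output above). */
static const uint8_t SAMPLES[] = {0x7c, 0x76, 0x7b, 0x7b, 0x5e, 0x45, 0x30, 0x1f};

/* Healthy link: returns the number of samples captured (8 on success). */
static size_t demo_healthy(void) {
    uint8_t buf[8]; size_t got = 0;
    sim_fpga_t f = { SAMPLES, sizeof SAMPLES, 0, false };
    return capture(&f, buf, 8, 1000, &got) == CAP_DONE ? got : 0;
}

/* Dead link: the loop must time out instead of waiting for the hardware watchdog. */
static cap_result_t demo_dead_link(size_t *got) {
    uint8_t buf[8];
    sim_fpga_t f = { SAMPLES, sizeof SAMPLES, 0, true };
    return capture(&f, buf, 8, 100000, got);
}

int main(void) {
    size_t got = 0;
    printf("healthy link: %zu samples\n", demo_healthy());
    printf("dead link: result %d after %zu samples, WDT kicked %d times\n",
           demo_dead_link(&got), got, wdt_hits);
    printf("WDT timeout: %.1f s @ 32.768 kHz, %.1f s @ 22 kHz, %.1f s @ 42 kHz\n",
           wdt_timeout_s(4096, 32768.0), wdt_timeout_s(4096, 22000.0),
           wdt_timeout_s(4096, 42000.0));
    return 0;
}
```

With a working link the loop returns all eight samples; with the stalled link it returns CAP_TIMEOUT in a bounded number of spins while still kicking the watchdog, which is the difference between a clean error message on the client and the hard reset that drops the ttyACM device.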
The board is broken. Another teamviewer with the producer revealed that.
I can't figure out how is it possible to have 2 unlucky experiences in both shippings...
some one told me :"he said "hf mf mifare" is never working......"
so i dont think is ur unlucky
No, the board is broken, the lf part is not working, too. You can see that in the "hw tune" result.
Test points are showing no voltage.
I think this is bad luck and wait for the 3rd shipping. The problem here is that every time I have to pay customs...
It is a stupid law: I receive a replacement and I have to pay again vat and duties!
You shouldn't have to pay if it is marked as a "replaced/repaired" item. I used to send ECUs I repaired or reflashed all over the world like this, no import duties.
charliex, your avatar is hard stimulating my curiosity... :-)
i just noticed this comment, there is a thread about in the "innovations" section of the forum
the problem with those tight loops is, if you slow the loop down too much when you are receiving data with very high speed it might miss a sample. A better solution could be to add a counter and break the loop when txready hasn't been up for a while and reset on txready. fastest should be counting down and check for var == 0, it could still be too much for special cases.
yep, some of the areas are time sensitive, i'm wondering if they're DMA-able instead. i know we struggled a lot getting the timing working on the STM32F1 capturing the 13.56 MHz at bit bang, at DMA SPI it went a lot better (til we realised the 125 kHz has a 24 MHz clocked capture).
i wish i could have slowed it down a few weeks ago, i ended up using the sam7512b temporarily while we figure out the F4, just ran out of time/man power. I think we can get the 24 MHz SPI going on the F4, since it's plenty fast enough, but it'd be easier to deal with if it was more like the 13.56 MHz capture speed. the SSC in the sam7 is pretty amazing.
Hello, I'm having the same issue; the "hf mf mifare" runs for 1h30 and suddenly the proxmark turns off; I have to abort with the keyboard afterwards.
Below is the execution result:
proxmark3> hf 14a read
ATQA : 04 00
UID : XX XX XX XX
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
................................................................................
................................................................................
[many more lines of progress dots]
..................................................
aborted via keyboard!
I have the latest build from SVN :
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 756 2013-07-13 08:11:47
#db# os: svn 852 2014-06-11 18:06:26
#db# FPGA image built on 2014/03/21 at 19:45:15
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
Any clue to progress on it? thanks
Well, I've just done the test with the latest Github compiled package (pm3-bin-0.0.2) for windows and I have exactly the same issue :
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 0 2014-03-30 07:16:36
#db# os: svn 0 2014-03-30 07:16:40
#db# FPGA image built on 2014/03/24 at 21:54:44
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average :-)
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..................................................................................................................................
..................................................................................................................................
[many more lines of progress dots]
....................................
hf mf mifare works fine with other tags.
Well, that is probably a non-vulnerable tag you have there, they fixed the prng in "plus". This thread is about the proxmark turning off in the middle of the operation. You at least seem to be able to run it for more than an hour? If it isn't cracked within a relatively short time, it probably won't crack.
So it works with other tags? ok, what kind of tag is it? It could be one of the new versions where they fixed the entropy in the prng and the current "hf mf mifare" doesn't crack that.
Try the "snoop -x", which Holiman added. Maybe you get lucky. and btw have you tried the "hf mf chk"? or the lua-script version of it?
Your assumption might be right; it might be a new tag. Is there a way to verify that?
Regarding snoop -x, I will test it and let you know.
Regarding the last point, I do not know how to use the lua script; where can I find documentation on it? And which specific lua script are you talking about?
Thanks for you support,
in general: search the forum, read holimans entries about it.
in short: in the pm3 client prompt, "script" is the command, which tells you more... "script list" shows which scripts exist. "script run nnnnnn" runs a script..
Many thanks Iceman !
I've tried the script "run mifare_autopwn.lua" but we are facing exactly the same issue.
I will have to try with snoop.
Question: I've searched the forum but found nothing related to "snoop -x" as you previously mentioned. What is this -x parameter for?
oh oh! script run mfkeys returns some interesting output!
Found a NXP MIFARE CLASSIC 1k | Plus 2k tag
...
________________________________________
|Sector|Block| A | B |
|--------------------------------------|
| 1 | 3 |A0A1A2A3A4A5|B0B1B2B3B4B5|
| 2 | 7 |A0A1A2A3A4A5||
| 3 | 11 |A0A1A2A3A4A5||
| 4 | 15 |A0A1A2A3A4A5||
| 5 | 19 |A0A1A2A3A4A5||
| 6 | 23 |A0A1A2A3A4A5||
| 7 | 27 |A0A1A2A3A4A5|B0B1B2B3B4B5|
| 8 | 31 |A0A1A2A3A4A5|B0B1B2B3B4B5|
| 9 | 35 |A0A1A2A3A4A5|B0B1B2B3B4B5|
| 10 | 39 |A0A1A2A3A4A5|B0B1B2B3B4B5|
| 11 | 43 |A0A1A2A3A4A5|B0B1B2B3B4B5|
| 12 | 47 |A0A1A2A3A4A5|B0B1B2B3B4B5|
| 13 | 51 |A0A1A2A3A4A5|B0B1B2B3B4B5|
| 14 | 55 |A0A1A2A3A4A5|B0B1B2B3B4B5|
| 15 | 59 |A0A1A2A3A4A5|B0B1B2B3B4B5|
| 16 | 63 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|--------------------------------------|
Question: if we do not have any B keys returned for SB 2-7, 3-11, and so on, does it mean that the tag does not have B keys for these Sector/Block or that the script was not able to find it?
In all the case, thanks a lot Iceman !
As far as I know there is always a B key.
You know at least one key "A0A1A2A3A4A5" which is a "common/known key". From here, it is easy to get the missing ones.
hf mf nested is not helpful; I think that I will have to snoop to keep progressing
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|001| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|002| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|003| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|004| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|005| a0a1a2a3a4a5 | 1 | 000000000000 | 0 |
|006| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|007| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|008| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|009| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|010| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|011| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|012| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|013| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|014| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|015| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|---|----------------|---|----------------|---|
Actually, since you have all A keys, which depends on the access rights, you should be able to dump the card with those keys.
I'm not sure what you want to achieve, since the original question was that your "hf mf mifare" command timed out and you got an answer to that. If you have a question, better start a new thread since this one is more or less finished.
I agree with you the initial question is closed now.
I will keep on trying to get the missing B keys for sectors 1-5 (these sectors are not accessible with Key A); if it fails, I will open a new thread.
Thanks again for your support.