Research, development and trades concerning the powerful Proxmark3 device.
Hi all,
I have recently purchased a new Proxmark3 RDV4 and after following all of the guidelines to upgrade it to the RRG / Iceman repo (which appears to have gone well), the LF_SAMYRUN standalone mode isn't, or doesn't appear to be, working via the button commands. I can run lf sim and it will read a card and simulate it fine. Have I missed something?
Below are the outputs:
HW STATUS
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............0
#db# Currently loaded FPGA image
#db# mode.................... LF image built for 2s30vq100 on 2019-07-31 at 15:57:16
#db# Flash memory
#db# Baudrate................24 MHz
#db# Init....................OK
#db# Memory size.............2 mbits / 256 kb
#db# Unique ID...............0xD567A882A7887325
#db# Smart card module (ISO 7816)
#db# version.................v3.11
#db# LF Sampling config
#db# [q] divisor.............95 ( 125 kHz )
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# LF T55XX config
#db# [r] [a] [b] [c] [d] [e] [f] [g]
#db# mode |start|write|write|write| read|write|write
#db# | gap | gap | 0 | 1 | gap | 2 | 3
#db# ---------------------------+-----+-----+-----+-----+-----+-----+------
#db# fixed bit length (default) | 29 | 17 | 15 | 47 | 15 | N/A | N/A |
#db# long leading reference | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
#db# leading zero | 31 | 20 | 18 | 40 | 15 | N/A | N/A |
#db# 1 of 4 coding reference | 29 | 17 | 15 | 31 | 15 | 47 | 63 |
#db#
#db# Transfer Speed
#db# Sending packets to client...
#db# Time elapsed............500ms
#db# Bytes transferred.......27648
#db# Transfer Speed PM3 -> Client = 55296 bytes/s
#db# Various
#db# DBGLEVEL................1
#db# ToSendMax...............-1
#db# ToSendBit...............0
#db# ToSend BUFFERSIZE.......2308
#db# Slow clock..............31924 Hz
#db# Installed StandAlone Mode
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
#db# Flash memory dictionary loaded
#db# Mifare..................857 keys
#db# T55x7...................109 keys
#db# iClass..................7 keys
HW VERSION
[ CLIENT ]
client: RRG/Iceman
compiled with GCC 9.2.1 20190821 OS:Linux ARCH:x86_64
[ PROXMARK RDV4 ]
external flash: present
smartcard reader: present
[ PROXMARK RDV4 Extras ]
FPC USART for BT add-on support: present
[ ARM ]
bootrom: RRG/Iceman/master/d3651cc0-dirty-unclean 2019-09-18 06:13:05
os: RRG/Iceman/master/d3651cc0-dirty-unclean 2019-09-18 06:13:30
compiled with GCC 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]
[ FPGA ]
LF image built for 2s30vq100 on 2019-07-31 at 15:57:16
HF image built for 2s30vq100 on 2018-09-03 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 271519 bytes (52%) Free: 252769 bytes (48%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
HW TUNE
[=] Measuring antenna characteristics, please wait...
..
[+] LF antenna: 31.02 V - 125.00 kHz
[+] LF antenna: 50.84 V - 134.00 kHz
[+] LF optimal: 61.75 V - 137.93 kHz
[+] LF antenna is OK
[+] HF antenna: 19.75 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134kHz, 95 is 125kHz.
Any help would be appreciated.
I have scrutinised the standalone section from your link above, I have spent days looking into this, but still have no idea why it isn't working.
Everything compiles OK, I have even changed the standalone mode, but the buttons are still the same! I would really appreciate some help here please.
When I long press the button all of the LEDs flash to enter standalone mode, then LED D stays lit for a split second; if I press again LED A stays lit, another press LED A flashes for a second or so then goes off. Nothing after that, all LEDs are off.
Last edited by DerbyDale (2019-09-18 20:14:11)
I just had a quick play and used the wiki and image (from a link on the wiki) as a guide.
Latest from the RRG repo.
It can be a little tricky as you need to work through all the button presses.
I have not confirmed things 100%, just had a play and could clone a HID 26 bit card.
I suggest you run the client and connect to the proxmark3, then while the client is connected press and hold to go into stand alone mode.
The client will display debug messages. This will help you know what stage you are at.
Sample debug messages
#db# Stand-alone mode, no computer necessary
#db# >> LF HID Read/Clone/Sim a.k.a SamyRun Started <<
#db# [=] start recording
#db# DEBUG: (preambleSearchEx) preamble found at 74
#db# DEBUG: (preambleSearchEx) preamble 2 found at 170
#db# TAG ID: xxxxxxxxxx (xxxxx) - Format Len: 26bit - FC: xx - Card: xxxxx
#db# HID fsk demod stopped
#db# [=] recorded 0 | xxxxxxxxxx
#db# [=] simulating 0 | xxxxxxxxxx
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, STT: 0, n: 4800
#db# [=] simulating done
#db# [=] cloning 0 | xxxxxxxxxx
#db# [=] cloned done
Hi,
Below is the result that I get... very baffling. The card used during this test can be simulated using LF SIM and works just fine at giving me swipe access.
#db# Stand-alone mode, no computer necessary
#db# >> LF HID Read/Clone/Sim a.k.a SamyRun Started <<
#db# [=] start recording
#db# HID fsk demod stopped
#db# [=] recorded 0 | 000000000
#db# [=] only got zeros, retry recording after click
#db# [=] start recording
#db# HID fsk demod stopped
#db# [=] recorded 0 | 000000000
#db# [=] only got zeros, retry recording after click
[usb] pm3 -->
The standalone output comes after a long button press, 'start recording' runs after a further short press, and finally a third short press produces 'only got zeros, retry recording after click' (this is all with the card resting on the Proxmark).
None of the above is automated, it all required button presses!
Could it be a faulty device?
Last edited by DerbyDale (2019-09-19 08:41:50)
Not sure what's going on.
What I did (with the debug) was:
1. With no card on the proxmark... long press, released when the LEDs start to "scan" (all LEDs scan on/off). The debug shows
#db# Stand-alone mode, no computer necessary
#db# >> LF HID Read/Clone/Sim a.k.a SamyRun Started <<
2. With no card on the proxmark - press and hold until LED A is on
#db# [=] start recording
3. Move the original card over the reader
The Proxmark reads the card and displays the output (all LEDs go off)
#db# DEBUG: (preambleSearchEx) preamble found at 38
#db# DEBUG: (preambleSearchEx) preamble 2 found at 134
#db# TAG ID: xxxxxxxxxx (xxxxx) - Format Len: 26bit - FC: xx - Card: xxxxx
#db# HID fsk demod stopped
#db# [=] recorded 0 | xxxxxxxxxx
... then the sim and clone bits (clone needs the "blank" card on the PM3 prior to cloning).
I also tested the above with the card on the reader the whole time and it seemed to work as well.
Thanks for the reply.
Below is the full output using lf search, this is the original card.
[usb] pm3 --> lf search
[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[+] EM410x pattern found
EM TAG ID : 5F00267990
Possible de-scramble patterns
Unique TAG ID : FA00649E09
HoneyWell IdentKey {
DEZ 8 : 02521488
DEZ 10 : 0002521488
DEZ 5.5 : 00038.31120
DEZ 3.5A : 095.31120
DEZ 3.5B : 000.31120
DEZ 3.5C : 038.31120
DEZ 14/IK2 : 00408024414608
DEZ 15/IK3 : 001073748418057
DEZ 20/ZK : 15100000060409140009
}
Other : 31120_038_02521488
Pattern Paxton : 1597683600 [0x5F3AB790]
Pattern 1 : 1691723 [0x19D04B]
Pattern Sebury : 31120 38 2521488 [0x7990 0x26 0x267990]
[+] Valid EM410x ID found!
OK, that tag is showing as an EM410x tag.
SamyRun is for HID cards.
From the debug output
#db# >> LF HID Read/Clone/Sim a.k.a SamyRun Started <<
As per the link from iceman
LF_SAMYRUN (def) HID26 read/clone/sim Samy Kamkar
If you have some t55xx cards you could try this.
Create a 26 bit hid card
lf hid clone 20041accab
Confirm it was created ok
lf search
Then try the standalone samyrun again with that card as the source card.
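As an added example (not code from the Proxmark3 project or from anyone in this thread), the following Python encodes and decodes the 10-hex-digit 26-bit HID ID that `lf hid clone` takes, so you can build a known-good test card and check what a given ID contains; the bit layout is my reading of the IDs quoted above and is an assumption. It refuses the EM410x ID 5F00267990 that `lf search` returned for the original card, and decoding 20041accab gives FC 13 and card number 26197 while flagging its even-parity bit as inconsistent, which is worth knowing before relying on that value with a reader that enforces parity.

```python
# Added example (not from the Proxmark3 project): encode/decode the 26-bit HID
# Prox format in the 10-hex-digit form used by `lf hid clone`, e.g. 20041accab.
# Layout assumed here (matches the IDs quoted in the thread): top byte 0x20 and
# bit 26 set as a length marker, then the 26-bit Wiegand frame in bits 25..0:
#   bit 25:     even parity over bits 25..13
#   bits 24..17: facility code (8 bits)
#   bits 16..1:  card number (16 bits)
#   bit 0:      odd parity over bits 12..0

HID26_PREFIX = (0x20 << 32) | (1 << 26)


def _popcount(v: int) -> int:
    return bin(v).count("1")


def encode_hid26(fc: int, cn: int) -> str:
    """Return the 10-hex-digit Proxmark ID for a 26-bit HID card."""
    if not (0 <= fc <= 0xFF and 0 <= cn <= 0xFFFF):
        raise ValueError("FC must fit in 8 bits and CN in 16 bits")
    data = (fc << 17) | (cn << 1)                    # bits 24..1
    even = _popcount(data >> 13) & 1                 # make bits 25..13 even
    odd = 1 - (_popcount((data >> 1) & 0xFFF) & 1)   # make bits 12..0 odd
    frame = (even << 25) | data | odd
    return f"{HID26_PREFIX | frame:010x}"


def decode_hid26(hexid: str) -> dict:
    """Split a Proxmark HID ID into FC/CN and verify both parity bits."""
    raw = int(hexid, 16)
    # Anything without the 0x2004xxxxxx prefix (e.g. an EM410x ID) is rejected.
    if raw >> 26 != HID26_PREFIX >> 26:
        raise ValueError("not a 26-bit HID ID in Proxmark 0x2004xxxxxx form")
    frame = raw & 0x3FFFFFF
    return {
        "fc": (frame >> 17) & 0xFF,
        "cn": (frame >> 1) & 0xFFFF,
        "even_parity_ok": _popcount(frame >> 13) % 2 == 0,
        "odd_parity_ok": _popcount(frame & 0x1FFF) % 2 == 1,
    }


if __name__ == "__main__":
    # 20041accab is the ID suggested in the reply; 118/1603 is a constructed pair.
    for hid in ("20041accab", encode_hid26(118, 1603)):
        print(hid, decode_hid26(hid))
```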