Research, development and trades concerning the powerful Proxmark3 device.
Does anyone know what sideband the PM3 transmits on when doing 14443A card emulation? 12.7 MHz or 14.4 MHz?
If I understand the HW correctly the '244 drivers modulate the input square wave by toggling the PWR_OE signals. So a square wave comes in and by turning on/off the '244 drivers, the OOK modulation is added to the signal and sent to the antenna. So does the FPGA generate a 12.7 MHz or 14.4 MHz signal? Or am I missing something and the card emulation response is done totally differently?
Any help is greatly appreciated. I am in the process of trying to measure the input square wave, but this is easier said than done... especially since it seems like the code only wants to transmit a card response after a reader command is received.
OK- so I think I am a LITTLE clearer now... but still confused.
It looks like the 'hi14asim' function actually modulates the response message onto an 847.5 kHz carrier in the FPGA, then routes this signal out to PWR_OE4. Then, this is 'mixed' with the 13.56 MHz field through the '244 drivers.
Does PWR_HI actually output a 13.56 MHz waveform during this mode? Or is the mixing accomplished only by turning on/off the '244 drivers in the presence of the reader field? This last point is what I cannot quite figure out. From measurements, it doesn't look like the PM3 sends anything out of PWR_HI during 'hi14asim'.
Help from anyone who has investigated the HW and physical layer before would be greatly appreciated.
Thanks!
In the hi14asim mode the Proxmark 3 will emulate a card.
As is usual in passive RFID, the tag produces no carrier but gets powered by the field of a reader. The answers of the tag are then modulated in the 847.5 kHz subcarriers. In the case of ISO14443-A, by Manchester encoding.
A card itself produces no carrier. So that's why the Proxmark also does not output on PWR_HI in this emulation mode.
Yes, indeed by turning on/off the signal on PWR_OE4 the answer is modulated into the field.
I wrote the FPGA modulation for ISO14443-A but do know very little about the hardware. So, I hope this is clear to you. (I do for example not know what you mean by '244, but I guess it has something to do with PWR_OE4?)
Furthermore, the only mode where the Proxmark 3 generates 13.56 MHz itself is when it acts like a reader. Also, in eavesdropping mode the device does not power PWR_HI. You can find the possible modes in armsrc/apps.h
Regards,
Gerhard
I wrote the FPGA modulation for ISO14443-A but do know very little about the hardware. So, I hope this is clear to you. (I do for example not know what you mean by '244, but I guess it has something to do with PWR_OE4?)
Gerhard,
Thanks for clearing that up. By '244 I just meant the HEX drivers that follow the FPGA to amplify the signal to the antenna.
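
The load modulation discussed in this thread, as an added example that is not part of the original posts or of the Proxmark3 code base: it gates an fc/16 subcarrier with Manchester-coded bits, applies that switching to a 13.56 MHz reader field, and measures the power at the carrier and at both sidebands. The function names, the amplitude-only load model, the 20% modulation depth, the sample rate and the sample bits are assumptions made for the illustration.

```python
import math

FC = 13.56e6   # reader carrier (Hz)
FS = FC / 16   # 847.5 kHz subcarrier
SPC = 8        # samples per carrier cycle (simulation choice, assumption)
RATE = FC * SPC

def sidebands():
    """Frequencies where the switched subcarrier appears around the carrier."""
    return FC - FS, FC + FS

def load_switch(bits):
    """Per-sample on/off state of the load switch for Manchester-coded bits.

    One bit lasts 128 carrier cycles (106 kbit/s): a 1 carries the subcarrier
    in the first half of the bit, a 0 carries it in the second half.
    """
    out = []
    for b in bits:
        for half in (0, 1):
            active = (half == 0) if b else (half == 1)
            for n in range(64 * SPC):
                sub = (n // (8 * SPC)) % 2 == 0   # fc/16 square wave
                out.append(1 if active and sub else 0)
    return out

def field(bits, depth=0.2, modulate=True):
    """Reader field at the antenna; a closed load switch lowers it by `depth`."""
    sw = load_switch(bits)
    return [(1 - depth * s * modulate) * math.sin(2 * math.pi * n / SPC)
            for n, s in enumerate(sw)]

def power_at(sig, freq):
    """Normalised single-bin DFT power of `sig` at `freq`."""
    w = 2 * math.pi * freq / RATE
    re = sum(x * math.cos(w * n) for n, x in enumerate(sig))
    im = sum(x * math.sin(w * n) for n, x in enumerate(sig))
    return (re * re + im * im) / len(sig) ** 2

if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed sample answer bits
    sig = field(bits)
    lo, hi = sidebands()
    for f in (lo, FC, hi):
        print(f"{f / 1e6:8.4f} MHz  power={power_at(sig, f):.3e}")
```

In this model the switched subcarrier puts energy at both 12.7125 MHz and 14.4075 MHz, and neither sideband exists when the switch is left idle.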