Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2009-07-22 04:16:22

rleroy
Contributor
From: Between a REQB and a ATQB
Registered: 2009-03-04
Posts: 61

Need help retrieving the visual signal (waveforms) of a communication

Hi everybody,

I have some trouble communicating with an ISO14443 type B reader using a customized simulate function in my PM3. I actually suspect that the reader is using a modified version of the ISO14443 type B protocol and is probably not compatible with the ISO14443 type B protocol stack inside the PM3's firmware. I suspect that some parts of the protocols ISO14443-3/ISO14443-4 are treated differently. Indeed, I know the reader is replying something, but I don't know what, and the PM3 does not understand it.

Now I want to get my hands dirty and start understanding the waveforms and understand why the PM3 can't parse the signal.

How would you proceed to do such a task?

Many thanks for your help guys!

#2 2009-07-22 08:18:42

samy
Contributor
From: los angeles, california
Registered: 2009-06-18
Posts: 148

Re: Need help retrieving the visual signal (waveforms) of a communication

Hey rleroy,

Is the reader communicating to it properly and actually talking the protocol that the card understands and vice versa?

If so, what type of card and reader are they? Are there any software implementations or documentation available?

#3 2009-07-23 22:09:11

rleroy
Contributor
From: Between a REQB and a ATQB
Registered: 2009-03-04
Posts: 61

Re: Need help retrieving the visual signal (waveforms) of a communication

Hi Samy,

Yes, the reader is communicating with my PM3 correctly. Basically, I can do all the initialization/anti-collision dialogue, but after that, nothing!

What I'm wondering is, if I am unable to demodulate/decode the protocol, is there a special command inside the PM3 that can help me get the visual signal?

The SOF might be different, and maybe that's why I can not decode the signal ...

#4 2009-07-23 22:15:23

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Need help retrieving the visual signal (waveforms) of a communication

A little while ago I was able to make a beautiful ISO14443-B trace. No frames were lost, the complete transaction was there.
Are you sure you are not trying to demodulate the slightly different B' protocol? Check out this post for more info.

#5 2009-07-23 22:31:31

rleroy
Contributor
From: Between a REQB and a ATQB
Registered: 2009-03-04
Posts: 61

Re: Need help retrieving the visual signal (waveforms) of a communication

Hi Roel,

You are right. It's probably the ISO14443 Type B' (Innovatron) protocol.

My card is compatible with both protocols, Type B and type B'. When I read my card using my legitimate reader, I can sniff the totality of the transaction, without any problems, because it uses Type B.

When I sniff the communication, or try to communicate to the reader which is not mine, I don't have success! I highly suspect that the reader which is not mine is communicating with my card using type B'.

That's why I want to dig further, and learn what are the differences between both protocols. I am also willing to reverse engineer the waves, and code the missing Type B' part ...

:)

Last edited by rleroy (2009-07-23 22:32:52)

#6 2009-07-24 13:19:21

rleroy
Contributor
From: Between a REQB and a ATQB
Registered: 2009-03-04
Posts: 61

Re: Need help retrieving the visual signal (waveforms) of a communication

I have another question here, I'm really confused :)

ISO 14443 Type B, PCD to PICC communication is 10% ASK modulation, NRZ encoded.
ISO 14443 Type B, PICC to PCD communication is BPSK modulation of an 847.5mhz subcarrier, NRZ-L encoded.

If I issue the following commands:

hi14read
hisamples
plot

Why do I receive graphics such as these ones?

[three plot screenshots attached to the original post, not reproduced here]

This is supposed to be PICC to PCD communication, but I don't see any BPSK modulation and no phase shifts. I might recognize some type of SOF and EOF, but I'm not even sure it's that...

Do you guys have any ideas/pointers about these results?

Thanks!

#7 2009-07-24 17:22:47

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Need help retrieving the visual signal (waveforms) of a communication

I do not know much about ISO14443-B modulation, I have to dive into that one before I can give you some sensible answers.
But what I do know is that cards that support B' most likely will not support ISO14443-B as well. They are just "slightly" altered to avoid compatibility and keep it proprietary. Of course, that is one of the most clueless things to do (concerning security, I mean; it's only obscurity).

Did you test varying your antenna and its position? An embedded reader (on a gateway or access door) often has a different configuration. It often has a larger field, but I also noticed less punctual modulation precision. According to the ISO documents the modulation could vary a little, but I do not know if the FPGA takes all this for granted.

Well anyway, of course a B + B' card could still be the case; then we could finally start the B' reversing, which would be very interesting. But before diving into this we may want to sort out what we are dealing with. Do you have a scope at hand to make some (wave) measurements on the genuine gate?

#8 2009-07-27 17:14:01

edo512
Contributor
Registered: 2008-10-07
Posts: 103

Re: Need help retrieving the visual signal (waveforms) of a communication

rleroy wrote:

I have another question here, I'm really confused :)

If I issue the following commands:

hi14read
hisamples
plot

Why do I receive graphics such as these ones?

Do you guys have any ideas/pointers about these results?

Thanks!

It is normal you are getting these results: unless I am mistaken, all the "B" read commands actually demodulate in the Proxmark3 so downloading and plotting the raw buffer is meaningless, you have to use the "hexsamples" command which prints out the contents of the buffer as hex values.

AFAIK, there are no "raw acquisition" commands in the PM3 to plot an HF dialog between a card and a reader. I doubt there is enough memory on the PM3 to do this, but please someone tell me I'm wrong! :)

Ed

#9 2009-07-28 03:58:34

rleroy
Contributor
From: Between a REQB and a ATQB
Registered: 2009-03-04
Posts: 61

Re: Need help retrieving the visual signal (waveforms) of a communication

roel: I have played a little bit with the antenna position, and I have searched, using the detectreader function, for where the field is at its strongest, but I always get bad results... If you look at http://www.oberthurcs.com/getpage.aspx?id=196, you will see that the platonIC follows the B and Innovatron standards, so my assumption that the card follows both protocols comes from that page. No scope at all, but since I'm planning on being more serious about this, I think it will be mandatory to get a spectrum analyzer one day, but my budget is quite tight :) ...

edo512: I have come to the same conclusion as you :) ... After reviewing the code a bit, I noticed that it was not possible to get a raw reading from the antenna, because the function hi14read eventually calls AcquireRawAdcSamplesIso14443, which calls the GetSamplesFor14443Demod function that does all the decoding... Concerning the amount of memory inside the Atmel chip, you are very right about it; you bring up a very interesting point concerning the memory limitations. But I think that the Atmel has enough memory to store a lot of information, since GetSamplesFor14443Demod() is only called once inside the hi14read function and does all the decoding on a single buffer... So in the days to come I will try to skip the decoding function and just dump the buffer... I think it was coded that way because it was more user friendly to just use hexsamples to dump the decoded content... Anyway, a lot of work to do in the days to come :) So to end the question, there is no sense in trying to understand the waveform, because it is already decoded!

Nice input guys, I really appreciate it :)
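
To make the point raised in post #6 and answered in posts #8 and #9 concrete, here is an added simulation of the ISO 14443-B PICC-to-PCD link. It is my example code, not Proxmark3 firmware and not anything posted in this thread. It builds a Type B frame, BPSK-modulates it onto the fc/16 subcarrier (fc = 13.56 MHz, so 847.5 kHz) with NRZ-L coding, then demodulates and parses it back to bytes. The raw sample vector is what a scope or a genuine raw acquisition would show: a 180-degree phase reversal of the subcarrier at every logic-level change. The parsed bytes are the kind of content that GetSamplesFor14443Demod leaves in the buffer and hexsamples prints, which is why plotting that buffer shows neither a subcarrier nor phase shifts. Assumptions that are mine rather than the standard's or the thread's: an ideal noise-free channel, no TR0/TR1 guard time before SOF, 16 samples per subcarrier period (not the Proxmark3's real sampling rate), a 10-etu SOF low part and 10-etu EOF, no CRC_B, and a constructed payload.

```python
"""Added example, not Proxmark3 firmware code: simulate the ISO 14443-B
PICC->PCD link to show raw BPSK subcarrier samples versus the demodulated
byte buffer. Assumptions (mine): ideal channel, no TR0/TR1 guard time,
16 samples per subcarrier period, SOF = 10 etu low + 2 etu high,
EOF = 10 etu low, no CRC_B, constructed payload."""
import math

SAMPLES_PER_SC = 16            # samples per subcarrier period (fc/16 = 847.5 kHz)
SC_PER_ETU = 8                 # 1 etu = 128/fc = 8 subcarrier periods
SAMPLES_PER_ETU = SAMPLES_PER_SC * SC_PER_ETU


def frame_bits(payload: bytes) -> list:
    """Type B frame as a list of per-etu logic levels: SOF, characters, EOF."""
    bits = [0] * 10 + [1] * 2                     # SOF: 10 etu '0', 2 etu '1'
    for b in payload:
        bits.append(0)                            # start bit
        bits += [(b >> i) & 1 for i in range(8)]  # 8 data bits, LSB first
        bits.append(1)                            # stop bit
    return bits + [0] * 10                        # EOF: 10 etu '0'


def bpsk_modulate(bits: list) -> list:
    """NRZ-L BPSK: logic 1 -> phase 0, logic 0 -> phase pi, so every level
    change shows up as a 180-degree reversal of the subcarrier."""
    samples = []
    for level in bits:
        phase = 0.0 if level else math.pi
        for n in range(SAMPLES_PER_ETU):
            samples.append(math.cos(2 * math.pi * n / SAMPLES_PER_SC + phase))
    return samples


def _period_signs(samples: list) -> list:
    """Coherent correlation of each subcarrier period against the reference phase."""
    signs = []
    for p in range(len(samples) // SAMPLES_PER_SC):
        chunk = samples[p * SAMPLES_PER_SC:(p + 1) * SAMPLES_PER_SC]
        corr = sum(s * math.cos(2 * math.pi * n / SAMPLES_PER_SC) for n, s in enumerate(chunk))
        signs.append(1 if corr > 0 else -1)
    return signs


def count_phase_reversals(samples: list) -> int:
    """How many times the subcarrier phase flips between consecutive periods."""
    signs = _period_signs(samples)
    return sum(1 for a, b in zip(signs, signs[1:]) if a != b)


def bpsk_demodulate(samples: list) -> list:
    """Recover per-etu logic levels by majority vote over the 8 periods of each etu."""
    signs = _period_signs(samples)
    return [1 if sum(signs[e * SC_PER_ETU:(e + 1) * SC_PER_ETU]) > 0 else 0
            for e in range(len(signs) // SC_PER_ETU)]


def parse_frame(bits: list) -> bytes:
    """Strip SOF, decode 10-bit characters (start 0, 8 data LSB first, stop 1), stop at EOF."""
    i = 0
    while i < len(bits) and bits[i] == 0:
        i += 1
    if i < 10:
        raise ValueError("SOF low part shorter than 10 etu")
    ones = 0
    while i < len(bits) and bits[i] == 1:         # SOF high part, 2 to 3 etu
        i += 1
        ones += 1
    if not 2 <= ones <= 3:
        raise ValueError("SOF high part is %d etu, expected 2-3" % ones)
    out = bytearray()
    while True:
        if i + 10 > len(bits):
            raise ValueError("frame truncated before EOF")
        char = bits[i:i + 10]
        if char == [0] * 10:                      # EOF: 10 etu of '0'
            return bytes(out)
        if char[0] != 0 or char[9] != 1:
            raise ValueError("bad start/stop bit at etu %d" % i)
        out.append(sum(char[1 + k] << k for k in range(8)))
        i += 10


def round_trip(payload: bytes) -> tuple:
    """Return (decoded bytes, phase reversals seen in the raw samples, raw sample count)."""
    raw = bpsk_modulate(frame_bits(payload))
    return parse_frame(bpsk_demodulate(raw)), count_phase_reversals(raw), len(raw)


if __name__ == "__main__":
    # Constructed payload; not a capture from any real card or reader.
    decoded, flips, n = round_trip(bytes.fromhex("50aabbccdd"))
    print("raw samples: %d, phase reversals: %d, decoded bytes: %s" % (n, flips, decoded.hex()))
```

The raw list has thousands of samples with a phase flip at each level change; the decoded result is five bytes with no waveform left in it. If you want to see the subcarrier on the Proxmark3, the capture has to stop before the step that parse_frame models here, which is what skipping GetSamplesFor14443Demod and dumping the buffer would amount to.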

#10 2009-07-28 07:04:12

edo512
Contributor
Registered: 2008-10-07
Posts: 103

Re: Need help retrieving the visual signal (waveforms) of a communication

rleroy: are your cards transport cards (I suppose so?), and do they have a contact interface too? In that case, you might be interested to use my online tool to read the contents of the cards, depending on where you live in the world, you should be able to get quite a lot of info. Check out my website at https://www.lafargue.name/, in the "Smart Tools" section, the "ATR Tool".

#11 2009-07-28 12:32:53

rleroy
Contributor
From: Between a REQB and a ATQB
Registered: 2009-03-04
Posts: 61

Re: Need help retrieving the visual signal (waveforms) of a communication

Hi edo512,

Indeed, my card is a transport card. The card does have a contact interface, but I was never able to communicate with it properly. It looks like the contact interface does not follow the ISO 7816-2 standard. But I can properly communicate with my cards on the CL interface, without problems!

I already tried your tool a couple of months ago, but I was not able to communicate with the CL interface properly, and I didn't dig further... Maybe because your tool works through the contact-based interface, and I tried with the CL interface? What are you able to do with your software? Parse the ATR? Parse the contracts, environment, log files?

Interesting :)
