Proxmark3 community


#1 2019-01-16 21:16:41

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Iso15693 snooping now possible

For those who are interested in snooping Iso15693 traffic (and are planning to go skiing :) ): commands hf 15 snoop and hf list 15 are now available with the latest client and firmware from the official repository.


#2 2019-03-04 23:14:52

Florin_escu
Contributor
From: Bucharest / Romania / Europe
Registered: 2019-02-13
Posts: 6

Re: Iso15693 snooping now possible

Hello.
I get a strange behavior with the "hf 15 snoop" command: first, the return is zero, but stranger still, the green and the yellow LEDs are off all the time!

The tag is:

proxmark3> hf searc

UID:               E00401006AC6BB4F
Manufacturer byte: 04, NXP Semiconductors Germany
Chip ID:           01, IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)

Valid ISO15693 Tag Found - Quiting Search


If I run "hf iclass snoop", the green LED turns on, and after reading the card with my phone the yellow LED is on; after the pm3 button is pressed the LEDs are off, and the "hf list iclass" command returns only something (the UID and some blocks) from the TAG and nothing from the reader (Xperia X phone):

proxmark3> hf list iclass 
Recorded Activity (TraceLen = 150 bytes)         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
iso14443a - All times are in carrier periods (1/13.56Mhz)         
iClass    - Timings are not as accurate         
      Start |         End | Src | Data (! denotes parity error)                                   | CRC | Annotation
------------|-------------|-----|------------------------------------------------------------------|-----|------------
          0 |         208 | Tag | bb  33  bb  00  00  00  02  bb                                  |  ok |
     137280 |      137488 | Tag | bb  d4  bb  00  01  04  04  bb                                  |  ok |
    -257968 |     -257824 | Tag | 00  00  4f  bb  c6  6a  00  01  04  e0  ce  b9                  |  ok |
      61904 |       62048 | Tag | 00  0f  4f  bb  c6  6a  00  01  04  e0  00  00  1b  03  01  71  |     |
            |             |     | 75                                                              |  ok |
    -582528 |     -582368 | Tag | 00  80  81  82  83  c6  bd                                      |  ok |
    -305248 |     -305104 | Tag | 00  00  4f  bb  c6  6a  00  01  04  e0  ce  b9                  |  ok |
    -764816 |     -764672 | Tag | 00  0f  4f  bb  c6  6a  00  01  04  e0  00  00  1b  03  01  71  |     |
            |             |     | 75                                                              |  ok |
proxmark3>


I have:

D:\Proxmark3\DOC Proxmark\official-64-20190304-1338d245c2ff5930a059d3d1fdea93a535fe6e61\win64>proxmark3 COM11
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-70-g1338d24-suspect 2019-03-04 13:25:10
os: master/v3.1.0-70-g1338d24-suspect 2019-03-04 13:25:13
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/02/15 at 20:40:32
SmartCard Slot: not available

uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 205228 bytes (78%). Free: 56916 bytes (22%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hw tune

Measuring antenna characteristics, please wait.........
# LF antenna: 18.56 V @   125.00 kHz
# LF antenna: 21.31 V @   134.00 kHz
# LF optimal: 21.17 V @   130.43 kHz
# HF antenna: 23.89 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.


#3 2019-03-05 10:19:00

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Iso15693 snooping now possible

Well, this is not too strange. Obviously you have trouble picking up the reader signal. And 'hf 15 snoop' waits for a reader command before it even starts recording a trace...

'hf iclass snoop' on the other hand could need some improvements (friendly speaking). The patterns 'bb xx bb xx xx xx xx bb' indicate errors during tag answer decoding.

Can you successfully simulate a tag ('hf 15 sim E00401006AC6BB4F')? Of course this would require picking up the reader signal as well, but it is usually easier than snooping.


#4 2019-03-06 20:00:02

Florin_escu
Contributor
From: Bucharest / Romania / Europe
Registered: 2019-02-13
Posts: 6

Re: Iso15693 snooping now possible

Hello, I have used the "M24LR Discovery Kit" with a CR95HF chip as a reader and everything works like a charm:

proxmark3> hf 15 snoop
#db# Snoop started. Press button to stop.
#db# Snoop stopped.
#db# Snoop statistics:
#db#   ExpectTagAnswer: 0
#db#   DecodeTag State: 0
#db#   DecodeTag byteCnt: 12
#db#   DecodeReader State: 0
#db#   DecodeReader byteCnt: 5
#db#   Trace length: 216
proxmark3> hf list 15
Recorded Activity (TraceLen = 216 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |         End | Src | Data (! denotes parity error)                                   | CRC | Annotation
------------|-------------|-----|------------------------------------------------------------------|-----|------------
          0 |           0 | Rdr | 26  01  00  f6  0a                                              |  ok | INVENTORY
        889 |         889 | Tag | 00  00  4f  bb  c6  6a  00  01  04  e0  ce  b9                  |  ok |
     322476 |      322476 | Rdr | 26  01  00  f6  0a                                              |  ok | INVENTORY
     323365 |      323365 | Tag | 00  00  4f  bb  c6  6a  00  01  04  e0  ce  b9                  |  ok |
     586474 |      586474 | Rdr | 26  01  00  f6  0a                                              |  ok | INVENTORY
     587363 |      587363 | Tag | 00  00  4f  bb  c6  6a  00  01  04  e0  ce  b9                  |  ok |
     809793 |      809793 | Rdr | 26  01  00  f6  0a                                              |  ok | INVENTORY
     810682 |      810682 | Tag | 00  00  4f  bb  c6  6a  00  01  04  e0  ce  b9                  |  ok |
    1089470 |     1089470 | Rdr | 26  01  00  f6  0a                                              |  ok | INVENTORY
    1090359 |     1090359 | Tag | 00  00  4f  bb  c6  6a  00  01  04  e0  ce  b9                  |  ok |
    1479748 |     1479748 | Rdr | 26  01  00  f6  0a                                              |  ok | INVENTORY
    1480637 |     1480637 | Tag | 00  00  4f  bb  c6  6a  00  01  04  e0  ce  b9                  |  ok |
proxmark3>

I am interested in some LED feedback from the PM3 board. I have noticed the following behavior in "hf 15 snoop":
- command sent from the reader to the tag and no tag found -- then the YELLOW LED lights up briefly;
- command sent from the reader to the tag and a valid answer from the tag -- then the RED & YELLOW LEDs light up briefly.

Is there any way to extend the LED feedback even more, like in "hf 14a snoop", where the behavior is like this:
- launching the snoop command lights the GREEN LED (and it remains lit until the button is pressed);
- command sent from the reader to the tag and no valid tag found -- then the RED LED lights up (and remains lit until the button is pressed or a valid tag is found);
- command sent from the reader to the tag and a valid tag found -- then the YELLOW LED lights up (and remains lit until the button is pressed or no valid tag is found).

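The INVENTORY exchange in the trace above can be checked offline. What follows is an added example, not code from the Proxmark3 client or firmware: it parses rows in the layout that "hf list 15" prints, recomputes the ISO 15693 CRC-16 (polynomial 0x8408, preset 0xFFFF, result inverted and appended low byte first, the same check behind the "ok" column), decodes the request flags and recovers the UID from the tag answer, which is sent low byte first. The two trace rows embedded in the script are copied from the post above; the manufacturer table holds only the code the thread shows (0x04, NXP) and is an assumption to be extended from the ISO/IEC 7816-6 register.

```python
"""Decode ISO 15693 INVENTORY traffic from a Proxmark3 'hf list 15' trace.

Added example, not code from the Proxmark3 project. The CRC is the
ISO 15693 (ISO/IEC 13239) CRC-16: polynomial 0x8408, preset 0xFFFF,
result inverted, appended low byte first.
"""

# Sample rows in the layout 'hf list 15' prints; the two frames are copied
# from the trace in the post above (constructed input for this example).
TRACE = """\
          0 |           0 | Rdr | 26  01  00  f6  0a                                              |  ok | INVENTORY
        889 |         889 | Tag | 00  00  4f  bb  c6  6a  00  01  04  e0  ce  b9                  |  ok |
"""

# Only the manufacturer code that appears in the thread is listed
# (assumption: extend from the ISO/IEC 7816-6 register as needed).
MANUFACTURERS = {0x04: "NXP Semiconductors Germany"}


def iso15693_crc(data: bytes) -> int:
    """CRC-16 as used by ISO 15693, computed over the frame without its CRC bytes."""
    reg = 0xFFFF
    for byte in data:
        reg ^= byte
        for _ in range(8):
            reg = (reg >> 1) ^ 0x8408 if reg & 1 else reg >> 1
    return (~reg) & 0xFFFF


def crc_ok(frame: bytes) -> bool:
    """True when the last two bytes (low byte first) match the CRC of the rest."""
    if len(frame) < 3:
        return False
    sent = frame[-2] | (frame[-1] << 8)
    return iso15693_crc(frame[:-2]) == sent


def parse_trace(text: str):
    """Yield (source, frame bytes) for each 'Rdr'/'Tag' row of the table."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 5 or cols[2] not in ("Rdr", "Tag"):
            continue
        yield cols[2], bytes.fromhex(cols[3])


def decode_request(frame: bytes) -> dict:
    """Decode the flags and command of a reader frame (INVENTORY = 0x01)."""
    flags, command = frame[0], frame[1]
    if not flags & 0x04:
        raise ValueError("inventory flag (bit 2) is not set")
    return {
        "command": command,
        "high_data_rate": bool(flags & 0x02),
        "two_subcarriers": bool(flags & 0x01),
        "afi_present": bool(flags & 0x10),
        "slots": 1 if flags & 0x20 else 16,
        "mask_length": frame[2],
        "crc_ok": crc_ok(frame),
    }


def decode_response(frame: bytes) -> dict:
    """Decode an INVENTORY answer: flags, DSFID, 8-byte UID (sent low byte first), CRC."""
    if len(frame) < 12:
        raise ValueError("inventory response needs flags, DSFID, UID and CRC")
    flags, dsfid = frame[0], frame[1]
    uid = frame[2:10][::-1]          # reverse so the E0 prefix comes first
    if uid[0] != 0xE0:
        raise ValueError("UID does not start with the ISO 15693 prefix 0xE0")
    return {
        "error": bool(flags & 0x01),
        "dsfid": dsfid,
        "uid": uid.hex().upper(),
        "manufacturer": MANUFACTURERS.get(uid[1], f"unknown (0x{uid[1]:02X})"),
        "crc_ok": crc_ok(frame),
    }


def decode_trace(text: str) -> list:
    """Decode every row of the trace into (source, fields)."""
    decoded = []
    for src, frame in parse_trace(text):
        fields = decode_request(frame) if src == "Rdr" else decode_response(frame)
        decoded.append((src, fields))
    return decoded


if __name__ == "__main__":
    for src, fields in decode_trace(TRACE):
        print(src, fields)
```

Running it on the two rows gives the reader flags 0x26 as "inventory, high data rate, one slot" with a good CRC, and the tag answer decodes to UID E00401006AC6BB4F with manufacturer 0x04, matching the "hf search" output earlier in the thread.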

#5 2019-03-07 09:02:23

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Iso15693 snooping now possible

Thanks for noticing the inconsistent LED handling. Indeed every function may use the LEDs differently. I have submitted a Pull Request to the GitHub repository to adjust hf 15 snoop and hf 14a snoop to what I think is the most common LED signalling:

  • LED A (yellow): PM3 is active (snooping)

  • LED B (green): reader is sending a command

  • LED C (red): tag is sending a response

  • LED D (red): PM3 is emitting an HF field (not relevant for snooping)

Colours are for the original PM3 board only. For whatever reason on newer boards all LEDs are the same colour.


#6 2019-03-12 07:52:21

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Iso15693 snooping now possible

The Pull Request has been merged and LED signalling should now be more consistent.
