Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
Hi gaucho,
thanks for the pictures.
As I have been making home-made coils for different 125 kHz RFID projects, I have noticed that the resonating frequency is very sensitive (a few picofarads of drift make a difference),
so maybe the capacitors on this PCB make the antenna device (in fact coil + capacitor) not resonate.
Here is the picture of my Chinese Proxmark; as you see, not all the antenna capacitors are present (it depends on the coil...). Oops! I did not see at first glance that C36 and C20 are not present, just like on my Chinese Proxmark,
and it looks like there are connections on the 4 test points TP2/3/4/5.
I have checked C39 and C43 on my board; they match the schematic, they are 1 nF.
@benoit: the missing capacitors are "do not populate" components. It is correct that they are not present.
gaucho,
You didn't post your antenna voltage here. Plus, which svn revision have you flashed? I would recommend flashing the r838 (or older) svn rev., because r839+ have broken iso14443A snoop and simulator. Did you try to read some Mifare cards with our proxmarks? Simulate them? Snoop?
What is the voltage on the "reference" pm3 board that you borrowed from your friend?
IMHO FPGA+ARM power is OK; the analog rx/tx path needs additional tests. Can you also wash the boards with isopropyl alcohol and check them again?
P.S. It can be a C35 incorrect value problem: in the BOM Excel file its value is 100 pF, but it's 47 on the schematics. Can you measure its value?
Last edited by vivat (2014-02-07 10:31:35)
Vivat,
as I wrote in the other post, the voltage for the HF antenna is between 0 and 2.5 V.
The voltage of the antenna on my friend's pm3 board was about 30 V.
I say "was" because today, comparing the signals between our board and the reference board, I burned a power regulator on my friend's board. I will replace that component for him; the ground of the oscilloscope probe touched a pin (the 3.3 V) of the SV5 connector. The 3.3 V regulator is burned now and the ARM doesn't power on.
Asper helped me on chat during the flash phase.
...proxmark3 COM28
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 842 2014-02-01 12:49:37
#db# os: svn 842 2014-02-01 12:49:41
#db# FPGA image built on 2013/11/19 at 18:17:10
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host
# LF antenna: 0.00 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 0.00 V @ 13.56 MHz
# Your LF antenna is unusable.
# Your HF antenna is unusable.
proxmark3>
Is this version not good to make the tests on the signals?
I found 2 shorted pins on one FPGA and I found that it was due to dirt. After washing it, the problem is solved.
Now, for each board that I analyze, I first start by washing it. Your hint was good.
I'm washing it with alcohol and a brush.
EDIT: I cannot measure a capacitor, at least I can replace it. Effectively you are right, in the BOM there is a different value for the C35 capacitor than the one reported on the schematic. There are also other differences, but I stated that the Excel BOM is more up to date than the schematic. Effectively the different C35 capacitor changes the resonant frequency of the HF antenna... but maybe by changing the inductance of the antenna the resonant frequency returns to the expected value. It is possible that there was an error in the original project schematic, or maybe the way to make the antenna was changed and then someone decided to update the capacitor in order to make an easier antenna. This is just an assumption.
Also check the measurements made today on the other thread: http://www.proxmark.org/forum/viewtopic … 9555#p9555
EDIT: how should I make an LF antenna? I made 100 turns (6 cm diameter), but the result seems to be not good. Is it correct?
Last edited by gaucho (2014-02-07 19:49:33)
hw tune will surely work fine in r842 so I don't think it is a "firmware issue", only a hardware one.
Can you say the same for the command HF READ?
Just checked: on my working pm3 C35 is 47 pF.
I get 1.53 millihenry for the home-made LF coil (about 20 volts when resonating)
and 1.63 microhenry for the home-made HF coil (about 11 volts when resonating).
Here are high-res pics of a proxmark3.com naked proxmark3; surely machine-soldered. You can notice the "clean" differences on various pins (look at the example below).
left -> proxmark3.com / right -> Chinese PCB:
Gaucho spent a lot of time making those very-low-cost boards available and everyone here knows that the Chinese PCB market can be "problematic"... I think he did a great job.
Last edited by asper (2014-02-09 10:01:57)
About solderings: I'm checking them and correcting where I see dirt or bad solderings on the FPGA and ARM. This is slow work, also because I'm not a specialist in it.
Please consider that the picture is low resolution and it is affected by light reflections. This doesn't mean that the solderings are wrong; it's just a matter of appearance in most cases.
Anyway there are even bad solderings and dirt, and as I said I'm working to correct the problem. Also consider that after washing the PCB, the component markings and solderings "appear" really better.
I've seen that many components are well soldered. Most of the bad solderings are related to the FPGA and ARM.
Your picture is taken with a microscope, mine with a camera.
Last edited by gaucho (2014-02-08 09:08:10)
Can you add a C36 capacitor of 47 pF or replace C35 with 100 pF and try to execute the hf tune command? Can you also post here screenshots from your oscilloscope for both crystals XT1 & XT2?
Did you try to read LF tags?
I burned a power regulator on my friend's board. I will replace that component for him; the ground of the oscilloscope probe touched a pin (the 3.3 V) of the SV5 connector. The 3.3 V regulator is burned now and the ARM doesn't power on.
What probes do you use? I would recommend buying Pomona SMD hooks or E-Z micro hooks.
Last edited by vivat (2014-02-08 13:13:09)
About solderings: I'm checking them and correcting where I see dirt or bad solderings on the FPGA and ARM. This is slow work, also because I'm not a specialist in it.
Please consider that the picture is low resolution and it is affected by light reflections. This doesn't mean that the solderings are wrong; it's just a matter of appearance in most cases.
Anyway there are even bad solderings and dirt, and as I said I'm working to correct the problem. Also consider that after washing the PCB, the component markings and solderings "appear" really better.
I've seen that many components are well soldered. Most of the bad solderings are related to the FPGA and ARM.
Your picture is taken with a microscope, mine with a camera.
In fact I posted the above pictures to say that you had been really good in polishing that!
Anyway the pics are not microscope-made, only digital-camera-zoom made!
Last edited by asper (2014-02-08 18:44:28)
Gaucho spent a lot of time making those very-low-cost boards available and everyone here knows that the Chinese PCB market can be "problematic"... I think he did a great job.
+1.
If these boards turn out to be unusable, and the money is forfeit - no shadow on Gaucho, you've done good!
asper wrote: Gaucho spent a lot of time making those very-low-cost boards available and everyone here knows that the Chinese PCB market can be "problematic"... I think he did a great job.
+1.
If these boards turn out to be unusable, and the money is forfeit - no shadow on Gaucho, you've done good!
You are wrong. The PCBs seem to be OK, but Chinese manufacturers don't wash the PCB to save money and make the lowest price possible. It is a very common situation.
Right now I see the following problems:
1. Dirty PCBs with tons of flux on them.
2. C35 value. Gaucho still didn't answer about its value. Some proxmarks have an unusable HF antenna with 100 pF. Example 1; Example 2; Example 3. Cable length is also very sensitive.
3. Crystals. Also waiting for a reply from gaucho.
Sorry vivat but I don't agree with you (I am also waiting for a pm3 from gaucho too):
1) not gaucho's fault
3) he used an HF antenna which was perfectly working with another "good" pm3, so it is not a "cable length problem"
About 2 & 4: gaucho is still making tests so I think that patience (and not "pressing") will surely help him find the problems.
Gaucho, can you test what vivat is asking about xtals? (About C35 he said he cannot measure it.)
In any case I don't think he is working badly/lazily at all. If you do not want to wait anymore, gaucho can send you a non-working pm3 so you will be able to test it yourself, helping all of us to receive a good board.
Last edited by asper (2014-02-09 11:04:54)
According to the last post of this thread http://www.proxmark.org/forum/viewtopic … d=412#p412 I can try to make an antenna in order to make it resonant at the right frequency, or I can change the capacitor. There is no difference apart from the fact that I have to buy/find a 47 pF capacitor while I still have the wire to make an inductance.
Could we agree on the shape of an adequate antenna for the 100 pF capacitor?
Supposing I use a square shape, using the info found in the 6th post of this thread http://www.proxmark.org/forum/viewtopic.php?id=1110 , I should make an antenna where a = 2.5 cm, b = 0.1 cm, c = 0.1 cm and number of turns = 3.31. Correct? Does the diameter of the wire make a difference? I didn't find it in the linked datasheet with formulas (I read it very fast).
About the other components with different values, I'm quite disappointed, since I asked on this thread for confirmation from you all about the fact that the BOM is the most up-to-date list, because I wrote that some components had a different value than the schematic. No one wrote doubts about this. And, moreover, why is there an updated BOM with wrong component values? I think that maybe we should ask the person who compiled the BOM; maybe we are focusing on the wrong point.
On your linked thread http://www.proxmark.org/forum/viewtopic … 9576#p9576 I asked for some reference signal measurements, in order to compare with mine. I ask the same here: if someone has a scope and a pm3, post here the reference signals according to my questions on that thread.
@vivat: yes, I can share a snapshot of the acquired signals. I didn't do it because I don't want to lose time; I wrote the characteristics of the acquired signals on the other thread http://www.proxmark.org/forum/viewtopic … 9555#p9555. Anyway I will do it as you required. We have a very good scope in our lab and I can use it quite fine (on Monday). The probes are OK; they have a metal ground plate because they are modular. Now I placed an adhesive protection on that ground point in order to avoid shorts. I'm not a newbie about RF measurements, please trust me.
@holiman: I feel responsible for this project, I'll do everything to make them work, I don't like to lose money.
EDIT: I also wrote here: http://www.proxmark.org/forum/viewtopic … 9579#p9579
Last edited by gaucho (2014-02-09 10:27:48)
asper suggested that I write my measurements here since the other thread is really old and no one reads it, so I copy-paste the content of the other thread here, to be sure that you read it:
Dear all,
I have the same problem on more than one board: low voltage value (between 2 volts and zero volts).
With a working proxmark (a friend of mine lent me his pm3 board) I checked that the HF antenna used is good, because it has high voltage (he doesn't have an LF antenna, but I will manufacture one ASAP). I used the d18c7db hints and I verified the following:
1) VDD = 5 V
2) IC3 output = 3.3 V
3) ARM voltage = 3.3 V
4) ARM pin 61 = signal at 16 MHz, only 570 mVpp with 400 mV of positive offset (I stated it is correct, isn't it?)
5) IC13 output (3V3-FPGA) = 3.4 V
6) IC12 output (+2V5) = 2.5 V
7) ARM pin 34 (PCKO) = signal at 24 MHz, 6.7 Vpp with 1.86 V of positive offset (I stated it is correct, isn't it?)
8) The power-on LED sequence seems to be OK.
9) When I power on the proxmark and then read the signal on IC10 pin 2 (PWR_LO) I see the following signal: 12 MHz frequency with 4.3 Vpp amplitude.
10) When I send the command "lf read" and then I read the signal on IC10 pin 2 (PWR_LO) I see the following signal: square waveform, 125 kHz frequency, 5 Vpp amplitude.
I tested 3 boards (they all have low voltage on the HF antenna); the only difference is that on test 7 the PCKO amplitude read has different values: 6.7 Vpp, 7.9 Vpp and 4.5 Vpp (I stated it could be OK, isn't it?)
Note: in the d18c7db hints I read the command "lo read", but I suppose that the client has now changed and that the correct command is "lf read".
PLEASE, give me some more tests to perform, in order to understand which is the broken component.
Thank you.
Today I made other measurements:
I powered on the board and checked IC1 pin 80 (PWR_HI) and I found no clear signal, only noise.
I sent the command HF READ and no signal appears on pin 80. I was expecting a square waveform signal.
I unsoldered pin 80 of IC1 and I tried again. Nothing changes; it means that the FPGA doesn't generate that signal.
Does the FPGA need some external signal in order to generate PWR_HI? Maybe the oscillator? I checked the oscillator XT1 and I found a good 5 Vpp sine signal (13.5 MHz).
I checked the oscillator XT2 (it is IC2 pin 61) and I found a really low signal, too low to be OK in my opinion (read in my previous post the characteristics of this signal).
The oscillators are:
XT1: TXC 7A-13.560MAAJ-T
XT2: TXC 7A-16.000MAAJ-T
The capacitors used on XT2 are C6 and C7 and their value is 22 pF.
In the ARM DATASHEET ( http://www.atmel.com/Images/doc6175.pdf ) I found that at page 569 para. 37.4.4 the oscillator signal should oscillate between a high voltage of minimum 1.26 V and a low voltage of maximum 0.54 V. Given this, my signal is not OK... but if the ARM has no clock as it seems, should it talk on the USB port? Could it be possible or should I check again?
@holiman: I feel responsible for this project, I'll do everything to make them work, I don't like to lose money.
That's great (neither do I)! What I meant was that, as I see it, you have fulfilled your obligations. I'm grateful for everything you're doing now to get the devices working though, but no pressure. Shit happens..
And sorry, I don't have any oscilloscope and my low-level electronics skills are a bit rusty, don't think I can help out much..
Update: benoit made some measurements on his board, finding some good starting-point measurements; these are the measurements made on a working board:
- about 3 volts peak to peak on XT1
- less than about 0.4 volts peak to peak on XT2
- about 3.5 volts peak to peak on pin 13 of IC10 with HF TUNE running (about 11 volts on the antenna)
So, our XT2 seems to be OK.
I will repeat, on Monday, the measurements on IC10 pin 13 with the command used by benoit.
Enio asked me to send him his board as it is. If anyone else wants the board as it is, just ask for it and I will send it; otherwise I will continue the troubleshooting.
Bye.
Last edited by gaucho (2014-02-09 22:37:02)
To make good LF 125 and 134 kHz antennas you need a used fishing line:
with internal diameter ~7 cm. And very thin enameled wire. Start with ~160 turns around and launch the hw tune command, then slowly remove turns and see what happens. You need to find the number of turns where you will get a stable 125 kHz (see LF OPTIMAL).
For the HF antenna you can use an old CD case and 3 turns of 0.5 mm enameled wire.
OK, things are becoming clear:
I repeated some measurements.
You can see in the bottom right side of each screenshot the automatic measurements taken by the oscilloscope (freq., rms and peak to peak).
The output of oscillator XT1:
It's 4 Vpp (the mean value measurement is wrong since the scope was integrating a previously measured signal). Quite good.
The output of oscillator XT2:
It's 214 mVpp, really low but maybe it's correct since it is near Benoit's measurements and the ARM is working.
The output of the FPGA LO_PWR (after issuing the command LF READ):
It's 3.6 Vpp. Quite good.
The output of the FPGA HI_PWR (after issuing the command HF TUNE):
It's 3.45 Vpp. Quite good.
With the command HF TUNE, I connected an HF antenna made for a pm3 built with a 47 pF capacitor and I saved the signal obtained on TP3:
It's 4.7 Vpp. Mmm... this is too low. It corresponds to about 2 V on the client.
Then I changed the HF antenna until I obtained the max voltage value (maybe I didn't find the best value, but I tried a lot).
The antenna is made of 2 turns of AWG24 wire, diameter 8.5 cm. You will see it in the following images.
This is the screenshot taken with this antenna, with the probe on TP3 (with HF TUNE running):
It's 20 Vpp. Is it good enough? If we obtain a higher voltage by changing the value of the capacitor, will this improve the performance of the board, or is it just a reference value and performance will not change? Let's speak about this in order to decide whether it is needed to change this capacitor. Think about it, because maybe it's just a scale, and not less radiated energy.
Then I made an LF antenna. You can find it in the following images.
I used a plastic object found in the lab. Internal diameter about 44 mm, width about 17 mm. Wire type: 0.4 mm diameter. Number of turns: 145.
This is the screenshot taken with the probe on TP2 (proxmark with the command LF READ running):
It's 58.4 Vpp. Is it good?
The following image shows the 2 connected antennas.
The following image shows the voltages obtained with these 2 connected antennas:
The best values obtained on the client are: 26 V for the LF antenna and 8 V for the HF antenna.
Last edited by gaucho (2014-02-10 17:38:31)
Thanks for good waveforms! See mine
XT1:
XT2:
Tomorrow I'll try to find the difference between your and my measurements. Your LF antenna seems to be usable. Keep on practicing and you will reach 40+ volts!
P.S. Just sent you the money for cards.
Last edited by vivat (2014-02-10 18:00:20)
Great work gaucho! The HF antenna should be over 10 V to be quite good, over 13 V to be really good (6-8 V can produce bad behaviour reading/writing tags).
LF is surely usable but, as vivat said, it can get better.
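The hw tune report pasted earlier in this thread (the all-zero one) and the voltage rules of thumb asper gives here are the two things a practitioner ends up checking by eye board after board. The script below is an added example for this page, not code from the Proxmark3 project or from any poster: it parses the old client's hw tune report lines and applies the thresholds. The 2 V "unusable" and 10 V LF "marginal" limits are assumptions that mirror the client's own wording, the 10 V / 13 V HF steps are asper's figures from this post, and the 3 kHz allowed drift of "LF optimal" from 125 kHz is this example's own choice. The second sample report is assembled from voltages gaucho quotes later (about 26 V LF, 11.38 V HF) and is not a real capture.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input. DEAD_REPORT is the all-zero `hw tune` output pasted in this
# thread; OK_REPORT is ASSEMBLED for this example from voltages quoted later in the
# thread and is not a real capture.
DEAD_REPORT = """\
# LF antenna: 0.00 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 0.00 V @ 13.56 MHz
# Your LF antenna is unusable.
# Your HF antenna is unusable.
"""

OK_REPORT = """\
# LF antenna: 26.01 V @ 125.00 kHz
# LF antenna: 19.40 V @ 134.00 kHz
# LF optimal: 26.50 V @ 124.22 kHz
# HF antenna: 11.38 V @ 13.56 MHz
"""

_LF_RE = re.compile(r"^# LF antenna:\s+([\d.]+) V @ ([\d.]+) kHz$")
_OPT_RE = re.compile(r"^# LF optimal:\s+([\d.]+) V @ ([\d.]+) kHz$")
_HF_RE = re.compile(r"^# HF antenna:\s+([\d.]+) V @ ([\d.]+) MHz$")

# Thresholds are ASSUMPTIONS, not read from the client source: 2 V "unusable" and
# 10 V LF "marginal" mirror the client's wording, the HF 10 V / 13 V steps are asper's
# rule of thumb from this thread, and 3 kHz of allowed drift is this example's own choice.
LF_UNUSABLE_V, LF_MARGINAL_V, LF_DRIFT_KHZ = 2.0, 10.0, 3.0
HF_UNUSABLE_V, HF_GOOD_V, HF_REALLY_GOOD_V = 2.0, 10.0, 13.0


@dataclass
class TuneResult:
    lf_v: dict = field(default_factory=dict)  # carrier kHz -> peak volts
    lf_opt_v: float = 0.0                     # voltage at the best frequency of the sweep
    lf_opt_khz: float = 0.0                   # that frequency ("LF optimal")
    hf_v: float = 0.0                         # peak volts at 13.56 MHz


def parse_hw_tune(text):
    """Parse the `hw tune` report lines; raise if a required line is missing."""
    r = TuneResult()
    seen_opt = seen_hf = False
    for raw in text.splitlines():
        line = raw.strip()
        m = _LF_RE.match(line)
        if m:
            r.lf_v[float(m.group(2))] = float(m.group(1))
            continue
        m = _OPT_RE.match(line)
        if m:
            r.lf_opt_v, r.lf_opt_khz = float(m.group(1)), float(m.group(2))
            seen_opt = True
            continue
        m = _HF_RE.match(line)
        if m:
            r.hf_v = float(m.group(1))
            seen_hf = True
    if not r.lf_v or not seen_opt or not seen_hf:
        raise ValueError("incomplete hw tune report")
    return r


def assess(result, lf_target_khz=125.0):
    """Return verdict strings keyed 'lf' and 'hf', plus 'lf_drift_khz' (None when
    there is no LF signal, because the client prints a meaningless optimal frequency then)."""
    lf = result.lf_v.get(lf_target_khz, 0.0)
    if lf < LF_UNUSABLE_V:
        lf_verdict = "unusable (%.2f V): no LF resonance; check coil wiring and PWR_LO drive" % lf
    elif lf < LF_MARGINAL_V:
        lf_verdict = "marginal (%.2f V): add/remove turns and retune" % lf
    else:
        lf_verdict = "usable (%.2f V)" % lf
    drift = None
    if result.lf_opt_v > 0.0:
        drift = result.lf_opt_khz - lf_target_khz
        if abs(drift) > LF_DRIFT_KHZ:
            lf_verdict += "; optimal at %.2f kHz, coil mis-tuned by %+.2f kHz" % (result.lf_opt_khz, drift)
    hf = result.hf_v
    if hf < HF_UNUSABLE_V:
        hf_verdict = "unusable (%.2f V)" % hf
    elif hf < HF_GOOD_V:
        hf_verdict = "weak (%.2f V): 6-8 V gives unreliable reads/writes" % hf
    elif hf < HF_REALLY_GOOD_V:
        hf_verdict = "good (%.2f V, above 10 V)" % hf
    else:
        hf_verdict = "really good (%.2f V, above 13 V)" % hf
    return {"lf": lf_verdict, "hf": hf_verdict, "lf_drift_khz": drift}


if __name__ == "__main__":
    for name, report in (("dead board", DEAD_REPORT), ("tuned board", OK_REPORT)):
        verdict = assess(parse_hw_tune(report))
        print("%s: LF %s | HF %s" % (name, verdict["lf"], verdict["hf"]))
```

Paste the report straight from the client into parse_hw_tune; an all-zero report is classified as unusable on both paths without looking at the bogus 12000 kHz "optimal" value, while a live LF reading also gets its optimal frequency compared against 125 kHz so a coil that needs turns removed is called out explicitly.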
We should decide if we need to change the capacitor. I couldn't obtain a higher value for the HF antenna. Is it possible that no one knows why that capacitor changed value and how the antenna should be made now? I tried changing the diameter, the number of turns, but I never get more than that voltage value for the HF antenna..
About the LF antenna: I started with 150 turns, then I made some "hw tune", then I read the "optimal frequency value" and I had to remove some turns to obtain the "optimal" frequency @ 125 kHz. Then I suppose that it is the best signal. Why did you say that I can obtain 40 V?
Last edited by gaucho (2014-02-10 23:49:47)
Why did you say that I can obtain 40 V?
You will get it with a used fishing line (see picture on the previous page) and thin 0.1 mm wire. Just try it.
If you can't measure C35, did you try to replace it? What is the resistance of your antennas? Did you try to change the cable diameter/material? Can you also measure the inductance (L) with this formula:
https://code.google.com/p/proxmark3/wiki/Antennas#Roel%E2%80%99s_Hirose_antenna
Please keep in mind that adding/removing even 1 cm of cable changes the antenna inductance.
Did you try to read some LF tags? Can you also try to test HF tag simulation mode against your SL-500 reader?
Last edited by vivat (2014-02-11 09:07:45)
We should decide if we need to change the capacitor. I couldn't obtain a higher value for the HF antenna. Is it possible that no one knows why that capacitor changed value and how the antenna should be made now? I tried changing the diameter, the number of turns, but I never get more than that voltage value for the HF antenna..
About the LF antenna: I started with 150 turns, then I made some "hw tune", then I read the "optimal frequency value" and I had to remove some turns to obtain the "optimal" frequency @ 125 kHz. Then I suppose that it is the best signal. Why did you say that I can obtain 40 V?
If I understood you right, your PM3 has a 100 pF capacitor instead of the 47 pF fitted on the PM3 boards that can be found on the internet.
If this is right I suggest changing the capacitor, as if you keep the 100 pF value you will need an antenna with too low an inductance (as the capacitor is more or less double the 47 pF value, you will need an antenna with more or less half the inductance required for the 47 pF capacitor).
This means either fewer turns of wire, or a smaller diameter of the coil.
Taking into account that the HF antenna is usually formed of very few turns of wire, this could lead to an antenna generating too low a magnetic field, unable to power up the tag (even if its inductance is OK to be resonant at the required frequency).
For tests you can try with a standard through-hole capacitor soldered to the PCB pads (or remove the capacitor on the PCB and solder the standard 47 pF capacitor on the antenna wires or the TP3 test point) and check if the PM3 then works. Then you can source the SMD parts from wherever you are able to do it (RS, Farnell, Digikey, eBay...).
Hope this helps.
Regards,
Cex.
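Cex's argument above, and gaucho's earlier guess that a different C35 could be compensated by a different coil, both rest on the ideal LC relation f = 1 / (2π√(LC)). The helper below is an added example written for this page, not code from the Proxmark3 project or from any poster, and it works through the figures quoted in the thread: 47 pF vs 100 pF at 13.56 MHz, benoit's 1.53 mH LF coil, and the "remove turns until LF optimal sits at 125 kHz" procedure. It treats each antenna as a bare LC tank, so cable capacitance, coil resistance and the rest of the board's matching network are ignored; pairing the 1.53 mH coil with 1 nF only assumes that C39/C43 (read as 1 nF earlier) are the LF tuning capacitors, and the 121 kHz "measured optimal" used to size the turn removal is a constructed input.

```python
import math

# Added example. Ideal LC tank only: no cable capacitance, no coil resistance,
# no other tuning components on the board.

def resonant_frequency_hz(inductance_h, capacitance_f):
    """f = 1 / (2*pi*sqrt(L*C))."""
    return 1.0 / (2.0 * math.pi * math.sqrt(inductance_h * capacitance_f))


def inductance_for_h(freq_hz, capacitance_f):
    """Coil inductance that resonates with C at f: L = 1 / ((2*pi*f)^2 * C)."""
    return 1.0 / ((2.0 * math.pi * freq_hz) ** 2 * capacitance_f)


def capacitance_for_f(freq_hz, inductance_h):
    """Tuning capacitance that resonates with L at f: C = 1 / ((2*pi*f)^2 * L)."""
    return 1.0 / ((2.0 * math.pi * freq_hz) ** 2 * inductance_h)


def turns_scale_for_cap_change(c_old_f, c_new_f):
    """For a coil of fixed geometry L grows roughly with N^2, so holding f while C
    changes needs N_new / N_old = sqrt(C_old / C_new). Doubling C -> ~0.71x turns."""
    return math.sqrt(c_old_f / c_new_f)


def turns_for_target(turns_now, f_measured_hz, f_target_hz):
    """Same N^2 approximation: f is proportional to 1/N, so
    N_new = N_now * f_measured / f_target. Feed it the 'LF optimal' frequency
    printed by hw tune; a result below turns_now means 'remove turns'."""
    return turns_now * f_measured_hz / f_target_hz


if __name__ == "__main__":
    hf = 13.56e6
    for c in (47e-12, 100e-12):
        print("HF: C = %3.0f pF needs L = %.2f uH" % (c * 1e12, inductance_for_h(hf, c) * 1e6))
    print("turn ratio when going 47 pF -> 100 pF: %.2f" % turns_scale_for_cap_change(47e-12, 100e-12))
    # benoit's measured 1.63 uH HF coil with 47 pF alone would sit well above 13.56 MHz,
    # i.e. the real HF tank is not just C35 + coil
    print("1.63 uH + 47 pF (bare LC) -> %.2f MHz" % (resonant_frequency_hz(1.63e-6, 47e-12) / 1e6))
    # LF: benoit's 1.53 mH coil against an ASSUMED 1 nF tuning capacitance
    print("LF: 1.53 mH + 1 nF -> %.1f kHz" % (resonant_frequency_hz(1.53e-3, 1e-9) / 1e3))
    # constructed: 150 turns, hw tune reports LF optimal at 121 kHz
    print("turns to reach 125 kHz: %.1f" % turns_for_target(150, 121e3, 125e3))
```

Two things fall out of the numbers. With a bare LC the 100 pF board wants roughly 1.4 µH instead of 2.9 µH, about 0.69 times the turns, which is Cex's "fewer turns, less field" point. And benoit's 1.63 µH coil resonating at 11 V with 47 pF does not fit this model (it lands near 18 MHz), so the real HF tank includes more than C35 and the coil; use the helper to reason about relative changes, not to predict the absolute voltage hw tune will show.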
If this is right I suggest changing the capacitor, as if you keep the 100 pF value you will need an antenna with too low an inductance (as the capacitor is more or less double the 47 pF value, you will need an antenna with more or less half the inductance required for the 47 pF capacitor).
This means either fewer turns of wire, or a smaller diameter of the coil.
Taking into account that the HF antenna is usually formed of very few turns of wire, this could lead to an antenna generating too low a magnetic field, unable to power up the tag (even if its inductance is OK to be resonant at the required frequency).
This makes sense. I agree with your reasoning.
I just can't understand why this BIG change is not well documented and accompanied by a deep discussion thread.
Google Code is useless if you don't share detailed "change notes" about the choices.
Today I used a 0.1 mm diameter wire to make an HF antenna with a smaller diameter (about 3 cm diameter, and few turns) but I couldn't obtain a good voltage even unwinding the turns one by one.
Then I made another HF antenna like the one posted yesterday but using AWG26 wire. The obtained voltage is a little bit higher (8.5 V on the client) but nothing else.
I will try with a 47 pF capacitor but I first need to get it; this can take up to 1 week if we have it in our depot.
Keep in touch and let me know if you want me to send the board now as it is.
vivat wrote: "Did you try to read some LF tags?"
Answer: I suppose I don't have LF tags, I have only a badge, a coffee key and a skipass (they're all HF).
vivat wrote: "Can you also try to test HF tag simulation mode against your SL-500 reader?"
Answer: yes I can, I just need some hints about how to do it. The SL500 is here, ready to be used. Why do you ask this question? Is it a particular mode that can not work even if the common "read command" is working?
Anyway I tried to read a Mifare Classic 1k with this low 8 V voltage and the result is that the card can't be detected.
EDIT: today I continued to look at the boards under the microscope, finding some false solderings and some pins soldered together on the FPGA and ARM, even if the client is working. I solved the problems found personally, but I also wrote to the manufacturer (consider that I have to order another personal-project PCBA within a few weeks) to complain about its bad work.
Last edited by gaucho (2014-02-11 15:14:38)
Why do you ask this question? Is it a particular mode that can not work even if the common "read command" is working?
Anyway I tried to read a Mifare Classic 1k with this low 8 V voltage and the result is that the card can't be detected.
Because fake tag simulator mode doesn't require good voltage on the antenna.
I want to make sure that the analog transmit/receive path is working. You can launch the iso14443A tag simulator by sending the command:
hf 14a sim
then hf 14a list to see the data exchange.
Or launch the iso14443B simulator:
hf 14b sim
Don't forget that the PM3 antenna position relative to the reader matters a lot for your simulation. I usually place my antenna at around 45 degrees from the reader.
Did you try to read those Mifare Ultralights?
Update: I found a 47 pF capacitor, soldered it, tested with a new antenna, 3 turns, wire type AWG26, diameter 7 cm. Obtained voltage on the HW TUNE command: 11.38 V.
This is better than the previously obtained values.
I couldn't obtain a greater value.
If I remember well, the minimum recommended voltage value for the HF antenna is 10 V. Correct?
Well, I tried to read a Mifare 1k and an SRIX4K but the first is never found with the command "hf 14a reader", while the second one answers only once in 10 tries to the command "hf 14b raw -c -p 06 00". I also tried moving the tag around the antenna.
Is there a problem in the boards?
EDIT: I tried the following commands:
hf 14a sim 1 8bd88888
hf 14a list
The client answered with "waiting for a response from the proxmark..." and then "don't forget to cancel its operation first by pressing on the button".
Then I placed the antenna near the SL500, I requested the UID of the tag with the SL500 software (I have no doubt about the SL500) but the pm3 board doesn't scroll anything on it and the SL500 can't find the emulated tag.
I tested only one board today; give me your opinion and I will continue with the other boards.
Last edited by gaucho (2014-02-11 18:08:10)
Question: which is the analog signal sampled by the DAC? I can start watching it on the scope.
After digitization it is sent to the FPGA. Could I check it in any way?
vivat, you wrote "I usually place my antenna nearly around 45 degree from reader.".
What do you mean? I didn't read this sentence before, maybe I read it too fast.
I placed the antenna over the SL500.
Anyway I think that now that the voltage is OK, the tag should be read, but it's not working.
I suspect a problem. No? Give me some hints about possible measurements to perform.
srix4k but the first is never found with the command "hf 14a reader", while the second one answers only once in 10 tries to the command "hf 14b raw -c -p 06 00". I also tried moving the tag around the antenna.
If the size of your SRIX4K is small and not a standard smartcard, maybe it's a "MyK"; you need a small antenna to power it. asper has good experience with it.
I made an antenna with a diameter of about 2 cm.
Last edited by jonor (2014-02-11 20:55:52)
11.38 V is good for HF. You need to test the analog RX path with the scope. See ./doc/proxmark3_schema.pdf page 4. Let's say that you launch hf 14a reader or hf 14a sim. The signal comes from the HF antenna coil to ANT_HI, then goes through the relay (which is set to PEAK-DETECTED mode, MUXSEL_HIPKD), being filtered and then amplified by the AD8052. Then it goes to the ADC TLC5540. There is the TP1 test point on the ADC_IN input. You can check it with the scope.
An easier test is to sniff the communication between card and reader. Place the PM3 antenna between the SL-500 reader and the Mifare tag, then launch the hf 14a snoop or hf mf snoop command. After that launch the reader's software and scan for tags. Stop the sniffer by pressing the button on the PM3 board and launch hf 14a list. Make sure you are using the r838 (or older) svn revision, as I posted above.
The MUXSEL_HIRAW path is not used at all in the latest firmware.
Last edited by vivat (2014-02-12 04:45:51)
EDIT: I tried the following commands:
hf 14a sim 1 8bd88888
hf 14a list
The client answered with "waiting for a response from the proxmark..." and then "don't forget to cancel its operation first by pressing on the button".
I don't know exactly what software revision you are using, but when the pm3 is in simulator mode, it does not listen to commands from the USB - it's fully occupied simulating. At least that's the case for 'hf mf sim', but I believe it's the case also for 'hf 14a sim'. Thus, before you do 'hf 14a list', you need to press the pm3 button to abort the simulation.
Edit - clarification: that's why you get "waiting for a response..", because the host does not get any response back when the 'hf 14a list' command is sent (since the device is not listening to USB).
Last edited by holiman (2014-02-12 09:10:12)
I see you wrote some posts. I will read and reply later; first I report my last tests.
The second parcel with "accessories" has arrived.
I connected the LF antenna, I made an lf tune obtaining about 26 V, as it was yesterday. I placed a 125 kHz tag (one of the ordered tags). It's a T55X7.
I tried to read it but I didn't get an answer from it.
This is the log (it doesn't change with or without the tag near the antenna):
proxmark3> lf t55xx readblock 1
Reading block 1
proxmark3>
proxmark3> #db# DONE!
I couldn't read it with the SL500 because I don't know how to do it (if I can do it), so as you see I have few stable points in my mind.
when the pm3 is in simulator mode, it does not listen to commands from the USB - it's fully occupied simulating
Yes, but the SL500 reader was not able to read the simulated tag. There is something wrong.
@jonor: OK, let's not consider the srix test.
As vivat suggested, I will make some more measurements on the RX part and I'll share here the recorded signals.
The customs also arrived, but the price is really low: 11.71 €
Last edited by gaucho (2014-02-12 15:32:45)
The SL500 is a 13.56 MHz reader, it doesn't support 125 kHz.
I connected the LF antenna, I made an lf tune obtaining about 26 V, as it was yesterday. I placed a 125 kHz tag (one of the ordered tags). It's a T55X7.
I tried to read it but I didn't get an answer from it.
How about lf read
data samples 4000
data plot
Yes, but the SL500 reader was not able to read the simulated tag. There is something wrong.
OK, waiting for your results from the simulator and sniffer.
The SL500 is a 13.56 MHz reader, it doesn't support 125 kHz.
Oh shit! What a newbie am I?
How about lf read
Look at this:
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 842 2014-02-01 12:49:37
#db# os: svn 842 2014-02-01 12:49:41
#db# FPGA image built on 2013/11/19 at 18:17:10
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> lf read
#db# buffer samples: 9f 98 72 9a 93 70 91 90 ...
proxmark3> lf read
#db# buffer samples: 77 9d 90 6f 96 91 74 7c ...
proxmark3> lf read
#db# buffer samples: 71 7f 90 91 74 9b 92 70 ...
proxmark3> lf read
#db# buffer samples: 92 73 7d 9f 98 71 99 92 ...
proxmark3>
first 2 "lf read" commands are without tags, last 2 "lf read" commands are with the T55X7 tag. bytes changes apparently like noise. is it wrong?
i will upload the fw version suggested by you for the tests with the scope.
now the lab is closed and i couldn't perform measures before. tomorrow i'll be in austria(wien) for a meeting and i'll be back the day after. but the return flight is late and saturday I don't work. next measures on monday. also about the shipments requested by enio and benoit: i can't do it today. today i'll prepare the parcel and i'll send them when i'll be back, let's say saturday.
by this way we can do more measures and tests together in order to solve the problem.
data samples 4000
data plot
The following log is taken with a T55X7 over the LF antenna (only the LF antenna connected):
Is it a sine waveform? Correct? Is it OK in your experience? Can I do the same on the HF path? Which commands?
Last edited by gaucho (2014-02-12 19:19:45)
Offline
You need to test the analog RX path with a scope. See ./doc/proxmark3_schema.pdf page 4. Let's say you launch hf 14a reader or hf 14a sim. The signal comes from the HF antenna coil to ANT_HI, then goes through the relay (which is set to PEAK-DETECTED mode, MUXSEL_HIPKD), is filtered and then amplified by the AD8052. Then it goes to the ADC TLC5540. There is a TP1 test point on the ADC_IN input. You can check it with a scope.
Good, I'll do it.
Should I send a particular command before doing this measure?
An easier test is to sniff the communication between card and reader. Place the PM3 antenna between the SL-500 reader and the Mifare tag, then launch the hf 14a snoop or hf mf snoop command. After that, launch the reader's software and scan for tags. Stop the sniffer by pressing the button on the PM3 board and launch hf 14a list. Make sure you are using the r838 (or older) svn revision, as I posted above.
MUXSEL_HIRAW path is not used at all in latest firmware.
OK, I don't have the right FW version now; I will upload it and do this test, but
does it make sense to do it if I'm not able to simulate and read a tag?
For sure the most important measure is on the ADC input, then we should continue..
It is important to understand if we are sampling the signal correctly.
I could inject a well-known signal (amplitude and shape) and then check if on "data plot" the signal is shown as it is.
Did someone perform this task in the past? Can you do it? Can I do it? Do the levels shown on data plot correspond to the effective signal level?
Consider that in the previously sampled signal (I posted a screenshot of the data plot) the period of that signal is 32 samples. Which is the sampling rate?
Why do I see a sine while it should be a 125 kHz square waveform as I've seen on the scope? Am I right?
Last edited by gaucho (2014-02-12 19:18:41)
Offline
This is a T5567 waveform (a little zoomed out):
There seem to be problems in yours... even if the signal is present it seems to be "non-constant" and low...
Last edited by asper (2014-02-12 19:33:47)
Offline
Now the lab is closed and I couldn't perform measures before. Tomorrow I'll be in Austria (Wien) for a meeting and I'll be back the day after, but the return flight is late and on Saturday I don't work. Next measures on Monday.
You can read the Proxmark wiki during your flight to learn the command syntax/usage.
Why didn't you try to launch the HF simulator or sniffer again? It is a simple and easy test to perform.
Why do I see a sine while it should be a 125 kHz square waveform as I've seen on the scope? Am I right?
Can you upload the trace you have recorded to some file hosting? This is the command sequence:
lf read
data samples 16000
data save any_file_name.pm3
Saved .pm3 files are located in ./traces. Upload it somewhere.
You can also do this test. The first PM3 will act as LF reader, the second as LF tag. Place both antennas on each other.
1. Take 2 proxmarks with 2 LF antennas
2. On PM3-LF simulator launch command lf em410x sim
3. On PM3-LF reader execute lf em410x reader
4. Launch data samples on both PM3
5. data save somefile.pm3
Which is the sampling rate?
In general the raw sample rate will be at whatever rate the ADC (IC8) is being clocked at on pin 12. This signal comes from the FPGA (IC1) pin 46, so I assume it changes based on mode (e.g. slower sample rate for LF operation). Assuming the FPGA doesn't decimate or throw away samples, the plot sample period should be the period of the ADC clock signal.
The ADC reads the incoming signal at a frequency of 125 kHz. This frequency is generated by the FPGA from the PCK0 signal divided by a divisor. For the lf read command (125 kHz) it is set to 95. 12 MHz/95 = ???
For lf read h (134 kHz) it is 89. 12/89 = ???
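To put the two figures in vivat's post (12 MHz PCK0, divisors 95 and 89) together with the "period of 32 samples" gaucho saw in data plot, here is an added Python helper; it is not part of the thread or of the Proxmark3 code base. It computes the sample rate from the divisor, parses a trace in the one-decimal-sample-per-line text format that `data save` writes (the trace below is constructed, not a capture), estimates the dominant period by autocorrelation, and converts that period into a modulation frequency and an RF/n ratio; the 12 MHz figure and the "ADC clocked at the carrier frequency" statement are taken from vivat's post as given.

```python
"""Sample rate of the LF path and dominant period of a saved trace.
Added example for this thread, not Proxmark3 code. Trace format: one decimal
sample per line, as `data save` writes it; the trace here is constructed."""
import math

PCK0_HZ = 12_000_000  # PCK0 frequency as stated in vivat's post (assumption)


def sample_rate(divisor: int, pck0_hz: int = PCK0_HZ) -> float:
    """ADC clock = PCK0 / divisor (95 for lf read, 89 for lf read h)."""
    return pck0_hz / divisor


def make_trace(period: int = 32, count: int = 512, amplitude: int = 60) -> str:
    """Constructed trace: an 8-bit sine on a DC offset with `period` samples per cycle."""
    vals = (128 + round(amplitude * math.sin(2 * math.pi * i / period)) for i in range(count))
    return "\n".join(str(v) for v in vals) + "\n"


def parse_pm3(text: str) -> list[int]:
    """One integer sample per line; blank lines are ignored."""
    return [int(line) for line in text.splitlines() if line.strip()]


def dominant_period(samples: list[int]) -> int:
    """Lag of the strongest autocorrelation peak after the lobe around lag 0.
    The mean is removed first so a DC offset (like the 2.5 V seen at TP1)
    does not hide the periodic part of the signal."""
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    energy = sum(v * v for v in x) or 1.0

    def corr(lag: int) -> float:
        return sum(x[i] * x[i + lag] for i in range(n - lag)) / energy

    lag = 1
    while lag < n // 2 and corr(lag) > 0:  # walk past the first zero crossing
        lag += 1
    best_lag, best = lag, -1.0
    for cand in range(lag, n // 2):
        c = corr(cand)
        if c > best:
            best_lag, best = cand, c
    return best_lag


def describe_period(period_samples: int, divisor: int) -> dict:
    """Period in samples -> modulation frequency and RF/n ratio.
    With the ADC clocked at the carrier rate (vivat's statement), one sample
    is one carrier cycle, so a 32-sample period is an RF/32 modulation."""
    fs = sample_rate(divisor)
    return {"sample_rate_hz": fs, "period_us": period_samples / fs * 1e6,
            "modulation_hz": fs / period_samples, "rf_over_n": period_samples}
```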
Offline
Any news?
I have launched the command hf 14a reader against my Mifare card. Measures taken from TP1.
Offline
I made some measurements:
I connected the HF antenna without tags (all these measures are taken in this condition), connected the USB cable to the board and sent the command hf tune.
I understood that in this moment the Peak Detect is active and TP1 shows the same signal coming from IC6 pin 8. Correct? Do you agree with me?
This is TP3:
It's about a 13.7 MHz sine with about 25.5 Vpp. There is an offset.
This is TP1:
It's a 2.5 V DC voltage with noise (maybe it's an unwanted ripple). Could it be correct? Could you make this measure on a working board?
Then I sent the command hf 14a reader.
If I understood well, in this situation TP1 has the same signal found on IC14 pin 1. Correct?
This is the output on TP1:
It's a 2.5 V signal with a ripple of about 350 mVpp and a frequency of about 470 kHz (or a 470 kHz signal with an offset of 2.5 V).
This signal is always present after the first issue of the command; I didn't check during the transition time, maybe there is something similar to your last measure? Can you see it like me?
I also checked that the sampling clock is present.
I noted that the clock is present only when you issue the command:
This is the clock (IC8 pin 12) during the command "hf 14a reader":
It's about a 3.5 Vpp square waveform with a frequency of 13.5 MHz.
This is the clock (IC8 pin 12) during the command "lf t55xx readblock 1":
It's about a 3.4 Vpp square waveform with a frequency of 246 kHz.
Last edited by gaucho (2014-02-17 19:13:15)
Offline
These are the Enio and Benoit parcels:
In one picture there is a magic card and a Hirose connector; it is made of 3 pieces.
Parcel 1:
Parcel 2:
Sorry for the bad quality.
They are both fully checked. Solderings are OK.
The capacitor is the original 100 pF. I suppose the first thing you should do is to mount the 47 pF.
EDIT: I can read the cards on my SL500 as Mifare 1k, but its software can't write block 0 (the write button is disabled). I didn't have the time to investigate whether I can write that block with a custom (my own) software or whether there is a physical limit of my reader that will not allow me to do it.
Last edited by gaucho (2014-02-17 19:35:56)
Offline
This is a T5567 waveform (a little zoomed out):
http://i.imgur.com/LyAAQLd.png
There seem to be problems in yours... even if the signal is present it seems to be "non-constant" and low...
Maybe I use the plot in the wrong way. When I hit the command "hf 14a reader" the signal is acquired for a small amount of time. How could I sample that signal? When I send the command "data sample 4000" it takes only 4000 samples while there is no "hf 14a reader" running. Was I clear in my question?
Last edited by gaucho (2014-02-17 19:34:44)
Offline
Great, looking forward to it! Thanks for the update!
Offline
Also SFiCl asked for the parcel; this is the SFiCl parcel:
Last edited by gaucho (2014-02-22 15:17:49)
Offline
Dear fucking experts,
Today I had the time to upload a previous firmware version.
It should be a useless test in my mind, since I suppose that the last version is the best..
Anyway, I uploaded revision 834: bootloader, OS and FPGA.
I did a hw tune with an HF antenna and without the tag, then I placed a Mifare 1k in the middle of the antenna and the tag was read.
This is the log:
C:\Users\operator\Desktop\win32 (client)>proxmark3 COM9
proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 834 2013-11-01 11:34:14
#db# os: svn 834 2013-11-01 11:34:18
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56
uC: AT91SAM7S512 Rev A
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait...
#db# Measuring complete, sending report back to host
# LF antenna: 0.00 V @ 125.00 kHz
# LF antenna: 0.00 V @ 134.00 kHz
# LF optimal: 0.00 V @ 12000.00 kHz
# HF antenna: 11.02 V @ 13.56 MHz
# Your LF antenna is unusable.
proxmark3> hf 14a reader
ATQA : 04 00
UID : b4 58 94 38
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported
proxmark3> hf 14a reader
ATQA : 04 00
UID : b4 58 94 38
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported
proxmark3> hf 14a reader
ATQA : 04 00
UID : b4 58 94 38
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported
proxmark3>
Please, explain it.
After this, I flashed this FW on another board, tested it in the same manner and obtained the same result.
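As an added illustration of what the `hf 14a reader` lines in the log above mean (example code, not the thread's or the Proxmark3 client's own), the helper below parses that output and decodes the ATQA and SAK per ISO/IEC 14443-3: SAK bit 0x04 set means the UID is not complete yet, SAK bit 0x20 set means the card supports ISO/IEC 14443-4 and would answer RATS, and the ATQA UID-size bits tell how long the UID must be. The product names come from the common SAK mapping (NXP AN10833) for a handful of values only; the assumption that the client prints the ATQA bytes in transmission order (LSB first, so "04 00" is 0x0004) is labelled in the code.

```python
"""Decode ATQA/SAK from `hf 14a reader` text. Added example, not pm3 code."""
import re

# Constructed from the log in this thread (same UID, ATQA and SAK as printed).
SAMPLE_OUTPUT = """\
proxmark3> hf 14a reader
ATQA : 04 00
UID : b4 58 94 38
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported
"""

# Common SAK -> product mapping (NXP AN10833); only a few well-known values.
SAK_PRODUCTS = {
    0x00: "MIFARE Ultralight / NTAG",
    0x08: "MIFARE Classic 1K | Plus 2K SL1",
    0x09: "MIFARE Mini",
    0x18: "MIFARE Classic 4K | Plus 4K SL1",
}
UID_SIZES = {0: 4, 1: 7, 2: 10}  # ATQA bits 6-7: single, double, triple size


def parse_reader_output(text: str) -> dict:
    """Extract the hex bytes of the ATQA, UID and SAK lines the client prints."""
    fields = {}
    for key in ("ATQA", "UID", "SAK"):
        m = re.search(rf"^{key}\s*:\s*((?:[0-9a-fA-F]{{2}}\s*)+)", text, re.M)
        if not m:
            raise ValueError(f"{key} line not found")
        fields[key.lower()] = bytes.fromhex(m.group(1).replace(" ", ""))
    return fields


def decode_sak(sak: int) -> dict:
    """SAK bit 0x04: UID not complete (cascade); bit 0x20: ISO 14443-4 (RATS)."""
    product = SAK_PRODUCTS.get(sak)
    if product is None:
        product = "ISO/IEC 14443-4 compliant card" if sak & 0x20 else "unknown"
    return {"uid_complete": not sak & 0x04, "iso14443_4": bool(sak & 0x20),
            "product": product}


def decode_atqa(atqa: bytes) -> dict:
    """Assumption: bytes are printed in transmission order, LSB first."""
    value = atqa[0] | (atqa[1] << 8)
    return {"value": value, "uid_size_bytes": UID_SIZES.get((value >> 6) & 0x3)}


def analyse(text: str) -> dict:
    """Combine the three fields and cross-check UID length against the ATQA."""
    f = parse_reader_output(text)
    sak, atqa = decode_sak(f["sak"][0]), decode_atqa(f["atqa"])
    return {"uid": f["uid"].hex(), "atqa": atqa["value"], "sak": f["sak"][0],
            "product": sak["product"], "rats_supported": sak["iso14443_4"],
            "uid_complete": sak["uid_complete"],
            "uid_length_matches_atqa": len(f["uid"]) == atqa["uid_size_bytes"]}
```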
Offline
I suppose that I successfully cracked a Mifare 1k.
In the following log I made a hw tune with a tag on the antenna, then I launched the crack.
proxmark3> hw tune
proxmark3>
proxmark3> #db# Measuring antenna characteristics, please wait...
proxmark3> #db# Measuring complete, sending report back to host
proxmark3>
proxmark3> # LF antenna: 0.00 V @ 125.00 kHz
proxmark3> # LF antenna: 0.00 V @ 134.00 kHz
proxmark3> # LF optimal: 0.00 V @ 12000.00 kHz
proxmark3> # HF antenna: 9.86 V @ 13.56 MHz
proxmark3> # Your LF antenna is unusable.
proxmark3> script run mifare_autopwn
--- Executing: ./scripts/mifare_autopwn.lua, args''
Card found, commencing crack B4589438
uid(b4589438) nt(2e0cc166) par(ca02e26aa2fafa82) ks(050604060509070a) nr(2a1f67800000000)
|diff|{nr} |ks3|ks3^5|parity |
+----+--------+---+-----+---------------+
| 00 |00000000| 5 | 0 |0,1,0,1,0,0,1,1|
| 20 |00000020| 6 | 3 |0,1,0,0,0,0,0,0|
| 40 |00000040| 4 | 1 |0,1,0,0,0,1,1,1|
| 60 |00000060| 6 | 3 |0,1,0,1,0,1,1,0|
| 80 |00000080| 5 | 0 |0,1,0,0,0,1,0,1|
| a0 |000000a0| 9 | c |0,1,0,1,1,1,1,1|
| c0 |000000c0| 7 | 2 |0,1,0,1,1,1,1,1|
| e0 |000000e0| a | f |0,1,0,0,0,0,0,1|
key_count:1
Key A0A1A2A3A4A5
--block no:00 key type:00 key:a0 a1 a2 a3 a4 a5 etrans:0
Block shift=0
Testing known keys. Sector count=16
nested...
-----------------------------------------------
uid:b4589438 len=2 trgbl=48 trgkey=1
Found valid key:removedAgainstLamers
-----------------------------------------------
uid:b4589438 len=2 trgbl=52 trgkey=1
-----------------------------------------------
uid:b4589438 len=2 trgbl=56 trgkey=1
Found valid key:removedAgainstLamers
-----------------------------------------------
uid:b4589438 len=2 trgbl=60 trgkey=1
Found valid key:removedAgainstLamers
-----------------------------------------------
uid:b4589438 len=2 trgbl=52 trgkey=1
-----------------------------------------------
uid:b4589438 len=2 trgbl=52 trgkey=1
Found valid key:removedAgainstLamers
Time in nested: 10.717 (1.786 sec per key)
-----------------------------------------------
Iterations count: 6
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|001| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|002| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|003| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|004| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|005| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|006| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|007| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|008| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|009| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|010| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|011| a0a1a2a3a4a5 | 1 | b0b1b2b3b4b5 | 1 |
|012| a0a1a2a3a4a5 | 1 | removedAgainstLamers | 1 |
|013| a0a1a2a3a4a5 | 1 | removedAgainstLamers | 1 |
|014| a0a1a2a3a4a5 | 1 | removedAgainstLamers | 1 |
|015| a0a1a2a3a4a5 | 1 | removedAgainstLamers | 1 |
|---|----------------|---|----------------|---|
Printing keys to bynary file dumpkeys.bin...
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Dumped card data into 'dumpdata.bin'
Wrote a HTML dump to the file B4589438.html
Wrote an emulator-dump to the file B4589438.eml
Last edited by gaucho (2014-02-18 20:06:45)
Offline
Ouch. Good news, pity you had so much trouble. Is this with the 47 pF capacitor?
Offline
Great! Now it works!! It was "only" a firmware problem!!!
Try with an ISO15693 card, it should work too! (But it should also work with the latest revision if it was an ISO14443-only problem)... any suggestion about this?
Last edited by asper (2014-02-18 11:37:34)
Offline