proxmark3 gerbers and bill of material

vivat · 2014-03-16 15:01:17

Enio
Did you try to replace D1, D11?
Did you try to solder tuning/trimmer cap instead of C39?
Can you get/rent an oscilloscope?

Enio · 2014-03-16 15:27:37

vivat wrote:

Enio
Did you try to replace D1, D11?
Did you try to solder tuning/trimmer cap instead of C39?
Can you get/rent an oscilloscope?

No not yet. Ill check my local supplier the next days.

I had put a 47pf in parallel a while ago, but that was when my R30 was wrong - ill play with it and antenna later today.
Sadly i wont have access to an oscilloscope in the near future. I would love it though!

Edit: Couldnt i just temove D11 for a test? Its supposed to be a 47v zener - my antenna is far less V. 22v - peaks probably not exceed 47v..

Last edited by Enio (2014-03-16 15:48:33)

vivat · 2014-03-16 16:17:50

OK, try to remove it

gaucho · 2014-03-16 18:35:52

my only suggestion is: desolder the catode of D11 (just to be fast).
if you can't do this test today, i'll do it tomorrow.
Then the last involved component is D1.

D1 is a fast switching diode, this is the datasheet: http://www.infineon.com/dgdl/bas21serie … ed353f040f

what if i replace it with the schottky diode D2? it's a ST electronics BAR18FILM and i have some spares. could it be equivalent? i don't remember the schottky characteristics but i remember that it's a fast switching diode.. correct?

EDIT: this is the datasheet of D2: http://www.st.com/web/en/resource/techn … 000762.pdf

Last edited by gaucho (2014-03-16 18:39:23)

gaucho · 2014-03-16 18:51:16

Enio wrote:

.... but that was when my R30 was wrong

Enio, R30 was wrong? what value did you read on the multimeter before to remove it? i think it is only needed to take a part of the signal and to send it to the arm (AMPL_LO). So this resistor should only change the value read by HW TUNE.

Enio · 2014-03-16 20:59:21

gaucho wrote:

Enio wrote:
.... but that was when my R30 was wrong
Enio, R30 was wrong? what value did you read on the multimeter before to remove it? i think it is only needed to take a part of the signal and to send it to the arm (AMPL_LO). So this resistor should only change the value read by HW TUNE.

I think i read 10k on it - my multimeter sucks, not sure exactly what it showed, was way too low though, incl. parallel ones.

<lf read back then showed a mess, most lkely as i couldnt tune antenna due to wrong results at ampl_lo and also - with low total R on R30,31&11 pkd wont work as exspected as voltage between the 2 Capacitors will be soaked to GND much faster as with 510k+.

I understand pkd as follows:Antenna Peak will charge c11&12 quickly near to max - voltage capped by d11 at 47V, on signal drop voltage stays high due to capacitors, drops only slow thru mainly r11 (r30 too high for effect) as d1 blocks path to lover v level. So r11 is mainly time constant on v drop after peaks.

I still dont understand how the signal can get shaped like we see. Zener opening too early would only cut high peaks, not liw extrema (?). hmm

Edit: Disconnected D11 - no luck - same issue.

Any ideas? ..

I also notice - if i tune my antenna to maximum voltage by adjusting turns - i get noise. If i lover voltage a bit - i get (distorted) waves..

Anyways, ill replace D1 & 11 and we ll see what happens. quite a mess right now, hard to interpret results..

Last edited by Enio (2014-03-17 02:11:28)

gaucho · 2014-03-17 08:24:20

if we replace D1 and the problem doesn't solve i have to go to the doctor.

gaucho · 2014-03-17 12:12:57

Here tests done this morning:
before to replace D1:

after replacing D1 with the schottky diode D2

then i replaced C39, C11,C12 and i retuned the antenna
dopo_aver_sostituito_d1_e_retunato_l'antenna.png

then i restored the old D1
dopo_aver_sostituito_d1_e_retunato_l'antenna_e_rimesso_poi_D1_al_suo_posto.png
then i removed D11

note that with the shottky diode i get really higher HW tUNE voltage (42 volt without the tag) but then it falls down when i place the tag on it.

commonly with the foreseen diode D1 i get 26volt without tag, and it goes a little bit down with the tag on it.

is it a good practice to tune the antenna for the value seen with the tag on it or without it?

finally i don't understand if there is a problem..

Last edited by gaucho (2014-03-17 12:14:46)

piwi · 2014-03-17 12:32:06

The effects in Enio's screenshots could be related to an A/D conversion problem (a single bit stuck at 1) rather than an issue in the analogue part. I propose to check the connections between A/D converter (IC8) and the FPGA - in Enio's case likely bit 4 (Pin 6 IC8 - Pin 57 FPGA).

Enio · 2014-03-17 14:19:18

piwi wrote:

The effects in Enio's screenshots could be related to an A/D conversion problem (a single bit stuck at 1) rather than an issue in the analogue part. I propose to check the connections between A/D converter (IC8) and the FPGA - in Enio's case likely bit 4 (Pin 6 IC8 - Pin 57 FPGA).

Thank you piwi, i just doublechecked the pins between IC8 and FPGA - they are good.
After more tests i can say its not the peaks that are malformed, it must just be some signal ranges.

Can you read anything out of this trace? Its done with a different antenna tuning and tag placement:

I checked thru my traces and calculated the bits on line close at the shifts - its indeed a bit pinned to 1!

Last edited by Enio (2014-03-17 14:54:47)

vivat · 2014-03-17 14:54:31

Enio
Can you replace in file ./armsrc/lfops.c in function AcquireRawAdcSamples125k() line SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
with this:
SetAdcMuxFor(GPIO_MUXSEL_LORAW);
Then recompile, re-flash and post our screenshots?

Enio · 2014-03-17 14:57:59

piwi hinted on the issuel!

i just went thru my traces and checked the bits involved in the jumps. Its indeed the 5th ping (Dec value 16) that never goes to 0. Its always 1. leading to 16 value jumps (whenever its supposed to go 1->0 - introduces error) and drops (whenever its supposed to 0->1 - removes error.)

Now i just got to find how the hell this bit (ADC5) stays on 1.

One thing that is weird though is that -128 can exist. That should be 0000 0000 on ADC[7..0]
Any higher value is >16 though, so from there on the b5 stays 1.

Last edited by Enio (2014-03-17 15:18:05)

vivat · 2014-03-17 15:03:34

Enio wrote:

piwi hinted on the issuel!
i just went thru my traces and checked the bits involved in the jumps. Its indeed the 5th ping (Dec value 16) that never goes to 0. Its always 1. leading to 16 value jumps (whenever its supposed to go 1->0 - introduces error) and drops (whenever its supposed to 0->1 - removes error.)
Now i just got to find how the hell this bit (ADC5) stays on 1.

But you don't have neither oscilloscope, nor logic analyzer, right?

Enio · 2014-03-17 15:19:02

vivat wrote:

Enio wrote:
piwi hinted on the issuel!
i just went thru my traces and checked the bits involved in the jumps. Its indeed the 5th ping (Dec value 16) that never goes to 0. Its always 1. leading to 16 value jumps (whenever its supposed to go 1->0 - introduces error) and drops (whenever its supposed to 0->1 - removes error.)
Now i just got to find how the hell this bit (ADC5) stays on 1.
But you don't have neither oscilloscope, nor logic analyzer, right?

Yeah. im about to disconnect ADC5 pin at ADC..

It seems no connection to pin means ADC reads an 1 of it for value? as i get as lowest value now 0001 0000 (-112).

Last edited by Enio (2014-03-17 15:35:51)

Enio · 2014-03-17 15:50:53

I guess my TLC5540 is broken. It does not power up bit5 to allow reading 0s on it BESIDE when measuring <=0 Analog signal it seems. Then fpga indeed receives -128 (0000 0000).
(Also, The line IC8 pin7(adc5) to fpga pin56 is good (tested pin to pin with multi). No idea why hf path works, probably doesnt rely much on non-peak values in Y axis.)

Thanks to y'all - gaucho, vivat, piwi,.. I'll order one sometime this week and let you know.

@Gaucho, your issues might not be related to mine then.

piwi · 2014-03-17 16:53:19

Could also be a shortcut between two neighboring pins on either ADC or FPGA side.

gaucho · 2014-03-17 16:54:55

ok, i'm concentrating on my 2 not working board (yes i saved another one).
the working boards are declared working also on LF path cause hitting the command "lf hid fskdemod" with my cloned tag on it, i always get the following log (few mistakes, like my previous log):

proxmark3> lf hid fskdemod
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
#db# TAG ID: 20042ea607 (21251)
....
.....

one of the broken board was reporting always -128 on the data plot, even if the signal on the scope was present.
For this reason i replaced the analog to digital converter and now the board works fine on lf path (like the other boards).

the broblem on both boards now is that the HF tags are read only few times on 10 tests.

I replaced on both boards the capacitors of the HF path.

the result is not changed but tomorrow i want to see the signal on the scope.

this morning, before to replace capacitors there was a strange noise over the signal.

I would like also to see if all the A/D bits moves..

Last edited by gaucho (2014-03-17 16:56:07)

Enio · 2014-03-17 17:21:35

piwi wrote:

Could also be a shortcut between two neighboring pins on either ADC or FPGA side.

I triplecheckd with multimeter that bit5 of ADC only leads to the corresponding pin at FPGA.

I inspected the values further, my observation wasnt quite correct. Bit 5 is not always 1, sorry about that. It was in many cases but then i noticed on other traces thats not quite true. So i went to exactly see which values i can not find.

From the Datasheet of ADC we learn that there are 2 steps in comparison of Vin to VrefLow/VrefHigh.
The Upper Sampling Converter is in charge for the 4 upper bits 5 to 8.

I now made some table and went again thru my samples to see if i can find values.

Upper Sampling Converter, From Voltages RefT to RefB it should enumerate the Voltages sampled to the following 16 values
[bit8 to 5]
1111 - Ok
1110 - Ok
1101 - Ok
1100 - Ok
1011 - Ok
1010 - Ok
1001 - Ok
1000 - X 
0111 - Ok
0110 - Ok
0101 - Ok
0100 - X 
0011 - X 
0010 - X 
0001 - Ok
0000 - Ok

I havent checked for the lower bits, i think these are fine as i see soft courves on parts of my traces. I also Vdda pins, i dont trust my multimeter for voltages though. It bugs alot.

Bottomline: ADC seems bad, i have no other explaination. It does sample some voltage ranges to wrong digital values. I also dont think its due to bad input voltages, it compares Vin to reference voltages, which stay more or less the same across the sampling. If these were the issue we shouldnt see jumps, but maybe shifts or more global changes. Correct?

I wonder if other boards have this issue too.

Last edited by Enio (2014-03-17 17:28:10)

gaucho · 2014-03-17 20:53:47

Enio, are you planning to replace the ADC? if you order it, also order the D1..
cause I still have the doubt about it.
the shipping cost is very high if compared to the price of the components.

Last edited by gaucho (2014-03-17 20:54:51)

Enio · 2014-03-17 22:24:36

gaucho wrote:

Enio, are you planning to replace the ADC? if you order it, also order the D1..
cause I still have the doubt about it.
the shipping cost is very high if compared to the price of the components.

I ordered adc, ad8052, some other comparators an diodes today, will arrive tomorrow.
I did not find exactly the same switching diodes, i took some other - similar ones. Hope they behave the same.
Also got different zener ones, same values though.

Gaucho, can we be sure other boards dont have broken adc?
Do you have access to an em4100 lf tag? Its good for check because the waveform has slower raise/drops.

Edit: These i get tomorrow:

Farnell Bestellnr.	Bestell-
menge	Menge versendet	Nach-
lieferung	Produktbeschreibung	Herst.-
Bez.
1102961	1	1	0	TLC5540INS 8BIT ADC,SMD 5540,SOIC24	TLC5540INS
1466601	5	5	0	BZX84C47 DIODE ZENER,0.3W,SOT-23	BZX84C47
1660978	1	1	0	AD8052ARMZ OP AMP DUAL,HS, 110MHZ, 8MSOP	AD8052ARMZ
2075403	1	1	0	TLV3502AIDCNT KOMPARATOR,R-R,HI-SPD,SOT23-8	TLV3502AIDCNT
9843728	10	10	0	BAS21 DIODE, HIGH VOLT 250V SOT-23	BAS21

Last edited by Enio (2014-03-17 22:29:06)

Enio · 2014-03-18 08:48:21

Gaucho, as im still waiting on my parcel i checked your screenshots again. I am just wondering if the other ADCs are good enough for all types of tags.

In post No. #351 you pasted some lf read plots which seem fine on the first look. However with recent finds on my plots the small distortions seen on your plot could hint towards a similar malfunction, not necessarily grave but bad enough to mess with specific waveforms.
See these marked with arrows.

It could be worth checking again with other tags (i.e. em4100) or try adding more distance between antenna and tag for weaker signal (and hopefully less square waves). And then zoom in on these distortions.

Last edited by Enio (2014-03-18 08:48:51)

gaucho · 2014-03-18 10:42:23

I suggest the following test in order to check the A/D:
1)Put on TP1 a signal generator with a sine waveform (antenna disconnected).
2)run the LF READ.
3)check the DATA PLOT in order to see if the sampled data is the expected sine.

Which is the dinamic of the plotted data?
which is the minimum and the maximum detected voltage?

I can do this test this morning or tomorrow.

What voltage corresponds to -128 and +128?

Last edited by gaucho (2014-03-18 10:45:54)

vivat · 2014-03-18 10:48:46

gaucho wrote:

I suggest the following test in order to check the A/D:
1)Put on TP1 a signal generator with a sine waveform (antenna disconnected).
2)run the LF READ.
3)check the DATA PLOT in order to see if the sampled data is the expected sine.
Which is the dinamic of the plotted data?
which is the minimum and the maximum detected voltage?
I can do this test this morning or tomorrow.
What voltage corresponds to -128 and +128?

Why only LF READ? With this command FPGA reads ADC samples with speed 125 ksps.
If you run HF 14A READER, FPGA will read samples with speed 13.56 msps.

Enio · 2014-03-18 11:15:32

gaucho wrote:

I suggest the following test in order to check the A/D:
1)Put on TP1 a signal generator with a sine waveform (antenna disconnected).
2)run the LF READ.
3)check the DATA PLOT in order to see if the sampled data is the expected sine.
Which is the dinamic of the plotted data?
which is the minimum and the maximum detected voltage?
I can do this test this morning or tomorrow.
What voltage corresponds to -128 and +128?

ADC samples difference between Reference Top (pin 17) and Bottom (pin 23).
We have:
1) Vdd >> R52 (100Ohm) >> RefT >> R53 (330 Ohm) >> RefB >> R54( 100Ohm) >> GND
2) Vmid (at opamp) = Vdd/2

In my calculations i used Vdd 5.2V from USB. USB version <3 should be 5 +- 0.25.

Anyways, with 5.2 i get ~0.98 for RefB and 4.218 for RefT, Opamp output from antenna signal should be Min: GND+0.15 to Max: Vdd-0.15 with Med being Vmid ~ 2.6V (as its Vdd/2)

That said we should exspect signal from Opamp be 0.15 to 5.05 V arriving on Vin at ADC, Vmid being the 0-line on our plots.

0-255 will be sampled of voltages between 0.981 (=0) to 4.22 (= 255), transformed to signed byte it will be:
-128 starts at 0.981V
0 ~ Vmid 2.6V
+127 up to 4.218V

Step size should be RefT-RefB/256=0.0126ish Volts.
Ex.:
-128 would go from 0.981.. to 0.993...
-127 then 0.993... to 1.005...
[...]
+127 should then go from 4.206 to 4.218.

exact numbers depends on your Vdd though and there might be Voltage losses i havnt considered.

gaucho · 2014-03-18 11:48:19

vivat wrote:

gaucho wrote:
I suggest the following test in order to check the A/D:
1)Put on TP1 a signal generator with a sine waveform (antenna disconnected).
2)run the LF READ.
3)check the DATA PLOT in order to see if the sampled data is the expected sine.
Which is the dinamic of the plotted data?
which is the minimum and the maximum detected voltage?
I can do this test this morning or tomorrow.
What voltage corresponds to -128 and +128?
Why only LF READ? With this command FPGA reads ADC samples with speed 125 ksps.
If you run HF 14A READER, FPGA will read samples with speed 13.56 msps.

Yes but with HF 14A READER I can't see the data samples like i do with LF READ

gaucho · 2014-03-18 12:03:59

I did some tests:

applied this 500Hz sine to TP1 (without antenna connected):

this is the bigger signal that the board is able to digitize, minimum voltage of this signal is about 1,5V and maximum voltage is 3,4V.

then i measured the digitized signal with these commands:
LF READ
DATA SAMPLE 16000
DATA PLOT

this is the result on a working board, as you can see i choosen a sine amplitude that is a little bit saturating on the top and on the bottom edges of the wave.

I applied the same signal in the same way to the broken boards.
This first screenshot is taken on the board where i replaced the A/D with the spare component received with the boards:

this is the second broken board:

as you can see the result is qute the same.

Then I did this other test:

With the antenna disconnected, I applied to TP3 a sine waveform, in order to check the HF path.
the signal is 200KHz, oscillating between about zero volt and 10 volt.
Then i sampled the signal on IC6 pin 10 (the input of the op.amp. on HF path)

This is the result on the working board:

and on the 2 not working boards:

i repeated the same test changing the frequency on the input signal to 100KHz:

this is the result on the working board:

and this is the result on the 2 not working boards:

Last edited by gaucho (2014-03-18 13:09:14)

Enio · 2014-03-18 13:20:03

Replaced ADC, it is fixed!

Just for the giggles - i was stupid and ordered wrong version of ADC - way to big.

Last edited by Enio (2014-03-18 13:31:30)

gaucho · 2014-03-18 13:21:22

I'll try to make some considerations on my previous measures:

the A/D is not working perfectly, but in my opinion is not the source of the problem, because it has the same kind of problem of the working board (the one that can read the HF tags each time).
It could be interesting to see the A/D in action with higher sampling frequency but unfrotunately i don't know how to do.

The response of the filter on HF path is different between the working board and the not working board.
Consider that the applied signal amplitude is low (10Vpp), so the effect on the filter output is small. I suppose that the effect is amplified if you apply the 20-30Vpp signal that is commonly present on the TP3.
It seems that the 200kHz signal is bigger on the working board.
This means that on the not working board something is cutting out that frequency (a little bit).

Last edited by gaucho (2014-03-18 13:24:53)

gaucho · 2014-03-18 13:32:53

vivat wrote:

Why only LF READ? With this command FPGA reads ADC samples with speed 125 ksps.
If you run HF 14A READER, FPGA will read samples with speed 13.56 msps.

how to do it? How to see the HF 14a reader samples ?

gaucho · 2014-03-18 13:36:02

@Enio: really nice your A/D soldering. Compliments, it was not easy.
How much do you pay for each order (the shipment)?
also check mouser and digikey.

Last edited by gaucho (2014-03-18 13:37:20)

Enio · 2014-03-18 13:46:15

gaucho wrote:

@Enio: really nice your A/D soldering. Compliments, it was not easy.
How much do you pay for each order (the shipment)?
also check mouser and digikey.

Thank you, it took a while and alot of nerves as i dont have good equipment.

Farnell takes 5.95€ for orders worth <55€ (ordered yesterday 7:15pm, arrived today 11am) - shipped from Depot in GB (Im in Germany). For small orders thats much better then the 20€ from USA.
Sortiment is good but wont reach digikey/mouser ofcourse. I.e. i checked now again when i noticed i got the wrong one, turned out it was the only TLC5540 they have.

Ill probably keep it in until something breaks, its quite stable actually and doesnt seem to have more noise.

Last edited by Enio (2014-03-18 13:46:30)

Enio · 2014-03-18 15:24:15

gaucho wrote:

vivat wrote:
Why only LF READ? With this command FPGA reads ADC samples with speed 125 ksps.
If you run HF 14A READER, FPGA will read samples with speed 13.56 msps.
how to do it? How to see the HF 14a reader samples ?

Its not really aviable as far as i see.. I think hf 14b simlisten could do it, im not sure how to save the samples so you can plot them though.

Im not sure if the malfunction on my ADC has any noticable impact on HF reading, the waves are probably steep enough to not get problems with those voltage bands get converted too high/low. Also - HF worked for me, just LF couldnt demod as exspected.

vivat · 2014-03-18 15:30:04

Enio wrote:

Replaced ADC, it is fixed!
http://i.snag.gy/Tt20D.jpg
Just for the giggles - i was stupid and ordered wrong version of ADC - way to big.
http://i.snag.gy/IJb2t.jpg

Oh my god!
It looks ridiculous, but you have fixed the problem, right?

how to do it? How to see the HF 14a reader samples ?

You can sniff the connection between ADC outputs and FPGA with logic analyzer connected to all ADC outputs and ADC_CLK. When you run command HF 14A READER, FPGA selects sampling rate speed this way(./fpga/hi_iso14443a.v):
assign adc_clk = ck_1356meg;
Can you repeat your measurements with 13 mhz sine wave signal?

Last edited by vivat (2014-03-18 15:42:25)

Enio · 2014-03-18 17:24:45

vivat wrote:

Enio wrote:
Replaced ADC, it is fixed!
http://i.snag.gy/Tt20D.jpg
Just for the giggles - i was stupid and ordered wrong version of ADC - way to big.
http://i.snag.gy/IJb2t.jpg
Oh my god!
It looks ridiculous, but you have fixed the problem, right?

Yes as you can see in some posts above my lf wave is perfect now. I checked hf with hf 14a read and a snoop on a card select and these work fine too. But those worked before already, after i replaced the OpAmp.

Gaucho, these distortions look like mine, thats no good sign..
Can you recap what does and what does not work on your dysfunctional boards? I think i lost track.

Enio · 2014-03-18 17:40:31

Gaucho, the measurements on your Oscilloscope for the not working boards looks fine. As it detects peak it charges the Capacitor (C15 i think) bringing Voltage level up, then, as your wave is slow compared to the design (the time constant is R15, which is just 10k so the Voltage drops quite fast compared to lf path with 510k), Voltage drops as Capacitor decharges.

The measures of ADC look fine too, compared to the working board - i still think you get issues with Tags like mine.

Do these boards have new OpAmps?

Edit: I just saw you see the results on Oscilloscope are different, you mean because slightly less peak Voltage?

Last edited by Enio (2014-03-18 17:48:30)

gaucho · 2014-03-18 19:06:14

vivat wrote:

You can sniff the connection between ADC outputs and FPGA with logic analyzer connected to all ADC outputs and ADC_CLK. When you run command HF 14A READER, FPGA selects sampling rate speed this way(./fpga/hi_iso14443a.v):
assign adc_clk = ck_1356meg;
Can you repeat your measurements with 13 mhz sine wave signal?

I'm not confident with logic state analyzer as i am with the scope.
moreover is not in my main lab
moreover is really hard to place the probes on that small pins.

we need a function to get hf samples. we need it also in order to crack skipasses.. i mean for didactical purpose.

13Mhz sine has no sense if the sampling frequency is low..

talking about the code.. now i didn't watched in it, but teorically, starting from the LF READ command, shouldn't be hard to sample the hf signal no?
you just need to switch the mux on hf, use the high sampling frequency, then save the samples in the memory in the same way.. correct?

Last edited by gaucho (2014-03-18 19:27:06)

gaucho · 2014-03-18 19:15:11

Enio wrote:

Gaucho, the measurements on your Oscilloscope for the not working boards looks fine. As it detects peak it charges the Capacitor (C15 i think) bringing Voltage level up, then, as your wave is slow compared to the design (the time constant is R15, which is just 10k so the Voltage drops quite fast compared to lf path with 510k), Voltage drops as Capacitor decharges.
The measures of ADC look fine too, compared to the working board - i still think you get issues with Tags like mine.
Do these boards have new OpAmps?
Edit: I just saw you see the results on Oscilloscope are different, you mean because slightly less peak Voltage?

yes.
These 2 boards decode the LF tag T55x0 correctly
There 2 boards read good voltage values on HW TUNE
These 2 boards are not able to read my coffe key (mifare 1k) correctly all the times.
So there is a problem in the HF path.
If the A/D works in the same way also on high frequencies (I have no reason to don't think this) it is not the source of the problem.

I think that the analog path has some problem..
I will try to replace again the capacitors.. then i could try replacing the diodes..
i don't have the capacitors, i will try first replacing the diode.

@enio, of course i still replaced the op.amp.

Last edited by gaucho (2014-03-18 19:22:48)

asper · 2014-03-18 19:59:43

If your mifare key is small you shoukd build a smaller antenna, I have the same problem with "normal" sized antennas (ex the one described in the do-it-yourself tutorial, like mine) and small HF tags.

Enio · 2014-03-18 20:24:42

gaucho wrote:

yes.

Im not sure if this would be much of an issue beside a slightly weaker antenna signal. Diodes and Capacitors are the only ones i could imagine messing with the voltage there.. Hmm.

gaucho wrote:

These 2 boards decode the LF tag T55x0 correctly
There 2 boards read good voltage values on HW TUNE
These 2 boards are not able to read my coffe key (mifare 1k) correctly all the times.
So there is a problem in the HF path.
If the A/D works in the same way also on high frequencies (I have no reason to don't think this) it is not the source of the problem.
I think that the analog path has some problem..
I will try to replace again the capacitors.. then i could try replacing the diodes..
i don't have the capacitors, i will try first replacing the diode.

@enio, of course i still replaced the op.amp.

Darn. Have you tried the not working boards with svn 838 or less? Before the new Machester Demod. was introduced? I had this issue, but new OpAmp fixed it. SVN 838 worked while 839 wouldnt.

Last edited by Enio (2014-03-18 20:26:20)

vivat · 2014-03-19 06:35:24

gaucho wrote:

vivat wrote:
You can sniff the connection between ADC outputs and FPGA with logic analyzer connected to all ADC outputs and ADC_CLK. When you run command HF 14A READER, FPGA selects sampling rate speed this way(./fpga/hi_iso14443a.v):
assign adc_clk = ck_1356meg;
Can you repeat your measurements with 13 mhz sine wave signal?
I'm not confident with logic state analyzer as i am with the scope.
moreover is not in my main lab
moreover is really hard to place the probes on that small pins.
we need a function to get hf samples. we need it also in order to crack skipasses.. i mean for didactical purpose.
13Mhz sine has no sense if the sampling frequency is low..
talking about the code.. now i didn't watched in it, but teorically, starting from the LF READ command, shouldn't be hard to sample the hf signal no?
you just need to switch the mux on hf, use the high sampling frequency, then save the samples in the memory in the same way.. correct?

We can get some samples, but not so much because ARM has only 64kb RAM. You need some space to run the code and we have only 40k free RAM for samples. It's something like your oscilloscope's memory depth-your LeCroy have 1 megasamples memory.
Plus we need to transmit the samples via USB-CDC, and although it's fast, I'm not sure if it can do real-time sampling @ 13.56 msps.
EDIT:
I found that CDC works at 115200 baud per second.
Don't think it's possible to do it in real time, but we can read less ADC samples.

Last edited by vivat (2014-03-19 06:57:45)

gaucho · 2014-03-19 09:29:25

asper wrote:

If your mifare key is small you shoukd build a smaller antenna, I have the same problem with "normal" sized antennas (ex the one described in the do-it-yourself tutorial, like mine) and small HF tags.

no, the other boards works fine. moreover i have the same problem with big mifare 4k.

enio wrote:

Im not sure if this would be much of an issue beside a slightly weaker antenna signal.

no, the antenna is not connected on the tests that i made and the filtered signals are different betwwen working and not working board.

enio wrote:

Have you tried the not working boards with svn 838 or less?

EDIT: i have the same version on both the working board and the not working board: 834

vivat wrote:

We can get some samples, but not so much because ARM has only 64kb RAM. You need some space to run the code and we have only 40k free RAM for samples. It's something like your oscilloscope's memory depth-your LeCroy have 1 megasamples memory.
Plus we need to transmit the samples via USB-CDC, and although it's fast, I'm not sure if it can do real-time sampling @ 13.56 msps.
EDIT:
I found that CDC works at 115200 baud per second.
Don't think it's possible to do it in real time, but we can read less ADC samples.

sampling 42000 samples @ 13.56 MSps will result in an aquisition of 30,97ms
Considering the right triggering method (i mean triggering the acquisition when the communication with the tag is starting) may be we can get the communication?
We could also implement a down sampling (reducing the amplitude resolution) using 4 bits for each sample instread of 8, in order to get 62ms of sampling time.
NOTE: an HF 14A READ takes less than 4ms

EDIT:which is the speed at which we can write samples from the fpga to the arm memory? may be that is the limit?

Last edited by gaucho (2014-03-19 10:51:06)

vivat · 2014-03-19 10:01:45

Quick googling:
http://wiki.jelectronique.com/at91sam7
ARM's SSC speed is up to 12.5Mb/s
Are you going to implement downsampling in FPGA?
Oh, and also on the client because now it reads 8-bit samples(data in decimal from -128 to 128 that you can see on the plot window).

gaucho · 2014-03-19 10:32:42

vivat wrote:

Quick googling:
http://wiki.jelectronique.com/at91sam7
ARM's SSC speed is up to 12.5Mb/s
Are you going to implement downsampling in FPGA?
Oh, and also on the client because now it reads 8-bit samples(data in decimal from -128 to 128 that you can see on the plot window).

this means a max sampling frequency of 1,5MSps.
so the max frequency of the signal to aquire is (f/2) = 750KHz.
Is it too low?

I suppose that the maximum frequency of the signal should be around 830KHz (the sine modulated on the bit from the tag). is it correct?

moreover since it is a coherent sampling (sampling frequency=sampling clock of the generated wave), may be we can decode also a 1,5MHz signal..

By this way we could sniff data between tag and tournel.
then in post processing anyone can study the protocol, find the write password and so on..

Last edited by gaucho (2014-03-19 10:43:48)

Enio · 2014-03-19 11:50:49

gaucho wrote:

enio wrote:
Im not sure if this would be much of an issue beside a slightly weaker antenna signal.
no, the antenna is not connected on the tests that i made and the filtered signals are different betwwen working and not working board.

I meant, we only see lower amplitude, waveform looks identical. SO at pin 6 of opamp We get correct wave, just weaker. If opamp works fine and Mux works fine shouldnt we get correct peak detected waveform at ADC Vin? Do you get much worse HF Voltage in HF tune on broken boards with same antenna then on working?

HF path could still have issues, but ony your measure we cant see. Maybe it only is visible at higher frequency.

I am low on time these days but i will check code to get HF PKD samples plot.

Enio · 2014-03-19 13:23:58

An issue i see is that each ADC clock we get 8 bits at fpga, to send that to arm we only have ssp (1 bit per clock cycle). Im not sure how fast we can clock ssp, but probably not 8x as fast as samples arrive thru ADC. Thats probably why only accumulations are sent to arm.

Last edited by Enio (2014-03-19 13:24:26)

gaucho · 2014-03-19 13:59:26

OFFTOPIC: i calculated a save of about 18€ reducing the number of components with my pcb design. another saving can be made on pcb reducing the number of layers and another saving can be made on pcb soldering because of the reduced number of solderings. When i'll finish repairing these boards I'll request a quotation. consider the big price is the component's price.
I think it can cost 40€(total production cost). So the commercial price can be 80€, supposing to sell it at the double of the production price.

gaucho · 2014-03-19 14:06:48

Enio wrote:

An issue i see is that each ADC clock we get 8 bits at fpga, to send that to arm we only have ssp (1 bit per clock cycle). Im not sure how fast we can clock ssp, but probably not 8x as fast as samples arrive thru ADC. Thats probably why only accumulations are sent to arm.

infact the summary of my considerations ( maybe you can understand me reading again my previous post) , is to send one sample(1Byte) each 9 clock cycles.
So my final previous question was: will it be good to have a sampling frequency of 1,5MHz (13,5MHz/9)?
My answer is YES.

EDIT: one bit of the reply obtained from a mifare 1k tag, has a duration of 5 microseconds. With a sampling frequency of 1,5MHz you can get that HIGH bit sampled 7 times. It's a lot!

Last edited by gaucho (2014-03-19 14:17:15)

gaucho · 2014-03-19 17:26:47

On one board i replaced C15, D2 and D3 on the second board i replaced C15.

i measured with scope again, sending HF 14A READ

I report some comparisons.
If not specified the measure is taken on TP1

Working board:

not working boad:

comparing the previous 2 screenshots i can only say that first bit is a little bit corrupted.

working board:

not working boad:

comparing the previous 2 screenshots i can only say that signal is alittle bit weak on broken board.But the difference is very negligible.

working board:

not working boad :

comparing the previous 2 screenshots i can not see relevant differences.

working board on V mid during the read command:

not working boad on V mid during the read command:

comparing the previous 2 screenshots i can not see relevant differences.

working board:

not working boad :

comparing the previous 2 screenshots i can see that on the broken board it is missing the third reply of the tag. moreover there is also higher noise on the broken board.
Next screenshot shows the other broken board where the noise is not present, sometimes there is the third reply, and when there is the reply the tag is read:

Now I focalized on the third request (and reply)
This is the third request sent by the Board:
working board:

not working boad :

comparing the previous 2 screenshots i can see that the tag was still sending data when the PM3 sent the third request, then the tag didn't answered. The transmitted data seems to be different..but i'm not sure.

working board:

not working boad :

comparing the previous 2 screenshots i can see that one board has still noise on signal. First bit is a little bit corrupted.

On the following screenshot i can see that the second broken board has no noise. Anyway it has read problems. First bit is a little bit corrupted.
Note: we are still wathing the third reply.

Please help me to understand cause now I don't know where is the problem..

vivat · 2014-03-20 04:31:37

gaucho
I think that there is problem in analog TX path. Can you check that both 244's with scope?
Do you use same antenna on all boards?

vivat · 2014-03-20 04:56:19

gaucho wrote:

OFFTOPIC: i calculated a save of about 18€ reducing the number of components with my pcb design. another saving can be made on pcb reducing the number of layers and another saving can be made on pcb soldering because of the reduced number of solderings. When i'll finish repairing these boards I'll request a quotation. consider the big price is the component's price.
I think it can cost 40€(total production cost). So the commercial price can be 80€, supposing to sell it at the double of the production price.

I would personally pay more money to get more features, like SPA and DPA attacks on most cryptographically "strong" tags like desfire, or having the ability to debug the board with I/O pins on the PCB rather than buying.
To perform such attacks, we need more sensitive ADC, faster micro-controller, probadly external RAM, bigger more powerful FPGA.

Proxmark3 community

Announcement

#401 2014-03-16 15:01:17

Re: proxmark3 gerbers and bill of material

#402 2014-03-16 15:27:37

Re: proxmark3 gerbers and bill of material

#403 2014-03-16 16:17:50

Re: proxmark3 gerbers and bill of material

#404 2014-03-16 18:35:52

Re: proxmark3 gerbers and bill of material

#405 2014-03-16 18:51:16

Re: proxmark3 gerbers and bill of material

#406 2014-03-16 20:59:21

Re: proxmark3 gerbers and bill of material

#407 2014-03-17 08:24:20

Re: proxmark3 gerbers and bill of material

#408 2014-03-17 12:12:57

Re: proxmark3 gerbers and bill of material

#409 2014-03-17 12:32:06

Re: proxmark3 gerbers and bill of material

#410 2014-03-17 14:19:18

Re: proxmark3 gerbers and bill of material

#411 2014-03-17 14:54:31

Re: proxmark3 gerbers and bill of material

#412 2014-03-17 14:57:59

Re: proxmark3 gerbers and bill of material

#413 2014-03-17 15:03:34

Re: proxmark3 gerbers and bill of material

#414 2014-03-17 15:19:02

Re: proxmark3 gerbers and bill of material

#415 2014-03-17 15:50:53

Re: proxmark3 gerbers and bill of material

#416 2014-03-17 16:53:19

Re: proxmark3 gerbers and bill of material

#417 2014-03-17 16:54:55

Re: proxmark3 gerbers and bill of material

#418 2014-03-17 17:21:35

Re: proxmark3 gerbers and bill of material

#419 2014-03-17 20:53:47

Re: proxmark3 gerbers and bill of material

#420 2014-03-17 22:24:36

Re: proxmark3 gerbers and bill of material

#421 2014-03-18 08:48:21

Re: proxmark3 gerbers and bill of material

#422 2014-03-18 10:42:23

Re: proxmark3 gerbers and bill of material

#423 2014-03-18 10:48:46

Re: proxmark3 gerbers and bill of material

#424 2014-03-18 11:15:32

Re: proxmark3 gerbers and bill of material

#425 2014-03-18 11:48:19

Re: proxmark3 gerbers and bill of material

#426 2014-03-18 12:03:59

Re: proxmark3 gerbers and bill of material

#427 2014-03-18 13:20:03

Re: proxmark3 gerbers and bill of material

#428 2014-03-18 13:21:22

Re: proxmark3 gerbers and bill of material

#429 2014-03-18 13:32:53

Re: proxmark3 gerbers and bill of material

#430 2014-03-18 13:36:02

Re: proxmark3 gerbers and bill of material

#431 2014-03-18 13:46:15

Re: proxmark3 gerbers and bill of material

#432 2014-03-18 15:24:15

Re: proxmark3 gerbers and bill of material

#433 2014-03-18 15:30:04

Re: proxmark3 gerbers and bill of material

#434 2014-03-18 17:24:45

Re: proxmark3 gerbers and bill of material

#435 2014-03-18 17:40:31

Re: proxmark3 gerbers and bill of material

#436 2014-03-18 19:06:14

Re: proxmark3 gerbers and bill of material

#437 2014-03-18 19:15:11

Re: proxmark3 gerbers and bill of material

#438 2014-03-18 19:59:43

Re: proxmark3 gerbers and bill of material

#439 2014-03-18 20:24:42

Re: proxmark3 gerbers and bill of material